Highlights from the IAPP DPC Conference: Global Regulatory Challenges in Privacy
Here in the US, the winter holidays kick off with Thanksgiving. And as I digest my turkey dinner, I’ll also be digesting the many issues and ideas presented at the 2019 IAPP-Europe Data Protection Congress in Brussels.
If I had to summarize the theme of this year’s conference— the one thing that was on every privacy professional’s mind—I would say it was “coping with complexity.” The combination of new regulations, new technologies, and new business practices creates uncertainty as never before, and data privacy leaders around the world are searching for ways to navigate this complex web of challenges and requirements.
Any new, sweeping regulation creates uncertainty, as evidenced by the current trend of overreporting under GDPR, but we now face major new privacy laws and regulations at every turn. Multinational organizations still figuring out the fine points of GDPR compliance must also be in compliance with the EU ePrivacy Regulation, Brazil’s new General Data Protection Law (GDPL), and the California Consumer Privacy Act. (And then there’s Brexit.)
As was observed in one of the DPC sessions, new legislation is proposed or passed somewhere in the world almost every month, and these regs differ in ways subtle or sweeping, from protected information to protected persons, from notification requirements to notification windows.
New technologies were another very visible point of angst this year. The Internet of Things (IoT), from mobile devices to autonomous vehicles, raises privacy risks for users and data protection and compliance risks for the organizations that build, sell, deliver services, and gather data through these connected devices. Biometrics were also a topic of conversation, from the new kinds of sensitive personal information involved to compliance with new biometric privacy regulations. And most organizations are in the early stages of figuring out how to implement Data Protection Impact Assessments (DPIAs) when deploying new technologies in their organizations.
Several sessions explored the tension between the protection of personal data and emerging uses of AI and big data analytics, the benefits of which depend on using troves of personal data. Linked with use of analytics and AI are privacy issues around adtech. The EU has complex privacy requirements around data collection, behavior tracking, and e-marketing. The EDPB has given some guidance on consent and targeted advertising, but the new EU ePrivacy regulation may change things, so no one knows for sure yet how the targeted advertising cookie crumbles.
Finally, IAPP participants addressed the eternal challenges of compliance and incident response (IR). Several sessions addressed the issues of responding to increasing volumes of Data Subject Access Requests (DSARs) promptly and in required data formats, while identifying potentially unauthorized requests that could turn an otherwise compliant response into a data breach. And there was discussion about how to navigate GDPR enforcement differences between different EU member states and how to provide regulators with evidence of accountability/compliance. (Not to brag, but we here at RadarFirst think we have a pretty good answer for that one.)
An evolving regulatory landscape, securing new technology, data privacy in an increasingly data-driven age. . . any of these issues, taken by itself, is formidable. But here’s a thought experiment to show how they are multiplicative, not additive. Imagine that someone gives a FitBit-type smartwatch to a 14-year old Brazilian citizen living in California who downloads an app to track his fitness data, which is tracked by a post-Brexit UK company and stored in the cloud in a data center physically located in Germany. Now imagine that someone reports a breach of personal information involving that kid’s information. The age of consent to data collection is 16 in Brazil and the EU, but 13 in the U.S. The minor is a Brazilian citizen, so covered by the GDPL but what U.S, EU, or UK privacy laws might still apply? Fitness information could be considered health information, so what medical privacy laws apply? You can see how “accountability” can become very complex, very fast.
The power of a gathering like the IAPP DPC is not that one conference, even one full of experts, can provide all the answers. But it is inspiring to see how privacy professionals around the world are keeping abreast of developing challenges and preparing to meet them head on.
I ran across a fun Thanksgiving fact recently: among their many interesting qualities, turkeys have exceptional long-distance vision. Our global community of privacy professionals is also to be commended for looking ahead.