Privacy Thoughts for Challenging Times
A few weeks ago, I and many of us in the privacy world were looking forward to this year’s IAPP Data Protection Intensive (DPI) in London, IAPP Global Privacy Summit, and the HCCA Compliance Institute among others during a season of gatherings where we could share information and ideas about emerging data privacy issues.
Fast forward to today, as we are all working together to flatten the curve in the midst of the coronavirus pandemic, the privacy community has pivoted to sharing ideas virtually instead of live.
So, let me lead off by sharing some of the topics that have been on my mind.
The effects of COVID-19 on privacy and privacy regulations.
Data can be a potent weapon against a global pandemic. For instance, the U.S. has asked airlines for the names, dates of birth, and other PII on passengers who may have been exposed to the novel coronavirus in flight, and several countries have used or explored using personal data from cellular providers to track possible contacts with infected persons. Personal medical information is also likely to prove useful in tracking and understanding the disease.
EU data protection authorities are already issuing guidance on how the GDPR must be enforced and where requirements may be relaxed in these difficult times. In the U.S., the Department of Health and Human Services has issued a limited waiver of HIPAA sanctions in order to allow medical providers to share patient information with family members, who may be at risk, as well as public health authorities and emergency personnel.
It will be interesting to see what other modifications are made as the pandemic progresses, and what the long-term implications will be for healthcare privacy laws around the world.
Brexit, Brexit, Brexit.
After several years of national uncertainty, the UK has officially exited the EU, leaving uncertainty in the data privacy world at an all-time high. The UK Information Commissioner’s Office (ICO) has been one of the strongest and most active data protection authorities under the GDPR.
How will this split change regulatory practices and flow of data across the UK and EU? I am curious to see the post-Brexit developments.
Ad tech has raised huge privacy concerns and raises equally huge questions.
- Does tracked behavioral data count as personal data?
- What about generated data? If data is tied to a device that belongs to a person, is that personal?
- What are the implications of the predicted (or perhaps over-predicted) death of cookies following Google’s recent announcement?
One of this year’s scheduled IAPP DPI keynote speakers, Johnny Ryan, has called real-time bidding advertising auctions “the largest data breaches ever recorded, every single day.” Anyone whose organization does online advertising (and whose doesn’t?) will need to come up to speed on this emerging issue.
Children’s privacy rights
Children’s privacy rights have been protected for more than a decade by the Children’s Online Privacy Protection Act (COPPA) in the U.S. But many organizations have exploited loopholes in the law.
Now the issue of children’s privacy is coming to the fore with U.S. settlements and fines, including a record $170 million settlement with YouTube and its parent company Google for COPPA violations. And other countries are getting into the act, with the UK’s Age Appropriate Design Code and enforcement of child privacy provisions in the GDPR, Brazil’s new LGPD, and other national privacy laws.
How can we comply with these laws to protect both our businesses and our children?
In addition to these current hot-button topics, we are on a learning curve to understand the newest privacy laws around the globe, including those in Brazil, China, and India. And many organizations are grappling with how to perform the Privacy Impact Assessments required by GDPR without having undue impact on schedules and projects.
As we deal with the immediate threat of this pandemic and its financial and societal effects, we also can’t forget that we must continue to protect our organizations and the privacy of our customers, employees, and partners.
There are plenty of bad actors already taking advantage of the situation with phishing attacks, consumer scams, and other mischievous schemes. Computer systems, like bodies, can be infected, and panicked people can have lowered defenses against scammers.
The world needs privacy guardians now more than ever. So, I hope you can all stay safe and, wherever you are sheltering from the viral storm, keep up this important work.