For the past few years, in-house corporate compliance teams have been struggling to roll out protocols and procedures to comply with the GDPR and related e-Privacy & PSD2 proposed rules. Much time and money have been spent in hiring external consultants, attending expensive conferences held by privacy organizations for compliance tips, and for those big enough, socializing with some of the regulators in the hopes of improving relations. EU regulators were nice enough to give an informal one year grace period from the effective date of May 25, 2018 for companies to get organized.

That time has passed and all regulatory gloves are off now.

Corporations need to sit up and pay attention to this seismic increase in corporate risk exposure that will continue to worsen unless bold coordinated industry actions are taken now. Like the Spartans at Thermopylae, industry must lock-shields in unison to stem the growing tide of imbalanced privacy enforcement actions based on unfair privacy laws driven by hostile pro-privacy populist sentiments who have hijacked the global privacy narrative.

The GDPR now is over one-year-old and based on two recent proposed fines against British Airways and Marriott Hotels (and likely many many more to come from privacy regulators around the world such as Facebook’s proposed US$5 Billion consent decree with the FTC), it is exposing global corporations to the risk of multi-millions and possibly billions in fines and penalties while encouraging the sprouting of private (class action) litigations.

Multiple jurisdictions around the world have followed suit in enacting privacy laws of differing severity. California’s Consumer Privacy Law (labeled by Forbes Magazine as a potential “regulatory disaster”) will become effective January 1, 2020 even though there are about a dozen legislative bills attempting to fill gaping holes and clarify glaring ambiguities in that poorly drafted law. States like Maine, Nevada and New York have also joined the privacy band-wagon threatening to create a patchwork of disparate state privacy laws for corporations to follow. All eyes are on the U.S. federal government’s efforts to design and roll out a nation-wide privacy regime. Questions of whether a federal law on privacy would “preempt” state privacy laws remain unsettled and would most likely need U.S. Supreme Court intervention. Even assuming federal law would preempt state laws, it is axiomatic that state privacy laws nevertheless would apply to the extent such state laws offer increased protection and can supplement the federal privacy regime. Therefore U.S. based businesses of all sizes will probably need to comply with the different privacy laws of all 50 states (with each state expected to pass their own version of a privacy law to pander for votes from an electorate increasingly becoming anti-business and pro-privacy) in addition to a federal privacy law (that may be enforced unevenly depending on which administration is in charge and the increasingly hostile mood of the electorate for draconian privacy laws).

Firms doing business overseas or collect/process personal data from foreign citizens would need to face the daunting herculean task of complying with a kaleidoscope of international privacy laws that may be unbalanced, out of touch with recent technological advancements & innovations, and enforced unevenly, unfairly and over-zealously.

Without a doubt, politics will influence whether and how data monetizers would be investigated and punished. For example, in July 2019, the Republican-led FTC voted along party lines 3-2 in favor of approving the US$5 Billion proposed consent decree fine with both Democratic commissioners voting against the proposal. Some commenters already have blasted the proposed US$5 Billion as an “embarrassing joke” and too low compared to Facebook’s overall net revenue. At least in the U.S., we see that pro-business groups are attempting to reign in massive fines while consumer advocacy groups want to declare all out war on data monetizers. Whether the voice of pro-business groups within European Union would be heard in the midst of GDPR enforcement remains to be seen.

This continuing series on “Strategic Privacy Management” aims to help C-suite corporate leaders (of primarily large multinational companies, a group at immediate risk of being pirated by privacy laws) seize the global narrative on data privacy to protect shareholders’ interests and advance legitimate corporate objectives. This series is intended for companies (or “data monetizers”) that must wrestle with the commercial need to monetize data and their legal duty to comply with privacy regimes.

The key theme of this series advocates the need to create an independent private industry association called the ‘Fair Privacy Institute” that will lobby (on behalf of its membership fee-paying global public and private corporate constituencies) for the creation of balanced privacy laws and the fair, even enforcement of such laws, including the filing of strategic administrative lawsuits and promoting industry codes of conduct applicable to all key sectors to attain such goals.

Part 1 of this series describes the sad state of current privacy regimes such as the GDPR.  

Part 2 discusses key U.S. federal and state privacy initiatives and why there may be a glimmer of hope for privacy professionals there. 

As of January 30, 2020 I have held writing the remaining Parts (as detailed below) in abeyance pending further regulatory developments.

Part 3 will identify efficient ways on how data monetizers may comply with privacy requirements. It will also discuss how corporations may use other tools to strategically manage privacy risks to achieve legitimate corporate objectives.

Part 4 will explain why the GDPR in effect imposes strict liability for data breaches on data monetizers.  It will argue that simply complying with its requirements (as well as those of other deficient privacy initiatives) will merely expose data monetizers to substantial risk of unjust fines or penalties.

Part 5 will focus on how data monetizers may conduct legitimate advocacy for the creation of fair privacy laws and their even enforcement through the establishment of a private independent trade association called the “Fair Privacy Institute” dedicated to the advancement of data monetizers in the age of increased data privacy and digital commerce regulation.

Part 6 will examine how current privacy laws will stunt the growth of emerging technologies and jeopardize the development of positive life-changing applications by the industries of tomorrow. It will look at the near schizophrenic position of the European Union to promote AI investments on the one hand and enforce data privacy rules that are out of touch with technological advances and show why this is like burning a candle on both ends and unsustainable.

Part 7 will discuss how corporations may legitimately use emerging technological tools like big data analytics or zero knowledge proofs of knowledge (a way to develop anonymous digital identity to prove knowledge of a secret without actually revealing it) to achieve the happy medium of legitimately monetizing data and complying with privacy obligations. It will examine the underlying philosophical issue: since technology has created the problem of privacy leakage, society should use technology and not the law to protect privacy of data subjects.

Part 8 will analyze the final written rulings to be issued by the UK privacy regulator (after it has received feedbacks from other EU privacy regulators on same) to British Airways and Marriott to determine why the procedures put in place by the accused were not “reasonable” to protect data subjects’ privacy. As of January 30, 2020, the UK privacy regulator has yet to finalize its penalty or issue any formal rulings. Once these rulings are finalized, this Part will examine the various improvements to be recommended by the UK regulator for insights on whether these improvements are practicable for smaller companies. This Part also will analyze whether the alleged “deficiencies” found should fairly be characterized as “deficiencies” in the first place. Based on an analysis of these alleged deficiencies, This Part will determine whether the UK regulator unfairly made British Airways and Marriott into de facto insurers of unforeseeable and hard-to-prevent sophisticated cyber-attacks (many of which are now state sponsored).

Part 9 will examine the legal arguments to be submitted by British Airways and Marriott (both of which have expressed their determination to challenge their respective hefty fines) in their respective prospective lawsuits against the UK privacy regulator (and possibly against the EU regulatory body) for insights to guide other companies on how to better strategically manage their privacy risks and compliance. It will also set forth possible legal arguments that can be made against government privacy regulators such as violation of constitutional due process, fundamental unfairness in holding defendants strictly liable for unpreventable actions of state sponsored criminal hackers, defenses available under the GDPR such as section 82, procedural violations rooted in national civil procedures, availability of estoppel to prevent regulators from imposing additional penalties on the same violation based on other causes of action like securities violations (untimely/insufficient disclosure of hack), anti-trust violations and impositions of the new dreaded European internet tax for digital commerce.

Part 10 will look at one of the most lucrative (and therefore regulation-ripe) areas of data monetization: online ads and the real-time bidding component of digital advertising. It will examine how privacy regulators will attempt to reign in this sector by looking at their proposed measures. It will discuss the effects of such measures on the future of digital advertising and how industry can fight back (preferably preemptively) to protect legitimate corporate interests.

As privacy developments continue (and there are many of them), this series on “Strategic Privacy Management” will examine other hot topics relevant to corporate stakeholders and empower them to change the global narrative on privacy into a more balanced and rational dialogue to further the protection of digital privacy in a business-friendly way.