Jiri Cerny, Legal & Corporate Affairs Director, Microsoft
Many countries are currently reconsidering their approach to privacy. This trend has emerged as a response to recent exploitations of personal data that citizens did not find acceptable and that existing privacy laws were unable to address.
Europe adopted the GDPR in 2016, and it has applied since May 2018; it is currently regarded as the most comprehensive privacy law in force. Europe also has a long tradition of treating privacy as a fundamental legal right.
As global attention to data protection law continues to grow, GDPR is becoming a global privacy benchmark. Two main drivers lie behind this:
1. As more countries revise their privacy laws, GDPR serves as an inspiration for emerging privacy legislation across the globe.
2. GDPR applies to any company that processes the personal data of individuals in the EU (regardless of their citizenship) in connection with offering them goods or services or monitoring their behaviour, irrespective of where the company itself is located. Any business active in the EU therefore needs to take GDPR into account.
A global company with operations in the EU frequently adopts GDPR-driven obligations worldwide, since a unified approach to privacy simplifies its internal processes.
One of the aspects that made GDPR such a well-known topic is the size of the fines it allows. GDPR establishes two tiers of administrative fines: the lower tier is up to 10 million EUR or 2% of total worldwide annual turnover, and the higher tier is up to 20 million EUR or 4% of total worldwide annual turnover, in each case whichever is higher.
Fines are not the only reason to comply with privacy laws, however. A privacy violation can seriously damage a company's reputation and, most importantly, the trust of its customers, partners and employees.
Data Protection and Cybersecurity
The second major policy trend affecting data protection is cybersecurity. As with privacy, governments are increasingly concerned about whether they are prepared for the new scale and nature of cyber-attacks. Unlike privacy laws, which are meant to protect individuals' rights, cybersecurity laws are primarily driven by the protection of state security, and they extend regulatory requirements beyond personal data to systems and services as such.
Cyber-attacks can also affect public safety through providers of core infrastructure, so modern cybersecurity laws target not only state bodies but also certain private businesses. An example is the EU Network and Information Security (NIS) Directive, which sets minimum security and incident-notification requirements for operators of essential services and digital service providers. Member states had to transpose it into national law by May 2018, so the affected entities faced the challenge of complying with GDPR and NIS requirements in the same year.
Even though privacy and cybersecurity are meant to address different concerns, they share a common denominator. In today's digital world, both topics usually have to be addressed from the perspective of a specific entity's IT environment, and assessing privacy and cybersecurity requirements as two distinct and independent domains can hardly produce a sustainable outcome. GDPR and NIS both take a risk-based approach: the technical and organisational measures applied to a specific risk must be proportionate to that risk. This allows the affected entities to take a holistic approach to their privacy and cybersecurity compliance.
From a policy perspective, privacy and cybersecurity should be treated as mutually dependent topics, and regulation should not force entities to apply two different sets of standards.
Compliance with privacy and cybersecurity laws is undeniably becoming a necessity for any organization. However, new privacy and cybersecurity obligations should not be viewed as just another regulatory requirement to follow. Companies should also see them as an opportunity to re-evaluate how they process data, what data is really needed, which processing methods are appropriate and which subcontractors are involved. It is also an opportunity to unify and simplify processes beyond those that handle personal data.
We can expect data processing based on machine learning and artificial intelligence to grow significantly in the near future. These technologies will enable new uses of personal data and will only increase the pressure for stronger privacy standards. Future AI regulation will likely build on principles already established by privacy and cybersecurity laws. In certain areas, such as facial recognition, the current privacy regulations may need to be rethought. In the absence of relevant regulation, companies should consider adopting ethical standards of their own that have yet to be written into AI-related policy.