Today is GDPR's first birthday, so it's a great opportunity to look at how organizations have adapted in the last year. While most users felt the impact of GDPR in the form of cookie notifications on every single website, the General Data Protection Regulation revolutionized the way organizations must justify their usage of user data.
Increasingly, the business model where companies provide free services in exchange for extremely valuable personal information is coming into question, with legislators and consumers bartering for consumer rights. Facebook has come out in support of radical privacy for users, but this directly contradicts its current ad-based business model.
France recently fined Google €50 million for engaging in “forced consent” for data processing. Yet many are concerned that Ireland, the location of many tech giants’ European headquarters, has not taken much regulatory action against the companies it houses. While this may be because Facebook, Google, and other giants are fully compliant with GDPR, a conflict of interest may also be a factor.
Facial Recognition: The Next Frontier
Under GDPR, facial recognition data, since it includes biometric markers, is classified as "sensitive personal data," but this doesn't always mean that positive consent is required. A landmark case in Cardiff, Wales found just last week that automatic facial analysis in public spaces is no different from CCTV footage analyzed by human law enforcement officers. However, some privacy and civil liberties advocates are concerned that this will lead to increasingly automated discriminatory search practices.
The United States Congress is beginning to reckon with the biases and privacy implications of facial recognition technology, just as companies like Amazon and JetBlue are doubling down on developing the tech despite ethical concerns.
Increasing Global Compliance Regulations
GDPR compliance may become the easy part, as organizations face a patchwork of new compliance regulations. While some U.S. publications never adapted and still block European IP addresses, this sort of holding pattern may no longer be an option as organizations ramp up to prepare for California's Consumer Privacy Act, which will go into effect in January 2020. The Act has less stringent notification policies, but more rigorous privacy and control stipulations than GDPR, and the majority of businesses are unprepared to face it. While organizations can use their GDPR compliance as a baseline, most need to become much more agile in the ways they approach data privacy compliance. Brazil, India, Japan, and other U.S. states are working towards their own privacy restrictions.
Instead of being reactive, organizations must strive to proactively establish a firm understanding of their data pipelines and controls over who can access the data. Once organizations take the plunge and invest in establishing a complete picture of data lineage, new regulations will necessitate tweaks instead of complete system overhauls, saving time and investment in the long run.