UK regulatory body orders Cambridge Analytica to hand over the data and personal information it holds on a voter located in the United States; on the first day of GDPR enforcement, complaints seeking billions in fines are filed against Google and Facebook.
Last week, the U.K. Information Commissioner’s Office (ICO) took the unprecedented step of ordering U.K.-based Cambridge Analytica to turn over all of the data and information the company holds on an American voter. The decision comes after two years of legal wrangling that began when the data subject (in this case, the American voter) filed a “subject access request” with Cambridge Analytica to see the personal information and data the company had compiled on him. When the company refused to comply, the individual lodged a complaint with the ICO under U.K. data privacy law. The ICO has said that Cambridge Analytica’s failure to comply with the order would be “a criminal offence.” The ruling also opens the door for other foreign data subjects to make claims under U.K. law.
Why this matters
It is clear that we are entering an era of increasingly strict data privacy regulation. The ICO ruling comes just before the enforcement date of the EU’s widely publicized General Data Protection Regulation (GDPR), May 25, 2018. Meanwhile, the United States Congress currently has three separate data privacy bills under consideration, and several Latin American countries are considering regulations modeled on GDPR. The current environment suggests a trend toward more regulation, not less.
In addition, we are beginning to see the blurring of national borders when it comes to electronic data privacy. The Cambridge Analytica case is a perfect example of that. The data subject was in the United States but filed a complaint – and prevailed – under British laws.
The implications for companies operating in the United States, including those without operations in other countries, may be significant.
What companies should do now
The combination of imminent data privacy regulation, rising consumer expectations and rapidly emerging case law casts a bright light on how organizations collect and process data. Following are essential steps to take now:
- Be clear about the data you collect and how you intend to handle it: Organizations often have good reasons to collect data and personal information of all kinds. Frequently, however, data is collected for data’s sake with no immediate use in mind. Without a clear picture of why data is collected and how it will be treated, an organization is likely to be ill-prepared for the future of data privacy. It is not enough for the chief security officer or head of IT to be the sole voice on data protection; a commitment to data security must start at the top. The fundamental question for any organization is this: How do you intend to treat data at the enterprise level?
- Assess existing systems and understand your data risk: It is critical that organizations understand how existing privacy laws affect their organizations and the types of information they collect. Know the risks and benefits associated with existing processes, review controls and be clear on how they protect your organization, and evaluate the systems you have in place to address data subject requests. Put simply, any organization, regardless of size or location, should have a basic understanding of how it handles the retention, protection and disposal of people’s data.
- Implement best practices: Once an assessment is complete, you may need to implement new controls and processes. A central part of that effort will be to lead from the top and educate internal stakeholders on the importance of proper data management and the company’s expectations around privacy. In addition, many organizations are now considering the value of bringing a data protection officer (DPO) on board, a role that GDPR requires for certain categories of organization.
The evolving context for data privacy keeps business leaders up at night. While this new environment is somewhat unpredictable, those who proactively plan a thoughtful approach to data privacy will be better prepared to manage whatever the future may bring.
GDPR NEWS UPDATE
- With the GDPR now in force, Google and Facebook have been hit with a series of complaints accusing the companies of forcing users to consent to the processing of their personal data. Austrian privacy activist Max Schrems filed complaints seeking a total of roughly $8.8 billion (€7.6 billion) in fines against Facebook and Google on the first day of GDPR enforcement.
- Facebook and its services received three complaints, in Germany, Austria and Belgium, amounting to €3.9 billion.
- Google received a separate complaint in France for €3.7 billion.
- All of the complaints were filed through Schrems’ non-profit organization NOYB.
- Some major U.S.-based media outlets have chosen an alternative approach to the GDPR: blocking users from the EU altogether.
- The Los Angeles Times, Chicago Tribune and New York Daily News block users from the EU.
- A+E Networks® (specifically A&E, History and Lifetime Channel) redirects visitors from the EU with the message, “This content is not available in your area.”
As regulators begin to enforce GDPR and case law develops, we will continue to monitor the situation and advise our clients.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.