Happy Data Privacy Day — Five Lessons Learned On Regulatory Enforcement
In the United States, Europe, Canada, and India, January 28 is designated Data Privacy Day to mark the 1981 signing of the first legally binding international treaty on data protection and privacy. Thirty-eight years later, technology has only sharpened the need for privacy regulation. GDPR is the first step of a new generation of privacy protections: it came into force in the EU in May 2018 and has already inspired similar regulations to be passed or debated in other regions, with California, Brazil, Japan, and India among the examples.
European regulators are using their new GDPR to investigate firms’ privacy practices. Here are a few regulatory actions that caught our attention:
- After failing to restrict access to patient data, a hospital in Portugal was fined €400,000 by the Portuguese Data Protection Authority. The hospital chose to appeal on the grounds that the authority fining it had not yet been officially appointed. The fine was levied in July 2018 but was only recently made public.
- On January 21, the French data regulator (the CNIL) announced a €50 million fine against Google for the convoluted way it informs users about, and obtains their consent to, its processing of personal data, especially for targeted advertising. Although €50 million ($57 million) is a drop in the bucket for Google, which made $33.7 billion in Q4 of 2018, Google announced that it plans to appeal. It will have to do an exceptional job convincing regulators that its consent flows are fair or face the prospect of reform.
- Italy's competition and consumer authority (the AGCM) fined Facebook €10 million for violating the Italian Consumer Code, citing the company for misleading users about the commercial purposes for which their data is collected and used.
Beyond the actions themselves, there are some lessons that we are starting to learn, such as:
- Regulators are evaluating processes, policies, and the deployment of security controls in their investigations. Public attention assumed that data breaches would trigger the first enforcement actions; these cases show that it was processes and policies that caught regulators' attention instead. In the case of the Portuguese hospital, for example, the regulator focused on bad practices in the way access rights to personal data were allocated and managed. The hospital violated the rules not because it lacked the technology but because it had not thought carefully enough about how that technology was deployed and about the policies that go with it, such as who is granted access, on what basis, and how those grants are reviewed.
- While the infringements have been severe, the exemplary GDPR fine we are expecting has yet to come. In fairness, the €50 million that the French CNIL imposed on Google is the highest data protection fine to date. It is still only a small fraction of what GDPR allows regulators to levy, which is up to 4% of a firm's global annual turnover for the most serious infringements; 4% of Google's global revenue is almost €4 billion. Although we expect regulators to do more, consumer trust and loyalty toward companies that respect their privacy is likely to have a bigger impact on companies' value and profits than fines. One example? In the middle of its latest privacy scandal, Facebook lost $120 billion in market cap in a single day.
- Regulatory actions are appearing across a variety of sectors. Data protection authorities are looking at big tech firms, as we expected, but they are also looking at healthcare, startups, financial services, and utilities, among others. Every business that collects, processes, or stores personal data about its customers and/or employees is subject to the rules.
- Data protection and competition law are slowly coming together. If we recognize that data is an asset, we also recognize that it helps determine firms' market share and position. Assessed together with other market conditions, such as a lack of competitors, data assets can be a means of establishing market dominance or of abusing it. When a firm acquires personal data in a way that undermines privacy, data protection rules and competition law meet. Following this line, competition authorities in Germany and then Italy have pursued enforcement against firms on these grounds. This is interesting not only because it represents a new way of assessing the value of personal data and its impact on competition but also because a combination of remedies from data protection and competition regulators would change the face of the market as we know it.
- Regulatory enforcement action is only one side of a bigger picture. With the value of intangible assets such as reputation and goodwill on the rise across the S&P 500, privacy breaches can have dramatic consequences. It's not by chance that when we asked risk professionals to rate their level of concern about different risks, they put data privacy risk at the top of the list. A privacy breach easily translates into a breach of trust, and customers do not forgive those: They are not only increasingly aware of their privacy rights but also take action to protect themselves. Our data shows that 67% of US adults are not comfortable with companies sharing and selling their data and online activities, and 51% of them report taking active measures to limit the collection of their data by apps and websites. And if that means walking away from a company altogether, they will.
(Written with Elsa Pikulik, senior research associate at Forrester)