The General Data Protection Regulation (GDPR), which is the biggest change to European Union privacy laws in 20 years, is now in full effect. Businesses have had a full year to prepare, but some American companies seem to have decided that compliance isn’t worth the effort.
Mikko Hypponen, F-Secure’s Chief Research Officer, has been tracking some of the companies who seem to be ending or limiting their offering to European customers.
Is this a practical decision? Is GDPR unfair to non-European interests?
“I think they’re missing out on a very important point about personal data,” Erik Andersen, Practice Leader at F-Secure’s Cyber Security Services Delivery, said on a forthcoming episode of the Cyber Security Sauna podcast. “And that is, it is not their data.”
Erik said that we have been living in a “sort of Wild West era” of data privacy. In that metaphor, the GDPR is the sheriff sent to the outskirts to restore some order. You can’t expect everyone to be happy to see the sheriff.
“Organizations who have considered all the data they find as their own, and who have regarded it as their right to use it as they see fit, may certainly view GDPR as an unfair regulation. But they simply don’t get the point that it’s not their data.”
He noted that one of the best advocates of the so-called “New Deal for Data” is actually American, namely “Sandy” Pentland, the Toshiba Professor of Media Arts and Sciences at MIT. The professor makes the case that the tremendous amounts of data being generated present tremendous opportunities both for innovation and for abuse, hence the need for workable guarantees that privacy rights are enforced.
“Collectively, we now have data that could help green the environment, create transparent government, deal with pandemics, and, of course, lead to better workers and better service for customers,” Pentland told Harvard Business Review. “But obviously someone or some company can abuse that.”
With GDPR coming now, at what can still be perceived as the dawn of the “big data” era, customers can reclaim something that has always been theirs — data.
That’s the big idea behind GDPR: citizens deserve control over their privacy.
And while GDPR seems very new to some American companies, the law has been moving in this direction for a while. The regulation, for instance, requires disclosure of data breaches within three days, a game-changing obligation when it generally takes 191 days for companies to identify that they have been breached. But breach notifications aren’t a novelty in the US.
“While there is no federal law on the subject, 47 states in the US already have breach notification laws,” Erka Koivunen, Chief Information Security Officer at F-Secure, wrote in his excellent post on GDPR myths. “That’s why there are so many public accounts of American security breaches. It is not that American businesses are worse ‘in cyber’ than Europeans – they are just more open and honest about their mishaps.”
So in some ways Europe is catching up with the US, and pulling the rest of the world along, toward a world where, as Mikko often notes, “If it uses electricity, it will go online.”