You might be about to see companies like Facebook, Google and many others whose business models depend on using their customers’ data, scramble in the wake of a case currently in front of the U.S. Supreme Court.
Thomas Robins, a Virginia man, is alleging Spokeo, Inc., a people-search website, had inaccurate (albeit more flattering) information listed about him on their site. As The Wall Street Journal noted, the lawsuit “alleges violations of the Fair Credit Reporting Act, a federal law that regulates credits [sic] bureaus and sets standards over how consumer credit information is collected, stored and shared.”
Each violation of federal law can result in up to a $1,000 fine per instance. If the U.S. Supreme Court rules this violation can take class action status, this could mean violations become extremely expensive.
There’s A Bigger Problem
The bigger problem is that it’s not just social networks that collect, process and transfer people’s data. It’s every company in every industry that uses peoples’ data to better market to them, deliver better services or even provide customer support. Some of the most confounding issues for these companies are actually the result of business practices that are not in any way nefarious or annoying:
Data Backup And Redundancy: For many reasons, including regulatory reasons, companies are required to store and back up their customers’ data. A good data redundancy policy is one where data is backed up, in full, in geographically disparate locations. That reduces the risk that the data will be wiped out by some large natural disaster. For companies located in large countries like the U.S., dispersing data geographically isn’t difficult. But for smaller countries like Belgium or Singapore, it’s next to impossible. To ensure data is backed up and retained for audit and compliance purposes, data needs to be stored outside their country’s borders, which can trigger privacy, sovereignty and security concerns.
Globally Dispersed Teams: Most large organizations have globally dispersed teams that need to work together. For companies to be effective at their sales and marketing efforts, data needs to be analyzed at global and regional levels to identify patterns and opportunities. That same data is often used to provide customer support, do product and service planning and trouble shoot issues and resolve them effectively. With new data privacy laws emerging, it’s becoming very difficult for data scientists, business analysts, product development, marketers and customer support to do their jobs within the confines of emerging data privacy and sovereignty laws.
More Data From More Things: As more things get connected to the Internet — our cars, homes, clothes and watches — those things are increasingly transmitting data. They transmit everything from where they’re located to how fast they’re going, what other devices they’re interacting with and more. Individually, those data points may not reveal private data, but in aggregate they can become incredibly telling about people’s lives. Companies are struggling to define standards on the amount of data required to identify an individual. With enough information, anyone can be identified, as MIT recently proved using credit card metadata. One only needs the dates and locations of four credit card purchases to identify 90 percent of people in the data set.
Changing Privacy Laws Are Being Applied Extraterritorially
Countries and economic areas, such as the EU, are continually crafting new laws relating to data privacy and data sovereignty. Staying on top of those ever-changing laws and adapting technology to comply with those laws is increasingly difficult. For instance, the ECJ has ruled that a person now has “the right to be forgotten,” meaning companies may be required by law to delete someone’s data if they so request. Google was recently told by the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s main data protection authority, that Google had 15 days, as of June 13, 2015, to apply the EU’s right to be forgotten laws — not just on French (.fr) sites, but all sites worldwide.
The British Columbia Court of Appeal in Canada similarly ordered Google to remove content from its sites globally because content violated Canadian laws. This extraterritorial application of laws has wide sweeping impact on e-commerce, privacy, defamation and freedom of information. But, what does it mean to be “forgotten?” Is it enough to be forgotten at a single point in time, but collection of data about you from that point forward is okay? What about data collection for the purposes of providing customer support? These laws are unclear and a constantly moving target.
Law Enforcement Is Getting Clearer
When it comes to issues around use of private data for law enforcement, there are some international agreements taking shape. The U.S. and the EU are in talks about a Data Protection Umbrella Agreement that “is expected to cover issues such as bulk collection of data by law enforcement agencies — which would be limited to specific purposes — as well as reduce data retention limits, and give EU citizens a right of judicial redress in the U.S. if they suspect their personal data is being misused.”
Every country around the world is starting to define and redefine laws about how they want to handle data privacy, because data privacy is no longer just a legal issue, it’s a political, technology and business issue, as well.
What Can Businesses Do?
In this arena, uniquely, technology is lagging policy. Countries are creating laws more quickly than companies can adapt their software to deal with those changes, particularly if they use big data technology or cloud environments.
Here are a few tips for what companies can do to deal with rapidly evolving data privacy laws:
Appoint an executive as Chief Data Steward with responsibility for ensuring compliance with data privacy laws.
Conduct risk-benefit analysis on use and access rights of your data internally to determine if how you want to use the data is really worth the risk to the business.
Think brand-first to avoid mistakes that materially damage your reputation and trustworthiness with your consumers. If you’re storing people’s private data, customer trust is your No. 1 asset.
Have a clear crisis response plan for when laws are breached. You’ll want to bring together legal, finance, IT and line of business management to address the issue.
Have a plan in place with clear chains of escalation so you aren’t caught scrambling.
Implement policy-based controls on your data that not only protect the actual data but the metadata, as well.
Proactively communicate privacy policies to your customers and get their consent wherever possible.
Participate in the conversation at a political and social level.
This Is The New Normal
The challenges surrounding data privacy are becoming more severe as more “things” become connected to the Internet, such as our cars, homes, offices, watches and clothing. Companies collecting data about our personal devices could be sending that data all over the world. Because of this, I expect laws will become stricter, more plentiful and increasingly complicated over the next few years.
Complying with each country’s shifting laws will be a full-time job for most companies, not to mention potentially extremely costly. The old days of being able to buy, aggregate, analyze and infer data about customers without repercussions are gone. Companies need to be able to stay on top of data privacy laws and respond quickly and effectively to this rapidly changing legal environment.