New technologies, whether from Apple, Facebook or other organizations, always cause regulatory confusion. When cars were first developed and sold in large numbers in the early 20th century, the streets were chaos: there were no stop signs, warning signs, traffic lights, traffic cops, driver’s education, lane lines, street lighting, brake lights, driver’s licenses or posted speed limits. The first stop light was not invented until 1923. Uniform street signage did not exist until 1933. Of course, as time went on, automobile regulation became a matter of course.
The same is true of information technology. The first Mac from Apple, introduced a mere two decades ago, had 32MB of RAM. Now for as little as $4 you can get more than 30 times that amount of storage on an SSD thumb drive. It is unsurprising that the growth of storage when combined with the Internet has led to a proliferation of data. This proliferation has resulted in new uses for that data, including misuse, which has led to greater concern and hence greater regulation.
Contrary to popular belief, concerns about data, or more specifically our personal data, have been around for more than 100 years. In the early days of daily newspapers, reporters crashed society weddings and printed pictures of the guests, much to their consternation. This led to speculation about the right to privacy. This right was finally recognized in the U.S. by the Supreme Court in the case of Griswold v Connecticut in 1965. Still, in a world where communication was limited to telephone and paper, utilization or commercialization of private information was quite limited.
This did not stop some regulation. Early regulation included a law governing how the U.S. federal government used information that it received from citizens. Other laws concerning health care (HIPAA) and financial information (GLBA) introduced restrictions on the use of information, but these limitations were confined to specific sectors.
U.S. regulation is not unique or the most advanced. Many countries around the world have enacted privacy or cybersecurity regulations. The most comprehensive was the EU’s DPD (Data Protection Directive) in 1995, which required all EU member states to adopt laws similar to the DPD. It even had an impact far beyond the EU, with Australia and Singapore adopting laws that contained many of the DPD requirements.
However, the DPD didn’t have the global influence of its successor, the EU GDPR (General Data Protection Regulation), which came into force in May 2018. The GDPR made two main changes to the DPD: the Regulation became mandatory across the EU, and it raised the fines for non-compliance to a maximum of 4% of global revenue. South Korea, India, Brazil, and ten other countries have adopted similar laws, in some cases swallowing the GDPR whole.
The GDPR also affects U.S. organizations. Although there is no U.S. legislation that comprehensively adopts the GDPR, as some countries have done, it has had a profound influence on U.S. laws. The paralysis at the federal level has led all 50 states to come up with their own solutions to cybersecurity and privacy. The most notable is the CCPA (California Consumer Privacy Act), which has adopted several GDPR principles, including notice, access, erasure, prevention of onward sale, legitimacy, and private rights of action. About half the states have adopted risk-based requirements for cybersecurity as well as breach notification. New York’s financial regulations adopt concepts such as cybersecurity programs, policies, and data protection officers, all of which are found in the GDPR.
However, there is a problem. When 50 states legislate in this area, there can be 50 different requirements. These can be frustrating and expensive for any business that operates across state lines. The solution is a federal law. Right now, there are almost 20 draft laws in the U.S. Congress. Most are either very specific or lack the breadth of the GDPR, but this may change.
The cost of elections means the U.S. Congress tends to be more amenable to lobbying by corporations or organized groups like Apple or Facebook. If they spoke with one voice, they would have the power to prevent comprehensive legislation. In this case they don’t: Big tech is very divided.
On one side are the privacy advocates, which include Apple, Cisco, and Microsoft. These organizations have business models that would benefit from GDPR-style comprehensive legislation, so they have come out strongly in favor of the model.
On the other side are organizations that want minimal or no privacy requirements and simple cybersecurity regulation. Corporations such as Google and Facebook make tremendous profit from using their customers’ information, so they are against any limitation on ‘borrowing’ their users’ data.
All of these organizations on both sides are exceptionally profitable and have enormous resources. They are well positioned to sway both legislators and the public. If they all were in favor of one law, it would be sure to pass, but they are not.
It is also not necessarily a partisan issue. Legislators from both the left and right are worried about the use and security of their constituents’ information and, more importantly, their own. The result will no doubt be a vigorous debate, but the outcome will be influenced in some way by the GDPR.
Unlike Chinese businesses, American businesses have generally ignored the requirements of cybersecurity and privacy. In China, for example, more than 3,000 organizations are certified to ISO 27001. They have years of experience in ‘borrowing’ U.S. intellectual property and know very well how to protect it.
At IT Governance USA we have decades of experience in both cybersecurity and privacy. We’ve helped hundreds of organizations implement cybersecurity and GDPR-compliant privacy frameworks. With the global influence of the GDPR and the ever-resourceful organized criminals at work, U.S. businesses will need to pay more attention to cybersecurity and privacy. We have unmatched expertise to help you with both no matter what legal outcome prevails.
Contact us at email@example.com or on +1 877-317-3454.