GDPR goes West

Talk of the US adopting national privacy legislation continues to ramp up following last week’s announcement of yet another data breach at Facebook.

Having been no stranger to creating headlines over the past year, the social media giant announced late Friday that a bug exposing ‘a broader set of photos than usual’ affected more than 6.8 million users for 12 days between September 12 and September 25, 2018.

US lawmakers almost immediately questioned why the bug, which was patched after its discovery on September 25, was not disclosed sooner.

Further questions pointed to whether Facebook should be held accountable for the fallout of the security issue, which further confirmed the company’s tendency to save data – such as private photos – that it probably shouldn’t.

“How many more times is Facebook going to compromise its users’ privacy?” was the overarching view, and one offered from Democratic Congressman Frank Pallone via Twitter.

“I’ll be taking a closer look at this failure, along with the many other issues, in the next Congress,” he added.

Facebook, to its credit, said that it had notified the Irish Data Protection Commissioner (IDPC) of the incident on November 22, in order to be compliant with reporting rules under Europe’s newly-enacted General Data Protection Regulation (GDPR) – even though those rules require disclosure within 72 hours.

“The Data Protection Commission has received a number of breach notifications from Facebook since the introduction of the GDPR on 25 May 2018,” the IDPC said in a statement released Friday.

“With reference to these data breaches, including the most recent breach received, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.”

If found in violation of the legislation, Facebook could face a fine of €20 million ($22 million) or 4% of its annual turnover – the Silicon Valley conglomerate has already appealed a previously issued penalty of £500,000 (approximately $630,000) under the UK’s Data Protection Act.

But while things may seem bad for Facebook over in Europe, stateside, calls for reining in the social media platform and its fellow tech giants have reached a point where regulation, according to Apple’s Tim Cook, is “inevitable.”

“Generally speaking, I am not a big fan of regulation,” Cook told ‘Axios on HBO’ in November.

“I'm a big believer in the free market. But we have to admit when the free market is not working. And it hasn't worked here. I think it’s inevitable that there will be some level of regulation.”

He added: “I think the Congress and the administration at some point will pass something.”

Cook, the CEO of one of America’s most successful tech companies, isn’t alone in calling for the US to adopt its own version of GDPR.

Google, along with Microsoft, Amazon, Verizon, and many others, have all submitted comments to the National Telecommunications and Information Administration (NTIA) on how data privacy should be handled on the federal level.

There are currently no protections for consumers under federal US law, and the comments made by industry representatives mark a significant change from the anti-regulation arguments previously put forward by the Silicon Valley lobby, as international privacy scandals such as Cambridge Analytica have forced the tech industry to change its tune.

Internet companies, however – most of which have endured gruelling testimonial hearings before US Congress over data misuse – may have another reason to jump on the ‘national privacy is a good thing’ bandwagon.

In June this year, California passed the first attempt at reeling back Silicon Valley’s power with the California Consumer Privacy Act (CCPA) – a bill poised to come into effect in 2020 that mirrors GDPR in its personal data safeguards.

“The CCPA regulates for-profits that collect data from residents of California, primarily by creating consumer rights of access, transparency, and control over the trail of data,” said Stacey Gray, member of the policy counsel at the Future of Privacy Forum, speaking during a recent webinar on the differences between the GDPR and CCPA.

“It is anticipated that the CCPA will be very influential, not only in the United States, but because California is the fifth largest economy in the world, and the way the law applies may affect other companies operating in the United States, including all major US tech companies,” she said, adding that California had historically been progressive on consumer rights after becoming the first US state to pass a data breach notification law in 2002.

Whether the CCPA has helped pave the way for a federal statute on consumer privacy is a conversation that Big Tech will want to be a part of.

Having thrown millions of dollars into attempts at stopping the CCPA, with its demands for amendments now sitting before Californian lawmakers, industry has turned its attention primarily to acting as the authority over any federal bill.

This was a point echoed by Ashkan Soltani, former Chief Technologist at the US Federal Trade Commission (FTC), in his testimony during a British parliamentary committee’s inquiry into fake news.

“This is currently the first time I have seen in the US when the Administration, Congress and the companies are all aligned to pass federal privacy legislation,” he said.

“[It’s] primarily to pre-empt the California law and to potentially give them carve-outs from GDPR, because the conservative administration feels like it might be oppressive to business.”

Privacy advocates, like the American Civil Liberties Union (ACLU), tend to agree.

“A pre-emption proposal could sweep broadly, foreclosing states from passing new consumer protections, limiting enforcement by state agencies and attorneys general, and invalidating a host of existing protections for sensitive information like Social Security numbers, student data, and more,” the non-profit wrote in October.

“Particularly given the rapid pace of technological innovation, we should be wary of a federal law that locks in place limited nationwide standards that will soon be obsolete and blocks any innovation by the states, which are often more adept at responding to new challenges.”

Google appears to be taking the lead on the matter.

Along with comments issued to the NTIA, the tech giant proposed a framework for national data privacy regulation ahead of its hearing before the US Senate in September, in which five other major tech companies spoke about their approaches to privacy.

Consumer advocacy groups, notably, did not attend the meeting.