Feeling stressed out about GDPR? I can help! Here are all of my GDPR cartoons and attempts at GDPR humor in one post. It’s much better to laugh than to cry . . .
All posts tagged Privacy
The General Data Protection Regulation (GDPR) has actually been with us for quite a long time (in various forms), but this month is the moment of truth. On May 25, the GDPR will start being enforced.
Here’s a quick timeline of the evolution of the GDPR:
October 1995: Data Protection Directive (95/46/EC) is adopted. The majority of the rules of the GDPR are the same or similar to those of the Data Protection Directive. Thus, much of the GDPR has been with us for more than 20 years.
January 2012: First Draft of GDPR is released.
March 2014: European Parliament votes to support the GDPR.
December 2015: The Trilogue (EU Commission, European Parliament, and EU Council of Ministers) reaches an agreement about the GDPR.
April 2016: European Parliament and Council of the EU formally adopt the GDPR. There will be a 2-year grace period until the GDPR is enforced.
May 2018: GDPR enforcement begins on May 25.
Over at Bloomberg Law, I have a short essay entitled Prime Time for Privacy. From the essay:
The GDPR is a tremendous step forward for the privacy profession, but the maturity of the profession is what makes GDPR compliance possible.
The privacy profession serves a profound societal role. This is the profession that will help shape the future of privacy and guide the development of technology in ethical ways. With the rapid growth of technology, the privacy profession is more essential than ever. This is the profession that thinks about the human consequences of technology and how to bring the dizzying uses of data under control. Privacy professionals are on the front lines of shaping the data-drenched world we’re racing to construct. This profession will affect our lives and our society in profound ways in the years to come.
Read the full essay over at Bloomberg Law.
I have a confession to make, one that is difficult to fess up to on the US side of the pond: I love the GDPR.
There, I said it. . .
In the United States, a common refrain about GDPR is that it is unreasonable, unworkable, an insane piece of legislation that doesn’t understand how the Internet works, and a dinosaur romping around in the Digital Age.
But the GDPR isn’t designed to be followed as precisely as one would build a rocket ship. It’s an aspirational law. Although perfect compliance isn’t likely, the practical goal of the GDPR is for organizations to try hard, to get as much of the way there as possible.
The GDPR is the most profound privacy law of our generation. Of course, it’s not perfect, but it has more packed into it than any other privacy law I’ve seen. The GDPR is quite majestic in its scope and ambition. Rather than shy away from tough issues, rather than tiptoe cautiously, the GDPR tackles nearly everything.
Here are 10 reasons why I love the GDPR:
(1) Omnibus and Comprehensive
Unlike the law in the US, which is sectoral (each law focuses on specific economic sectors), the GDPR is omnibus – it sets a baseline of privacy protections for all personal data.
This baseline is important. In the US, protection depends upon not just the type of data but the entities that hold it. For example, HIPAA doesn’t protect all health data, only health data created or maintained by specific types of entities. Health data people share with a health app, for example, might not be protected at all by HIPAA. This is quite confusing to individuals. In the EU, the baseline protections ensure that nothing falls through the cracks.
In an unprecedented transition, the FTC just got a full slate of 5 new commissioners, three Republicans and two Democrats:
Joe Simons (Chairman) – R
Noah Phillips – R
Christine Wilson – R
Rohit Chopra – D
Rebecca Slaughter – D
It is difficult to predict how the FTC will approach privacy. The new commissioners will be inheriting some high-profile investigations (Equifax and Facebook), and they will also be inheriting the legacy of the FTC as serving as the leading privacy regulator in the United States. There are some, such as Berin Szóka, who argue that the FTC’s power needs to be reigned in. In contrast, I posit that just the opposite is in order: the FTC must pursue a bold enforcement agenda.
The reason is that we don’t live in an isolated world. The European Union (EU) has seized the scepter of leading regulator of multinational companies. Nearly every chief privacy officer at a large multinational company tells me that their focus is 90% or more on the General Data Protection Regulation (GDPR) — the massive and rigorous privacy regulation in the EU that will start being enforced on May 25 of this year. Effectively, for many companies, the regulators they are paying attention to are across the pond.
The US shouldn’t let itself fade into irrelevance. For years, the FTC has been working to convince the EU that there really is meaningful privacy regulation in the US — and I believe that this effort made a difference. Perhaps it didn’t convince all EU policymakers, but it definitely had an effect on some policymakers. This was how the US was able to establish the Privacy Shield Framework, built in the smoldering ashes of the Safe Harbor Arrangement that the European Court of Justice demolished in one swift stroke.