Published on the 24/07/2019 | Written by Jonathan Cotton
It’s an increasingly complex regulatory environment but there’s more to come, says Forrester…
Another day, another jurisdiction somewhere passes a slew of new user data laws.
For those tasked with abiding by such laws, it’s already a complicated landscape, from Australia’s troubled encryption laws to the EU’s GDPR provisions to California’s CCPA. It’s a lot to manage.
Well, get used to it, says Forrester. The trend towards more extensive national and international consumer privacy regulation is only set to continue.
“Although GDPR is just one year old, many nations have been inspired by the scope and depth when drafting their own privacy bills,” says Forrester.
“The California Consumer Privacy Act (CCPA) as well as the Brazilian General Data Protection Law (LGPD) have been signed and will come into effect in 2020. Other states are following the example of California; New York recently passed a stringent privacy bill. Countries such as India are drafting their versions, as well.”
The trend poses a real challenge to those operating in and across those regulatory environments, with security and risk leaders consistently ranking compliance with global privacy regulations as one of their top three challenges.
“One year post-implementation, Europe is still working out the particulars of the GDPR,” says Elsa Pikulik, Forrester research associate.
“While GDPR became directly applicable law in all member states of the European Union upon its implementation in May 2018, there are over 50 areas in which member states are permitted to legislate differently than GDPR in their domestic data protection laws. Several countries are still finalising their guidance.”
As businesses increasingly operate across national borders, firms are compelled to stay abreast of the privacy climate across those borders. Failure to comply carries a cost: There have already been more than €56 million in fines levied since GDPR implementation.
But if growing consumer privacy laws are an increasing challenge for business, social media giant Facebook doesn’t seem to have received the memo. Forrester’s new report, Facebook, Inc.’s Scandals Will Not Doom The Company: Regulation Will Only Strengthen It In The Short Term, says that, thanks to a 27 billion-strong user base and formidable data holdings, any new government regulation around user privacy will likely only hurt its competitors.
And while Mark Zuckerberg has spent much of this year promoting his Privacy-Focused Vision for Social Networking, just a few weeks ago Facebook attorney Orin Snyder painted a decidedly less rosy, less user-centric picture of the service during California litigation related to the Cambridge Analytica data sharing scandal: “There is no privacy interest [for users] because by sharing with a hundred friends on a social media platform, which is an affirmative social act to publish, to disclose, to share ostensibly private information with a hundred people, you have just, under centuries of common law, under the judgment of Congress, under the SCA, negated any reasonable expectation of privacy”.
Luckily, saner minds were in the room, among them Judge Chhabria, who thankfully took issue with Snyder’s all-or-nothing approach to privacy, responding: “If I share something with 10 people on the understanding that the entity that is helping me share it will not further disseminate it to a thousand companies, I don’t understand why… that’s not a violation of my expectation of privacy.”
Fair point, but Facebook’s lawyers are paid to argue the point, of course, and Snyder continued to do so, perhaps providing us with a point we should all take heed of: “There is no expectation of privacy when you go on a social media platform, the purpose of which… is to share and communicate things with a large group of people.”