Why is the topic important/relevant in 2019?
Data is quite possibly the most valuable asset in today’s business landscape. It forms companies’ big data libraries, fuels marketing, and advertising decisions, advises product and promotion launches, and contributes to many more crucial business decisions. Online privacy is a serious concern globally, from North and South America to Europe, Africa, and Asia. According to the article, The Survey by Big Brother Watch, around 80% of the respondents said that data protection is a serious concern. Another survey, by the World Economic Forum, resulted around 58% stating that it is a serious concern. The survey also found that 59% of people believe that their privacy is not protected on the Internet. Therefore, data protection is one of the most salient topics of 2019. With the world becoming more connected, and developing nations joining the ranks, shortly everyone will be online. The companies and organizations with which people transact will be held to higher standards and will become bigger targets for nefarious actors. These organizations, public and private, governmental or NGO, will be held responsible in the court of public opinion and within the courtroom for failing to keep the general public, and their data, safe. The legal implications of data mismanagement will soon be devastating, not to mention the effect of loss of customer loyalty on bottom lines. New data protection policies and public sentiment will shape how organizations conduct business for years to come.
Real-world examples/case studies supporting the prediction Intro real-world examples
Currently, the United States lacks a comprehensive, overarching data protection policy, but it does have numerous regulations that cover different industries. For example, within the healthcare sector, there is Family Educational Rights and Privacy Act (FERPA), Children’s Online Privacy Protection Act (COPPA), and Health Insurance Portability and Accountability Act (HIPAA). There are similar networks of regulations within technology and financial sectors, and even more, regulations depending on the state(s) which an organization operates. The variations among sectors and between states make data protection adherence difficult for organizations and complicate enforcement for the government. The Council on Foreign Relations says that the patchwork style, “puts U.S. companies at a disadvantage globally as emerging economies adopt simpler, and often more EU-style, comprehensive approaches,” and the CFR calls for Congress to join other nations in their data protection approach, combining the various regulations into one, cohesive federal policy that covers all institutions, fills current gaps, incentivizes companies to prevent data losses, and provides a way to hold organizations that violate privacy accountable.
Another North American county, Canada, has a strong grasp on data protection with its Personal Information Protection and Electronic Documents Act (PIPEDA). However, some believe it could be more comprehensive and in line with GDPR, allowing for individuals to provide and revoke consent for organizations to use their data.
In Brazil, Lei Geral de Proteção de Dados Pessoais (LGPD) was signed on August 14th, 2018 and it goes into effect in February 2020. This piece of legislation is very similar to the EU’s GDPR and covers personal data, extraterritorial application, and lawful bases of processing personal data. Extraterritorial application, which is similar to GDPR, applies data privacy protection not only to operations in Brazil but also to firms whose purpose it is to offer goods or services in Brazilian territory or when data is collected in Brazil. LGPD also outlines lawful bases of processing personal data, some of which differ from GDPR including for public agencies, research studies, legal or arbitration proceedings, and protection of life & safety, among others. Lastly, it specifies the sanctions and penalties of violating LGPD, one of which is a two-percent fine of an organization’s revenue within Brazil.
Other South American nations have similar policies or established governmental oversight, such as Chile, with its Privacy Protection Laws (Law No. 19.628, 19.812), and Peru, with the National Registry for the Protection of Personal Data (NRPDP). These are all examples of how government policies are not only influencing a company’s data protection policies but also requiring certain actions by corporations.
To protect data, the Asia-Pacific region is beginning to develop laws that outline policy. For example, Australia amended the Australia Privacy Act 1998 to include mandatory breach notification requirements that require organizations to report an “eligible data breach” to the Office of the Australian Information Commissioner and notify affected customers immediately. Japan has implemented the privacy law PIPA (Personal Information Protection Act). PIPA deals with personal information. It also creates the amendment PIPC (Personal Information Protection Commission) which is an authority charged with overseeing data protection. China doesn’t have a privacy law but is currently trying to protect the privacy and data security through Cyber Security Law. The law requires consent from individuals to collect and use personal information. The Chinese government forces organizations operating in China to follow the Cyber Security Law, and if companies don’t comply with the law, they receive penalties such as financial penalties or losing their right to conduct business in China.
Many countries in Asia are beginning to implement data and privacy protection legislation, but creating a comprehensive framework to implement in Asian-Pacific countries is difficult as there is no United Asia, similar to the EU. However, companies are trying to make a privacy compliance strategies that follow six core principles of privacy, including notice, choice, security, access and correction, data integrity, and data retention.
Public sentiment and their consequential legal laws and policies has created huge hurdles for any company that does business internationally. From medical devices to social media, data collection is plenty and must be handled carefully, specific to the country of the users.
In the United States, relatively recent events such as the Equifax data breach, DNC email hacking, and Russian interference in the 2016 election challenge the public’s reception towards data breaches. It is an ever-changing reality within American life and something for which companies need to be conscious. A January 2017 study by the Pew Research Center found that, “64% of Americans have personally experienced a major data breach,” and that, “large shares of the public lack trust in key institutions to protect their personal data.” In combination with the U.S.’s piecemeal policies and negative public sentiment towards data protection, companies operating within the United States will be firmly in the crosshairs for their data protection decisions.
After the GDPR was established in May 2018, companies operating in EU nations began updating their internal policies to comply to the stringent new requirements. For example, Facebook added a page to address new policies concerning GDPR and how it affects their advertising business: EU users’ data, specifically cookie usage, would have to be compliant with GDPR in how Facebook obtains consent and will only keep the data for so long as is necessary for the purposes for which it was collected; and that data subjects are informed of the retention period and retention period criteria. Despite these efforts, some companies have already been faced with fines and lawsuits from EU governments.
Microsoft is currently in legal trouble with the Netherlands and could potentially be fined tens of millions of dollars due to the findings of a report commissioned by the Dutch government. The allegations are that Microsoft maintained a ‘large scale and covert gathering of people’s personal information via Office applications.’ An investigation revealed that even though Microsoft tried to make their policies and practices GDPR compliant by storing documents on servers based in the EU, other data with private information was still ending up on US servers. Telemetry and other content such as email titles, and sentences where translation or spell check were used was discovered to be collected and secretly stored on US data systems. These practices are non-compliant with the GDPR due to the lack of transparency in practices, lack of purpose limitation, absence of consent or withdrawal, and lack of legal ground for processing the data.
In an effort to correct the situation, and avoid fines, Microsoft has provided an improvement plan to end all violations; the plan is set to be submitted for approval this April. In the meantime, Microsoft has provided a “zero exhaust” version of applications to system admins. Researchers hired by the government on the matter also recommend a prohibition on Microsoft connected services, a removal of the option for users to send data for “help improve” office; and to avoid using the web-only version or SharePoint Online. For further protections they even suggest VIP accounts be periodically deleted, to ensure that diagnostic data associated with those accounts will be deleted more frequently, and for system admins to pilot alternative software.
Save your time!
We can take care of your essay
- Proper editing and formatting
- Free revision, title page, and bibliography
- Flexible prices and money-back guarantee
To avoid EU prohibition (confusing word choice), Microsoft is expected to meet compliance expectations. This is not Microsoft’s first encounter with privacy laws abroad. In 2013, Microsoft challenged a warrant demanding an email account whose data was stored in Ireland. The grounds were based on the 1986 Electronic Communications Privacy Act that the government could not demand US companies turn over data that is stored overseas. The CLOUD Act, passed by Congress in 2018, worked to clarify that US companies, provided a warrant was presented, would have to turn over data on U.S. citizens regardless of where their information is stored; however, the same act allows companies to reject challenge these requests if they believe the request violates the privacy rights of the foreign country the data is stored in. (Wording?)
Analysis and rationale supporting why or why not the group thinks that the prediction will come true Determine after research Considerations for possible solutions/improvements/advancements (e.g. additional controls, training, etc)
Deloitte Digital Media trends survey, “shows that if consumers are given control over their data, including the right to delete it, they are more comfortable sharing it.” Companies many see increased loyalty from customers by adopting policies that provide more control over data.
Pew: Most Americans do not adhere to the recommended data protection practices, making it more difficult for companies when they may be hacked. The public wants security, but they do not always act like they want security. This presents a challenge to companies, but it is also an opportunity to dictate public sentiment by being a market leader in data privacy and protection.
The most common way to protect privacy is using encryption. Several governments have seen benefits of controlling access through encryption. For example, China’s Anti-Terrorism Law makes it possible to decrpyt and access technical support of telecom or Internet service providers to investigate terrorist activities. Also in India, if the something happens relating terrorism, they use a central monitoring system to investigate the phone and internet services.
With the amount of data being produced globally growing at an exponential rate, data protection has come to the forefront of the news due to regulation changes, as well as public distrust in companies with their personal data. As a result of these two driving forces, organizations have generally been reactive to adjusting their own data protection policies.
The age of the Internet and big data is reflected in the reformation of data protection laws in the EU. Implemented on May 28, 2018, the General Data Protection Regulation (GDPR) replaced Directive 95/46/EC which was put into place in 1995. Times are drastically different than they were in 1995, prompting this change.
Another continent experiencing changes, albeit differently than in the EU, is Africa. With the rise of affordable mobile devices and infrastructure growth, Africa has one of the fastest-growing populations of Internet users. A major difference in Africa compared to western countries in terms of how internet services are provided; in Africa, internet services are given for free in return for access to their data, from Facebook. Along with the rapid growth of internet use, these factors set the stage for a different approach to data protection regulations.
While the GDPR covers all countries in the EU, the data protection laws in Africa are disparate. Although the African Union has established the AU Convention on Cybersecurity and Data Protection (AU Convention), it is up to each individual country to transpose it into their nation’s legislation. Seventeen out of the 54 countries have comprehensive data protection laws, but even within those 17 nations, the laws vary from country to country.
“GDPR will be one of the biggest disruptive forces impacting business models across industries – and its reach extends beyond the EU borders.” – Cindy Compert, CTO, Data Security & Privacy, IBM Security
From the IBM Study: Majority of Businesses View GDPR as Opportunity to Improve Data Privacy and Security, almost 60% of the organizations surveyed embrace GDPR as an opportunity to improve privacy, security, data management or as a catalyst for new business models. IBM created solutions for their customers to become more compliant with GDPR, suggesting businesses to leverage improved policies to gain customer trust.
Because the current climate consists of increased regulation and strong public distrust, businesses have no other option but to adjust their own policies to comply in order to survive. By embracing current regulations, companies not only avoid fines and penalties, but they can also improve consumer trust. Companies who choose to ignore the current climate will be left behind.
Stuck on your essay?
