Tuesday, July 24, 2018

California’s “GDPR”, concern or red flag?

By Bill Moran and Rich Ptak


Our earlier postings discussed the potential impact of the European Union’s GDPR on American companies as well as federal and state governments. We provided some suggestions for strategic and tactical moves to minimize impact. We predicted a variety of responses, including an increased focus on data privacy. It’s happening.

There is an effort underway linking data privacy[1] to issues of election security[2]. Another is the emergence of GDPR-type legislation in states. California passed what some call their version of GDPR. Other states, e.g. Vermont, are exploring data privacy action.

This post discusses efforts to extend California’s existing privacy law. Legislator politicking and industry lobbying complicated the effort, and both continue now that the current changes have passed. While the actual details of California’s regulations remain undetermined, we provide some advice. Understanding our conclusions requires some insight into the background legislative process and maneuvering that took place. Here are the details.

Amendment or ballot vote, does it matter?

The California legislature passed what is being called California’s GDPR[3]. It is an update to existing privacy legislation. It came about somewhat uniquely. Some legislators wanted a ballot initiative, which requires a vote by California citizens, to incorporate new privacy rules. This path makes future changes difficult, as it would require supermajority authorization by legislators to amend the law.

Others, opposed to comprehensive changes, supported writing a limited set of amendments to the existing bill. This requires only a simple majority of legislator votes plus the governor's approval, no citizen vote needed. Future amendments could be initiated with the same majority. The expectation is that new rules will be amended before implementation.

A legislative deal was made against a ballot initiative. The legislature passed, and the Governor signed a bill approving some proposed changes to become effective in two years. The result is a privacy proposal less restrictive and easier to change (weaken or strengthen) in the future.

The deal avoided any extended discussion of the changes prior to passing. Some industry people opposed the referendum. They can be expected to attempt further changes to the new law before it is implemented. Right now, we do not know any details about what will actually be implemented when the new law comes into effect in several years.

Since the final contents are so uncertain, it would be futile to attempt to tease out details or draw implications from the existing law. We see no reason for anyone outside California to be overly concerned about California’s GDPR. However, that does not mean you should do nothing.

Conclusion

We stand by our earlier advice to those not directly subject to the EU’s GDPR. Two items need attention. First, review security and handling practices involving an individual’s data. Any privacy legislation will include significant penalties for lax policies or process violations of data security. If risky or weak, revise promptly.

Second, examine and validate data backup procedures. Privacy legislation will likely allow individuals to demand that companies reveal any personal information databases. It will likely include rights to control and audit its distribution. Therefore, companies must be able to provide a history of data use if requested[4], possibly going back for some years. And your organization must be able to deal with data erased by accident or error. All of these argue for reliable, validated backups.

Finally, we continue to monitor and comment on events as they evolve at federal and state (California, Vermont, etc.) levels. Multiple ways exist to look at privacy issues. The issues can be technical, legal, political, business, or societal. Our primary focus is on technical and business views, as one might expect.

Occasionally, political or legal issues will demand our attention. For example, an effort that ties privacy issues to the question of foreign interference in election processes could raise such interconnected issues. In addition, the ongoing rollout of GDPR itself drives the need to stay abreast of such issues and developments.[5] We will comment on these issues when we feel it is appropriate.



[2] Here is a concise description of the issue: https://tinyurl.com/y9vt9h8
[3] Previously, California amended its state constitution to include a right to privacy. It appears that there is no question that the legislature had the right (some say the duty) to legislate it. This is important when considering what other states might do. A legal California move might be subject to legal challenges in other jurisdictions.
[5] The current EU action against Google for monopolistic practices in the smartphone market is an example. Monopoly means that a company exerts market power or control preventing customers from freely choosing among alternative suppliers or products. Without defending Google, it is very hard to define a smartphone market as restricted while ignoring the presence of Apple, LG, etc. Be that as it may, many of the EU people involved in this issue are likely also involved with GDPR. This suggests that the EU is focusing special attention on very large American technology companies. Earlier EU actions focused on questions of tax avoidance, directed mostly against American companies, lend some credence to that suspicion. It will be interesting to see how the European courts decide this issue. We will follow and comment as appropriate.