In our first episode of “Are You DataSmart?” we introduce the concept of privacy and the fundamental right it is (and is not) depending on where you operate, and how that distinction will affect companies going forward no matter where they are based.
GDPR is global in scope and the monetary fines alone are worth discussing!
Christian: And I’m Christian Ward. And today, I think a great way to start the series is to discuss some of, really an introduction to the legality around data security. I think from the business perspective, there are a lot of things to consider when it comes to what authorities: what laws are out there, what jurisdictions. And as data and the use of data in your strategy is a global approach no matter how small you are, depending on where your customers live, you’ve got to get a sense of what are the sort of regulations and laws that are important to be knowledgeable about.
And I think we’ll start today with sort of that classic understanding of what is the difference, really, between privacy, data security, and the actual, you know, effect on companies depending on how they handle those items. Jay, I’m always reminded of the Benjamin Franklin quote on, you know, “Three men can keep a secret so long as two of them are dead.” And I find it very funny that, you know, we’re trying to build both technology and business models that can sort of handle that level of secrecy, but what is really the main structure out there?
Jay: Well, it’s a great question. And I think a lot of people conflate secrecy and privacy and data security is all kind of one thing. From a legal perspective, secrecy is pretty much nothing, it’s something that you whisper into your pillow. A secret is outside of the realm of national security or the Bank Secrecy Act. There’s really no such thing as secrecy under the law. There’s confidentiality, there’s privacy, and there’s security. And for our purposes, the question is what is data security and what is privacy? Are they the same? And they’re certainly related but to my mind, data security is a means to an end. And if the end is securing information, then data security is the means to achieve privacy.
You know, in the United States, the law doesn’t really have any formal recognition of privacy as a right to be preserved. I mean, there’s some talk about it in, you know, constitutional law cases from the ’60s and ’70s but for the most part, privacy isn’t a critical or central component of how the law works in this country. It’s the complete opposite in Europe. By law, in the Charter of Human Rights and the Treaty of Rome, the Treaty of Lisbon, the European Union takes privacy very seriously, it’s a fundamental right. So, when you’re talking about privacy in Europe, think about it the way we think of free speech in the United States.
So, data security is really what you’re doing to safeguard information regardless of why you’re doing it, whether it’s to protect your consumers, to maintain a business advantage or to secure privacy. Privacy is the end goal, whether it’s by law or just by design. They are separate concepts that are related to one another.
Christian: So, it’s fascinating. I actually was not aware of the concept of, you know, a basic fundamental right to privacy in these other jurisdictions to Queen Europe. That’s fascinating, you know, partially because when we think about it from a business perspective, building out your data warehousing where you have people entering data, where people interact with the data through a UI versus where the data is stored, these are huge questions. The cloud has obviously opened up an enormous new capability for businesses to solve for that. But I tend to think that taking that step back and looking at the historical perspective of privacy as right is kind of an amazing way to then approach data architectures and business approach to managing and handling data. Because it’s just not the way we think here in the United States in terms of privacy.
Jay: Yeah, that’s right. And the interesting thing is you started with the Franklin quote, now throw it back. It seems that the only people who’ve ever said anything ever are Ben Franklin, Thomas Jefferson, and Mark Twain. But one of the things that Franklin…
Christian: Oscar Wilde. I love Oscar Wilde.
Jay: Wilde and Churchill, yeah. So, the Irish, the English, and the Americans are the only ones who’ve ever said anything. But he said that, you know, the great line, you know, “People who would trade a bit of freedom for security deserve neither.” And that’s just…that makes some sense but in the reality of today’s legal framework, it doesn’t because everything is a trade-off between the facility and the convenience of lightning-fast computing, cloud computing, and cloud storage and the right to privacy, whether or not it’s enshrined in legal text. So, one thing that I always, you know, try to caution my clients to do is to evaluate meaningfully what the trade-off is and, you know, how sensitive is the data that you’re handling? If you’re talking about, you know, you have customers and you’ve retained their mailing address and, you know, what their last order from you was and their social security number, I think you can come up with a pretty clear hierarchy of which of those is more sensitive and is subject to more safeguards and needs more security around it.
And, you know, if you understand data as a component of privacy, you know, each individual datum is a piece of the puzzle, the mosaic that creates your digital and online identity, you need to be thoughtful about what you’re doing to protect that data. So it’s, you know, as I said, it’s not a clear answer in any way what’s data, you know, where the lines between data security and privacy and convenience stop but these are the questions that you have to be asking yourself.
Christian: Absolutely. Which kind of brings me to the opening around GDPR, the schema around general schema. And I’d love to touch a little bit on the FTC’s approach to this as well and what their basic frameworks are. Tell us a little bit from the legal perspective what is the general schema around GDPR? And in particular, I’d like to focus on, you know, what are the effects for businesses in the United States and how they interact with companies in the EU?
Jay: So, if you’re not following closely the goings on in Brussels about the data security regulation, then I don’t know why you would be, but if you hadn’t, four or five years ago, you wouldn’t really have known that this was brewing, probably the single most significant data security law in the world. I mean, now probably it is. The general data protection regulation or GDPR is a worldwide regulation, it doesn’t just apply only in Europe. If you process information about European citizens and you market your services there or you have an establishment there, this regulation applies to you no matter where you are in the world.
The GDPR is about creating an enforceable and, in many ways, widely understood framework for data security. And there are a lot of concepts, you know, we can read about them in the blog, you can see them all over the place but there are two primary concepts. One is protecting the fundamental right of European citizens to their privacy, to their personhood as it’s found in information and enforcing those rights through a robust regime. And by robust, I mean violations of the GDPR’s data security requirements can cost the company €20 million or up to 4% of its annual global turnover.
Christian: Okay. Wait, wait, wait. What? Say that again.
Jay: €20 million euros or 4% of annual global turnover.
Christian: Is there any…sorry to interrupt. Is there any person…obviously, this hasn’t gotten to effect yet, but when you say fines like that, I mean, that’s an entire company’s business. What do you expect? Is it going to be on a scale, is it going to be per infractions? So, if there is, you know, 50 instances of a visible face or a face that can be identified, stored somewhere, it shouldn’t…what are you expecting in terms of how they rule on those fines?
Jay: I’m going to give you the classic lawyer answer of we’re really not quite sure yet. But that’s…the truth is we’re waiting to see what this regulation is going to look like in practice. We’re waiting to see how each country’s individual supervisory authority. Because under the federal system that the EU has, each member state will have its own supervisory authority that will enforce and regulate the GDPR. So, if you’re primarily doing business in France, the CNIL will do it. If you’re in Germany, it’s the BFDI. And they’re going to have, you know, idiosyncrasies in the way that they enforce it. So, we don’t know how it’s going to look.
There is an ultimate authority that’s in the European Data Protection Board that can resolve disputes and sort of oversees the process but no one knows how aggressive regulators are going to be from the get-go. You know, there is no exception for small and medium-sized enterprises either. I mean, if you’re Facebook, you’re subject to it. If you are a mom and pop travel agency that, you know, has a one-room office in Belgium, it applies to you too. So, GDPR is unprecedented, there’s never been anything like it before. And the closest thing that I can liken it to in this country is the Securities and Exchange Act in the Securities Act in the wake of the Great Depression. I mean, that was a fundamental change in the way an entire industry was regulated. This is a fundamental change in the way every industry is regulated if that industry is touching data and is touching European citizens.
Christian: Absolutely makes sense. You know, I think we’re set up for some really interesting back and forths between global companies and regulators. But as you pointed out, this is not merely just a, you know, large company or a global company or a concern, it really touches upon everyone. There is no carveout for mid and small-sized companies to comply with these things. So, Jay, I think that’s a great place for us to stop where, you know, we’ve given a pretty good framework around, you know, GDPR, the FTC, and ultimately, kind of the difference that you started within the conversation, which is setting up frameworks to be able to handle these things, to understand the difference between privacy and data security, and that means to an end to ensure that you’re staying in line with all regulations.
Thank you, everyone, for listening to this episode of “Are You DataSmart?” And we’ll be back next week with more information diving into some data strategies and how they also will be affected by company regulation. Thank you, everyone.