SecurityWeek

Compliance

The Future of GDPR – Dead, Diluted, Detested or Accepted?

“GDPR Day” (May 25th, 2018) has brought a flood of activity. For example, most of us have experienced an overload of updated privacy statements in our inboxes, which can induce privacy fatigue (call it “privapathy”) that ultimately results in ignored or deleted emails.

Meanwhile, complaints have already been filed with multiple regulators in Austria, France, Belgium and Germany – Facebook and Google were hit with $8.8B in claims on the first day. Why so many different regulators? While there is one European Data Protection Board (EDPB), it acts only as a coordinator of the independent EU member states’ “Supervisory Authorities” (SAs), which each handle GDPR enforcement in their own countries. Multinational companies are supposed to deal with a single “lead authority” under the one-stop-shop mechanism, but the prospect of multi-jurisdiction legal complications should be cause for concern.

Other companies have attempted to opt out of compliance with the new regulation by blocking European Union (EU) internet addresses. The Los Angeles Times, the Chicago Tribune, and The New York Daily News are telling visitors that, “Unfortunately, our website is currently unavailable in most European countries.” Of course, geoblocking only helps if the business truly stops processing EU residents’ data: if a company still offers goods or services to people in the EU or monitors their behavior – selling subscriptions or targeted advertising to EU visitors, for example – then it remains subject to the regulation under its territorial-scope rules.

GDPR is proving disruptive for European citizens who are no longer able to interact with services hosted outside the EU. And the compliance costs can be significant as well. But are there legitimate concerns of overreach?

Will GDPR do more harm than good?

The costs paid (and ongoing) are necessary for the “fundamental human right to privacy”, according to the architects of GDPR. But how extensive should that privacy really be? 

On May 25th, Gartner analyst Dr. Anton Chuvakin published a blog post titled, “My GDPR-Inspired Rant: Privacy, WTF!!!” One of his points is that GDPR defines personal data, or personally identifiable information (PII), too broadly. Certain information such as name, email address, phone number and physical address has been public information for decades or even centuries. He also makes the case that there is a social benefit to shared data, such as a pharmaceutical company that pools data from healthcare records to spot a cure for cancer. Having lived in Russia, he also equates “the right to be forgotten” with Stalin-level evil.

So what is the future of GDPR?


Observing this activity and conflict, one can expect GDPR to end up, like other regulations before it, dead, diluted, detested or accepted.

Dr. Chuvakin’s conclusion is that “GDPR will either die a slow bureaucratic death or will destroy Europe’s chance to be a part of the digital future.” This is the “dead” scenario, which we have seen historically in legislation such as the Glass-Steagall Act.

But more commonly, legislation is modified. GDPR itself is an evolution of the 1995 Data Protection Directive, superseding it and extending its reach to companies outside the EU that conduct business with EU residents or companies. In the case of GDPR, though, given the flood of activity and costs, further strengthening seems unlikely. More likely, it would be diluted the way that the Dodd-Frank Act has been reformed.

Another scenario is also likely. Legislation like GDPR tends to get the greatest attention from those most affected by it. EU citizens who can’t access the web sites they prefer, and businesses being fined, will eagerly provide negative news about the regulation. This may not rise to a level sufficient for repeal or modification, but will the negative outweigh the positive aspects such that more people detest it than appreciate it?

Finally, many regulations that begin with similar levels of resistance fade into general acceptance. The Sarbanes-Oxley Act of 2002 (SOX) hardly gets mentioned anymore, as companies have adapted to the compliance routines and costs that it introduced. Will GDPR fade into the background in a similar way?

Whichever path GDPR takes, what is clear is that it will shape the understanding and discussion of privacy worldwide among technology companies and consumer advocates. What isn’t clear is whether the general public will really value their “right to be forgotten”, their “right to access” their own data, and their right to “data portability”, or whether privapathy will lead to a sense that the regulation has overreached. The ultimate outcome will be determined by which group cares the most about it.
