The Battleground Seen from the Two Worlds
Global organizations need a resilient strategy and actionable plans for dealing with the two worlds of privacy, cybersecurity, and data protection and governance: the world of rights and the world of harm. Emanating from Europe and having spread across most of the globe, the world of rights is taking huge, confident strides, looking to some of us who inhabit the world of harm like those long-legged alien vehicles in the War of the Worlds. We all experience the world of rights asserting itself now through the critical Privacy Shield negotiation (see our analysis of current status here), which is is just a skirmish on the way to the great war to transform technology over the next few years represented by the General Data Protection Regulation (GDPR).
The view from the world of rights is the inverse; the long-legged alien vehicles are the NSA and the tech companies invading nations around the world to extract personal information, and the GDPR has been painstakingly constructed to defend the dignity of the individual. Note here that the perceived threats from Europe come from the governments taking regulatory action, and the threats seen in Europe and elsewhere come from the march of innovation in technology and its use in surveillance to the limits permitted by regulation.
Our regulatory world, the world of harm, has not been taking huge and confident strides, resembling more the townspeople milling around in confusion, wondering whether to welcome the aliens, fight or flee, and not able to act effectively either through Congress or the regulators. The GDPR stands there in the sky as a comprehensive and detailed structure for reshaping the relationship between technology and the individual, certainly inconsistent with what we may think technology wants, but clearly and powerfully responding to what technology seems to the world of rights to be. By contrast, U.S. legal foundations for privacy and data security were generally enacted more than 15 years ago in sectoral silos that have been challenged by disruptive technology, and our regulatory agencies have responded to those challenges by swarming in to create many complex, overlapping layers of regulation opaque except to groups of U.S. regulatory lawyers. Now, our lead privacy and technology regulator, the Federal Trade Commission, has gotten itself into a terrible situation in which the first case to really try its data security standards in the federal courts, LabMD, has the worst possible facts and record.
The LabMD Answering Brief to the Federal Trade Commission was filed a week ago, and three FTC Commissioners must now decide whether to side with their staff and make LabMD the horrible record on which the courts may undermine their security standards, or to side with their Chief Administrative Law Judge and fight judicial battles concerning those standards on better facts. As Dissent Doe noted first, the brief reiterates many of the reasons why the FTC should have dropped this case long ago and should look for any way to drop it now. But the brief’s job was not to make all such arguments, was not to tell the whole story told, for example, by the House Committee Staff Report to Rep. Issa, or the Wallace testimony that the ALJ found entirely credible. Many of these issues were discussed further, along with broader constitutional and policy issues, in an excellent amicus brief filed by TechFreedom.
With Congress and our regulatory agencies tying themselves in knots, what of the third branch? Daniel Solove just published an extremely powerful and typically quick analysis of why the unexpected death of towering Justice Antonin Scalia yesterday could result in a new 4th Amendment jurisprudence, undermining the Third Party Doctrine that fails to extend privacy protections to the cloud world in which most of our private, confidential, personal and sensitive data have migrated and will remain, and undermining current limitations on standing in actions relating to surveillance and data breaches. The result could be real, constitutionally-based regulation of privacy in the digital era.
Planning for the Two Worlds
Meanwhile, however, your organization needs that strategy and those plans for dealing with the growing world of rights and the shrinking world of harms. Perhaps you are establishing data centers in Europe, a move that offers optical and legal advantages given that the current structure of European law can never disfavor data kept there, even though governmental surveillance in Europe may be or become much less constrained than in the U.S. That will only help with the data transfer issues, however. Truth be told, beyond all of the hopeful statements about harmonization, the two worlds are not converging on the full range of processing issues; they are diverging (in part because Europe is moving while we stand relatively still). Compliant global companies are used to living in two or more worlds in their dealings with employees, individual customers, and customer representatives. Now companies need to choose whether to design and build their products differently for each of the two major worlds, to try bridge the ever-widening gap, or to focus on one world or another.
Now companies need to choose whether to design and build their products differently for each of the two major worlds, to try bridge the ever-widening gap, or to focus on one world or another.