The Privacy Landscape in 2016

Privacy has made headlines for years now, and the rise of social platforms like Facebook has brought the issue into focus. In 2016, I expect privacy to remain at the forefront of technology news, especially with increasing digitization and technology innovations like Smart Cities, digitized transport and the Internet of Things (IoT). These technologies are generating amounts of data previously unknown. IT analysts International Data Corporation (IDC) state that by 2020 the IoT will account for 10% of all the data generated on Earth.

One of the most impactful changes in recent years, which affects privacy gravely, is the massive increase in data theft. Since 2013 there have been a staggering 3.7 billion records stolen. This heady mix of technology innovation, data generation and sophisticated cyber threats is creating new challenges for the privacy agenda.

Here are the key privacy issues emerging or consolidating in 2016:

Blurred Lines:  Data and the Corporation
The lines between data ownership are blurring. Personal data under the corporation umbrella become a corporate asset, yet they are still owned by the individual, and there can be serious impacts on that individual if the data gets into the wrong hands. And data are valuable to all interested parties, from the original owner, to the corporation that can potentially use or sell those data, to the cybercriminal who can extort money from the data through the black market. The privacy implication of this triad of interests is clearly complex, creating blurred lines of responsibility and ownership.

The way privacy is addressing these complexities in 2016 and beyond involves technology, visibility, laws, regulations and guidelines.

Corporate Obligations and the Privacy Policy 
Obligations are most often set out in a privacy policy. However, the issue of privacy policy creation has been in flux for years, creating confusion amongst the general public. The evolution of the privacy policy has greater importance as data sharing has increased with social platforms. This evolution took off in 2008 when the Patient Privacy Rights (PPR) Trust Framework was developed. The PPR Framework gave a working set of guidelines, which could be applied to privacy policies to create a clear, user-accessible policy.

Since then, platforms such as Facebook and Google have pushed the limits of privacy policy politics to the nth degree, and much debate within the technology and legal communities has ensued. The Federal Trade Commission (FTC) has instigated a number of legal actions against technology platforms, including Google, for misuse of users’ data. These actions have been partly responsible for a more respectful view of user data by the likes of Facebook and Google, who are starting to take heed and create better privacy policies which, at least on paper, make the companies look like they take user privacy seriously.

While the US continues to have no overarching privacy law, relying instead on a mosaic of federal and state laws, the humble privacy policy remains a very important legal document for redressing privacy violations. In 2016, more than any time in history, the privacy policy needs to be a means of privacy respect and control, as it sets corporate obligations and practices. However, privacy policies issues go beyond words on the page. There should be a user-centric approach to privacy policy engagement that ensures the user understands what the policy covers and how their personal data may be used.

Privacy Laws and Regulations
As I said, the US lacks a holistic privacy legal framework. A number of industry specific guidelines and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA) and the Americans with Disabilities Act (ADA), can be used to develop privacy approaches within a given context, but no single law exists. It will be interesting to see how recent events, such as the Snowden episode and the Apple vs. FBI privacy battle, shape the privacy landscape. The time feels right for a single US privacy law, and the work done in California might be the template. The state of California is setting standards across the board in privacy, including the handling of personal data by online services and online protection of minors.

It looks like 2016 will be the year where at least EU-US communications and privacy will have some positive outcome. The infamous Safe Harbor collapse of last year left EU-US data communications in flux, affecting many companies on both sides of the Atlantic. However, the announcement on 29 February by the European Commission of the EU-US Privacy Shield, which will replace Safe Harbor, is good progress. This agreement sets out the obligations and mechanisms needed to guarantee safety and privacy respecting EU-US data transmissions.

Privacy Challenges Ahead
Visibility of data:  As data generation increases, we need to understand where these data are stored, between whom they are transmitted and the end points being used. Data visibility is one of the keys areas that we need to be aware of to plan for privacy. For example, according to a recent IDC report, around 60% of all data generated by the IoT were duplicate data. Without understanding the data life cycle and where data flow, you can’t begin to truly protect an individual’s personally identifiable information.

The jurisdiction challenge:  The differing approaches to privacy, by jurisdiction within the USA, are a challenge that needs to be met in 2016. Bringing together a common law to manage public expectations is long overdue. The alignment of the planets, such as social media, increased public awareness of privacy, mass data generation and increased cyber threats, is bringing this need to the fore. The US government is taking cyber security threats seriously, with the introduction of the Cyber Intelligence and Protection Sharing Act (CISPA). Perhaps it is time for a similar action to protect privacy across the board.

Desai will speak on Data Privacy at the 2016 North America CACS Conference in New Orleans, 2-4 May.

Avani M. Desai CISSP, CISA, CIA, CIPP, Executive Vice President, Schellman & Company, Inc.

[ISACA Now Blog]