Example: The UK Information Commissioner's Office (ICO) recently levied its highest fine to date - £130,000 - on a council that violated the Data Protection Act. Earlier, the ICO fined a different council £120,000 for similar infractions. In France, the CNIL issued a 100,000 euro fine against Google over certain data collection practices. In addition, a German data protection commissioner fined a company 60,000 euros over data violations.
In the U.S., the Federal Trade Commission (FTC) reached settlements with Facebook, Google, Twitter, Skid-e-kids and other companies on privacy-related infractions. The Securities and Exchange Commission fined three financial executives a total of $55,000 for privacy violations. And FINRA, the Financial Industry Regulatory Authority, fined advisory firms $600,000 for data protection inadequacies.
These are just some of the enforcement events we've witnessed this year.
All the while, plaintiffs' attorneys have entered the courtroom. In the U.S., the number of class-action lawsuits filed for data protection and privacy has exploded. Claims about data breaches, targeting, tracking and data collection are moving through the civil court system.
Although a great deal of thoughtful policy work goes on each day in our field, these events have pushed the privacy agenda forward swiftly.
Existing frameworks are being prodded, poked and turned inside out over concerns that they are outdated, not working, in need of improvement. There is a desire to find new public policy answers for data protection, and, indeed, new answers have been floated. New terms - terms that once might have been the sole domain of boardroom binders and business school textbooks - accountability and privacy by design - have entered the policy parlance. Both of these concepts, in fact, are included in the draft of Europe's new data protection framework.
Looking Ahead into 2012
The policy and enforcement uptake of 2011 will bring even more attention to data privacy in 2012.
Along with the settlements, suits and undertakings come mandatory audits (some over the course of decades), monetary fines and training requirements, factors that will force the affected organizations, and those that are watching and learning from them, to turn more and more attention to data privacy. While in privacy-mature organizations, post-settlement cleanup will be a big undertaking, the cleanup could turn less mature privacy organizations on their heads. There will be an even greater need for expert guidance, and this translates to more growth in the profession and more demand for education and training.
We will see more steam from the enforcement engine as regulators beef up compliance measures. We know that the European Data Protection Supervisor, in addition to data regulators in France, Italy and elsewhere, has increased the number of spot inspections it will conduct in the coming months. In the U.S., the Department of Health and Human Services' Office for Civil Rights has started an aggressive audit program to measure compliance with the Health Insurance Portability and Accountability Act, and state attorneys general have directed more resources to paying attention to data privacy issues. In addition, it is widely believed that there are many more enforcement actions in the pipeline at the FTC.
Also in 2012, we will see more lawsuits. Dozens, if not hundreds, of class actions will be filed. Some will be stuffed; some will be settled.
So, what do you do now to prepare for the inevitability of a litigious and increased-enforcement environment?
- First, get your house in order. There is good faith in hard work. And in the absence of explicitly clear compliance requirements, being able to show strong privacy commitment in your organization is as good as you can hope to achieve. Pay attention to the state of data management practices. Accountability and privacy by design are not just buzz phrases; they are real, and, increasingly, they will be accepted as privacy program requirements.
- Next, mitigate your risk. Class lawyers and enforcement agencies will be on the lookout for bleeding-edge practices that run afoul of consumer privacy expectations, if not laws. Pay close attention to aggressive data practices within your organization. Be vigilant when changing data practices from prior standards. And make sure your organization has strong data breach response plans in place.
- Finally, pay attention. Hundreds of pages of policy guidance will emerge from the European Union, U.S., Canada and elsewhere in 2012. Organizations that use data strategically must pay attention to these emerging standards. Watch for them. If data is important to your company, you should read these reports the day they are released.
Data privacy isn't going away; it's here to stay. Organizations that acknowledge this and act on that knowledge will be rewarded.
Hughes is an attorney specializing in e-commerce, privacy and technology law. In his role as executive director of the IAPP, Hughes leads the world's largest association of privacy professionals.