
The Basics 

Laws, Protection Organizations, and Data Breaches


To follow the conversation around online privacy, it helps to know which laws and data protection authorities exist in the U.S. and around the world.


United States 


ECPA (Electronic Communications Privacy Act) – Congress passed ECPA in 1986. It extended the existing restrictions on government wiretapping of telephone calls to electronic data transmitted by computer, and added rules (the Stored Communications Act) for government access to communications held in storage. The Act has never been substantially modernized: it predates cloud computing, and its best-known gap is that e-mail stored on a provider's server for more than 180 days can be obtained with a subpoena rather than a warrant. The law is even older than the World Wide Web, proposed in 1989, and most U.S. businesses have moved online since then.


Since ECPA there has been no comprehensive federal internet privacy law. U.S. protections remain sectoral (for example HIPAA for health records and COPPA for children's data) and, more recently, state-level, such as California's CCPA of 2018. The U.S. also lacks a dedicated data protection authority; the FTC acts as the de facto privacy regulator only through its general authority over unfair or deceptive practices. The arrival of the GDPR (General Data Protection Regulation) in the European Union has prompted the White House, Congress and even large Silicon Valley companies to voice support for federal privacy legislation. It remains to be seen how the stakeholders will work together, and in whose interest.


European Union 


After years in the making (proposed by the European Commission in January 2012 and adopted in April 2016), the European Union's General Data Protection Regulation (GDPR) became enforceable on 25 May 2018. Its impact was obvious even beforehand, as users received a wave of privacy-policy update e-mails from well-known companies such as Apple, LinkedIn and IBM. The GDPR replaced the Data Protection Directive of 1995. It gives individuals the right to obtain a copy of their personal data and to have it erased, lets regulators across the EU act in a coordinated way, and raises the maximum fine to €20 million or 4% of a company's worldwide annual turnover, whichever is higher. Technology and marketing companies and data brokers are the most affected. A company whose business depends on collecting user data must have a lawful basis for each purpose it processes the data for; where that basis is consent, the consent must be freely given, specific, informed and unambiguous, and must be obtained again if the data are to be used for a new purpose.


The law has already acted as a check on the collective power of technology companies. In January 2019 the Commission nationale de l'informatique et des libertés (CNIL), the French data protection regulator, fined Google €50 million (about $57 million) for failing to inform users adequately about how it combines data across services such as Search, Google Maps and YouTube to personalise ads, and for obtaining consent for that personalisation that was neither specific nor unambiguous. At the time this was the largest penalty under the GDPR, but it will not be the only one: Facebook is under investigation in several European cases as well.


Data Protection Authorities 


Many countries have also established national data protection authorities, independent bodies responsible for supervising privacy matters. Every member of the European Economic Area (Belgium, Denmark, the Netherlands, the United Kingdom, and so on) has had one since the 1995 Data Protection Directive required it; Morocco and Australia have them too, and Brazil's 2018 data protection law (LGPD) created one. Ireland has had an independent Data Protection Commissioner since 1989. Canada has an independent officer of Parliament, the Privacy Commissioner of Canada, who investigates complaints about privacy violations. The U.S. has no dedicated federal data protection authority; the FTC fills part of the role under its general authority over unfair or deceptive trade practices.


Data Breaches


Meanwhile, with neither updated privacy laws nor a dedicated data protection authority in place, the U.S. has seen a series of serious data breaches in the past few years.


In 2018 Marriott disclosed that up to 500 million guests who had made a reservation at a Starwood hotel (Sheraton, Westin and other brands) could have had their name, address, phone number and other personal details stolen, in some cases including passport numbers and payment card data. According to press reports, an unauthorised third party had had access to the Starwood reservation network since 2014. In 2017 the Equifax breach exposed the personal information of over 143 million U.S. consumers (a figure later revised to about 147 million), at an estimated cost to the company of about $439 million; the attackers got in through an unpatched Apache Struts vulnerability (CVE-2017-5638) in a public-facing web application. Besides personal information, the credit card numbers of about 209,000 consumers were taken. In 2014 a cyberattack on JPMorgan Chase exposed the contact details (names, addresses, phone numbers and e-mail addresses) of over 76 million households and 7 million small businesses; the bank said it found no evidence that account numbers, passwords or Social Security numbers had been taken. The attackers reportedly entered through a server that had not been upgraded to require two-factor authentication. The breach reportedly cost the company around $1 billion, even though the bank was already spending about $250 million a year on cybersecurity.
