GDPR - How long before it goes global?
Updated: Oct 24, 2018
I have been following the recent Facebook data breach crisis with interest. For those who have not, Cambridge Analytica (a UK-based analytics and marketing firm) illegally accessed and used the Facebook account profiles of ~50M people to influence political outcomes, in particular the US Presidential election.
What will be the response of the regulatory authorities to this recent data breach?
My view is that US and other global regulators will fast-track regulation similar to the new European General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. The implications for firms such as Facebook when they suffer a data breach will be significant. If GDPR had been in force at the time of the Cambridge Analytica breach, then the fines alone would likely have been 4% of Facebook's global revenue, US$1.4B. Substantial by any measure.
Some of the key GDPR requirements coming into force on 25 May 2018 include:
1. Privacy by design, e.g. don't let third parties like Cambridge Analytica access private client data via an API.
2. Notification to impacted clients without undue delay, i.e., clients should not discover their data has been breached in the newspapers two years after the breach. This principle is behind the introduction of the mandatory data breach notification law here in Australia.
3. Notification to regulators within 72 hours. This principle has been followed by the Australian mandatory data breach notification law, with implications both for individuals and companies that discover breaches.
4. Clients must consent to data usage - I'm sure when I opened my Facebook account I didn’t consent to third parties using my data to influence elections.
5. Implementation of intrusion detection (no idea whether this was in place at Facebook).
Another key part of GDPR is the right to be forgotten: the right to close your account and have all of your records deleted by the service provider. I suspect many Facebook users would like to be calling on this feature right now if it were available. In 2014 the European Court of Justice ruled that irrelevant and outdated data should be erased on request. The recent UK High Court decision on this subject, in which an unnamed plaintiff prevailed against Google, suggests that legal support for a right to be forgotten exists and is valid.
Data privacy regulation will continue to tighten, and at a more rapid pace, given the scale and frequency of data breaches (e.g., Equifax last year, Facebook this year). Many of these regulations are multi-jurisdictional. So if you are in Australia and have clients in Europe, you are captured by GDPR, which carries fines of 4% of global revenues.
Think twice about off-boarding clients in a specific region to avoid new regulations. Many Australian firms are considering off-boarding European clients to avoid GDPR. As with much regulation over the last few years, data privacy rules are likely to tighten in all regions and, given the need to fast-track them, to follow existing models such as GDPR in Europe. So off-boarding will cut revenues but not the requirement to comply with data protection. A smarter strategy is to ensure that all systems are compliant and to use that as a key differentiator in your market.