Will GDPR usher in a new paradigm for how companies treat consumers’ online privacy?

Back in 2001, Eric Schmidt, then Google’s CEO, described the search giant’s privacy policy as “getting right up to the creepy line and not crossing it.”

Well, Europe has now demarcated the creepy line – and it falls firmly on the side of its individual citizens. The General Data Protection Regulation, or GDPR, elevates the privacy rights of individuals and imposes steep cash penalties on companies that cross the creepy line – now defined in specific detail.


Europe’s revised online privacy regulations took effect last Friday. European businesses are bracing for disruption – and U.S. companies won’t be immune to the blowback. There are more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses. All of them, from Google, Facebook and Microsoft, down to mom-and-pop wholesalers and service providers, now must comply with Europe’s new rules for respecting an individual’s online privacy.

The EU is expected to levy GDPR fines totaling more than $6 billion in the next 12 months, an estimate put out by insurance giant Marsh & McLennan. As these penalties get dished out, senior management will become very uncomfortable; they’ll be forced to assume greater responsibility for cybersecurity and privacy, and not just leave it up to the IT department.

This is all unfolding as companies globally are racing to embrace digital transformation – the leveraging of cloud services, mobile computing and the Internet of Things to boost innovation and profitability. In such a heady business environment, a regulatory hammer was necessary to give companies pause to consider the deeper implications of poorly defending their networks and taking a cavalier attitude toward sensitive personal data.

Facebook and the Cambridge Analytica scandal, and the wider Russian interference in U.S. presidential and other elections, drove home how poor security practices — including lassitude over the privacy of sensitive consumer data — can fuel nation-state espionage, political manipulation and general oppression of the wider citizenry.

Snowden & Schrems

As GDPR gets established as a stake in the ground, let’s not forget that American whistle-blower Edward Snowden and Austrian citizen Maximilian Schrems should be credited for their respective roles in compelling the United States and Europe to formally address an individual’s right to privacy in the Digital Age.

It was Snowden who outed the National Security Agency’s Prism surveillance program in the summer of 2013. Prism blew over quickly in the United States. But in Europe it intensified public demand for more individual control over personal data collected by U.S. e-commerce companies.

It was Schrems who in the fall of 2015 persuaded the European Court of Justice that trans-Atlantic data transfer rules cobbled together in a 15-year-old agreement, known as Safe Harbor, were insufficient to keep European citizens’ data from the prying eyes of U.S. intelligence agencies.

Then a 28-year-old law student, Schrems was riled by Facebook’s aggressive collection and use of what he considered his private information. Schrems asked Facebook to send him his records and received a truckload of documents.

When Schrems failed to get the Irish high court to rule on his grievances, he took it to the equivalent of the EU’s Supreme Court—and won. The result was GDPR, a sweeping pro-consumer regulation that grants significant privacy rights to citizens of the European Union.

Key provisions

Here’s the core of GDPR:

• It mandates both consent and pseudonymization for any and all personal data collection.

• Data breaches are required to be disclosed within 72 hours (with some exceptions).

• Citizens have the right to access their personal data and information collected on them, as well as the right to correct any inaccuracies.

• Citizens also have the right to have their personal data deleted (within specific limits).

• Companies found to be in non-compliance can be penalized up to 20 million euros, or 4 percent of global revenue, whichever is greater.

Beyond the hue and cry over the initial penalties sure to be meted out, GDPR can be expected to send shock waves reverberating across Europe and the U.S. We’ll soon find out precisely how companies, regulators and citizens react; no one should be surprised if GDPR-related fallout extends for some time to come.

U.S. tech giants – Google, Twitter, Facebook, Amazon and Microsoft – can be expected to take it all in stride. It helps to have hundreds of millions of dollars with which to throw their weight around. Perhaps some aspect of good corporate citizenship will play in as they make the required adjustments. Microsoft alone has hired more than 300 programmers to ensure compliance.

New line in the sand

The new regulations are extensive. One says that any business operating in the EU, or doing business with its citizens, must retain an individual or organization to represent it in any interaction with regulators. And many organizations must also now designate a DPO, or data protection officer.

And yet another rule requires giving individuals the right to ban companies from sharing behavioral data with unknown third parties. This will be problematic, to say the least, for Google and Facebook — corporations accustomed to operating under a “creepy line” privacy policy.

This new line in the sand, known as GDPR, shifts control of privacy back to the individual, where it belongs. And this is a good thing. The current creepy line approach has driven consumers to use ad blockers; given Cambridge Analytica and Russian election meddling, consumer mistrust of corporate exploitation of behavioral data can only increase.

On the other hand, companies that embrace a new paradigm, one that goes above and beyond GDPR to proactively respect individual privacy, stand to benefit. Business practices that seek to earn consumer confidence and trust will lead to trustworthy, sustainable companies over the long term.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: