I spent the last two months in our New York City headquarters as part of my new role as CA's Global Chief Privacy Strategist. This function was created in addition to our Chief Privacy Officer, who is leading the charge on our privacy compliance efforts globally. I am primarily focused on ensuring the company has a clear view and voice on the important issues around privacy, and more broadly, trust in technology. It also enables me to engage in a wide range of discussions with customers, partners, and press.
Before I head back home to Brussels, I wanted to share some of my observations around the US privacy landscape. But, let me start by answering a question I have heard a couple of times while here:
Why Is CA Investing in This?
In my interactions with stakeholders, the question arose as to why CA, as a B2B company, thinks it is necessary to make these investments. As a B2B organization, we clearly are not in the same position as those companies that directly host a wide range of consumer data. However, we do manage data that is entrusted to us by our employees and by people that express an interest in trying or buying our products. Our customers entrust us with their customers' data when they use our SaaS products. We know we have a duty to be a good custodian of all of this data. Because of this, we need to earn and maintain the trust of all of our data stakeholders on a daily basis. And, if we fail to earn and keep that trust, they won't do business with us. That is why CA is making these investments; that is why our CEO and other executives are speaking up; that is why I have been engaging with a range of stakeholders in the US to get "the privacy pulse" in the States. Here are some of my observations:
Are We Heading Towards a US GDPR?
The GDPR entry into force happened during my time in the U.S. It was quite interesting to see the discussions on GDPR at the moment in time it went live. So, inevitably, the question came up as to whether the US will or even should create a US GDPR. My thoughts? Yes and no. I don't expect a GDPR-style law in the US, which some have called for. Now, people might mean different things when they call for a US GDPR; one is to strive towards the objectives of the GDPR, including taking steps to increase user trust and reduce administrative burdens for industry. Or, they might take it another level down, i.e. focus on the same core principles as outlined in the GDPR. But, some people might actually mean implementing the broad approach taken in the GDPR and transposing that directly in the US system.
We need to be clear on what we are asking for. Personally, I don't believe in talking about privacy in the US context through the GDPR lens as a mere copy-and-paste exercise. First, it polarizes the debate into pro- and anti-GDPR camps instead of focusing on what we actually are trying to achieve. Secondly, privacy culture is indeed different across the world. The US has a specific history and context. To be clear, the above doesn't mean that I am not supportive of the GDPR. I am. It isn't a perfect law, but it is the result of a long process with all stakeholders involved in the context of Europe's history and culture when it comes to data privacy. Yes, it has set a benchmark across the world with regards to its ambition and its profile. But, that doesn't mean it should be implemented in the same way across the world as it is in the EU.
A Federal Privacy Bill
I personally believe in the opportunity and the necessity, in the coming years, to have a federal cross-sectoral privacy bill focused on core principles. In essence, a bill laying a common foundation for privacy law across all parts of the economy. This will require stakeholders to come together and be realistic about where common ground can be found and use that as a stepping stone. But, it will require time and a lot of effort.
So, What Can We Expect in the Short-to-Medium Term?
In short, we can expect more fragmentation, both at the state and federal level.
I do expect more state legislation to follow in California's footsteps. These efforts might not always be "pure privacy laws"; they may mix consumer protection, security, and privacy efforts. Although I welcome the increased focus at the state level on this crucial issue, it creates the risk of divergent approaches and fragmentation.
I see a growing appetite for some federal legislation in an attempt to address some of the crucial issues. This could be in the aftermath of another visible privacy issue or building on a growing consensus on Capitol Hill that core aspects need to be fixed. Such a (sectoral) law would need to look beyond the issue (and company) of the day and ensure this wouldn't have unintended consequences.
I also believe we will see attempts to develop a voluntary privacy framework where industry would take on specific commitments around core principles, which could then be enforced by regulators. Such a framework could exist by itself, but it could also serve as a way to implement potential federal legislation.
And What About a Data Breach?
I will make a wild bet here: I do believe that we will move towards a federal data breach law, if not during the small window in this Congress, then in the next. Ideally, a data breach law would get folded into any federal horizontal privacy push. However, as that might take some time, I do think it is urgent to make progress on such a law separately. But, it would need to ensure that it meets basic aspects such as pre-emption.
The US Privacy Report
I will close with some privacy predictions:
- The next Congress will pass a federal data breach law by early 2020.
- State privacy legislation will proliferate over the next 2 years, creating divergent privacy approaches across the US.
- The next Congress will take a serious stab at addressing specific issues, either via a (tech) sector focused bill or trying to address specific issues (around transparency, control).
- A voluntary privacy framework will be created, allowing organizations to make specific commitments, which would then be enforced by the FTC (and other regulators, depending on the sector).
- Federal cross-sectoral law: we will see a renewed discussion around a privacy "Bill of Rights" during next Congress, but its success remains to be seen as issues like pre-emption and others will influence the debate.
Whatever materializes (or not) in the coming years, I do believe that we will see a lot of traction in the US around this important discussion. I look forward to continuing my engagement and that of CA. Please share your thoughts on where you think things might be going.