I spent the last two months in our New York City headquarters as part of my new role as CA’s Global Chief Privacy Strategist. This function was created in addition to our Chief Privacy Officer who is leading the charge on our privacy compliance efforts globally. I am primarily focused on ensuring the company has a clear view and voice on the important issues around privacy, and more broadly, trust in technology. It also enables me to engage in a wide range of discussions with customers, partners and press.
Before I head back home to Brussels, I wanted to share some of my observations around the US privacy landscape. But let me start with answering a question I have heard a couple of times while here:
Why is CA investing in this?
In my interactions with stakeholders, the question arose as to why CA, as a B2B company, thinks it is necessary to make these investments. As a B2B organization we clearly are not in the same position as those companies that directly host a wide range of consumer data. However, we do manage data that is entrusted to us by our employees, and by people that express an interest in trying or buying our products. Our customers entrust us with their customers’ data when they use our SaaS products, and we know we have a duty to be a good custodian of all of this data. We need to earn and maintain the trust of all of our data stakeholders on a daily basis. And if we fail to earn and keep that trust, they won’t do business with us. That is why CA is making these investments, that is why our CEO and other executives are speaking up. That is why I have been engaging with a range of stakeholders in the US to get “the privacy pulse” in the States. Here are some of my observations.
Are we heading towards a US GDPR?
The GDPR entry into force happened during my time in the U.S., and it was quite interesting to see the discussions on GDPR at the moment in time it went live. So inevitably, the question came up as to whether the US will/should create a US GDPR. My thoughts? Yes and no. I don’t expect a GDPR-style law in the US, which some have called for. Now, people might mean different things when they call for a US GDPR; one is to strive towards the objectives of the GDPR, including taking steps to increase user trust and reduce administrative burdens for industry. Or they might take it another level down, i.e. focus on the same core principles as outlined in the GDPR. But some people might actually mean implementing the broad approach taken in the GDPR and transposing that directly in the US system.
So we need to be clear on what we are asking for. Personally, I don’t believe in talking about privacy in the US context through the GDPR lens as a mere copy-and-paste exercise. First, it polarizes the debate into pro- and anti-GDPR-style camps instead of focusing on what we are actually trying to achieve. Second, privacy culture is indeed different across the world. The US has a specific history and context. To be clear, the above doesn’t mean that I am not supportive of the GDPR. I am. It isn’t a perfect law, but it is the result of a long process with all stakeholders involved in the context of Europe’s history and culture when it comes to data privacy. Yes, it has set a benchmark across the world with regard to its ambition and its profile. But that doesn’t mean it should be implemented in the same way across the world as in the EU.
A federal privacy bill
I personally believe in the opportunity, and necessity, in the coming years to have a federal cross-sectoral privacy bill focused on core principles; in essence laying a common foundation for privacy law across all parts of the economy. This will require all stakeholders to come together and be realistic about where common ground can be found and use that as a stepping stone. But it will require time and a lot of effort.
So what can we expect in the short-to-medium term?
In short, more fragmentation, both at the state and federal level.
I do expect more state legislation, following in California’s footsteps. These efforts might not always be “pure privacy laws”; they may mix consumer protection, security and privacy efforts. Although I welcome the increased focus also at the state level on this crucial issue, it creates the risk of divergent approaches and fragmentation.
I see a growing appetite for some federal legislation in an attempt to address some of the crucial issues. This could be in the aftermath of another visible privacy issue or building on a growing consensus on Capitol Hill that core aspects need to be fixed. Such a (sectoral) law would need to look beyond the issue (and company) of the day and ensure this wouldn’t have unintended consequences.
I also believe we will see attempts to develop a voluntary privacy framework where industry would take on specific commitments around core principles, which could then be enforced by regulators. Such a framework could exist by itself but could also serve as a way to implement potential federal legislation.
And what about data breach?
I will make a wild bet here: I do believe we will move towards a federal data breach law, if not during the small window in this Congress, then in the next. Ideally, a data breach law would get folded into any federal horizontal privacy push. However, as that might take some time, I do think making progress on such a law separately is needed and urgent. But it would need to ensure it meets basic aspects such as pre-emption.
The US privacy report
I close with some privacy predictions… just for fun.
- The next Congress will pass a federal data breach law by early 2020;
- State privacy legislation will proliferate over the next 2 years – creating divergent privacy approaches across the US;
- The next Congress will take a serious stab at addressing specific issues, either via a (tech) sector focused bill, or trying to address specific issues (around transparency, control);
- A voluntary privacy framework will be created, allowing organizations to make specific commitments, which would then be enforced by the FTC (and other regulators, depending on the sector);
- Federal cross-sectoral law: we will see a renewed discussion around a privacy “Bill of Rights” during the next Congress, but its success remains to be seen, as issues like pre-emption and others will influence the debate.
Whatever materializes (or not) in the coming years, I do believe that we will see a lot of traction in the US around this important discussion. I look forward to continuing my engagement and that of CA. Please share your thoughts on where you think things might be going.