Three years in the making, European Union officials finally agreed on a draft of the General Data Protection Regulation (GDPR). The EU-wide legal framework sets standards for data collection, sharing and privacy that will replace 28 different sets of national privacy laws. Officials promise stronger personal data protection measures for Europeans and an easier compliance process for businesses. While the new rule package won’t go into effect until 2018, cybersecurity experts are already forecasting greater discussion around data privacy, particularly among U.S. companies, because of GDPR.
The first thing about GDPR that struck security experts at a webinar earlier this month is its complexity. During the event, hosted by incident response provider Resilient Systems, three security and privacy specialists — Bruce Schneier, a leading cryptologist and the CTO of Resilient Systems; Jon Oltsik, senior principal analyst at Enterprise Strategy Group; and Gant Redmon, general counsel for Resilient — discussed their security predictions regarding the 201-page document as we enter the New Year.
It’s not only the length of the legislation that’s intricate — “If you have to say it in 201 pages, it’s going to be complex,” Redmon quipped — but also the fact that, although EU negotiators hope to establish a centralized authority with GDPR, on closer inspection that doesn’t actually appear to be the case, Redmon added.
For example, the rule package stipulates that each member country have its own national data protection authority, called a supervisory authority, to which companies and organizations are required to report data breaches.
“It’s going to start to look more like the U.S. There will be different folks and different bents to compliance that you have in each of these member states,” Redmon said.
He added that even though proponents of GDPR were hoping for more objective data protection standards from the legislation, in the future these codes of conduct will likely be outsourced to different industries.
“Both of these [factors] will have a big effect on industry, and compliance is going to be more complex than people were hoping,” Redmon said.
There is also the danger of over-regulation, which could push data collection activities underground, Schneier warned.
“I’m a big fan of the regulation of privacy … but too little regulation and it’s a free for all; too much regulation and we lose visibility into practices,” he said.
Contributing to this potential over-regulation is data sharing legislation passed by the U.S. Congress last week that takes a different stance from the EU: The Cybersecurity Act of 2015 (CISA). The bill, which was attached to a must-pass spending bill, provides liability protection and antitrust exemptions for companies that choose to share cybersecurity information with federal agencies such as the NSA. Detractors say the law allows companies to bypass civil rights and privacy mandates, including warrant requirements to conduct surveillance.
“Privacy protections have been weakened and Europe is now 200 pages and counting in complication. This is going to be hard,” Schneier said. “We want one single Internet — one single set of rules — and we’re further and further away from that.”
Oltsik agreed, saying that CISA not only waters down privacy but also creates a complete disconnect between U.S. legislators and their EU counterparts. This gap must be bridged in order to address the global problem of what he calls the “Balkanization” of privacy.
“We’re talking about data privacy on one hand and backdoors … on the other,” Oltsik said. “It’s as if we’re debating these issues with a complete lack of cooperation with each other.”