When GDPR [General Data Protection Regulation] was first discussed in Europe, one of the key drivers was the need to create a hedge against U.S. technology dominance, with data landlords, such as Facebook and Google, having too much power over EU citizens’ data.
It's the latest manifestation of a belief in Brussels that America’s laissez-faire data protection culture has long been at odds with Europe’s deep focus on citizens’ privacy and safety.
Now with the new legislation just days away, Larry Augustin, CEO of SugarCRM - who has had some strong views on the new regulation before now - believes that it is “inevitable” that the U.S. will follow suit with legislation of its own, bringing it into line with the European approach:
Although GDPR may be the headline right now, there’e been enough public visibility of the issues, and there’s enough public interest, that it would not surprise me to see the US now go down the path of some kind of legislation related to data privacy for consumers.
Data privacy issues are not going to go away. People are thinking a lot here now about GDPR, because Facebook, Twitter, and all of these issues keep coming. And Experian in the US, about managing personal information related to credit card data... there’s just a constant barrage of issues around data privacy and personal information.
Everyone has to address it, whether it’s in the context of GDPR or the next thing that’s going to come along. There is definitely a heightened awareness and interest.
Last month saw Facebook CEO Mark Zuckerberg testifying in Congress around data privacy concerns, with conflicting and evasive messages about his firm's commitment to offering U.S. customers GDPR-level protection. Augustin thinks that other tech firms will be keen to make their positions clear, but this won't be enough in itself:
It’s absolutely the case that companies will respond first with efforts to self-police and even to collaborate around potential standards. But I’m not sure that’s going to be enough to satisfy people, given the level of breaches that we’ve seen, the visibility.
When you have the CEO of Facebook testifying on these issues in Congress, which makes all of the television and news, I’m not sure that self-regulation is going to be something that Congress will accept. And I think we’re likely to see some legislation as a result.
Companies will certainly go down that self-regulation path, but I don't think there’s a lot of trust for that right now. There have been too many incidents. Not daily, perhaps, but almost weekly something comes up. And I don’t think that gives people the confidence that the industry can self-regulate.
That opens up the prospect that the once-unlikely scenario of the U.S. following Europe’s lead on data privacy is now inevitable. Augustin predicts:
I think you’ll see the U.S. following in the footsteps of Europe. Because Europe looks prescient and ahead of us on this, given all of the breaches that are appearing. I think that the U.S. is going to look at what some of Europe has done as a model. You’ll see legislation come down here in the U.S. related to it.
Augustin’s comments came in the wake of the announcement that Cambridge Analytica, the British company at the heart of both the Facebook data scandal and allegations of political manipulation in the U.S. and elsewhere, was entering bankruptcy proceedings.
But according to reports in the FT and The Guardian, another company with the same political, funding, and governance connections, Emerdata, is apparently ready to take its place.
These legal manoeuvres, along with the heightened awareness of just how easily people’s data and beliefs can be targeted by well-financed groups, certainly provided a useful context for a conversation about data privacy.
When diginomica last spoke to Augustin, he suggested that some large organisations – especially in the B2B space – would engage in legal manoeuvres of their own, by ignoring GDPR completely. In December 2017, he told diginomica:
There’s another set of companies that are saying, ‘You know what? This stuff is too ill defined. We’re just going to wait. And rather than invest money now that’s going to be wasted, we’re going to take the risk. We don’t know what it means to be compliant, so we’re just not going to do it'.
Today he stands by that belief that such companies are going to call the regulators’ bluff:
I am still hearing from people that they are holding off until they have greater clarity, with the real drivers for them being the cost of change and wanting to spend that money just once. The way they characterise it to me is that the regulations are in flux, so it will take a while for people to understand the law and what it really means to be compliant. I definitely hear from people that they want to see the answers to that before they go off and do the work.
For Augustin, the core challenge of GDPR isn’t just to do with large organizations ‘toughing it out’, but also the regulation's unintended impacts on smaller players:
People are worried about the amount of personal information that large internet companies can collect and use, and the legislation is motivated in part by that. But I think there’s an unintended side-effect: the fact that the cost of compliance, and the effort of compliance, is difficult for smaller companies.
While the behemoths have the ability to aggregate large amounts of personal information, they can also afford to implement controls for privacy management around that data. But it’s difficult for smaller companies to do that, so you actually end up hurting the smaller companies more with the legislation. I don’t think that’s a consequence that people were expecting when GDPR was created.
Big companies have the lawyers to fight the fines, they have the ability to pay some of these fines, and that’s a small cost for them compared to the value they get from their data. Small companies don’t have those resources and it’s a lot more difficult. So one of the things we have to be careful about with legislation is the rule of unintended consequences. Some of those consequences actually go against the intent.
Another challenge of GDPR comes as an unintended consequence of citizens’ 'Right to be Forgotten', he adds:
If you think about it, a customer has a right to be forgotten, which is a data privacy right, but on the other hand, a business has to maintain accounting records, tax records, and legal records, on its customers. The legislation allows for that, but it isn’t always clear which pieces of information are required for legal compliance.
So if a person asks to be forgotten, then OK, organizations need to comply with that, but they also need to comply with legal, tax, and regulatory accounting requirements that say they have to have a record of transactions and business customers.
This complex mix of issues was the driver for a new addition to the Sugar CRM suite, says Augustin:
That’s why we built the new data privacy manager for Sugar, which is in the latest release. For us this wasn’t about GDPR compliance, but about giving an organisation the ability to manage all the issues around data privacy. Think of it as a command center. Our target user is the data privacy officer, who can now manage all of the issues around data privacy, all of the requests that are related to that. It also stands as a point of record about all of the actions and issues to do with it.
Tied into all of this is another issue - user consent. This rising complexity means that the new age of automation isn’t going to be quite as automated as some people would like to believe. Surprisingly for the CEO of an enterprise suite provider, Augustin agrees, making the point:
We see that in the first few years of this legislation, there is going to have to be a lot of human intervention and decision-making that happens around some of these components. And potentially in the future, as it becomes better understood, more of that can become automated, but right now it’s still open to interpretation, so you need human involvement in these decisions.