With Yahoo agreeing to pay $50 million as compensation to victims of its security breach, one of the biggest Internet security breaches has now become history. However, the question remains: are Yahoo and others confident that such incidents will not occur again? Are organizations across the world prepared to protect their customer data?
Over the past year, with new reforms like GDPR being implemented, there have been significant changes in the way organizations view the security and privacy of customer data. One of the reasons for this change is the hefty fine imposed in the event of a data breach.
As per the GDPR mandate, there are two tiers of administrative fines that can be levied as penalties for non-compliance:
(1) Up to Euro 10 million or 2 percent of annual global turnover – whichever is higher.
(2) Up to Euro 20 million or 4 percent of annual global turnover – whichever is higher.
However, GDPR applies only to companies operating in the European region, or to those in other regions associated with them. With data breach incidents rising and taking new forms that leverage new technologies, implementing stringent data protection rules across all regions and organizations has become crucial.
With different countries following different mandates, will there be a consensus on devising a comprehensive data protection policy across the globe? Since there is no geographic limit on where a user or organization can perform a transaction or engage in a business deal, devising country-specific or region-specific rules will not serve the purpose.
Recently, the Government of India drafted its data protection bill along the lines of GDPR; however, it has drawn criticism from many quarters. Among the major flaws reported were the following:
It will affect the BPO/IoT/AI industries, which handle huge volumes of crowd-sourced data.
There is no clarity over which data may be shared outside the country and which may not.
Ambiguity over the right to erase data / the right to be forgotten will affect the stakeholders.
Data localization demands huge infrastructure and capital, which is not currently feasible in India.
The Bill does not address the personal privacy rights highlighted in the recent Aadhaar judgment.
The functions of the State are not elucidated well, especially in the context of the test of proportionality.
The Bill could take away one of the most celebrated privileges of citizens: the right to information.
The scenario is likely to be the same in any other country. Given the vast differences that exist in information access and use across countries, such complexities will not only delay the creation of a data protection framework but also make its implementation even more complex.
For example, a conflict between GDPR and the Indian DPB on a particular clause could result in deadlock on a transaction between two parties, leading to further legal complications and business loss.
In this context, it is important that global leaders and businesses join hands to devise a robust data protection bill that is globally acceptable, to safeguard the identity and data of millions of Internet users.
As Apple CEO Tim Cook has endorsed, a tough law is required to prevent the "weaponizing" of data. Cook and his counterparts from Google and Facebook have expressed their commitment to devising a strong data protection policy.
With GDPR affecting every country and business directly or indirectly, companies, big and small, are under pressure to change the way they handle data. Data governance has emerged as a corporate strategy, and organizations that show commitment toward securing their customer data are set to gain a competitive edge.
In the end, the question remains: how long will it take for governments across the world to draft a consensus data protection bill that can safeguard the interests of their citizens?