A wave of change in data laws

Over the last few years, online attacks have led to negative press and increased scrutiny for a number of high-profile companies, fuelling the already growing concerns regarding user privacy in the digital world.

Last year, Apple faced an intense media spotlight after a controversial hack whereby private and sensitive photographs of celebrities were leaked online, raising doubts over the security of the tech giant’s products and iCloud service.

More recently, the company operating the Ashley Madison website (an online service facilitating extramarital affairs) experienced a disastrous data breach exposing the personal data of over 30 million accounts, and resulted in the CEO of its parent company stepping down. The breach in question was carried out by hacking group The Impact Team, who released names, email address and other personal information of users. Leaked emails also revealed that the company may have breached the computer networks of competitors. The company has been the subject of US legal proceedings and the incident has also been linked to two suicides.

Natasha Simmons, Bristows

So, while the digital age brings an array of benefits, it also creates new privacy risks. According to Jim Dempsey of the Berkeley Center for Law and Technology, data security is “a truly existential issue that directly affects the bottom line. The reputational harm is huge. The legal headaches are huge.” Reputational damage is especially detrimental to a company like Ashley Madison, where the principle of user secrecy lies at its core. Company Boards are concerned, more than ever, with protecting corporations’ reputation following a data breach. If personal information about individuals is held and it is lost or misused, even unintentionally, it is likely that there will be significant consequences.

In light of these new risks, there has been a shift towards the strengthening of consumer privacy and increased regulation, particularly within Europe. The new General Data Protection Regulation (GDPR), intended to address some of the privacy challenges presented by new technology and fulfil the potential of the digital economy, is currently making its way through the EU legislative process.

It is anticipated that the final text will be agreed by the end of this year, with a two year implementation period before coming into force in 2018. Key features of the GDPR include the recent concept of the “right to be forgotten,” mandatory data breach notification and the one-stop shop, among other changes. Companies will have to interpret and apply the GDPR carefully in order to comply with the new rules and minimise the risk of data breaches.

It remains to be seen what the exact outcome of the reform process will be, and just how successful the law will be in playing catch up with technology, but it’s clear that there is wave of legal change approaching which we must prepare for.

Natasha Simmons is an associate at Bristows

You might also be interested in…