New EU data protection rules a turning point for privacy

On Jan. 24, Facebook announced major privacy changes in advance of the European Union’s new Data Protection mandate, coming into effect later this year. Starting May 25, any company that is non-compliant can face fines equivalent to as much as 4 percent of their annual revenue, forcing a major review of corporate privacy policies across the board that will have an impact far beyond the borders of the European Union.

At the heart of the General Data Protection Regulation (GDPR) is a desire to harmonize data protection policies across the continent, protect European citizens and enforce transparency in how personal data is used in an age of globalization and big data. GDPR has major implications both for marketers and those concerned with the storage and security of personal information. Users want to know who is collecting their personal information, and what it is being used for as they don’t want to receive any unsolicited enquiries. 

Back in 2002, I assisted in creating the New Jersey Biometric Identifier Privacy Act which foresaw a world in which advertisers would find it very useful to cross-reference all of the data that they collect, sell it to third parties and push new offerings without the consent or knowledge of the individual who gave it to them in the first place. The law prevented an entity from collecting biometrics for the purpose of commercial advantage without the person’s authorization, and moreover, prevented the sale or disclosure of the biometric to any third party without user consent, unless required by law or to complete a financial transaction.

{mosads}Since 2002, there have been numerous other state laws enacted in the United States, including the more recent one in Illinois which has resulted in many lawsuits for non-compliance, but we, in the United States still do not have federal legislation that brings it all together.

We are in a new era. In the absence of a unified approach and in an age of digital transformation and continued data breaches, the notions of data privacy and reassessing digital identity are moving front and center. Trusted identity is the new currency, shaping how we conduct our lives in so many ways — finance, health, travel, social interactions, work — and so the stewards of identity databases, at all levels regardless of size, must recognize the enormous societal responsibility that they have.

Several overarching principles are emerging, reflected in the GDPR, Facebook’s announcement, an how other companies large and small are looking at these issues:

Anonymity: Most personal information, like names, addresses, social security numbers, and other identifiers are static and can be linked back to an individual, and as a result, are vulnerable to cyberattack. Behavioral biometrics, which does not rely on PII to establish a user profile to begin with, and by its nature cannot be used to reverse engineer someone’s actual identity, has become an alternative to redefining digital identity.

Privacy by design: Privacy by design is not about data protection, but rather about a systemic approach in which services can be rendered without the transfer of personal data. The FIDO framework, a device-based biometric authentication standard, and the use of Identity as a Service schemes that don’t rely on PII, are examples of privacy by design.

Decentralization of personal information: In light of the Equifax breach, many questions are being asked about the need and sensibility to store vast amounts of personal information in a central database. Federated identity is a concept that has been thrown around with controversy for quite some time, but gaining some momentum now that owning personal data is akin to a hot potato.

Beyond these trends, the Facebook announcement highlights the need for transparency, accountability and control of personal information, but putting all this into practice is easier said than done. The GDPR provides a framework and an incentive for everyone to get to work.

Frances Zelazny is vice president of BioCatch, a cybersecurity company that delivers behavioral biometrics to protect users and data. She providedtestimony last year to the New York State Assembly’s banking committee on cybersecurity threats facing the U.S. financial industry.