Exploring the $1.3B fine issued to Meta, plus, US regulatory updates and a new MineOS feature

Data Privacy Happenings

Hello from MineOS's monthly newsletter, The Privacy Mindset! 👋

 

Today, May 25, 2023, is the 5-year mark of the EU's GDPR entering into effect and forever changing the internet.

 

For too many individuals, that change simply meant an abundance of bothersome cookie consent banners that didn't present a clear opt-out anyway, but that just goes to show the work the privacy sphere still has to cover to bring data privacy to where we all know it should be.

 

For many businesses, the GDPR meant getting their act together and treating compliance more seriously than ever. To those companies, we say "thank you."

 

For other companies, like Meta, the GDPR meant needing to find legal loopholes to continue extremely profitable data collection and transfer practices. To Meta's surprise, privacy advocates called them out for this and brought a lawsuit forward virtually the minute GDPR entered into force. 

 

This week, five years and many, many legal steps later, Ireland's Data Protection Commission has thrown down the gauntlet in the form of a record-breaking $1.3 Billion fine. 

 

The legal saga with Meta has been complicated, but it essentially boils down to illegal data transfers Meta conducts from the EU to the U.S., particularly in light of the Privacy Shield between the two being struck down as insufficient in 2020.

 

Meta has nearly exhausted its options in this fight, and while the company issued strong remarks against the Irish DPC's fine and warnings to end data transfers to the U.S. and bring its European operations into compliance within six months, there may not be recourse to do anything other than pay the $1.3 Billion and move on. 

 

The other endgame, of having its services banned in the EU and European assets potentially seized, is much, much worse for the company. 

 

What does this mean for GDPR? For one, it has in fact had a positive effect on corralling some of Big Tech's most exploitative data practices, but EU regulators have not been on the same page consistently enough to extend enforcement to a universal measure.

 

This has left cracks in the application of the regulation, leading to confusion, brazenness from companies like Meta in trying to litigate away objective violations, and subpar PR that has not properly informed enough citizens worldwide of their data rights. 

 

The largest fine in GDPR history is a nice and convenient bowtie for the regulation's fifth anniversary, but we all have to hope the next five years feature a more cohesive narrative, one where companies know exactly how to comply and take the steps to invest in innovative tech in order to do so, and the public becomes even more capable and willing to exercise data rights and reclaim their digital footprint.

Product Spotlight

Properly offboarding old data systems and former employees is just as important to an organization as proper onboarding, which is why one of MineOS's newest features is the "Unused Asset List."

 

The Unused Asset List makes offboarding both items from your data inventory and former staff easier than ever, creating a convenient list that a user can refer to as a reminder of what to completely remove. It's this attention to detail that helps make a privacy program as strong and safe as possible 💪.

Regulation Focus

TIPA Exemption (3)

An individual, firm, association, corporation, or other entity that is licensed in this state under law as an insurance company and transacts insurance business.

 

Data Privacy is picking up incredible steam in the United States, with five state-level regulations having passed and been signed into law already in 2023, and more potentially on the way.

 

The five states to join the fray are, in order: Iowa, Indiana, Tennessee, Montana, and Texas. 

 

While it's great to see legislation being passed and getting the ball going for the very real issues of data privacy in the U.S., much of what is in these laws feels like a placeholder starting point rather than a true stance on individual data rights and corporate data handling.

 

Why is that? Because business-friendliness is too prevalent in these state regulations, which is clearest in the extraordinarily long list of exemptions these bills share.

 

The five new laws are already overlapping with Virginia's and Connecticut's in many cases, making compliance rather straightforward, but some states have taken it further, like Tennessee. 

 

Tennessee's new regulation, the Tennessee Information Protection Act (TIPA), carved out a unique exemption to the law for any licensed insurance agent or company, protecting a massive, billion-dollar industry from having to responsibly handle consumer data.

 

Compromises like this may have been necessary to get any law passed, but it feels hollow and guaranteed to have little effect when the exemption list is twice the size of the enshrined data rights.

Founder's Corner 

CTO & co-founder Gal Golan

Q: On the 5-year anniversary, what is the most important thing for GDPR going forward?

 

A: Like in nature, there are two factors contributing to the GDPR’s success: adoption and evolution.

 

The GDPR should be adopted by more businesses and new authorities. As modern data privacy laws become more widespread globally, they will become an inherent part of how we run businesses and build information systems.

 

In parallel to increased adoption, the GDPR must constantly evolve to stay relevant. Our world is changing rapidly and we cannot afford to have data privacy regulations that are lagging behind. We should focus on creating up-to-date controls that make sense and enable business, rather than being outdated and disturbing it.

 

Upcoming Events

Join us Wednesday, June 7 at 2 PM GMT for the latest in our customer webinar series.

 

We'll be joined by Data.AI's Risk & Compliance Analyst Taufiq Azam to go through a full and practical breakdown of how to implement and conduct data mapping, with real-world examples and takeaways from those who have used MineOS to do it. 

 

We're always around

to talk data privacy.

Get in touch at press@saymine.com 


SayMine Technologies Ltd., 94 Igal Alon st., Alon 1, Tel Aviv, Israel, 6789155
