There are good reasons why so few meaningful laws exist to govern the Internet. If there were an easy way to govern it, many more such laws would presumably have been implemented years ago. Cyberspace is a fast moving and ever-changing landscape that caters to criminality, and illegal and outrageous behaviour. No set of laws is going to change that, but it would be wrong not to devote greater resources to strengthen the international legal regime in an attempt to do so. Failure to move in that direction will mean that the world’s nations will simply fall further and further behind the cyber curve. While there is no alternative to implementing an even tougher range of security protocols in such an environment, the world should be realistic about what can be achieved, how quickly, and how effectively from a legal perspective, in this era of Virtual Terrorism.
The EU will implement the most dramatic law of its kind governing data in May. The General Data Protection Regulation (GDPR) will strengthen and unify data protection for all individuals within the EU. When it becomes effective, it will give control of personal data back to citizens and residents and simplify the regulatory environment for international business by unifying the regulation within the EU, replacing a data protection directive from 1995. The GDPR extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It also provides for harmonisation of the data protection regulations throughout the EU, making it easier for non-European companies to comply with these regulations. It comes with a strict data protection compliance cost, however, with severe penalties of up to 4% of worldwide turnover.
There are some truly revolutionary aspects of the GDPR—both from the perspective of the data user and the data provider or processor. Its rollout will be an experiment. Either it will prove to be mostly successful and prompt global companies to modify their data handling methods in some fundamental ways, or it will turn out to be a Kafkaesque, bureaucratic, enforcement nightmare. Global firms are taking the pending implementation of the new rules seriously, and it will cost companies a lot of money to be in full compliance with the new rules. The real challenge will be whether the EU has a monitoring and enforcement mechanism that is up to par with the GDPR, whether and how individuals will report infringements, and whether any of it will make a real difference at the end of the day. Kudos go to the EU for even attempting it.
The GDPR will be the world’s most comprehensive and advanced legal framework for protecting privacy and addressing data breaches. The biggest change to the regulatory landscape of data privacy associated with the GDPR is its extended jurisdiction—it applies to all companies processing the personal data of individuals residing in the EU, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data process “in the context of an establishment”. This topic has arisen in a number of high profile court cases.
The GPDR will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens must also appoint a representative in the EU.
The conditions for consent have been strengthened under the regime. Companies will no longer be able to use long and illegible terms and conditions. Any request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing directly attached to that consent. Going forward, consent must be clear and distinguishable from other matters, and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach. Part of the expanded rights of data subjects outlined by the GDPR will also be their right to obtain from the data “controller” confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose. The data controller must further provide a copy of the personal data, free of charge, in an electronic format. This is a dramatic shift to data transparency and empowerment of data subjects.
Also known as Data Erasure, the “right to be forgotten” entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include data that is no longer deemed relevant to the original purpose for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare subjects’ rights to “the public interest in the availability of the data” when considering such requests.
Contrast the GDPR and the concept of Data Erasure with the direction the US is going. In the last months of Barack Obama’s presidency, the then-Democratic-led Federal Communications Commission (FCC) prepared guidelines that created unprecedented protections for the personal information that Americans put into cyberspace. The Internet data rules created under the FCC would have permitted Internet Service Providers to sell consumers’ browsing data—but only with explicit permission by way of consumers “opting in” to their data being sold to third parties. In 2017, President Trump reversed all that and signed a bill that puts everything any Americans do on the Internet, and all the data generated in the process, on the table for Internet providers to sell to whomever they choose—with or without consumer consent. If you call a car dealership, it is against the law for phone companies to sell information about your vehicle and your interest in selling it, but if you try to sell your car online, the company you pay each month for your Internet connection can now sell that information.
In the past, Internet users could selectively decide whether to use the services of Facebook or Google, or abstain from using them if they wished to safeguard their personal information. That is no longer the case. The Terms of Service we all unwittingly agree to when we use Internet-related services give these companies permission to basically do whatever they want with the information (and images) we voluntarily give to them which was bad enough. Now, they have permission to sell it to whomever they please. The recipients of that information are, in turn, free to do with it whatever they choose to do with that information. That process may now continue ad nauseam.
There is strange legal (and moral and ethical) dichotomy at play here, which is indicative of some of the larger questions that “the law” (to the extent that it exists) is at pains to address on the subject of cybersecurity. This raises a number of questions, such as, are there any boundaries that apply to cyberspace? In order for any law to be meaningful, the individual(s) perpetrating a crime must be identifiable and the law itself must be enforceable. In a world without boundaries, where virtual terrorists operate across borders at will and anonymously, can any law be truly meaningful? Even if and when a perpetrator may be identified, caught, and prosecuted, how meaningful can a law against virtual terrorism be if it catches a fraction of one per cent of the lawbreakers? That is, of course, a question that also applies for more terrestrial crimes.
The truth is, virtual terrorists change their IP addresses, locations, identities, and personas with such regularity, and so quickly, that they can basically act at will, confident that they will never be caught. While some progress has been made in an effort to craft laws with meaning and teeth to battle virtual terrorism, they remain evolutionary, muddled, inadequate, and behind the curve. If ever there was a case to be made for staying ahead of the curve, it would be in the legal realm, because laws take a long time to create, implement, and enforce. As it stands today, virtual terrorists can count on staying ahead of the curve for many years to come because the progress that has been made pales in comparison to the scourge being fought.
Daniel Wagner is author of the new book Virtual Terror, founder of Country Risk Solutions, and managing director of Risk Cooperative.