I’m back from the wonderful International Privacy + Security Forum organized by Daniel Solove and Paul Schwartz. In addition to starting to learn about GDPR and the EU approach, I also learned something about China’s new cybersecurity law that came into effect June 1, 2017, and how it affects international/global firms like Amazon.
There seems to be a lot in China’s law that has yet to be interpreted or clarified, so it will be interesting to watch as it evolves. One thing I also learned in particular is that since its implementation, the government has not taken any enforcement actions over data security – the only enforcement actions have been over privacy violations, although some of those seem less oriented to privacy and more oriented to politics (cf. the Marriott gaffe and its consequences).
As to the GDPR, well the GDPR actually has very little in it that addresses data security. It’s more about privacy and data protection. For security, my understanding is that we need to look at the NIS directive. If I’m wrong on that, hopefully some EU law expert will correct me. But in addition to this overarching EU layer or law, the GDPR also recognizes a role for individual countries’ laws, so there are still DPOs and DPAs. And not surprisingly to me, some attendees were predicting that some of the German data protection authorities will continue to aggressively pursue a few American-based multinational companies like Google and Facebook.
If you have a chance to attend one of these conferences, do it. I even found a convenient hotel for these trips. Now if I could just make all the road traffic getting in and out of D.C. disappear, I’d truly be in heaven. 🙂
Let me go drink some more coffee and get started updating my blogs. 🙂