Forecasts: what lies ahead for privacy in 2021–2025. Part 3.
Today we will discuss trends and prospects in privacy with Elena Sebyakina, CIPP/E, Data Protection Officer, GDPR consultant, privacy analyst and columnist.
First trend. In 2020, one of the most striking trends began to gain momentum — class action lawsuits (class actions) under CCPA and GDPR from affected users against companies that allowed their personal data to be leaked. Now the controllers of personal data that have violated the privacy of their subjects will face not only fines, injunctions, or audits from the supervisory authority, but also compensation in favor of the subjects of personal data.
The problem is that the main subjects of such lawsuits are not necessarily the victims, but rather the law firms that have found this to be an excellent way to make money. They invite all users who might have suffered some sort of privacy violation (most often, a leak) to join a class action lawsuit and announce the amount of money each subject is going to be paid for their participation. Having started in the United States and the United Kingdom, the trend will soon spread to other countries whose procedural laws provide for class action lawsuits. British Airways, Facebook, Zoom, Walmart, Tik-Tok, and other companies have already received such lawsuits.
Second trend. Starting in Europe, the concept of “privacy as trust”, of which Ari Ezra Waldman, professor of law and computer technology at Northeastern University, USA (https://www.ariewaldman.com) is an apologist, will be further developed in doctrine and law.
The main essence of this approach to privacy is the development of a trust-based relationship between data subjects and their data controllers. This is achieved by strengthening the controller’s obligations in terms of transparency and human-centricity of the interfaces, systems, rules, and methods of personal data processing. Companies will have to become accountable to users and supervisory authorities will have to constantly communicate information about the processing to their subjects, provide them with additional rights and mechanisms for their implementation.
The subject will be expected to have full control over their data, their processing, and the controller itself with respect to the processing.
Third trend. The role of government authorities in the personal data processing industry is increasing, thanks to the general trend toward digitalization of state services. The pandemic has triggered the development of technology, integration and combination of databases.
In each country, it will depend on the development of civil society and the independence of the supervisory authorities: whether they will be able to protect the privacy of the citizens and to act as a counterweight to the state interests. If not, I’m afraid we will have the all-seeing eye of big brother and a significant infringement of privacy rights in such states.
Fourth trend. Not only lawyers and information security specialists will have to become privacy professionals, but also people in marketing, recruiting, programming, and interface design. Professions of privacy programmers, software architects, privacy user experience professionals and the like will emerge.
Privacy will continue to permeate many professions and will require deep knowledge of privacy principles and practices. Even now, when you type in “GDPR” into a search on a hiring website, the leading jobs requiring knowledge and experience in applying this legislation will be in the software engineering and software architecture professions. CEOs of companies, especially tech companies that develop their own products, will also be forced to acquire in-depth knowledge of privacy in order to understand the new reality and not expose their businesses to enormous risk.
Fifth trend. Development of the concept of personal data capitalization. It is clear that personal data has economic value, as evidenced by court practice. Personal data subjects entering into legal relations with companies in exchange for services often provide not only payment but also their personal data, which represents an economic value for the company. Especially if the data subject receives services for free. In fact, this is not true.
The form of payment in such a case is personal data and the opportunities generated by it: to contact the subject, manipulate their behavior and opinion, focus their attention, control their movements, use their time, and many other opportunities. That is, it is a commercial use of personal data that goes beyond the original contract with the subject. Obviously, such opportunities have a definite value to the company and it is ready to defend its interest to retain such opportunities.
A new trend in the coming years will likely be purchasing these opportunities (proprietary rights to dispose of personal data) directly from the subjects of personal data. Perhaps not for money, perhaps for certain discounts and bonuses, but companies will have to pay for something that they previously received from data subjects free of charge.
