The Top Ten Privacy and Data Security Developments to Watch in 2018

  • European Union
  • 01/08/2018
  • Bloomberg Law

Sex toys are now tracking personal data, and sharing this data both across geographic borders and for (allegedly) undisclosed purposes. A Canadian company recently settled a class action relating to privacy claims involving “adult sensual lifestyle products” that transmitted various customer utilization data. Even the disclosed purposes for the data collection involved, apparently, “product improvement.” As one reporter covering the settlement indicated, “think twice about connecting those sex toys to the Internet.” Roberts, Jeff John, “Sex Toy Maker Pays $3.75 million to settle ‘Smart’ Vibrator Lawsuit,” Fortune (March 10, 2017).

Now that I have your attention, it is clear that privacy and data security have moved from an issue impacting primarily healthcare and financial services companies to an issue that affects, in large and small ways, virtually every company across the globe. These issues affect litigation, mergers and acquisitions, product development, research, corporate strategy, business partnerships, and, in some way, most activities of most companies. Data is everywhere. And this data is increasingly personal—or at least tied to individuals—and is being examined for its utility in a broad range of areas, many of which were unheard of a decade ago. We are using this data to draw links between activities and to generate insights in areas that we have never before thought of as linked. And with these opportunities come a broad range of compliance, enforcement and business challenges for companies, and new risks (along with at least some benefits) for individuals across the globe.

Thirty years ago, privacy law generally did not exist. Virtually no one at a law firm or company worked on privacy law issues. Ten or fifteen years ago, the area began to grow as a specialty niche in a handful of industry sectors such as health care and financial services. Now, privacy law has become a key foundational knowledge base for many lawyers, and drives full-time employment for a wide array of consultants, compliance officers, data analytics personnel, product engineers, customer service representatives, marketing executives and corporate strategists. The International Association of Privacy Professionals has grown from several hundred people to more than 34,000 members across the world. It is increasingly challenging—even for privacy professionals—to master all aspects of privacy law and practice. With that in mind, what are the main developments to pay attention to in 2018?


The imminent arrival of the European Union’s new General Data Protection Regulation in May 2018 is clearly the dominant privacy story of the year. A recent study by the International Association of Privacy Professionals (with Ernst & Young) indicates that the Fortune Global 500 will spend roughly 7.8 billion to implement GDPR. IAPP also estimates that the GDPR’s global reach will require the hiring of at least 75,000 data protection officers worldwide.

The GDPR—expanding and updating the existing EU privacy directive—creates new privacy and data security obligations not only for virtually every company operating in the EU but also for a broad variety of other entities around the world. The GDPR creates obligations for both data controllers and data processors. All personal data is covered. New data security obligations and breach notification requirements are imposed. The new “right to be forgotten” needs to be implemented. And the GDPR imposes a new array of obligations in connection with anonymous and pseudonymous personal data. The GDPR creates the possibility of enormous fines—up to 20,000,000 euros ($24.12 million) or (in some situations) 4 percent of global turnover, whichever is higher. In addition, the GDPR creates the need for new privacy leadership within many companies, the revision and expansion of tens of thousands of contracts, improved security protocols, new breach notification templates and a broad variety of overall privacy controls. Finally, much like the EU Data Protection Directive, which guided privacy thinking in most countries around the world, the GDPR system likely will motivate more countries to expand their data protection regimes.
