Here are a few takeaways from what I said this week at the InfoGov World Expo virtual auditorium.

  • Is it still “early days for GDPR?” Not if you ask Germany, France’s Commission Nationale de l’Informatique et des Libertés (CNIL), Spain’s Agencia Española de Protección de Datos (AEPD), Denmark’s Datatilsynet and other DPAs who have been hard at work enforcing and issuing fines.
  • Is this enough enforcement? Not if you ask, which is taking the initiative and filing hundreds of claims of its own.
  • Is this enforcement of the wrong kind? Maybe, if you ask the UK’s Department for Digital, Culture, Media and Sport (DCMS), which proposes to relieve the Information Commissioner’s Office of the obligation to investigate every single complaint so it can focus on bigger-picture things.
  • Is the US behind the EU on data protection? Hmm, do you have an hour to read this post? It depends. The US is very well established in incident response laws, and CPRA is instituting a number of key GDPR principles, like fair and lawful, data minimization, retention limitation, DPIAs and a dedicated data protection authority.
  • Are we headed to a US Federal Privacy law anytime soon? I dunno, define “soon.” The bipartisan dichotomy regarding preemption and private right of action is ongoing, but watch this space for increased federal privacy enforcement with the establishment of a Federal Trade Commission Privacy bureau, the appointment of a new commissioner specialized in privacy and the publishing of eight enforcement priorities.