The General Data Protection Regulation (GDPR) was adopted in April of 2016 by the European Union and became effective in May of 2018. At a high level, these regulations are fairly straightforward in their requirement to “Protect User Data,” but we see that, like any regulation worth its salt, compliance may not be as straightforward as advertised. As you’ll see, despite the complexities and sea of acronyms to be had, the bottom line is that data privacy compliance will spur corporate spending, leading to an investing opportunity for those who recognize it. With that said, here’s a look at GDPR’s set of regulations affecting companies that collect data on citizens of countries within the European Union.
This legislation looks to lay out a framework that protects “fundamental rights and freedoms of natural persons and in particular their right to protection of personal data.” From the get-go, this is strong stuff. This is targeted at information that users have already provided (knowingly or unknowingly) to companies they interact with online.
Some of the legislation focuses on companies providing transparency into what they are collecting and how they are collecting it — we are already seeing the effects of this in all the banners appearing on websites asking users to accept or modify what cookies are being left on their computer when visiting a website.
But beyond informing users how and what information is collected, companies now have a responsibility to tell users where the data is being routed, and how it is being used. If the company releases collected data to any third party, it is held accountable for any actions taken by the third party, including passing data through geographies or networks that are deemed to be unsafe.
Examples of this include the 2019 investigation of Nokia (NOK) by Finnish officials when they suspected Nokia devices were routing user data through Chinese networks without disclosing the routing to customers. Earlier this year, video conference provider Zoom (ZM) came under fire for its practice of routing calls through Chinese-owned and located servers (as well as hosting encryption keys on those servers). In response, Zoom added the following explicit consent mechanism:
Recently, two California-based companies Salesforce.com (CRM) and Oracle (ORCL) were named in a potential €10B class-action lawsuit filed in the Netherlands (with a similar claim to be filed in London later this month), which claims that the two were collaborating to enhance user information in order to produce more salable/valuable profiles by aggregating user data from third-party sites using their third-party cookies ‘Bluekai’ and ‘Krux.’ The GDPR violation? They allegedly did so without the users’ knowledge, which would be a direct and clear violation of GDPR. One of the interesting parts to us is that real-time bidding on and sale of user profiles is “a thing” and the only issue is how the defendants were collecting the data to be sold.
The case against the two tech giants is being brought by The Privacy Collective, which is a European non-profit focused on consumer privacy. So far there has been no word from Brussels concerning an official EU investigation. We suspect many will be keeping a close eye on this one given not only the size of the potential fines to be paid, but the implications for other companies as well. As the magnitude of GDPR and other related privacy violation fines increases, in some cases to levels that could wipe out a small or undercapitalized company, the fines themselves create another potential motivation for cyber attackers. Per CoreView, there were 31 major GDPR fines of at least €100,000, and so far in 2020, 17 such major fines have been announced.
Sticking with potential fines, one of the provisions in GDPR is that any time fines are assessed, any company held responsible for the infraction has the right to make claims against any and all parties who transported, processed, or were end-users of ill-gotten data. One would assume that culpability, in this case, would be straightforward, as the internet “never forgets,” but expect a flurry of lawsuits following any major penalty outcome as companies battle to limit what percentage of a fine is their responsibility.
These rules also apply to situations where companies are hacked or are the victims of their own mistakes.
In May of this year the iconic French newspaper Le Figaro was found to have exposed an 8TB database comprising almost 7.4 billion records of users’ personal information from its website as well as website traffic. The database was hosted by the service Dedibox (owned by France’s Online SAS), which in turn used Poney Telecom, where, according to researchers, the completely unprotected database resided. No actions have been taken as of yet by the EU, but as the compromised data falls well within the definition of protected user information, it is expected that fines will be handed down. As many have pointed out in the past, the wheels of justice turn slowly but grind exceedingly fine.
Any company dealing with EU citizen data is subject to GDPR regardless of domicile. With the borderless nature of the web, this regulation is having a profound impact on companies around the world. One of the most fascinating aspects of the digital lifestyle in which more and more of our lives are conducted in the virtual world, rather than the physical one, is that the rules that govern our actions, choices, and that protect us are becoming increasingly more global.
This increasing complexity is making it more challenging for new entrants to compete with the existing behemoths, and at the same time, creates new challenges for those same behemoths to adapt to this new reality. It means that as companies battle bad actors and cyberattacks, they must also open their wallets to ensure GDPR compliance as well.
And while we’ve focused above on GDPR, we’d point out that in the last several days California’s Attorney General Xavier Becerra announced the Office of Administrative Law approved the final regulations under the California Consumer Privacy Act (CCPA), which went into effect immediately. So this isn’t just some European thing, but a global trend.
While data privacy isn’t a sector recognized by S&P Dow Jones, data privacy along with cybersecurity are poised to become the digital version of corporate insurance, meaning that it will become mandatory for most if not all organizations. Between now and then, that growing market is one investors should tap into, and long-term we suspect cybersecurity and data privacy stocks will be viewed as essential services, which means ample growth opportunities in a global economy in which growth will become more elusive in the coming years. The opportunities here are particularly profound in a world that is becoming increasingly “virtual,” where physical borders have no meaning. This means that organizations could face crippling fines if they don’t comply with regulations that apply well outside of their physical presence.
There are a few ETFs that offer cybersecurity exposure but few have focused on data privacy the way the Foxberry Tematica Research Cybersecurity & Data Privacy index has. Investors looking to gain exposure to that pain point and subsequent demand driver for data privacy companies should dig into companies such as NortonLifeLock (NLOK), Ping Identity (PING) and Cloudflare (NET), to name a few.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.