• United States




Looking back at privacy in 2016

Dec 22, 20164 mins

A recap of stories this year underscores an increasing concern around privacy in the digital era.

privacy eye look
Credit: CSO staff

As this tumultuous year comes to a close, here is a look back on some of the biggest stories we saw in the privacy field. Oddly, there is no central theme to these stories – except, perhaps, for the recurring message that privacy is a near-constant concern in today’s information economy.

We started the year with the Apple v. FBI case dominating the headlines. The FBI sought Apple’s assistance in defeating a kill switch that would delete data on the phone of the San Bernardino killer after repeated incorrect passcode entries. Apple refused, citing a concern for the privacy of all Apple users. The debate spiraled into a broader argument regarding encryption and government access to private data.

[ ALSO ON CSO: Privacy at what cost? Apple vs the US government ]

Ultimately, the government withdrew their request after finding an alternative solution to accessing the phone. The issue has not fully gone away, though, with more and more technology companies adding end-to-end encryption to their products. It seems pretty clear that privacy features will become even more marketable in the coming year as customers demand that their data is protected from government access.

Two of the biggest stories of 2016 involved Europe. First, we saw the Privacy Shield negotiations come to a successful conclusion. This agreement between the US and the European Union creates a data transfer “bridge” which allows companies to move data across the Atlantic while complying with tough EU data protection laws. Absent this agreement, companies were left with very few options for such transfers.

[ RELATED: Tech companies like Privacy Shield but worry about legal challenges ]

The deal is not without controversy, however, as privacy advocates on both sides of the pond have expressed concern over US governmental access to private sector data (see: Apple v. FBI). Indeed, the Privacy Shield has been challenged in European court and may encounter tough times ahead as European policy makers express skepticism over US privacy protections.

Second, we saw a massive piece of privacy regulation emerge out of Europe in the General Data Protection Regulation (GDPR). The GDPR replaces the now-outdated EU Data Protection Directive from 1995, and creates a complex new framework of issues for companies around the world. It may spur a talent shortage as well – with the IAPP estimating that over 75,000 data protection officers will be needed under a mandatory provision of the regulation (the IAPP currently has just under 27,000 members globally). Add to this significant challenges in implementing new consent standards for use of data, provisions for data erasure, and the right to be forgotten, and you have enough work to keep privacy pros gainfully employed for a long, long time. It is not hard to predict that the GDPR will be on the 2017 retrospective as well.

On the operational and risk management side, we saw developments in privacy in 2016 as well. One of the more popular topics at privacy conferences was the NIST Cybersecurity Framework. This was a unique opportunity to see the interconnections between privacy and cybersecurity, and NIST should be commended for doing a comprehensive review and providing valuable tools for managing cyber risk, while protecting privacy.

We also had some stories this year that suggested the challenges we will face with regards to privacy in the future. Pokemon GO exploded in the public eye over the summer and so did a debate about the privacy of augmented reality and location-based systems. Amazon Echo and Google Home raised issues of persistent monitoring in our homes. And autonomous cars portend many privacy issues ahead.

In the US public sector, we also saw some impressive movement on privacy. The White House issued OMB Circular A-130, which creates mandatory privacy roles in every agency (more privacy professionals!) and requires a systematic approach to managing data and training government employees. We also saw the creation of the federal Privacy Council, an oversight body made up of privacy leadership across the government. Much remains to be seen as to how much of this will survive in the Trump administration, but it would be a shame to see such positive privacy steps walked back.

That’s my list. It was another busy, busy year for privacy pros around the world. And it only seems to be getting busier and more complex as we head into 2017.

What’s on your list for the top privacy stories of 2016?


As President and CEO of the International Association of Privacy Professionals (IAPP), J. Trevor Hughes leads the world’s largest association of privacy professionals, which promotes, defines and supports the privacy profession globally.

Trevor is widely recognized as a leading privacy expert, appearing at SXSW, RSA and other privacy and technology events. He has contributed to media outlets such as the New York Times, TechCrunch and WIRED and has provided testimony on issues of privacy, surveillance and privacy-sensitive technologies before the U.S. Congress, the U.S. Federal Trade Commission, British Parliament and more.

Trevor previously served as the executive director of the Network Advertising Initiative and the Email Sender and Provider Coalition. He received his undergraduate degree from the University of Massachusetts, Amherst and his Juris Doctor from the University of Maine School of Law, where he is also an adjunct professor and member of the Law Foundation Board.

The opinions expressed in this blog are those of J. Trevor Hughes and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.