Rhea Siers, former Deputy Associate Director for Policy, NSA
Rhea Siers, former Deputy Associate Director for Policy, NSA

Data privacy, for all that has been written on the topic, remains a fluid concept, continually evolving as the winds of change sweep through the digital frontier.

At times in 2016, those winds felt like a hurricane.

For Data Privacy Day 2016, SCMagazine.com asked key thought leaders to pull back on the curtain on the very concept of data privacy. They identified key events over the last year that have reshaped public policy and expectations of what happens—and what should happen—to personally identifiable information when users go online.

Many of the most important developments have had a Eurocentric flavor to them. For instance, the European Court of Justice in October 2015 struck down the European Commission's Safe Harbour Decision that had declared the data exchange framework established between the U.S. and Europe as secure. Albert Gidari, Director of Privacy at Stanford University Law School's Center for Internet and Society, called the decision a “watershed moment” because it “largely invalidated Safe Harbor data transfers to the U.S. and called into question all other bases for data transfer to the U.S. as well.”

On the other hand, “Critics note that individual European government surveillance practices will continue, while U.S. companies are targeted, using privacy as a commercial mallet,” cautioned Rhea Siers, Scholar in Residence at George Washington University's Center for Cyber and Homeland Security, and former Deputy Associate Director for Policy at the National Security Agency.

The European Union also reached agreement on its landmark General Data Protection Regulation, which gives citizens increased control over their personal data and sets continent-wide standards for the export of personal data outside of Europe. Omer Tene, Vice President of Research and Education at the International Association of Privacy Professionals, called the regulation a “once-in-a-generation legal reform which will shape the web's next decade.

But these victories for online privacy advocates were counterbalanced by calls for stepped-up surveillance following the shocking Paris terrorist attacks and other global ISIS-driven violence. Reports of terrorists communicating with each other through encrypted messaging applications have prompted a new round of security vs. privacy debates, including whether or not technology vendors should provide encryption backdoors and keys to federal enforcement agencies to prevent the next attack.

“The Paris nightclub massacre unleashed a wave of security measures that, as we know in the U.S. post-9/11, will take a long time to roll back,” said Gidari.

In the U.S., the Cybersecurity Act of 2015 was passed after years of false starts—albeit by folding the legislation into a larger spending bill. The act aims to accomplish many of the same goals outlined in President Obama's February 2015 executive order on cybersecurity: to encourage and incentivize collaboration and cyberintelligence sharing between government agencies and corporate entities.

Policies that didn't passed were in their own way significant. Efforts to implement a federal data breach notification law stalled, despite mounting concerns over the latest barrage of cyberattacks—most notably, the hacking of the U.S. Office of Personnel Management. “The OPM hack seemed to motivate Congress, but definitive action is still pending,” noted Siers. Discovered in April 2015, the OPM breach compromised the records of at least 22.1 million people, and was reportedly perpetrated by Chinese hackers.

Data breach fears also grew, added Tene, due to the “increased rollout of the Internet of Things (IoT), with smart cities, smart cars, smart toys and a whole variety of devices talking to each other and silently documenting our digital trail.”

But with all that has changed in the last 12 months, has the average citizen's expectations of privacy been transformed in proportion?

“I think there are significant shifts in consumers' expectations concerning timely breach notification,” said Siers. “There is growing consumer concern that they are vulnerable to breaches and growing fears that companies on the web simply can't guarantee the privacy of their users, from medical records held by health insurers to Ashley Madison.”

New research indicates that certain views on privacy may be as much as rooted in generational influences as they are by current news and events. A survey study released this month by the Center for Generational Kinetics found that Generation Z members (those born no earlier than the mid-to-late ‘90s) are least concerned about their privacy compared to older generations when it comes to paying with mobile apps or using social media. In contrast however, they are more concerned about privacy when sending and receiving messages (38 percent of Generation Z members compared to 29 percent of Millennials.)

While generational differences may exist between in terms of privacy expectations, these differences are “related to usage of technology, not just to age,” argued Siers.

Gidari seemed to agree, adding, “The privacy impacts of new technology have been experienced by each and every generation. The telephone, camera and hearing aids all raised red privacy flags in their time. But as technology gets adopted, laws catch up to address perceived privacy inadequacies, usually just in time to meet the next innovation.”