Data is fueling the Manufacturing 4.0 transformation, but manufacturers find that incohesive privacy regulations challenge their ability to innovate.
By Stephanie Hall
The digital transformation underway in Manufacturing 4.0 is all about data, with its applications reaching across shop floors, supply chains, products and the customer experience. Data is a tool for realizing new potential in existing operations, and it also represents new business opportunities in a digital manufacturing environment.
Technological advances rooted in data are not happening in isolation. They are moving forward at the same time as society is grappling with fundamental questions about the privacy implications of data collection and use, and as governments are developing regulations motivated by privacy concerns. The rapid speed of data-driven change combined with a shifting regulatory environment on data privacy has created challenges for manufacturers.
Manufacturers are pushing for certainty from federal policymakers on data privacy and making the case that overly prescriptive and constantly shifting privacy laws create a regulatory burden that distracts from the development of next-generation technologies and products. But the opportunities and benefits of data applications should not wait, and manufacturers can still realize data-driven transformation in this environment.
Europe Makes the First Move on Data Privacy
The regulatory landscape on data privacy experienced a massive shift when the European Union enacted the General Data Protection Regulation (GDPR), which went into effect in May 2018. The GDPR is a comprehensive data protection law with mandates on the collection, use and protection of personal data. It applies to organizations that are located in the EU or provide services to individuals in the EU, as well as organizations that collect or analyze data on residents of the EU (even if they are located outside of Europe).1
Initial compliance efforts were a shock to industry and recent high-profile enforcement actions have continued to keep industry’s attention on the law. The GDPR allows for penalties of up to 4 percent of a company’s global annual revenues or €20 million, whichever sum is greater, for violations of its provisions. Within the GDPR’s first year and a half in action, there were thousands of complaints filed, resulting in more than 150 enforcement actions with a wide range of penalties.2 In one of the more notable enforcement actions, French data authorities fined Google $57 million last year for a lack of transparency in its collection and use of data in online advertising. Similarly, the British data enforcement authority fined British Airways $230 million for a data breach that resulted in the loss of customer information.3
While the concept of safeguarding privacy through regulation is not entirely foreign to the United States, U.S. policymakers have generally taken a different approach than European regulators. To date, the United States has pursued a sector-by-sector approach to the handling of data, creating frameworks specific to segments of the economy. For example, the Health Insurance Portability and Accountability Act governs the health care industry and the Gramm-Leach-Bliley Act provides privacy rules to the financial services sector. The GDPR in the European Union represents a break from these sector-specific laws by applying to a comprehensive swath of personal information in all sectors and across multiple entities.
As companies under the purview of GDPR work to understand the law and develop compliance programs, even companies outside of the EU’s privacy mandate understand that the ground has shifted on privacy regulations. “With the GDPR’s extraterritorial application and threat of fines based off of global turnover, companies around the globe, including those with limited EU reach, were forced, whether as a matter of law or customer relations, to take steps in furtherance of GDPR compliance,” said Jennifer Kashatus, a data protection and cybersecurity expert and partner at DLA Piper LLP. “For some companies, compliance was an update of an existing data protection program,” she continued, “but, for others, it required a paradigm shift in the company’s attitude toward data protection: data protection could not be viewed as limited to companies that dealt directly with consumers, but was relevant to any company that handled personal data, whether of business customers, employees, or otherwise.”
Another First-in-the-Nation Regulation from California
In 2018, the state of California followed the EU’s path and enacted a sweeping privacy law, the California Consumer Privacy Act (CCPA). That law provides a broad definition of the scope of personal information and requires for-profit entities to provide California consumers with information about the data they are collecting, as well as greater control over the use and sharing of that data.4 With passage of the CCPA, California helped catalyze the broader privacy debate in the United States.
The CCPA applies to California businesses that earn $25 million in revenue or more per year, companies that receive 50,000 California consumer records per year or entities that derive a majority of their revenue from the sale of personal information. It went into effect in January of this year with enforcement to begin six months later. The law provides the California attorney general with general enforcement authority over the provisions of the law and it also includes a private right of action that allows individuals to sue in the case of data breaches.
Many questions remain for industry on the CCPA, and answers will continue to be a moving target. California regulators are currently undertaking rulemakings to develop details on provisions of the law ranging from the notice businesses must provide consumers to processes for handling consumer rights requests and what companies must include in their privacy policies.5 Privacy advocates are pursuing additional ballot initiatives and follow-up legislation that could further change industry’s obligations.
An economic analysis prepared for the state pegged initial compliance costs of the CCPA at an estimated $55 billion, or 1.8 percent of California’s gross state product in 2018.6 The law was widely perceived to be targeted at technology platforms and internet companies, but it captures a much broader segment of the economy. An estimated 27,000 manufacturers in California alone must comply with the provisions of the CCPA law.7
Just as the impacts of the GDPR were not confined to the EU, the CCPA’s impacts extend far beyond the West Coast. The law covers businesses outside California that provide goods and services to consumers in the Golden State. And, because California is the fifth-largest economy in the world, regulatory impacts there have an outsized effect across the country. The CCPA has also led other states to pursue their own data privacy legislation, with legislatures in states such as Washington, Illinois and New York drafting their own versions of the CCPA. In the wake of these developments, attention has shifted to federal policymakers to consider a better approach to privacy policy.
A Call for a Federal Privacy Policy
The prospect of a state-by-state regulatory approach to privacy in the United States poses real challenges to manufacturers, which is why industry has been advocating for a unified federal privacy standard that protects individuals’ privacy while promoting U.S. innovation and industrial competitiveness.
A patchwork of state privacy laws and unpredictable regulatory changes on data privacy undermine the ability of organizations to manage privacy risks, protect consumers and make business decisions with the certainty they need. State-by-state privacy requirements create conflicts for manufacturers, their operations and their processes due to the interstate nature of data flows. They stall innovation by creating a regulatory burden that distracts from the development of next-generation technologies and products.
Managing shifting data privacy regulations poses unique challenges to manufacturers because they design and build security and privacy into their systems and products. It is often an extensive process to adjust those systems and products in the face of evolving data regulations. A federal privacy policy would provide much-needed certainty to industry, strengthening business and supporting consumers.
Given the international aspects of data privacy regulation with GDPR, manufacturers also need a federal privacy framework to be interoperable with global privacy frameworks. This is necessary to ensure U.S. manufacturers with global operations and international data flows are not stymied by conflicting international frameworks. With 95 percent of the world’s consumers located outside the United States, manufacturers benefit from regulatory certainty in global business enterprises. A confusing and inconsistent regulatory privacy regime deters U.S. manufacturers from seeking access to new markets to drive job growth here or from delivering the best, most advanced products to their customers in different markets.
Manufacturers Are Prioritizing Innovation
There is a lot at stake for manufacturers as data privacy regulations take shape.
With data-driven solutions, business and operations leaders are making process improvements to increase productivity and reduce costs. Plant managers are integrating data applications into their daily operations to improve the way machines run, streamline repairs and improve plant safety. Information technology and security professionals are managing digital infrastructure transitions across organizations, upgrading systems and building security into products and processes.
For consumers, connected devices are providing opportunities for convenience and efficiency. For example, Whirlpool has created a line of smart appliances driven by consumer preferences that improve users’ experiences. Privacy, security and safety are fundamental components of the development and design of these new systems and products, but the unpredictability of privacy regulations proves challenging.
According to Nathan Rohrer, Chief Privacy Officer at Whirlpool, it is difficult for the company to invest in specific compliance solutions knowing they could quickly be made obsolete by a reformed CCPA or a new state law. “A strong, comprehensive national privacy law will give us the certainty we need as the connected appliance market continues to grow,” said Nathan.
Needed: Innovation in Privacy Policy
While companies are prioritizing innovation in combination with privacy and security, they need policymakers to do the same. For manufacturers, the benefits of incorporating data into their operations, products and services are as vast as the data sets themselves. It is critical that U.S. policies promote this continued progress rather than chill the innovation potential of data.
The types of data in play across the manufacturing ecosystem are diverse. Data policies should acknowledge the diverse ways that organizations are integrating data into their operations and products and account for the fact that different types of data have different implications and risks for privacy and security. Organizations should have the flexibility to develop risk-based privacy practices suitable to their business models. Federal data privacy policies must be flexible enough to account for various types of data, including consumer data, business-to-business data and data from digitized shop floors.
There are lessons to be learned from the GDPR by looking at the law’s impacts on companies, technologies and the factors necessary for innovation. Experts have pointed out that data minimization requirements in the GDPR are at odds with progress in automation and machine learning. And purpose requirements, which make organizations identify the purpose of the data collection before it takes place, would foreclose unanticipated breakthroughs that arise from new insights into the potential of preexisting data sets.8
We know that small businesses and start-ups are key parts of an innovation ecosystem, and it is critical that data policies not undermine small businesses and thereby extinguish this critical source of new ideas and groundbreaking technology. Unruly regulations can have an outsized impact on small businesses because they have fewer resources to devote to pay for consultants, lawyers, privacy professionals and new technology solutions. If a small business has limited products and services, it is less able to evolve if regulations foreclose one of those offerings. The GDPR is seen as stalling the ability of European start-ups to gain momentum and as a barrier for smaller U.S. companies to make it in Europe.9
These are important lessons for U.S. policymakers. Federal data policy in the United States should take account of the constantly evolving nature of technology and be flexible enough to work for the data-intensive innovations of the future, including automation, artificial intelligence, quantum computing and other developments in advanced manufacturing.
Continued Progress through Data
While the regulatory environment remains uncertain, manufacturers are continuing to see progress and gains from data, and they continue to embrace data-driven transformation. According to PwC, 93 percent of manufacturers believe IoT’s benefits exceed its risks, and 68 percent plan to increase their investment in IoT over the next two years.10
Manufacturers are aware of the risks and challenges of an unpredictable regulatory regime. But they must also undertake an opportunity assessment of the benefits of data. By viewing data applications through a lens of opportunity rather than a lens of risk, businesses are more likely to choose action, which benefits their business, rather than choose caution, which can leave them behind. Manufacturers should be clear-eyed about the opportunities afforded by data in order to place regulatory risks in the right context and give appropriate weight to these regulatory risks.
The federal government is undertaking efforts to provide guidance to industry as it examines and plans for privacy risks. In particular, the National Institute of Standards and Technology is working to develop a framework to guide organizations’ data privacy risk analysis and to provide voluntary best practices that organizations can implement. This framework is modeled on NIST’s prior work developing a Cybersecurity Framework to help organizations manage cyber risk. According to an MLC survey, almost half of manufacturers have adopted the NIST Cybersecurity Framework to help mitigate cyber risks.11
If the level of adoption of the cybersecurity framework is any indicator, then the NIST efforts on privacy are an opportunity for organizations to develop a common language and benchmark to guide their privacy risks and opportunities. But more needs to be done at the federal level to provide much-needed certainty to manufacturers and consumers.
Data is driving innovation across the industry and at all levels, and managing this transformation is a necessary effort and a significant opportunity for modern manufacturers. A shifting regulatory landscape on privacy continues to pose its challenges, but manufacturers are in the business of building solutions; they will continue to develop solutions across shop floors, in cutting-edge processes and through innovative new products. They will also be part of the dialogue with policymakers in Washington, D.C., and beyond to build solutions for a federal approach to privacy that fosters a Manufacturing 4.0 future.
Footnotes
1 https://www.bdo.com/services/business-financial-advisory/information-governance-privacy/general-data-protection-regulation
2 https://www.enforcementtracker.com/. This is an estimate. Not all enforcement actions are public.
3 https://www.complianceweek.com/gdpr/what-we-can-learn-from-the-biggest-gdpr-fines-so-far/27431.article
4 https://oag.ca.gov/privacy/ccpa
5 https://www.wileyrein.com/newsroom-articles-California-AG-Releases-Proposed-CCPA-Implementing-Regulations.html
6 http://www.dof.ca.gov/Forecasting/Economics/Major_Regulations/Major_Regulations_Table/documents/CCPA_Regulations-SRIA-DOF.pdf
7 Id.
8 https://www.aei.org/wp-content/uploads/2019/03/Senate-Judiciary-Roslyn-Layton-Testimony-March-12-2019-FINAL.pdf
9 Id.
10 https://www.pwc.com/us/en/services/consulting/technology/emerging-technology/iot-pov/manufacturing-iot-snapshot.html
11 https://www.manufacturingleadershipcouncil.com/2018/12/07/cyber-risk-the-m4-0-dilemma/