Data Privacy Update
During the 2022 annual Board of Directors meeting, the decision of the board was to remove the online lookup utility from the website due to ongoing security issues. Allow me to explain in further detail what precipitated this action.
To start this discussion, we have to go back to April 2016, when the European Union (EU) published the General Data Protection Regulation (GDPR). Full implementation of this regulation was slated for spring of 2018. So, the first question is, “...why do we in the United States care about the activities of a bunch of unelected bureaucrats in Brussels?” The GDPR is written such that if you or your organization maintains personal data on any citizen of the European Union, regardless of where they may reside, then you and/or your organization is subject to the full complement of the GDPR. This has been upheld through the World Court and back to the United States Department of Justice (DOJ). It was this action by our DOJ that caught every business in the United States off guard in early 2018 and created internal frenzies among company legal departments to bring their organizations into compliance prior to the implementation deadline.
The GDPR is written such that failure to comply, or any data breach that falls under the guidelines of the regulation, is grounds for extremely severe fines. Since its implementation, the EU has levied millions of dollars in fines on a number of US companies, Microsoft and Google being the top recipients of monetary action by the EU. As a result, companies in the US have had to add a slew of attorneys to interact with their organizations to create additional procedures the companies must follow to operate in an electronic environment and to keep the EU happy. And a note from our attorney—we are not certain whether the corporation would be required to submit to a foreign jurisdiction—meaning the courts of a country in the EU—since our organization “does business” all over the world. In other words, our CA corporation could perhaps lawfully be hauled into court in Europe and fined.
In 2018 the state of California implemented the California Consumer Privacy Act (CCPA), which pretty much mirrors the GDPR, and it was fully implemented in 2020. Other states are beginning to implement their own variations of the GDPR. As our corporation is domiciled in CA, any violation of the GDPR—or the CA equivalent—would certainly subject us to a suit in CA. In other words, if we violate the GDPR, we likely also violate CA law, and we are subject to fines whether in a CA court or a court of an EU country.
Ten-Ten International is a small, non-profit organization, licensed to do business in the state of California. We are not equipped with the personnel or funding to fully comply with the requirements of the GDPR and now the CCPA. Our master membership database, which contains private information, is maintained in a secure database that does exceed the requirements of the GDPR and CCPA. However, it is the online interfaces that provide access to that database, such as the online lookup, that are the problem. In early 2020 we modified that interface to remove personal information. But we live in a society where bad actors spend every waking minute of their sorry, underworld existence looking for ways to breach an organization’s website and servers in order to steal personal data. No matter how many security measures we apply to our servers and website, these actors are always two to three steps ahead.
Therefore, based on all of this, I made the recommendation to the BOD that we remove the online lookup altogether. Ten-Ten International is in the process of producing a secure, stand-alone utility for current members to perform the same lookup task that was provided online. This utility should be available for members before the middle of July 2022.
Since this decision by the BOD, there have been outlandish and unjustified attacks directed at the BOD by justifiably upset members who were, until now, simply ignorant of the compelling reasons for this action. The BOD was acting on my recommendation, which is based on my professional working knowledge of the GDPR and CCPA. I have seen firsthand the amount of time, effort and money that my company alone has spent to bring it in line with the requirements of these regulations. Ten-Ten just does not have the resources to do all of this. If you still feel the need to throw shade and firebombs at someone, then direct them to me, but in a professional capacity!!
Jeff K. Steinkamp, N7YG, #65084
IT Manager, Ten-Ten International.