There’s been extensive praise, critique and frustration regarding the European Union’s General Data Protection Regulation, which went into effect on May 25, 2018. The regulation applies to all organizations that process personal data of an EU data subject, any individual who resides and/or travels through EU territory regardless of citizenship.
*I’m not a lawyer so don’t take everything I have to say on lawfulness to be the best source of legal counsel. Just trying to help people of interest gain some understanding in the relevance of privacy experience and data protection.
The regulation has caused headaches for business management, legal counsel and IT personnel. It almost goes without saying that GDPR was not the first ever data protection measure put in place by a governing body; yet, it was the most sweeping regulation passed that demanded accountability from organizations on a global level to comply with the European Commission’s measures. Many (particularly those in the North America) didn’t quite understand the gravity of GDPR and others who didn’t take the regulation seriously often presumed no action could be taken against them from a foreign government entity. It is understandably baffling for many in North America and others located far from the EU to comprehend that an EU entity could enforce its own regulation on organizations across an ocean, well outside of the EU’s jurisdiction.
GDPR was not the first attempt by the EU to enforce data protection measures for its citizens outside of its jurisdiction. Following Edward Snowden’s recent revelations of global surveillance in 2013, the EU thereafter responded by drawing up a framework with the US called Privacy Shield, which went into effect in 2015.
It was an agreement with the goal of ensuring that US businesses wouldn’t distribute EU citizen data to US government agencies. It hasn’t been the most effective agreement for the EU as recent reports have come out that the EU feels the US hasn’t lived up to its side of the bargain to protection the data of EU citizens.
Examples in North America
With that said on the EU’s approach to global data protection enforcement, any data processor, in any country, should first turn to their own nation’s regulatory approach on data protection and security. If you question whether your nation has some kind legal measures already in place to protect the processing of personal data, the answer for developed nations is almost always a resounding ‘Yes!’.
Take Canada for example. The Canadian parliament long ago passed its own nationwide regulation in April, 2000, on data protection and security to promote trust in customer experience for online shopping. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of commercial activity. Since the coming months prior to GDPR going into effect, Canada has been considering new policy reforms to enforce a ‘right to be forgotten’ option for data subjects and to give individuals the legal right to ask search engines to de-index web pages and take down online information under certain circumstances.
In Mexico, on January 26, 2017, the new General Law for the Protection of Personal Data held by Regulated Subjects (source document in Spanish) was published in the Federal Official Gazette (Diario Oficial de la Federación). The law regulates the processing of personal data by any authority or agency of the executive, legislative, or judicial branch of the government at the federal, state, and municipal level, as well as by all autonomous bodies, political parties, and public trusts and funds, for which there was no prior framework. Under the law, regulated subjects must implement privacy notices, document security policies, and establish procedures to ensure data owners' rights to access, rectify, or oppose the processing of their personal data by a regulated subject.
Most recently in North America, the California State Government passed the California Consumer Privacy Act on June 28, 2018, which will go into effect on January 1, 2020. The law is modeled after GDPR but is certainly more focused on the commercial side of data processing as opposed to how organizations in general process data (more on this to come in a later blog posts comparing GDPR and the CCPA). There’s no question in my mind that California won’t be the last state to take initiative on this. Other historically ‘left-leaning states’ such as Illinois, Massachusetts, Oregon and Washington state are likely to pass their own laws over the next couple of years. It’s even been recently reported that the Trump administration is in talks with corporations to roll out its own data protection policy on the federal level.
Outside of North America
Certain South American countries, but definitely not all within the continent, have also stepped up to implement data protection policy reforms. It may come as a surprise, but Colombia actually has a quite intelligible law passed in 2012. Law 1581, reviewed by the Colombian Constitutional Court in Decision C-748/11, contains comprehensive personal data protection regulations, which are intended to implement the constitutional right to know, update and rectify information gathered about them in databases or file, applying to personal data storage and data storage located in an out of Colombia.
Data protection laws are not only enforced in the West but also the East. Numerous Asian and Pacific national governments have passed policy reforms addressing data protection and security. As of the end of 2014, the following jurisdictions in Asia now had already passed comprehensive data privacy laws: Australia (amended), Hong Kong (amended), India (new), Japan, Macao, Malaysia (new), New Zealand, the Philippines (new), Singapore (new), South Korea (new), and Taiwan (amended).
Russia has a long history of implementing data protection laws addressing the lawfulness of processing and handling personal data. DLA Piper, a global law firm specializing in data protection addresses Russia’s well-established history of data protection mandates:
“Fundamental provisions of data protection law in Russia can be found in the Russian Constitution, international treaties and specific laws. Russia is a member of the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention) (ratified by Russia in 2006) and the Russian Constitution establishes the right to privacy of each individual (articles. 23 and 24). Most rules are found in specific legislation, particularly the Data Protection Act No. 152 FZ dated 27 July 2006 (DPA) and various regulatory acts adopted to implement the DPA as well as other laws, including the Information, Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006 establishing basic rules as to the information in general and its protection. In addition, the Russian Labour Code contains provisions on the protection of employees’ personal data (Part XIV). Other laws may also contain data protection provisions which implement the provisions of DPA in relation to specific areas of state services or industries.”
Does any of this sound familiar?
What it all means for your organization
It is a daunting task to take into account the various data protection and security policies being passed on a regular basis. Policy reforms are constantly being amended and passed throughout the world to protect civil liberties and the privacy rights of consumers. In business, your goal is to understand your customer base and gather relevant info on those individuals to provide them with a higher quality of service and developer products that benefit them. Surely, data protection legislation comes off as a huge barrier in helping a business deliver higher quality; but, it doesn’t have to necessarily be thought of in that regard.
Understanding where your data is coming from, the purpose of processing that data, determine where and how to store data, the intended goal of processing that data and having your employees be concerned about the processing of personal data can greatly benefit an organization by allowing the organization to clear out unstructured data, develop trust with your customer base, boost company image and, hopefully, increase value from the potential ROI benefits of data protection company policies and procedures. Your company or organization should have a data plan in place to avoid taking time away from your ambitious projects. In general, if your company or organization has some sort of system in place that documents the processing of data, can report breaches internally and to the public and allows for users and customers to have the possibility of opting in/out to have their data processed, then your business should feel content with its system in place to meet basic compliance standards from general data protection policy.