Privacy Compliance is going global

Two years after the GDPR became applicable, we are seeing over 300 GDPR sanctions across EU countries, and an ongoing discussion on how to demonstrate compliance to different data protection authorities. But is GDPR compliance really a local challenge, to be handled one company branch in one EU country at a time?

In this article, we look at how the GDPR is part of a global discussion around privacy and how compliance efforts should be adapted to cater for privacy requirements both globally and locally.

Personal data is a huge company asset that is often overlooked 

This data is increasingly in danger: it can be lost, stolen or tampered with. The incidents in which that danger materialises (data breaches) have grown in magnitude over time and remain a permanent concern for IT departments and cybersecurity teams alike.

Take, for example, the biggest breaches of 2020 in terms of the number of individuals affected: one that appears to have affected nine million customers of an airline, another that affected over five million clients of a hotel chain, and multiple breaches at one technology operator that affected at least two million clients. These three cases alone have impacted over 16 million people, equivalent to the entire population of the Netherlands.

With so many individuals impacted worldwide, companies should reconsider what personal data they use, how prepared they are for data breaches, and whether their security measures cover personal data at a global or regional level rather than within a single country's perimeter.

GDPR is not the only privacy law in the world anymore

Two years ago, the General Data Protection Regulation (GDPR) became applicable as the most far-reaching piece of data privacy legislation to date. Its extraterritorial reach and the new enforcement powers of the data protection authorities (DPAs) were so impactful that two things happened. First, in Europe alone there are now over 300 GDPR sanctions from various European DPAs. Second, the GDPR is no longer the only privacy legislation in the world: a new wave of regulations and laws on similar topics has started all across the globe. Here is a selection of them from other continents, based on their strongest economies:

  • North America. The California Consumer Privacy Act (CCPA) became effective on January 1, 2020;
  • Latin America. The Lei Geral de Proteção de Dados (LGPD) came into force in Brazil in February 2020;
  • Asia. 
    • Thailand's Personal Data Protection Act (PDPA) was scheduled to take full effect on 27 May 2020;
    • India's Personal Data Protection Bill has been under review for adoption since December 2019;
    • Japan's Act on the Protection of Personal Information, dating from 2003, was amended in June 2020 and now follows the GDPR model;
  • Pacific. New Zealand's Privacy Bill, which replaces the Privacy Act 1993, was passed in 2020, and Australia's Government is in the implementation phase of the Consumer Data Right.

Recent privacy laws and regulations strongly resemble GDPR

Looking just at the Americas, we picked the strongest economies (California in the US and Brazil) and analysed in more detail what the biggest differences are between their respective laws and Europe's GDPR. We looked at three key dimensions: data breach management, individual rights management, and third-party accountability.

Comparison of the GDPR (Europe), the CCPA (California) and the LGPD (Brazil)

Data breach management
  • GDPR (Europe). Data controllers must report data breaches to the supervisory authority within 72 hours of becoming aware of the incident. Data subjects must be notified without undue delay where the breach is likely to result in a high risk to them; the notification must use clear and understandable language and include the same pieces of information that are communicated to the supervisory authority.
  • CCPA (California). There is no specific time requirement for reporting data breaches. A consumer can recover damages of not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper, if the breached data was not reasonably safeguarded (e.g., not encrypted or redacted).
  • LGPD (Brazil). The controller must communicate to the national authority and to the data subject any security incident that may create risk or relevant damage to data subjects, within a reasonable time period as defined by the national authority.

Individual rights management
  • GDPR (Europe). Individuals have the right to restrict the processing of their personal data in certain circumstances; an individual can limit the way an organisation uses their data. Eight data subject rights are granted by the GDPR: 1) the right to be informed 2) the right of access 3) the right to rectification 4) the right to erasure 5) the right to restrict processing 6) the right to data portability 7) the right to object 8) rights related to automated decision making and profiling.
  • CCPA (California). Businesses must publish up-to-date information about what types of consumers' personal information they have sold or shared for commercial purposes (the primary focus is on data sold rather than data processed). Consumers have three main categories of rights, subject to exceptions: 1) the right to access the personal information collected about them in the 12 months prior to the request 2) the right to deletion of their personal information 3) the right to opt out of sales of their personal information. Businesses must provide a specific process by which consumers can opt out of the sale of their personal information.
  • LGPD (Brazil). Similar to the GDPR, individuals have the right to restrict the processing of their personal data in certain circumstances. Nine data subject rights are granted by the LGPD: 1) the right to confirmation of the existence of the processing 2) the right to access the data 3) the right to correct incomplete, inaccurate or out-of-date data 4) the right to anonymise, block or delete unnecessary or excessive data, or data that is not being processed in compliance with the LGPD 5) the right to portability of the data to another service or product provider, by means of an express request 6) the right to delete personal data processed on the basis of consent 7) the right to information about the public and private entities with which the controller has shared data 8) the right to information about the possibility of denying consent and the consequences of doing so 9) the right to revoke consent.

Third-party accountability
  • GDPR (Europe). Data controllers are responsible for direct oversight of data processors (third parties). Contracts between data controllers and third parties must state at a minimum that: 1) third parties will act only on documented instructions 2) third parties will not engage a sub-processor without prior authorisation 3) third parties will delete or return all personal data to the data controller at the end of the contract.
  • CCPA (California). A service provider (third party) cannot retain, use or disclose personal information for any purpose other than the specific purpose of performing the services specified in the contract with the business, or as otherwise permitted under the law. A service provider is not liable for a failure by the business that shares personal information with it to comply with its own CCPA obligations.
  • LGPD (Brazil). The controller and the processor can be jointly liable for information security incidents, for improper or unauthorised use of the data, or for non-compliance with the law. The liability of the processor may be limited to its contractual and information security obligations, provided it does not violate the rules imposed by the LGPD. Privacy notices must clearly, adequately and visibly inform data subjects about the third parties that will receive their personal data and about the responsibilities of the third parties processing data on the controller's behalf.

The key concepts in terms of data subject rights, managing data breaches and managing relations with third parties are present across the GDPR, the CCPA and the LGPD. The three laws are going in the same direction: they push companies to take similar actions to protect privacy, to be transparent with the DPAs, and to give individuals some control over their data.

Privacy requirements and the business-as-usual: globality vs. locality

A fundamental question many of us get asked is: what is the impact of these privacy requirements on the way modern businesses use personal data in their day-to-day operations?

A company whose activities cover several countries should consider the similarities and differences among the data privacy requirements in the territories where it is present. Obviously, this means looking at privacy laws like the ones mentioned above, but also at any other local laws that confer extra powers on the DPAs (e.g., to perform dawn raids, or to sanction differently than in other countries). Analysing the key aspects above for each territory is essential to understanding the expectations of the local DPAs.

Two key elements of privacy compliance

After understanding the regulatory context, the biggest challenge is setting up the framework of compliance with the privacy requirements in different jurisdictions. There are two important notions to take into account:

  • The granularity of privacy compliance, or how fine-grained the objective should be for the compliance team to be able to say the company is compliant with privacy regulation X (the GDPR in Europe, the CCPA in California, etc.). The company could assess the privacy compliance of one or more business processes, IT systems, products or services.
  • The strategy of privacy compliance, or what approach a company should take to be compliant across several territories with different privacy laws. An organisation could choose a territory-based approach, where each territory manages its actions independently of the others. Or it could adopt a common compliance strategy across all its territories, based on the most stringent privacy law, and account for local differences wherever they occur. In the first case, there is a risk of duplicated effort, as the same actions are performed in silos. In the second case, launching a consolidated action plan can take longer, but it pays off later through the efficiency of applying a single, consolidated approach.

What we think

Toufik Chaïb, Partner at PwC Luxembourg

GDPR started a wave of privacy legislation that is changing the way companies use personal data across the world. With businesses spanning multiple territories, it becomes crucial to think about privacy from a global perspective and enact it locally in a way that makes sense from a data subject angle. It is no longer good enough to have some privacy checklist implemented; instead, what is needed is a privacy framework that can be proven to be working well. If such a proof could be trusted by multiple DPAs and business partners at the same time, that can be the basis of a future-proof management strategy.

Gabriela Gheorghe, Senior Manager at PwC Luxembourg