Two years after the coming into force of the GDPR, we are seeing over 300 GDPR sanctions across EU countries, and ongoing discussions on how to prove compliance as seen by different data protection authorities. But is GDPR compliance really a local challenge, one company branch in one EU country at a time?
In this article, we are looking at how GDPR is part of a global discussion around privacy and how compliance efforts should be adapted to cater for privacy requirements both globally and locally.
Personal data is a huge company asset that is often overlooked
This data is often and increasingly in danger: it can be lost, stolen, or tampered with. Situations when this danger materialises (also known as data breaches) have been growing in magnitude over time and have continued to be a permanent concern for IT departments and cybersecurity teams alike.
We can take, for example, the 2020’s biggest breaches in terms of number of individuals affected: a data breach that seems to have affected nine million customers of an airline, another one to have affected over five million clients of a certain hotel chain, and multiple data breaches of one tech operator that have affected at least two million clients. Only three breaches alone have impacted over 16 million people, which is equivalent with the entire population of the Netherlands.
With such an enormous range of individuals being impacted worldwide, companies should reconsider what personal data they use, how they are prepared for data breaches, and how their security measures cover personal data at global or regional level instead of in a single country perimeter.
GDPR is not the only privacy law in the world anymore
Two years ago, the General Data Protection Regulation (GDPR) came into force as the first ever data privacy piece of legislation. Its extraterritorial reach and the new enforcement powers of the data protection authorities (DPAs) were so impactful that two main things happened: first, only in Europe, as of now there are over 300 GDPR sanctions from various European DPAs. Second, GDPR is not the only privacy legislation in the world anymore. A new wave of regulations and laws on similar topics have started all across the world. For example, here is a selection of them from other continents, based on their strongest economies:
- North America. The California Consumer Privacy Act (CCPA) became effective on January 1, 2020;
- Latin America. Lei Geral de Proteção de Dados (LGPD) came into force in Brazil in February 2020;
- The Personal Data Protection Act (PDPA) was enforced in Thailand on the 27 May 2020;
- The Personal Data Protection Bill (India) is being analysed for adoption since December 2019;
- The Japan’s Act on Protection of Personal Data, dating since 2003, was amended in June 2020, and it now follows the model of GDPR;
- Pacific. New Zealand’s Privacy Amendment Bill entered into force in March 2020 and Australia’s Government is in the implementation phase of the Consumer Data Right.
Recent privacy laws and regulations strongly resemble GDPR
Looking just at the Americas, we picked the strongest economies (California in the US and Brazil) and analysed in more detail what are the biggest differences between their respective laws and Europe’s GDPR. We looked at three key dimensions: data breach management, individual rights management, and third-party accountability.
|Data breach management
|Data controllers must report data breaches within 72 hours> of becoming aware of the incident.
|*There is no specific time requirement for reporting data breaches.
|The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects in a reasonable time period, as defined by the national authority.
|Individual Rights Processing
|Individuals have the right to restrict the processing of their personal data in certain circumstances. An individual can limit the way that an organisation uses their data.
Eight subject rights granted by GDPR related to data privacy: 1) The right to be informed 2) The right of access 3) The right of rectification 4) The right to erasure 5) The right to restrict processing 6) The right to data portability 7) The right to object 8) Rights of automated decision making and profiling.
|Businesses must publish up-to-date information about what types of consumers’ personal information they have sold or shared for commercial purposes (primary focus is on data sold as opposed to processed).
three main categories of rights, subject to exceptions: 1) The right to access personal information collected about them in the 12 months prior to the request 2) The right to deletion of their personal information 3) The right to opt out of sales of their personal information
Businesses must provide a specific process by which consumers can opt out of the sale of their personal information
|Similar to GDPR, individuals have the right to restrict the processing of their personal data in certain circumstances.
Nine subject rights> granted by LGPD related to data privacy: 1) The right to confirmation of the existence of the processing 2) The right to access the data 3) The right to correct incomplete, inaccurate or out-of-date data 4) The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD 5) The right to the portability of data to another service or product provider, by means of an express request 6) The right to delete personal data processed 7) The right to information about public and private entities with which the controller has shared data; 8) The right to information about the possibility of denying consent 9) The right to revoke consent.
|Third Party Accountability
|Data controllers are responsible for direct oversight of data processors (third parties).
Contracts between data controllers and third parties must state at a minimum: 1) Third Parties will act only on documented instructions 2) Third parties won’t contract a sub-processor without prior approval 3) Third parties will delete or return all personal data to the data controller at the end of the contract.
|A service provider (third party) cannot retain, use, or disclose personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or otherwise specified under the law.
A service provider (third party) is not liable for failure by a business that shares personal information with them to comply with its CCPA obligations.
|The controller and the processor can be jointly liable for information security incidents and/or improper and unauthorized use of the data or for non-compliance with the law. The liability of the processor may be limited to its contractual and information security obligations if it does not violate the rules imposed by the LGPD.
Privacy notices must clearly, adequately and visibly provide information to data subjects about third parties that will receive the personal data and the responsibilities of the third parties processing data on the controller’s behalf.