Takedown breakdown: A roundup of global data privacy laws
Privacy law has come a long way since 1890.
It was then, a full quarter-century after the end of the American Civil War, when the concept of an individual’s right to privacy first appeared in the U.S. with the publication of the Harvard Law Review article “A Right to Privacy”. This landmark article is acknowledged as the first-ever U.S. publication to advocate for privacy rights, defining privacy as the “right to be let alone” (a concept we can certainly all relate to, even now).
Although authors Samuel Warren and Louis Brandeis couldn’t have known how important data security would become in the 21st century, their article helped kickstart the global privacy movement we’re now so familiar with. Indeed, since these initial stirrings, the implementation of privacy-related initiatives across the world has grown exponentially.
Timeline of key privacy regulations
As we crest the 2020s, this emphasis on data security as a fundamental aspect of responsible business operations is quickening. Complementary trends such as an increasingly multinational business community, the importance (and amount) of data used by organizations, new data types like streaming data from Internet of Things (IoT) devices, and the need to stay compliant with a growing number of international regulations have made data classification and data security automation a must-have for virtually every organization.
A global data awakening
Add to this the increasingly mainstream concept that we, as individuals, have ownership over our personal data – from personally identifiable information (PII) data, to personal health information (PHI) data, to payment card information (PCI) data – along with the right to control where it lives and who can have it, and it’s easy to see why global data privacy laws are on the upswing.
Titus co-founder and CTO Stephane Charbonneau says that, in part, the rush to implement global data privacy laws is simply the next logical step in what’s become an increasingly connected world. “Everyone’s got an online identity now,” he explains, adding that the rise in identity theft has made the public much more aware of the pitfalls of shoddy data security. This growing public awareness, says Charbonneau, has led large enterprises to rethink their approach to data security.
“Banks and other big companies, in the past, have weighed the risk of getting a fine versus the risk of not doing anything” from a cost perspective, he says. “That’s just been the reality: They say ‘If the fine is $1 million, I’m not going to spend $5 million just to avoid that.’”
But the threat of profound reputational damage (not to mention potential litigation) from playing fast and loose with customer data, particularly in the age of social media, has changed the game for virtually everyone. “A single person complaining the right way on social media has such a huge impact” on reputation, explains Charbonneau.
“A few years ago you could scream until you’re blue in the face, or try to take them to court, and you might get something – but the impact on the company really wasn’t that big. But being on the right side of those tweets is something that also now keeps organizations up at night.”
There’s also the issue of the potential loss of customer trust in the event of a data breach.
“Slickwraps says customer trust was ‘violated’ in data breach caused by glaring security holes” (https://t.co/RtzYBMZAxf) — The Cyber Security Hub (@TheCyberSecHub), February 24, 2020
Global data privacy laws: What’s new
Data security laws, of course, are nothing new. Regulations like the federal NIST SP 800-53 (2005) and BIPA in Illinois for biometric data (2008) have been on the books for years. But several others have either just come into being or are on the way. Some of the world’s most far-reaching and stringent data privacy laws, in fact, have been enacted within the past few years.
General Data Protection Regulation (GDPR) – EU, 2016
We’ll start with the GDPR, mostly because every other data privacy law or proposed law of the past two to three years has been based on this landmark legislation. Virtually everyone who uses the Internet regularly has probably heard of at least one element of GDPR – after all, it’s the reason why virtually every website now asks up-front if you’re cool with cookies.
Having come into effect midway through 2018, GDPR lays out requirements for processing and handling EU citizens’ personal data by any company (regardless of geography), and is backed by the ability to levy heavy fines. Add to this the fact that many European countries are now implementing their own privacy laws based on GDPR – and that sometimes go even further – and it’s easy to see why Europe is now considered ground zero for data security.
Japanese Act on Protection of Personal Information (APPI) – Japan, 2017
Japan is credited with being the first Asian country to enact strong data security standards, back in 2003, and it strengthened these with a reformed privacy law in 2017. As a result, Japan was added to the EU’s white list of countries with acceptable data protections (the EU, correspondingly, was the first region added to Japan’s white list).
California Consumer Protection Act (CCPA) – California, 2018
Passed in June 2018, the CCPA became law on the first day of 2020 and is meant to increase consumer protection and data privacy rights for California residents. Under the act, and similar to GDPR, residents have a right to know how their personal data is being collected, by whom, and whether it’s being sold to others. They also have the right to access their data at any time. Some media reports indicate that the CCPA has gotten off to a rocky start, as tech companies in the state spent much of 2019 attempting to water down the legislation.
Lei Geral de Proteção de Dados Pessoais (Brazilian General Data Protection Law, or LGPD) – Brazil, 2018
Like the CCPA, the new Brazilian LGPD closely replicates requirements pioneered by the EU’s GDPR. It was ratified in August of 2018 and comes into effect in August of 2020. Some differentiators between the LGPD and GDPR are that under the former, the definition of personal information is broader and organizations will be granted less time to respond to individual data protection requests.
Global data privacy laws: What’s on the horizon
According to Forrester’s 2019 Global Map Of Privacy Rights And Regulations, other U.S. states (like Massachusetts and New York) are following California’s lead and will soon have similar regulations. But there’s legislation in the works across the world, as well, including:
Personal Data Protection Bill 2019 (PDP Bill 2019) – India, 2019
Tabled in the Indian Parliament midway through December 2019, the bill is undergoing analysis by a Joint Parliamentary Committee and other groups. Among other things it recommends setting up an Indian data protection authority and includes the right to be forgotten, but has also come under fire (somewhat ironically, considering the bill’s name) amid worries the bill “gives the government blanket powers to access citizens’ data.”
New York Privacy Act (Bill S5642) – New York, 2019
Touted by some as even more stringent than the CCPA, the proposed New York Privacy Act was introduced last year and “would give residents more control over their data than in any other (U.S.) state,” according to Wired. It also requires companies to give customers’ data privacy a higher priority than profits, although how exactly this would be achieved (and how realistic that might be) has yet to be determined.
Massachusetts Consumer Data Privacy Bill (SD 341) – Massachusetts, 2019
Massachusetts has also recently introduced its own data privacy bill, with its big differentiator being the ability for Massachusetts residents to sue companies if their data is collected or used improperly (without having to prove harm).
Mind Your Own Business Act of 2019 – U.S., 2019
This bill might be the most dramatic data privacy legislation ever pondered. It calls for increased Federal Trade Commission authority to regulate data collection, a requirement for annual data protection reports for certain entities, and even significant criminal and civil penalties for individuals if they preside over false or misleading data security reporting.
Stay on the right side of global data privacy laws
With the sheer amount of data being both ingested and shared by many organizations, keeping compliant using manual processes is a near-impossible task. Thankfully, data security automation and data classification products exist that can help with GDPR compliance, CCPA compliance, and other, more long-standing regulations such as NIST compliance or compliance with International Traffic in Arms Regulations (ITAR) or NATO Standardization Agreements (STANAGs).
These data security products enhance regulatory compliance through data discovery and classification for sensitive data including personally identifiable information (PII) data, personal health information (PHI) data, and payment card information (PCI) data. Data classification software provides automated workflows to help identify the data you have, its level of sensitivity, and how it should be handled by your security stack, your employees, and your partners.