Privacy Babel: Making Sense of Global Privacy Regulations
In the world of data privacy, the European Union General Data Protection Regulation has grabbed all the headlines. As much of a landmark piece of legislation the EU GDPR is for any company or organization that stores or processes EU citizen data, it’s by no means the only one that global organizations must now navigate. US regulators such as the FCC and FTC are stepping up their game to regulate digital identity, while in Canada, Australia and Singapore as well as Russia, privacy requirements are tightening up — and getting some teeth. While in the US, federal agencies like the FTC, FCC and even sectoral regulatory bodies like the SEC, CFPB, FINRA have become more vigilant around privacy enforcement, individual states are also becoming more proactive in around privacy and consumer data protection. The latest example is the expansion of the Florida breach notification requirements under FIPA (The Florida Information Protection Act) which now mandates that the state Attorney General is notified in the event of a breaches, and that covered organizations consult with local law enforcement.
Globally, some 65 countries have either passed new privacy legislation in the last year or have legislation pending — including China and Brazil. The impetus for the growing emphasis on data privacy and protection is more widespread consumer unease about the impact of digital business on the privacy of their data — compounded by ongoing breaches to extract personal data. Regulators and legislators across the globe are intensifying efforts to spell out requirements for collecting, storing, processing and sharing consumer and customer data.
The Cost of Negligence
Regardless of the jurisdiction or the point of departure for regulators, the point of commonality is that organizations must demonstrate responsibility and transparency in the storage, processing and transfer of private data, and operate on the basis that are now custodians of personal and private data. Along with clear statements of intent for data collection and consent from consumers and customers, organizations must provide a privacy policy.
The specifics of the legislation — whether in terms of consumer rights such as the “right to be forgotten”, data retention requirements or the need for data privacy officers — may vary widely by jurisdiction, along with the ability to actually enforce the legislation or regulations and impose penalties. Although the severity of fines and penalties varies from country to country, what is common is that penalties have grown in size and regulators have become more comfortable using them.
In this context, the EU GDPR heralds the most significant change for data privacy in the digital era, but not only because of the technical requirements or even the stipulation for data protection officers under certain circumstances. Instead, it’s the magnitude of the penalties for violations, and the expressed willingness of regulators to impose the fine when the rules come into force of up to 4% of the total worldwide annual turnover of the preceding financial year.
In tandem with more explicit requirements on their responsibility across jurisdictions, organizations must also conform with the expanding definition of what constitutes personal data — whether biometric data in the case of the EU GDPR or MAC addresses or cookie IDs in the case of new privacy regulations proposed by the FCC in the US. In its recent enforcement decisions, the Singapore’s Personal Data Protection Commission has argued that context matters: violations of personal data protection requirements when the data is “of a sensitive financial nature” is more likely to draw fines. For companies looking to comply with new privacy regulations it will therefore be increasingly expected that they can find any personal data accurately and at scale.
It’s A Matter of Shared Principles
Certainly, many regulations and requirements will more closely resemble the GDPR’s provisions as they near approval and the governing principles will become a point of comparison. However, it is important to understand that differences in approach will persist. For instance, the EU GDPR takes a comprehensive stance, especially when compared with the US, where much more of a sectoral focus led by industry regulators is in play. A clear example of this is the current battle being played out between FCC and FTC on who gets to define digital privacy.
Also, while the US does not currently have federal general privacy protection legislation in place that applies broadly to the private sector and corporations[1] , many states have implemented consumer privacy protection laws, including California, Massachusetts and Florida. The New York state legislature currently has a bill in committee for an Online Privacy Protection and Internet Safety Act, which includes a provision for a data breach group that would include the state attorney general, state officials and CIO and the Homeland Security commissioner.
In Australia, regulators and legislators have worked with enterprises to define self-regulatory frameworks and standards in order to ensure responsible protection of consumer privacy. The outcome is that guiding federal privacy principles are more focused on practical implications for the implementation of privacy policies and protections. By contrast, Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act) emphasizes operating principles and hews more closely to the EU’s comprehensive approach to the citizen’s right to privacy.
the Privacy Act applies to federal agencies: stablishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.
The 10 Privacy Principles of PIPEDA
3 Consent
5 Limiting Use, Disclosure, and Retention
6 Accuracy
8 Openness
Australian Privacy Principles
APP 1 — Open and transparent management of personal information
APP 2 — Anonymity and pseudonymity
APP 3 — Collection of solicited personal information
APP 4 — Dealing with unsolicited personal information
APP 5 — Notification of the collection of personal information
APP 6 — Use or disclosure of personal information
APP 7 — Direct marketing
APP 8 — Cross-border disclosure of personal information
APP 9 — Adoption, use or disclosure of government related identifiers
APP 10 — Quality of personal information
APP 11 — Security of personal information
APP 12 — Access to personal information
APP 13 — Correction of personal information
Still, while principles may diverge, the influence of the EU GDPR is that global regulation trends are coalescing around a set of common requirements and considerations:
● Choice and Consent
● Security for Data Protection
● Data Access
● Notification Requirements
● Data Retention
● Right to Be Forgotten
● Disclosure to Third Parties
● Data Protection Officers
● Cross-border transfers
However, the extent to which the requirements are spelled out shows a wide divergence. For instance, even in the context of the GDPR, the requirement for a data protection officer is only mandatory when the organization is a public authority, engages “in large scale systematic monitoring, or “large scale processing of sensitive personal data”. Under the Singapore, PDPA (Personal Data Protection Act), it is up to the organization to decide whether they should appoint a full time DPO, or have the function subsumed under another responsibility.
Similarly, PIPEDA stipulates that personal data should be retained “as long as it is required to fulfill its intended purposes” rather than any specific time period.
So how does a multinational company manage differing definitions of PII and different requirements around subject access, notification windows and processing traceability?
Getting on the Same Page: Bringing Data Science to Data Privacy
We are long past the stage not whether data privacy and protection should be on the IT and digital business agenda. Instead, the question is how to best to reconcile business opportunities with a mosaic of legislative and regulatory requirements.
The first step is the the obvious one: mapping business operations to data privacy jurisdictions. There’s getting around the specific terms required to meet more rigorous requirements, like the EU GDPR or the Singapore PCDA. And, it’s important to understand the underlying principles that frame the legislation: whether comprehensive, sectoral or defined in collaboration with industry.
However, the foundation of protecting the privacy of personal data relies on consistent application of privacy policies and more importantly accurate intelligence on the data that is being protected. All regulatory requirements share the need to know what data you are storing, who that data belongs to, where that data is located, who is accessing that data, what consent has been approved around that data and where that data is being used. Without that foundational knowledge it is impossible to accurately determine whether an organization is compliant with a specific regulation. It is also impossible to govern that data. No intelligence, no control. Without control the risk of penalties and even breach grows.
by @stavvmc & @dimitrisirota