Personal data protection and privacy law is rapidly evolving in the United States and across the world. However, while some regions, such as the European Union (GDPR), have adopted a more rigid and comprehensive approach, other countries are embracing more sectoral and self-regulated ideologies. Here’s an overview of current APAC regulation.
In the United states, there is no single principal legislation that governs data protection at the federal level in the U.S. Instead it is a patchwork of hundreds sector-specific and medium-specific laws across the state and federal levels with one exception- CCPA.
Global Laws to Know
General Data Protection Regulation (GDPR)
The fat cat of data protection regulation, General Data Protection Regulation (GDPR) is a legal framework or set of laws designed to give EU citizens more control over their personal data.
In addition, under the terms of GDPR, not only do organizations have to ensure that PII is gathered under strict, legal conditions, but those who collect and manage it (data controllers) are required to protect it from misuse and exploitation. In addition, as GDPR recognizes data privacy as a fundamental human right, data controllers must respect the rights of individuals to access, correct, port, and delete data about themselves, and to object to use of that data.
However, it should be noted “None of this is predicated on the individuals’ owning the data. It is based on their rights to the protection of their personal data,” according to Susan Grant, CFA Director of Consumer Protection and Privacy. As data privacy is a human right, personal data, or data about an individual, cannot be owned, sold or given away like a commodity.
In addition, GDPR also requires organizations to appoint a data protection officer (DPO). This independent data protection expert is responsible for monitoring an organization’s GDPR compliance, advising on its data protection obligations, and acting as a contact point for data subjects and the relevant supervisory authority.
Though GDPR was established in the EU, it applies to businesses all over the world. If there’s even the slightest chance that your website might collect the personal information of someone from one of the EU member states, then you’re required to comply. Otherwise, you could be faced with massive fines and penalties.
Global Laws Inspired by GDPR
- Brazil – Brazil’s Lei Geral de Proteçao de Dados (LGPD) was modeled directly after GDPR and is nearly identical in terms of scope and applicability, but with less harsh financial penalties for non-compliance.
- Australia – the Privacy Amendment (Notifiable Data Breaches) requires organizations with an annual turnover of over $3 million AUD will have to disclose data breaches that pose a “real threat of serious harm” within 30 days of their discovery or faces fines of up to 1.8 million AUD (approximately 1.1 million EUR).
- South Korea – South Korea’s Personal Information Protection Act, 개인정보 보호법, includes many GDPR-like provisions such as requirements for gaining consent, the scope of applicable data, appointment of a Chief Privacy Officer, and limitation and justification of data retention periods.
U.S. Data Protection Regulation to Know
While the United States has no plenary data protection regulator, the FTC has broad jurisdiction over commercial entities under its authority to prevent unfair or “deceptive trade practices.” Though the FTC does not explicitly regulate privacy policies, the agency “uses law enforcement, policy initiatives, and consumer and business education to protect consumers’ personal information.”
Under Section 5 of the FTC Act, the FTC could pursue legal actions against organizations that have:
- Failed to implement and maintain reasonable data security measures.
- Failed to provide sufficient security for PII.
- Failed to abide by any applicable self-regulatory principles of the organization’s industry.
- Made inaccurate privacy and security representations (lying) to consumers and in privacy policies.
Other U.S. Data Protection Federal Laws
- The Health Insurance Portability and Accounting Act (HIPAA – P.L.104-191), national standards designed to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
- The Children’s Online Privacy Protection Act (15 USC §6501 et seq.), also known as COPPA, governs the collection and use of personal information about children by the operators of internet services and web sites.
- The Gramm Leach Bliley Act (15 USC § 6802 et seq.) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
- The Fair Credit Reporting Act (15 USC § 1681), governs the information collected by consumer reporting agencies
The California Consumer Privacy Act (CCPA)
The nation’s first definitive set of data privacy laws, the California Consumer Privacy Act (CCPA) ensures:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request that their data be deleted, although there are exceptions that should apply to the collections industry;
- Consumers have a right to request what information is collected; and
- Businesses are required to provide a privacy notice prior to collecting information from a consumer.
“Businesses,” as defined by the CCPA, are for-profit, private entities that:
- collect “personal information”
- determine the means of processing that personal information
- do business in California
- And meets one of the following criteria:
- has annual gross revenues exceeding $25 million
- annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers
- derives 50% or more of its annual revenue from selling personal information.
In layman’s terms, the law gives California residents the legal right to access all of the information a company has saved on them as well as a full list of all the third parties that data is shared with. It also empowers them to sue companies if privacy guidelines are violated, even if there is no breach.
Nevada’s Senate Bill 220
Much less comprehensive than CCPA, Nevada’s Senate Bill 220 requires operators of internet websites and online services to follow a consumer’s direction not to sell his or her personal data.
What does this mean for you?
As EVOTEK’s Chief Information Security Officer Matt Stamper explained in a recent interview, “Ultimately, both the CCPA and the GDPR have driven fundamental change to how organizations think about their data governance practices and have made the topics of privacy and security appear frequently on executive and board agendas. In this spirit, the CCPA and the GDPR have been effective at raising the awareness of how organizations collect, store and share sensitive data about consumers (aka data subjects).”
As data minimization is one of key priorities of GDPR and similar regulations, it’s become critical for CISOs and DPOs to work closely together to shrink and fortify the overall attack surface. This will help both teams more effectively identify what PII actually needs to be collected, stored and transferred.
Furthermore, CISOs and DPOs must partner together to build data protections into all new digital product designs. By working closely with an organization’s developers, the DPO and CISO can proactively address data protection needs into the design process.
Last but not least, in the event of a data breach or privacy violation, it’s vital that CISOs help ensure their organization’s incident response approach is in compliance with regulatory requirements. Under GDPR, for example, failure to notify a data protection authority of a breach within 72 hours can result in a fine of €10 million ($11.3 million) or 2% of a company’s global turnover. This “notification of breach” must include:
- An investigation of the incident – what happened?
- What was the breach?
- What caused it?
- What is affected?
- What are the steps to respond and communicate about the incident?