A review of the most widely used new jargon in the privacy and cybersecurity space through 2019 would likely have one acronym at the top of the pile — GDPR. Discussed in countless TV features, newspaper articles, YouTube videos, podcasts, Internet forums, and social media platforms, the EU’s General Data Protection Regulation has certainly marked a turning point in how governments, regulators, businesses, and consumers approach the question of privacy. Yet, the GDPR is just one of several recent privacy and cybersecurity laws that are changing the handling of confidential personal data both online and offline. Here’s a look at four recent privacy laws that hold substantial international significance, including, of course, GDPR.
General Data Protection Regulation (GDPR)
GDPR took effect on 25 May 2018 and applies to any organization established in an EU member state. It also applies to organizations based outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU, whether or not those individuals are EU citizens. A notable exclusion is processing by competent authorities for the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, which is governed by the separate Law Enforcement Directive.
The global buzz around GDPR has primarily been due to three factors. First, the EU is a major player in the world’s economy and comprises about 20 percent of global GDP. Second, numerous companies with their headquarters outside the EU have a presence or business in the EU. Third, the law places an unprecedented amount of power in the hands of data subjects.
An organization that fails to comply with GDPR may face administrative fines of up to 4 percent of its worldwide annual turnover or EUR 20 million, whichever is higher. To stay on the right side of the law, businesses must implement appropriate technical and organizational measures to protect personal data in use, at rest, and in transit.
California Consumer Privacy Act (CCPA)
The CCPA was signed into law in June 2018 and takes effect on January 1, 2020. It is often described as California's answer to GDPR. The CCPA gives consumers the right to request that a business disclose the specific pieces and categories of personal information it collects about them, the sources from which that information is collected, the business purpose for collecting it, and whether, why, and to which categories of third parties it is sold or disclosed.
The CCPA is a state law, but it has international significance for three reasons. First, California is not only the state with the largest GDP in the U.S.; its economy would rank fifth in the world if it were a country. Second, California is home to Silicon Valley, which arguably makes it the de facto technology capital of the world. Third, the law applies to businesses that collect the personal information of California residents, wherever those businesses are located. So although the CCPA is written for businesses doing business in California, the state's global profile means it inevitably affects businesses and persons outside California.
Not every company is subject to the CCPA. It applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue above $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50 percent or more of annual revenue from selling consumers' personal information.
Brazilian General Data Protection Law (LGPD)
The LGPD was passed in August 2018 and, as originally enacted, was scheduled to take effect in February 2020 (its entry into force was subsequently postponed). Like the CCPA, the LGPD borrows heavily from the GDPR. The law matters internationally because Brazil is the largest economy in Latin America, so it is likely only a matter of time before countries in the region that lack a comprehensive privacy law follow suit.
Overall, the LGPD creates a single framework for the processing of personal data belonging to people in Brazil. A central principle is that every processing activity, sales and marketing included, must rest on one of the lawful bases the statute lists, with the data subject's consent being the most prominent of them. The LGPD harmonizes, replaces, and improves on the more than 40 legal provisions that previously dealt directly or indirectly with privacy and personal data protection. Like the GDPR, the LGPD applies to businesses both inside and outside Brazil that offer goods or services to people in Brazil or collect and process the personal data of individuals located there.
If your business is already in compliance with GDPR, you have likely already satisfied the majority of the privacy obligations set out by the LGPD. There are some key differences between the two laws, however, such as a shorter timeframe for responding to data subject requests (15 days, versus the GDPR's one month) and additional specific lawful bases for processing, such as credit protection.
Australia’s Notifiable Data Breaches (NDB) scheme
The Privacy Amendment (Notifiable Data Breaches) Act was passed in February 2017 and the scheme commenced on 22 February 2018. It applies to organizations already covered by the Australian Privacy Act, chiefly businesses with an annual turnover of at least AU$3 million. Smaller businesses below that threshold are also covered in certain cases, for example if they provide health services, trade in personal information, or hold Commonwealth government contracts.
A breach is notifiable only when it crosses a harm threshold: a reasonable person would conclude that the unauthorized access to, disclosure of, or loss of personal information is likely to result in serious harm to any of the affected individuals. "Serious harm" is not precisely defined, but it covers serious physical, psychological, emotional, financial, or reputational harm.
If an entity merely suspects a breach, it has up to 30 days to assess whether the breach is notifiable. Once it has reasonable grounds to believe an eligible breach has occurred, it must notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable. The statement should capture as much detail as is available at that point, including a description of the breach, the kinds of information involved, and the steps affected individuals can take to reduce the harm. The entity must also notify the affected individuals as soon as practicable, normally at the same time as the regulator. Serious or repeated failures to comply with the Privacy Act, including its NDB obligations, can attract civil penalties of up to AU$2.1 million for a body corporate.
Australia is geographically isolated from much of the world. Nevertheless, Australia has proven to be a legal and scientific trailblazer. In addition to Australia’s economy being the largest in Oceania, it is also closely intertwined with that of Asia, which is the continent that will most define the 21st century. So, laws passed in Australia, like the NDB, have international implications.
Awareness of recent privacy laws is crucial
Privacy has long been a concern of the average business but the risk of a privacy breach has greatly increased thanks to the proliferation of the Internet and the amount of commerce that takes place online.
Many businesses that find themselves on the wrong end of privacy regulations did not set out to break the law. Non-compliance is often born of a lack of awareness of the privacy rules that apply. The road to privacy compliance begins with knowledge of the relevant privacy laws, and making sure your business is, where applicable, on the right side of the laws discussed above is a good first step.