Global Privacy Laws and Data Protection Regulations

The protection of employee and consumer data has become a priority for companies and organizations, especially with the ever-increasing potential for liability due to the use of new technologies. The collection and management of data require a broad range of legal compliance activities. It is essential to prioritize and protect sensitive, confidential, and proprietary information. Data breaches or losses can have a substantial adverse effect on a company's financials and reputation. This article discusses several privacy laws expected to guide organizations in the protection of their information assets, and the privacy rights of individuals, through compliance.

European Union (EU)

In 2018, the General Data Protection Regulation (GDPR) became the de facto standard for personal data protection and privacy in the EU. Since its adoption, the GDPR has influenced some member states to implement some of the GDPR provisions into their respective national legislations. National data protection laws have been implemented in countries such as France, Finland, Germany, Portugal, Romania, and Poland.

GDPR is the result of efforts by the EU Government to protect and safeguard the personal data and privacy of its citizens. GDPR applies to all companies that process EU citizens data, including those that do not have a business presence in any EU Country. There are two types of Data Handlers that must comply with GDPR Rules: the Data Processor and the Data Controller. The Data Controller is an organization or agency that specifies personal data processing and the intended use of the data collected. Data Processors are third-party service providers that process data on behalf of the Data Controllers. Under GDPR, individuals have new rights which include, but are not limited to: the right to access personal data, the right to be informed when data is gathered about them, and the right to have their data corrected and updated.

The ripple effect of the GDPR in the EU shows the prominent need for data protection regulations and enforcement.  Neighboring countries, including Russia, Turkey, and Switzerland, have enacted regulations as well.

United States of America

The California Consumer Privacy Act (CCPA), which was signed into law in 2018, is the most comprehensive privacy legislation in the United States. The CCPA has become a framework for other states.

CCPA's protection is limited to the personal information of California's legal residents. The Act applies to for-profit businesses that operate in California whether physically located there or not.  The business must meet at least one of the following characteristics: annual revenue higher than $25 million, collects and process data of more than 50,000 consumers and households in California, and/or generates not less than 50% of its revenue from the sale of consumers personal information. In addition to the right of access and deletion granted to users under GDPR, the CCPA gives users the right to opt-out of the sale of personal information to third parties.

Other privacy laws in the United States include:

• Massachusetts Data Privacy Law S-120
• New York Privacy Act S5642
• Hawaii Consumer Privacy Protection Act SB 418
• Maryland Online Consumer Protection Act SB 613
• North Dakota HB 1485

Asia-Pacific and Africa

China enacted a landmark Encryption Law, which became effective in January 2020. It enhanced China's commitment to providing information security and national security. The law splits Encryption into three separate groups: Core Encryption, Common Encryption and Commercial Encryption. The Core and Common Encryption are used to protect all state secrets needed to ensure the security of the country, while Commercial encryption is used to protect trade secrets. In previous regulations, entities and individuals were not allowed to use commercial encryption products that were foreign-produced and were limited to approved encryption products manufactured in China. The Encryption Law indicates that China is open to foreign commercial encryption products, though their use may still be subject to control requirements. The law governs the import and export of commercial encryption that may pose a threat to national security or the general public interest.

Prior to this law, the Cybersecurity Law of the People's Republic of China (Cybersecurity Law), which had been effective since June 2017, covered various aspects of network security and set the tone for cybersecurity regulatory regime in China. The Cybersecurity Law applied to operators and service providers of networks (Network Operators) and companies in critical sectors such as energy, finance and public service (Critical Information Infrastructure).  Companies were defined as Critical Information Infrastructure if their destruction or data leakage would result in severe damage to state security. The Network Operators were therefore required to ensure Network Security and Personal Data protection with measures including implementation of security protocols, adoption of appropriate technological measures, obtaining consent before collecting personal data, and explicitly stating the means of collection and use of personal data.

Several jurisdictions in Asia and Africa have adopted data protection legislation, including Kenya, Nigeria, Thailand, Indonesia, and New Zealand. Kenya's Data Protection Act, which was signed into law in November 2019, has emerged as leading legislation on the continent of Africa.  The legislation aligns with EU's General Data Protection Regulation intending to safeguard collection and handling of data by governments and organizations. Any violation of the new law will be investigated by an independent office, and the violator will face a fine of up to $29,000 or two years in prison. Kenya's Data Protection Act has been pivotal in attracting investments from foreign technology companies. Amazon recently announced that it will set up part of its cloud infrastructure in Kenya in 2020.

Latin America and the Caribbean

Latin America and the Caribbean countries have also been impacted by the overhaul of data protection rules and legislations all around the globe. Local administrations have strengthened their respective legislations and designed programs to bring their security and privacy framework closer to current standards. Several jurisdictions have adopted data protection legislation, including Brazil, Barbados, the Cayman Islands, and Jamaica.

Wilson Consulting Group (WCG) is an innovative global cyber security consulting firm. We offer cyber security assessment, IT governance, cloud security services, risk management, penetration testing, and vulnerability assessment services to evaluate any threats that your organization may face and provide solutions to combat them. WCG recognizes that Security and Compliance within the cybersecurity realm is a top priority for businesses. We offer services to ensure a company's understanding of and compliance with Regulatory and Privacy laws.