The acceleration of the digital era has led to many benefits. New and exciting medical treatments are available. Learning platforms have increased in accessibility. Businesses are more streamlined. And even out-of-town family and friends are staying connected.
As technology becomes more sophisticated, there is a growing demand for data privacy laws and regulation. Recently, the world watched as the European Union enacted the General Data Protection Regulation (GDPR). However, the principles for business regulatory standards were laid out well before this.
In 1902, preceding the establishment of the Federal Trade Commission, President Theodore Roosevelt persuaded Congress to create a new cabinet, dubbed the Department of Commerce and Labor. Within this cabinet, the Bureau of Corporations was established on February 14, 1903. This investigatory agency’s purpose was mostly aimed at reviewing the books of industrialized monopolies. However, the idea of regulation management had begun.
The United States has since developed additional regulations and commissions as shown in the following timeline.
The ever-evolving digital world has not been so harmonious with law enforcement. Outdated regulation and increasingly sophisticated criminal activity have led law enforcement into court battles with big tech. For example, in 2013 the Federal Bureau of Investigation ordered Microsoft to hand over email information regarding potential criminal activity. While Microsoft provided some account details, it refused to provide any data stored overseas. The 2nd United States Circuit Court of Appeals in New York ruled against the Justice Department in 2016. However, the United States Supreme Court eventually dropped the case following the enactment of the Clarifying Lawful Overseas Use of Data (CLOUD) Act. One of the main purposes of the CLOUD Act is to help speed up the lengthy mutual legal assistance treaty (MLAT) process while offering a high level of protection for citizens’ data held electronically.
U.S. States Taking on Data Privacy
Although the United States does not currently have a single federal data protection legislation, a few states have taken data privacy enactments upon themselves. In fact, a great example of data privacy laws in motion recently made the headlines.
Members of an Illinois class action lawsuit won against Facebook’s use of facial recognition technology in 2015 through 2019 due to Facebook not obtaining user consent. The citizens of Illinois cited the action as a violation of their state’s biometric privacy law. This landmark victory is currently the largest settlement in United States history, awarding $650 million in damages.
California has attempted to follow GDPR in some respects through the California Consumer Privacy Act (CCPA). This act gives consumers more control over their personal data, including the right to know, access, and delete personal data (with some exceptions), and the right to opt-out of processing at any time.
Massachusetts has some of the toughest data privacy laws in the nation. The Standards for the Protection of Personal Information of MA Residents (the “Massachusetts Standards”) contains much of the same legal language as CCPA. However, Massachusetts requires every business that owns or licenses the personal information of MA residents to develop, implement, and maintain a strict data security program.
Likewise, New York recently passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD), which expands on existing regulations to protect more consumer information and redefine what constitutes a data breach. It broadly requires that “any person or business” that owns or licenses computerized data which includes private information of a New York resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” Depending on their size and complexity, businesses must meet several necessary requirements to be “deemed in compliance.”
In addition, Delaware, Maine, Utah, and Nevada adhere to strict data privacy laws. As citizens voice their desire to have electronic personal data secured and protected, we can expect to see much more change in the United States as data evolves.
The implementation of GDPR in the European Union and European Economic Area on May 25, 2018 sent any business handling data within those areas, regardless of home-based location, into a data organizing frenzy. The intention of GDPR is to implement privacy, transparency, and data rights for residents of the member nations. It also addresses the transfer of personal data outside these areas. Absolutely no personal data may be processed unless it is done through consent, contract, public task, vital interest, legitimate interest, or legal requirement. Citizens’ rights under GDPR include the following:
- The right to withdraw consent freely.
- Timely notifications of data breaches.
  - Customers are to be notified within 72 hours of the breach.
- The right to access existing data profiles.
- The right to data portability.
  - Customers must be able to reuse the same data in different environments.
- Data privacy by design.
  - Customers have the right to know that the company storing their personal data has designed proper data systems to safeguard their information.
- The appointment of data protection officers.
  - Depending on the size of the company, that company may have to protect their customers’ data through a specialized position known as the “Data Protection Officer.”
Although the European Union and the United Kingdom are currently involved in Brexit, GDPR policies are not expected to be affected if an agreement regarding data handling procedures can be reached.
Notable Privacy Laws Around the World
Iceland: In 2018, Iceland’s Parliament passed the Data Protection Act to implement GDPR in their country to help protect citizens’ data.
Malaysia: In 2010, Malaysia passed the Personal Data Protection Act, which went into effect in 2013. Like GDPR, Malaysians have a right to access and correct personal data, as well as withdraw consent from processing data. However, it is limited to data processed within Malaysia. This regulation does not cover Malaysian data outside of Malaysia.
China: In 2017, China passed the Cyber Security Law. This requires companies to explain to users what content they are collecting.
Argentina: Argentina’s Personal Data Protection Act of 2000 states data can only be collected with informed consent by the consumer. Much like GDPR, Argentinians have the right to request access, corrections, and deletions of their personal data.
Australia: Australia’s Privacy Act of 1988 is based on the Australian Privacy Principles. They cover transparency and anonymity; the collection, use and disclosure of data; maintaining the quality of data; and the data subject’s rights.
We have an obligation as Privacy and Compliance Specialists to review and respond to confidential legal requests and ensure they follow the legal and policy requirements of the content owners as well as applicable jurisdictional laws. As a result, we must consistently demonstrate good judgement, tact, and discretion to exceed our clients’ expectations.
Privacy laws are sure to evolve over time. Consequently, IPS will implement and enforce policies that keep our company and our clients operating in a legal and ethical manner. Whether it’s a new training requirement, jurisdictional law, or attorney requirement, we are committed to providing innovative, compliant solutions to safeguard all data privacy matters.