Introduction
Data privacy and protection regulations are rapidly evolving around the world. As technology advances and data collection becomes more pervasive, governments are responding with new laws aimed at protecting consumer privacy and providing individuals with more control over their personal data. In this article, I outline several key data privacy laws and regulations that organizations need to be aware of. Understanding this changing regulatory landscape is crucial for any company that collects or processes personal data.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European Union law that went into effect in 2018. It imposes strict rules on companies that offer goods or services to people in the EU, or that collect and analyze data tied to EU residents. The GDPR gives individuals more control over their personal data and imposes hefty fines for noncompliance.
Some key elements of the GDPR include:
- Consent – Companies must get clear, affirmative consent from individuals before collecting their data. Consent requests must be easy to understand and separate from other terms and conditions.
- Right to access – Individuals have the right to see what data a company has about them and request a copy of that data. This is sometimes called the “right to portability.”
- Right to erasure – Also known as the “right to be forgotten,” this allows individuals to request that a company delete their personal data. There are some exceptions where companies do not have to delete the data.
- Data protection officers – Companies that handle significant amounts of sensitive data must appoint a data protection officer (DPO) to oversee compliance efforts.
- Data breaches – Data breaches must be reported to authorities within 72 hours of first discovery. Breaches affecting large numbers of people may also need to be reported to the individuals impacted.
- Fines – Companies can be fined up to 4% of global annual revenue for GDPR violations. This has resulted in fines of hundreds of millions of euros for major companies like Amazon and Meta (Facebook).
The GDPR only applies to EU residents but has become a global standard for data protection. Many countries are developing laws inspired by it.
California Consumer Privacy Act (CCPA)
Modeled after the GDPR, the California Consumer Privacy Act (CCPA) took effect January 1, 2020. It applies to for-profit companies that do business in California, collect personal data about California residents, and meet certain size thresholds.
Key aspects of the CCPA include:
- Right to know – Consumers can request details about what categories of personal data a business collects about them and how it is used.
- Right to delete – Consumers can ask businesses to delete their personal data, with some exceptions.
- Right to opt-out – Consumers can direct a business not to sell or share their personal data.
- Private right of action – Consumers can sue companies for data breaches resulting from failure to implement reasonable security procedures.
The CCPA only applies to California, but it covers a huge number of U.S. companies and residents given the size of the state. Several other states are now considering similar consumer privacy laws.
Schrems II Ruling
In July 2020, Europe’s highest court issued a landmark ruling that invalidated a major data transfer agreement between the EU and the United States. This “Schrems II” decision, named after the Austrian privacy activist who challenged the agreement, found that the EU-U.S. Privacy Shield failed to adequately protect Europeans’ data from U.S. government surveillance.
The ruling complicates data transfers between the EU and the U.S. Companies can no longer rely solely on the Privacy Shield and must evaluate alternate measures for cross-border data transfers to ensure compliance with EU standards.
This ruling demonstrates that even general data protection laws like the GDPR have extraterritorial scope when data of EU residents is concerned. It underscores the global nature of data privacy regulation.
Looking Ahead
Many other data privacy and protection laws are in development worldwide:
- Brazil passed its General Data Protection Law (LGPD) in 2018, taking effect in 2020. It imposes GDPR-like requirements with fines up to 2% of Brazilian revenues.
- India is drafting a new Personal Data Protection Bill with GDPR-inspired rights and rules. It remains pending as details are negotiated.
- China enacted a new Personal Information Protection Law taking effect November 2021. It regulates data collection and cross-border transfers based on a categorization system for different types of data.
- Privacy laws are advancing at the state level in the U.S. beyond California, including in Virginia, Colorado, Utah and Connecticut. A federal U.S. privacy law is also under discussion.
Conclusion
Data privacy regulation is a rapidly evolving landscape that companies must monitor closely. The trend is toward heightened individual rights and restrictions on how personal data can be used. By familiarizing themselves with major laws like the GDPR and CCPA, organizations can proactively adapt their data practices to mitigate compliance risk. Data collection and privacy are becoming central strategic concerns for businesses across all industries and geographic markets.