Understanding Global Data Privacy Legislation
The emergence of strict data privacy laws, both internationally and domestically, has posed a compliance headache for companies. Not only do privacy laws vary between jurisdictions, but they also rely on language such as “appropriate,” “proportional,” and “consistent”: ambiguous words that companies and regulators are left to interpret and apply. RANE spoke with expert Lauren Reid, President of The Privacy Pro, a boutique privacy consulting firm specializing in data ethics, GDPR, and cross-border data transfers, to discuss how culture and history shape global data governance laws and how companies can use this knowledge to develop their compliance programs more efficiently.
Most global privacy laws, unlike US regulations, are based on the OECD Privacy Principles, the eight guidelines (collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability) whose concepts appear in privacy laws around the world today. Rather than being principles-based, Reid says, US data privacy laws are reactive to specific issues, often legislated incrementally in response to a recently introduced technology or one that is being widely adopted.
- In the US, privacy laws are applied by sector, with different privacy rights spelled out for healthcare patients (HIPAA), students (FERPA), bank customers (GLBA), and so on.
- One consistent feature of many global privacy laws is accountability: companies are required to implement appropriate protective measures rather than being handed a prescriptive checklist. According to Reid, this accountability principle puts the burden on the company to prove that it was thoughtful in how it collected the data and followed the compliance rules.
- There is no consistent framework across state and local privacy laws. Reid believes that the stringency of a locality’s privacy laws correlates with the political leanings of the state’s or city’s inhabitants. One of the most progressive cities in the US, San Francisco, recently banned the use of facial recognition technology by city agencies over fears of potential government abuse in the surveillance of its citizens.
Reid explains that the US position on privacy can be understood through the context of its history: “The values that the United States was founded on, including innovation, freedom of expression, and the First Amendment, are not consistent with heavy regulation.” Additionally, Reid notes, the US’s high risk appetite in business and finance means that the US is unlikely to regulate, and thereby slow innovation, in response to a threat it has no history with.
- This contrasts with Germany, where the country’s history explains its strict attitude towards the regulation of data collection. During the Holocaust, the Nazi regime used punchcard technology to generate and tabulate data that enabled it to more effectively identify, concentrate, and destroy Jewish populations across Europe. Since then, the country has been extremely stringent in regulating any effort that could allow for the tracking of people.
Reid posits that the most efficient way for a company to navigate data governance laws across jurisdictions depends on the company’s profile.
- Reid advises that companies headquartered in the US but operating throughout the world may benefit from setting a higher baseline of compliance and applying principles consistent with the “spirit of the law” in every jurisdiction. This may entail offering an individual more privacy rights than a particular jurisdiction requires, but the approach saves time and money, builds customer and employee trust, and is easier to apply when training employees.
- Determining a consistent compliance approach can be difficult for US companies operating across multiple states because of the 1000+ privacy-related state laws in existence; Reid believes a company with this profile should look at each law and apply it as needed. For many heavily regulated industries (insurance, finance, telecommunications, etc.), privacy compliance can center on actions that are already necessary for complying with industry regulations.
Reid warns that, when it comes to data protection governance, firms face consequences larger than any fine.
- In February 2019, following a lengthy antitrust probe into the company’s data gathering practices, Germany’s Federal Cartel Office announced that Facebook could no longer require users to consent to the combination of their Facebook data with data collected from other services Facebook owns, such as WhatsApp and Instagram, or from third-party websites. Reid notes that this may mark a new trend in compliance enforcement, since competition and antitrust regulators have historically focused on paid services rather than free ones like Facebook. Being shut out of data sharing, or losing the ability to collect a type of data a firm has been making a lot of money from, is a far worse consequence than a simple fine.
- As of August 2018, close to a third of the 100 largest US newspapers had blocked European visitors to their sites because the media companies were unable or unwilling to comply with the GDPR, showing how a business can lose access to an entire market through an inability to meet privacy rules.
- In March 2019, Mailchimp asked Canadian e-commerce giant Shopify to remove the Mailchimp for Shopify app from the Shopify app store, citing Shopify’s updated terms, which Mailchimp said would “negatively impact [Mailchimp’s] business and put [Mailchimp’s] users at risk.”