Seclored: The Data Security News Blog

Evolution of Global Data Privacy Laws: What to Expect & Why You Should Care

Category: Data Privacy

During 2023, we’ve witnessed a material shift in the approach to underlying data privacy laws. These changes are expected to continue in the United States and globally.

In the United States, data privacy laws have historically been rooted in a harm-prevention approach, seeking to prevent or mitigate damage in specific sectors. Under the broader rights-based approach, as seen in the European Union’s General Data Protection Regulation (GDPR), individuals effectively own their personal information, have the legal right to control it, and decide for themselves who may use it.

Following California’s lead with the California Consumer Privacy Act (CCPA), states such as Colorado, Connecticut, Utah, and Virginia have begun enforcing new GDPR-style rules this year, and more states are planning to follow. The implications of this fundamental shift in data privacy protection will be felt in the years to come.

Comparing Data Privacy Approaches: US Harm Prevention vs. EU Rights-Based Model

The United States has a history of allowing institutions to collect personal information without explicit consent. However, the government regulates the use of this information to prevent or mitigate harm in specific sectors. For instance, the Gramm-Leach-Bliley Act (GLBA) regulates the financial services space.

Similarly, healthcare and other sectors have regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which protects medical records and other personal health information from misuse. Consistent with their underlying philosophy of allowing the collection and use of personal information while preventing harm, these rules impose restrictions on how specific industries and institutions handle personal information.

Instead of a harm-prevention approach, the European Union (EU) pursued a rights-based view of protecting personal information. In the EU, data privacy is regarded as a fundamental individual right. Individuals effectively own their personal information, and who can use it is a matter for them to decide, rather than a matter of regulatory oversight of institutions.

The EU recognized the need for a modernized approach to data privacy, partly because of advances in information technology and the accelerating use of personal data in a globally linked digital world. In response, the EU adopted the General Data Protection Regulation (GDPR). GDPR brought together, holistically, the key principles of the European human rights-based approach as the foundation for data privacy protection.

Key Data Privacy Principles and Implications: GDPR Influence on Evolving Laws

To understand the new data privacy laws, it helps to know the principles of GDPR, since those principles explain much of what is happening in the new legislation.

These laws reflect the influence of the GDPR’s rights-based framework. They apply to businesses across many sectors, representing a comprehensive approach to privacy protection that sits alongside the sector-specific laws that remain in place.

GDPR distinguishes between the roles of “data controllers” and “data processors.” The former are the businesses and entities that control the collection and use of the data; they decide what to do with it. The latter carry out the instructions provided by the data controllers. The obligations that apply to data controllers and their responsibilities differ from those of data processors.

The new state data privacy laws include this distinction and approach. They articulate various rights of entities, especially individuals, with respect to their personal information. They generally include the rights to:

  • Request access to inspect personal information.
  • Request that errors in their personal information be corrected.
  • Portability, where personal information can be transferred to another entity.
  • Erasure, where personal information can be deleted.
  • Consent by being able to decide whether personal information may be sold or whether it may be used for purposes of receiving targeted advertising.
  • Appeal the denial of a data privacy protection request by a business.

In addition, GDPR and many of the states’ laws include certain governing principles, such as:

  • Data management systems designed with data privacy protections in mind (including data mappings and data lineage, so you know what data are stored where and the protections are appropriate to the data’s sensitivity level).
  • Records should be appropriately managed and maintained regarding collecting, processing, and using personal data.
  • Sensitive personal information should be kept, if at all, only for the duration to serve its required purpose.
  • Personal information should be used with informed consent from the data owners in a transparent, understandable way and only for legitimate uses allowed under law.
  • Accountable, well-trained staff should monitor compliance with data privacy protection requirements, supported by good risk management capabilities.
  • Data should be protected using best practices for cybersecurity to minimize the risks of data breaches, including appropriate physical and technology-based defenses. This is especially true for unstructured data types like PDFs, spreadsheets, images, and other related file types.
  • A good incident response plan should be in place to ensure that required notifications are delivered on time, within the notification deadlines applicable under law.
  • Staff should be trained in data privacy protection practices pursuant to well-designed policies and standards, and their access to sensitive personal information should be limited on a need-to-know basis to mitigate risk.
  • Contractual provisions regarding data privacy protection should be in place to ensure that vendors and contractors are also guarding against risks of misuse and breaches.

Becoming familiar with these principles helps us understand the rapidly evolving data privacy laws that exist now and those still to come.

Seclore’s Advanced Data Protection: Unveiling the So What of Data Privacy Conformance

Seclore has published a whitepaper showing how data privacy rules are evolving globally, with spotlights on the EU, United States, Canada, India, Australia, and other countries, including a detailed look at their impact on the financial services sector. It is well worth a read.

Note that while these new data privacy rules are intended to be comprehensive in scope, they contain certain carve-outs for data already protected under other laws, such as GLBA and HIPAA in the United States.

The statutes vary in their reach, applying to businesses that exceed certain revenue thresholds or that hold data on a certain number of residents, consumers, households, or devices in the applicable jurisdiction. Each statute is different and should be carefully analyzed for its scope, requirements, potential liabilities and penalties, and means of enforcement.

However, a foundational understanding of these new laws and where they originate creates a basis for analyzing and understanding their requirements and those of laws yet to come. Data privacy laws are evolving rapidly around the world. Make sure you stay on top of them, because they are here to stay!

Tom Dunlap is the Founder and Managing Partner of DIACSUS LLC, an international advisory and consulting firm for the financial services industry, specializing in the data ecosystem spaces of governance, management, innovation, integration, transformation, digitization, & visualization, as well as operational risk & regulatory intelligence. Tom serves on the advisory boards for DeepSee.ai and PredictIntel.
Tom has over 33 years of financial services industry experience across a range of data management & operations leadership roles. Prior to DIACSUS LLC, for 4 years he was Group Chief Data Officer, head of enterprise data governance, and head of data operations of the London Stock Exchange Group (LSEG). He was a senior consultant and advisor to Raymond James Financial and fintech company Lingotek. Tom spent 18 years with Goldman Sachs in a variety of senior operations and data leadership roles, including Managing Director of operations and global head of the firm’s enterprise data strategy and reference data operations. In addition, he held the role of Vice President for Citibank’s Worldwide Securities Services Division.
Tom was a two-term member of the Financial Research Advisory Committee of the US Treasury Department’s Office of Financial Research, on the Board of Directors of the Enterprise Data Management Council, and he is the current CDO Ambassador for the State of South Carolina.

Since 2015, Lisa has served as the Director of Legal Business Development at Seclore Technology. In this role, she focuses on product recognition and sales in the legal market, engaging with law firm professionals to discuss data security best practices and analytics workflows. Previously, during her 23-year tenure at Goodwin Procter LLP and Foley Hoag LLP, Lisa excelled as a Senior Litigation Paralegal, leading international and domestic eDiscovery teams and bridging the gap between legal and litigation support. Recognized for her contributions, she became President of the Board for the New England Litigation Technology Professionals in June 2016. Lisa holds degrees from Boston College and Syracuse University.
