Data Protection Laws 101
Cases of data breaches or illegal access to sensitive business data have been on the rise for several years now. From Facebook to Adidas, the past year has seen a fair share of data breaches.
According to a recent study by IBM, the average cost of a data breach is $3.85 million.
This has given rise to a wave of privacy laws being enacted by countries worldwide.
In fact, according to Deloitte, the number of privacy laws has grown from 20 to 100 over the last couple of years.
In this article, we'll cover the following five laws and frameworks:
1. EU – US Privacy Shield Framework
2. Data Protection Act 1998
3. GDPR 2018
4. CCPA 2020
5. Digital Millennium Copyright Act (DMCA)
EU – US Privacy Shield Framework
The Privacy Shield Framework is a mechanism for meeting EU data protection requirements when transferring personal data from the European Economic Area (EEA) to the United States of America.
Sometimes called Safe Harbor 2.0, because it replaced the earlier Safe Harbor arrangement struck down by the Court of Justice of the EU in 2015, Privacy Shield was adopted in July 2016 and provides a lawful basis for transfers of personal data from the EU to the US. It is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce. The seven Privacy Shield principles are:
- Notice
- Choice
- Accountability for Onward Transfer
- Security
- Data Integrity and Purpose Limitation
- Access
- Recourse, Enforcement, and Liability
To join the framework, a US-based organization must first self-certify to the U.S. Department of Commerce and publicly commit to complying with the Privacy Shield principles.
While joining the framework is voluntary, once an organization has self-certified its commitment becomes enforceable under US law, primarily by the Federal Trade Commission (FTC).
An organization that persistently fails to comply with the principles is removed from the Privacy Shield list by the Department of Commerce after 30 days' notice. A false claim of participation, or a failure to honor the commitments, is treated as a deceptive practice under Section 5 of the Federal Trade Commission Act, and the FTC can seek civil penalties in the region of $40,000 per violation (the figure is adjusted for inflation) for breaching a resulting order.
Data Protection Act of 1998
The Data Protection Act 1998 (DPA 1998) is an act of the United Kingdom Parliament that implemented the EU Data Protection Directive (95/46/EC). It defines how personal data about living individuals may lawfully be obtained, used and managed in the UK.
The act sets out the responsibilities a business has to protect personal data, and gives extra protection to 'sensitive personal data' such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, and criminal offences or proceedings.
The DPA 1998 was supplemented in 2003 by the Privacy and Electronic Communications Regulations (PECR), which govern electronic marketing: unsolicited marketing by email or SMS to individuals generally requires prior consent (opt-in), and individuals can opt out of marketing phone calls.
Data protection complaints and breaches in the UK are investigated by the Information Commissioner's Office (ICO). Under the DPA 1998 the ICO could issue monetary penalties of up to £500,000 for serious contraventions, as well as prosecute criminal offences under the act, such as unlawfully obtaining personal data.
In 2018 the DPA 1998 was replaced by the Data Protection Act 2018, which supplements the GDPR in UK law. Under that framework every use of personal data must rest on one of the lawful bases set out in the GDPR; consent is one of those bases, but not the only one.
The DPA 1998 sets out eight data protection principles. Personal data must:
- Be processed fairly and lawfully
- Be obtained and processed only for specified, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and, where necessary, kept up to date
- Not be kept for longer than necessary
- Be processed in line with the rights of data subjects
- Be kept secure against unauthorised or unlawful processing, loss or damage
- Not be transferred outside the European Economic Area unless the destination ensures an adequate level of protection
GDPR 2018
The General Data Protection Regulation (GDPR) is an EU regulation, so it applies directly in every member state (28 at the time of writing) without national implementing legislation. Adopted in April 2016 and applicable from 25 May 2018, it covers any organization, inside or outside the EU, that processes personal data of people in the EU, either because the organization is established in the EU or because it offers goods or services to, or monitors the behaviour of, people located there. The test is where the data subject is, not their citizenship.
Privacy Shield only addresses the lawful basis for transferring personal data from the EU to the US. Its principles overlap with several GDPR obligations, so a certified company has some groundwork in place, but certification is not in itself GDPR compliance.
The key changes to consider in the GDPR are –
- Consent
- Territorial Scope
- Penalties
Under the GDPR, consent must be freely given, specific, informed and unambiguous, requested in clear and plain language that is distinguishable from other matters, and withdrawing consent must be as easy as giving it.
The territorial scope (Article 3) has been widened so that controllers and processors outside the EU are caught whenever they target or monitor people in the EU. This extraterritorial reach is arguably the biggest change to the regulatory landscape of data privacy.
As for penalties, there are two tiers: up to €10 million or 2% of worldwide annual turnover of the preceding financial year for less serious infringements, and up to €20 million or 4% of worldwide annual turnover for the most serious ones, in each case whichever is higher.
CCPA 2020
The newest of the five, the California Consumer Privacy Act (CCPA) protects the privacy rights of California residents.
Signed into law in June 2018 and amended in September 2018, the CCPA takes effect on January 1, 2020, with enforcement by the California Attorney General beginning on July 1, 2020.
CCPA applies to for-profit businesses that do business in California, collect California residents' personal information, and meet at least one of the following thresholds:
1. Annual gross revenue above $25 million
2. Buying, selling, receiving or sharing for commercial purposes the personal information of 50,000 or more consumers, households, or devices per year
3. Deriving 50% or more of annual revenue from selling California consumers' personal information
The act gives California residents control over their personal information and the right to:
- Know what personal information a business collects about them, and receive a copy free of charge up to twice in any 12-month period
- Direct the business to delete their personal information
- Opt out of the sale of their personal information
- Sue for statutory damages of $100 to $750 per consumer per incident when their non-encrypted, non-redacted personal information is breached because the business failed to implement reasonable security
- Learn which categories of third parties their information has been sold or disclosed to
- Know the purposes for which information is collected
The statutory basis for these rights in the California Civil Code is:
1. Right to Request Personal Information
(Sections 1798.100, 1798.115)
Businesses must tell consumers what categories of personal information they collect, the purposes for which it is used, and whether it is sold or disclosed, and must provide the specific pieces of information on request.
2. Right to Portability
(Section 1798.130(a)(2))
Information provided in response to a request must be delivered in a portable and, to the extent technically feasible, readily usable format.
3. Right of Deletion of Personal Information
(Section 1798.105)
Consumers may require a business to delete the personal information it has collected from them, subject to listed exceptions.
4. Right to Opt-Out
(Sections 1798.120, 1798.135)
Consumers may direct a business that sells their personal information to third parties to stop doing so, and businesses must provide a clear 'Do Not Sell My Personal Information' link to make this possible.
From 2020, a business notified of a violation has 30 days to cure it. Failing to do so exposes it to civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, imposed by the California Attorney General.
Digital Millennium Copyright Act
Signed by then-President Bill Clinton on October 28, 1998, the Digital Millennium Copyright Act (DMCA) is a copyright statute rather than a privacy law. It updates US copyright law for the digital environment in two main ways: it prohibits circumventing technological measures that control access to copyrighted works, and it gives online service providers a 'safe harbor' from liability for infringing material posted by users, provided they respond to takedown notices.
Because the DMCA is part of US copyright law, its notice-and-takedown procedure binds service providers subject to US jurisdiction. The copyright owner sending the notice can be anywhere in the world; what matters is that the host is in the US or otherwise subject to US law.
It is divided into five titles:
- Title I: the "WIPO Copyright and Performances and Phonograms Treaties Implementation Act of 1998"
- Title II: the "Online Copyright Infringement Liability Limitation Act" (the safe-harbor and takedown provisions)
- Title III: the "Computer Maintenance Competition Assurance Act"
- Title IV: six miscellaneous provisions relating to distance education, the Copyright Office, the applicability of collective bargaining agreement obligations in the case of transfers of rights in motion pictures, the exceptions in the Copyright Act for libraries and for making ephemeral recordings, and the "webcasting" of sound recordings on the Internet
- Title V: the "Vessel Hull Design Protection Act"
A DMCA takedown notice is a formal notification from a copyright owner (or their agent) to an ISP, web host or other service provider identifying the copyrighted work and the material on the provider's service that allegedly infringes it.
To keep its safe harbor, the provider must act expeditiously to remove or disable access to the material and notify the user who posted it; the user may then file a counter-notice, after which the material can be restored unless the copyright owner files suit. The types of content commonly covered include:
- Books, articles, poetry, blogs, etc
- Images or posts on the company’s official social media sites
- Songs or other audio files
- Videos
- Software
Criminal penalties under the DMCA apply to willful circumvention of technological protection measures for commercial advantage or private financial gain: up to $500,000 in fines and five years in prison for a first offense, and up to $1,000,000 and ten years for repeat offenses. Ordinary infringement handled through the takedown process is a civil matter.
Summing up
Data privacy laws are changing the way organizations collect, store and use information. Compliance cannot eliminate the risk of a data breach, but the controls these laws require reduce both the likelihood of one and the damage it causes, so adhering to them is well worth the effort.