The General Data Protection Regulation of the European Union
Various countries worldwide have different policies for data security. The gold standard for these privacy and security laws is the General Data Protection Regulation (GDPR) of the European Union (EU), currently the strongest.
The GDPR passed the European Parliament in 2016 and effective May 25, 2018, it has been enforcing obligations on all organizations around the world that collect, process, or use data on people in the EU. Violations of its privacy and security standards result in severe penalties and fines. The maximum is €20 million or four percent of the organization’s global profits, whichever is higher. In addition to this, the data subject can sue for separate compensation for damages.
Based on the 1950 European Convention on Human Rights that recognized the right to privacy, the GDPR recognizes and ensures the privacy rights of data subjects. These are the right to information, right to object, right of access, right to erasure, right to rectification, right to data portability, right to restrict processing, and rights related to automated decision-making and profiling.
Subject Consent and Data Processing
Consent from the subject is the primary requirement for data processing, and there must be documentary evidence of this consent. According to the GDPR, a request for consent must be in plain and clear language that is obviously distinct from other matters. The consent must be knowledgeable, specific, unequivocal, freely given, and subject to withdrawal at any time. Subjects younger than 13 years old cannot give consent without parental permission.
Data processing is allowable only under specific circumstances. You need it to save a person’s life. You need it for a contract that the subject is a party to. You need it to fulfill a legal requirement. You need it to fulfill an official function or perform a task for the public good. Your interest in processing the data is legitimate. You must then document the lawful justification for data processing and inform the subject about this.
The GDPR has seven protection and accountability principles. Accountability means the data collector is responsible for complete compliance with the regulation. Accuracy means the data must be correct and up to date. Integrity and confidentiality mean data processing must have full security, reliability, and privacy, such as the use of encryption. Data minimization means collecting and processing only the minimum quantity of data necessary for the specified purposes. Purpose limitation means data processing must only be for the specific purpose given to the subject upon collection. Storage limitation means personal data storage must only be for the period necessary for its specified purpose. Finally, data processing must be lawful, fair, and transparent to the subject.
According to Article 25 of the GDPR, every organization must include data protection by default in designing any activity or product. All the seven principles of the GDPR must be automatically included.
In case there is a data breach, an organization has 72 hours to inform data subjects. If it does not do so, it faces penalties. The requirement is only waived if the organization is using technological defenses like encryption that make the data unusable to the hacker.
Global Data Protection
The need for data privacy protection laws increases as more individuals give their personal data to various apps and cloud services while data breaches are occurring more frequently. Countries and states are trying to keep up with the GDPR to protect their citizens.
On September 18, 2020, Brazil declared the Lei Geral de Proteção de Dados (LGPD) retroactively effective from August 16, 2020. In November 2020, Canada proposed the Digital Charter Act. On December 1, 2020, New Zealand enforced its Privacy Act 2020 to replace and update its 1993 Privacy Act. In the U.S., the California Consumer Privacy Act (CCPA) got an update with the California Privacy Rights and Enforcement Act of 2020 (CPRA) that will be in force by January 1, 2023, covering personal data collected after January 1, 2022.
These are only a few of the developments in data privacy laws around the world. We can expect more regulations to tighten up as people and governments realize the urgency of the situation.