Data Privacy in Europe, the US, and Other Regions

Finjan TeamBlog, Cybersecurity

Finjan Data Privacy in Europe, the US, and Other Regions

As each day’s news seems to bring fresh revelations on how internet giants like Facebook and Google are allegedly abusing the trust of their subscribers by harvesting and selling personal data to the highest bidder, issues concerning online and general information privacy have become a major talking point.

These issues have also become a priority for lawmakers across the planet, with the drafting of regulations and the construction of legal frameworks aimed at strengthening privacy and data collection rules in various jurisdictions.

Given the differing nature and priorities of the numerous administrations worldwide, the result has been something of a mixed bag. But with digital commerce and international communications bringing various parts of the world together on an hourly basis, interaction between these different legal systems is inevitable.

To avoid confusion and the unintended infringement of laws set out in other regions, it’s become increasingly important to know what kinds of regulations are in place elsewhere – and how their conditions or requirements may impact or influence matters in your own part of the world.

In this article, we’ll be looking at how data privacy issues are being handled in various regions – in the major population centers and influencers of world opinion, and in other areas.

Data Privacy in Europe

Consumer rights and the protection of the individual have historically been the focus of privacy legislation in the European Union (EU), and this continues to be the case. Starting from the mid-1990s, the data protection rules drafted by EU policy-makers have become the global yardstick for most countries – with the notable exceptions like China, Russia, and the United States.

Strong legislation concerning data collection and storage has been in place for several years in many European countries, but with 28 distinct member states making up the EU, there have been issues with variation in legal requirements across borders. Frameworks like the European Union Data Protection Directive of 1998 (which requires anyone processing personal data to do so “in a fair and lawful manner”) attempted to bring some sort of continent-wide uniformity.

Such efforts have culminated in the passing of the General Data Protection Regulation or GDPR, a legal framework whose terms are due to come into effect on May 25th, 2018.

The GDPR has been designed to provide a uniform set of rules and recommendations strengthening privacy protection for citizens and residents of the European Union. It includes some of the strongest data privacy laws ever devised, and applies to EU individuals, regardless of where in the world their personal data is used, stored, or processed.

Under its terms, EU citizens are called “data subjects,” while companies that collect and hold consumer data are “data controllers.” “Data processors” is the term reserved for third parties which process consumer data for a data controller, and these would include off-site contractors and cloud services of all kinds.

The GDPR’s terms include a number of consumer-centric rights and provisions which are set to radically alter the way that online resources and commercial organizations request for, gather, store, manipulate, and share data from website visitors, customers, and subscribers. They include:

  • The right to data access: Organizations must honor requests made by EU citizens for detailed information on what data about them is being held, and how it’s being used.
  • Data portability: The right to switch services on demand, taking all the information that a company had on an EU citizen, with them – which obliges businesses to transfer this data on request.
  • Data erasure, or the right to be forgotten: Consent previously given for data to be collected may be revoked at any time – and EU citizens will have the right to have information deleted that’s already been gathered from them.
  • Breach notification: In the event of a hack or security breach, organizations must alert EU citizens within 72 hours of any incident which might compromise their privacy. This applies to both data controllers and data processors.

These conditions apply to any organization having dealings with the personal data of EU individuals, or with a presence in the EU – whether in the form of branch offices, websites, data sharing partners, sub-contractors, or cloud services.

And the penalties for non-compliance with GDPR are stiff, indeed. The figure most often quoted is the maximum fine of 4% of a company’s annual global turnover or €20 million (about $24.8 million), whichever is the greater. Little wonder that organizations across the globe are falling over themselves to establish the required mechanisms for compliance, before the GDPR commencement deadline in May.

Even though the United Kingdom is due to renounce its membership of the EU under the “Brexit” mandate, the UK was still a signatory to the GDPR when it was first drafted, and remains bound by its terms. For this reason, UK privacy legislation has had to be strengthened, to keep the nation in line with its GDPR responsibilities. The UK’s new Data Protection Bill updates the existing UK Data Protection Act of 1998 and enshrines current European privacy rules (GDPR) into British law.

Data Privacy – How It’s Handled in the US

Broadly speaking, the protectors of consumer rights and data privacy at the federal level are big organizations which are more or less household names.

  • The FCC (Federal Communications Commission) decides on the rules concerning what information Internet Service Providers (ISPs) can or cannot sell.
  • The Federal Trade Commission or FTC regulates laws on business privacy and enforces the Children’s Online Privacy Protection Act, which applies to websites gathering information from children under the age of 13.
  • Patient information and rules concerning how data is handled in the health-care sector come under the remit of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which sets out a framework of strict conditions for regulatory compliance, on the presumption that sensitive medical information simply shouldn’t be shared with third parties having no logical use for it.

There’s a general consensus that privacy laws in the US have been and continue to be drafted and enforced on the side of big business – which in the case of the internet equates to the content and infrastructure providers, the huge corporations enabling our telecommunications, wireless networking, and entertainment ecosystems, and individual or corporate entities that would fit the GDPR’s definition of data processors and data controllers.

Certainly, this seems to be the case in the matter of Net Neutrality – the principle that internet access should be treated in the same manner as public utilities like power and water. A vote in December 2017 by the US House of Representatives to rescind this mandate has since opened up a huge public debate, with citizens, privacy advocates, and consumer rights groups alike raising an outcry over the fact that ISPs will now be at liberty to treat their subscribers’ data in any manner they choose – including selling it off to the highest bidder.

Elsewhere, digital communications now falls within the conditions of the Electronic Communications Privacy Act (ECPA) of 1986, which combines the Electronic Communications Privacy Act and the Stored Wire Electronic Communications Act, to update the Federal Wiretap Act of 1968. This previous act addressed the interception of conversations using “hard” telephone lines but didn’t apply to the interception of computer and other digital/electronic communications.

The ECPA currently protects wire, oral, and electronic communications as they’re taking place, and while their data is in transit or stored on computers. This applies to telephone conversations, email, and data stored electronically. Some provisions of The USA PATRIOT Act make it easier for law enforcement to gain access to stored communications protected under the ECPA, in select cases.

During its omnibus spending bill on March 23 2018, the US government passed the Clarifying Lawful Overseas Use of Data or CLOUD Act, which affords law enforcement a way to obtain data from companies using the subpoena process, while simultaneously offering companies an avenue to appeal against such requests if compliance would force them to break local law.

Even as Europe’s GDPR regime looms, the issue of data resident in overseas storage had been hitting the news, notably in the case of “Microsoft vs. U.S.”, in which the software giant was opposing a warrant calling upon it to give access to data stored in Ireland. With the passage of the CLOUD Act, this case has become irrelevant – but other issues still have to be fully resolved.

The question of requests for access by foreign governments to US data under the CLOUD Act remains unclear. The law permits the US President to enter into executive agreements with foreign governments concerning data collection on criminal suspects. But some have expressed concerns over how such requests might be abused by repressive regimes – despite provisions within the Act limiting executive agreements to nations which “respect the rule of law, recognize freedom of expression and other civil liberties.”

At the state level, there’s also a concern that the CLOUD Act may see a flood of state and local warrants being issued, as authorities seek to use the new legislation to obtain compliance from foreign providers, or providers storing data overseas.

Speaking of US state law, it’s interesting to note that the Silicon Valley state with its California Online Privacy Protection Act (CalOPPA) has one of the most stringent data privacy laws in the country. CalOPPA is the first law in the United States which specifically requires websites to post a privacy policy. And in a similar manner to the GDPR, the law applies not only to websites based in California but to any website which collects personal data from consumers who reside in California.

Data Privacy and The Situation Globally

Privacy laws are currently in effect in over 80 countries around the world.

It’s not entirely surprising that conditions in Russia and China – two nations whose privacy restrictions are now among the strictest and most oppressive on the planet – aren’t made public in online forums or publications describing privacy laws across the globe. And it’s not entirely cynical to disclose that privacy laws in China and Russia are designed and dynamically adjusted to suit the priorities and whims of the current regime and/or head of state.

India’s Information Technology Act requires every business to publish a privacy policy on its website, whether they deal with sensitive personal data, or not. This policy must describe what data is collected, the purpose of this collection, any third parties whom information might be disclosed to, and what security measures are in place to protect the data. Prior consent from users is required for certain sensitive information, including passwords or financial data.

In the continent’s economic powerhouse of South Africa, the approach to data privacy legislation (in light of current developments in Europe and elsewhere) has been a cautious one. Existing laws have been retained, with few moves as yet to amend them in keeping with Europe’s new and wide-reaching compliance regime.

On the surface, the reasons for this approach are economic: The resources needed to adjust legal frameworks, data-handling systems, and infrastructure to meet with GDPR conditions simply aren’t available. Better (and cheaper) to adopt a “wait and see” attitude, and make changes if the long arm of GDPR enforcement extends toward Africa. The slow pace of change may also be a nod to a historical reluctance to bend to the will of what are seen as former colonial powers.

This said, the influence of Europe in the realm of data privacy is extending, in a form of “digital colonization”, and a display of soft power.

Last year saw Japan adopt a series of reforms to mirror many of Europe’s existing data privacy standards – a situation that’s similar to planned reforms to the legal system of Argentina. Israel and New Zealand have already signed agreements with the EU certifying that their data protection rules are on a par with those of Europe. And nations including Colombia and South Korea are drafting new privacy legislation that’s closely based on the EU model.

Issues concerning data privacy are very much on the international agenda, and as the new legislative frameworks take effect, they’re likely to continue to do so for some time.

Share this Post

Finjan Data Privacy in Europe, the US, and Other Regions
Article Name
Data Privacy in Europe, the US, and Other Regions
In this article, Finjan provides a closer look at how data privacy issues are being handled in various regions - in the major population centers and influencers of world opinion, and in other areas as well.
Publisher Name
Publisher Logo