The launch of the European Union’s General Data Protection Regulation (GDPR) established 2018 as the year of data privacy, spurring other countries to enact their own laws or update their existing system of laws. Even the U.S. has gotten in on the game, with a new law in California and a potential federal regulation in the works. But global data privacy is littered with differing definitions and requirements, starting with the meaning of data privacy itself. Let’s tread carefully into this minefield so you can approach your data systems—and your eDiscovery obligations—more accurately.
Data Privacy Is Not Data Protection
The GDPR didn’t do anyone any favors on this: it’s primarily about data privacy, but its name refers to data protection! These concepts are not the same, although they have some overlap.
Data privacy concerns what information organizations—from for-profit companies to government agencies and more—have about individuals and what they can do with it. The GDPR refers to this information as personal data, which is vastly more inclusive than the U.S. concept of personally identifiable information. Personal data is more than just a name, social security number, or birth date; it includes demographic or cultural information, IP addresses, and online cookie identifiers. Data privacy laws attempt to limit how organizations collect, store, and use that information and give individuals the right to correct or remove their information from a company’s dataset.
Data protection, on the other hand, is the protection of information against breach or unauthorized access. Data that is private is necessarily protected; if it isn’t secure, it also can’t possibly be private. However, an individual’s information may be protected from security breaches without the individual having any control over the privacy of that information.
Where in the World Is Data Processing Happening?
Another complexity arises around the term data processing. The GDPR again defines processing broadly, including essentially any action that can be done to or with data. If a company determines that it has personal data that it should not have and destroys that data, it has processed it.
The real wrinkle with data processing concerns where it occurs. With the rise of cloud computing, it’s more difficult to ascertain—and to remain aware of—where data is physically located. Additionally, the locations where data is stored, processed, accessed, and deleted could all be different. Data in the cloud can’t be physically seen, so changes in its location can be effectively invisible.
The geographic reach of different global data privacy laws varies, as do the activities that they limit and protect, the definitions they use, and their definitions of terms.
Global Data Privacy and Data Protection Provisions
For companies with the strongest data protection regulations, consult the EU’s list of countries that have been designated as having “adequate” data protection measures. These include Argentina, Canada, Israel, New Zealand, and, to some extent, the U.S., under the Privacy Shield framework. South Korea and Japan are both in the process of having their laws assessed. In fact, the Asia Pacific Economic Cooperation (APEC) is in the process of creating its own version of Privacy Shield, the Cross-Border Privacy Rules (CBPR) system. So far, the U.S., Canada, Japan, and Mexico have formally joined.
Speaking of Mexico, it has its own Federal Law on the Protection of Personal Data Held by Private Parties, which has been in effect since 2010. To the south, Brazil recently passed its General Data Privacy Law, which closely tracks the GDPR, including severe fines for violations. Brazil’s law primarily concerns actual data privacy, including the lawful ways that organizations can process personal or “sensitive” data.
The majority of African countries lack enforceable data protection or data privacy laws.
Is Data Privacy Coming to America?
In a fire drill earlier this year, California passed the first major data privacy act in the U.S., potentially sparking an onslaught of other state and local laws. The California Consumer Privacy Act provides true data privacy rights for Californians and creates considerable complications for tech companies headquartered in California. (While Illinois has its Personal Information Protection Act, that law concerns data security and protection more than data privacy.)
Those tech companies may not just roll over and take it: Facebook, Google, and others are lobbying for federal privacy controls that would supersede more restrictive state laws.
What’s a global company to do when faced with this morass of data privacy and data protection regulations, especially when it comes to managing data for eDiscovery? As a first step, remember that there is no data privacy without data security. In other words, you can’t afford a data breach. Need more help understanding how to maintain compliance with global regulations while managing your eDiscovery data? Please contact us; we’re here to help.