INTERNATIONAL DATA PRIVACY
GDPR
International Data Privacy rights first came into daily conversation in 2016 when the EU passed the General Data Protection Regulation (GDPR). That passage put countries around the globe on notice that the EU fully intended to do everything it could to protect the individual data privacy rights of its citizens. GDPR took a very proactive approach and was specific as to what would, and would not, be allowed going forward when it came to EU citizens' personal information. The GDPR was crystal clear: if you wanted to do business with an EU citizen, GDPR would apply.
Penalties
Anyone who chose not to abide by the GDPR shouldn’t make themselves available to EU citizens, because the drafters of GDPR added “teeth” to that legislation, enforceable as of 2018. The message was equally clear that swift and severe penalties for any violation of GDPR would befall any and all offenders. GDPR also included multiple layers of violations, potential violations, and reviews, which also served to add ample and harsh administrative and legal costs to any organization that violated, or potentially violated, the data privacy rights of an EU citizen.
Updated
Since it was first passed in 2016, GDPR has been amended and altered by case holdings several times. GDPR has added decisions regarding standard contract clauses between controllers and processors, standard contract clauses applicable to the transfer of personal data to third countries, and the processing of personal data and the free movement of such data, among many other things. Also, as Brexit was voted on and passed in 2020, GDPR no longer applies to citizens of the UK. In 2021, the UK passed the UK General Data Protection Regulation that applies to UK citizens.
International Expansion of Data Privacy Rights
International data privacy rights have exponentially multiplied since 2016. Out of the current 195 countries in the world, at least a third have already adopted legislation surrounding data privacy. Additional rules, regulations, and legislation are currently being worked on, both in countries that have already adopted such laws and in those whose laws have yet to be finalized. Many government bodies have used GDPR as a baseline or guideline when writing their own data privacy laws to protect their citizens. The list of countries that have passed, or are about to pass, legislation regarding data privacy rights includes Cuba, China, Switzerland, Thailand, India, the Philippines, Mexico, and a host of others.
Patchwork
As you can see, just within the last few years international data privacy has become an ever-changing, mismatched patchwork of privacy laws and penalties as set forth by individual countries on behalf of their citizens. Different strengths, weaknesses, morals, customs, social norms, natural resources, and a host of other factors come into play when each of the countries drafts the laws, rules, and regulations that apply to doing business with its citizens.
Additional Layers of International Data Privacy Rights
In addition to all of the different laws, rules, and regulations contributing to the overall global data privacy web, there are also differences and layers within each of those individual countries. Should you choose to do business with any given country, be aware that different data privacy rights, and mandatory reporting time frames, are also applied to various professions, employees, and a host of other delineations and divisions that must be adhered to within their borders or affecting their citizens. These overlapping requirements create increased legal costs, affiliate and vendor friction, and additional administrative costs, all of which result in increased costs to the final consumer, the intended beneficiary of data privacy rights.
Keeping Current
For these reasons and others, every company should carefully review the scope of its breadth and reach. What is allowable in the US as pertaining to employees may very well be illegal if applied to your employees overseas. In every aspect of data privacy, whether it be negotiating contracts with your suppliers, labor organizations, or customers, or simply drafting a new Privacy Policy, correct identification of “scope” is absolutely critical. For large organizations with operations across the globe, scope can be very difficult to comply with.
Data Maps
Each of these data privacy rights laws, rules, and regulations usually travels with the data, which will likely affect where you decide to store data and where that data travels on its way home. A variety of alternate data privacy rights will apply to your virtual meetings in the way of location data and physical, cultural, and other identifiers, directly or indirectly. International data privacy rights must be taken into consideration when considering eDiscovery, virtual collaboration rooms, backgrounds for video conferences, advertising, telehealth, and many other international considerations.
Time Frames
From country to country, industry to industry, timing varies greatly. For some situations in India, for example, mandatory timing can be as little as 6 hours. In other countries, timing may be as much as 72 hours. Every company should know, in advance, which data privacy laws, rules, and regulations pertain to the individual aspects of its business and what their respective timing requirements are, and should revisit and update that knowledge regularly. Even within the US, states are developing and passing their own data privacy laws, applicable to their citizens and those that do business within their state, none of which are required to mirror, or even be in step with, those of any other US state.
Non-Compliance
Whatever data privacy rights you encounter, there are always penalties for non-compliance. Penalties for non-compliance with data privacy rights are normally both swift and severe. Such rules, regulations, and laws are designed to be complied with, so penalties for violations normally more than remove any profit to be realized through non-compliance when it comes to data privacy rights.
Compliance Plan Development
Devising a comprehensive international data privacy compliance plan for all goods and services that your company offers, in advance, is now mandatory for every business that chooses to remain a going concern. In addition, given the sheer number of governing bodies promulgating new international data privacy rights legislation, or revising their current legislation, reviewing and revising your company compliance plan at frequent, regular intervals should now also be considered mandatory. This constant state of evolving international data privacy rights, coupled with the overlapping patchwork created thereby, requires companies to be fluid and adapt quickly to change.
Reputation
Penalties and fines aside, becoming known across the globe to your customers, employees, suppliers, and governing bodies as a company that doesn’t protect the rights of others, or obey the law, can be a death knell. In the US, there are additional data privacy concerns that may also apply to those in various professions, such as those applicable to banking and finance, and healthcare.
For assistance with your Data Privacy compliance program, call Susan Larsen of Larsen Law Offices, LLC.