Multiplication of Privacy Acts: A headache for companies?
On the occasion of the passing of the new Colorado Privacy Act, let's take a look at the news about new data protection projects around the world and the increasing complexity for international companies.
We have already written that the GDPR has had a “snowball effect”, encouraging many countries to adopt or modify their legislation: Brazil, India, Kenya, New Zealand, Botswana, Tunisia, ...
This new landscape has forced companies around the world to review their relationship with personal data and to embark on a compliance process that is often fragmented, and it has so far resulted in 160,000 violations and 126 million euros in fines.
However, the next big shake-up has already started in the United States, one of the largest markets in the world, starting with California, the 4th largest economy in the world!
There can only be one left (well maybe ...)!
Strongly inspired by the GDPR, and against the backdrop of the former American government's reluctance to create a federal equivalent, the California Consumer Privacy Act (CCPA) came into force on January 1, 2020 and has been followed by the California Privacy Rights Act (CPRA) and other equally ambitious regulations in Virginia (Virginia Consumer Data Privacy Act) and the most recent, the Colorado Privacy Act (CPA).
Although there is a groundswell of data privacy activity in the US, many initiatives have failed to pass, as in New York or in the state of Washington (Washington Privacy Act - WaPA), home to giants such as Microsoft, Amazon, Boeing and Starbucks.
This multiplication of state projects and calls from American tech giants seems to have moved the lines in the US Senate.
The recent passing of the new China Data Privacy Law is also a strong motive for the US Government to take it to the next level on data privacy regulation.
A federal privacy law is clearly within reach and could be the true equivalent of the GDPR in terms of affected population and market size, but as it stands, several projects with asymmetric approaches are under discussion. Among them, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act, which is described as more business-friendly and would preempt state laws; and the Consumer Online Privacy Rights Act (COPRA), which would be more GDPR-like but would sit alongside existing state laws.
If the COPRA project were adopted, the risk would therefore be ending up with 50 different regulations with subtle but marked nuances, as already exist between the CCPA, the CDPA and the CPA.
Much like the Scottish clans who used tartans of very similar patterns but different colors to distinguish themselves, keeping on state-level data privacy laws could introduce a lot of complexity through nuances and details that vary from state to state. We would be far from a "One Act to rule them all (and in the privacy bind them)."
The complexity induced by different national laws has already made compliance for globalized companies very difficult. The prospect of further fragmentation in a strategic market like the US could be a nightmare for some companies.
Take, for example, the right to erasure of personal data: under the GDPR it covers all data collected, whereas under the CCPA it covers only data collected in the 12 months preceding the request.
Will this famous right to be forgotten, valid only in the European space according to the decision of the European Court of Justice, also be limited to American soil, or will the extraterritoriality of American justice (recently reinforced through the Cloud Act) impose a worldwide erasure?
Or will the minimum age of consent for minors, which is 13 for the CCPA (with an opt-in request between 13 and 15) and 16 for the GDPR (which can be lowered to 13 if an EU member state chooses so), change the conditions of access to certain services depending on locality?
Managing this granularity may therefore make our privacy professionals (Scottish or not) lose their minds!
Multi-compatible Privacy Program or Data Asceticism?
One possible approach for companies would be to create a "Tartan" or multi-compatible privacy program based on the following main concepts:
- Transparency: This fundamental notion must give the data subject control over his or her data, from collection to deletion, through all stages of access. More than at any other time, it is in the event of a data breach or loss that transparency becomes paramount, as an important confidence-building factor that can limit the damage or end a company's reputation.
- Consent and contract: While the lawfulness of processing may vary from country to country, consent and contract are strong common denominators and less open to interpretation than a legal basis for processing such as legitimate interest.
- Minimization: To avoid juggling between data sets that are authorized in one jurisdiction and partly prohibited in another, companies may want to consider the usefulness of the data being processed. They should not lose sight of the fact that the only risk-free data is data that is not processed!
- Finally, by implementing and raising awareness about Privacy by design and Security by design, companies could maintain a high level of Confidentiality, Integrity, Availability and Traceability, indisputable cornerstones of data processing.
While this approach seems the most logical and pragmatic for a company with a very strong global presence, it should not obscure the fundamental questions - almost philosophical for the so-called Data Driven companies - on the "why" of personal data processing and on the "how" of its security.
Finally, it is hard to imagine these "Data Driven" companies operating a cultural revolution to become "Data Ascetic". However, they could use pseudonymization or anonymization by default, which would have the merit of securing the data of the data subjects without making them lose their value.
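The following example, added here and not part of the original post or of EVA Group's material, shows in Python what "pseudonymization by default" looks like next to anonymization, and why the former keeps the data's value: two datasets keyed on an e-mail address are pseudonymized with a keyed HMAC so they can still be joined and analysed without the identifier, while the anonymized form drops and generalises fields and can no longer be joined. It also covers the right-to-erasure case discussed above, since an erasure request can be served by re-deriving the token rather than keeping a reverse lookup table. The sample records, the field names and the key handling are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data (not from the original post): two datasets held by
# different teams, both carrying the customer's e-mail address as identifier.
CRM_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Martin", "age": 34, "city": "Lyon"},
    {"email": "bob@example.com", "name": "Bob Dupont", "age": 52, "city": "Denver"},
]
ORDERS = [
    {"email": "alice@example.com", "amount": 120.0},
    {"email": "alice@example.com", "amount": 30.0},
    {"email": "bob@example.com", "amount": 75.0},
]

# Assumed set of direct identifiers to strip; a real program derives this
# from its data inventory.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token for an identifier.

    HMAC rather than a bare hash: a bare SHA-256 of an e-mail address can be
    recomputed by anyone who can guess the address, so it is not a real
    pseudonym. With the key held separately from the data (e.g. by the
    privacy function), only the key holder can re-link the token to a person.
    """
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with a token; other fields keep their value."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym(record["email"], key)
    return out


def age_band(age: int) -> str:
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize(record: dict) -> dict:
    """Irreversible: drop direct identifiers and generalise the rest.

    No token is kept, so the record can no longer be joined to other
    datasets; that loss of value is the price of leaving the scope of
    personal data altogether.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "age" in out:
        out["age"] = age_band(out["age"])
    out.pop("city", None)  # location is a quasi-identifier; dropped here
    return out


def spend_by_subject(crm: list, orders: list, key: bytes) -> dict:
    """Join two pseudonymised datasets without ever handling the e-mail."""
    p_crm = [pseudonymize(r, key) for r in crm]
    p_orders = [pseudonymize(r, key) for r in orders]
    totals = defaultdict(float)
    for o in p_orders:
        totals[o["subject_id"]] += o["amount"]
    return {r["subject_id"]: (r["city"], totals[r["subject_id"]]) for r in p_crm}


def erase_subject(records: list, key: bytes, email: str) -> list:
    """Serve an erasure request on the pseudonymised store: re-derive the
    token from the request and drop matching rows, no reverse lookup needed."""
    target = pseudonym(email, key)
    return [r for r in records if r["subject_id"] != target]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: stored in a key vault, rotated
    print(spend_by_subject(CRM_RECORDS, ORDERS, key))
    print([anonymize(r) for r in CRM_RECORDS])
    orders = [pseudonymize(r, key) for r in ORDERS]
    print(erase_subject(orders, key, "alice@example.com"))
```

Two design points matter in practice: the HMAC key is what turns a token into a pseudonym, so it must live outside the dataset it protects (otherwise the data is effectively still identifiable to anyone holding both); and because the token is deterministic, the same key must be used consistently across datasets for joins and erasure to work, which makes key rotation a planned migration rather than a casual change.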
Data Protection Officer & Account Manager at EVA Group