From the course: Creating a Culture of Privacy

New privacy regulations on the horizon

- Privacy is not a new phenomenon. Humans have always had an instinctual desire for privacy, but the concept of privacy as a protected right under the law has only developed in the last few hundred years. In the US, we first saw privacy appear in the Constitution under the Fourth Amendment as the right to be free of unreasonable searches and seizures. Eventually the idea of privacy was conceptualized here in the US by two young lawyers, Louis Brandeis and Samuel Warren, as the right to be let alone. These early forays into defining privacy in the US have stuck and resulted in a patchwork of various privacy laws designed to give individuals the freedom to protect their bodies, behavior, and data from prying eyes. The US has developed laws around government use of data, as well as regulations protecting the privacy of health data, educational data, children's data, video viewing data, and financial data. There are also numerous state laws covering protection of consumers' data in the event of a data breach. Now cut across to Europe. There, many of the privacy laws arose in reaction to the abuses of World War Two and authoritarian governments. Individuals saw that information collected for a seemingly benign purpose could be used as a tool of oppression when in the wrong hands. Several European countries passed laws, and in 1995, the Data Protection Directive was passed and ushered in an era of comprehensive data protections for all EU citizens. The directive arose at a time when the commercial internet was in its very early stages. As more and more data came online and the complexities of different country privacy laws came into play, there came a call for a new privacy law to replace the directive, one that would take into account the vast amounts of data now being collected and would include fines high enough to make companies pay attention. In 2016, the EU adopted the General Data Protection Regulation, otherwise known as the GDPR.
The GDPR greatly expands EU citizens' rights to control their data. Even more significant for many companies is that the law extends to any company, even companies outside of the EU, that is processing the data of EU residents. So that means that a small company selling barbecue sauce out of a storefront in Texas could be subject to the GDPR if they sell a few bottles of sauce to a European living in France who fancies American barbecue. This means that many companies collecting something as simple as an email address or credit card number from a citizen of the EU may find themselves right in the middle of what I like to call GDPR territory. So you may be thinking, well, how bad can this law be? First, I'll probably never get caught, and second, if I do, I'll just pay the fine. You may want to rethink that strategy. Getting caught can be as easy as a frustrated customer contacting their local privacy regulator and telling them that you've somehow misused their data or not honored their data rights, and if a regulator does come knocking and finds that you have violated the law, the fines may be as high as 4% of a company's global annual turnover. That's right, 4% of your company's global annual turnover. For some companies that could equate to billions of dollars. In addition to complying with the GDPR, if you have customers in Europe, you'll need to find a way to legally transfer that data to the US. That means you'll need to sign onto an agreement between the EU and the US called the Privacy Shield that sets out standards for handling European citizens' data in Europe, or use another transfer mechanism such as standard contractual clauses or binding corporate rules. If you're using cookies in Europe, you'll also need to look at privacy laws in Europe covering cookies. In addition to all of the regulations in Europe and the US, we're also seeing the rise of privacy regulations in Asia.
China has a cyber security law; India, Japan, South Korea, Singapore, the Philippines, and many other countries in Asia are actively regulating the privacy of their citizens' personal data. This trend is continuing on in Latin America, where several countries have passed privacy laws and several more are working to pass laws that are equivalent to or even go further than Europe's GDPR. So congratulations, you've made it to the end of my long lecture on privacy laws across the globe. Hopefully you've got an appreciation for just how complex this area of the law is and how important it is for your company to get it right. And maybe, just maybe, you'll go give your privacy lawyer a pat on the back.
