Four Data Protection and Privacy Laws You Must Know
by Robert Bond
Data Protection and Privacy Legislation that will Change How Businesses Collect, Protect, and Use Your Personal Information
GDPR, China’s Cybersecurity Law and Colorado’s and California’s Privacy Legislation Aim to Protect Personal Information
Question: What do China and the European Union have in common with an increasing number of states like California and Colorado?
Answer: They all have new laws regarding both cybersecurity and privacy.
The WannaCry ransomware attack and the Facebook Cambridge Analytica scandal, along with numerous other cyber threats, have generated increasing concern among organizations and individuals regarding both cybersecurity and privacy. In response, many places around the world have enacted legislation designed to either establish rules and regulations or to strengthen those that already exist. And while the United States has yet to do the same thing on a federal level, cyber security experts are scrambling to keep up with the patchwork of new laws that are being enacted at the state level.
Among the many cybersecurity and privacy regulations that have emerged around the world in the past few years, the most impactful new laws that experts need to be aware of include the European Union General Data Protection Regulation (GDPR), China’s new Cyber Security Law (CSL), Colorado’s H.B. 18-1128, and California’s AB 375.
As technology increasingly transforms the world into a global cyber village, both cyber security experts and legal counsel will be increasingly expected to be familiar with these laws. To get us all up to speed, here is a snapshot of those laws and just a few of their key provisions.
Defining Data Privacy vs. Data Security
Perhaps the first thing to understand about these laws is the difference they draw between data and information, so we can better understand the difference between security and privacy. In short, security is to data what privacy is to information.
Data is a collection of often meaningless facts, while information is data that has been organized or interpreted to have some value or meaning; in many cases that meaning can be associated with an identity. For example, a random set of nine or ten digits is “data” and, on its own, largely meaningless; those same seemingly random digits become “information” once they are organized or interpreted as Jane Doe’s social security number or phone number.
Protecting data typically means protecting the confidentiality, integrity, and availability of information, three components often referred to as the CIA triad. Confidentiality is about controlling who can view your data and preventing unauthorized access, and it includes communication protection methods such as cryptography and encryption. Integrity is the ability to ensure that data remains unaltered. Availability ensures that data is readily accessible to all authorized users when it is needed.
What is Privacy in Cybersecurity
Privacy is the ability to protect both sensitive information or data and personally identifiable information (PII). In other words, it is about controlling who is allowed to see what, when, and why. In Europe, “privacy” has been defined by courts as “the right to be forgotten” or “the right to be left alone.” Such rights help determine what data is collected and how, how and with whom it is shared, and how long it should be retained.
In simple terms, cyber security is about protecting data, and privacy is about protecting information. Or to use an analogy, if security is the ability to keep people out of your house by erecting a fence, privacy is the ability to limit what people can see through the windows by putting up blinds. And as an old saying goes, “You can’t have privacy without security, but you can have security without privacy.”
Consumers want both companies and governments involved in cybersecurity and privacy efforts and are increasingly suggesting that companies bear a larger share of the responsibility. However, for now, it is governments that are taking the lead, on both the state and international levels.
China’s Cyber Security Law or CSL – Effective June 1, 2017
China’s new Cyber Security Law (CSL) took effect on June 1, 2017 and was the first comprehensive law to address cyber security and privacy concerns at a national level. The trouble with China’s new law, however, is that it is somewhat vague, leaving cyber security experts to figure out much of it as they go.
The law covers everything from privacy information to security standards, and applies to “network operators” and “critical information infrastructure” (CII) providers. And the difficulty of deciphering the vague language of this law is compounded by the fact that “network operators” and “CII” are terms the law defines rather broadly in theory, which allows China to apply it expansively in practice.
The good news is that it will help bring China in line with global cybersecurity norms and best practices. The bad news is that it comes with requirements that may force companies to provide source code, encryption, and other crucial information for review by Chinese authorities. Perhaps even worse is that in the immediate future it may cost companies billions of dollars to conform to the law, which could force some firms to invest in data servers in China that would be subject to government spot checks and investigations.
Some key provisions of the law include that those defined as “network operators” must obtain “informed consent” from users to collect PII, maintain a cybersecurity log of incidents for at least six months, and comply with data backup and encryption requirements. For CII providers, many of the same provisions apply – in addition to a requirement that “important data” and other personal information must be stored within China.
GDPR, The General Data Protection Regulation – Effective May 25th, 2018
Following China’s lead, the European Union passed the General Data Protection Regulation, or GDPR, which was the first comprehensive law addressing cybersecurity concerns on an international level.
The GDPR, which took effect on May 25 of this year, was passed out of worry about the buying and selling of PII by companies like Google and Facebook. The Cambridge Analytica scandal, which came to light just as the law was rolled out and enforcement began, further demonstrated how easy it was to compromise information from as many as 87 million accounts. In response, the law gives EU consumers more control over how personal data is collected and used online, and it affects any organization that holds or uses data on residents in the EU, regardless of where the organization is based or where the data is stored.
The GDPR also expanded the definition of “Personal Data” or PII. As a result, sensitive data such as name, phone number, and email address, as well as information like a postal code, driver’s license, passport, credit card, bank account, IP address, workplace, union membership, social factors, genetics, and biometrics, must all be protected. And, like China’s CSL, each EU resident must give explicit consent for how their information will be used and can withdraw that consent at any time; hence the “right to be forgotten” rule in the GDPR.
Whether your company has an office in the EU and shares internal data, or EU-based customers purchase your products or services online, the GDPR aims to hold businesses accountable by requiring any company that holds or uses data on people inside the EU to notify regulators of a major data breach within 72 hours of its discovery.
Companies must also allow consumers to easily opt in and out of data collection. If organizations aren’t compliant, European regulators can issue fines up to 4% of an organization’s annual global sales or €20 million ($23.5 million) — whichever is greater.
What is H.B. 18-1128 – Colorado Privacy Law – Effective September 1, 2018
On September 1, 2018, one of the strictest state-based privacy and data breach laws in America was passed. Known as H.B. 18-1128, the new Colorado law requires that, without exception, all businesses in Colorado that handle personally identifiable information (PII) of Colorado residents must comply. There is no exemption for small businesses in this legislation.
This law applies to any “Covered Entity” which is an entity that “maintains, owns, or licenses personal identifying information” of a Colorado resident in the course of business.
The law defines “personal identifying information” broadly. It can include a social security number, personal identification number, password, passcode, official state or government-issued driver’s license or identification card number, government passport number, biometric data, employer, student, or military identification number, or financial transaction device, as well as a username or email address combined with a password or security questions and answers (as defined in C.R.S. § 18-5-701(3)).
Businesses must implement and maintain reasonable security measures to protect documents containing PII, both on paper and electronically. They must also contractually require third parties with which they share this data, such as cloud service providers and other vendors, to implement those same reasonable security measures. In addition, they must implement a written policy covering the disposal of documents containing PII. Finally, the definition of PII in this law is extremely broad. Businesses that experience a data breach must notify the affected parties within 30 days, with no extensions. This is the toughest notification provision in the country.
The Attorney General, who must be notified if a breach affects over 500 residents, can sue for non-compliance to recover damages on behalf of Colorado residents. More significantly, the AG can file criminal charges if requested by any local District Attorney or the Governor.
California Cybersecurity Law – AB 375 – Effective January, 2020
A law that has some similarities to the GDPR is California’s new cybersecurity law, AB 375, which goes into effect on January 1, 2020. Under this law, companies must inform consumers about what types of data they are collecting before the data is collected, as well as the sources from which and the purpose for which it is collected. Unlike the way many organizations handle a customer’s data today, consumers have the ability to opt out of the sale of their PII. And if people consent to their data being collected, they can request the categories of information under which that data will be classified, as well as “the identity of third parties to which the information was sold or disclosed,” according to the legislation.
In addition to this, AB 375 requires that entities covered by the law must list things like consumer rights, as well as the categories of PII those entities have collected, sold, or disclosed over the last 12 months. Like the EU’s GDPR, California residents have the right to request a copy of any data that a U.S. organization might be storing on them, as well as the right to request that all of it be deleted.
According to Nuala O’Connor, president of the Center for Democracy and Technology, a digital rights group, “California has always been a bellwether for where the rest of the country is going on tech policy and tech legislation.” Since California passed the first law requiring the notification of customers of a data breach in 2003, for example, all 50 states have followed suit, with many states modeling their own laws after those of California.
Not since the inventions of ships and steam engines has there been such global migration – only today most of that migration is not so much individuals, but their data and personal information. As a result, people are eager for greater “informational privacy,” by which a person can control who can look into their digital identities, and what they are allowed to see, as well as the freedom to construct that identity without unreasonable constraints.
Like immigration laws, each country has passed its own regulations concerning cybersecurity and privacy, and discerning the vagaries and differences among them could be a full-time job in itself. The good news, however, is that, in the same way “the Open Systems Interconnection Model (OSI model) was designed by the International Organization for Standardization (ISO) as a reference model for open communication through various technical systems,” so too will similar international pressure and demands help to establish more uniformly accepted international standards for cybersecurity and privacy. And with new laws concerning both being passed from Qatar to Quebec to all 50 states, such a standard would only make the job of cybersecurity and privacy professionals that much easier.