Different countries have different expectations of privacy with regard to data and have written their laws accordingly
There may also be regulations in addition to the laws on data, so that more consumer protections are in place; regulations are the interpretation and implementation of the laws
There may also be other guidance, standards and/or policies in place in addition to the laws and regulations
These things are in place to help regulate how data is used, saved, and deleted. There are different repercussions for each category if you fail to follow them
Why Data Privacy is Important
Your data reveals a surprisingly large amount about you that you may or may not want shared
Privacy for your data is important because companies that profit from your data are not going to lead the charge in protecting their product
Some data is more sensitive than other data; however, data can support more inferences about you than you might expect
For example, HIPAA covers medical data, but it doesn't cover Google searches, so if someone could get your location history and see you were at the doctor's, and then see your search history, they could probably make very accurate guesses about your medical file without ever seeing it
Why some places don't have Data Privacy
Some countries don't have data privacy laws because the lawmakers don't understand their importance
Some don't have them because the country is more in favor of capitalism than of consumer protection
Some places/industries don't have data privacy laws in place because laws take a long time to create, and the industry is changing too quickly for regulations to keep up
There is also disagreement within countries about how much should be protected, which can lead to some places having stronger laws than others even within the same country
How the laws and regulations are decided
This will depend on the type of government that is in charge
In the USA the branches of government decide on the laws and the interpretation of the laws at the country level and then also at the state level. It is possible to have data laws for the entire country, or just for individual states. Yes, this makes the laws harder to implement and harder for companies to deal with
If the country is run more by a person than by a government, as in Russia, that person could decide what laws, if any, are in place to regulate data
How GDPR changed the landscape of data privacy
GDPR was made in 2016 and implemented in 2018
It was made by the European Parliament and Council of the European Union
GDPR was one of the first data privacy laws passed that not only covered the broad range of EU citizens, but also was very stringent about what was and was not allowed, and also included penalties if it was not followed
"GDPR's seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability."
Lots of laws just said "do this or else" but didn't specify the "or else", so there wasn't as much incentive to follow the law
There was also a lack of people to enforce the laws before GDPR specified who does the enforcement and how
Data Privacy and the EU
Because the law was passed by the EU, it covers every country that is a part of the EU. (The UK added its own version after Brexit)
GDPR as written is LONG: there is not only a bunch of detail about what can and can't be done, but also a lot of language on what fines can be imposed
GDPR covers personal data, but also has extra protections in place for "sensitive data" such as religion, biometrics, health, and even sexual orientation
Any data that can be traced back to you is considered personal, even if it's pseudonymized
Any business that is in the EU, or has information about EU citizens falls under GDPR
GDPR fines were designed to be a costly way of penalizing companies that didn't follow the laws set forth. They are flexible and scalable, so they are painful but possible to pay
Meta - €1.2 billion (Ireland) 2023 fine for transferring European data to the US without protections from the US government; it also included a 6-month suspension of user data transfers
Meta - €390 million (Ireland) 2023 set of two fines, for Facebook and Instagram, regarding informed consent
TikTok - €345 million (Ireland) 2020 fine regarding children's data; it covered processing data correctly, age verification issues, videos that were public by default, and comments that were enabled by default
Criteo - €40 million (France) fine regarding targeted advertisements
TikTok - €14.5 million (UK) fine for allowing children to create accounts without parental consent for the collection and processing of their data, and without notification of how data was being collected and used
Data Privacy and the USA
There are both federal and state laws to protect data, but coverage is not comprehensive like it is in the EU
Most states have unregulated data collection and use
There is a Privacy Act of 1974 that covers some data collection and use, but it applies to the federal government
HIPAA is in place for healthcare; signed into law in 1996, it has limitations on what counts as a "covered entity"
GLBA covers financial institutions, signed into law in 1998
CA currently has the strictest data privacy law in the USA, the CCPA, which was modeled after GDPR
Some states, like CA, have laws signed into place; MA's laws are stuck in committee
But these laws tend to be behind the times and are not updated to cover newer issues and trends such as social media or AI
Other examples of Data Privacy laws and regs around the world
Canada - CPPA, which is currently going through drafting but has failed before. Currently there are two laws, one for the federal gov't and one for business (PIPEDA), but the latter covers specific businesses in specific areas only
New Zealand - Updated from the 2011 laws to include breach notification and restrictions on data transfer across borders
Thailand - PDPA follows GDPR guidelines, it's the first law specifically for data protection in Thailand
China - PIPL is the newest, but there were others before it such as the Data Security Law (DSL) and the Cybersecurity Law (CSL); PIPL is another law that is closer to GDPR
India - DPDP which is again similar to GDPR, however it doesn't cover businesses outside India even if they monitor data within India
Current trends in Data Privacy
Lots of countries are modeling their laws on the GDPR, which will give stricter limits on data privacy and penalties for failing to follow the laws
International standards are becoming stricter as to what is considered personal data, e.g. whether anonymized or pseudonymized data counts as personal data under the laws
Laws are being updated more frequently to cover the rapidly changing landscape, such as by including social media data
There is still an issue with consumer apathy: not enough people care about or understand the importance of data privacy, so it's hard in places like the USA where laws are not only slow to be passed, but also tend to favor corporations over people
Suggested Activities and Discussion Topics:
In pairs or small groups discuss the following questions:
Discussion Questions:
1. Identify and describe at least one major data protection law or regulation for a country besides the USA. What are the main objectives and provisions of this law, and how does it impact businesses and consumers? What are the potential consequences of non-compliance?
2. Identify and describe at least one major data protection law or regulation for a state in the USA besides Massachusetts (MA). Pick a state that someone else hasn't chosen yet! What are the main objectives and provisions of this law, and how does it impact businesses and consumers? What are the potential consequences of non-compliance?
3. Are there any innovative approaches to data protection that you find particularly promising or concerning? Where is the law or regulation you are talking about located? Explain what you find promising or concerning.