Data Privacy Rights
Written by: Madhu Maganti, CPA, CISA
The lines between data security and data privacy often get blurred. Data security is about securing data against unauthorized access. Data privacy is all about authorized access: who has it and who defines it. In this regard, data security is the technical implementation of what data privacy dictates. In this article, we will look at the evolution of privacy rights and where we envision regulators will go in the protection of those rights.
The right to privacy didn’t get the time of day on any platform in the early to mid-1900s. In the 21st century, however, and especially today, everyone (or mostly everyone) is worried about their privacy and tries to take some control over the data they disseminate on the internet. If individuals had to stand up for their privacy rights on their own, without the help of regulations, it would be extremely painful. These regulations help individuals ensure that their personal data is not shared without permission.
Today, the “right to privacy” has a far-reaching effect, with modern tort law including four general categories of invasion of privacy: intrusion into a person’s solitude/private space by physical or electronic means; unauthorized public disclosure of private facts; publication of facts that place a person in a false light; and unauthorized use of a person’s name or likeness to obtain a benefit.
The evolution of privacy rights started with the Bill of Rights Guarantees, 1789, which includes the Fourth Amendment, describing an unspecified “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures,” and the Ninth Amendment, stating that “[t]he enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people,” but does not specifically mention a right to privacy. Several changes to privacy rights followed, and I have listed some of the prominent ones: the Post-Civil War Amendments, the Privacy Act (1974), the Health Insurance Portability and Accountability Act (HIPAA) (1996), the Financial Monetization Act (1999), and the US Freedom Act (2015), to name a few.
One of the biggest regulations implemented to put further power in the hands of individuals is the General Data Protection Regulation, or GDPR as it is more commonly known. This regulation enhances data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA), and it was implemented on May 25, 2018. It aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. GDPR does not only affect companies within the EU; it has a more global impact. With global commerce, consumers can be in any part of the world. This regulation had companies from across the globe scampering to ensure compliance. The cost of compliance is very high, and the cost of non-compliance is probably even higher, with violators subject to fines of up to 20 million Euros or, in the case of an enterprise, up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
Close on the heels of the GDPR, the California Consumer Privacy Act (CCPA) was passed and signed into law on June 28, 2018. This Act takes on the foundational aspects of GDPR and adds some more rights that protect the consumers of the State of California. CCPA grants consumers the right to know what information companies are collecting about them, why they are collecting that data, and with whom they are sharing it. It gives consumers the right to tell companies to delete their information as well as to not sell or share their data. Businesses must still give consumers who opt out the same quality of service. It also makes it more difficult to share or sell data on children younger than 16. The legislation, which goes into effect on January 1, 2020, makes it easier for consumers to sue companies after a data breach. And it gives the state’s attorney general more authority to fine companies that don’t adhere to the new regulations.
Vermont has a Data Broker Privacy Law that is effective January 1, 2019. Its aim is to regulate businesses that collect, aggregate, and sell data about consumers with whom the business does not have a relationship.
What next?
There is a growing voice within the consumer community, as well as among tech CEOs like Tim Cook, calling on the US Congress to pass comprehensive federal privacy legislation. In his article in Time magazine, Tim Cook laid out four principles that should guide this regulation, namely, the right to have personal data minimized, the right to knowledge (knowing what data is being collected and why), the right to access (companies should make it easy for us to access, correct and delete personal data) and, lastly, the right to data security. Data security gives the individual the trust that the data cannot fall into the wrong hands through unauthorized means.
This Federal privacy legislation is much needed to ensure consistency across the board. Several lawmakers have drafted their bills and these ambitious bi-partisan bills are expected in both the Senate and the House this term. They may not arrive for some time, but the time needs to be spent to shape these bills to ensure compliance without being too complicated and burdensome.
Right now, companies are working on complying with the GDPR and will need to make adequate changes to technology to adjust for the CCPA, among other state legislation that might impact them. The incremental cost of making these technology and policy/procedural changes to meet state legislation will be cumbersome, and federal legislation might change things. At this moment, it is not clear whether Congress will pass legislation like GDPR or replace all the existing rules with something worse. One is hopeful that the privacy rights of individuals will emerge victorious and that companies will show more respect to the occupants of the cyberworld.