The ease with which digital data can seamlessly move across geographic boundaries has strained the ability of lawmakers throughout the world to develop privacy laws and regulations that can protect their citizens’ personal information wherever that data may exist. These days, when even the smallest of start-ups can effortlessly operate globally, the difficulties caused by these strains are becoming more and more apparent.
In a post on Big Law Business, I address some of the compounding problems created by cross-border data movement. For example, a country (or an organization within that country) with minimal privacy protection laws may still be subject to the data privacy laws of other nations – laws which may require a much higher level of security.
One such incident happened in April of 2015, when the US Federal Communications Commission fined AT&T for a breach of American citizens’ data that occurred in Mexico, Colombia and the Philippines – outside the country, but not outside the reach of the law.
While a new agreement, referred to as the EU-US Privacy Shield, was reached on February 2, 2016, many of its provisions have yet to be revealed. As part of the Privacy Shield, two US agencies, the Commerce Department and the Federal Trade Commission, have announced greater diligence in ensuring that US organizations follow EU privacy requirements, but privacy rights activists in the EU have already threatened suit to invalidate the new agreement.
Added to the complex legal puzzle is the final draft of the EU General Data Protection Regulation (GDPR), now being considered by the EU Parliament and intended to replace the 1995 EU Data Protection Directive. Some of the more significant changes include a data breach notification requirement, a fine of up to 4% of an organization’s annual gross receipts for non-compliance, and the codification of a “right to be forgotten” previously granted in a court decision.
Probably the biggest change, should the current version of the GDPR be enacted, is that it will apply more broadly than the current Directive, which only applies to organizations that have a physical presence in the EU. Instead, the GDPR will affect any organization doing business in the EU regardless of physical presence. In this way, the GDPR will be very relevant to most US-based organizations (even though awareness of this fact appears to be very low).
Changes to the regulatory landscape, paired with increased data security risks, the rapid pace of change in technology and more complex employee demographics, have created a complex environment for IT data security. Residing in a country with little or no data privacy protection may soon no longer be a “Safe Harbor.” Invest in security measures now to ensure that your organization is able to keep customer data secure at the highest level of legal requirements, worldwide. Learn how Absolute can help your organization navigate the choppy regulatory landscape and mitigate data security risks here.