By Madhu Maganti, CPA, CISA, Director of IT Advisory and Security Group

The distinction between data security and data privacy is often blurred as data privacy rights evolve. Data security protects data against unauthorized access, while data privacy concerns authorized access, including who has it and who defines it. In other words, data security is the technical implementation of what data privacy dictates. As privacy rights continue to evolve, regulators face the challenge of determining how to protect data in the future.

The Beginning & Where We are Today

The right to privacy received little attention on any platform in the early to mid-1900s. Today, nearly everyone is concerned about their privacy and tries to take some control over the data they disseminate on the internet. Standing up for one’s privacy rights alone would be extremely difficult without the help of regulations, which help individuals ensure their personal data is not shared without permission.

Today, the “right to privacy” has a far-reaching effect in modern tort law, which recognizes four general categories of invasion of privacy:

1. Intrusion into a person’s solitude/private space by physical or electronic means

2. Unauthorized public disclosure of private facts

3. Publication of facts that place a person in false light

4. Unauthorized use of a person’s name or likeness to obtain a benefit

The evolution of privacy rights started with the Bill of Rights guarantees in 1789, which include the Fourth Amendment, describing an unspecified “right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures,” and the Ninth Amendment, stating that “the enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people,” but which do not specifically mention a right to privacy. Several later changes shaped privacy rights, most prominently the Post-Civil War Amendments, the 1974 Privacy Act, the Health Insurance Portability and Accountability Act of 1996, the Financial Modernization Act of 1999 and the 2015 USA Freedom Act, to name a few.

One of the biggest regulations implemented to put more power in the hands of individuals was the recent passing of the General Data Protection Regulation (GDPR), which enhances data protection and privacy for all individuals within the European Union (EU) and the European Economic Area. This regulation aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

GDPR not only affects companies within the EU but has a global impact. With global commerce, consumers can be in any part of the world, so GDPR has companies worldwide scrambling to ensure compliance. The cost of compliance is very high, but non-compliance is likely even costlier: violators are subject to fines of up to 20 million euros or, in the case of an enterprise, up to 4 percent of the annual worldwide turnover of the preceding financial year, whichever is greater.

Close on the heels of the GDPR is the California Consumer Privacy Act (CCPA), which will go into effect January 1, 2020. This new law takes on the foundational aspects of GDPR and adds more rights to protect the consumers of California. Additional privacy rights introduced by the CCPA include:

  • Consumers have the right to know what information companies are collecting about them, why they are collecting that data and with whom they are sharing it.
  • Consumers hold the right to tell companies to delete their information as well as to not sell or share their data.
  • Businesses must still provide the same quality of service if the consumer opts out of sharing information.
  • Sharing or selling data on children younger than 16 years old will become more difficult.
  • Consumers have more leverage to sue companies after a data breach.

CCPA also gives the state’s attorney general more authority to fine companies that don’t adhere to the new regulations.

Another state taking serious measures toward privacy laws is Vermont. It recently enacted a data broker privacy law, in effect since Jan. 1, 2019, which aims to regulate businesses that collect, aggregate and sell data about consumers with whom the business does not have a relationship.

What’s Next?

There is a growing voice within the consumer community, as well as from technology company CEOs such as Tim Cook, calling on the U.S. Congress to pass comprehensive federal privacy legislation. In a recent Time magazine article, Cook laid out four principles that should guide this regulation: the right to have personal data minimized, the right to knowledge (knowing what data is being collected and why), the right to access (companies should make it easy for us to access, correct and delete personal data) and, lastly, the right to data security. Data security gives individuals confidence that their data cannot fall into the wrong hands through unauthorized access.

This federal privacy legislation is much needed to ensure consistency across the board. Several lawmakers have drafted bills, and these ambitious bipartisan bills are expected in both the Senate and the House this term. They may not arrive for some time, but that time needs to be spent shaping the bills so that compliance is achievable without being overly complicated and burdensome.

Companies working on complying with the GDPR will need to make adequate changes to their technology to accommodate the CCPA and any other state legislation that might affect them. The incremental cost of making these technology and policy/procedural changes to meet state legislation will be burdensome, and federal legislation might change that. At this moment, it is not clear whether Congress will pass legislation like GDPR or replace all the existing rules with something worse. One hopes that the privacy rights of individuals will emerge victorious and that companies will show more respect to the occupants of the cyberworld.

Doeren Mayhew’s dedicated IT Advisory and Security Group works closely with organizations worldwide to ensure regulatory compliance and mitigate scrutiny. To learn more about data privacy laws, contact us today.