For many, the concept of a federal data privacy law seems like a distant dream. At the state level, however, legislation doesn't appear to be slowing down.
With an influx of state-specific data privacy laws holding organizations accountable for the data they collect on consumers, it is easy to lose sight of the steps other countries have taken over the last year on data protection law.
As any enterprise that does business abroad knows, there is a host of ever-changing rules and regulations to follow outside the U.S. when it comes to data.
In its latest data security incident report, law firm Baker Hostetler looked at a handful that organizations should pay attention to.
The firm identified four international data protection law developments from the last twelve months that it is tracking and that could still affect organizations here in the U.S.
EU-US data transfers
Regulations around the flow of data have always been a little confusing for U.S. companies that do business with Europe. That was compounded in July 2020 when the Privacy Shield, an arrangement that allowed firms to transfer Europeans' data to the U.S., was invalidated, and even more so last year, when new Standard Contractual Clauses (SCCs) were rolled out. Among other changes, the new SCCs restrict when a data importer may disclose personal data to a third party outside the European Economic Area. As the report notes, organizations that previously relied on SCCs to transfer personal data out of the EU will need to transition all existing contracts to the new SCCs by December 27, 2022.
The European Union and the U.S. announced last month that they had agreed "in principle" to a new framework for cross-border data transfers. The arrangement, the Trans-Atlantic Data Privacy Framework, still needs to be translated into legal documents and formally adopted on both sides, something compliance officers will no doubt be tracking as well.
China's new data protection laws
China passed not one but two data protection laws last year: the Data Security Law (DSL), in effect since September 1, and the Personal Information Protection Law (PIPL), in effect since November 1.
Integral to the DSL are data classification requirements. Organizations inside and outside China that use and process data need to have a system in place that emphasizes data security management, ongoing assessments, regulatory reporting, and effective risk monitoring and remediation. While organizations may not think that another country's data protection law applies to them, PIPL in particular has global reach, as Baker Hostetler points out. The law covers the processing of personal information of individuals located in China, including when that data is processed outside China, such as when an organization offers goods and services in China or analyzes the behavior of individuals in China.
Cookies and changes to tracking technology
This item won't surprise anyone who caught the recent news that websites in France are being ordered to stop using Google Analytics, after the country's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), found that the service's data transfers conflict with the requirements of the General Data Protection Regulation.
Data protection authorities in the Netherlands, Finland, Italy, Turkey, and China are weighing similar moves, considering action against companies that collect too much information on consumers. "Companies using non-essential cookies and other tracking technologies should be on the lookout for growing compliance demands," the law firm writes.
Healthcare data
Organizations that collect healthcare data are no doubt aware of their obligations under the law, but the rise of COVID-19 data, such as individuals' vaccination statuses, has muddied the water considerably. Ultimately, matters are being decided country by country; Ireland, for example, said last summer that "the collection of employee vaccination data is likely to be unnecessary and excessive with no clear legal basis."
Organizations should keep tabs on how each country they operate in regulates this type of data.
"The use of health data has continued to be a hot spot for proactive data protection authority audits, and individual complaints of alleged health data misuses have also resulted in a number of recent regulatory enforcement actions," the firm writes.