Which Privacy Law Applies?
In the case of the General Data Protection Regulation (GDPR)—the European data protection law—it relates to the “protection of natural persons” and their “personal data.”1 It doesn’t concern data on companies, enterprises, or other legal entities, but rather that of people related to such companies and entities.
The GDPR applies to the processing of personal data in the context of the activities of an organization established in the European Union (EU), regardless of where the processing itself takes place, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour within the EU.2 The trigger is the data subject's presence in the EU, not citizenship or residence: an American citizen living in the EU who buys a service from a company in the United States (US) is protected by the GDPR, and the US provider carries GDPR obligations.
However, the GDPR does not apply to the processing of personal data “by a natural person in the course of a purely personal or household activity.”3 So, if you occasionally put an item up for sale on a website or keep a list of invitees for a party you’re planning, you don’t need to worry. On the other hand, if you start offering items or party services for sale on a regular basis, you’d better be cautious. There are also additional rules and exceptions regarding international treaties, public services, special categories of data (e.g., health data), and data on children.
The bottom line? If a particular law may apply to your organization, research it, since it determines whether and to what extent you must implement and budget for the necessary measures. Since you can’t afford privacy negligence, you must do this for each country, state, or province in which your organization operates. Incidentally, according to the United Nations Conference on Trade and Development (UNCTAD), 137 out of 194 countries have legislation in place to protect data and privacy.4
Complicating matters further, privacy laws exist at different levels of government within a single country. In Canada, for example, privacy law is set at both the federal and the provincial level, and whether one or both levels apply to a given activity must usually be determined case by case.
Privacy/Data Protection Laws
Consult the UNCTAD list of data protection and privacy legislation worldwide.
Many sites also publish practical guides to data privacy laws by country. Always check that they’re up to date before relying on them.
What if Multiple Laws Apply?
If multiple privacy laws apply to the activities of your organization, you must compare them. It may be that compliance with your local national law already satisfies much of what the foreign laws require.
For example, the EU has recognized the safeguards of the Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian federal privacy law, as adequate. In GDPR terms this is an “adequacy decision” (Article 45), and it means personal data may be transferred from the EU to a Canadian commercial organization covered by PIPEDA without additional transfer safeguards. Be careful about what adequacy does not mean: it does not make PIPEDA compliance equivalent to GDPR compliance. A Canadian organization that offers goods or services to people in the EU, or monitors their behaviour there, is subject to the GDPR directly and must meet its obligations in full.
The law itself will often spell out the necessary measures. For instance, when transferring personal data outside the EU for processing to a destination for which no adequacy decision or alternative framework exists, the GDPR requires “appropriate safeguards” (Article 46), most commonly “standard contractual clauses” or “binding corporate rules.” Where laws differ, implement measures that address the requirements of all of them. Compliance with a “gold standard” privacy law like the GDPR will likely cover most of what other privacy laws require, but never assume it covers everything: other laws may carry their own specific notice, opt-out, or registration obligations that the GDPR does not, so check each one for local specifics. Used this way, GDPR compliance can be a cost-saving exercise, even if the EU is a less important market for your organization.
Since no organization has unlimited resources, let alone all the necessary in-house expertise, it’s important to prioritize. Start with your local/national laws, then your largest or most important markets, and economize your efforts by aiming for “gold standard” compliance.
Some additional points to consider:
Beware of conflicts between privacy requirements and laws that may negate privacy protection, such as national security and law enforcement laws. The Court of Justice of the EU’s 2020 Schrems II judgment, which invalidated the EU-US Privacy Shield because of US surveillance law, shows how far-reaching the consequences can be. Resolving such conflicts may require changes in business processes, such as the storage location of personal data.
Assess the data protection provided in the countries where your (sub)contracted data processors are located, because the level of protection can never be lowered along the processing chain. Under the GDPR (Article 28), a processor must offer sufficient guarantees and must flow the same data protection obligations down to any sub-processor. For example, if your own safeguards include encrypting data in transit, an equivalent measure must be in place at every processor that handles the data. Note that the GDPR does not prescribe specific technical measures; Article 32 names encryption as one measure to apply “as appropriate” to the risk.
What Else Do I Need to Consider?
Compliance with privacy laws may only be a starting point for organizations subject to further regulations. Other laws and regulations may impose privacy-related rules and demands.
Your organization should know whether industry-specific regulations restrict the use and/or distribution of personal data. Industries with such regulations include healthcare, banking, finance, insurance, and public services. Even if your own country imposes none, consult the regulations of every country in which your organization operates.
The GDPR’s provisions on the right to object to “profiling” and on “automated individual decision-making” (Articles 21 and 22) apply generally, but they have particular consequences in the banking, finance, and insurance industries (in credit/loan approval processes, for example) and in the marketing business.5
Examples of other laws with privacy considerations are the European Digital Services Act, the Digital Markets Act, and the Artificial Intelligence Act (still a proposal at the time of writing).
The General Data Protection Regulation (GDPR)
Europe’s privacy/data protection law applies directly in every member state of the European Union (and, through the EEA Agreement, in the other EEA countries). Member states also have related national laws that implement the transition from their previous privacy laws and that set specific rules where the GDPR allows them. One example is the age of consent for information society services offered directly to children: Article 8.1 sets it at 16 but lets member states lower it to no less than 13, so it varies by country.
More guidance, recommendations, and best practices related to the GDPR can be found on the European Data Protection Board website.
Keeping Up With Changes in the Law
Not only do new privacy laws keep coming into force, but existing privacy laws are also constantly being reviewed, replaced, or updated.
For example, at the time of writing (end of 2022) a new federal law, the Digital Charter Implementation Act (Bill C-27), was making its way through the Canadian Parliament. Part of this Act, the Consumer Privacy Protection Act (CPPA), would replace Part 1 of the PIPEDA. The Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act would also be new. Separately, most provisions of Quebec’s Law 25 take effect in September 2023.
In the United States, new privacy laws at the state level have come or will come into effect in 2023: Virginia (VCDPA) on January 1; Colorado (CPA) and Connecticut (CTDPA) on July 1; and Utah (UCPA) on December 31. Also on January 1, the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) took effect, expanding the CCPA rather than replacing it.
According to the website Secure Privacy, other changes in the pipeline at the time of writing include developments in the United Kingdom (Data Protection and Digital Information Bill, 2023), Saudi Arabia (law effective on March 17, 2023), Argentina (modernization, 2023), India (Digital Personal Data Protection Bill, 2023), and Indonesia (Personal Data Protection Law, fully in force in 2024).
These clearly illustrate the constant evolution of the privacy law environment and demand constant monitoring, followed by timely changes to your organization’s processes.
Tips on Staying Current
So, which privacy laws apply to your organization? Unfortunately, there’s no easy answer. But there are various ways to better manage your ongoing responsibilities related to privacy:
Make a list of the countries in which your organization operates and handles personal data, e.g., from customers, partners, vendors, or (sub)contractors. Study the privacy laws of these countries to see whether they apply to your organization and prioritize your efforts.
Verify where the people involved in your organization’s activities are located, since location (not nationality or residence) is what usually triggers a law’s application. For example, an American citizen residing in the EU who buys a service from a company in the US is protected by the GDPR.
List the supervisory authorities (data protection authorities, DPAs) to which your organization must report personal data-related incidents such as a data breach, and the deadlines that apply (under the GDPR, Article 33, a notifiable breach must be reported within 72 hours of becoming aware of it). For an organization with an establishment in the EU, the GDPR’s lead supervisory authority is the DPA of the member state where its main establishment is located, meaning the office that decides on the purposes and means of the processing (Article 56). An organization not established in the EU must appoint a representative in the EU (Article 27), but the representative’s location does not create a lead authority: such an organization deals with the DPA of each member state in which the affected people are located.
Keep up to date on changes in the privacy law environment.
Don’t relent. Third parties can help your organization achieve compliance, but the responsibility cannot be transferred: your organization remains liable even when it uses a third party. Organizations with similar activities can collaborate on privacy best practices and compliance in general, so seek and share guidance in your professional community.
Always remember that ignoring privacy laws is not an option!
Final Thoughts
Don’t curse the European GDPR law. Instead, praise its existence. One regulation covers the 27 EU member states (and the three other EEA countries), instead of burdening your organization with 27 different national privacy laws, and an organization with a main establishment in the EU can deal with a single lead data protection authority rather than 27 of them. National derogations do exist, so some country-by-country checking remains, but far less than before.
If only the rest of the world would follow Europe’s lead.
This article includes contributions from IIBA Editorial Committee Member Kristyna Samcova. Kristyna Samcova is an experienced Senior Business Analyst/Consultant professional with more than 7 years of experience in the fintech/manufacturing industry.
References
- European Parliament and Council of the European Union. General Data Protection Regulation (GDPR), Article 1.1. Adopted April 27, 2016; applicable from May 25, 2018. https://gdpr-info.eu/.
- European Parliament and Council of the European Union. GDPR, Articles 3.1 and 3.2.
- European Parliament and Council of the European Union. GDPR, Article 2.2(c).
- United Nations Conference on Trade and Development. Data Protection and Privacy Legislation Worldwide. https://unctad.org/page/data-protection-and-privacy-legislation-worldwide.
- European Parliament and Council of the European Union. GDPR, Articles 21 and 22.

About the Authors
Christiane Vandepitte (Mathematics) is an experienced business analyst. She has worked mostly in Brussels, Belgium, in large organizations, in both the private and public sectors.

Guy Kindermans has been working as an ICT journalist for over 30 years. He is well informed about many aspects of Information Technology.
