The Growth of Global Data Privacy Laws – Beyond GDPR & CCPA

The push for data privacy has exploded in recent years, with regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) leading the charge. This means consumers around the globe are gaining rights regarding how their data is collected, stored, and sold, as well as more ways to hold companies accountable when poor data security practices lead to data breaches involving their personally identifiable information (PII).

With GDPR covering the EU and CCPA covering the large state of California, those who aren’t residents of those regions may be wondering if there are any data privacy regulations that are protecting their specific data and rights. The answer is… it depends. Not all countries around the world, and states in the U.S., have data privacy regulations.

However, there’s a lot to be optimistic about. Gartner has predicted that “by 2022, half of the planet’s population will have its personal information covered under local privacy regulations in line with the General Data Protection Regulation (GDPR), up from one-tenth today.” Another Gartner prediction says that “by 2021 more than 60% of large organizations will have a privacy management program fully integrated into the business, up from 10% in 2017.”

If these predictions hold true, then it will be incredible steps in the right direction for consumers from both regulatory and corporate perspectives.

So, what will that data privacy growth look like beyond the well-known GDPR and CCPA? Since we’ve already discussed those regulations at length, I felt it was appropriate to start highlighting lesser-known data privacy laws in the United States and across the globe.

Lei Geral de Proteção de Dados (LGPD) – Brazil

Originally scheduled to go into effect in August 2020 (although this may get pushed back to May 2021 due to COVID-19), Brazil’s LGPD is closely modeled after the EU’s GDPR and is the largest data privacy regulation in the world after GDPR and CCPA. Its primary goal is to unify 40 different regulations, often industry-specific, and resolve conflicts that occur due to the sheer number of different data privacy regulations in the country.

The regulation is comprised of several articles that specify and protect the rights of data holders and applies to organizations that process data in Brazil, process personal data collected in Brazil, or process personal data while providing goods or services in Brazil. Like with GDPR and CCPA, a company does not need to be headquartered in Brazil to be affected by LGPD.

Under LGPD, the person whom personal data applies to is considered a holder, and holders gain many rights regarding their personal data. This includes, but is not limited to:

• Access to one’s personal data
• Correction for inaccuracies in personal data, or for outdated personal data
• Deletion, or anonymization, of personal data not in compliance with LGPD or processed without the consent of the holder
• The ability to revoke one’s prior consent
• Information about how one’s data is used, and who that data is shared with

Article 18 of LGPD covers all data holder rights under the regulation, and additional articles go on to cover punishments and fines for those found not in compliance.

It’s clear that GDPR has a large influence on LGPD, although there are differences. This is the primary regulation to watch beyond GDPR and CCPA, as it should have the most immediate impact.

Regulations in the States of Nevada & Maine – United States

As of the time of this blog, the International Association of Privacy Professionals’ State Privacy Law Comparison only had Nevada and Maine with signed data privacy laws. States like Massachusetts, New York, and Maryland seem to be on the right track, but nothing is official yet.

Nevada’s Senate Bill 220 – This regulation is by no means as comprehensive as GDPR, CCPA, or LGPD. Its primary goal is to give consumers the right to opt-out of the sale of their personal information but doesn’t go much farther. This is in stark contrast to California’s CCPA, which takes much larger steps to protect consumer personal information and provide consumers with rights to recourse against organizations found to not be compliant.

Maine’s An Act to Protect the Privacy of Online Customer Information – This regulation has limited scope as well, and “prevents the use, sale, or distribution of a customer’s personal information by internet providers without the express consent of the customer.” It’s a start, but like Nevada’s SB 220 it doesn’t come close to the comprehensive legislation CCPA provides to the residents of California.

It’s good that Nevada and Maine are taking data privacy seriously enough to sign regulation into law, however, these regulations are much smaller in scope than GDPR, CCPA, and LGPD. It’s also concerning that the United States may end up with a patchwork of state-level data privacy regulations, rather than a sweeping federal regulation.

While state rights are an integral part of how America functions, the internet makes tracking the flow of data between states quite complex. By comparison, GDPR covers all countries that are members of the EU. Data privacy progress in the U.S. is certainly positive, however federal regulation modeled after CCPA and GRPD would be much more effective than a combination of different state laws.

Personal Data Protection Bill (PDPB) – India

This bill is still making its way through India’s parliament, but it’s worth discussing as it’s also modeled after GDPR (clearly the current gold standard for data privacy regulation).

If enacted, PDPB will apply to organizations processing personal data collected, disclosed, or processed within India. Like LGPD, this applies to companies that aren’t headquartered in India but process personal data there.

What’s covered under PDPB resembles GDPR as well. Consumers gain rights to access their data, correct their data, and delete their data. The bill also covers the consumer’s Right to be Forgotten, as well as data portability between organizations.

However, just because an organization is prepared for GDPR doesn’t necessarily mean they’re ready for PDPB. There are slight scope differences between the two regulations, and PDPB hasn’t been finalized yet. The specifics of the regulation are bound to change, and any organizations with ties to India should be keeping an eye on it.

Other Regulations and Frameworks

While the above regulations have been data privacy focal points after GDPR and CCPA, there’s a few other laws and organizational frameworks that are worth mentioning as well:

• South Africa’s Protection of Personal Information Act (POPIA)
• National Institute of Standards and Technology’s (NIST) Privacy Framework
• Asia-Pacific Economic Cooperation’s (APEC) Cross-Border Privacy Rules (CBPR)
• U.S. industry-specific laws, such as HIPAA, GLBA, SOX, FISMA, and COPPA
• ISO/IEC 27001 – Information Security Management

That is by no means an exhaustive list of attempts to protect personal data around the globe, however, it shows that data privacy is increasingly on the minds of consumers, businesses, and lawmakers.

How Stealthbits Helps with Data Privacy

Stealthbits provides a range of capabilities that allow users to identify, secure, and report on consumer data and personally identifiable information (PII).

Stealthbits’ StealthAUDIT, a full-fledged Data Access Governance (DAG) solution, can:

Discover Hosts: Identify the different platforms within your network that may contain various unstructured and structured data repositories, to ensure a comprehensive view of your organization’s privacy data footprint.

Discover Sensitive Data: Analyze content for patterns or keywords that match built-in or customized criteria related to customer privacy, and classify that data.

Understand Access Rights: Once sensitive data has been discovered, determine who has access to that data and what they’re doing with it.

Perform Remediation Actions: Automate all or portions of the tasks you need to perform to demonstrate compliance with data privacy regulatory standards, including responding to Data Subject Access Requests (DSARs) and deletion or archival of stale data.

Learn more about how Stealthbits’ helps with both data privacy and data security here.