Data breaches have always been on the rise. From high profile firms like Yahoo and Uber to the small startup’s everyone has been the victim of attacks on their cyber security. After a survey by an NGO from the Identity theft Report Centre in 2017, there were about 1579 data privacy breaches compared to 1091 in 2016.
Data privacy and security have been the utmost priority of every institution, especially for all law firms. The wiper attack on DLA Piper in 2017 and 2016 the email hacks of Cravath and Weil Gotshal showed everyone how important it is to stop all these cyber attacks. There was one more incident in the UK where the email address and passwords of almost 800,000 UK law firms were available on the dark web.
What measures were taken by the legislators to stop these attacks?
On the one hand, Canada, China, and EU legislators introduced privacy laws like PIPEDA, CSL, and GDPR to eliminate data breaches. And on the other hand, the United States still depends on the old and inconsistent state rules for data protection.
In this article, we will discuss old and newly formed data privacy laws and predict their future.
GDPR by European Union:
GDPR stands for General Data Protection Regulation. It is an effort of the EU to provide its citizens with better control over their data. This law was passed in April 2016 but came into effect on May 25, 2018.
The major principle of GDPR is that data privacy is the fundamental right of every user. Therefore, every EU citizen has the right to transfer, access, and rectify their data stored by any entities. Furthermore, all the business organizations that gather your personal information must inform you about any data breach within 72 hours.
All the organizations that fail to abide by these European privacy laws have to pay 4% of their annual revenue or €20 million as compensation.
PIPEDA by Canada:
PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is a Canadian data privacy law that governs the security, retention, and processing of the personal data of its citizens.
PIPEDA excludes all those charitable organizations that do not engage in commercial activities. The OPC (Officer of the privacy commissioner), which is Canada’s central data protection authority, has the right to give suggestions to the citizens making complaints. Still, for further action, they have to take matters to court.
Due to the rise in cases of data threats, the data privacy act passed a data privacy act in 2015. It has given certain guidelines to every institution for collecting, retaining, and usage of personal data of its citizens. In addition, Canadian privacy laws exempt business entities from using users’ personal information without their consent.
It is somewhat like implementing HIPAA laws in Canada. HIPAA is a federal law in the USA that ensures that no one discloses sensitive patient health information without consent. So we can conclude that PIPEDA is somewhat like implementing HIPAA laws in Canada.
CSL by China:
Although China is not very good at protecting the privacy of its citizens, but still in its heated political environment, it has understood the need for a solid cybersecurity law. Therefore, it implemented Cybersecurity Law (CSL) in 2016, which came into full force by 2018. It also made strong rules for the collection, use, and security of the personal information of its citizens. In addition, the critical sector industries like communications, energy, transport, and public services are subjected to compulsory testing of their network security.
The foreign companies working in China might have issues with the new CSL law as it requires all the information about their business and data on the Chinese citizens.
A patchwork of sectoral laws in the United States:
The United States is still relying upon its inconsistent set of rules and patchwork of sectoral law for the data protection of its citizens. US privacy laws only cover certain industries and types of personal information like financial and health data. Due to which there are various inconsistencies in the rules that incorporate industries concerning certain personal data.
One of the acts that come under US privacy law is HIPAA. HIPAA stands for health insurance portability and accountability act. It tends to provide patients with more control over their health information. It states that written consent is a must for the disclosure of their health data. HIPAA covered entities like healthcare providers, health plans, and healthcare clearinghouses. Few entities do not fall under covered entities but still process the personal health information of the patients. HIPAA does not bind those entities. So it means that a doctor might not disclose an individual’s information, but a wellness tracker or a fitness device can.
The same issues arise in the financial data act called Gramm-Leach-Bliley Act(GLBA). In GLBA, they collect privacy disclosures and information to protect their data. But it is also applied to only lenders, insurers, and banks. Because of which it creates inconsistency in the protection of financial data.
Due to these uncertainties, California became the first state to implement a data breach notification law in 2003. And now, there are a total of forty- seven other states that have executed the California privacy protection act in their region.
Despite increasing cyber security attacks, the US has been an ardent critic of data protection legislation. From Obama to Trump, none of the ministers have shown interest in establishing a stronger and better data protection law.
What were the general policy predictions for 2018?
With the regular changing trends in data protection policies, people predicted a vast change and advancement in cybersecurity policies for 2018.
Testing of US-EU privacy shields was supposed to happen for more powerful domestic privacy policies.
The privacy shield was an agreement that allowed data transfer between Europe and the USA. The idea of a privacy shield felt feasible because of the difference in the privacy laws of both the nations.
In the trade battle, China’s CSL appeared to be a source of leverage.
China’s new Cybersecurity Law might disrupt cross-border transfers of information that are routine in the ordinary course of business,” according to a document submitted to the WTO Services Council by the Trump administration.
Cybersecurity legislature in all states.
The state of New York was the first to adopt a comprehensive cybersecurity law. The regulation demands active risk evaluation, detailed emergency response plans, and cyber threat surveillance and identification.