Legislation and Regulation
In May 2016 the existing EU Data Protection Directive 95/94/EC was replaced with the new EU Data Protection Regulation 2016. This is one of the most significant changes to business law in history and reflects the need to bring the law into line with changing technology and the boom in data capture and manipulation. The rights of the data subject is core to its objectives and it is clear from the terms within the Regulation that businesses cannot ignore data protection, unless they wish to expose themselves to unwelcome regulatory actions and financial liability.
There are many significant changes and we consider these to be the highlights:
- Regulation not a Directive. EU Law as of May 25th 2016 and each member state will have 2 years to enshrine it into national law.
- Impacts on all companies doing business within the EU. If you’re an overseas company and you control or process EU citizen data then this will impact you, regardless of your incorporation domicile.
- Extensive and prescriptive rights for data subjects.
- Increase in maximum fines up to 4% of global turnover or €20 million.
- Mandatory Breach Notification within 72 hours. (You must inform on yourself)
- Same liability for data processors as data controllers.
- Requirement for Data Protection Officers.
- Organisations are meant to be able to evidence “Privacy by Design” which is a term being used to show that the protection of personal data cascades through every business operation.
In addition there are a host of EU and member state laws which impact on data such as the use of Drones, CCTV, Data Transfers (EU / US Privacy Shield). Computer Misuse Act 1990 and specific laws such as Privacy and Electronics Communications (EC Directive) Regulations 2003. Further to Data Protection Laws there are also European Laws such as the European Convention on Human Rights (Effective 1953) which is enshrined in member state laws such as in the UK Human Rights Act 1998. This protects EU citizens from having data pertaining to them used in a way which can impact on them, their families and their well being in a negative way.
Within each member state there are also specific industry regulatory bodies such as the Financial Services Authority (UK), Federal Financial Supervisory Authority (Germany) and Autorité des marchés financiers (France). Each have their own requirements for organisations falling under their jurisdiction and can impose significant penalties for failing to protect information and / or to manage information appropriately.
There are international laws which can also be used to enforce regulatory action on a particular jurisdiction where data is concerned, such as Sarbanes Oxley or the Patriot Act.
United States Legislation and Regulation
Whilst there is no Federal Privacy (data protection) law or a central national authority, there are over 20 sector specific privacy or security laws and hundreds of other state laws. (California alone has over 25 state privacy and data security laws)
There are other relevant Federal laws which have some relevance to data protection such as Gramm–Leach–Bliley Act 1999 and Health Insurance Portability and Accountability Act 1996 (HIPAA). In addition there are emerging important regulatory bodies such as the Federal Trade Commission (FTC) recently been designated as the overseer for the EU/US Privacy Shield and the U.S. Securities and Exchange Commission.
Increase in Litigation
Of course laws and regulation are only as strong as the regulatory act itself and within the past 2-3 years there has been a surge in legal action being taken against companies who have suffered data breach, with more than 90 class actions in the US alone in 2016.
The plaintiffs vary in type from being employees (past and present), other organisations, investors and also data subjects themselves, who have found that their information has been exposed. There has been legal precedent that shows that the claimant does NOT have to evidence that there has been any financial harm as a result of the breach in order to be able to claim damages. (Google v Vidal Hall, UK courts found in favour of a claim of emotional distress. The Claimants were not required to evidence financial loss or hardship as the law protects privacy and not economic rights).
Some of these legal actions are dwarfing the potential fines with the cost of the largest data breaches now being vast. (Target est $750m / Sony est $1billion / Bell Canada $750m). Furthermore senior individuals are now being held accountable with the resignations of the Co-Chair at Sony and CEO at Target, where both resigned directly as a result of the data breach. Shareholders are increasingly looking at the executive level and not the IT department when something goes wrong.
In the US one of the most commonly used acts to underpin legal actions is the Fair Credit Reporting Act (FCRA) which is United States federal legislation that promotes accuracy, fairness and privacy for data used by consumer reporting agencies.
Regulators and lawyers have now made it impossible for corporations to ignore their data protection responsibilities without increasing financial liability and the likelihood of regulatory action. Whilst legislation and subsequent legal action is a very complex area, most corporations when found to culpable after breach have generally failed to demonstrate control, due diligence or management oversight where data protection / privacy is concerned.
The DPG Pathfinder when deployed can be used to create a state of the art defence where an organisation can demonstrate that data protection is a process which is embedded into the very core of the business.