Worldwide Privacy Regulations Landscape

Written by Etti Berger, CEO and Co-Founder, TripleP Training and Consulting Ltd.

The explosion in the use of social networking services, the changed status of the mobile phone (now a smartphone), the proliferation of mobile internet uses and the increasing porosity between public and private life all mean that a huge amount of personal and sensitive data is being shared with companies and organizations. Banking information, contacts, addresses, social media posts, and even your IP address and the sites you have visited are all stored digitally.

Companies tell you that they collect this type of information so that they can serve you better and offer you more targeted and relevant communications, all in order to provide you with a better customer experience.

But since 2018 we have been facing a new era. New data protection regulations put the consumer in the driver's seat, and the task of complying with these regulations falls upon businesses and organizations.

A year ago, Europe's General Data Protection Regulation (GDPR) became applicable and set the tone for privacy worldwide, making data protection the cornerstone of a landmark piece of legislation. In the 12 months from May 2018 to May 2019, privacy regulation has changed in all major hubs of data creation, from the U.S. to China and from Europe to Latin America.

Whether your organization works locally or operates globally, privacy regulations affect your decisions whenever you collect or process personal data, which has become omnipresent in every facet of business. The result is a delicate balancing act for law enforcement officials, IT leaders, and businesses: they must protect sensitive information, a task that seems to become more challenging by the day, without violating the privacy rights of their customers or employees through measures such as employee monitoring programs or endpoint data loss prevention tools, which themselves collect and inspect personal data.

The following regional breakdown provides both a roundup of recent key updates and recommendations for the coming year:

  • North America – The California Consumer Privacy Act (CCPA) emerged on the legislative scene and passed in record time, paving the way for change across the U.S. privacy landscape. At the time of publication, 13 states have followed suit by introducing draft laws, some of which exceed the CCPA in scope. Cumulatively, these bills would cover nearly 40% of the U.S. population.
  • Europe – The first six months of the GDPR were fairly quiet. But in late January 2019, eight months into enforcement, the French Data Protection Authority (CNIL) issued the GDPR's first multimillion-euro fine. Google was given a €50 million penalty, not for exposing user data, but for failures in transparency and consent management related to the Android operating system. Indicators point to year two being substantially busier from a regulatory and enforcement perspective; organizations that have adopted a wait-and-see approach are urged to align swiftly with the regulatory requirements.
  • Asia Pacific – The largest countries in the Asia Pacific region, China and India, introduced extensive privacy legislation, and China has already passed it. India is expected to pass the Personal Data Protection Bill (PDPB) in the coming parliamentary session. The PDPB is a lighter version of the GDPR, with the intent of fortifying it over the coming years. Japan concluded a multiyear process of reciprocal adequacy with Europe, creating the largest geographic area in which personal data can flow unhindered while remaining adequately protected. South Korea is expected to be next in line, joining the 13 countries that currently hold adequacy decisions with the EU.
  • Latin America – Portuguese-speaking Brazil, responsible for over one-quarter of Latin America's GDP, has followed the European model quite closely with the Lei Geral de Proteção de Dados (LGPD), scheduled to take effect in 2020. A knock-on effect in other parts of Latin America is to be expected over the coming years. Argentina has already seen a presidential proposal to replace its existing legislation in order to align more closely with Brazil and the EU.

The Way Forward

As more countries adapt their privacy laws toward the GDPR, we are expected to cross an inflection point in the 2019-2020 time frame. At that point, a large portion of global spending power will be located in countries with mature privacy regulations (demand), forcing hosting providers, developers and vendors (supply) to harmonize against a common standard. Many countries and organizations already see this shift and have introduced privacy policies with the intent of working toward the GDPR and becoming part of a modern data market.

Security and risk management leaders charged with supporting their businesses in a highly competitive market should enforce a modern privacy standard that is in line with the GDPR and focused on the data subject. This will allow their organizations to differentiate their offerings and grow unhindered. Organizations should align privacy work with positive, quantifiable change targets tied to core business goals, so that privacy management is not seen as yet another cost center. Customer retention, the cost of acquiring new customers, and reductions in data storage cost are just some of those positive targets.