International Data Protection - Cheat Sheet
by ALISON BERRYMAN, ANDREW TRUSWELL AND FRANCISCO MORAN WITH THE ASSISTANCE OF CASPER XIAO
Data protection can be a complex issue, particularly when it involves multiple jurisdictions.
Our team of data lawyers in the US, AU, and UK/EU have been collaborating to develop a unified approach for our global tech clients.
If you’re a business in the US, UK or AU, check out our quick cheat sheet below.
(Wondering what ostriches and data protection have in common?! Check out our Senior Lawyer Francisco’s cool fact-nugget.)
Europe and UK: A number of laws that all interconnect, broadly harmonised across the EU and UK (for now). The rules apply to all data relating to an identifiable living person.
(1) GDPR and UK GDPR: whose formal citations are, respectively:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation); and
- [the above] as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018
(2) UK and EU member state specific legislation implementing the GDPR, which (amongst other things) cover exemptions and country specific derogations e.g. UK Data Protection Act 2018.
(3) PECR: the Privacy and Electronic Communications Regulations 2003, which cover marketing via electronic means (including telephone, email, text and fax), cookies, security of information services and privacy in respect of certain specific types of data. This will, one day, be replaced in the EU by the e-Privacy Regulation.
US: Laws fragmented by data type and region – there are federal laws covering specific industries, environments and individuals (such as health, financial services and children) and local State laws that provide broad privacy protection to the residents of the applicable State. Below are ones we most commonly advise on:
(1) HIPAA: the Health Insurance Portability and Accountability Act of 1996 – a federal law applicable to health data
(2) RFPA: the Right to Financial Privacy Act 1978 – federal law protecting financial privacy of individuals from government processing and management of that information.
(3) GLBA: Gramm-Leach-Bliley Act – federal law protecting non-public information of customers or users of financial products from being used, sold or shared with third-parties.
(4) FCRA: Fair Credit Reporting Act – federal law regulating how consumer reporting agencies such as credit bureaus and background-screening companies can collect and use consumer financial information.
(5) COPPA: Children’s Online Privacy Protection Act 1998 – protects the personal information stored or processed online of children under 13 years.
(6) State laws – In some States there is a strong push for local consumer protection laws to cover residents. The most notable ones are the California Consumer Privacy Act 2018 (CCPA) as amended and updated by the California Privacy Rights Act 2020 (CPRA). These laws currently provide the most comprehensive protection in the USA, and are therefore followed by many industry leaders irrespective of where their organisation is based.
Australia: Just the one key piece of legislation, The Privacy Act 1988, applies to information or opinion about an identified (or reasonably identifiable) individual.
Who needs to comply?
Europe and UK: Organisations (including businesses, public sector bodies, charities and societies) of any size that are actively processing the data of, or marketing to, individuals in the UK and/or EU
US: The US federal privacy laws each have a relatively narrow scope as regards the type of data, but in general all organisations processing that type of data will need to comply. Each state law has its own rules as regards applicability – by way of example, only businesses (and not charities or government bodies) that meet one or more of the following thresholds are subject to the CCPA/CPRA:
(1) Has gross annual revenue in excess of $25 million in the preceding calendar year (measured on January 1 of the calendar year)
(2) Annually buys, sells, or shares the personal information of 100,000 California consumers or households.
(3) Derives 50% or more of its annual revenue from selling or sharing personal information
Australia: Organisations or agencies that “carry on business” in Australia, whether domiciled in Australia or offshore, with an annual turnover above the threshold of AUD$3 million (an “APP entity”).
In the UK/EU, organisations are required to inform data subjects of their processing activities, so this document (which can be called a Data Protection Notice or Policy) can be used to satisfy that requirement.
In Australia, it is a legal requirement for APP entities above the threshold to have an up to date Data Protection Policy that describes how that entity manages personal information. The Australian regulator (OAIC) has published a checklist for this.
In the US there are different requirements that apply to different information categories, so the regulatory landscape requires some customization of Privacy Policies across the board. The main obligation, and the smartest move, is to understand what you have to disclose and make sure that the user is informed on how the personal information is treated, regardless if there is a monetary transaction behind it or not.
Data Processing Agreement – relates to processing of data by one organisation on behalf of another.
This is required in the UK/EU wherever there is a “processor/controller” relationship. Certain provisions must, by law, be included in this document.
Under the Privacy Laws in the US, most notably the “CCPA model”, this “processing on behalf of” relationship is often referred to as a “Service Provider” providing services for a “Business”. Though there are no mandated contractual terms for this relationship, the laws hold the original data collector liable for any breaches or misuses by third-party providers, so there is an implicit requirement of compliance throughout the process.
There is no requirement in Australia for a specific contract, however data processing and sharing agreements are becoming more widely used especially for businesses with a global presence.
Internal Data Protection Policy – there is no strict legal requirement to have this policy in any of the jurisdictions discussed in this article. However, organisations in all jurisdictions are responsible for the actions of their staff, and an internal policy can help to ensure that staff understand what the regulations mean for them and how the organisation expects them to behave. A clearly worded and well publicised internal policy is a very useful tool to protect the organisation from regulatory breaches.
Risk assessments – the UK/EU data protection regime requires organisations to conduct formal risk assessments for certain types of data processing. These include:
Data Protection Impact Assessments, where there is a proposed change in the technology used in connection with personal data processing, or where changes to processes are likely to impact the risks associated with personal data processing.
Data Transfer Impact Assessments, where certain overseas transfers are contemplated.
Legitimate interest assessment, where an organisation is looking to rely on legitimate interest as its legal basis for processing.
Certain security risk assessments are also required in the US under HIPAA and under FTC rules relating to financial information, but these have a much narrower application than the GDPR risk assessment requirements.
Risk assessments are not mandatory in Australia, although they can still be a useful compliance tool.
Who enforces the law?
Europe and UK: each jurisdiction has its own “Supervisory Authority”. In the UK this is the Information Commissioner (ICO). The EU has a “one-stop-shop” system allowing companies that are established in the EU (not the UK) to deal with one “lead” regulator.
Possible penalties: fines of up to €20 million, or 4% of global annual turnover (whichever is greater); can order businesses to delete databases or change data practices; in a few extreme circumstances, criminal charges can be brought against the directors of companies.
US: Although there is not currently a regulator specifically for data, complaints regarding breaches of the various rules can be brought to the different industry regulators, depending on the subject matter. For example, financial privacy violations can be brought to the Federal Trade Commission, HIPAA violations to the Office for Civil Rights, and State privacy violations to the local office of the Attorney General (some States have their own Privacy Protection Agency, such as California). These bodies may investigate and impose penalties.
Possible penalties: fines can be huge and based on total number of individual breaches, not just a breach in the process or policy.
Australia: The Office of the Australian Information Commissioner (OAIC)
Possible penalties: Fines have been modest to date, but the maximum fine for any breach of the Australian Privacy Act has been increased in a recent amendment to the Act to the greater of AUD$50 million, 3 x the value of the benefit obtained through the use of the data, or 30% of the adjusted annual turnover for the relevant period.
Europe and the UK are somewhat ahead of the game when it comes to data protection and privacy regulation, but compliance in these regions can feel quite bureaucratic. The US has a less comprehensive regulatory regime, however, fines for infringements are often higher than elsewhere. Penalties for failure to comply with data protection regulation in Australia are also becoming more severe.
There may still be significant differences between jurisdictions, but what is very clear is that the data protection landscape is only getting tougher, and you need to take it seriously wherever you are.
If you need help with any aspect of your data protection compliance, reach out to us.
Andrew has focussed his practice on the intersection between aviation and technology with a specific focus on Data (Privacy and Cyber), Information Technology (Cloud, SaaS, Infrastructure, Outsourcing and IP), and Insurance (Aviation, PI & Cyber). Andrew has advised airlines like JetAsia and Qantas Airways, and market leading travel sector technology provider, Amadeus. During this period, Andrew was exposed to passenger system (PSS) and Distribution (GDS and NDC) transactions with many leading airlines, including managing data protection and cyber risks.
Francisco specializes in business strategy and project structuring. Prior to joining Biztech Lawyers Francisco was Head of Legal Affairs for multinational clean energy construction company, Powerchina Ltd. He provided comprehensive legal advice within its varied business sectors. Oversight ranged from company representation during negotiations & dispute resolution, structuring international purchase and provisions mandates, to contract preparations & execution to project completion.