New privacy laws taking shape worldwide
Cybersecurity and privacy were hot topics at eMerge Americas, the recent business and technology conference that connects the United States and Latin America.
Facebook is facing potential fines of up to $1.6 billion, and Google has already been fined $57 million for violation of Europe’s General Data Protection Regulation (GDPR).
Meanwhile, regulations regarding data protection have been enacted all over the globe, including in Europe, Latin America and the United States.
The GDPR, which went into effect on May 25, 2018, served as a landmark for many other recent laws, including the California Consumer Privacy Act (CCPA), effective Jan. 1, 2020, and the Brazilian General Data Protection Law (LGPD), effective August 2020.
Every state in the United States already has legislation for protection of personal information, but none are as comprehensive as the GDPR. It’s critical to note that various states are on the way to revising their own laws with unprecedented fines. California’s incredibly stringent CCPA, for example, provides for a data breach private cause of action, which increases the likelihood of class actions.
On the other hand, companies had been dealing with privacy issues and their legal consequences long before these rules were enacted. In light of the digital issues companies face, businesses must act proactively and treat these laws not merely as checklists but as continual guidance.
It is important for all companies to be aware of and comply with privacy laws by maintaining effective compliance programs in accordance with the applicable rules, together with other important mitigating factors such as encryption. A company doing business in Florida and collecting or handling personal data needs to be attentive to privacy regulations not only in Florida, but in Europe and Latin America as well.
Europe
The GDPR was a paradigm shift because of its potential geographic reach, its comprehensive legal definitions of data elements and the introduction of the “right to be forgotten.” The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person” (e.g., IP address, hair color, job, religion, medical history, political opinions, telephone, credit card, account data). The law has a mandatory 72-hour breach reporting requirement. Penalties for violation could reach up to €20 million, or 4% annual global turnover—whichever is higher.
The GDPR is relevant to companies all over the world because it can apply to businesses, regardless of size, which: have a physical presence in Europe; have employees located in Europe; offer goods or services to people residing in Europe (including over the internet); collect or handle personal information from European residents; or monitor the behavior of people residing in Europe (including website analytics).
There are some essential measures that a company must take to be compliant with the GDPR: document the “personal data” it collects; identify to the individual the purpose of its data collection; determine and disclose how the data is stored; and obtain consent and permit its withdrawal (the GDPR affords individuals the right to object to profiling and to have their personal data deleted, corrected and transferred).
Latin America
Companies doing business in Latin America should be compliant with several laws dealing specifically with privacy, the most recent one from Brazil. The LGPD is very similar to the GDPR, including in its breadth of application and individuals’ rights. However, the law awaits 150 possible amendments, and enforcement is not clear because the president vetoed provisions regarding a Data Protection Authority (DPA), while establishing one provisionally.
In Mexico, the Federal Law on the Protection of Personal Data (FLPPD) entered into force as early as July 6, 2010. Since then, Mexico has imposed over 350 sanctions for privacy violations, totaling $21 million. The Mexican government has enacted other regulations in the subsequent years that complement the FLPPD; taken together, these regulations are very comprehensive in scope and enforcement, even providing for imprisonment as a penalty.
Colombia has a body of regulations that includes special categories of personal data, breach notification requirements, a DPA and individual privacy rights. Colombia also recognizes the right to privacy and the right to data rectification under its Constitution.
Argentina is currently in the process of replacing its current Data Protection Law with a more comprehensive regulation similar to the GDPR. The current legislation, from the year 2000, does not provide for breach notification requirements.
Companies doing business in Latin America that are also subject to GDPR must ensure that they comply with both sets of laws.
Domestic laws of note
Florida recognizes privacy as a constitutional right. The Florida Information Protection Act of 2014 (FIPA) governs entities doing business in Florida and handling personal information. The covered entities are defined as “sole proprietorship, partnership, corporation, trust, estate, cooperative, association or other commercial entity that acquires, maintains, stores, or uses personal information,” including government entities. Consistent with many state laws, FIPA provides for data breach notification requirements, requiring notification to the Florida Attorney General’s Office of any breach affecting more than 500 people, no later than 30 days after the breach. In contrast with the GDPR, FIPA provides a detailed list of what constitutes personal information and has lower penalties for violation of the law.
In today’s economy, entire industries depend on the collection and use of data to run their businesses. Since the creation of the internet, there have been concerns about the safety of users. Privacy issues soon appeared and became progressively substantial and frequent. Companies can protect themselves by being proactive and aware of the latest regulations taking shape across the globe.
Richard Montes de Oca is the founder and managing partner of MDO Partners in Miami. He focuses on compliance, contracts and international law. Contact him at rmontes@mdopartners.com.
Priscila Bandeira is an associate at the firm. She assists clients with corporate governance documentation, corporate formation, international transactions with emphasis in Brazil and drafting transaction agreements. Contact her at pbandeira@mdopartners.com.
This article was first published on law.com.