
Data privacy basics – international compliance
One of the hallmarks of 21st century startups is that they go global early, or even from inception. But while some brilliant ideas hatched in the US have instant global appeal, others may run up against markets organized around laws that don’t even exist in the home country.
Many a good idea starts with personal data – collection, organization, enrichment, training and monetization. The unfettered imagination puts data to work in innovative ways that open new markets and create new demand, thus generating revenues. Yet some of the simplest ideas will run afoul of market concerns stemming from laws foreign to us.
How are privacy laws outside the US different from US laws?
More than 100 countries have adopted comprehensive data protection laws. The US has no such law and is the sole outlier among the world’s major economies. There are several fundamental differences between the smattering of US privacy laws and data protection laws in other countries. First of all, and particularly in the UK and the EEA (European Economic Area, comprised of the 27 EU member states plus Iceland, Liechtenstein and Norway), data protection rights are considered fundamental rights of the individual, protecting an individual's right to privacy in respect of data relating to an identified or identifiable natural person. Privacy rights are not fundamental rights under US law.
Second, countries with data protection laws have generally adopted comprehensive rules that apply to all personal data processing by all persons: natural, legal or governmental. In other words, the standard approach outside the US is not to legislate based on sectors or specific types of data (although of course, even with a comprehensive data protection law there may be specific laws requiring additional protections for, say, patient health data, or bank customer data).
Third, in most countries there is a data protection authority dedicated to enforcing the law, issuing recommendations and preparing opinions on proposed legislation that may impact privacy rights in personal data.
With the adoption of the California Consumer Privacy Act (CCPA), which took effect January 1, 2020, the US has its first broadly applicable privacy law, albeit at state level and with important exceptions.
Is there data that is subject to regulation outside the US that may not be regulated in the US?
One example is monitoring data, which alone or combined can provide rich insights into worker productivity and consumer proclivities. Under the laws of the European Economic Area – the world's largest free trade area, with over 500 million consumers – the monitoring of human beings will likely entail the processing of personal data, whether an IP address, an image or the GPS coordinates of a daily commute. In the EEA, monitoring persons by collecting their personal data will be subject to specific restrictions, such as express consent of the individual each time she is located, or the vote of workers' representatives. This can mean that an employee-monitoring service measuring productivity against other factors (day, time, weather, sick leave history) that is seen as implementing workplace progress in one jurisdiction will be perceived as risky, if not illegal, in another.
A second example is using and training data to inform decision making. The appeal of more efficient and more predictive decisions around, say, extending loans or detecting fraud seemingly should be universal, but here again the EEA legal position on protecting individuals' rights may militate against any type of automatic decision making. In many cases, an individual must consent whenever a legal or significant decision about him or her is made automatically, and he or she will be entitled to obtain human intervention in the decision. In other cases, the product itself may need to win the approval of a data protection authority in order to be marketed without creating compliance risks for customers.
What is the GDPR?
The General Data Protection Regulation, or GDPR, applies throughout the EEA but also specifically applies to companies outside the EEA that offer products or services to, or monitor the behavior of, persons in the EEA.
GDPR was the inspiration for the CCPA and Brazil’s LGPD, or General Law on the Protection of Personal Data.
Do I have to comply with the privacy laws of every country?
Data protection laws don't necessarily apply in the same way that other laws do. Data protection laws may apply based on where the data is collected, where the relevant individual resides, or (in the case of GDPR) if personal data processing is related to offering goods or services to, or monitoring behavior of, natural persons in the EEA. It is therefore prudent to check the data protection law of every country from where data originates to see if that law applies.
What are some steps my company should take to comply with data privacy laws outside the US?
One feature of all comprehensive data protection laws is the requirement to provide notice to individuals, at the time of collection of their data, about what is being done with that data: who is collecting it, why, where the data is going and to whom. Data protection laws grant individuals rights in respect of their data, and privacy notices must contain information about those rights, and how to exercise those rights. In the US, most companies comply with this requirement by including a privacy policy on their website (see our article on Privacy Policies).
The requirements for the content of the notice are not uniform across the globe, but, at least with respect to consumers, it's usually possible to draft one notice that will get the business close to compliance in most jurisdictions. In practice, this will mean the notice is longer than it might have been were it designed to meet the requirements of only one country's law. But lengthy notices are here to stay. Increasingly, data protection laws (like the GDPR, the LGPD in Brazil or the PIPL in China) mandate more detailed notices containing specific types of information, such as how to file a complaint with a regulator and how long personal data is retained. The GDPR also sets out specific notice requirements if a child's data is collected. All of this means notices are getting longer, and making sure they are well drafted will become more and more important to ensure true transparency.
While the privacy notice is a key transparency obligation under data protection laws, it is not the only one. Many countries require notice relating to the use of cookies and other tracking technologies that collect personal data, and in the EEA notice is required even if no personal data is collected by those technologies. Many countries also require separate notice to be placed on any personal data collection form. And although not falling under data protection laws, consumer protection laws may require specific information on websites regarding the site operator and other actors. All these requirements are in addition to consumer transparency requirements, such as the conditions for returning a product or obtaining a refund under statutory warranty.
Another notable feature of some data protection laws, particularly in certain countries in Asia and Latin America, is the requirement to obtain active (not passive), specific, informed consent to collect or use personal data, which makes the privacy notice all the more important for compliance with data protection law.
Does my privacy policy/notice have to be in any language other than English?
If you have a privacy notice intended to satisfy transparency requirements under data protection laws, you might need to translate it into the local language(s) – or you might not. Independent of data protection laws, some countries have general legislation requiring use of a national language with the public, which usually will apply to privacy notices. In other contexts, there may be no mandate to use the national language, but, to ensure comprehension by the reader, it may be prudent to translate the privacy notice.