Pulse #5: CCPA & GDPR

etermax BG
etermax Brand Gamification
May 10, 2019

New data privacy laws attempt to bring some order to this mess.

Ah, data privacy: one of those things we know we should be worried about even though we don’t know what to do.

While ordinary users are horrified and tech companies shrug their responsibility away, some legislation projects attempt to bring order to this mess in a way that’s fitting with the times.

Yes, the European Union’s General Data Protection Regulation became effective a year ago, but anyone can get distracted for a month or twelve and we won’t hold it against them.

Let’s review quickly why we got a million policy update emails last year.

What: The law seeks to give individuals control over their personal information and unify the region’s rules.

How: Users have a right to, among other things:

-Know what data is collected, under what legal basis, how long it will be stored and if it’s transferred to a third party.

-Withdraw their consent to the processing of their personal data.

-Access their information and how it’s being used, request a copy of it, or ask for it to be deleted.

-Learn if there’s an infringement of GDPR or an information breach.

Organizations that violate these rules will be fined up to 20 million euros or 4% of their annual global turnover, whichever is higher.

When: It was approved in April 2016 and came into effect in May 2018. Its regional predecessor was the Data Protection Directive of 1995.

Where: It affects all data controllers, data processors and data subjects located in the EU. That means foreign companies that work with personal information of European residents must adhere to this regulation, but so should European companies that handle information from other countries.

Who: There are three actors: data controllers (organizations that collect information from individuals), data processors (e.g. cloud service providers) and data subjects.

On the other hand, the California Consumer Privacy Act was passed last year. It’s a meaningful step, since the state boasts the fifth largest economy in the world and is home to some of the main players in the global tech industry.

What: The state law gives California residents the right to:

-Know what personal information of theirs is being collected and sold.

-Access it.

-Refuse the sale of their data.

-Get the same service at the same price, even if they exercise their right to privacy.

When: It comes into effect on January 1st, 2020.

Where: It applies to organizations that do business in California and exceed a certain revenue, number of users or share of income derived from consumer information, but only to the extent that they handle the data of California residents.

Who: There are four players in this law: consumers, businesses, service providers and “third parties”.

How: It establishes fines for companies that don’t follow these rules and also allows consumers to join class action lawsuits, under certain circumstances.

A few key differences

  • The CCPA’s definition of personal data is wider, and includes geolocation, biometric data and browsing history. It also contemplates household information, and not just that of individuals.
  • The GDPR has a maximum for fines for infringing organizations, whether there is a leak or they simply don’t take the precautions to avoid it. The CCPA only penalizes them once a problem has occurred, but has no caps for fines. It also contemplates class action lawsuits.
  • The CCPA is, at the moment, less precise, but in the remaining year and a half before its implementation it will likely become more detailed.
  • In California people will have the right to have their data erased only if a company gets it “directly” from them, an idea that is open to interpretation.

Where do we stand in Latam?

Does all of this affect Latin America? The short answer is kind of.

As for its direct impact, in the case of GDPR European companies are required to give the same rights to individuals all over the world. CCPA, on the other hand, is explicitly about the personal data of Californians. Although many of the world’s biggest tech companies are based there, the law doesn’t hold them accountable for handling all information.

However, one might hope that having to fulfill all these requirements for just a small group of users leads them to offer the same terms to the whole world. That will all depend on how complicated and disadvantageous the process is.

Beyond that, these new laws are a precedent and a base for other similar regulations all across the world, and during the past year several countries have reviewed their policies on the subject.

Next, a brief overview of the situation in Latin America.

Argentina: There is a law from the year 2000. In 2018 the Executive Power brought forward a revised bill that has not yet been approved and has been criticized as vague.

Bolivia: A bill has been under consideration since late last year. There’s a Regulation for the Development of Information and Communications Technologies, from 2013, as well as electoral and telecommunications laws and constitutional protections.

Brazil: The General Data Protection Law was approved in July 2018, based on GDPR. It establishes rights, obligations and best practices.

Chile: There is a 1999 law that regulates the treatment of personal data, and currently there is a draft amendment. The Chilean constitutional reform will also include the right to personal data protection.

Colombia: There is a project to bring the current law, from 2013, up to date, and a list of countries that fulfil its standards for international data transfer.

Mexico: A 2010 law gives individuals the right to access, rectify, cancel data and oppose its treatment. Constitutional protections are also in place.

Panama: The country has just approved a law that will become effective in two years.

Paraguay: The constitution foresees the right to privacy, and there is a law from 2001 with amendments from 2002 and 2015. There is no specific authority for data protection.

Peru: A law was passed in 2011 and amended in 2017. Reforms are being made to comply with the Budapest Convention.

Uruguay: There’s a law from 2008/2009, and a new proposal that is expected to be approved in the next few months.

Pulse is a Flame Ads series created to empower all participants that make up the in-game advertising world to feel comfortable in this ecosystem full of possibilities.
