Your Right to Privacy
While the right to privacy has been a debated topic from a constitutional perspective for years, no such right is directly spelled out in the Constitution, save for the Fourth Amendment (from which much precedent derives), which states, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” and outlines probable cause as a requirement for such a search. Cue Criminal Law 101. However, the right to privacy that I want to focus on is a different one. It is in the context of technological and digital advances, which will only become more prominent as we continue to unfold the technological capabilities that have come to both advance and threaten economies.
A variety of countries have had privacy protections in place for many years; however, it was not until recently, with the passing and implementation of the General Data Privacy Regulation (“GDPR”) in the EU on May 25, 2018, that the world really started to shine a light on the impact and widespread sharing of “sensitive personal information.” What GDPR did was create an organizational structure for regulatory compliance requirements, definitions, and enforcement of those requirements, subjecting non-compliance to a penalty of €20 Million or 4% of global turnover, whichever is greater. Not all issues of non-compliance are subject to the aforementioned (and potentially debilitating) penalties. Other penalties include written warnings, bans on processing, rectification of the issue, and suspension of data transfers.
There is no doubt the penalties are meant to be a reprimand, a warning even, but you may be asking what type of data processing GDPR applies to. “Personal Data,” pursuant to GDPR, means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This includes anything from e-mails to VPNs. If it can be used to identify a person, it applies.
GDPR also created Data Subject rights, which provide an individual with control over their personal data. Those rights include: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; and the right to object. Further, GDPR developed various bases for data processing, under which lawful transfer of data can occur. The legal bases for processing are: 1) consent; 2) performance of a contract; 3) legitimate interest; 4) vital interest; 5) legal requirement; and 6) public interest. When evaluating whether a legitimate interest applies, an organization must balance two questions: whether such processing is required for the functionality of the organization, and whether the need for such processing outweighs the risk to the data subject’s rights. If the answers are “no,” legitimate interest cannot be applied as a basis for that processing. As such, organizations must understand their data inventory, be able to tie all personal data to the subject to whom it applies, and have a legal basis for maintaining and processing such data.
Important to note here is that GDPR applies to the processing of personal data within the EU, and therefore also applies to companies outside of the EU that process such information. In light of the implementation of GDPR, a number of countries have opted to follow suit, utilizing GDPR as a standard of sorts for the development and implementation of their own privacy laws. Some noteworthy countries include China, India, and Brazil. While global initiatives have been taken in applying GDPR as a standard, the US has maintained what is known as the “alphabet soup” of privacy regulations: from the Health Insurance Portability and Accountability Act (“HIPAA”) to the Children’s Online Privacy Protection Rule (“COPPA”), to everything in between, including the financial industry, governed by the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act (“FCRA”). The US generally governs privacy by industry; however, there are states, like California, taking the initiative to implement protections similar to GDPR on a state-wide basis, such as the California Consumer Protection Act (“CCPA”). CCPA has similar implications to GDPR, but has certain limitations applicable to California and does provide for an individual right to bring suit for a maximum recovery of damages in the amount of $750.00. To date, the US does not have an omnibus privacy regulation.
So what can you do? First, be cognizant of your rights. READ THE FINE PRINT. No one, and I repeat, NO ONE wants to review the lengthy terms and conditions of an app or phone update and the like, but you would be really shocked at what kind of access is included in those terms. So just be aware. And most importantly, don’t be afraid to ask the questions: of your employer, of your social media platforms, and in all instances where personal information is being collected, processed, and stored.
-agl.