Page 21 - November 2019 BarJournal
CYBERSECURITY, DATA PRIVACY & EMERGING TECHNOLOGIES FEATURE
adopting specific requirements for companies and other website proprietors to notify citizens/residents/consumers when systems in which their personal information is stored or processed may have been breached, accessed without authority or otherwise compromised. As of today, every state in the union has some form of breach notification law that generally requires enterprises whose collections of personal data have been breached to give notice to affected persons/potential victims (and sometimes to fulfill other obligations). Ohio's breach notification statute, typical of many,7 requires notice to affected residents within 45 days of discovery of a breach (subject to the needs of law enforcement and efforts to determine the scope of the breach) and, when more than 1,000 people are affected, to notify consumer reporting agencies.8

Against this patchwork of industry-specific/vertical regulation at the federal level and generalized breach notification requirements at the state level, some government authorities have begun to impose more prescriptive, substantive requirements on the handling and treatment of personal data by all enterprises.

The example that has commanded the greatest degree of attention in the past several years, of course, is that of GDPR, the General Data Protection Regulation adopted by the European Parliament and the Council in 2016 and which took effect in May of 2018.9 GDPR was "designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy."10 Recognizing personal data protection as a "fundamental right," GDPR grants substantive rights to "data subjects" (i.e., people!) regarding their personal data (e.g., to grant and withdraw consent to process; to access and obtain a copy; to require deletion11) and imposes corresponding requirements on "data controllers" and "data processors" (e.g., to protect data subjects' rights; to limit data collection and processing to specific, lawful purposes; to process such data confidentially and use appropriate security measures, such as encryption or pseudonymization; to secure requisite consents "using clear and plain language"). Notably, GDPR asserts extraterritorial application (i.e., protections "travel with" the personal data of EU data subjects) and carries potentially very significant monetary penalties (up to €20 million or 4% of a violator's worldwide annual revenue, whichever is greater, for the most serious categories of violation).

CCPA

Closer to home, that approach of imposing prescriptive, substantive legal duties in the handling of personal data on enterprises generally (i.e., regardless of industry vertical) has found its way into state legislatures in the United States. Of most immediate consequence is the California Consumer Privacy Act of 2018 (CCPA)12 (effective date, January 1, 2020), which echoes a number of the concepts of GDPR, including recognizing privacy as "an inalienable right of all people." CCPA protects the rights of California residents to know what personal information a business collects, from what sources, for what purposes and to whom it is disclosed; to opt out of allowing a business to sell such personal information; to require deletion of same (with some exceptions); and to receive equal treatment from a business, regardless of exercising the foregoing rights.13

International corporations with meaningful business activities in Europe have been obliged
NOVEMBER 2019 CLEVELAND METROPOLITAN BAR JOURNAL | 21