Governments around the globe are changing how they view privacy as a result of the EU’s deliberations on personal data protection and breach notification.
Those deliberations resulted in the General Data Protection Regulation (GDPR) coming into force on May 25, 2018. Meanwhile, many other governments, including two states in the U.S., have recently enacted or are considering similar regulations. These changes mean that organizations which have previously avoided the effort to become GDPR-compliant could still find themselves facing similar regulatory requirements and fines—or at least the need to get their data and processes in order to scale into new regions.
GDPR Whitelisting Influence
While GDPR applies directly to data from EU citizens, the EU also regulates whether or not personal data may flow from within the EU to an outside country.
These adequacy agreements allow data to flow securely between two jurisdictions and often reduce or remove the need for additional contractual clauses.
The EU is also creating a European Data Protection Board that will wield the power to influence large swathes of the digital data economy. Warnings about adequacy protections are already influencing other governments’ data protection efforts.
The threat of removal from this whitelist is reportedly part of what influenced some changes in Argentina’s latest data protection bill. Canada is also looking to align data protection efforts with GDPR.
Most recently, the UK’s Prime Minister Theresa May made it abundantly clear that she’s seeking more than an adequacy agreement with the EU, pushing for the UK’s Information Commissioner’s Office (ICO) to serve as GDPR’s UK enforcing agency, with the likely goal of having the ICO serve on the European Data Protection Board. South Korea and Japan are also in whitelist discussions with the EU. If you’re a global company like Auth0, it’s a good idea to keep up with the growing list of new privacy laws and amendments to existing privacy laws in countries outside of the EU.
The countries listed below are currently "whitelisted" by the EU as having adequate protections, meaning that data may currently flow from the EU (and Norway, Liechtenstein, and Iceland) to one of these countries without additional protections:
- Canada (commercial organisations)
- Faroe Islands
- Isle of Man
- New Zealand
- United States (Privacy Shield framework only)
Argentina: Draft Data Protection Act
In January 2017, after a public comment period, the Argentine Data Protection Agency (Dirección Nacional de Protección de Datos Personales) presented a draft of the Data Protection Act. The proposed bill offers several changes, including the elimination of database registration and limiting the recognition of data subjects to individuals, removing the current inclusion of legal entities. Like GDPR, the updated bill also revises legal definitions to include biometric and genetic data. Subjects must also be notified if a deal is canceled because of a credit report. The bill also seeks to make the DPPA an independent entity in order to preserve GDPR whitelisting, since the EU raised objections to its current position under the National Ministry of Justice and Human Rights. The bill is expected to reach Argentina’s congress in 2018.
Australia: Notifiable Data Breach Scheme (NDB)
This amendment to Australia’s Privacy Act of 1988 went into effect last month, on Feb. 28, 2018. Under NDB, individuals must be notified if a data breach is likely to result in "serious harm," and the notification must indicate the steps that harmed individuals should take to protect themselves. The Australian Information Commissioner must also be notified. NDB applies to organizations with an annual turnover of $3 million AUD or more, as well as to businesses that trade in personal information or health information, and to tax file number (TFN) recipients.
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
At the end of February, the Canadian government published a report recommending an update to the Personal Information Protection and Electronic Documents Act (PIPEDA), in force since April 2000. Alongside GDPR-familiar principles like consent and data portability, the recommendation also includes considering measures to improve algorithmic transparency. Also striking is the inclusion of language that demonstrates GDPR’s reach, citing the intent to "work with its EU counterparts to determine what would constitute adequacy status for PIPEDA in the context of the new General Data Protection Regulation (GDPR)."
Japan: Act on the Protection of Personal Information (APPI)
In force as of May 30, 2017, APPI shares many similarities with GDPR, including a "whitelist" of other countries with acceptable data protection regulations that may encourage safe data flow. But while GDPR’s purpose is to encourage the "free movement" of data while also providing protection, APPI focuses on protecting the rights of individuals and extends protections to include personal identifier codes and aggregated information in the "business operator’s" database. The EU and Japan remain in discussions regarding mutual "whitelisting."
UK: Data Protection Bill
The UK’s third-generation Data Protection Bill is intended to fill many of the gaps created by Brexit and to protect the free flow of data between the UK and the EU, which accounts for 75% of the UK’s cross-border data flows, worth billions of pounds in trade. The bill also addresses data standards for social, health, law enforcement, and intelligence agencies, as well as legal enforcement of GDPR standards. The portion of the bill seeking to deny data access rights for "effective immigration control" came under fire during the first weekend of March 2018, with groups seeking to have the exemption removed and threatening legal action.
CALIFORNIA: California Consumer Privacy Act (CCPA)
Targeting the November 2018 ballot in the state of California in the United States, the California Consumer Privacy Act seeks to limit companies’ ability to collect and sell consumer data. It includes data breach notification requirements, the right to know what is being collected, and the right to say "don’t sell my data." Also included is the right to be protected from discriminatory practices influenced by collected data, such as denying services or charging higher prices. The bill faces significant opposition from within the tech industry.
NEW YORK: DFS Cybersecurity Regulation, The Stop Hacks and Improve Electronic Data Security Act (SHIELD)
New York State took the lead in new and proposed U.S. regulations last year with cybersecurity regulations for all non-governmental entities operating under banking law, including scrutiny of third-party vendors. Annual compliance reports for businesses providing financial services in New York State are due this March. But in the wake of the Equifax breach, New York is now considering more stringent regulations. Currently under review in the Senate Rules Committee, the Stop Hacks and Improve Electronic Data Security Act (SHIELD) provides breach notification requirements and protections for personal data. Breaches would be considered a violation of business law, and SHIELD would also add the option of seeking remedies under civil law. Like GDPR’s protection for EU citizens, the SHIELD Act would apply to any business holding sensitive data about New Yorkers, regardless of where the business is located.
Global Deployment and Compliance with Auth0
Auth0’s ability to deploy anywhere and remain current with constantly changing laws and regulations gives companies the flexibility to grow without having to worry about whether or not their authentication solution can scale. If you’d like insight into how Auth0 can help you deploy in particular regions, please reach out to [email@example.com](mailto: firstname.lastname@example.org).
Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of customers in every market sector with the only identity solution they need for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 50M logins per day, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its customers that are located in 70+ countries.