Erin E. Harrison, Legaltech News
In an environment of increasing threats and global regulations, legal
operations professionals need to take data privacy more seriously.
There’s a major distinction between data security and data privacy—but
U.S. legal departments don’t necessarily know the difference.
That’s according to Sheila
FitzPatrick, one of the foremost experts in data privacy laws who works closely
with the U.S. government and the Council of the European Union, among other
groups. In a session at the first CLOC Institute in San Francisco, she
explained the differences between data security and data privacy and what
international data privacy laws mean for global companies and their legal
operations.
In the face of cybersecurity threats
that are increasing in both volume and severity, FitzPatrick said companies are
focused more on security than on privacy—a major misstep amid more
stringent data protection laws in the U.S. and abroad.
“They take security seriously, but
not privacy,” she told an audience of law department operations professionals
at the CLOC Institute.
But there is a sense of urgency to
put sound data privacy measures into practice in an environment marked by a global
focus on automation of legal activities, a global regulatory explosion, intense
media and social media focus on data breaches, and heightened concerns over
data protection.
“We are having a phenomenal amount
of data security and privacy violations, which people are starting to question,
‘What is being done to protect my personal data?’” FitzPatrick said. “Privacy
is unfortunately usually an afterthought…Once you find out you have a problem,
you say, ‘I guess we should have addressed the privacy part first.’”
Personal vs. Sensitive Data
There are legal distinctions between
what is considered “personal” data versus what is categorized as “sensitive
data.”
Personal data is “any piece of information that is
identifiable to an individual or can identify an individual directly or
indirectly.” Sensitive data, by contrast, is a subset of
personal data that can only be collected locally if required by law (i.e., it
cannot be transported out of the country).
Privacy laws around personally
identifiable information (PII) apply to: employees, contractors,
applicants/candidates, customers, and other types of people.
Legal and regulatory requirements
have been put into place to protect individuals so that companies cannot freely
collect, use, process, share, store and/or transfer personal data on
individuals in global and regional jurisdictions.
“Data is your company’s greatest
asset but it can also be your greatest detriment if you don’t adhere to
compliance,” FitzPatrick said. “The laws actually do dictate what you can and
cannot do. …There are laws you have to be aware of when you are operating in
multiple jurisdictions.”
Citing the Microsoft case involving
emails stored in Ireland, FitzPatrick said the primary aspects of data privacy
and data sovereignty are vastly different across regions of the world.
“You need to collect data that you
absolutely have to have to run the business. ‘Nice to have’ is not protected by
data laws,” she said. “Then you need to understand what you are using that data
for. You need to be very clear about why you are collecting that data and what
you plan to do with that data. There is no implied consent.”
Data access and data transfer are
also very important: data access should be based on an individual’s role
within the company.
“So if you run legal operations of a
company in the U.S., it does not mean you have the right to access data in a
foreign jurisdiction. You need to be very, very transparent about what you are
doing with that data,” FitzPatrick said. “Data security is a very critical
component, but again it is not the same as data privacy.”
With respect to data storage, very few records are permanently stored, she said. “Most people don’t realize privacy laws dictate how long you can retain data,” she said, citing the “right to be forgotten” rule, under which companies have a legal obligation to delete that data unless it’s under a legal hold.
LDOs also need to consider their
technical infrastructure, including software, operating systems, networks,
databases, and cloud versus on-premises storage.
“Once you put data out into the
cloud, that is not when you want to think about whether you violated a privacy
law, because once you put it out there it’s out there for good,” FitzPatrick
said.
Companies also need to carefully
assess third-party access. “If you pass your data to a cloud provider and they
pass it to another provider providing services, you need to make sure
there are privacy agreements in place, that you’ve vetted third-party providers
and their partners to make sure they are complying with data privacy laws.”
Data Privacy Regulation Reform
Traditionally Europe, namely the
European Union, has had the most restrictive privacy laws, but that’s no longer
the case. China currently has the most stringent privacy laws, FitzPatrick
said.
The reform of EU data protection
rules vis-à-vis the General Data Protection Regulation (GDPR) “is going to
impact any organization even if you don’t have operations in Europe, but it does
apply if you hold data of any European citizen,” she explained, noting the
harsh penalty of having to pay 4 percent of the company’s global annual revenue
if privacy laws are violated.
At the same time, the EU-U.S.
Privacy Shield, which ruled the previous Safe Harbor framework invalid,
requires the U.S. to monitor and enforce more robustly, and to cooperate more with
European Data Protection Authorities. However, it remains in flux given the Article
29 Working Party’s recent intervention via an opinion released in April 2016, in
which the group made numerous critiques of the proposed EU-U.S. Privacy Shield
framework.
But FitzPatrick cautioned that the
Privacy Shield might not come to fruition.
“Please don’t rely on Privacy
Shield. It may or may not come about, and if it does come about, it may not
look like what it does today,” she said.
As for the technological challenges
for legal ops, they run the gamut from global restrictions and compliance with
data privacy and sovereignty laws to data location; jurisdiction and cross-border
data flow; data control and/or ownership; data that could or should be
outsourced; data breach remediation and contingency plans; security (encryption
and tokenization); use of third parties; and litigation and e-discovery.
“It drives me crazy when I ask
people about their privacy program and they tell me about their security
program. They are completely different. You need to classify the data based on
the type of data. You need to think about how you are going to handle any
e-discovery data that resides in your environment and what your third party is
handling. Data security is not data privacy.”