While in France, a citizen of Brazil who resides in California books a bungee jump in New Zealand. Is it a leap of faith into the unknown, for both the operator and the thrill-seeker?
The internet has created truly global markets for businesses that would have once remained local and may have struggled to reach a large enough audience to be profitable. Access to any website, from nearly anywhere in the world, and the willingness of the business behind it to engage with customers and deliver services or products to faraway places, has revolutionized business opportunities for entrepreneurs.
This increased opportunity brings about many challenges – for example, checkout, payment options and tax regulations may differ from country to country. Fortunately, businesses can utilize a number of outsourcing service providers and rely on them to provide the needed expertise for e-commerce and payment systems that comply with local laws and regulations. The entrepreneur is then free to focus on delivering goods or services to customers. This opens the opportunity for even the smallest business to trade on a global basis.
Conducting business online typically requires the collection of data about customers and visitors to a website; this takes the form of web analytics, newsletter subscriptions or ad targeting, or it may be a service subscription or product purchase. Depending on the location of the business, and the location, residency or citizenship of the visitor or customer, the company may need to comply with data privacy legislation. As a consumer, I am an advocate for the need to protect my personal information through robust legislation, but companies doing global business may be stepping into a minefield.
In February I delivered a presentation at CyberSecCon2020 in Auckland, New Zealand on the lessons learned around the requirements of the data privacy regulations of both the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) ahead of the forthcoming New Zealand Privacy Bill, which is currently working its way through the legislative procedure and is expected to become law in the coming months.
More than 100 countries have some form of data privacy legislation, ranging from limited to robust. Add to that a number of countries, like the USA, that have individual legislation state-by-state. This is a complex subject!
Taking a leap of faith
Let’s imagine a fictional customer – Francisco – a citizen of Brazil, who is a legal resident of California and travels frequently on business. Francisco has decided to check off a life goal and bungee jump in the home of bungee, New Zealand. He travels from California to France on business and will then travel to New Zealand, but while in France he books a bungee experience with a company based in New Zealand.
- For the purpose of my example, let’s imagine that 50,000 California residents a year visit the bungee business in New Zealand. As a California resident, Francisco is protected by CCPA, since the legislation applies to the state’s residents regardless of where they, or the businesses they are transacting with, are located.
- The transaction was initiated in France, a country that is part of the European Union (EU). The EU’s GDPR legislation covers anyone located in an EU country at the time of the personal information being collected.
- The website Francisco is transacting with is based in New Zealand, where the proposed legislation applies to agencies (businesses) located there.
Which legislation should the company in New Zealand comply with? Last year when I asked a similar hypothetical question of someone in the European Commission, they responded with “that’s a great question”.
The confusion is likely to exist from Francisco’s perspective as well. As a Brazilian citizen, he may think that the Brazilian General Data Protection Law (LGPD) provides protection, or that as a California resident the CCPA provides his protection.
Let’s extend the hypothetical scenario: Francisco returns home to California and asks the bungee company to delete his personal information, and they refuse or fail to confirm the request. To which regulator should he make a complaint? It’s highly probable that consumers will not understand their rights when companies are in countries where they are not residents, or they could assume the process to be too complicated when a company holding their personal data is in another country.
Each of the regulations in my example has different requirements: the GDPR is opt-in for data collection, the CCPA is opt-out. The GDPR states that data must be encrypted; the CCPA and the proposed New Zealand Privacy Bill both state that reasonable security measures should be taken but do not specify any further detail. The differences in the requirements are numerous. In the unfortunate instance of a data breach, who should be notified, and could fines be levied by multiple regulators in different countries? Which of the several legal systems will apply, or will more than one? There may be legal precedent for which regulation takes priority, but this is not clear to me, a non-lawyer.
Confused? Probably. I know I am!
Our entrepreneur from earlier needs clarity so that data privacy does not inhibit anyone from conducting business in any location. And consumers should be able to visit any business online with assurance that there is protection of their data and accountability regardless of where they or the business is located, including in countries without specific legislation.
One rule to ring them all
The internet is a global marketplace and there are some existing data privacy agreements in place that attempt to provide a baseline. These are limited in participation and regional; a list can be found on the Electronic Frontier Foundation website.
Is it time for one common set of rules on data privacy regardless of residency, citizenship or location? There is precedent for such rules; for example, 123 countries signed the World Trade Organization’s (WTO) Marrakesh Agreement in 1994, which regulates international trade between nations. If we accept that data is now a commodity item that has a value and is traded, then maybe it could be included in a standard agreement, in the same way the WTO regulates trading rules. A truly international standard would need to adopt core principles and countries could always supplement these with their own amendments, in the same way countries adopt trade agreements between each other on top of the current WTO standard.
I am using the WTO as an example, but there are numerous global organizations where a centralized data privacy agreement could reside. Probably the most important element of any widely agreed international regulation would be defining which regulator is responsible and when, clarifying whether a citizen, resident or their location takes precedence or whether a business is responsible by location or place of transaction.
At CyberSecCon2020, all the attendees I talked to were clearly engaged in preparing for the New Zealand Privacy Bill, but at a security conference covering data privacy this is probably to be expected. It’s the people who don’t attend that are the challenge. Many companies may want to comply and have a desire to sell and transact globally but are confused about what they should comply with.
There are core principles for data privacy that are common in the majority of the regulations and legislation:
- The reasons why personal information is collected, where it is collected and how it is collected.
- How the personal information is protected from unauthorized access and how the data is stored.
- The right for an individual to know what personal information is being held about them.
- The ability to request the correction of inaccurate data and the right to request data be deleted.
- Limitations on how organizations can use the information collected.
Unfortunately, the same core principles are not so clear when it comes to security requirements, as some legislation details specific requirements and others talk about “reasonable” security. Prior to the CCPA taking effect in January, I co-authored a white paper that gives a view on what could be considered essential security requirements. I recommend that any business collecting or storing data follow the principles listed in the “ESET’s guide to reasonable security” section of that white paper.