'Most Innovative Startup 2020' by RSA - Watch the video
Learn MoreBlogs
Published on August 18, 2020 AUTHOR PRIVACY RESEARCH TEAM
With the increase in digitalization and its impacts on the globe, a new wave of data privacy laws has emerged. Countries all across the world are increasingly acknowledging the need for the protection of personal information in the digital space and formulating their laws based on the framework set up by the European Union’s General Data Protection Regulation (GDPR).
The GDPR in its current form serves as a beacon of hope, providing many rights to individuals with respect to the protection of their personal data and imposing realistic obligations upon corporations that collect and process their data. While the GDPR is a commendable effort by the European Commission, it has to be read together with the Directive 2002/58/EC on privacy and electronic communications that predates the GDPR by 14 years; the e-Privacy Directive (e-PD).
Both e-PD and GDPR reflect the principle of the protection of personal information as an individual’s basic right as enshrined under the EU Charter of Fundamental Rights. Together with the e-PD and the GDPR, the European Union offers the strongest data protection legal framework currently in the world. With the e-PD being changed to reflect the problems of the modern day, it is very important to understand its history and what changes are being contemplated.
The e-PD applies to “the processing of personal data in connection with the provision of publicly available electronic communications services in public communication networks in the community”. This means that the e-PD regulates all publicly available electronic communications services and telecommunication services irrespective of the technologies used.
Under the Directive, service providers are required to take appropriate technical and organizational measures to ensure confidentiality of communications, safeguard the security of their services and inform the subscribers of any special risks arising out of the breach of security of the network.
The objective of both the GDPR and the e-PD is to ensure an appropriate level of security and confidentiality of data and communications of European Union residents. However, the matters that fall under the subject matter domain of one regime are outside the scope of the other. This is clarified in Recital 173 and Article 95 of the GDPR, according to which, the GDPR does not apply where there are already existing e-Privacy rules.
Despite having two separate applicability areas, there may be some overlap and, in that situation, both GDPR and e-PD must be read together.
Corporations that send electronic marketing including email advertising in the European Union must comply with the requirements of both GDPR and e-PD. The e-PD requires service providers to obtain the consent of data subjects before processing their data for marketing. This includes an obligation upon corporations to provide full and accurate information to data subjects about the types of processing they intend to perform, their rights to not give consent and withdraw consent. The e-PD also grants subscribers protection against unsolicited communications for direct marketing purposes.
Similarly, the GDPR provides data subjects the right to object to data being processed for direct marketing purposes including an objection to profiling. The GDPR clarifies that in the context of the use of information society services, i.e. services delivered over the internet, the data subject may exercise his or her right to object by automated means using technical specifications, notwithstanding anything contained in the e-PD.
The e-PD was originally known as the “cookie law” because it provides specific rules on cookies, unlike the GDPR. As per the e-PD, organizations must provide clear and comprehensive information to users in relation to the processing of cookies and must acquire informed consent of users before tracking with cookies. The two exceptions to this are “where technical storage or access is for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”. Under the e-PD, users must have the opportunity and the right to refuse to have a cookie stored on their terminal equipment.
Although the GDPR does not specifically mention cookies, it classifies cookie identifiers as a type of “online identifier” meaning that it may be considered personal data under certain circumstances. The GDPR further requires controllers and processors to demonstrate that the data subjects have consented to the processing of their information and that there must be some lawful basis for the processing of data subjects’ personal information.
The e-PD will soon be replaced by the e-Privacy Regulation (e-PR) that is currently in its draft stage and under review by the European Union. The e-PR is expected to complement the GDPR just like the e-PD but will be an updated version which will be more in line with the industry-wide technological changes that have taken place in the last few years.
The proposed e-PR will not only provide protection to the content of European Union residents’ electronic communications but it will also stop the transfer and use of metadata associated with that communication. Therefore, e-PR is expected to update e-PD by ensuring confidentiality in all current and future means of communications including telecommunication services over the internet, emails, internet phone calls, personal messaging services through social media, voice services and other interpersonal communication services.
Having revised rules on cookies, the e-PR will allow users to refuse the tracking of cookies by being in control of the privacy settings. Furthermore, no consent shall be required for “non-privacy intrusive cookies”. The e-PR provides protection against any form of unsolicited electronic communications including spam.
This new law will have potentially significant effects on corporations especially those that use metadata or tracking tools to monitor online behavior. The e-PR has adopted the same standard of “consent” as that of the GDPR. Similarly, it has adopted identical penalties as that of the GDPR. Any violation of the regime will be subject to the same upper limit administrative fine, i.e. 20 million euros or four percent of the company’s total worldwide annual revenue, whichever is greater.
The e-PR is expected to update the existing outdated regime of the e-PD into a modernized one. It protects end-user’s privacy by ensuring their consent to the storage and access to stored data in their terminal equipment to avoid unwanted tracking cookies. It is in fact, a part of the comprehensive reform process of the European Union in relation to data protection and privacy laws.
Unlike its predecessor e-PD, the e-PR will automatically be applied to all member states across the European Union since it is self-executing and would not be requiring local domestic regulations by member states to be passed for its implementation.
SECURITI.ai is an innovator of AI-Powered cybersecurity and data protection solutions. Its product is the world’s first PrivacyOps platform that helps automate all major functions needed for privacy compliance in one place.
The SECURITI.ai’s Data Subject Rights Module is an automated system that drastically simplifies the process of fully complying with data subject rights requests.
The Data Mapping Automation Solution helps customers transition smoothly from their existing manual processes to a modern automated framework with minimal disruption and tracks personal data in structured and unstructured data stores to connect it to users. It enables companies to demonstrate compliance with privacy regulations.
The SECURITI.ai’s Consent Management Tool automates the consent lifecycle, enabling organizations to keep trust with individual customers in the processing of personal information.
The Assessments Module enables the evaluation of the readiness of a company's internal departments and divisions and measures the organization’s strengths against data privacy regulations.
The Vendor Assessments applies powerful automation to privacy assessment collection from third-parties and power analytics to yield deep insight into third-party compliance with privacy regulations.
SECURITI.ai helps businesses discover data over a web of internal and external systems, stitch a data graph to link personal data with each individual, conduct an automated internal assessment of policies as well as third-party vendors, manage consent and do a lot more.
Ask for a DEMO today to understand how SECURITI.ai can help you comply with GDPR, e-Privacy Directive, and a whole host of other global privacy laws and regulations, such as the CCPA, with ease.
Automate and manage the entire consent life cycle with efficiency for various cookie compliance regulations around the world.
Learn MoreDiscover granular insights into all aspects of your privacy and security functions while reducing security risks and lowering the overall costs
Learn MoreSimplify gathering information, dynamically update your data catalog, and automate assessments and reports
Learn MoreMeet Brian Lillie, Former CPO at Equinix as he discusses the potential challenges of CCPA and how the PrivacyOps framework can be the key to unlocking compliance.
Learn MoreWatch the 3-minute pitch presented by Rehan Jalil on SECURITI.ai in the RSAC Sandbox Competition
Learn More
[email protected]
PO Box 13039,
Coyote CA 95013
Find data assets, and discover personal and sensitive data in structured and unstructured data systems, across on-premises and multi-cloud.
Classify & label data to ensure appropriate security controls are enabled on most sensitive data in your organization
Collect, organize, enrich and build a data catalog to address privacy, security and governance solutions
Connect to structured and unstructured data sources and automatically discover and build a relationship map between personal data and its owner.
Assess risk scores for every data asset, asset location, or personal data category
Auto discover personal data in Snowflake and enforce access governance
Auto discover personal data in Snowflake and enforce access governance
Discover, classify, manage and protect sensitive data in Box. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Slack. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more
Discover, classify, manage and protect sensitive data in Workday. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Github. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Jira. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Dropbox. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in SAP Successfactors. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Servicenow. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Zendesk. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Apache Hive. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Apache Spark SQL. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Cassandra. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Couchbase. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Maintain your Data Catalog with continuous automated updates
Automate data subject rights request fulfillment and maintain proof of compliance
Connect to structured and unstructured data sources and automatically discover and build a relationship map between personal data and its owner.
Audit once and comply with many regulations. Collaborate and track all internal assessments in one place.
Automation of privacy assessment collection from third parties, collaboration among stakeholders, follow-ups and compliance analytics.
Automate global cookie consent compliance.
Simplify and automate universal consent management.
Automate the incident response process by gathering incident details, identifying the scope and optimizing notifications to comply with global privacy regulations.
Keeping privacy notices up-to-date made easy
Operationalize GDPR compliance with the most comprehensive PrivacyOps platform
Operationalize CCPA compliance with the most comprehensive PrivacyOps platform
Revolutionize LGPD compliance through PrivacyOps
Enable privacy by design through the AI driven PrivacyOps platform
Discover data assets, detect & catalog sensitive data in it
Classify and label data to ensure appropriate security controls
Monitor data security posture and identify external and internals risks to data security
Policy based alerts and remediations to protect data from external and internal threats
Investigate data security issues and take remediation actions
Snowflake is a cloud based data warehouse that allows organizations to run large scale data analytics projects to uncover business insights, run or train machine learning models, and modernize their data infrastructure.
The Amazon S3 (Simple Storage Service) is a web-service which allows for scalable storage solutions for data archival, backup, and recovery purposes.
Microsoft O365 is the ubiquitous productivity suite for every business worker. Users rely on Office products such as OneDrive and SharePoint to collaborate with their co-workers.
Organizations want to migrate their on-premises data to cloud data stores to take advantage of scale and flexibility while reducing operational cost of managing on-premises infrastructure. However, due to privacy regulations such as GDPR, CCPA administrators have to ensure that data is migrated in compliance with these laws.
Protecting sensitive content is a priority for all organizations, however, due to volume of sensitive content and
While data aids in business decision making, global privacy regulations such as GDPR, CPRA require organization to identify personal & sensitive data & use only for its intended purpose and implement adequate protection.
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and is scheduled to come into effect on January 01, 2020. Often compared to GDPR, CCPA protects consumers from mismanagement of their personal data and gives the consumer control over what data is collected, processed, shared or sold.
The EU General Data Protection Regulation (GDPR) came into effect on May 25, 2018 and changed the global privacy landscape. It has broadened the definition of processing activities and personal data, impacting companies worldwide, and has tightened the rules to obtain consent before processing information.
The Lei Geral de Proteção de Dados (LGPD) is modeled with similarities to the General European Data Protection Regulation (GDPR) and contains sixty-five articles. It was approved on August 14, 2018 and its validity has undergone several changes, the last relevant fact being MPV 959. LGPD is in effect since September 18, 2020. The sanctions by the ANPD (Brazilian Data Protection Authority) were postponed to August 2021. The LGPD allows people have more rights over their data and expects organizations to comply with their regulations or face heavy penalties or fines.
The government of New Zealand has recently replaced its long-existing Privacy Act of 1993 with a modernized version, the Privacy Act 2020. The New Zealand Privacy Act 2020 (NZPA) will take effect from December 1, 2020.
The Personal Data Protection Act, B.E. 2562 (2019) ('PDPA') is Thailand's first consolidated data protection law, which was published in the Thai Government Gazette on 27 May 2019. This law was said to go into effect on 27 May 2020. However, in May 2020, the Thai Cabinet through a Royal Decree has deferred the enforcement of certain data protection provisions of the PDPA until 31 May 2021.
In order to protect the data of individuals in South Africa, Parliament assented to the Protection of Personal Information Act (POPIA) on 19th November 2013. The commencement date of section 1, Part A of Chapter 5, section 112 and section 113 was 11 April 2014. The commencement date of the remaining sections (excluding section 110 and 114(4)) was 1st July 2020. As per the Regulator’s Operational Readiness Plan the Regulator will be able to take enforcement actions for the violation of POPIA by July 1st 2021.
The DIFC Data Protection Law, 2020 lays down regulations regarding the collection, disclosure and processing of personal data in the DIFC, a special economic zone in Dubai. It also gives rights to individuals whom the personal data relates to and provides power to the Commissioner of Data Protection to enforce the law, enact regulations and approve industry-wide Codes of Conduct.
The Australia Privacy Act 1988 (Privacy Act) was enacted to protect the privacy of data subjects and regulate how Australian agencies and organizations with an annual turnover of more than $3 million handle their customers’ personal information.
Singapore’s Personal Data Protection Act (PDPA) comprises various provisions governing the collection, disclosure, use, and care of personal data. It recognizes the rights of individuals to have more control over their personal data and the needs of organizations to collect, use, or disclose personal data for legitimate and reasonable purposes.
On April 13, 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) received Royal Assent. It came into force in stages, beginning on January 1, 2001. PIPEDA came fully into effect on January 1, 2004. The legislation applies to organizations that collect, use or disclose personal information in the course of commercial activities.
After the invalidation of Privacy Shield, many companies are relying on the SCCs in order to continue transferring data of EU citizens to companies based in countries who are not deemed adequate for data transfer.
After the CJEU judgement, it is clear that these companies have to conduct Risk Assessments with the data recipients in these countries in order to ensure they have enough controls to mitigate any potential data or regulatory risk.
On 2nd March, 2019, the Department of Health—Abu Dhabi (DoH), launched the Abu Dhabi Healthcare Information and Cyber Security (ADHICS) Standard. This is the first standard that aims to provide healthcare professionals and entities a comprehensive guide to the regulation of healthcare data in Abu Dhabi. This law ensures the highest levels of privacy and security of patients’ data, in line with international standards, is maintained.
On January 31, 2020, the government of Saudi Arabia issued the Executive Regulations to the Saudi E-Commerce Law 2019 (“ECL”) that was in effect since October 2019. The Executive Regulations together with the ECL (“Law”) aim to protect consumers’ personal data by requiring organizations to take appropriate technical and administrative measures.
Turkey was one of the first countries to start the trend of legislating data protection. Turkey published “Law on the Protection of Personal Data No. 6698 (LPPD) covering personal data protection on April 07, 2016.” The LPPD is based on the European Union Data Protection Directive 95/46/EC and has several similarities with the GDPR. It aims to give data subjects’ control over their personal data and outlines obligations that organizations and individuals dealing with personal data must comply with. The LPPD has also provided comprehensive guidelines for the transfer of personal data to the third parties.
In December 2019, India, following several other countries' footsteps on the privacy laws' developments, introduced the Personal Data Protection Bill (PDPB) to regulate the processing, collection, and storage of personal data.
On 13 October 2020, the National People's Congress of the Republic of China submitted the long awaited draft of the Personal Information Protection Law (Draft PIPL) to the Standing Committee meeting for preliminary review. This draft was officially released for the public consultation on 21 October, 2020. The consultation period will last until 19 November 2020.
The Irish Data Protection Act, 2018 (Irish DPA) implements the General Data Protection Regulation (GDPR) and transposes the European Union Law Enforcement Directive in Ireland. Since it incorporates most of the provisions from the GDPR and the Law Enforcement Directive with limited additions and deletions as per the national law, it is considered to be the principal data protection legislation in Ireland.
The Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012 (the “PDPO) is the primary legislation in Hong Kong which was enacted to protect the privacy of individuals’ personal data, and regulate the collection, holding, processing, disclosure, or use of personal data by the organizations.. The Data Protection Principles ( the “DPPs or DPP ''), which are contained in Schedule 1 to the PDPO, outline how entities should collect, handle, disclose, and use personal data.
In 2012, the Philippines passed the comprehensive privacy law, Data Privacy Act 2012 Republic Act. No, 10173 (the "DPA"). The DPA recognizes the rights of individuals to have more control over their personal data while ensuring a free flow of information to promote innovation and growth.
The United Arab Emirates (UAE) has a Federal Telecommunication Law ( Federal Law) which requires that a company must hold a license in order to provide public communications services and operate public telecommunication networks. Under this Federal Law, a Telecommunication Regulatory Authority (TRA) was established which regulates the telecommunication sector in the UAE.