We’ve seen an unprecedented number of breaches in the United States in recent years, spanning both the public and private sector. Despite how critical data privacy laws are to preventing breaches and sustaining internet health, the U.S. lacks a comprehensive consumer privacy law and national data breach standard. Instead, American consumers face a patchwork of privacy laws that leave some personal information unprotected in surprising ways, and a general purpose consumer protection law enforced by the Federal Trade Commission (“FTC”) that maps imperfectly onto privacy rights. Legislators have attempted to enact data breach laws; at least 11 bills were introduced in Congress in 2015. However, these bills were stalled largely by disagreement over the extent to which a federal law should preempt more privacy protective state data breach laws.
Nevertheless, other countries have enacted and are beginning to enforce data breach laws. Many of these laws are more stringent than similar provisions in U.S. federal laws with breach provisions, such as the Gramm-Leach-Bliley Act (“GLBA”)1 and Health Information Technology for Economic and Clinical Health Act (“HITECH”).2 The EU’s General Data Protection Regulation (“GDPR”)3 and South Africa’s Protection of Personal Information Act (“POPI”)4 are two examples. Below is an overview of three aspects of GDPR and POPI that may reflect emerging trends in international data breach law and could significantly impact U.S. businesses’ operations abroad.
A major difference between international data breach standards and U.S. law is their applicability. U.S. privacy laws only apply to certain classes of information – GLBA addresses financial data, HITECH and the Health Insurance Portability and Accountability Act (“HIPAA”)5 govern health data, the Family Educational Rights and Privacy Act (“FERPA”)6 regulates maintenance of educational records, and the Children’s Online Privacy Protection Act (“COPPA”)7 applies to children’s data. FERPA and COPPA do
not address data breach, and although GLBA and HITECH (a complementary law to HIPAA) include breach response standards, their protections are limited to financial and health data. Section 5 of the FTC Act gives the FTC power to address “unfair or deceptive” business practices, and may be used to impose penalties for breaches of any type of data.8 Section 5 does not, however, give the FTC authority to put rules in place to prevent breaches or require businesses to notify anyone of a breach. In sum, U.S. federal law provides no affirmative breach protections for information beyond financial or health data.
International privacy laws take a more comprehensive approach. The GDPR applies to “any information relating to an identified or identifiable natural person (‘data subject’).”9 This includes a person’s name, identification number, location data, online identifier or information on the “physical, physiological, genetic, mental, economic, cultural or social identity” of the person. Similarly, POPI’s breach provisions apply to all “personal information,”10 defined as any information related to an individual, including (but not limited to) demographic information and information on their marital, occupational, religious, health, or educational status. “Personal information” also includes the individual’s opinions or someone else’s opinions on the individual.
It should be noted that POPI does not use the “linked or linkable” or “identifiable” language often found in American and EU privacy laws’ definition of personal information. This may cause POPI to be interpreted to cover a more narrow set of information than would be protected under the GDPR or a U.S. comprehensive privacy law, if one existed. Still, it’s noteworthy that both GDPR and POPI will protect a more expansive group of information than existing U.S. laws in the event of a breach.
U.S. laws that include data breach provisions generally only require notification to regulatory authorities or affected persons if the breach is expected to result in a particular type or level of harm. GLBA, for example, only requires notification when the incident is expected to result in “substantial harm.” The law leaves it up to the regulated entity to determine whether the incident meets this threshold. HITECH requires notification when the breach “compromises the security or privacy” of the information and, similar to GLBA, leaves it up to the breached entity to determine whether the incident reaches this level. Even some state breach laws tie notification to demonstrated or expected harm;11 many only require notification when the breach is expected to cause concrete harms such as fraud or identity theft.
In contrast, POPI takes a broad approach to breach notification. Under POPI, any suspicion that personal information has been accessed or acquired by an unauthorized person must be reported to both the affected individual and the enforcing agency (the “Information Regulator,”) regardless of the harm the incident might cause.12 Likewise, the GDPR triggers notification13 to the member nation’s supervisory authority when any personal data has been breached, whether or not the breach will cause harm. The GDPR does limit consumer notification slightly; it only requires notification to an individual when the breach is “likely to result in high risk to the rights and freedoms” of that person.14
POPI and the GDPR also require notification in a shorter timeframe than many U.S. laws. POPI requires breach notification to authorities and affected individuals “as soon as reasonably possible after discovery of the compromise” and the notification must be made in writing with sufficient information to allow the individual to take protective measures. The GDPR is similarly strict. Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”15 These standards are markedly shorter than HITECH, which requires notification “without unreasonable delay,”16 but gives entities up to 60 days to notify stakeholders after a data breach is discovered. Moreover, although many U.S. state laws require notification “as soon as possible”17 or “as expeditiously as possible,”18 state laws that put a time limit in place for notification often give breached organizations 45 or more days to notify.19
What do these trends mean for American companies? While the GDPR and POPI cannot determine data breach response standards for countries outside of their jurisdiction, they are certainly persuasive authority. The GDPR applies to every EU member state – most of which do business with and host foreign offices for companies across the globe. So, at the very least, U.S. companies must keep these legal developments in mind when designing future data protection policies and procedures. Additionally, South Africa’s legislative framework and its constitutional courts serve as a model for nations in Africa and abroad. At least one expert credits South Africa’s influence over international jurisprudence to it being “not American, thus rendering [its] reasoning more politically palatable to domestic audiences in an era of extraordinary U.S. military, political, economic, and cultural power.”20 Chances are these sentiments will only increase in the years to come. Data breach legislation will likely move swiftly ahead in other nations, whether or not the Trump Administration or next Congress decide to push for it at home. U.S. companies must prepare now to comply with these new standards if they expect to remain globally competitive.