The concept of privacy has grown in importance in the United States at a breathtaking rate. As recently as ten years ago or less, it was seldom, if ever, considered a concern in information governance circles, and information governance policies rarely contained a significant data protection component other than HIPAA compliance.
But oh my god! How the world has changed – now it's everywhere. And given this sudden surge in notoriety, one might think that privacy is a brand-new legal concept, the product of a new legal doctrine invented in a think tank.
If you had thought that, you would not be completely wrong. There are certainly a lot of think tanks these days that think very hard about privacy. But they are not really thinking about a new concept. On the contrary, they are trying to turn a very old concept into an enforceable law and a workable practice in a world very different from the one the early thinkers in this area faced.
In the United States, the first references to the concept appear in the Constitution, the Bill of Rights and subsequent amendments. The third amendment prevents the government from quartering soldiers in your home – a privacy issue, certainly – but perhaps most importantly, the ninth amendment reserves to the people a wide range of rights, basically anything not specifically granted to the government (a concept carried over directly from the Magna Carta of 1215).
This basket of rights contains a good deal of privacy. The fourteenth amendment, through decisions of the Supreme Court as early as 1923, granted a broad right to privacy and freedom from state interference in a number of areas that are central to privacy. Since then, the courts have delved into the matter extensively, using the Constitution as the basis for finding a number of privacy rights. Over the years, an extensive body of case law on data protection has developed.
Statutory data protection law is older than you might think. The state of California has an anti-eavesdropping law dating from 1862 – yes, you read that right – that forbids people from intercepting telegraph communications not intended for them – literally, eavesdropping on the wires. Indeed, California had its first invasion-of-privacy conviction within a couple of years, when someone tapped the wires for inside information to use in stock trading. It may also have been the first insider trading case.
But how did it all end up in the rest of the world? In particular, how did it come about in places like Europe where, apart from England, there was historically no strong tradition of protecting individual rights? Through Canada, of course.
Canadians were early and active advocates of privacy rights as a legal concept. Canada's Human Rights Act dates back to 1977, the Canadian Charter of Freedoms to 1982, and the Data Protection Act to 1983. In very real terms, these are the cornerstones of all the general privacy laws that followed. Privacy had come up in dribs and drabs before that time – for example the Fair Credit Reporting Act of 1970 – but it came up here and there on particular issues, never as the recognition of a general right to privacy. It is the Canadians who gave shape and expression to a concept that had until then only been alluded to. And they have been thought leaders on this topic ever since.
The collapse of the Soviet Union aroused great interest in privacy in Europe and the European Union. The East German Stasi was particularly known for having informants everywhere – and this came after Nazi Germany and the Gestapo. People in Europe were very receptive to the concept of privacy as a right and to formal legal protection for it. So they quickly followed the Canadian model – first high-level conceptual statements, such as the 1980 Data Protection Convention, then an increasingly detailed and stringent set of laws that culminated in the current regime of the General Data Protection Regulation and its numerous enforcement tools. The European Union has become a leader in data protection. The requirements and enforcement of data protection law in the E.U. are the most comprehensive and strictest in the world.
An important consequence of this is the spread of today's E.U. data protection law and enforcement model. Much of the rest of the world has privacy laws modeled on E.U. law and the GDPR. A look at the privacy map reveals that GDPR-style law is fully developed in places as distant as Argentina, South Korea, and Japan, with places like Australia and New Zealand following closely behind Canada. And it has evolved in some places you may not have expected for a while: the community of West African states has had a data protection law since 2010. There is clearly a trend here, and it is worth examining where that trend is headed, because it has finally arrived in the United States in the form of the California Consumer Protection Act, the CCPA.
A look at the US privacy map reveals that the CCPA is not alone and that about half of the states currently have a general privacy law on the books or in the works. How that works is important to all of us. Here are some key features that are likely to be near universal at some point and that you need to consider:
And friend, it will come to you soon. The trend is inevitable: Europeans have enforced compliance on many non-European organizations because those organizations do business in Europe, and they have provided a comprehensive model for other countries to follow. The more countries that use the same model, the greater the pressure on other countries, as well as on companies and other organizations, to adapt too. Now it has made it to the US, and states are reviewing and adopting the same model – the CCPA. And because it is here, and because states fall like a series of dominoes one at a time, you will eventually be forced to incorporate the same compliance model into your own business practices, no matter how much you resist.
It's not about whether, it's about when. Even if your state holds out, at some point you will look beyond its borders and find that everyone else is already there. If you want to do business elsewhere, you must comply with these laws.
So don't be like the many US companies that ignored the five years of warnings before GDPR was enacted and the nearly two-year grace period before enforcement, and are now facing – or have already had to pay – millions of dollars in fines. Familiarize yourself with data protection and start developing a reputable compliance program. There is no time to waste!
Further information on continuous compliance with the evolving regulatory landscape can be found in this eBook: Risks and opportunities of managing information chaos.