In the United States, privacy legislation is widely recognized as a hot, trending topic of the 21st century. However, its roots can be traced back in history to well before the founding of the United States, to the Magna Carta (circa 1215), which first established the right to privacy in one's own home.
Over the past few decades, the exponential increase in the accessibility and availability of personal data has led to the spread of data protection laws in the US and the rest of the world.
It is important to understand this evolution in order to understand current trends and be adequately prepared for future laws, since 100 out of 196 countries currently have some form of data protection law.
This post covers the evolution of data protection law in the United States, why recent data protection laws have become such an important topic, and why organizations should be deeply concerned about compliance.
Data protection law in the United States began at the same time as the country itself, right in its founding documents: The United States Constitution and the Bill of Rights (1791). While the ideas contained therein are now considered established, almost universal legal concepts, this was far from the case at the time.
While the US Constitution as a whole does not contain an express right to privacy, the Bill of Rights expressly reflects the concerns of its authors about protecting certain aspects of individual freedom and privacy. These aspects include the confidentiality of beliefs (1st Amendment), the home (3rd Amendment), person and property (4th Amendment), and the 5th Amendment privilege against self-incrimination, which provides privacy protection for personal information.
In addition, the Ninth Amendment states that the “list of certain rights” in the Bill of Rights “must not be interpreted in such a way that other rights retained by the people are denied or diminished”. In Griswold v Connecticut (1965), the United States Supreme Court ruled that the 9th Amendment supplements the 1st, 3rd, 4th, and 5th Amendments in protecting an individual's right to privacy, even though that right is not expressly set out in the Constitution.
Outside of the constitutional amendments, privacy appeared in court long before the 20th century; it surfaced as a legal matter as early as 1864.
An enterprising stockbroker named D. C. Williams eavesdropped on corporate telegraph lines, then turned around and sold what he heard to other stock traders. He was later convicted of wiretapping, in what is essentially the first insider trading case.
A few decades later, two United States Supreme Court justices published "The Right to Privacy" in the Harvard Law Review (1890), which is considered the landmark article on the concept of privacy and which shaped privacy legislation in the following century.
Why are people now concerned about data protection laws?
If data protection law goes back almost 250 years, why has it become such a heated topic now?
There are many reasons.
For one, the ability to create, store, and analyze colossal amounts of data makes it possible to invade someone's privacy from anywhere in the world, without the victim even being aware of it.
Likewise, the misuse of this data has increased, whether intentionally or through a data breach. There is a wide range of unethical, improper, and downright illegal uses of data to which we are now vulnerable.
Third, public awareness of privacy issues has risen. It seems like almost every day there is a data breach in the news or an organization sends out a press release informing its customers of an incident. Our growing reliance on technology has made such incidents even more likely.
Finally, the GDPR punishes those who violate its rules and regulations, including through data breaches, with severe fines.
And now, it turns out, the European authorities mean business with the GDPR. They enforce it aggressively and complement it with all sorts of rules and regulations that apply it at a granular level. Anyone running a business organization that is subject to the GDPR really has no choice but to be compliant or pay the price. The authorities will examine, punish, and do everything in their power to ensure you are complying with this law.
Data protection laws are clearly here to stay, and there are only two possible paths: comply or do not.
Failure to comply with laws, regulations, standards, and published privacy and security notices is a path to disaster. The end of that road is a dead end of punishment by fines, damaged reputation, or both.
Compliance is not a cheap endeavor. The amount you invest in a privacy program can add up over time. However, when you consider GDPR fines of up to 4% of annual turnover, non-compliance adds up far more over time.
However, there is an additional dimension of data protection compliance to be considered: ethics and peer pressure.
Data protection standards are increasingly anchored in law and are now even expressly regulated by contract. In addition, the standards and contractual conditions that apply to you, either explicitly or implicitly, also apply to the business partners with whom you share data, especially in the USA.
While Europe distinguishes between a data controller and a data processor, the United States only has the main party acting as the data controller. Thus, not only the contract signatories are liable but also all of their employees, since they promise that they will manage and protect the data in accordance with the law.
Ultimately, the result is an interlocking series of contracts and commitments: everyone is responsible for everyone else. The upshot is that when choosing your suppliers, you should choose those with much the same ethical principles as your own organization. This includes everyone who touches your customers' data, e.g. your cloud provider or a relevant unit in your supply chain.
The basic principle here is that you are only as good as the weakest link in your chain. If someone in your chain falls short, it can affect your organization, even if the weakness arises because one of your providers fails to protect privacy.
This means that you should choose your suppliers as partners you can trust. And from a legal perspective, when it comes to privacy and ethics, a partner really is more than a corporate partner. It may be that some partners should be viewed as records and information managers.
Ethics, which may be tied to the quality of your reputation, should be incorporated into your policies and decisions about privacy compliance.
With changes being made almost every day, building a data protection compliance program today can often feel like hitting a moving target.
When you are working on a large project like a data protection compliance program, the first thing to do is to use some kind of framework or starting point rather than reinventing the wheel.
The first step should be to examine how other organizations like yours have managed their privacy programs, which can save you time, manpower, and other resources. From there, you can customize the approach for your specific use cases as needed.
For more guidance on creating a privacy compliance program that is compliant today and scalable tomorrow, see our digital guides: Privacy for the Information Professional and Developing a Working Privacy Program.