Data Protection Authorities
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
4 hours 41 minutes
welcome everyone to module seven of 10. Look at us. We are cruising along.
This module will be dedicated to evaluating how the C C P. A is enforced.
One could argue this is actually one of the most important modules of all, as we will outline for you the real world consequences of failing to abide by by the provisions of the C C p A.
Let's jump right into it.
This is where we are in our course outline.
We began by studying the history of the C C p. A and the scope of the businesses that are subject to the law.
After that, we went through four modules of looking at the privacy obligations that the CCP established
and that's it.
We will no longer introduce you to new privacy obligations.
Instead, the next four modules will outline how best to comply with the CCP A. In a real world context.
This module, of course, being dedicated to enforcement
In order to understand how the CCP is enforced, we need to begin by dedicating less than 7.12 reviewing how data protection authorities around the world and in the United States operate. So we can better understand and predict how the C c p. A. Will be enforced. Moving forward
our learning goals and objectives for less than 7.1.
we will review What is a D p. A.
What is a data protection authority?
We will have that conversation.
We will review how DPS are organized.
Moving forward. I'm just gonna use the acronym. Makes things faster.
I will outline for you worldwide prevalence of d P. A s. They are everywhere, and I will show you which countries have them
then number four.
Let us mentally prepare ourselves for the shortcomings of C c p A enforcement in the shortcomings of the judicial system in California.
Let's start this conversation by having a more holistic review off. What is a data protection authority?
There's three general topics I want to run by you
first. DPS are an independent public authority that both supervises two goals here and enforces through its investigative and corrective powers, the various privacy laws of the world.
That's a weird sentence.
I've highlighted for you the most important part.
They supervise and enforce, meaning that one can supervise data protection practices without necessarily enforcing a certain provisions of the law.
It could be viewed as a guide, so to speak, which flows very well into objective number. Two.
DPS also provide expert advice on data protection issues,
and they also handle potential complaints alleging around relevant violations of privacy law.
I think in the United States, particularly through the legal lens, people fear regulators and Onley view them as potential entities that might find a company for non compliance, and that's genuinely a credible fear.
But GPS are also in the business of simply guiding companies along.
They published guidance on a weekly basis on best data handling practices.
They also frequently host Webinars and once covert, clears live in person events to help train and foster a positive conversation around how companies should be organized internally
and how the pursuit of privacy compliance should be best initiated. Internally,
I'd like to just suggest and put out there that DPS are not necessarily all bad, and they absolutely have a positive role in the world of privacy compliance.
Just be aware that there are and will go through the list DPS in most countries,
including every member of the European Union,
moving forward. Let's take a look at how DPS are generally structured.
Please keep an eye on slide 188.
You're going to get a similar slide in less than 7.2,
and we're going to show you how the ideal Deepa is structured in this slide
in this scenario and how that does not exist in California.
So we're going to do some nice comparing and contrasting.
There's four different layers I want to address to how DPS are generally structured.
Let's start at the top.
In most cases,
T PAHs are very well funded.
They're funded by taxpayer money, meaning that they have an annual budget that is
much like most federal or state level agencies
consistently replaced and generally tends to grow year over year, allowing them to have long term goals and objectives.
They are also usually staffed by privacy experts, top notch privacy people that absolutely know what they're doing and understand how to enforce the law.
They also, as I mentioned a moment ago,
published guidance regularly to help companies avoid falling into some of the traps of non compliance, and in some scenarios
they are also established by specific privacy regimes.
Some of the DPS existed before the GDP are,
in fact, most of them in your existed.
But you'll see, for example, the L G P D. Which is the privacy law of Brazil, actually establishes a D. P. A s part of the law.
Because the privacy advocates in Brazil understood you can't pass a privacy law without also having a d. P. A. That's out there to give companies the guidance that falls into the four buckets we have on the screen.
Now, I hate to tell you,
but the United States lacks a d. P. A.
At the federal level, we simply do not have one.
Yes, the Federal Trade Commission does enforce the Gramm Leach Bliley Act. That's the financial privacy law,
and HIPPA is generally enforced. But the Department of Health and Human Services D. H s.
But in general,
the federal agencies are not primarily tasked with establishing federal privacy best practices.
If anything, they're Onley exclusively designed to help enforce and regulate a certain law or a certain sub piece of privacy enforcement.
The FTC, which I don't mention here but I'll call out,
also helps enforce Coppa, as do the state attorney general's.
But it's a patchwork system.
We certainly lack an overarching federal regulator that most other countries have
as it relates to data privacy enforcement.
In fact, on that note, look at your screen here.
There are DPS in most corners of the world, on all inhabited continents
in the European Union. Every country in the E A. That's the European Economic area has a d p. A.
But take a look.
This is current as of several weeks ago, and I know there are others, including Egypt, that's considering establishing a deepa here soon. But most countries that you see here that have mature, robust economies that are well integrated into global commerce have GPS.
The United States
simply does not have one.
Hopefully, that is something that is eventually they dressed. But I just want to point out that there are countries on here. Honduras, Costa Rica, which are not generally viewed as large economies that handle vast amounts of personal information.
But they have GPAs as to their credit.
I think it's important for you all to have um, or holistic understanding off which countries have GPS and which ones don't.
The United States is absolutely an outlier in that regard.
Introductory lesson here for less than 7.1,
less than 7.2 in less than 7.3 are going to talk more about seat specific enforcement mechanisms around the C C. P. A.
Our objectives here
we reviewed how DPS are organized and the regulatory landscape in the United States
again. Remember, there is no federal deepa.
A lot of other countries have one, but
There's simply a patchwork system with the Federal Trade Commission,
the Department of Health and Human Services.
Occasionally, some state level attorney general's will get involved. But
the United States is certainly behind the well in that development arc.
We will review in less than 7.2 how the C c P. A. Is specifically enforced as it compares to the global framework.
I'll see you there in the next video