Regional Privacy Laws


Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:00
>> In this video, we're going to give an overview of different data privacy laws in countries and regions throughout the globe. The CCSK exam doesn't require in-depth knowledge of these different laws. However, when you take the test, I highly recommend you have a copy of the CSA Cloud Security Guidance document on hand and searchable; this will allow you to find some of the key highlights about the different privacy laws applicable to the different countries.

In 1988, Australia passed the Privacy Act that defined 13 different privacy policies. These policies were applicable to private and non-profit companies making more than three million Australian dollars a year; the principles also apply to private health providers and certain small businesses. Amongst other things, these principles required reporting data breaches, specifically data breaches of PII, Personally Identifiable Information, that could cause serious harm. In those circumstances, the entities that this Privacy Act is applicable to need to report it to the Information Commissioner. Australia also has an overarching consumer law that protects its consumers against false and misleading contracts or poor conduct by the businesses themselves. This isn't specific to technology, but it can certainly be applicable to a Cloud provider operating in Australia.

In 2017, China passed its own cybersecurity law that governs and dictates operations of networks and critical infrastructure throughout the country. This law placed various security requirements on that infrastructure: information security measures and emergency response plans are required of the businesses, and they need to support the Chinese authorities in their investigations of breaches or looking for data. In 2017, China also drafted regulations on cross-border data transfers; this greatly increased the number of data categories that need to be stored locally in the country of China, within the physical boundaries of the country.

Japan has its own Act on the Protection of Personal Information. Overall, APPI protects personal information and data, and in 2017 it was amended to limit how that data can be transferred to third parties. Japan also has regulations that pertain to personal health information, PHI, patient information. When it comes to data transfer outside of Japan, no formal consent is required so long as you are transferring it out of Japan and into a country that has a comparable privacy framework in place.

Russia has significant restrictions on data processing. In 2015, they required that data of Russian citizens be physically stored within Russia; this is very similar to China's relocalization restrictions that we previously discussed.

In 2018, the European Union published GDPR, the General Data Protection Regulation. This was a really big deal in the industry, and any company that processes data of an EU citizen, regardless of where that actual EU citizen is located, must adhere to these regulations with regards to managing data of that individual or those individuals that are EU citizens. Certain things include making sure you're very clear on obtaining consent of the data subject, you're very clear on what you're intending to use the data for, and you can only transfer data to countries that have similar privacy and data protection frameworks in place. EU citizens have the right to request that a company provide all the data that they've collected about them, and even assert that they want to be forgotten and require that those companies completely purge that data and information about them. Companies are required to report a breach within 72 hours of becoming aware of the breach, not within 72 hours of the breach itself, because sometimes it takes more than 72 hours to even be aware that the breach occurred. Failing to meet these regulations has some extremely steep fines: €20 million, or even four percent of a company's gross income in that area.

Germany has also come in, and they require a DPO, a Data Protection Officer, be in place for any company that has more than nine employees. Also applicable is the Network and Information Security Directive from the EU. This governs network and information security for digital services, such as e-commerce, search engines and Cloud computing, and those essential service providers must notify government authorities if there's an impact to the services that they provide; so if the search engine goes down, the government needs to be made aware of it.

Certain countries outside the EU have also adopted regulations highly influenced by GDPR, including Dubai, Israel, Morocco, Senegal, Qatar, and South Africa. Privacy policies in Central and South America are rapidly changing; they've been highly inspired by European Directive 95/46/EC and the APEC Privacy Framework. It's worth noting that European Directive 95/46/EC was the precursor to the GDPR that we just discussed a few moments ago. Mexico itself also has explicit laws on the books that require disclosure in the event of a data breach. Canada has addressed data privacy with PIPEDA, the Personal Information Protection and Electronic Documents Act.

Unlike GDPR in the EU, the United States does not have a single comprehensive privacy act; rather, individual things such as the Gramm-Leach-Bliley Act are applicable, and HIPAA, very much focused on health information and patient health information and the management around that, which was also amended by HITECH, which brought some more modern constraints and requirements on health care providers for managing their information. Other privacy laws include one addressing the nuances of data related to minors; this is COPPA, the Children's Online Privacy Protection Act. And there are other general laws that require reasonable security measures for personal data be put in place by companies.

As we've hit on so many times, the data controller is ultimately responsible. This includes inheriting responsibility for data processors' and subcontractors' actions and inactions and ability to protect the data, or being held accountable when subcontractors are not performing the necessary and expected diligence to manage the data.

In the US, there are also certain state-level laws. These are aimed to fill the void due to the lack of an overarching federal-level law. These laws apply to data of individuals, state residents; it doesn't matter where the company itself is located. If you have information from and about individuals that reside in the states that have enacted these laws, the expectation is the company will be able to adhere to those laws. Amongst other things, these laws require written contracts between the entity and the service providers themselves to ensure that adequate protections are in place for personal data. There are laws that require notification to government agencies in the course of breaches. Massachusetts itself has a pretty extensive suite of state laws, and so does California, recently introducing the California Consumer Protection Act.

For a long time the FTC has been responsible for enforcing action against unfair and deceptive practices. While this isn't technology-specific or even privacy-data-specific, it is worth noting because it's been pulled into many cases and circumstances as a reference against and in prosecuting companies who are mishandling data or using data in ways that the customer themselves, who was providing the data, did not expect it to be used.

In this video, we took a whirlwind tour of all the privacy laws throughout the globe. Once again, you don't need to memorize each and every one of these, but when you're taking the exam, it's going to be very effective for you to have some good notes and highlights about key points on these different laws and the regions that they're applicable to.