Regional Privacy Laws

Video Transcription
In this video, we're going to give an overview of different data privacy laws in countries and regions throughout the globe.
The CCSK exam doesn't require in-depth knowledge of these different laws. However, when you take the test, I highly recommend you have a copy of the CSA Cloud Security Guidance document on hand and searchable. This will allow you to find some of the key highlights about the different privacy laws applicable to the different countries.
In 1988 Australia passed a Privacy Act that defined 13 different privacy policies. These policies were applicable to private and nonprofit companies making more than $3 million a year. The principles also applied to private health providers and certain small businesses.
Amongst other things, these principles required reporting data breaches, specifically data breaches of PII, personally identifiable information, that could cause serious harm. In those circumstances, the entities that this Privacy Act is applicable to need to report it to the Information Commissioner.
Australia also has an overarching consumer law that protects its consumers against false and misleading contracts or poor conduct by the businesses themselves. This isn't specific to technology, but it can certainly be applicable to a cloud provider operating in Australia.
In 2017 China passed its own cybersecurity law that governs and dictates operations of networks and critical infrastructure throughout the country.
This law placed various security requirements on that infrastructure: information security measures and emergency response plans are required of the businesses, and they need to support the Chinese authorities in their investigations of breaches or when looking for data.
In 2017 China also drafted regulations on cross-border data transfers. This greatly increased the number of data categories that need to be stored locally, within the physical boundaries of the country.
Japan has its own Act on the Protection of Personal Information. Overall, APPI protects personal information and data. In 2017 it was amended to limit how that data can be transferred to third parties.
Japan also has regulations that pertain to personal health information, PHI, patient information.
When it comes to data transfer outside of Japan, no formal consent is required so long as you are transferring it out of Japan and into a country that has a comparable privacy framework in place.
Russia has significant restrictions on data processing. In 2015 they required that data of Russian citizens be physically stored within Russia. This is very similar to China's localization restrictions that we previously discussed.
In 2018 the European Union published GDPR, the General Data Protection Regulation. This was a real big deal in the industry: any company that processes data of any EU citizen, regardless of where that EU citizen is located, must adhere to these regulations with regards to managing data of that individual or those individuals that are EU citizens. Certain things include making sure you're very clear on obtaining consent of the data subject, and very clear on what you're intending to use the data for. You can only transfer data to countries that have similar privacy and data protection frameworks in place.
EU citizens have the right to request that a company provide all the data that it has collected about them, and even assert that they want to be forgotten, requiring that those companies completely purge that data and information about them. Companies are required to report a breach within 72 hours of becoming aware of the breach, not within 72 hours of the breach itself, because sometimes it takes more than 72 hours to even be aware that the breach occurred.
Failing to meet these regulations has some extremely steep fines: 20 million euros or even 4% of a company's gross income in that area. Germany has also come in, and they require a DPO, a data protection officer, be in place for any company that has more than nine employees.
Also applicable is the Network and Information Security Directive from the EU. This governs network and information security for digital services such as e-commerce, search engines and cloud computing. Those essential service providers must notify government authorities if there is an impact to the services that they provide. So if the search engine goes down, the government needs to be made aware of it.
Certain countries outside the EU have also adopted regulations highly influenced by GDPR, including Dubai, Israel, Morocco, Senegal, Qatar and South Africa.
Privacy policies in Central and South America are rapidly changing. They've been highly inspired by European Directive 95/46/EC and the APEC Privacy Framework. It's worth noting that European Directive 95/46/EC was the precursor to the GDPR that we just discussed a few moments ago.
Mexico itself also has explicit laws on the books that require disclosure during incidents of data breach.
Canada has addressed data privacy with PIPEDA, the Personal Information Protection and Electronic Documents Act.
Unlike GDPR in the EU, the United States does not have a single comprehensive privacy act. Rather, individual things such as the Gramm-Leach-Bliley Act are applicable. HIPAA is very much focused on health information and patient health information and the management around that, and it was also amended by HITECH, which brought some more modern constraints and requirements on health care providers for managing their information. Other privacy laws include addressing the nuances of data related to minors. This is COPPA, the Children's Online Privacy Protection Act, and there are other general laws that require that reasonable security measures for personal data be put in place by companies.
And as we've hit on so many times, the data controller is ultimately responsible. This includes inheriting responsibility for data processors' and subcontractors' actions and inactions and their ability to protect the data, or being held accountable when subcontractors are not performing the necessary and expected diligence to manage the data.
In the US there are also certain state-level laws. These are aimed at filling the void due to the lack of an overarching federal-level law. These laws apply to data of individuals who are state residents; it doesn't matter where the company itself is located. If you have information from and about individuals that reside in the states that have enacted these laws, the expectation is that the company will be able to adhere to those laws.
Amongst other things, these laws require written contracts between the entity and the service providers themselves to ensure that adequate protections are in place for personal data. There are laws that require notification to government agencies in the course of breaches. Massachusetts itself has a pretty extensive suite of state laws, and so does California, recently introducing the California Consumer Protection Act. And for a long time, the FTC has been responsible for enforcing action against unfair and deceptive practices. While this isn't technology-specific or even privacy-data-specific, it is worth noting because it's been pulled into many cases and circumstances as a reference for prosecuting companies who are mishandling data or using data in ways that the customer who was providing the data did not expect it to be used.
So in this video we took a whirlwind tour of all the privacy laws throughout the globe. Once again, you don't need to memorize each and every one of these. But when you're taking the exam, it's gonna be very effective for you to have some good notes and highlights about key points on these different laws and the regions that they're applicable to.