Global View: International Privacy Laws Today's online world, including the increasing use of the cloud to store data on remote third-party servers, offers unprecedented opportunities for the global storage and transfer of personal information. To address the risks associated with the unregulated exchange of personal information, many jurisdictions around the world have enacted privacy laws, regulations, and rules dealing with data collection, processing, storage, disclosure, and use. Although definitions of the term privacy vary, common elements include freedom or protection of individuals and sometimes groups from unauthorized or unwanted intrusion into, or observation of, their personal information and from violation of the integrity of this information.

The type of protection, as well as the speed, level of completeness, and depth of regulation and implementation, varies from country to country. Increasingly, countries have addressed the cross-border transfer of personal information and taken steps to prevent the circumvention of existing national laws governing the storage, processing, and disclosure of information through the "off-shoring" of these activities. Accordingly, when multinational companies do business outside their home country, including offering products or services on the Internet and collecting personal information from residents of a foreign country, they are likely to fall under the privacy laws and regulations in that country. The following is a brief overview of privacy laws and regulations in several key jurisdictions.

European Union The European Union (EU) Data Protection Directive (Directive 95/46/EC), adopted in 1995, requires its Member States to safeguard the privacy of personal data by

(1) giving notice to individuals about how their information will be used;

(2) offering a choice when disclosing information to third parties (with opt-in consent required for sensitive information);

(3) maintaining the security of personal information;

(4) ensuring that the data are reliable, accurate, and current; and

(5) giving individuals access to examine, correct, and delete information about themselves.

Because each EU Member State had to incorporate the provisions of the Data Protection Directive into national law for them to be binding, there is some variation in the privacy laws among the states.

The EU adopted the General Data Protection Regulation (GDPR) in 2016. It will enter into full force across all Member States on May 25, 2018. The GDPR will replace Directive 95/46/EC and affect organizations based within the EU, as well as foreign organizations doing business there. Although the GDPR is intended to make it easier for multinational entities operating across the EU to comply with data protection law, certain aspects of the regulation permit Member States to enact their own legislation, so inconsistencies in application may exist.

An important principle of both the Data Protection Directive and the GDPR is that personal information generally should not be collected unless the collection is

(1) proportional (meaning adequate and not excessive relative to its purpose),

(2) transparent (meaning that the affected individual must be informed as to the circumstances of the collection and consent to it), and

(3) for a legitimate purpose.

The GDPR will make it easier for individuals to access and control their own data, including information on how their data are processed; make it easier to transfer personal data between service providers; clarify the "right to be forgotten," which allows an individual to require that certain personal data be deleted (the subject of the "Inside Story" in Chapter 24); and, under certain circumstances, require notification when data have been hacked (e.g., if the breach is likely to result in a "high risk" to the data subject). Additionally, a data subject's consent to process personal data must be "as easy to withdraw as to give." In the case of "sensitive data," consent must be explicit.

By modernizing and unifying the rules, cutting red tape, and reinforcing consumer trust, the GDPR will help businesses reap the benefits of the "Digital Single Market." The legislation will make a "one-stop-shop" so that businesses can deal with only one privacy supervisory authority, making it less costly to do business in the EU; require companies based abroad to apply the same rules as EU-based firms when offering services inside the EU; provide for a "risk-based approach" to incorporating the rules; and require firms to build in data protection safeguards when developing products and services in the beginning stages of development (so-called data protection by design).

The GDPR broadened the definition of personal and sensitive data to include political opinions, religious and philosophical beliefs, health and sex life, and genetic and biometric data. The regulation applies both to data controllers (the entities determining how and why personal data are processed) in the EU and to data processors (the entities that process the personal data on behalf of data controllers) in the EU. The GDPR also applies to controllers and processors outside of the EU whose processing activities involve offering goods or services to EU data subjects or monitoring these subjects' behavior within the EU. Penalties for breaching the GDPR can be significant.

Unlike the Data Protection Directive, the GDPR does not require a company that processes personal information ("personal data") to register or notify data protection supervisory authorities before it starts collecting personal information. Instead, data controllers are required to maintain appropriate records to evidence compliance with the GDPR. Personal information may be transferred into third countries (countries outside the EU) only if the third country provides an adequate level of protection for the information.

Although the United States is not regarded as providing adequate protection, the EU and the United States adopted the EU-U.S. Privacy Shield in 2016 to permit the transfer of personal information from any EU member state to the United States under certain circumstances. The EU-U.S. Privacy Shield requires U.S. companies to ensure that individuals' digital information, "from social media posts and search queries to information about workers' pensions and payroll," is not misused. Companies must adhere to seven principles: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement, and liability, all as determined by self-assessment or assessment of a third party, with recertification required each year. The rules apply to all companies regardless of whether they are social media platforms, pharmaceutical companies, or industrial conglomerates subject to the jurisdiction of the FTC or the U.S Department of Transportation. In addition, the agreement requires the United States to provide an annual guarantee that its intelligence agencies will not have "indiscriminate access" to Europeans' digital data when these data are sent to the United States. The agreement enables about $260 billion of trade in digital services, with nearly 2,000 companies (including Facebook, Google, and Microsoft) relying on the EU-U.S. Privacy Shield to store data about EU citizens on U.S. servers. A separate Swiss-U.S. Privacy Shield became effective in April 2017 and covers data transfers from Switzerland.

In January 2017, the European Commission proposed a revision to the ePrivacy Directive that aims to reinforce the right to privacy and control of data for European citizens. (Directive 2002/58/EC, referred to as the ePrivacy Directive, protects the privacy of communications over public electronic networks.) The revision would require messaging, email, and voice service providers to guarantee the "confidentiality of conversations and metadata around the time, place and other factors of those conversations." The rules would prohibit service providers, such as Facebook Messenger, Google, WhatsApp, Skype, and others, from listening to, tapping, intercepting, scanning, or storing communications without users' consent (except for certain "critical" functions); require "explicit consent" before data could be used for advertising; and eliminate consent requirements for cookies that do not affect privacy ("privacy intrusive" cookies would still require consent). As with the GDPR, the fines for noncompliance would be significant. The proposed rule was designed to close the "perceived regulation gap between traditional telecom[] companies and predominantly US-based internet communications companies" and to also allow telecom companies to use certain metadatafor example, the length and location of callsto provide more services and earn more revenue. Although one EU regulator asserted that the proposed regulation is balanced because it gives consumers a high level of protection while also permitting businesses to innovate, others have stated that the EU is "on the verge of a regulation overload," as this proposal follows shortly after the adoption of the GDPR. Further, an industry spokesperson representing Google and other companies argued that the proposed revision risks "incoherence and confusion" because the GDPR requires one approach to safeguarding privacy and ePrivacy calls for another approach.

Read Global View article on international privacy laws [See Global View - International Privacy Laws which is near the end of Chapter 9 on Torts & Privacy Protection.(above)

Note especially the European Union General Data Protection Regulation [GDPR]. Note that the EU approach to data privacy is that the data is a digital assetof the owner and that organizations seeking to use your data must secure your affirmative consent and that the consent needs to be proportionate, transparent and for a legitimate purpose, including the right to be forgotten. The regulation applies to organizations outside the EU to the extent that they handle the data of EU nationals. Facebook accumulates and analyzes the data of persons accessing its [even when it is not actively being used by you], then sells advertising to third parties based on the data. Facebook currently considers your accession to their service as consent for the collection and use of your data. Facebook currently benefits from increased use. This is called a network effect. 'Network effect' isa phenomenon whereby a product or service gains additional value as more people use it.

If data is a digital asset owned by the individual, do individuals in the EU have the right to charge Facebook for each use of the individual's data or require that their information be deleted [right to be forgotten]? Would your company be ready to adopt a customer/consumer 'information' loyalty program to reward customers/consumers for allowing your company to use/sell the data? A one [1] paragraph response in Word format