While in France, a citizen of Brazil who resides in California books a bungee jump in New
Zealand. Is it a leap of faith into the unknown for both the operator and the
thrill-seeker?
By Tony Anscombe
The internet has created truly global markets for
businesses that would have once remained local and may have struggled to reach
a large enough audience to be profitable. Access to any website, from nearly
anywhere in the world, and the willingness of the business behind it to engage
with customers and deliver services or products to faraway places, has
revolutionized business opportunities for entrepreneurs.
This increased opportunity brings about many
challenges – for example, checkout, payment options and tax regulations may
differ from country to country. Fortunately, businesses can utilize a number of
outsourcing service providers and rely on them to provide the needed expertise
for e-commerce and payment systems that comply with local laws and regulations.
The entrepreneur is then free to focus on delivering goods or services to
customers. This opens the opportunity for even the smallest
business to trade on a global basis.
Conducting business online typically requires the
collection of data about customers and visitors to a web site; this takes the
form of web analytics, newsletter subscriptions, ad targeting, or it may be a
service subscription or product purchase. Depending on the location of the
business, and the location, residency or citizenship of the visitor or
customer, the company may need to comply with data privacy legislation. As a
consumer, I am an advocate for the need to protect my personal information
through robust legislation, but companies doing global business may be stepping
into a minefield.
In February I delivered a presentation at
CyberSecCon2020 in Auckland, New Zealand on the lessons learned around the
requirements of the data privacy regulations of both the General
Data Protection Regulation (GDPR) and the
California Consumer Privacy Act (CCPA) ahead of the forthcoming New Zealand
Privacy Bill, which is currently working its way through the legislative
procedure and is expected to become law in the coming months.
There are over 100 countries in the world that have
some form of data privacy legislation, ranging from limited all the way through
to robust. Then add to that a number of countries, like the USA, that have
individual legislation state-by-state. This is a complex subject!
Taking a leap of faith
Let’s imagine a fictional customer – Francisco – a
citizen of Brazil, who is a legal resident of California and travels frequently
on business. Francisco has decided to check off a life goal and bungee jump in
the home of bungee, New Zealand. He travels from California to France on
business and will then travel to New Zealand, but while in France he books a
bungee experience with a company based in New Zealand.
· For the purpose of my example, let’s imagine that 50,000 California
residents a year visit the bungee business in New Zealand. As a California
resident, Francisco is protected by CCPA, since the legislation applies to the
state’s residents regardless of where they, or the businesses they are
transacting with, are located.
· The transaction was initiated in France, a country that is part of the
European Union (EU). The EU’s GDPR legislation covers anyone located in an EU
country at the time of the personal information being collected.
· The website Francisco is transacting with is based in New Zealand, where
the proposed legislation applies to agencies (businesses) located there.
Which legislation should the company in New Zealand
comply with? Last year when I asked a similar hypothetical question of someone
in the European Commission, they responded with “that’s a great question”.
The confusion is likely to exist from Francisco’s
perspective as well. As a Brazilian citizen, he may think that the Brazilian
General Data Protection Law (LGPD) provides protection, or that as a California
resident the CCPA provides his protection.
Let’s extend the hypothetical scenario: Francisco
returns home to California and asks the bungee company to delete his
personal information, and they refuse or fail to confirm the request. To which
regulator should he make a complaint? Consumers are unlikely to understand
their rights when companies are in countries where they are not
residents, or they may assume the process is too complicated when the
company holding their personal data is in another country.
Each of the regulations in my example has different
requirements: the GDPR requires an opt-in (a lawful basis such as consent) before
data is collected, while the CCPA is opt-out. On security, the GDPR names
encryption and pseudonymization as examples of appropriate technical measures
(Article 32) but leaves the choice of measures to a risk assessment rather than
mandating encryption outright; the CCPA and the proposed New Zealand
Privacy Bill both state that reasonable security measures should be taken but
do not specify any further detail. The differences in the requirements are
numerous, and in the unfortunate instance of a data breach occurring, who should
be notified, and could fines be levied by multiple regulators in different
countries? And which of the several legal systems will apply, or will several?
There may be legal precedent for which regulation takes priority, but this is
not clear to me, a non-lawyer.
Confused? Probably. I know I am!
Our entrepreneur from earlier needs clarity so that
data privacy does not inhibit anyone from conducting business in any location.
And consumers should be able to visit any business online with assurance that
there is protection of their data and accountability regardless of where they or
the business is located, including in countries without specific legislation.
One rule to ring them all
The internet is a global marketplace and there are
some existing data privacy agreements in place that attempt to provide a
baseline. These are limited in participation and regional; a list can be found
on the Electronic Frontier Foundation website.
Is it time for one common set of rules on data
privacy regardless of residency, citizenship or location? There is precedent
for such rules; for example, 123 countries signed the World Trade
Organization’s (WTO) Marrakesh Agreement in 1994, which regulates international
trade between nations. If we accept that data is now a commodity item that has
a value and is traded, then maybe it could be included in a standard agreement,
in the same way the WTO regulates trading rules. A truly international standard
would need to adopt core principles and countries could always supplement these
with their own amendments, in the same way countries adopt trade agreements
between each other on top of the current WTO standard.
I am using the WTO as an example, but there are
numerous global organizations where a centralized data privacy agreement could
reside. Probably the most important element of any widely agreed international
regulation would be defining which regulator is responsible and when,
clarifying whether a citizen, resident or their location takes precedence or
whether a business is responsible by location or place of transaction.
At CyberSecCon2020, all the attendees I talked to
were clearly engaged in preparing for the New Zealand Privacy Bill, but at a
security conference covering data privacy this is probably to be expected. It’s
the people who don’t attend that are the challenge. Many companies may want to
comply and have a desire to sell and transact globally but are confused about
what they should comply with.
There are core principles for data privacy that are
common in the majority of the regulations and legislation:
· The reasons why personal information is collected, where it is collected
and how it is collected.
· How the personal information is protected from unauthorized access and
how the data is stored.
· The right for an individual to know what personal information is being
held about them.
· The ability to request the correction of inaccurate data and the right
to request data be deleted.
· Limitations on how organizations can use the information collected.
Unfortunately, the same core principles are not so
clear when it comes to security requirements, as some legislation details
specific requirements and other legislation only talks about “reasonable” security. Prior to the
CCPA taking effect in January, I co-authored a white paper that gives a view on what could be considered essential security
requirements. I recommend that any business collecting or storing data follows
the principles listed in the “ESET’s guide to reasonable security” section
of that white paper.