The United States does not have comprehensive federal privacy legislation with a private right of action. Rather, a patchwork of federal and state sectoral laws regulates the collection, processing, disclosure, and security of PI depending on the industry of the organization, the nature of the data in question, and other criteria. The net effect of this patchwork system is that data privacy and biometric litigation is constantly in a state of flux. Click through for an overview of privacy and biometric litigation in the US. Our data privacy and cybersecurity litigators stay abreast of these developments, for a complete understanding of the most up-to-date arguments and strategies to defeat data privacy and biometric class actions and related disputes.
Privacy – US
The US lacks an omnibus data protection regime, and data privacy and security law in the US is a patchwork of federal and state laws, regulations, and industry self-regulatory programs, enforced by a myriad of authorities and organizations. Data privacy and security is increasingly regulated in the US, with several new paradigm-shifting state laws having recently gone into effect, or to become effective in 2013. Click through for an overview of data regulation in the US. The US team of our Global Data Practice helps clients understand the evolving legal landscape, develop and operationalize information governance, risk and compliance programs, and protect and maximize the value of their data and digital assets.
Privacy – Europe
In the European Union (EU), the legal framework for privacy and data protection centers around the General Data Protection Regulation (GDPR) and the Directive on Privacy and Electronic Communications (ePrivacy Directive, also known as the “Cookie Directive”).
Both the GDPR and the ePrivacy Directive (as implemented at national level) apply to the European Economic Area (EEA), which includes all 27 EU Member States, as well as Iceland, Liechtenstein and Norway.
Please note that although the GDPR and ePrivacy Directive do not apply in Switzerland, Swiss laws are in the process of being harmonized with the legislative requirements of the GDPR and the ePrivacy Directive.
Following the UK’s departure from the EU, the GDPR has been transposed into UK law (please see ‘UK GDPR’ below). The UK has additionally transposed the Privacy and Electronic Communications Regulations (PECR) into UK law. While the obligations stemming from the GDPR and UK GDPR are nearly identical, it remains to be seen whether the UK will eventually deviate from the EU data protection rulebook to pursue its own regulatory path.
Privacy – Asia-Pacific
The challenge for anyone doing business in the Asia-Pacific region is the ever-expanding number of countries initiating data privacy/cybersecurity requirements in the region, some with significant penalties for failure to comply. It would be one thing if they lined up to the GDPR perfectly, but each seems to have its own flavor, unique requirements and purpose. Several have pretty standard GDPR obligations, like data subject notifications, consent requirements, retention and security requirements. But several have unique applications, such as, to name a few:
- China’s lack of a ‘legitimate interest’ as a legal basis for processing, its much broader restrictions on moving data outside of China and its requirement to have a local Data Privacy Representative responsible for compliance with PRC laws;
- Japan’s heightened concerns over collection of national identification in contrast with easier ability to transfer to processors;
- Korea’s restrictions on moving data outside of Korea, as well as its 24-hour breach notification rules;
- The application of both Philippine and Vietnamese data privacy laws to the personal data of their respective citizens living abroad; and
- Each jurisdiction with its own definition of what is a data breach and when/if/to whom it is notifiable.
We have prepared a comparison of the regional data privacy/cybersecurity laws across a set of consistent categories, such as:
- Obligations on collecting/handling/transporting data;
- A data subject’s right to query/modify;
- Cross-border obligations;
- Breach notification requirements; and
We have also included whether a country allows discovery and/or class action litigation, as that can factor in risk considerations.