Data security laws loom over the globe: What you need to know

With new privacy laws coming into effect in China and California, you may soon be longing for the carefree days when the European Union's (EU) General Data Protection Regulation (GDPR) was your major compliance headache.

Although China’s Personal Information Security Specification ("the Specification") and the California Consumer Privacy Act (CCPA) are both described as "GDPR-like," there are significant differences, including the "Right to Equal Service" for data subjects who opt out of data collection, and the broader definitions of "personal information" in the new regulations.

Even if your business is fully compliant with the GDPR you will have to make changes if you fall within the scope of these regulations. For example, if you do business in China or the United States, you probably have personal information about Chinese citizens or California residents, and you may have to comply with the new regulations.

Here's what your team needs to know.

The age of consent

The CCPA and the Chinese Specification both detail requirements for disclosure of collection, processing, sharing and use of personal information, and obtaining consent from data subjects. The requirements are similar to the GDPR, but differ in some minor details. California, for example, requires that businesses provide toll-free telephone numbers residents can use to request copies of their data, or to request that data be amended or deleted.

There are also a few minor differences regarding consent. China requires businesses to obtain consent from the data subject before collecting, processing, or sharing personal information. California requires disclosure of what information you're collecting and what use you will make of it, at or before the point of collection, but it only requires prior consent if the data subject is a minor.

Opting for free service

California has also established a "Right to Equal Service" for those who choose to opt out of data collection, and China has a similar provision. This affects services like Gmail and Facebook, which fund free services for users by selling user data to advertisers. Under the CCPA, a service provider is not allowed to deny the service, charge a fee or higher price, or provide a different level of service to users who opt out. It does say that different prices or rates may be charged "if that difference is reasonably related to the value provided to the consumer by the consumer’s data."

China’s Specification has a similar requirement restricting an information controller's right to refuse to provide service. This requirement makes a distinction between core business functions and ancillary functions. Information controllers may decline to provide ancillary functions if a data subject opts out of providing personal information, but they must continue to provide core functions as long as the data subject provides the information needed for just those core functions.

It is difficult to predict how this will work in practice. That depends on how many California residents and Chinese natives choose to opt out of the data collection, and how that affects businesses that rely on revenue generated from data collection and analysis.

Sniffing out personal information

The biggest problem with the new regulations, though, is that the EU, California, and China all define sensitive personal information differently. The combined definitions are so broad that data controllers may need to encrypt or otherwise protect every piece of information they learn or infer about a data subject.

The GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

The CCPA says personal data is "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

And the Chinese Specification defines "personal information" as "a variety of information recorded by electronic or other means that can be identified individually or in combination with other information to identify a particular natural person's identity or reflect a particular natural person's activity."

China further defines sensitive personal information as "any personal information which, if lost or misused, is capable of endangering persons or property, easily harming personal reputation and mental and physical health, or leading to discriminatory treatment." China places more stringent controls and greater restrictions on this category of information.

What qualifies as personal

Each authority has helpfully provided examples of the types of information that it considers personal information. They range from the obvious, such as name and address, to household information, contact lists, physical descriptions, and olfactory information (smells).

Even if a piece of information, such as a zip code, can't uniquely identify an individual on its own, it must be protected if it can uniquely identify an individual when combined with other information.

Unfortunately, it takes very few pieces of information to uniquely identify an individual. One researcher showed that 87% of individuals in the U.S. can be uniquely identified by the combination of their 5-digit zip code, gender, and date of birth. This means that almost any information about a person is likely to be considered personal information under one regulation or another, and will need to be protected.

It's anything but simple

You might have hoped the GDPR would simplify compliance, but that's unlikely. Each new regulation seems to add different procedures, new rights, and broader definitions of personal information, which means compliance will only become more difficult.

For now, it looks as if you should plan to disclose all data collection, encrypt every scrap you collect, and use the data in ways that benefit the data subjects enough that they will consent to its collection.