European Jurisdictions outside GDPR

European Jurisdictions with Lesser Known Internet Privacy Laws Outside of GDPR

Privacy has long been recognized as a fundamental human right in many societies. In this new age of global interconnectivity enabled by the Internet, a growing number of countries are regulating the massive collection of data about, and the privacy of, their residents.

The rules governing data privacy vary from one country to another. Some particular privacy laws are noted for their stringency or wide breadth of application to most businesses. While most are aware of the comprehensive privacy laws passed in the European Union (EU) and California state in the United States, many are unaware of other jurisdictions with privacy laws. For instance, the General Data Protection Regulation (GDPR) is not applicable law in all European countries. Some countries have implemented their own version of GDPR or have otherwise passed a data privacy law heavily based on GDPR principles.

The following are some European countries where the EU GDPR does not apply directly, but which nevertheless have a data privacy law in place:

United Kingdom

The United Kingdom is no longer a member of the European Union. It left the EU on December 31, 2020. The GDPR no longer applies domestically to the UK, as it had since May 2018, while the UK was still a member state.

While the GDPR has been repealed for the UK after Brexit, this does not mean that the UK no longer has a data privacy law. The UK has its version of the EU’s GDPR that took effect on January 31, 2020. It governs all personal data processing by individuals within the United Kingdom, along with the Data Protection Act of 2018 and the Privacy and Electronic Communications Regulations (PECR).

The EU has now classified the UK as a “third nation” outside the scope of GDPR, so transfers of data to the UK must be examined for legitimacy. However, the EU issued an adequacy decision for the UK on June 28, 2021. This decision maintains that personal data can continue to flow freely from the EU to the UK. The decision is limited to four years and will need to be renewed when it expires in June 2025.

Iceland

Iceland has had data privacy legislation in place for quite some time. Although it is not a member of the European Union, Iceland’s legislation has been updated to largely meet the GDPR’s standards, such that its citizens are likely to get the same degree of protection as their European counterparts.

To implement the GDPR, Act 80/2018 on Privacy and Processing of Personal Data (the “Act”) was passed by the Icelandic Parliament in July 2018. The Data Protection Authority oversees compliance by companies with the Act and looks for ways to improve data policies.

Norway

Norway is another country that values privacy. Like the UK and Iceland, Norway is not a member country of the EU, but a member state of the European Economic Area (EEA) where GDPR also has jurisdiction.

The GDPR was made part of Norwegian law in July 2018 by the Law on the Processing of Personal Data (Personal Data Act) of 15 June 2018.

The Norwegian Data Protection Authority (“Datatilsynet”) is an independent public authority that protects individual privacy. Datatilsynet enforces data protection regulations such as the Personal Data Act and holds organizations and others to comply with them. It can impose financial sanctions and penalties for non-compliant entities.

Switzerland

Switzerland has a well-deserved reputation for protecting the privacy of its residents’ information.

Switzerland protects its citizens’ privacy through its constitution and regulations. The Federal Act on Data Protection 1992 (FADP) was passed to protect people’s privacy. It prohibits the processing of personal data without consent from the person to whom it relates. These regulations are similar to GDPR and have been deemed adequate by the EU.

According to the FADP, personal data is protected and cannot be processed unless the data subject or the law allows it.

Final Thoughts

It is becoming more common for governments and business organizations to move services to the Internet to enhance efficiency and accessibility. However, these improvements will likely have a significant impact on data privacy.

More and more countries are passing some version of a comprehensive or omnibus data privacy law, while others have no such data privacy regulations. Although it is impossible to provide 100 percent security online, business owners can take initial steps to improve the secure collection and processing of information, such as first determining which laws may apply to them.

Checklist for GDPR Compliance

US Businesses’ Checklist for GDPR Compliance

General Data Protection Regulation (GDPR) is legislation that consists of one of the world’s strictest rules for personal data protection. If you’re a US-based business that does business with individuals in the European Union, you need to comply with this regulation. A checklist will be helpful to keep you on track!

GDPR

GDPR is a European Union data privacy law that mandates organizations to keep data safe. The regulation was implemented in May 2018. Moreover, the data privacy law allows people to have more control over how their data is used. Failure to comply with the law is subject to large fines. 

US Companies & GDPR Compliance

It’s easy to think that the GDPR law only applies in Europe. However, it applies to companies outside the EU as well due to its extra-territorial scope. 

Any company that collects personal data of people in the EU is required to comply with the GDPR. 

However, GDPR also recognizes that some non-EU companies work with EU citizens only on an incidental basis. Therefore, based on Recital 23, foreign companies are only required to comply with GDPR if they target EU residents with their marketing.

Collection of Personal Data

GDPR distinguishes two categories of entities that handle personal data:

  • Data controllers: A data controller is a public authority, individual, agency, or another body that determines the purpose and means of personal data processing. The controller is the one who decides how personal data will be processed. 
  • Data processor: A data processor is anyone or any organization or agency that processes personal data on behalf of the controller. In this case, they don’t make decisions about how personal data is handled. 

GDPR Compliance Checklist for US Companies

If you are a US-based company that deals with EU clients, having a GDPR checklist will help you stay on track with your GDPR compliance. That way, you can prevent large fines that can be detrimental to your finances. 

This checklist will help ensure GDPR compliance:

Information Audit for EU Personal Data

Determine what personal data you need to process and whether it belongs to people in the EU. If you find you process EU data information, determine which activities the information is related to, such as offering goods or services to data subjects regardless of whether connected to a payment. 

Let Your Clients Know

You need to let your clients know you’re processing their data, and the easiest way to do this is through consent. Keep in mind that relying on consent brings other duties with it. Furthermore, you also need to provide clear and transparent information about your activities to your data subjects, which involves updating your privacy policy.

Evaluate Your Data Processing Activities

When you evaluate your data processing activities, you’ll be able to understand the security and privacy risks of the data you process. Through this, you can implement ways to mitigate the risks.

Improve Your Protection

When you have determined your data processing activities, it’s time to start implementing data security practices, like end-to-end encryption, that will help limit your exposure to data breaches. 

Have a Data Processing Agreement with Your Vendors

You are accountable for your third-party vendors should they violate their GDPR obligations. Therefore, a data processing agreement between you and your vendors is crucial. The agreement must detail the rights and responsibilities of each party.

Have a Representative in the European Union

Non-EU organizations must appoint a representative based in one of the EU member states. On the other hand, you won’t need a representative if your processing is only occasional, does not take place on a large scale, and is unlikely to risk the rights and freedoms of natural persons.

If you need a representative, the representative will act on your behalf and may be addressed by any supervisory authority. Keep in mind that a representative doesn’t affect your responsibility or your liability. 

Some of the tasks of the representative include cooperating with the supervisory authorities regarding actions taken to ensure compliance with GDPR. 

Have a Plan If There’s a Data Breach

Having a proper plan in place if there’s a data breach is crucial. Hackers are all over the internet, and a minor vulnerability can lead to a breach that affects your GDPR compliance. Don’t let this happen to you: include breach planning in your checklist to ensure you’re prepared should anything go wrong.

Complying with GDPR may seem like another tedious task you need to do. Instead of looking at it that way, consider it an opportunity to strengthen your relationship with your customers. Moreover, being GDPR-compliant can prepare you for regulations in other countries, like Japan, Brazil, and South Korea.

Other Tips To Be GDPR-Compliant

Your GDPR compliance must be taken seriously. It’s essential you know all the data you collect and how it flows through your internal systems. You should remember that IP addresses are classified as personal data as well. So, if you’re unsure whether the IP addresses you collect are personal data, refer to the supervisory authority in the relevant EU state to be sure.

Another thing to help you be GDPR compliant is to have a Data Register, which is a comprehensive record of how your company is practicing GDPR compliance. The data register should map the flow of data through the company, and the more detail it contains, the better. In the event of an audit, your data register can be used as proof of compliance. Furthermore, if you suffer a data breach, the data register can be used as proof of progress towards improved data security.

Speaking of data breaches, you should report them immediately, as this is also a mandatory GDPR requirement. Data processors should report data breaches to controllers, and the controllers will be the ones to report to a supervisory authority.

It’s crucial you evaluate your data collection requirements as well. Make sure you are gathering only the data you need, because acquiring sensitive data without good reason can be an alarm bell for the supervisory authority.

Be GDPR Compliant Today

If you are a US business owner who does business with individuals in the EU and you haven’t worked on your GDPR compliance yet, it’s time to do so before you face big penalties. Use this checklist to help you out.

GDPR Enforced In The US

How Will GDPR Be Enforced In The US

The General Data Protection Regulation (GDPR) is a law that protects the privacy of most Europeans. The GDPR protects in part by imposing limitations on the free movement of personal data between the European Union (EU) and other countries. It took effect in May 2018.

This ground-breaking data protection and privacy regulation reaches well beyond the European Union’s physical borders. It requires companies based outside of the EU to safeguard the personal data of people in the EU.

Extra-Territorial Scope of GDPR

The GDPR’s scope goes beyond the boundaries of the EU. That means that websites outside the EU that handle personal data about EU citizens are also obliged to comply with the GDPR’s requirements.

The text of the General Data Protection Regulation (GDPR) provides an essential compliance checklist that companies should follow if they are subject to GDPR. This “checklist” contains particular requirements that are unique to countries outside of the EU, such as American companies and organizations.

You may be wondering how the laws of the European Union might be enforced in an area over which the EU supervisory authorities have no jurisdiction. The reality is complicated, but in short, there are avenues by which United States (US) courts might enforce agreements referencing GDPR and apply guidance of the EU Commission or EU supervisory authorities.

Enforcement of GDPR in the US

The General Data Protection Regulation (GDPR) is being implemented in the EU and EEA by the many supervisory authorities situated across the region. The GDPR does, however, apply to companies situated outside of Europe.

Businesses subject to GDPR that do not have a physical presence or establishment in any EU member-states may need to have a physical representative located inside the region to comply with the GDPR. For those who have violated the General Data Protection Regulation, EU supervisory authorities may address this representative for complaints or for levying fines.

EU enforcement agencies may take disciplinary actions against those who violate the rules. These organizations are likely to get support from government officials in the country where the company is based. Noncompliance may be pursued by EU enforcement agencies, especially against multinational or large corporations, through stop-processing orders or regulatory investigations. Furthermore, EU data protection authorities may fine companies that continue to do business with US organizations that violate GDPR, effectively preventing US companies from getting customers in the EU.

Finally, EU and US companies may pursue US companies for breach of contract if GDPR compliance is written into the underlying agreement. These contractual claims may be adjudicated in US courts, depending on the contract, even if they relate to EU compliance.

GDPR and US-EU Data Sharing

The General Data Protection Regulation (GDPR) defines, in Article 45, the circumstances under which personal data may be transferred outside of the EU. It states that data transfers beyond the EU are permitted if the receiving country has an adequacy agreement with the EU. It is also applicable if the data processor or controller demonstrates an adequate level of data privacy safeguards inside the EU. The EU previously acknowledged the EU-US Privacy Shield as an acceptable mechanism for transfer; however, with the recent “Schrems II” decision from the Court of Justice of the European Union, the Privacy Shield framework has been invalidated for data transfers.

Since the US as a whole does not feature on the European Union’s list of countries with a sufficient level of data protection law, businesses should consult with their privacy counsel as to the best alternative mechanisms for international data transfers.

GDPR Compliance Requirements for US Companies

Any US company obliged to comply with the GDPR may be subject to the same strict requirements as companies located in the EU.

Suppose your website collects or processes personally identifiable information (PII) of EU citizens. In that case, you should do so based on a lawful basis. The following is a checklist that companies in the United States may use as a starting point toward compliance with the General Data Protection Regulation, subject to the advice of their local privacy counsel:

  • Identify and appoint a data protection officer to oversee the processing of EU personal data;
  • Inform your customers about the reasons for which you are processing their data;
  • Make sure you have a data processing agreement in place with your suppliers;
  • Evaluate your data processing operations and improve the level of protection;
  • Determine what to do in the case of a data breach in your organization;
  • Comply with all applicable rules governing cross-border data transfers; and
  • Designate a representative in the European Union.

With the GDPR compliance checklist and retention of local privacy counsel, you may be able to mitigate the risk of enforcement actions brought by EU regulatory authorities. Moreover, a consent management platform (often referred to as a CMP) may help you make your website GDPR compliant.

GDPR Fines for US Companies

The General Data Protection Regulation (GDPR) has significant enforcement penalties to incentivize compliance. There is the possibility of substantial fines for noncompliance with the law, which may reach 4 percent of global sales or €20 million, depending on the severity and circumstances of the violation.

As reported by the US International Trade Commission, since May 2018, data protection authorities in EU member states have collectively penalized US companies for more than $417 million under the General Data Protection Regulation (GDPR).

Conclusion

The General Data Protection Regulation (GDPR) is applicable based on the location of the data subject when their data is processed, not on their citizenship or country. Any company in the United States that provides services or monitors customers in the European Union (EU) should determine their obligations under GDPR, if any apply, and how to comply with the GDPR.

All companies based in the United States should work toward complying with the guidelines of GDPR, if they are subject to it. This is not just to protect the data being transferred and to avoid being fined, but also to protect the integrity of the companies, and of the US, in dealing with data protection.

Learn more about the General Data Protection Regulation (GDPR) implications for your business’s marketing strategies. Metaverse Law specializes in data privacy, data protection, and cybersecurity laws. It continues to provide practical solutions for today’s online businesses, including GDPR compliance. To learn more about our services, please contact us now!


Why Every CIO Should Have a Cybersecurity Attorney

Every day, the digital world expands by leaps and bounds, and someone could be taking advantage of your company’s information to commit illegal or unethical actions. Today, many crooks are using the Internet to disguise their identity. It can be challenging to protect your company from outside attacks. A high-quality cyber lawyer has the experience to advise businesses as to the reasonable steps to take to avoid becoming a victim and to be protected from within.

Differentiating technical specialists from those responsible for legal responsibilities and hazards enables businesses to create more effective breach response strategies. Understanding the function of a third-party cybersecurity company can aid in this process.

Cybersecurity has always been one of the primary concerns of chief information officers (CIOs). Since the number of high-profile hacks seems to increase month after month, security is plaguing Information Technology (IT) executives throughout the workday.

What is a CIO?

The Chief Information Officer, known as the CIO, holds the top technical position within a given organization. A CIO is responsible for managing, implementing, and using information and computer technologies. Because technology is increasing and reshaping industries globally, the role of the CIO has increased in popularity and importance.

The CIO analyzes how various technologies benefit the company or improve an existing business process and then integrates a system to realize that benefit or improvement.

This person makes crucial business decisions concerning the organization’s technological strategy and interfaces with other C-level executives to communicate needs, processes, and progress. One role of the CIO is to provide an executive-level interface between the technology department and the rest of the business.

What is a Cyber Security Attorney?

Cybersecurity attorneys typically advise on implementing strategies to meet state, federal, and international legal requirements. They may also represent clients before regulatory bodies and serve as the quarterback and crisis manager during incident response to mitigate loss and guide the organization toward compliance with the law.

A cybersecurity attorney must be knowledgeable about the fundamental cybersecurity laws in order to contribute effectively to the company’s operations. These laws include:

  • Electronic Communications Privacy Act
  • Homeland Security Act
  • Cybersecurity Information Sharing Act of 2015
  • Federal Trade Commission Act
  • laws on data breach notification
  • applicable sector-specific state and federal laws

Additionally, the cybersecurity attorney must have a firm grasp of, or at the very least be familiar with, privacy legislation. Privacy regimes set obligations to enhance data security, since security is necessary for data to stay private.

A cybersecurity attorney should be bilingual in both legal and technological language. Oftentimes, a critical function of such an attorney is to convert legal requirements into design requirements and comprehend technical specifics. As a result, the attorney must grasp the fundamentals of technology or possess a genuine interest and desire to study.

Cyber Security Attorney as a Need

When you don’t have an experienced professional to help protect your company from an inside attack, you subject your operations to a higher level of risk. It’s better to hire a specialist today than at the moment you find out you’ve been compromised.

Many crooks rely on attacks from abroad to gain access to U.S. corporations. Law firms with a reputation for solid cybercrime protection have the upper hand when defending their clients. It is why every CIO should have a comprehensive cyber defense attorney to advise them. When it comes to demonstrating in court that a corporation’s security has been compromised despite implementing reasonable security controls, a professional cyber law firm is more likely to be able to fight back and win. If a cyber crimes attorney does not represent you, you may never know.

A skilled cybercrime attorney can help CIOs get that understanding. They are more likely to know what to ask in court and potentially defeat the government’s case against the company. It can be an expensive process to fight a cyber case. However, the outcome could mean the difference between accepting a settlement or paying big money to defend against an action. Every CIO needs to make sure their law firm is fully staffed to handle cyber cases. The best ones will be located in cities with thriving cybercrime defense attorneys.

The Internet has created a world where criminals can create a fake Twitter account to impersonate a famous person. They can use burner accounts to send emails to spammers. There are even some who use false identity information to try to trick people into opening bank accounts or PayPal accounts under false pretenses. An experienced law firm can make these and other cases stick. When cases do make it through the system, the attorney representing the company will know when they have a winning situation.

A good CIO will be aware of the need for an experienced lawyer who can work on cyber cases. Because cyber crimes often involve stealing information, the information may need to be presented as evidence in court. It may mean the company’s entire network should be checked, from top to bottom and back up. In this kind of scenario, an ounce of prevention is worth a pound of cure. Any company that fails to put in the necessary time and resources to protect itself is putting itself at risk of getting sued.

For a cyber law firm to win its cases, it must also put its client’s interests on the same level as its own. Any information that is stolen or misused needs to be appropriately represented. That means management must train every employee in how to handle documents sent over the Internet and stored on the company’s computer systems. A good lawyer will also work closely with the IT department to stop any unauthorized access to the company’s computers.

When a CEO realizes that they may be subjecting their company to cyberattacks, the company’s CIO and cybersecurity attorney should help them out. Law firms should work hard to track down every instance of cybercrime for which they are liable, not just the common ones. Every person should know how to prepare defenses in cyber cases. Every business should have an IT department that can track down any attacks when they do happen.

To know what you need for your cybersecurity attorney, contact Metaverse Law today and learn more.


Data Privacy Matters

How Will GDPR Affect Business Marketing Approaches in The Digital Age

The General Data Protection Regulation (GDPR) has approaches that impact today’s marketing strategies. With the increasing interplay between internal and external regulation and increasingly intrusive practices by law enforcement authorities, digital marketing’s future may involve significant changes. At the same time, the European Union (EU) is making efforts to strengthen its regulatory regime and pass several laws to improve its relationship with the US. It is essential to consider the potential social, political, and legal impact of GDPR on your business. Furthermore, certain restrictions dictate the way companies can conduct their business online. Given all this, it is clear that if you want to continue to enjoy the benefits of doing business online within the EU, you need to be fully aware of the implications of GDPR and how it impacts your marketing techniques.

What is GDPR? 

The GDPR is a set of rules developed by the European Commission to enable citizens to have more control over personal data. Several reforms are created to prepare regulations, laws, and obligations of data privacy and consent involving individuals, businesses, and entities. Some of these regulations cover consumer credit, advertising, information protection, payment data transfer and schemes, and more. 

This framework sets out general guidelines for ensuring the protection of personal information. In particular, GDPR protects against the unnecessary, unethical, and illegal use of personal data. However, it is essential to note that GDPR addresses different aspects of the whole regulatory framework, which means that every reform is examined separately for its relevance and applicability.

Regulation on personal information processing is vital to the reforms related to the GDPR’s subject matter. It sets out the rules and procedures that ensure personal information processing occurs within the Commission’s data protection frameworks.

This regulation aims to protect individuals from unfair and unwarranted discrimination when taking up jobs, accessing services, performing online transactions, and other related digital activities. It covers the unwarranted use of collected data for criminal prosecution and employee protection from unfair dismissal and other workers’ compensation claims. The security requirements defend corporate clients and enterprises from data protection risks and ensure that their companies comply with the principles laid down in the GDPR. All these aims are governed through the various bodies that constitute the Commission’s regulatory bodies and state data protection agencies.

What is GDPR compliance? 

GDPR compliance involves ensuring the legal process of data collection, processing, and maintenance.

All entities under the GDPR scope, digital-based or not, will have to comply with this particular regulation. It requires companies to take necessary measures and create protocols to protect the personal data of the organization, employees, and clients involved for their legitimate purposes, or other lawful bases, in line with the EU data protection regulation and directives. 

Several regulations are addressed in the GDPR. You need to keep in mind that all organizations and their processors and controllers are obliged to ensure they do not breach any of the provisions within the regulation and prepare measures that they can take to protect their users.

Controllers

Under Article 4, section 7 of the General Data Protection Regulation, “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

Processors

Under Article 4, section 8 of the General Data Protection Regulation, “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

How Will GDPR Affect Business Marketing

The main aim of GDPR is to ensure that unauthorized third parties cannot misuse all personal information kept by company processors and controllers. For instance, organizations must ensure that they inform their clients about the procedures they follow to process their data, the additional risks they face if they fail to comply with the regulations, and how they can benefit from it. The regulation also addresses how companies and controllers can implement suitable systems to handle their clients’ data according to the different regulations. With all these in mind, it’s clear that understanding the GDPR compliance requirements is vital for those within the scope to stay in business.

Who does GDPR apply to?

The EU General Data Protection Regulation (GDPR) has implications for many organizations, particularly those controlling or processing personal information in the European Union or EU data subjects.

The compliance scope includes regulations in data processing for direct marketing purposes by the companies’ advertising agencies through telemarketing and other means and using data to generate ad campaigns. 

Application of the GDPR to Organizations

The GDPR will apply to the personal data processing by organizations established in the EU, regardless of where the data processing transpires. It will also apply to the personal data processing by organizations that control or process data in connection with (1) offering goods or services (with or without charge) to, or (2) monitoring individuals in the EU.

Data Consent According to the GDPR

Under the GDPR, controllers or processors can process personal data in specific limited, designated circumstances with consent. There are particular requirements of valid consent provided by the GDPR:

  • Children under 16 will require parental guidance and permission in giving consent.
  • Consent must be a voluntarily given, specific, informed, and unambiguous indication through a statement or clear affirmative action.
  • Consent must be just as easy to withdraw as it is to provide.

How GDPR Affects Marketing


Many businesses are scrambling to prepare and implement effective marketing strategies that comply with the GDPR. In our internet-connected age, most of them require digital marketing efforts while also needing to maintain identity, privacy, and reputation protection. Therefore, many companies have already begun to prepare their plans to ensure they comply.

Marketing significantly involves data collection. Without data gathering and collection practices, marketers can’t do much work achieving advertising goals. 

For marketing strategies to work in compliance with the GDPR, organizations need to follow six elements of data processing:

  1. Rights of Individuals
  2. Right to be Informed
  3. Right to Erasure (“Right to be Forgotten”)
  4. Data Protection Officer (DPO)
  5. Obligations on data processors
  6. Data Protection Impact Assessment

To all ends, you need to seek consent for all data you need to collect from audiences or individuals, or find another legal basis for processing, and provide necessary information on how you intend to use such data for your marketing purposes. Unsolicited data and communications are strictly against the GDPR when applied to the marketing landscape, unless you can show that you fall within an exception.

Learn more about the General Data Protection Regulation (GDPR) applications for your business marketing approaches. Metaverse Law focuses exclusively on privacy, data protection, and cybersecurity law with practical solutions for today’s online businesses, including GDPR compliance. Visit us here to inquire about our services!