Data Privacy in Europe and North America: An Introduction

24 Oct 2023

Governments across the world are scrambling to respond to the growing number of data breaches by passing legislation that strengthens consumer data privacy protections and aims to prevent criminals from harvesting personal information. Investigate the scope of these laws in our introduction to data privacy in the European Union and North America.

Cyber-attacks, and data theft in particular, are on the rise. Industry research put the number of cyber-attacks in 2022 at 38% above the previous year, with organizations experiencing an average of 1,168 attacks per week in the fourth quarter, the highest figure on record.

The same researchers expect attack volume to keep climbing in 2023 as generative AI tools such as ChatGPT lower the cost of producing convincing phishing lures and working malicious code. Quantum computing is a longer-term concern: its main security impact is the threat it poses to the public-key cryptography that protects personal data in transit and at rest, which is why regulators and standards bodies are already pushing migration to post-quantum algorithms.

Governments have responded to the growing cyber threat by passing international, national, and local legislation designed to improve consumer data privacy protections and prevent cyber criminals from harvesting data.

Canada, Mexico, and the European Union (EU) are three leaders in the data protection space. Each has passed a comprehensive data privacy law that places the individual at the center of information security. The United States, by contrast, relies on a sector-specific patchwork of federal statutes supplemented by state laws.

This article will provide organizations with a brief overview of data privacy legislation in North America and Europe, as well as common data privacy themes found in all of these laws.

Common Data Privacy Themes

The most common form of regulated data is consumer information, called personally identifiable information (PII) in the cybersecurity world. It includes:

  • Social security numbers
  • Driver’s license numbers
  • Medical files
  • Financial information
  • Criminal history
  • Geographic location
  • Login credentials

Attackers target PII because it lets them open lines of credit in a victim's name, take over user accounts, make fraudulent online purchases, extort victims with embarrassing information, and lock users out of their own accounts. Criminal groups also hold stolen PII hostage to blackmail breached organizations and sell it to other criminals on dark web markets.

Organizations have a legal responsibility to safeguard any data that can be used to identify an individual, directly or indirectly. Failure to adequately protect consumer PII can result in public embarrassment, large fines, and regulatory investigations.

Most data privacy laws also call out consumer financial data by name, because bad actors can turn this information into profit quickly. That economic incentive makes every form of consumer and business transaction an attractive target. Criminals are mostly after credit and debit card details and bank account numbers, which can be used to withdraw or transfer money to outside accounts, make online purchases, or be sold to the highest bidder. This is why the US, Canada, Mexico, and the European Union each treat financial information as a critical category of protected consumer data.

Key Government Regulations – Europe and North America

Canada and the European Union (EU) are leaders in the consumer data privacy space. Both governments have passed stringent laws that require robust information security from private sector companies and levy huge fines against businesses that fail to adequately secure data.

International organizations and companies doing business in the EU or Canada must develop legal data privacy policies, safeguard data using approved principles, and create internal systems to prevent data breaches that can expose consumer information.

Mexico also has strong data privacy protections on the books, including sections of the Mexican Constitution and national data privacy legislation governing cybersecurity protections in the private sector.

In the United States, data privacy is governed by a patchwork of sector-specific federal laws, with states such as California passing their own comprehensive privacy laws that demand compliance as well. Organizations operating within the United States, and particularly those that serve as vendors to the federal government, must follow these laws carefully to avoid legal and financial sanctions. Read the QD5 guide to data privacy laws in North America and the European Union to learn how to navigate this patchwork of legislation.

United States of America

Federal Information Security Management Act

The Federal Information Security Management Act of 2002 (FISMA) created a set of cyber security requirements for American federal agencies. The law requires federal agencies, and contractors that operate information systems on their behalf, to develop and implement an agency-wide information security program and to follow guidance issued by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST).

FISMA is the reason NIST publishes the Federal Information Processing Standards (FIPS 199 and FIPS 200), the SP 800-53 security and privacy control catalog, and the Risk Management Framework (SP 800-37). The better-known NIST Cybersecurity Framework (2014, issued under a separate executive order) and NIST's Zero Trust Architecture (SP 800-207, 2020) are not FISMA products, but all of these documents have become standard references in both public and private sector security programs.

In 2014, Congress passed the Federal Information Security Modernization Act of 2014 (FISMA 2014), which updated the original law, clarified OMB's oversight role, gave the Department of Homeland Security operational responsibility for agency security, and tightened incident reporting. Federal agencies and their contractors must meet the following requirements to stay compliant:

  • Maintain an inventory of information systems and their interfaces
  • Categorize information and systems by impact level (low, moderate, high) using FIPS 199
  • Implement the minimum security requirements defined in FIPS 200, selecting controls from NIST SP 800-53
  • Conduct regular risk assessments to identify threats, following NIST SP 800-30
  • Develop and maintain a System Security Plan using NIST SP 800-18
  • Obtain and maintain an authorization to operate (ATO) under the Risk Management Framework (NIST SP 800-37), the successor to the older certification and accreditation process, and report annually to OMB
  • Continuously monitor security controls (NIST SP 800-137) and keep documentation current

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the protection of protected health information (PHI) in the American healthcare industry. Covered entities (health plans, healthcare providers, and healthcare clearinghouses) and the business associates that handle PHI on their behalf must follow its data stewardship rules.

Data privacy protections in HIPAA are set out in the Privacy Rule, which governs "individually identifiable health information," also known as PHI. This includes medical conditions and diagnoses, the healthcare services provided during treatment, and payment information tied to that care. Providers must also give patients a Notice of Privacy Practices describing how their information is used and shared.

The companion Security Rule requires covered entities to implement administrative, physical, and technical safeguards for electronic PHI (ePHI): risk analysis, workforce training, access controls and unique user IDs, audit logging, encryption of ePHI where reasonable and appropriate, and physical protection of records, file cabinets, and devices. NIST SP 800-66 maps these requirements to concrete controls. Failure to properly handle and secure confidential medical information can result in civil penalties and corrective action plans. Individuals who knowingly obtain or disclose individually identifiable health information may face criminal penalties as well.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, governs data privacy in the United States financial services industry.

The law requires companies that offer consumers financial products or services, such as bank accounts, loans, investment services, and insurance, to disclose their data handling practices to consumers.

The law's Financial Privacy Rule and Safeguards Rule require financial institutions to protect the security, confidentiality, and integrity of nonpublic personal information (NPI) collected on customers and consumers (two distinct categories in the GLBA) in the course of business.

To be compliant, financial institutions must publish a privacy notice that describes how they collect, share, and protect personal data. They must also give customers a simple way to opt out of data sharing with nonaffiliated third parties. Finally, the Safeguards Rule requires a written information security program that designates a qualified individual to run it, is based on a written risk assessment, and includes employee training, access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, and regular testing of controls (the FTC's amended Safeguards Rule calls for annual penetration testing and semiannual vulnerability assessments).

California Consumer Privacy Act – California

While most data privacy regulations are national, the US state of California is also a pioneer in data privacy protection.

The California Consumer Privacy Act (CCPA) and the subsequent ballot initiative, the California Privacy Rights Act (CPRA), sometimes called CCPA 2.0, lay out a set of strict standards for businesses that collect Californians' personal information and meet one of the law's thresholds (annual revenue above $25 million, personal information of 100,000 or more consumers or households, or 50% or more of revenue derived from selling or sharing personal information). The CPRA also created a dedicated enforcement body, the California Privacy Protection Agency.

The CCPA has been in force since January 1, 2020, and the CPRA's amendments became operative on January 1, 2023.

Because California is home to Silicon Valley and roughly 39 million residents, the CCPA is one of the few state privacy laws that enjoys widespread compliance. Companies with a significant consumer base in the United States should follow the CCPA and CPRA to ensure compliance and avoid fines.

In addition to requiring businesses to implement reasonable security for personal data, the laws give California consumers enforceable rights over their data. These include the rights to:

  • Know what personal information is collected and access it
  • Have personal data deleted
  • Correct inaccurate personal information (added by the CPRA)
  • Opt out of the sale or sharing of their data
  • Limit the use of sensitive personal information (added by the CPRA)
  • Nondiscrimination for exercising these rights
  • Data portability

Failure to comply with the CCPA and CPRA can result in significant penalties: up to $2,500 for each unintentional violation and $7,500 for each intentional violation or violation involving the data of consumers under 16.

Canada

Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs data privacy protections in Canada's private sector. It sets strict requirements for the collection, use, and disclosure of personal information in the course of commercial activity. Organizations must also follow the ten Fair Information Principles set out in Schedule 1 of the Act.

Under the PIPEDA, personal information includes:

  • Age, birth date, and name
  • Financial, credit history, and loan information
  • Blood type and DNA
  • Marital status
  • Medical, education, and employment data
  • Driver's license or Social Insurance Numbers
  • Political opinions, assessments, and criminal records

PIPEDA applies to any organization, domestic or foreign, that collects, uses, or discloses the personal information of Canadian residents in the course of "commercial activity," not just organizations based in the country.

Quebec, Alberta, and British Columbia have their own private-sector privacy laws that the federal government has deemed substantially similar to PIPEDA, so PIPEDA does not apply to organizations' activities that take place entirely within those provinces. PIPEDA still applies there to federally regulated businesses (banks, telecommunications carriers, airlines) and to personal information that crosses provincial or national borders.

To comply with PIPEDA, organizations must obtain meaningful consent before collecting, using, or disclosing an individual's information. Express consent is required for sensitive information, while implied consent can be acceptable for non-sensitive information when the purpose is obvious; in either case, individuals must be told clearly what is collected and how it will be used, and they have the right to access the information held about them and to challenge its accuracy.

Failure to comply with PIPEDA, or to adequately protect sensitive data, can result in investigations and findings by the Office of the Privacy Commissioner of Canada, Federal Court orders, and fines of up to C$100,000 for specified offences such as failing to report a breach. Proposed federal legislation (Bill C-27, the Consumer Privacy Protection Act) would raise these penalties substantially.

Mexico

Data privacy in Mexico is governed under two legal frameworks: the Mexican Constitution and the Federal Law for the Protection of Personal Data Held by Private Parties (FLPPDHPP, known in Spanish as the LFPDPPP).

Within the Political Constitution of the United Mexican States, Article 16 states:

All people have the right to enjoy protection of their personal data, and to access, correct, and cancel such data. All people have the right to oppose the disclosure of their data, according to the law.

Political Constitution of the United Mexican States

The inclusion of these personal data protections in the national constitution makes Mexico a leader in the field of data privacy and relatively rare in the world: in most countries, data privacy protections are the product of ordinary legislation rather than an explicit constitutional right, the EU Charter of Fundamental Rights (Article 8) being the other prominent exception.

The Mexican government extended these data privacy protections with the passage of the FLPPDHPP, enacted in July 2010, with its implementing regulations following in December 2011. The federal legislation governs the collection, storage, and use of personal data by private parties (with an exemption for credit reporting companies, which are regulated under their own law).

In particular, the law restricts the collection of "sensitive personal data," defined as information "which may reveal items such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political views, sexual preferences."

Data controllers, or those who determine how data is processed and used, must follow the following principles:

  • Legality
  • Consent
  • Notice
  • Quality
  • Purpose
  • Fidelity (loyalty)
  • Proportionality, and
  • Accountability under the Law

The legislation also requires data controllers to honor individuals' "reasonable expectation of privacy" and to provide a privacy notice to anyone visiting their website or using their service before collecting data. Note that the law does not require affirmative consent for ordinary personal data: tacit consent is sufficient when the individual has received the privacy notice and does not object. Financial and asset data require express consent, and sensitive personal data requires express written consent (a signature, electronic signature, or equivalent authentication).

The National Institute of Transparency, Access to Information and Personal Data Protection (INAI) is charged with enforcing these legislative requirements, including investigating compliance, levying fines and regulatory penalties, and advising private organizations on how to improve their data privacy protections. 

The European Union

General Data Protection Regulation

The EU's General Data Protection Regulation (GDPR) was adopted in April 2016 and has applied since May 25, 2018. The GDPR lays out a series of security and data handling requirements for all organizations that process the personal data of people in the EU.

The regulation applies regardless of where the organization is physically located. A business with no EU presence is still subject to the GDPR if it offers goods or services to people in the EU or monitors their behaviour, for example by tracking and analyzing European visitors to its website, and it may be fined if it fails to comply.

The GDPR governs how companies handle personal data, which includes any information that can be used to identify an individual consumer directly or indirectly. This data includes location data, email addresses, ethnicity, gender, web cookies, and even biometric data. 

It also demands that companies operate according to the following “protection and accountability principles”:

  • Lawfulness, fairness, and transparency – All processing must rest on one of the legal bases in Article 6 (such as consent, contract, or legitimate interest) and be transparent to the data subject.
  • Purpose limitation – Data may only be collected for specified, legitimate purposes and may not be processed in ways incompatible with those purposes.
  • Data minimization – Organizations must collect and retain only the personal data that is adequate, relevant, and necessary for those purposes.
  • Accuracy – Organizations must keep personal data accurate and up to date, and correct or erase inaccurate data.
  • Storage limitation – Personal data may be kept in identifiable form only for as long as necessary, as set out in the organization's retention policy.
  • Integrity and confidentiality – Personal data must be processed with appropriate security, including protection against unauthorized access, loss, or destruction (Article 32 names measures such as encryption, pseudonymization, and regular testing of controls).
  • Accountability – The data controller must be able to demonstrate compliance with all of the above to the supervisory authority on request, for example through records of processing, data protection impact assessments, and a designated data protection officer where one is required.

Failure to meet GDPR requirements can result in administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, along with orders to suspend processing. EU supervisory authorities have enforced the regulation aggressively: in May 2023 the Irish Data Protection Commission fined Meta (Facebook) €1.2 billion (about $1.3 billion) over transfers of EU user data to the United States, the largest fine in GDPR history.

Looking Forward

Data privacy laws will continue to expand as the number of cyber threats rises and emerging technologies, such as advanced AI and quantum computing, mature. National and local governments are responding to this landscape by passing laws, such as the GDPR and PIPEDA, that protect individuals' right to data privacy and levy large fines against companies that fail to safeguard data.

Organizations can protect their reputation, prevent data breaches, and get ahead of legislative change by building the common requirements of these laws (data minimization, documented retention limits, access control, encryption, and tested incident response) into their systems proactively, rather than retrofitting them after a breach or an audit.