As a privacy attorney, I wish I had a dollar for every time someone told me they are fully compliant with all privacy laws because they have a GDPR-compliant Privacy Policy, they provide GDPR privacy rights to everyone, or they make sure their employees follow the GDPR rules for processing personal data. Since GDPR is one of the strictest privacy laws out there, many business owners assume that complying with GDPR automatically makes them compliant with every other privacy law. Unfortunately, this is simply not the case, because each privacy law differs in the privacy rights it grants, the Privacy Policy disclosures it requires, the obligations it places on businesses, and more. In this article, we will walk through some of these differences to show that compliance with GDPR does not equal compliance with all other privacy laws.
Why are privacy laws different?
Wouldn’t it be nice if there were only one worldwide privacy law? It would surely make everyone’s life much easier, so why doesn’t one exist? Like all other laws (e.g., consumer protection or contract law), privacy laws reflect the culture and values of each country. For example, the European Union treats privacy as a fundamental human right, whereas other countries, such as the United States, do not recognize it as such.
In addition, individuals in certain countries may be more worried about particular privacy harms than others. For example, US privacy laws regulate the sale of personal information while other countries do not, reflecting the fact that the sale of personal information is more pervasive in the United States than in other countries.
Lastly, the importance placed on privacy, and therefore the resources allocated to enforcing privacy law, differ as well. For example, the United Kingdom has established the UK Information Commissioner’s Office, a government agency dedicated specifically to privacy law enforcement. In the United States, on the other hand, privacy laws are usually enforced by State Attorneys General (and, at the federal level, the Federal Trade Commission), who have very limited resources and many competing priorities (e.g., product recalls, scams, consumer protection, etc.). Don’t believe me? Take a simple question such as “How does your law define personal information?” If you contact a Data Protection Authority outside of the United States, you will receive a quick, detailed, and helpful answer. Contact someone within the United States, and you may receive a response a few months later stating that they cannot provide you with legal advice and maybe, if you’re lucky, pointing you to a specific section of the text of the law.
These cultural differences illustrate that Canada, Australia, the European Union, the United Kingdom, and others treat privacy as a team effort: the government helps companies understand and comply with the law and respect privacy rights. Countries such as the United States, on the other hand, treat privacy as a strictly legal obligation that companies must figure out on their own. These differences are then reflected in the laws and the compliance requirements themselves.
Privacy Policy requirements
As noted above, many business owners are tempted to obtain a GDPR Privacy Policy and call it a day, incorrectly assuming that if the Privacy Policy complies with GDPR, it will automatically comply with all other laws. GDPR (Articles 13 and 14) requires Privacy Policies to contain, among other things, the following disclosures:
- Effective date;
- Your business name and contact details;
- What personal data you collect;
- The purposes for which you will be using the personal data;
- Whether personal data will be used for direct marketing;
- Whether you engage in automated decision making or profiling and, if you do, meaningful information about the logic involved and the consequences for the individual;
- The categories of third parties with whom you share personal data;
- The list of privacy rights provided to individuals, including how individuals can exercise those rights;
- Legal bases for processing personal data;
- How long personal data is stored;
- Whether you intend to transfer personal data outside of the European Union / EEA, where you intend to transfer it to, and the safeguards you rely on for the transfer;
- The name and contact details of your Data Protection Officer if you have one; and
- The use of cookies and other tracking technologies (strictly an ePrivacy Directive requirement, but conventionally covered in the same Privacy Policy).
After reading this list, you may think to yourself, “That’s really comprehensive; what additional disclosures could other privacy laws possibly require?” Below are just a few examples of Privacy Policy disclosures that are required by other privacy laws but not by GDPR:
- How your website responds to Do Not Track Signals;
- Whether you sell personal data;
- Whether you use personal data for targeted advertising;
- How to appeal a decision made regarding a privacy rights request;
- Whether you subscribe to any Australian Privacy Codes or External Dispute Resolution Schemes;
- The use of identification or location tracking technologies.
A Privacy Policy drafted only to comply with GDPR will not include the disclosures listed above (since GDPR does not require them) and therefore will not satisfy the privacy laws that do require them, leaving your business exposed to fines or even lawsuits.
Privacy rights
Another area where compliance with GDPR does not equate to compliance with other laws is the provision of privacy rights. GDPR provides the following privacy rights to individuals in the European Union (and the wider EEA):
- Right to transparent information;
- Right of access;
- Right to rectification;
- Right to withdraw consent;
- Right to erasure;
- Right to restriction of processing;
- Right to data portability;
- Right to object; and
- Right not to be subject to decisions based solely on automated decision making or profiling.
Other privacy laws, on the other hand, provide additional privacy rights that GDPR does not, for example:
- Right to opt out of sales of personal information;
- Right to use a pseudonym;
- Right to appeal a privacy rights decision;
- Right to not be discriminated against based on the exercise of privacy rights.
If your compliance program does not account for these rights (because it was built only around GDPR), you will not be compliant with the privacy laws that provide them.
Data breach notification
If a company suffers a data breach, GDPR requires it to notify the relevant Data Protection Authority within 72 hours of becoming aware of the breach (and, where the breach is likely to result in a high risk to individuals, to notify the affected data subjects as well). However, a company that follows only the GDPR procedure and notifies no one else will not be compliant with other privacy laws, which have their own recipients and deadlines. For example, data breach laws in the United States require notification of the affected individuals and, in many states, the State Attorney General; Australia requires notification of the Office of the Australian Information Commissioner as well as the affected individuals; and so on.
There are more examples of how compliance with GDPR does not equate to compliance with other privacy laws, but we won’t belabor the point further. As you can see, a compliance program that takes only GDPR into account will leave you out of compliance with other privacy laws, exposing your business to fines and even lawsuits. Since each privacy law has its own unique requirements, the first step in your compliance journey is to determine which privacy laws apply to you, so that you do not overlook any of their requirements.