Previous article in series – Data Privacy: EU–U.S. Privacy Shield, HIPAA, GLBA
Jurisdictional variances become evident in cases involving cross-border data requests or other disputes. Even between states in the same country there can be differences in data privacy law. Section 2511 of Title 18 of the United States Code (18 U.S.C. § 2511) prohibits the unauthorized interception, disclosure, and use of wire, oral, or electronic communications. The prohibitions are absolute, subject only to specific exemptions, such as where an individual has the consent of one party to the communication or is a party to the communication themselves. "One-party consent" is recognized in 38 states, but there is no uniformity: 12 other states require "two-party consent," which means that the agreement of a single participant or observer is not sufficient to meet the legal standard in those states.
A helpful maxim is to be aware of, and adhere to, the law that is operative wherever your service is being provided or consumed.
Impact of Distributed Information Technology (IT) Model
The jurisdictional landscape for data located in multiple geographic locations is in constant flux. As recently as 2018 the United States Congress enacted the Clarifying Overseas Use of Data (CLOUD) Act, which gives U.S. law enforcement officials broad powers to compel U.S.-based technology providers to release data regardless of where the company stores it. Before this, a mutual legal assistance treaty (MLAT) had to exist between two or more nations to define how assistance would be rendered when an investigation required it. The CLOUD Act also allows the executive branch of the government to enter into "executive agreements" with foreign nations, which permit the participating nations to access data stored beyond their borders regardless of the privacy laws that may be in place there. It is important for organizations to keep abreast of changes to laws and regulations. While GDPR may represent the strongest protection of individual data privacy, the CLOUD Act may represent the strongest assertion of a nation state's right to an individual's data. The two may impose conflicting obligations on an organization.
ISO/IEC 27018:2019 suggests caution when engaging in processing or controlling data across borders: “Where specific contractual agreements apply to the international transfer of data, such as Model Contract Clauses, Binding Corporate Rules or Cross Border Privacy Rules, the agreements and the countries or circumstances in which such agreements apply should also be identified.”
Next article in series – Data Privacy: Standard Requirements