January 28 is the annual celebration of Data Privacy Day, which exists to raise awareness about the importance of privacy and how to protect personal information. The annual event commemorates the 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), a treaty among the Council of Europe. Convention 108 remains the only international legally binding agreement on data protection law, but the landscape of technology and data privacy law have changed significantly in the last 40 years.
The Council of Europe asserts that the longevity of Convention 108’s applicability despite changing technology is due to its “technologically-neutral, principle-based approach.” But Convention 108 still needed to be modernized in 2018 for compatibility with other legal data protection frameworks, primarily the European Union’s General Data Protection Regulation (GDPR).
The need to update Convention 108 highlights the difficulties of legislating data privacy as technology changes. I’ve previously written about whether the Video Privacy Protection Act (VPPA), enacted in 1988 to govern VHS rental stores and updated in 2012, continues to apply to certain online video streaming services.
Similarly, on December 8, 2020, the U.S. Supreme Court heard oral arguments in the case of Facebook, Inc v Duguid. Duguid alleges that Facebook sent unsolicited text messages using an “automatic telephone dialing system” in violation of the Telephone Consumer Protection Act of 1991.
Because technology evolves faster than law, the U.S. is left with various narrowly tailored laws rather than a single comprehensive data privacy protection framework. Some are industry- or information-specific, such as the Gramm-Leach-Bliley Act governing financial institutions, the Health Insurance Portability and Accountability Act (HIPAA), and the Children’s Online Privacy Protection Act. Others are state-specific, such as California’s Consumer Privacy Act and the Michigan Identity Theft Protection Act.
So, what can organizations and individuals do? As consumers, the first step is to pay attention. Don’t ignore the privacy settings on websites, apps, hardware, and software; make informed decisions.
As organizations, consider how you collect and use data and how it aligns with your organizational culture. Regularly review your privacy policies and security practices, especially regarding your employees, partners, and vendors. Know that some industries, states, and countries are subject to more regulation than others. And keep in mind that Smith Haughey is available to help you prepare privacy policies and security practices and to provide counsel on the various laws that may apply.
If you have questions regarding your personal data or the data which you or your organization collect, contact Smith Haughey attorney Matthew Wiebe for assistance.