Individual Rights in Data Privacy Law
9:56
Legal Disclaimer 
The information provided in this video does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. The law changes fast, so information in the video may not constitute the most up-to-date legal or other information. 
Transcript

00:07
Adam Stofsky
Shannon, I've often heard of modern privacy laws described as having a kind of consumer rights framework or being focused on individual rights. Can you explain what that means? What is the concept of individual rights under privacy laws? 


00:23

Shannon Yavorsky
So the concept of individual rights is really about giving individuals, consumers, control over their data. So you as an organization, as a company, collect my data, and as a consumer, I would like to have access to that data to know what you're collecting about me and to be able to delete it or correct it if I want or have access to it. And so these are really like the individual rights that are enshrined in the privacy legislation across the globe. The right to access data, the right to know what data is being collected about you, the right to have that data deleted. So if you no longer want to do business with a company, you can say, look, I want you to delete all my data. The company has to be able to delete that data. Correction. 


01:15

Shannon Yavorsky
So you've got my address wrong, and I want to make sure you're sending my mail to the right place. So the ability to correct that. Data portability. So I've got a ton of data on one platform, but actually I want to move to a different provider. Being able to take your data from one place to another, that's data portability. And then opt out. The right to opt out of the sale of your personal information. So a company can't just widely sell your data to third parties. A lot of the new privacy laws allow individuals to opt out of the sale of personal information. I think it's important to note that these rights aren't absolute. So, as an example, the right to deletion: as an organization, you don't just press a button and all the data is deleted. 


02:04

Shannon Yavorsky
In most cases, there's some data that an organization might need to comply with tax law or in the context of litigation. So you can't just delete everything. 


02:14

Shannon Yavorsky
You really have to collect all that


02:16

Shannon Yavorsky
personal information you have about someone and then figure out, okay, what do I have a legal obligation to hold on to? And then figure it out from there and be able to parse out like, okay, this is data that I need to keep, but the rest of it I'll delete. Similarly, with access requests, it's not like you collect all the personal information. For example, me at my firm, I've sent millions of emails, I think, over time, and all of those emails, if I were to make an access request, it's not necessarily that the firm is going to take those 1 million emails and give them to me. It has to be personal information about me, right? And they can't disclose data about personal information about someone else. 


03:03

Shannon Yavorsky
So it has to be, you have to go through it and figure out what is actually about someone, what has to be redacted. So sort of crossed out because it relates to someone else and you can't disclose that information. So lots of different considerations. But I think the important point is that these individual rights are really intended to give people control over their personal information, but they're not absolute. 


03:29

Adam Stofsky
And what do companies have to do with respect to these individual rights? What is their obligation? 


03:34

Shannon Yavorsky
First and foremost, describe in the privacy notice that you have those rights, and you'll see in privacy notices around the globe, depending on the jurisdiction, that there will be a section that talks about consumer rights. And it'll set out: you have the right under certain privacy laws to access, delete, port or opt out of certain data. And offer a process by which people can exercise those rights. So that's step number one. 


04:00

Shannon Yavorsky
Step number two is the hard part of operationalizing that and figuring out, okay, who at the company is going to be responsible for looking in all the different databases, figuring out what that data set looks like, and then who's going to be responsible for going through the, maybe it's not a million documents, but maybe you're looking at 10,000 documents, and figuring out what's actually responsive to the individual rights request and get it back to the individual in a reasonable form within a set period of time. So under U.S. state privacy laws, companies have roughly, depending on the law, 45 days. That can be extended by another 45-day term. In Europe, companies have 30 days in which to respond to those individual rights requests. So you can see that there's some time pressure here. 


04:48

Shannon Yavorsky
And so that operationalizing of these individual rights requests can be pretty challenging. And we're starting to see companies leverage software to be able to do this more efficiently because it does take so many man hours and time and resources to act on these requests, to access data or to delete data. 


05:14

Adam Stofsky
All right, let's go through the rights one more time. So first is individuals have a right to know, or right to have companies tell them how they're using their data. 


05:23

Shannon Yavorsky
Like really to know what data is being collected about them. 


05:26

Adam Stofsky
And this will usually go in a privacy notice. 


05:29

Shannon Yavorsky
There'll be a section of the privacy notice that says, these are the categories of personal information that we collect about you, and maybe it's your contact information or depending on the context. So let's say like in an employee privacy notice, it could be educational history or past employers information like that. 


05:52

Adam Stofsky
Then you have access. So consumers have the right to get their information and essentially know what information you are holding at a given moment, right? 


06:02

Shannon Yavorsky
Yeah, exactly. And like I said, that can be operationally challenging to get all that data together and figure out what has to be provided to the individual. So are you going to send them a PDF? How are you going to send it to them, the format in which it is easy for them to understand. So these are all operational challenges and access can be particularly tricky. 


06:26

Adam Stofsky
Then you've got the right to correction, or another is called rectification, right? 


06:31

Shannon Yavorsky
Yeah, that's right. So it's about being able to fix data points that a company holds about you. And that can be important, let's say in the context of your address or your phone number. If the company's got that wrong, you might not be getting the information that you need to get from them or a product that was supposed to ship to you. So correction is a really important right as well. 


06:58

Adam Stofsky
And then you have the right to erasure, you said, right. Is that the same as the right to be forgotten? 


07:04

Shannon Yavorsky
Yeah, it's really the same thing. It's the right to deletion and the right to be forgotten. So to make sure that a company can delete the data that it holds about you, again, subject to a number of different exemptions, but you want to walk away from a company and you don't want them or an employer, for example, in Europe, and you want to erase your history there. So you submit a request to the company and say, I want you to delete my data, I don't want you to hold it anymore. And again, you subject to exemptions, like if a company has to hold on to it for tax reasons or litigation reasons, otherwise you've got to delete it. 


07:48

Adam Stofsky
And then you got portability, which is the right to have your data be movable to a different company, essentially, right? 


07:57

Shannon Yavorsky
Yeah, exactly. 


07:58

Shannon Yavorsky
In a format that's able to translate to another organization. So that could be, let's say you have tons of images, photos on a social media platform and you want to move to another platform. So you want to go from X, so Twitter to threads or something. They would notionally have to figure out a way to ensure that data was ported over. 


08:27

Adam Stofsky
And the last thing you said was the right to, and I've forgotten now what the actual term of art is, but the right to kind of place limitations on how your data is used, right? 


08:38

Shannon Yavorsky
Yeah, there's limitation and then there's the right to limit the processing of personal information is an important right. And then the other one that I mentioned was opt out, the opt out of sale, which is again, just allowing the opt out. 


08:55

Adam Stofsky
That's what I was thinking of. Right, the opt out of sale. You can say, no, you can't sell. 


08:59

Shannon Yavorsky
My data, don't sell my data. 


09:01

Shannon Yavorsky
Exactly. 


09:01

Shannon Yavorsky
And you'll see in the US. 


09:05

Shannon Yavorsky
Exactly. 


09:06

Shannon Yavorsky
A link at the base of the page at the footer of the website that says do not sell or share my personal information. You're supposed to be able to click on that and then toggle off any data sales so that the company is instructed to no longer sell your personal information. Which I think is a right that people really care about. Like, the idea that your data is being sold through an ecosystem, I think is something that consumers are more mindful of, potentially, than their other privacy rights. Or at least we see a lot of people really focusing on their right to opt out of data. 


09:42

Adam Stofsky
Oh, interesting. Well, thank you, Shannon. That was your crash course on individual rights under international privacy laws. Thanks again. 

© 2024 Briefly