This blog post provides a comparison guide covering the EU General Data Protection Regulation (GDPR) and the New York State law known as the “Stop Hacks and Improve Electronic Data Security Act” (NY SHIELD Act).
The GDPR went into effect on the 25th of May 2018 to offer a new framework for data protection. It is applicable to processing carried out by any legal entity — no matter where it resides — that offers goods or services to individuals in the EU.
The NY SHIELD Act came into effect on the 21st of March 2020. It is a state law intended to enhance privacy rights for New York residents. Its provisions apply to “any person or business that owns or licenses computerized data which includes private information on a resident of New York”.
“Personal data”, under the GDPR, is any information related to an identified or identifiable natural person. The term “private information”, under the NY SHIELD Act, specifically includes biometric information used to authenticate or ascertain the individual’s identity, financial accounts, credit or debit card number, security codes, access codes, passwords, as well as online accounts.
The GDPR requires the assignment of a Data Protection Officer for public authorities, and for companies whose core activities require large-scale, regular and systematic monitoring of individuals, and consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences. The NY SHIELD Act requires an employee to have specific cybersecurity responsibilities within the entity which collects and processes data.
Additionally, the GDPR provides for the implementation of appropriate technical and organizational measures, including a Data Protection Impact Assessment. However, it does not include specific details and technology recommendations for the safeguarding of personal information.
On the other hand, the NY SHIELD Act requires the implementation of a cybersecurity program, including all reasonable administrative, physical, and technical safeguards. Administrative safeguards can include internal and external documentation, and employee training programs. Physical safeguards include the appropriate security measures to be in place at a working environment. Technical safeguards include encryption, software design, firewalls, incident response planning and testing, and other security controls. The level of security required will depend on the size and scope of the business and on the nature of the data being processed; it will also depend on the sector in which the business operates, since sector-specific cybersecurity laws are also in place in the US.
Following the above, the GDPR states that international best practices and standards may be used to ensure compliance with the law. However, no specific standards are mentioned within its articles.
The NY SHIELD Act provides that regulated organizations which are in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Homeland Security Act, and/or the New York State Department of Financial Services cybersecurity regulations, as well as other laws and security frameworks, are also considered to be in compliance with the NY SHIELD Act.
The GDPR establishes specific rights for all “data subjects”, such as the right to access, the right to data portability, the right to object to and/or restrict data processing, while at the same time it allows individuals to request the deletion of their personal information, and it permits any automated decision-making and profiling only under certain specific conditions.
Such rights are not established by the NY SHIELD Act. In fact, under the NY SHIELD Act, an individual does not have the right to request the deletion of personal information stored by a business or entity. Additionally, no one has the right to export the personal information being stored by a business, or to “opt out” of the sale and processing of personal information. The Act has no provisions to stop automated decision-making or to stop information sharing; however, sensitive personal information must be secured appropriately.
Both the GDPR and the NY SHIELD Act provide that monetary penalties may be issued in cases of non-compliance. However, whereas the GDPR places no limits on individuals who would like to pursue damages, under the NY SHIELD Act an individual is not entitled to sue an entity for a breach.
Under the GDPR, a “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. If the breach poses a risk to an individual’s rights and freedoms, the organization has to notify the supervisory authority at the latest within 72 hours after having become aware of the breach.
A “breach of the security of the system”, under the NY SHIELD Act, is defined as “any unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business”. If a data breach occurs, notification must be made to the New York residents affected by the breach, as well as to the New York Attorney General, the Department of State and the State Police, within ten days. As exceptions, notification to New York residents is not required where notification has already been made under another data breach law, or where the disclosure will not result in any harm to the resident (the “risk of harm” balancing act). In the latter case, a “risk of harm” analysis must be documented and the relevant documentation must be retained for a period of five years. However, if the disclosure affects more than 500 New York residents, a copy of this risk-of-harm analysis must be sent to the Attorney General within ten days of its creation.
The GDPR provides that administrative fines can be issued directly by a data protection authority. Specifically, penalties for severe violations can be up to €20M or up to 4% of the organization’s worldwide annual revenue, whichever is higher. Under the NY SHIELD Act, any failure to implement a compliant information security program is enforced by the Attorney General and may result in civil penalties of up to $5K per violation, capped at a maximum of $250K.
In conclusion, the GDPR is a privacy law focused on a risk-based approach, considering the risks that a breach poses to a data subject’s fundamental rights. The NY SHIELD Act, on the other hand, is mostly focused on a harm-based approach, examining the financial or physical harm that a data breach may cause to the individual whose data is the subject of the breach.
We hope this article has helped you grasp the basics of the GDPR and the NY SHIELD Act, and has given you a starting point if you want to research the subject in depth.
Until next time.