Could GDPR Violations Result in Jail Time?
16 Jan, 2020 | By: Mary Helen Sprecher
The General Data Protection Regulation, or GDPR, which governs the safekeeping of electronic records, became law in the EU about a year ago and its restrictions were felt around the world – including in sports events here in the U.S.
What you might not know is that one country is putting a similar law into effect – with some pretty sharp teeth that should concern event owners. E-mail Marketing Daily notes that brands active in India will soon find themselves burdened with a GDPR-style law that will create barriers to doing business there. Even more importantly, the law will create criminal penalties (including jail time), whereas GDPR provides only civil fines.
As youth and amateur sports become increasingly globalized, this should be a concern for event owners, particularly those who find themselves disseminating information to (and collecting information from) potential participants in the international arena.
In India, the government of Narendra Modi has approved a second draft of the pending Personal Data Protection Act and it will be voted on by Parliament in February, according to The Daily Swig.
E-mail Marketing Daily notes that it was not immediately clear whether the law demands opt-in for sending emails or allows for opt-out. “One feature that upsets observers,” noted E-mail Marketing Daily, “is the rule that sensitive data on Indian citizens must be stored on servers within India, although non-sensitive information can be kept outside. However, the Indian government will define the difference” (between sensitive and non-sensitive information).
“Trade groups, including the US-India Business Council (USIBC) and US-India Strategic Partnership Forum, have balked at such barriers to operating in a country of 200 million Internet users and an IT sector with an annual growth rate of 7.2 percent,” The Daily Swig writes.
While it’s unlikely that event owners in the U.S. who violate any new privacy regulations would be subject to extradition to India to face charges, it is important to ensure that all communications comply with as many privacy regulations as possible, and to move forward accordingly.
Already, data privacy laws are being enacted in the U.S. on a state-by-state basis, meaning that event owners and rights holders need to be familiar not only with their own state laws, but others as well.
The challenge: the legal landscape concerning data privacy is in flux. Between 2016 and 2018, there was an enormous uptick in the number of states enacting privacy laws for data held at various levels. A chart showing the two-year change can be found here – but it should be noted the information shown was only current at the time of publication. Event owners should seek expert advice on their own state laws as well and should find out whether they will need to be cognizant of data laws in states where their event is traveling – and whether the home states of individual athletes will have laws that come into play as well.
Event owners and rights holders also need to understand state laws concerning consumer notification if data has been compromised. According to the National Conference of State Legislatures, in 2018, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, enacted breach notification laws that require businesses to notify consumers if their personal information is compromised. These new and amended state data breach laws expand the definition of personal information and specifically mandate that certain information security requirements are implemented.
In addition to the laws that appear on the link above, many states also have other data security laws that apply to state agencies or other governmental entities – something that will be vitally important to sports event owners at those levels.
Event owners, rights holders and others who collect data on athletes, sponsors, volunteers, officials and any other participants will need to be aware of laws concerning the disposal of that information. According to the linked information, multiple states and Puerto Rico have enacted laws that require private entities, governmental entities, or both to destroy, dispose of, or otherwise render personal information unreadable or undecipherable.
Additionally, it should be noted that the Federal Trade Commission's Disposal Rule also requires proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.” The rule applies to consumer reports or information derived from consumer reports. HIPAA also has disposal requirements for electronic protected health information.
Cyber liability insurance is offered, notes Lorena Hatfield of K&K Insurance Company, in a recent issue of Sports Destination Management. This, she notes, is an evolving field, and event owners should contact their insurance provider to ascertain what is covered and what information is needed.