Written By Shuja Khan
Updated on August 03, 2022
Min Reading 3 Min
Increasing digitalization, cyberattacks, and instances of data breaches have prompted a domino effect of enacting data privacy laws around the globe. However, permanent data destruction has been a constant prerequisite in these laws. This article explores global data protection laws focusing on how permanent data destruction forms a mandatory requirement for meeting data security compliance.
In the U.S., the average cost of a data breach reached a staggering $9.5 million in 2022, almost double the global average. According to the Breach Level Index, over 9.7 billion data records have been lost or stolen globally since 2013 through data breaches and cyber-attacks. The rise of global data protection laws can be attributed to this alarming trend.
Data destruction is a primary requirement for compliance with all data protection laws. The laws mandate an end-of-life data destruction policy. Careless disposal of confidential data such as PII (Personally Identifiable Information) is subject to harsh legal penalties in many countries. Companies that do not have regimented processes for the retirement of technology and the resident data are also at risk of losing reputation, trust, and revenue. Failing compliance can be disastrous; the fines and penalties can dent any company’s financials.
Major initiatives have been undertaken by countries across the globe to enact their data protection laws, especially after General Data Protection Regulation (GDPR) came into effect in the European Union (E.U.). In the U.S., the situation is slightly different in the absence of any overarching federal law on data privacy. Data protection laws in the U.S. can be traced back to the early 1970s. Most U.S. states have enacted their data privacy laws, the most prominent being the California Consumer Privacy Act (CCPA). However, growing concerns and incidents led to the establishment of more federal laws that tend to protect data and mandate the secure disposal of sensitive information like PII when no longer needed:
As we can see, these laws address industry-specific concerns, but there is no all-encompassing federal privacy law that can be applied universally. Therefore, states took it upon themselves to enact specific laws addressing data privacy and protection concerns. Understanding the data sanitization requirements and repercussions of non-compliance to these laws will help companies mitigate risk and stay compliant. We will take a look at the comprehensive data protection laws enacted recently by 5 states in the USA:
This law was passed in early 2020 and has paved the way for many states to follow suit. It incorporates the founding principles of GDPR, focusing on data privacy and protection requirements. The law gives Californians greater control and the right to personal data. The rights include knowing the personal data that is collected, sold, or disclosed and to whom. In addition, the law covers denying the sale of that data, access to the data, request to delete the data, and not being discriminated against for exercising these rights. Data destruction is a compliance requirement in CCPA and falls under the customer’s right to personal data deletion or the right to opt-out of processing that data. Organizations must ensure permanent destruction of this within a stipulated time upon receiving such a request. Failure to comply can lead to heavy fines and penalties.
Fines & Penalties: Any intentional violation of CCPA guidelines invokes a maximum penalty of $7500 per incident. An unintentional violation invokes a maximum penalty of $2500 per incident, with a cure period of 30 days.
This amendment to CCPA will be enforced in July 2023. This act aims to strengthen customer rights, establish an overseeing authority, and place more requirements on the organizations. The customer rights have been expanded to include opting out of sharing personal information, the right to correct and delete incorrect data, and access data beyond 12 months. They also have the right to opt-out of automated decision-making and profiling with expanded right of action in data breaches. It also expands the rights of minors. Data destruction is a compliance requirement in CPRA. It would be covered under the customer’s right to deletion, right to delete incorrect data, and data storage limitation (once data reaches end-of-life, it must be deleted).
Fines & Penalties: An unintentional violation would be fined a maximum of $2500 per incident, and an intentional violation invokes a fine of a maximum of $7500. Any violation involving a customer under 16 would invite a maximum fine of $7500. The cure period is 30 days for businesses to remedy the violation once they get information about non-compliance.
In March 2021, Virginia became the second state after California to enact comprehensive data protection law that would come into effect in Jan 2023. It aligns closely with CCPA & CPRA in granting Virginia residents the right to access, correct, delete, know about, and opt out of the sale and processing of their personal information. They also have a right not to be discriminated against for opting out. Permanent data destruction is necessary under VCDPA as it grants a time of 45 days to respond to the customer’s request for deletion.
Fines & Penalties: Although it lacks private action from affected customers like CCPA, the attorney general has the authority to fine up to $7500 per violation.
Following California and Virginia, in June 2020, Colorado became the third state to enact a data privacy law. This act aligns closely with CCPA, CPRA, and VCDPA & GDPR. CPA grants citizens the right over their data and places the onus of obligation on the organizations that collect personal data. It grants citizens the right to access, correct, and delete their data. It also gives the right of portability (taking data and moving to another organization) and opting out of data-based targeting of ads and sale of their data. The right of the customer to have their data deleted places the responsibility on the organization to ensure the permanent destruction of that data in a time-bound manner. A business must respond to a consumer’s request within 45 days.
Fines & Penalties: The enforcement of this act is not limited to the attorney general but also district attorneys, with a cure period of 60 days. There is no direct mention of fines in the act. Still, the violation is considered a misleading trade practice for which the fines are covered under Colorado Consumer Protection Act, attracting up to $20,000 in penalties per violation.
In March 2022, Utah became the 4th state to sign a data privacy law. It will be enforced from Dec 31, 2023, and aligns closely with VCDPA. The law provides the consumer rights of deletion, access, portability, and opt-out of data sale to third parties, including use in targeted ads. Data destruction requirements under UCPA fall under customers’ rights, which grants them the right to have their data removed from the company’s database. However, the organization must fulfill the request within a stipulated time and ensure permanent data destruction to remain compliant.
Fines & Penalties: The attorney general can enforce the law and contains a cure period of 30 days. UCPA carries penalties up to $7500 per violation.
The law was signed in May 2022, making Connecticut the 5th state in The U.S to enact data privacy laws. It also became the 1st state that requires opt-in consent for teens between 13 and 16 years old before using their data for targeted advertisement. This law will become enforceable from July 2023. It allows citizens greater control over their data for targeted advertising, personal data sale, and some automated decisions. It aligns with CPA & VCDPA. Similar to other data privacy and protection laws, this law also advocates permanent data destruction once the request is received from a customer. The period for responding to a request is within 45 days. Once the request is received, data must be deleted beyond any scope of recovery.
Fines & Penalties: The attorney general may impose fines up to $5000 for willful violations and further penalties under provisions of CUTPA (Connecticut Unfair Trade Practices Act).
In addition to these laws, there are other prominent state laws in the U.S. that target specific segments of data protection and privacy:
Passed in July 2019, this act amends existing law on notification of data breaches. It also imposes more responsibility on organizations that collect information on New York residents. This law became enforceable in Mar 2020.
The law came into existence in June 2019 and covered Internet Service Providers (ISP). This law was enforced in July 2020 and prevented ISPs from selling, sharing, or granting access to customers’ data without explicitly receiving customer permission.
Enacted in 2017, this law regulates the collection, usage, and storage of biometric identifiers of Washington citizens.
GDPR has been at the forefront of data privacy laws and laid the foundational work for subsequent laws enacted post-2018. The principle of “right to erasure” is an underlying theme in all data privacy laws, giving data subjects more control and accessibility over their data. Permanent data destruction is mandatory under GDPR, and the concerned organization is given 30 days to respond to the request. The “right to be forgotten” also mandates data destruction by standardized practices of using overwriting software to ensure that personal data has been deleted and cannot be recovered. A software that can generate certified and tamper-proof reports of erasure is best suited for this task fulfilling compliance and maintaining audit trails.
Fines & Penalties: Under Article 83(5), liabilities for infringement in GDPR can be massive. Fines up to Euro 20 million or up to 4% of the global turnover, whichever is higher, may be imposed on an organization if it disregards the basic principles as mentioned under Article 5. Since its enforcement, there have been 1087 fines imposed under GDPR totaling Euro 1.6 Billion. Amazon Europe Core S.a.r.l. was fined €746,000,000 on July 22, 2021, which remains the largest fine to date.
PIPEDA is a Canadian law enacted to safeguard the privacy of its citizens. It governs organizations in Canada that collect, use, and process the personal data of Canadian citizens for commercial purposes. This law was adopted in April 2000 and applied to all organizations except Alberta, British Columbia, and Quebec, as they have state privacy laws similar to PIPEDA and are generally exempted from it. Federal organizations are all covered under this law. Individual rights under PIPEDA allow access and correction of data and reporting in case of inappropriate use of their data, including selling.
PIPEDA mandates data destruction, erasure, or making the information anonymous once it reaches end-of-life. Clause 4.5.3 of PIPEDA (Limiting Use, Disclosure, and Retention principle) advocates organizations must develop guidelines for data destruction or anonymization. Anonymization carries risks as reverse engineering can lead to data recovery and a data breach or theft. Using a software-based data destruction method is ideally suited to these conditions.
Fines & Penalties: Failure to comply with PIPEDA can lead to huge fines. The law prescribes fines up to $100,000 for each violation, which can quickly mount to huge sums.
POPIA was enacted in November 2013 and enforced in July 2020. This South African data privacy act highlights requirements that organizations must comply with while handling the citizens’ personal information. This law provides South Africans with 9 rights containing the right to access, correct and deletion, request deletion, object to the collection, and legal remedies. This law applies to organizations based in South Africa that process their citizens’ data.
Data destruction requirements under POPIA align with other data privacy laws; the right to deletion mandates data destruction rendering it unrecoverable.
Fines & Penalties: Violation of POPIA has serious ramifications and can be broadly categorized into serious & minor:
Global data privacy and protection laws give us an introspective view of how different countries and states build up defenses against data breaches and overall data security. It also shows a clear trend of state players giving data privacy its due importance. Organizations are responsible for taking actionable steps to ensure compliance, as it is no longer an option but an obligation with serious ramifications. Data sanitization and data destruction feature prominently in these laws and are mandatory for meeting compliance.
The international standard for data destruction that ensures the destruction of data beyond recovery is NIST 800-88 which recommends software-based erasure using overwriting capabilities. BitRaser data erasure solution, is the globally preferred data wiping solution to meet compliance with laws and regulations; it supports 24 international erasure standards, including but not limited to NIST 800-88, DoD 3 or 7 Passes, etc. In addition, the tool is tested for its efficacy by NIST. It generates a 100% verifiable documented proof of erasure, ensuring compliance with EU-GDPR, CCPA, SOX, GLBA, HIPAA & other international data protection regulations like Japan’s APPI.
BitRaser is NIST Certified
|US Department of Defense, DoD 5220.22-M (3 passes)|
|US Department of Defense, DoD 5200.22-M (ECE) (7 passes)|
|US Department of Defense, DoD 5200.28-STD (7 passes)|
|Russian Standard – GOST-R-50739-95 (2 passes)|
|B.Schneier’s algorithm (7 passes)|
|German Standard VSITR (7 passes)|
|Peter Gutmann (35 passes)|
|US Army AR 380-19 (3 passes)|
|North Atlantic Treaty Organization-NATO Standard (7 passes)|
|US Air Force AFSSI 5020 (3 passes)|
|Pfitzner algorithm (33 passes)|
|Canadian RCMP TSSIT OPS-II (4 passes)|
|British HMG IS5 (3 passes)|
|Pseudo-random & Zeroes (2 passes)|
|Random Random Zero (6 passes)|
|British HMG IS5 Baseline standard|
|NAVSO P-5239-26 (3 passes)|
|NCSG-TG-025 (3 passes)|
|5 Customized Algorithms & more|