Data privacy regulations – what they mean for movers

As more aspects of the moving process become digital, more data on transferees and their families is being collected, collated and sent around the world, making topics such as personal data collection and data protection increasingly important.

New information technology is making personal data easier to share and access than ever before. With this in mind, keeping users’ personal information – often called ‘personally identifiable information (PII)’ – safe is essential; if it is not, it can put them, or the company in which they work, at risk. Theft or other fraudulent acquisition of personal data can lead to dire consequences, while the collection, use and sharing of data without consent is also a concern.

For more information about PII, see boxed article, ‘What is meant by ‘personal data’ or ‘PII’?’

Illegal use of PII has become a growing problem with serious implications, and governments around the world are developing strict regulations to control and protect private data. As of January 2021, around 130 countries had launched data-privacy laws – representing two-thirds of the world’s jurisdictions. While this is a positive step, most countries having their own data-privacy rules makes developing a global approach a challenge.

How does PII impact on the moving industry?

There are inherent risks to removals companies when using their transferees’ private data. Accordingly, they should be aware of their data privacy protection responsibilities (see FIDI Focus 289, Feb/March 2019 – portfolio.cpl.co.uk/FIDI-Focus/289/32).

While private data is often required on shipping documents, movers should always ask if this is absolutely necessary – and remove private information when it is not legally required. As a moving company, you are responsible for telling your customers about any potential data-privacy risks and providing guidance to them whenever possible. By doing this, you mitigate the risk of not being compliant from a data-protection perspective.

Transferees’ private data may be sold or shared by third parties depending on the jurisdictions, exposing them to identity theft, fraud and unwanted solicitations.

A US case study

US Customs and Border Protection (CBP) is legally allowed to sell vessel manifest data, including PII of transferees – such as social security and passport numbers, home addresses and other personal data – to data brokers.

While it is not the intent of the CBP to release sensitive data of individuals, the manifests currently provided to data brokers often include the PII of transferees and military personnel shipping household goods into the country. The data brokers post the manifest information online to provide shipment analysis and trends, which exposes the PII of transferees.

Over the past four years, a coalition of national military and moving associations – including AMSA, ERC and IAM – has been urging the US Senate to protect the PII of transferees by passing the Moving Americans Privacy Protection Act into law, to prohibit CBP from releasing the PII of movers’ clients to global data brokers.

On 8 June 2021, the US Senate passed the US Competition and Innovation Act (USICA), which includes a key provision directing the US Secretary of the Treasury to ensure that any personally identifiable information is removed from a vessel, aircraft or vehicle manifest before it is provided for public disclosure.

This example shows how moving businesses need to be well informed about data privacy regulations and related consequences for their companies in case of non-compliance.

The General Data Protection Regulation (GDPR)

The European Union’s GDPR regulation developed out of bold data-protection reforms. It came into effect on 25 May 2018, and is currently the toughest privacy and security law in the world.

The strict rules impose obligations on organisations anywhere in the world – so long as they target or collect data relates to people in the EU. The EU is levying harsh fines against those who violate these privacy and security standards, with penalties reaching into the tens of millions of euros. In June 2021, for example, Luxembourg’s data-protection commission (the CNPD), levied a fine proposal of more than US$425 million against Amazon for its collection and usage practices for personal data.

The main aim is to protect the rights of the EU data subjects, who include citizens and residents, as well as visitors to the region. It governs the collection, use, transmission, and security of data collected from residents of any EU member country. The law applies to all EU residents, regardless of the location of the entity that collects the personal data.

Under GDPR, all businesses and government agencies require explicit consent for data processing, and must make collected data anonymous, provide quick notifications about data breaches, ensure safe data transfers, and appoint a data protection officer when required.

Global influence

The EU-GDPR has inspired many privacy regulations worldwide, from Brazil’s LGPD to the CCPA in California. While many of these laws agree on the broad terms of data protection, each implements these protections in its own way.

Latest UN Conference on Trade and Development (UNCTAD) figures show the worldwide data-privacy situation across 194 countries as follows:

• 66% of countries with legislation
• 10% with draft legislation
• 19% with no legislation
• 5% with no data

What has happened since May 2018?

The GDPR has become a global point of reference for data protection. From Chile to South Korea, and Brazil to Kenya, many countries around the world are modernising their privacy rules. This creates new opportunities to increase protection for individuals and facilitate data flows – benchmarking against GDPR standards.

The importance of data protection to ensure trust in the digital economy and to facilitate data flows has also been recognised at international level.

Conclusions

FIDI’s report concludes that the need for trust and accountability for personal information is growing in the minds of customers, consumers and other stakeholders. But the risk is broader than regulatory compliance and, therefore, companies must have the right competence, processes and systems in place.

With the number of complaints and fines related to privacy and data protection on the rise, there seems to be a growing need for guidance.

Businesses interested in further mitigating data-privacy risks may consider looking into information security management systems – such as the ISO/IEC 27701 standard.

FIDI Global Alliance has been a pioneer in data privacy protection management by incorporating stringent data privacy elements into its FAIM quality standard as early as 2015 (FAIM 3.1), giving FIDI Affiliates an important advantage in preparation for the EU GDPR. These elements were reinforced in the following – and current – version of FAIM (FAIM 3.2).

The FAIM Standard covers topics related to personal information. A FIDI Affiliate needs to demonstrate that their company has a documented data (privacy) protection procedure in place – ensuring that personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments described in your privacy notice – as well as a process in place to control data (privacy) protection of their supply chain.

l You can find the full report in the Business Tools library on FIDINET. For questions or comments, contact
Marie-Pascal Frix at
marie-pascale.frix@fidi.org

Strangely, there is no universal definition of personal data. In simple terms, it refers to any type of data that can be used, alone or combined with other relevant information, to identify a specific individual.

What is Considered PII?

What is considered as PII depends on where you do business. Despite the discrepancies between the laws of different countries and regulatory entities, the following is, in general, considered sensitive ‘personally identifiable information’:

• Full name
• Social security number
• Driver’s licence/national identity card
• Physical mailing address
• Phone numbers
• Criminal or employment history
• Passport information
• Credit card information
• Financial information
• Medical records

The EU’s GDPR regulations include an important number of additional elements, such as:

• Email address
• Any online identifier (including, but not limited to, IP address, login IDs, social media posts, customer loyalty histories, cookie identifiers, and so on)
• Geolocation data
• Biometric data (including, but not limited to, fingerprints, voiceprints, photographs, video footage, etc). Any factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual

The California Consumer
Privacy Act

Another recent piece of PII legislation, the California Consumer Privacy Act (CCPA), goes even further than the GDPR by including additional data such as:

• Aliases
• Online account names
• Records of personal property
• Purchased products and services
• Purchases or consuming tendencies
• Browsing history
• Search history
• Information regarding user’s interaction with websites
• Audio, electronic, visual, thermal, olfactory, or similar information
• Education information that is not publicly available
• Inferred consumer profile, including a consumer’s preferences, characteristics, psychological trends,  predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.