This is why your data privacy is so important

There’s been yet another shift in the ever-changing world of data privacy, and we wanted to make sure (as always) that we’re keeping you aware of the changes. So, here we go again.

In this article, we’ll go over the basics of data privacy and explore some laws and regulations governing data privacy. We’ll touch on the now-outdated Privacy Shield that used to be the standard for European Union (EU) to United States (US) data transfer and how Mailgun tackles data privacy above and beyond legislated standards.

Data privacy, also known as information privacy, focuses on properly handling sensitive data or personally identifiable information based on the standards outlined in data protection regulations. We’ve all heard that data is the new gold, making data privacy more important as data collecting mechanisms become ubiquitous.

At its heart, data privacy stipulates that an individual has a right to expectations on a separation of public and private, including:

• The right to not be contacted.
• The right to have control over their personal data.
• The right to revoke access to their personal data.

With these rights in mind, data privacy touches on how data is:

• Collected: Though there are differences in specific data privacy laws, the general expectation is that personal data will only be collected for legal purposes directly related to the function or activity of the user. In addition, the collected data should be adequate, not excessive. Many data protection codes stipulate that data collection should be transparent, lawful, and fair.
• Stored: Again, despite differences in data privacy laws, the general understanding is that data should be properly stored to safeguard them from cybersecurity threats. In addition, data retention should only last the necessary amount of time and not longer. We’ll explain why proper storage is so important for data privacy below.
• Managed: Broadly speaking, data privacy stipulates that you need to implement proper data management, meaning you need to use physical and cybersecurity measures to ensure the protection of the data, so long as it’s in your possession. You should protect it from unauthorized access as well as corruption. 
• Shared with third parties: Data privacy regulations stipulate that you should be careful how the data in your possession is shared with third parties. Most regulations stipulate that users must give explicit consent for their data to be used by third parties.

The final component of data privacy is compliance with data protection legislation. We’ll go over a few of the key data protection legislation below.

Before we dive into data privacy, let’s clarify the potential confusion between data protection, data privacy, and data security.

• Data protectionconsists of two components: data security and data privacy. In other words, data protection is the umbrella term referring to how data is protected (data security) and how to properly handle data (data privacy).
• Data privacy focuses on how sensitive information should be properly handled. Data privacy centers around the individual and the individual’s expectations of what they can consider being public versus private. Consent and data removal are key components.
• Data security deals with how data should be protected. For instance, encryption standards, network security, and data breach responses are all a part of data security. As far as email programs go, securing your email gateways is a good start to enacting proper data security.

In short, data security and data privacy are components of data protection. While the three work together to create proper safety practices for securing and handling data, we’ll focus on data privacy in this article.

Data privacy is important both from a company and a consumer perspective. Let’s take a look at why.

The consumer, also known as a “data user,” is concerned about data privacy because:

• They’re sharing personal and sensitive data. This includes bank account details, credit card numbers, social security details, and personal details like gender and weight, email addresses, and more.
• The data they share can be misused with disastrous consequences. A data user is interested in data privacy because without proper data protection protocols to guarantee data privacy, their personal data can be easily abused by hackers and other ill-meaning individuals or companies.
• Even if their data isn’t misused, it can be used to identify them. In sharing data, individuals are guaranteed a degree of protection that their information cannot be used to identify them. For instance, if a data user provided their religious affiliation as part of the data collected, they risk being discriminated against if proper data privacy protocols aren’t in place. Data privacy safeguards individuals from uninvited surveillance.
• Their data might be sold to advertisers and marketers who, while not malicious, can still flood their inboxes with spam. This is a particular concern for businesses that rely on email marketing. We’ve all been on the receiving end of junk emails because our email addresses were sold by unscrupulous businesses. This is yet another reason why data privacy is important for your customer.

From a company’s perspective, data privacy is equally important because:

• A company must be able to meet their customers’ data privacy needs because they have a social obligation to respect their data. This is a way to maintain your consumer’s trust in your brand.
• A company should meet its consumers’ data privacy needs to maintain consumer engagement and continue delivering a high-quality product.
• Companies have legal obligations to comply with data protection laws, depending on the countries they operate in.

Transparency and faulty data collection, storage, and management protocols are the biggest threat to data privacy. If companies aren’t transparent about their data privacy practices, they risk alienating their customers and becoming non-compliant regarding data protection laws.

While there are very real data security risks, like phishing scams, data breaches, SQL injection attacks, and so on, we’ll focus on data privacy in this article.

As we mentioned above, there are several laws and regulations that govern data privacy. These include:

• The EU-US Data Privacy Shield
• The General Data Protection Regulation (GDPR)
• The California Consumer Privacy Act (CCPA)
• The Children’s Online Privacy Protection Act (COPPA)
• The Health Insurance Portability and Accountability Act (HIPAA)

This isn’t an exhaustive list, but these are the forerunners in the data privacy legislation field. Let’s dig into each of these below.

You may have heard of the EU-US Data Privacy Shield, which, beginning in 2016, regulated consumer data usage in transactions between Europe and the United States. American companies were able to use the Privacy Shield to validate and accredit these transatlantic data transactions. Using the Privacy Shield allowed American companies to actually do those transactions.

However, on July 16, 2020, the European Commission Court of Justice (CJEU) invalidated the adequacy of the EU-US Data Privacy Shield’s protection. In other words, American companies can no longer use the Privacy Shield as a way to “allow” transatlantic data transactions.

But what does this mean for Mailgun? You wouldn’t be the first to ask. Since the ruling, some of our customers have asked about its impact on our services and our business. Don’t worry – we still have you covered. We’ll go into more detail in the next section below, where we provide more detailed information on how we deal with data protection and how the CJEU’s decision impacted our protocols.

Under the EU’s General Data Protection Regulation (GDPR), proper safeguards must be in place for data transfers to and from any country outside of the European Union, including the United States. Until July 16, 2020, the Privacy Shield was considered an adequate GDPR protection and had complied with its requirements when transferring personal data to the United States. However, as we mentioned above, this changed in July 2020.

Since the Privacy Shield framework is now considered inadequate, alternative protection is required for all data transfers. These alternatives may include the Standard Contractual Clauses (SCCs), also called EU Model Clauses, or Binding Corporate Rules. According to the GDPR, these Standard Contractual Clauses ensure appropriate data protection safeguards and can thus be used for data transfers from the EU to third countries. We’ll go over this in more detail below, but Mailgun uses SCCs to facilitate data transfers from the EU.

Moving away from US-EU data transfers, the California Consumer Privacy Act (CCPA) of 2018 is a California state statute that was a forerunner in granting consumers more control over how their user data is collected. In fact, the CCPA influenced many subsequent recommendations and legislation.

The CCPA secures the following privacy rights for California consumers, including:

• The right to know about the personal information a business collects about them, how it’s used, and how it’s shared
• The right to delete personal information collected from them
• The right to opt out of the sale of their personal information
• The right to non-discrimination for exercising their CCPA rights

Companies are required to provide consumers with transparency regarding their data practices. In fact, the CCPA is quite expansive in that it also applies to data brokers.

The Children’s Online Privacy Protection Act (COPPA) is a 1998 data privacy law that seeks to protect children under the age of 13 in their online activities. COPPA imposes restrictions on operators of web services targeting children under 13. In addition, COPPA also imposes restrictions on operators of web services who know they are collecting personal information from a child under 13 years of age.

Under these restrictions, a web operator must:

• Include in a privacy policy with when and how to seek verifiable consent from a parent or guardian
• Explicitly state their responsibilities in protecting the children’s safety and privacy online
• Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online
• Notify parents of any changes to data practices that they previously consented to on behalf of their child
• Provide a way for a parent to review the personal information collected from their child
• Provide a way for a parent to refuse to permit the web operator’s further use or maintenance of their child’s data
• Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children under the age of 13
• Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
• Operators are prohibited from conditioning a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity

The Health Insurance Portability and Accountability Act (HIPAA) is an American 1996 law governing the collection, storage, management, and use of personal data in a health and medical context. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the HIPAA requirements. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

Specifically, HIPAA seeks to:

• Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions
• Reduce healthcare fraud and abuse
• Enforce standards for health information
• Guarantee security and privacy of health information

Though it was imagined as a personal health information law and not as a general data privacy law, HIPAA lays the groundwork for many modern data privacy regulations.

Many of our customers ask how we handle data privacy and implement data protection at Mailgun. We gave you the short version above, but here’s the long version:

• We go far beyond the minimum requirements of the GDPR(along with the European Commission Board recommendations).
• We don’t (and didn’t) only rely on the Privacy Shield, so it’s not an issue that the CJEU ruling in July 2020 declared the Privacy Shield as inadequate.
• We maintain Standard Contractual Clauses (SCCs) for all our data transfers – including transfers with our sub-processors that process our customers’ personal data. These SCCs, as per the CJEU ruling, continue to be a valid legal mechanism to transfer data under the GDPR. If you’re using Mailgun, your data is safe and valid.

To go one step further, we’ve implemented additional safeguards beyond SCCs, to ensure that we have proper technical and organizational measures in place for any personal data transfers, including data encryption and security. What does this mean?

It means we have the highest security measures in place to protect the personal data we process. In addition, we have a vendor management procedure in place to ensure all our sub-processors respect our strict requirements. We use this vendor management procedure to:

• Control all of our data sub-processors
• Audit and inspect all of our data sub-processors
• Conduct frequent audits on all processing and/or transfers of our customer’s personal data.

This is basically a fancy way of saying that our data processes and data processors are safe, valid, and frequently inspected. We also perform audit risk assessments, and we implement the requisite technical and organizational measures to ensure that proper security and data protection are respected. Learn more about Mailgun’s security and privacy measures.

No, you don’t have to do anything – we’ve already implemented all necessary protections. Mailgun has you covered and protected, like a kitten swaddled in bubble wrap.

We know that data privacy laws move at lightning speed, but we’re dedicated to staying ahead of these changes and to having a lawful basis for data transfers in compliance with applicable data protection laws.

If you want to know more, take a look at our Data Processing Addendum (DPA), which provides information on how we process your personal data and includes the specific measures we have in place to keep this protected.

We understand our customers’ concerns and remain steadfast in our commitment to ensuring that their data is secure and protected. And, as long as we’re here, you can rest assured that we’ll be going above and beyond to protect that data – and its transfers – under international laws. So feel free to kick back and leave data privacy to us.

Do you have any additional questions about data privacy for our Legal team? Feel free to drop them a line at legal@mailgun.com!

Author: Darine Fayed Darine Fayed is the Vice President Head of Legal EMEA for Sinch. She provides legal counsel on our international contracts, oversees our data protection and handles a variety of other legal matters. She writes often about compliance laws and policy standards that affect email communication.