Security and compliance professionals typically think about privacy in the context of regulatory requirements. For example, the EU’s General Data Protection Regulation (GDPR), HIPAA, the California Consumer Privacy Act (CCPA), and a growing number of other laws require organizations to protect personally identifiable information (PII) and personal health information (PHI). When that information is exposed in a breach, organizations are subject to fines, loss of customers, and reputational damage.
Less well understood are the privacy rights of users and how these differ between jurisdictions. For example, in the U.S. and U.K., employers are entitled to monitor private emails to establish whether the contents are business related. If the…