The privacy legislation picture is growing ever more complex with more countries adopting new laws all the time. A key theme of PrivSec Global next month will be focusing on these legislative changes and other regulatory developments and what they mean. Here we pick out several jurisdictions that are seeing major changes.
According to the United Nations, two-thirds of countries worldwide have now put in place legislation to secure data protection and privacy and a further 10% have draft bills in the pipeline.
As public awareness of data privacy grows, and particularly since the implementation of the European Union’s ground-breaking General Data Protection Regulation (GDPR) three years ago this week, governments have felt compelled to respond in kind.
We have seen a slew of bills across the globe and although many of the basic principles around legitimate reasons for processing data, consent, data quality, and data security are shared, there are key differences in the way these objectives are being met.
This patchwork approach across the globe is a challenge, not just for data protection and privacy but for cyber security also, and particularly for organisations operating in different jurisdictions.
Next month’s PrivSec Global event features a whole group of sessions on regulatory developments around the globe, bringing you up to speed on the latest events and changes and enabling you to converse with thought leaders and businesses on the shifting landscape for regulation. You can find out more and register to attend here.
To get you in the mood, here we pick out some of the more interesting regulatory developments around the world.
The European Union
The success of GDPR can be seen in the number of pieces of legislation that are described as “GDPR-style” as well in the adoption of GDPR-standards worldwide by tech giants such as Microsoft.
There is a sense that, with the legislation having bedded down, regulators are now flexing their muscles and increasingly likely to use their enforcement powers. Research published by a law firm in January showed a 19% annual increase in GDPR breach fines and suggested regulators were beginning to “test the limits” of their powers.
The Irish Data Protection Commission has however faced heat over what some, including campaigner Max Schrems, see as a lack of enforcement action.
The Irish DPC, which reportedly asked for more resources from the Irish government last year, is understood to be stretched by its role as the EU’s de facto data protection regulator for big tech. This is because many major tech firms have their EU headquarters in Ireland.
Helen Dixon, the Irish Data Protection Commissioner, has defended the commission’s record compared to that of other EU regulators, and was strongly criticised by Germany’s federal data protection regulator (BfDI) Ulrich Kelber.
This in March resulted in the unedifying spectacle of the European Commission Vice President Vera Jourova telling the regulators to “stop squabbling”, and raising the prospect of a centralised model of enforcement.
All of this raises questions about the future of the One Stop Shop model – under which organisations work with one supervisory authority (in the nation in which they are headquartered) even if they conduct cross-border data processing in several countries.
Another criticism of the GDPR is that it has fuelled a swathe of micro-claims for breaches and class action cases. Stewart Room, Global Head of Data Protection, Privacy and Cyber Security Legal, Strategy and Consulting Services at law firm DWF, told GRC World Forums in March that the threat of fines was creating perverse incentives not to be transparent. Room argues instead for fines to be waived where companies come clean about breaches at an early stage.
What next for GDPR? A key question is the extent to which the legislation needs updating in the face of new technology. Axel Voss, a politician who was a driving force behind the GDPR, warned in March that the legislation is now out of date as it hasn’t kept pace with new technology.
“We have to be aware that GDPR is not made for blockchain, facial or voice recognition, text and data mining… artificial intelligence,” said the German MEP.
Expect key debates over the next few years about how the regulation can be revised.
Hear more about GDPR at ‘Divergence in GDPR and the Financial Services Industry’ at PrivSec Global at 12pm on 24 June.
The key question in the United Kingdom’s data protection regulations is the extent to which the country will diverge from GDPR following Brexit. Indeed, UK politicians have made no secret of the fact they see this as a strong possibility. Culture Secretary Oliver Dowden has openly said the EU “doesn’t hold the monopoly on data protection” and made it clear the government doesn’t necessarily intend to follow GDPR word-for-word in its own regulations.
The key issue is what this means for data adequacy and the prospects for the free flow of personal data between the UK and EU and vice versa.
The good news is that a draft adequacy agreement is in place, and it has now also gained the broad support of the European Data Protection Board (EDPB), which last month found the two laws were “broadly aligned”.
However, scratch below the surface and there are concerns, and perhaps a lack of trust on the part of the European Commission, that the UK’s laws will remain equivalent. This can be seen in the decision to time-limit the adequacy decision to four years so that it can be reviewed.
The EDPB has raised concerns that the UK’s immigration rules could restrict GDPR rights and has also recommended the Commission looks into the UK’s surveillance powers and rules surrounding onward transfers of personal data.
Whether any of this is serious enough to jeopardise the adequacy agreement in the short term is unclear, but data protection experts in Europe will be watching the direction of travel. One possible solution, suggested by the European Parliament’s in-house think tank, would be the introduction of supplementary rules to “bridge the gap” between the UK and EU regimes.
The first week of November 2020 was a dramatic time in United States politics, with huge ramifications for global politics.
But while the world watched as President Donald Trump lost his grip on power, privacy professionals were (perhaps) as interested in other events in California. Voters in the Sunshine State passed the Proposition 24 ballot bringing the California Privacy Rights Act into law.
This law, itself coming hot on the heels of the first comprehensive state privacy law, the California Consumer Privacy Act, established the California Privacy Protection Agency (CPPA) – an independent agency to handle regulation and enforcement.
It also allows consumers to prevent businesses from sharing personal data, amend their personal data, and limit the use of “sensitive personal information” such as precise geolocation, race, ethnicity and health information. Companies would need to apply data minimisation and consumers are able to find out the length their data will be retained.
California has led the charge, but now other states are also trying to pass their own legislation. In March, Virginia became the second state to pass a comprehensive privacy law with its Consumer Data Protection Act, which comes into effect in 2023.
Several states have also seen their attempts to pass a law fail, including Washington and, earlier this month, Florida (see box below).
The situation state-by-state is changing rapidly and there is even a #patchwork2021 hashtag on Twitter for people to follow the latest.
At-a-glance: state privacy legislation in the US
Passed but not yet taken effect
Alabama, Alaska, Arizona, Colorado, Connecticut, Illinois, Maryland, Massachusetts, Minnesota, New Jersey, New York and Texas.
Failed to pass
Washington, Kentucky, Mississippi, North Dakota, Oklahoma, Utah, West Virginia and Florida.
And what prospects for a federal privacy law?
Democratic lawmaker Suzan Delbene in March reintroduced a bill aimed at creating a uniform standard for privacy rights across the US, arguing the emerging patchwork situation is too onerous for consumers and small businesses. It remains to be seen whether momentum behind Delbene’s drive will increase.
Hear more about US data protection laws at ‘Americas Focus: USA and the Developing Nature of Privacy Law’ at PrivSec Global at 5pm on 22 June.
While questions remain over whether the US will ever have an all-encompassing federal privacy rule, supporters of such a move may want to look south for inspiration.
Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) was passed last September, uniting 40 different statutes governing personal data under one mechanism.
LGPD has been described as ‘GDPR-like’ in that its key privacy-preserving principles are accountability, transparency and data minimisation.
However the LGPD has some key differences, including 10 legal bases for processing personal data, compared to GDPR’s six. LGPD includes legal bases for studies by research agencies, and the regular exercise of rights in court proceedings, credit protection and health protection.
Further questions are likely later this year when the LGPD enforcement regime becomes operational. The administrative sanctions of the legislation do not come into effect until August.
Brazil, then, will have to wait a few months for enforcement action under its new data privacy law. In South Africa, however, the country’s landmark new data privacy law will be enforced a little sooner.
Businesses are currently rushing to ensure they are compliant with the new Protection of Personal Information Act (POPIA) ahead of a deadline of June 30, after which enforcement begins under a new Information Regulator.
POPIA, like GDPR and CCPA, is built on the principles of accountability, transparency, security, data minimisation and the rights of data subjects.
The act grants citizens rights regarding their personal information and establishes eight bases for lawful processing.
POPIA is widely seen as containing a wider definition of data, using ‘personal data’ rather than the ‘personally identifiable data’ under GDPR.
Miranda Nolan, security writer at Mimecast, says the legislation also “broadens the traditional concept of a data breach beyond just exfiltration.” She says: “Any unauthorised access to personal information constitutes a breach, even if the cybercriminal or employee does not do anything with that data.”
Hear more about South Africa’s data protection laws at ‘Regulatory Developments: POPIA and the Principles of Enforcement Action’ at PrivSec Global at 10am on 22 June and at ‘Regulatory Developments: POPIA and the Transition from Non-Regulation’ at 9am on 23 June.
Another fresh piece of legislation that definitely falls into the category of ‘GDPR-like’ is the Dubai International Finance Centre’s Data Protection Law, which came into effect last October.
It may be tempting to think that Dubai, with its international reputation as a place where it is easy to do business, would lag behind other nations in its adoption of data protection regulation, but as privacy concerns increase it is playing a central role in the Middle East region.
Lori Baker, one of the architects of the legislation and a speaker at PrivSec Global next month, has previously talked about how the DIFC law makes certain things mandatory that aren’t in GDPR, such as a requirement on companies engaged in high-risk processing to appoint a Data Protection Officer.
All eyes are now on how the law will be enforced, with Baker stressing that DIFC will take a softly-softly approach based on building awareness.
Where is it? India’s high-profile Personal Data Protection Bill (PDPB) has seemingly been on the verge of being enacted for a while now, but we are still waiting.
The bill has had its fair share of negative publicity, largely due to an exemption that allows the Indian government to exempt government agencies from the provisions of the bill for the purposes of public order and national security.
Others, however, including Naavi Vijayashankar, Executive Chairman of the Foundation of Data Protection Professionals (FDPPI), have argued that the criticism is overblown, that there are sufficient safeguards in place, and that provisions such as exemptions from consent or prior notice for law enforcement purposes merely mirror those in GDPR.
Thailand’s new Personal Data Protection Act is in danger of being postponed due to concerns that businesses won’t be ready in time.
The act covers collection, use and disclosure, including across borders, of personal data.
Principles in the legislation include data minimisation, data controllers informing data subjects of the purpose of the collection and the data-retention period.
Data subjects would have the right to access their personal data, rectify incomplete, inaccurate, misleading or out-of-date data, request erasure of their personal data, opt out of their data being used for activities such as direct marketing, and withdraw consent.
The act is supposed to come into effect next month, but the country’s digital economy and society minister Chaiwut Thanakhamanusorn has said it may be delayed.
China’s Personal Information Protection Law (PIPL) would be the first comprehensive national-level data protection law in the country; a draft has been published for consultation.
The law would create binding compliance obligations in many areas previously just considered guidance.
It consists of 70 articles and has similarities to the EU’s GDPR, emphasising seven principles for data processing: legality, explicit purpose, minimum necessity, transparency, accuracy, accountability and data security.
In April, a fresh draft of PIPL made headlines due to its requirement for internet platforms with a “large number of users” and “complex businesses” to establish their own data protection “watchdogs”, primarily composed of people from outside the company.
Meanwhile, privacy campaigners are excited about a court ruling in April that forced a zoo operator to delete visitors’ facial recognition data.
The ruling, by Hangzhou Fuyang People’s Court, was described by He Yuan, executive director of Shanghai Jiao Tong, as “hugely meaningful”, as for the first time a court has ruled that Chinese citizens can demand their data be deleted.
Hear more about privacy regulation in China at “APAC Privacy Focus: China - their own internal regulations, what’s coming, and how do they relate to China’s neighboring countries” at PrivSec Global at 8am on 24 June.