A WORLD TOUR OF DATA PROTECTION REGIMES

Sara Wong

August 9th, 2020

While we may be homebound and unable to travel the globe at the moment, our data isn’t.

In fact, in a single day, our data may have travelled to Singapore, the UK, India, and the USA before lunchtime.

Cloud computing has changed how ‘far from home’ our data can go and how frequently it goes on these trips. This new, complex reality is why regulators have been struggling to relevantly and adequately protect the data rights of individuals.

However, following the Cambridge Analytica scandal in 2018, more people woke up to the dangers of the relatively unchecked technology sector, and the difficulty of keeping up with technological innovations was no longer an acceptable excuse for inadequate regulation.

In light of this, what are regulators around the world today doing to keep pace with technology and protect our personal data?

On our world tour of data protection regimes, we’ll travel to the EU to consider the General Data Protection Regulation and to the USA to look at the California Consumer Privacy Act. We’ll also make a few quick stops to India and Australia and have a look at what is happening with data protection on that side of the globe.

General Data Protection Regulation

The first step on this tour has got to be the General Data Protection Regulation (EU) 2016/679, also known as the GDPR.

Referred to by some as the ‘gold standard’ of data protection regulation, the GDPR entered into force in 2016, but only began to be enforced in 2018. It has been an important and necessary legislative update, seeing as the last EU Data Protection Directive (95/46/EC) was written and adopted in the 1990s.[1]

Rights under GDPR

The GDPR’s aims include protecting people’s fundamental rights and freedoms, enabling the free movement of personal data, and contributing to economic and social progress and trade.[2] Harmonising data protection laws across the EU is another important goal of the GDPR.[3]

The regime seeks to fulfil these lofty goals both by reinforcing existing data rights and by establishing new rights for the everyday individual. A few examples of rights the GDPR protects include:

  • the right to erasure (aka ‘the right to be forgotten’), which entitles people to request controllers to delete their personal data based on certain criteria;

  • the right of access, which obliges controllers to provide data subjects with access to their personal data; and

  • the right to not be evaluated on the basis of automated processing.

And with a maximum penalty of up to €20M or 4% of global turnover (whichever is higher) for breaches, even corporate behemoths have incentive to comply.[4]

The GDPR in action

But what effect has the GDPR actually had over the last two years?

For one, the GDPR has compelled organisations to develop and improve cybersecurity measures, which help to limit data breaches and the impact of such breaches. Cisco’s 2019 ‘Data Privacy Benchmark Study’ reported that GDPR-ready organisations were less likely to have experienced a breach in the previous year, and if they did suffer breaches, they lost fewer records and saw smaller incident costs.[5]

From a consumer’s perspective, you may have noticed that, around May 2018 when the GDPR began to be enforced, websites began asking for your consent to enable cookies. Companies also started sending you emails notifying you about their updated terms and conditions.

Enforcement of the GDPR has also resulted in 160,000 reported breaches and €114M (AUD185M) in fines.[6] Examples of hefty fines that have been imposed include France’s €50M (AUD81M) fine against Google for its non-transparent process of gathering consent, and the UK’s €204M (AUD332M) fine against British Airways in July 2019 for a significant data breach.[7]

But it’s not all good news…

Alongside the positive impacts of the GDPR, there have been some undesirable effects, as is inevitable.

Some argue that the GDPR has been hampering innovation in the blockchain space, given that distributed ledger technology is at odds with the GDPR’s ‘right to be forgotten’.[8] The ubiquitous opt-in pop-ups that greet you every time you visit a new website have also caused ‘consent fatigue’ for many consumers, who become inclined to automatically click ‘accept’ instead of actively engaging with the choice to opt out. Moreover, small businesses lacking the financial and legal resources to be GDPR compliant are more vulnerable and more likely to be hit with fines and penalties—there is still a knowledge gap, and many business leaders still do not fully grasp basic data security concepts like encryption.[9]

In sum…

Despite its shortcomings, the GDPR has undoubtedly earned its place as the pioneer of data protection regulation for the modern age, as it has prompted countries around the world to face, instead of neglect, the challenge of regulating data flows, usage, and storage.[10]

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (‘CCPA’) is another regime that may have an outsized influence on data protection regulation in the future. Dubbed by some as the American version of the GDPR,[11] the CCPA came into effect in January 2020 and started to be enforced on 1 July 2020.

Businesses will be subject to the CCPA if they:

  • earn USD25M (AUD36M) or more in revenue every year;

  • buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices every year; or

  • derive 50% or more of their annual revenue from selling consumer personal information.[12]

Consumer rights protected by the CCPA include the right to notice, the right to access, the right to opt in or out of the sale of personal information, the right to request deletion, and the right to equal services and prices.[13]

In some ways, the CCPA is not as restrictive as the GDPR. For example, it does not restrict the transfer of personal data outside the US, does not require the appointment of data protection officers, and only limits the right to access data that has been collected within the last 12 months.[14] However, in other respects, the CCPA expands the scope of the GDPR. For example, the CCPA’s definition of ‘personal information’ includes household information. Furthermore, other provisions afford California citizens the absolute right to opt out of the sale of their personal information.[15]

It will be interesting and educative to see how the CCPA will, over time, shape data practices and regimes both in the USA and around the world.

PERSONAL DATA PROTECTION BILL


The Personal Data Protection Bill (‘PDPB’) was introduced into India’s Parliament in December 2019. If passed and implemented, the PDPB will replace the Information Technology Act, 2000.

The Bill outlines seven data protection obligations:

  • Fair and reasonable processing;

  • Purpose limitation;

  • Collection limitation;

  • Notice;

  • Data quality;

  • Data storage limitation;

  • Accountability; and

  • Consent.

While it is currently still being debated in Parliament, the PDPB may turn out to be even more stringent than the GDPR and the CCPA. For example, ‘reasonable purposes’ for processing data under the PDPB are to be determined by India’s proposed Data Protection Authority. This is in contrast to the GDPR, which allows data controllers to determine for themselves whether they have legitimate interests to process data.[16] The PDPB’s storage limitation provisions also require that data which has finished serving its lawful purpose be deleted, while the GDPR allows such data to be retained as long as it is in a form that no longer identifies individuals.[17]

If the PDPB ends up passing into law in August 2020,[18] it will be one to pay attention to.

THE AUSTRALIAN REGIME


Finally, our last stop is to the land Down Under.

While Australia does not have one holistic data protection regulation, it protects data rights through a combination of broad and specific Acts.

At the federal level, the Privacy Act 1988 provides the foundation for privacy protection. The Act outlines the 13 Australian Privacy Principles (‘APPs’) that govern standards, rights and obligations related to the collection, use and disclosure of personal information, governance and accountability, integrity and correction of personal information, and rights of access.

The APPs only apply to certain entities, such as Australian government agencies and Australian businesses with an annual turnover of more than AUD3M.[19] This is in contrast with the GDPR, which applies to data controllers and processors regardless of their size or turnover. The APPs also do not enshrine specific individual rights like the right to be forgotten, and they set out a more liberal definition of consent—that is, consent simply has to be ‘express’ or ‘implied’[20]—compared to the GDPR’s more robust definition of consent.[21]

In an effort to strengthen the Privacy Act, in March 2019 the Australian Government announced reforms to the legislation centred on increasing the penalties for both serious or repeated breaches and minor breaches of the Privacy Act.

Outside of the Privacy Act, there are federal Acts including the Telecommunications Act 1997, the Criminal Code Act 1995, and the National Health Act 1953 that also address data and privacy concerns, albeit for specific industries and contexts.

While not comprehensively contained within a single regulation like the GDPR, Australia’s data protection regime is by no means underdeveloped. Australia is following the rest of the world in updating its laws to protect data privacy more effectively.

Next Destination?

The surge of efforts to create more robust, relevant data protection regimes around the world in the last two years has marked the beginning of an era of awareness and protection of data rights. The combined effect of these regimes, and the data breach scandals we hear about too often nowadays, is that we are starting to be more quickly alerted to the possible abuses of data by any type of organisation or application.

Just a few months ago, we saw Zoom get hit with criticism for its inadequate privacy and security protections, which pressured the San Francisco-based video conferencing company to implement a 90-day feature freeze to prioritise crucial security software updates. This happened within a month of reaching its peak of 200 million users.[22]

Furthermore, although millions around the world have downloaded COVID-19 tracing applications in recent months, the apps have also been heavily scrutinised to determine whether personal data collected by them would be adequately protected.[23]

As the juggernaut that is technology continues forward, we will need to be responsive and keep data protection regimes as relevant and up-to-date as possible. The non-interventionist or the ‘let’s wait and see’ approach is no longer acceptable—we have learnt our lesson from Cambridge Analytica.


[1] https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en

[2] https://gdpr-info.eu/art-1-gdpr/

[3] Ibid.

[4] https://gdpr-info.eu/art-83-gdpr/

[5] https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/dpbs-2019.pdf (page 2).

[6] https://which-50.com/gdpr-fines-top-e114-million-report/

[7] https://www.adexchanger.com/privacy/google-loses-its-appeal-on-50-million-euro-gdpr-fine/

[8] https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf (page 7).

[9] https://gdpr.eu/2019-small-business-survey/

[10] https://theword.iuslaboris.com/hrlaw/whats-new/the-impact-of-the-gdpr-outside-the-eu

[11] https://iapp.org/news/a/analysis-the-california-consumer-privacy-act-of-2018/

[12] California Consumer Privacy Act of 2018, s 9 <https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121>.

[13] California Consumer Privacy Act of 2018, ss 1-8 <https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121>.

[14] https://www.dwt.com/blogs/privacy--security-law-blog/2019/07/consumer-rights-under-to-ccpa-part-1-what-are-they

[15] https://www.dlapiper.com/en/us/insights/publications/2019/04/ipt-news-q1-2019/ccpa-vs-gdpr/

[16] https://iapp.org/media/pdf/resource_center/india_pdpb2019_vs_gdpr_iapp_chart.pdf

[17] Ibid.

[18] https://www.dqindia.com/defining-privacy-data-privacy-indian-pdpb-2019/

[19] Privacy Act 1988 (Cth), ss 6, 6C, 6D, 15.

[20] Privacy Act 1988 (Cth), sch 1 cl 3.3.

[21] https://gdpr-info.eu/recitals/no-32/

[22] https://blog.zoom.us/a-message-to-our-users/

[23] https://www.cpomagazine.com/data-privacy/amnesty-international-investigation-identifies-the-worlds-most-privacy-invasive-contact-tracing-apps/