Data without Boundaries
A Primer on Global Data Privacy Laws
The Covid-19 pandemic has emerged as a game changer for the “Digital Age.” The pandemic caused an explosion in the amount of data generated and consumed globally, and dependence on technology has increased manifold. The issues that cropped up out of this explosion highlight some of the critical problems that the future holds for internet and data governance. The greatest challenge is to create a viable legal governance framework that can keep pace with ever-changing and evolving technology.
We need to rethink the “Data is the new Oil” analogy. Yes, data has become the most valuable resource on earth, but it cannot be regulated like a traditional natural resource. Data is limitless and easily accessible; the challenge is to use it in a manner that creates value but does not invade privacy. Data needs to flow without restrictions and must be available to all. The idea of “Internet Freedom” has become integral to the Digital Age.
Data Privacy — Global landscape:
Data privacy and protection have been growing concerns since the internet came into being. The issue reached a tipping point with the emergence of massive social media platforms, which have amassed a treasure trove of data.
The Facebook-Cambridge Analytica scandal has become a classic cautionary tale of the misuse and exploitation of data. The data of millions of Facebook users was allegedly harvested and profiled for political purposes. The case set off a chain of events in which Mark Zuckerberg had to testify before the US Congress and a fine of $5 Billion was eventually paid to the US Federal Trade Commission for misuse of data. Facebook faced multiple actions and scrutiny across the globe and paid fines to several regulators in different countries. Apart from the massive fines, the scandal damaged Facebook's reputation and created a deep-rooted mistrust of social media companies.
Around the same time as this scandal was playing out, the European Union introduced a revolutionary data protection law, the General Data Protection Regulation (GDPR), on May 25, 2018. Technically the GDPR is not the first privacy law in the world, but it is the frontrunner in addressing the latest issues that have emerged from technological advancements. The law sets out the toughest standards for organisations that collect, use and share data. There was a massive movement among organisations to become GDPR compliant and ensure that they maintain the highest privacy standards.
In the aftermath of the Cambridge Analytica scandal, Facebook announced in 2018 that it would ensure a GDPR level of privacy standard worldwide and stick to the “gold standard” in privacy.
GDPR — an important step forward:
· The law has an extra-territorial scope, which simply means that a law of a different country may apply to you under certain conditions, such as handling the personal data of its citizens or remotely offering services in its territory.
· GDPR lays down seven principles for transparency and accountability. These principles must be followed while collecting, sharing and processing data. Valid consent is one of the main requirements for collection and processing of personal data.
· The law requires organisations to adhere to accountability measures such as appointing a “Data Protection Officer” and implementing grievance redressal mechanisms.
· Individuals are empowered with rights over their data which can be enforced by the law.
· The law also lays down obligations to maintain data security and to notify data breaches.
· GDPR prescribes harsh penalties for infringement, up to a maximum of €20 million or 4% of annual global turnover.
· The GDPR also has an extensive framework for cross-border transfers of data beyond the EU; such transfers need to be governed by specific contracts (standard contractual clauses) or special provisions in law (adequacy decisions) which allow them.
In 2020 Google was fined 50 million euros by the French data protection authority CNIL for not living up to the standards set by the GDPR. Google's data collection and processing policy was not transparent enough when taking consent from its users.
It is important to understand that the GDPR is not just about big organisations failing to live up to privacy standards; it covers all entities, big or small. According to the leading research organisation DLA Piper, in 2020 the data protection authorities in the EU recorded 121,165 data breach notifications and the penalties totalled $191.5 million.
From 2021 onwards, Brexit has caused further complexity in the data privacy laws of the UK. The UK will no longer be governed by the GDPR, which ends the free flow of data across its borders into the EU. The GDPR now treats the UK as a third party, and this translates into increased contractual compliance for entities engaging in cross-border data flows.
Data Privacy and US:
The US still lacks a GDPR-like law at the country level, but states like California have taken the lead in enacting a state-specific comprehensive data privacy framework: the California Consumer Privacy Act of 2018 (CCPA) became effective in 2020. Many other states are following this lead and are in the process of promulgating new laws. The laws at the country level are sector-specific: for example, the Health Insurance Portability and Accountability Act (HIPAA) prescribes the privacy framework for the health industry, and the Children’s Online Privacy Protection Act (COPPA) provides a wide and extensive legal framework to protect the personal data of children. Additionally, the US Federal Trade Commission (FTC) has the power to protect consumer interests against unfair or deceptive trade practices, which include unfair data exploitation practices. The $5 Billion Facebook fine was imposed by the FTC.
Other Countries — Where are they on data privacy:
Singapore has a robust and comprehensive data privacy framework echoing the EU GDPR. The law balances the right of individuals to data privacy against the need of organisations to use data.
Over the past few years Australia, Brazil, Japan, South Korea, Thailand and South Africa have already brought into force GDPR-inspired data protection laws. China, Canada and a few other countries have proposed revamped and comprehensive privacy laws.
India — Taking the right steps forward
During Covid-19 the Aarogya Setu contact tracing application was launched in India. The application collects and tracks sensitive data of an individual, such as demographic data and location data via GPS and Bluetooth. Initially the application was met with suspicion and concern: was this invasive collection of data going to lead to a state of surveillance? Who was going to assume responsibility and liability if the data was breached and misused? Was this going against individual freedom and the right to privacy? The concerns were later allayed by the Government.
In the Fintech space, unsecured loan applications have taken advantage of the Covid-19 situation and started exploiting the rich data trove India has under the garb of financial inclusion. Regulation is the need of the hour to balance the harm-benefit paradigm of the situation.
The geo-political situation in the India-China conflict has translated into a ban of over 118 Chinese applications citing reasons of compliance, privacy and national security. Data collected by Chinese applications poses a real risk of misuse.
The Information Technology Act, 2000 enforces a basic regime for data privacy and information security, but the law's shortcomings are apparent and it needs a revamp. The “right to privacy” was recognised in 2018 by the Supreme Court of India. Immediately afterwards, the “Justice B.N. Srikrishna Committee” was set up, which released a white paper on data privacy in India and the first draft of the proposed law in 2018. As of February 2021, the second draft of the bill, titled “The Personal Data Protection Bill, 2019”, is undergoing critical changes by a Joint Parliamentary Committee. The Committee is expected to present its report in the second week of March 2021 during the budget session.
In July 2020 the “Committee of Experts on Non-personal Data Governance Framework”, led by Infosys co-founder Kris Gopalakrishnan, released its report on the regulation of non-personal data. The Committee observed that non-personal data should be regulated to enable a data sharing framework that taps the economic, social and public value of such data, and to address concerns of harm arising from its use. Sectoral authorities in India have started becoming proactive in rolling out data governance. The telecom, banking, insurance and healthcare sectors feature significant regulations.
The Government has announced a National Digital Health Mission, which envisages a National Digital Health Ecosystem for creating a rich medical database that can be used by all the stakeholders of the healthcare system, from patients and hospitals to medical researchers.
The Personal Data Protection Bill, 2019 received a massive response to its call for stakeholder feedback: over 200 written submissions and depositions from companies like Facebook, Microsoft, Apple, Amazon, IBM, etc., and prominent industry bodies like the United States Council for International Business, Japan Electronics and Information Technology Association, ASSOCHAM, NASSCOM, etc.
Similarly, the expert committee for non-personal data had received over 1500 responses from industry bodies, organisations, individual companies and various other stakeholders. It becomes our responsibility as stakeholders to participate in the policy making process and ensure that all businesses are able to harness the power of data.
Individual data privacy, national security, consumer exploitation, monopolistic behaviour by “Big Tech”, increasing cyber incidents, unregulated Fintech industry, data sovereignty and data in the health industry are some of the key areas where solutions are required in the near future.
Globally, the regulatory framework for data is at a tipping point, with certain regions already taking proactive steps. While laws like the EU GDPR and the US CCPA are among the mature legal frameworks, India awaits its “Personal Data Protection Bill”.
An international business must ensure and guarantee the best data privacy standards to nurture trust with all the stakeholders from users to governments.
· DLA Piper: Data Protection Laws of the World website, available at https://www.dlapiperdataprotection.com/
· EU GDPR website, available at https://gdpr.eu/
· The Office of the Information Commissioner UK website, available at https://ico.org.uk/
· Ministry of Electronics and Information Technology website, available at https://www.meity.gov.in/
-Vivek Sadhale, Co-founder, LegalLogic Consulting
-Jay Nene, Legal Advisor, LegalLogic Consulting
(This article was first published in Sampada, the monthly magazine of MCCIA. The online edition can be accessed here http://www.mcciapunesampada.com/ )