PRIVACY IN OTHER JURISDICTIONS

The last couple of years have seen a great deal of activity in the domain of privacy and data protection. Businesses today gather large amounts of information about their consumers, making them exposed to data breaches and cybersecurity incidents in the absence of explicit data protection regulations. Unauthorized access to and exploitation of millions of people’s sensitive personal data can have serious consequences and destroy consumers’ privacy.

India is still in the process of establishing data protection laws, and there is presently no particular data protection law in place. At present, Section 43(A) of the Information Technology Act, 2000 provides citizens with basic personal data protection in India. Several countries outside of India, however, have already established data protection regulations.

In this blog, we shall discuss some of these major data protection laws that have been implemented around the world.

General Data Protection Regulations (GDPR)

The GDPR came into force in May 2018 and is seen as the gold standard for data protection regulations. The regulations apply to any data of a “natural” person and further define personal data as any information that may lead to the identification of an individual including, but not limited to, name, email address, location, and biometric data. Any organization offering goods and services or monitoring the online behaviour of EU citizens falls under the ambit of the GDPR, including organizations that are located outside the EU.

The companies (Data controllers) involved in the collection and processing of data for the abovementioned activities need to make sure they are compliant with the regulation. If they are processing data on a large scale, a Data protection officer (DPO) is to be appointed to oversee the process and regular Data Protection Impact assessments are to be carried out where “high-risk” data (biometrics/genetic data) is being collected. Further, the data controllers must make sure only data necessary for their services is collected lawfully and transparently and proper security measures are taken to maintain the integrity and confidentiality of the user data. The data controllers remain accountable in the event of a breach of data, and it extends to incidents where such breaches take place under an appointed data processor. It also requires that data subjects whose data has been breached are informed of the same.

The GDPR also gives the data subjects control over their data and rights as mentioned below:

Right to be informed
Right to access
Right to rectify information
Right to erasure/right to be forgotten
Right to data portability
Right to restrict data processing
Right to object
Automated individual decision making

All requests by data subjects are to be handled within 30 days of receiving them. GDPR also requires the companies to ask for user consent before their data can be collected and processed and the consent should be allowed to be withdrawn at any time. Further, a “privacy by design” approach should be followed and data protection should be built at the core of every business.

The GDPR imposes a two-tier fine for violations. Companies in breach of the regulations may face fines up to 23 million dollars or 4% of their global revenue (whichever is higher). For less severe breaches the fines are 10 million dollars or 2% of global revenue. Authorities can also ban companies from processing data of EU citizens.

California Consumer Privacy Act 2018 (CCPA)

The CCPA came into force in January 2020 and applies to “businesses” that collect “consumer” data. Where Consumer means a California resident and business means a for-profit entity that meets one of the following requirements:

Generates over $25 million in annual gross revenue.
Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes. (Set to be increased to 100,000 under California Privacy Rights Act (CPRA))
Derives 50% or more of its annual revenue from selling consumer personal information.

Under CCPA, businesses need to show they are taking protective measures to safeguard the data consumers chose to share with them. Like the GDPR, consumers have the right to withdraw consent from the collection and processing of their personal information, and a link with “do not sell my personal information” needs to be placed on the websites. For users under 16, explicit consent is needed. Personal information means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” CPRA which comes into force in 2023 will provide further individual rights and a new category of “sensitive data” like race, ethnicity, etc. Consumers are afforded the following rights under the CCPA:

Right to access information
Right to the knowledge of collection and sale of data
Right to stop the sale
Right against discrimination (in case rights are exercised)

Consumers can sue businesses in case of breach of data due to their negligence and is limited to $750 per consumer. Compared to GDPR the amount seems insignificant, but class actions can be filed under CCPA and would leave a business open to considerable exposure in such a situation. The attorney general is also allowed to bring an action in case a pattern of misconduct has emerged.

Singapore’s Personal Data Protection Act (PDPA)

The PDPA came into force in February 2021 and applies to organizations, and companies handling the personal data of Singapore residents, whether incorporated in Singapore or not. There are also exemptions in the case of:

Individuals using data for their personal purposes
Employees in the course of their employment with an organization
Public and government agencies, as they have their own set of privacy rules

Personal data is defined as “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access”.

Lawful user consent is required before collecting and processing data and consent can be either affirmative or deemed. Users are also to be notified why their information is being collected, how it will be used and that they have a right to withdraw consent. Organizations are prohibited from restricting access to services/websites if consent to the collection is not granted. Further, the collection of data needs to be done in a limited and transparent manner and cross-border transfers of data can only take place if the jurisdiction has comparable data protection laws. The data intermediaries, unlike the GDPR, do not bear any responsibility in case of a breach and the sole liability lies with the organization.

The fines for non-compliance with the act are $1 million or 10% of the annual turnover of a company with an annual turnover of $10 million (whichever is higher).

China’s Personal Information Protection Law (PIPL)

PIPL came into force in November 2021 and applies to personal information processing entities and/or entrusted parties which are equivalent to GDPR’s data controller and data processors respectively. It also applies to entities located outside of China but who provide products or services, analyze/assess the behaviour of individuals in China, or when required by law to do so. Such foreign entities are required to appoint a dedicated representative in China to liaison with the domestic authority. Data has been categorized into personal information and sensitive personal information. The difference is that sensitive information may not only identify an individual but also infringe upon their dignity or expose them to harm to personal safety.

The PIPL requires entities to get express consent from data subjects, which can be withdrawn anytime. If any changes are made to the method of processing of information, fresh consent needs to be taken from the subjects. Further, the entities are required to implement strict security measures and conduct personal information protection impact assessments and retain the records for 3 years. In the case of cross-border transfers, a separate user consent needs to be taken and data can only be shared with recipients providing similar levels of data protection as under PIPL.

The regulation also guarantees the rights to data subjects mentioned below:

the right to access, correct, erase, object to and restrict the processing of the individual’s data
the right to data portability
the right not to be subject to automated decision making
the right to withdraw consent; and
the right to complain to the regulator.

The regulatory authority may impose administrative, civil, or criminal liability on organizations found to be non-compliant. Their licenses to operate may be cancelled, illegal profits confiscated or may be fined up to 50 million RMB or 5% of annual revenue, though it is unclear if it is global or domestic revenue. People handling the personal data may also be held personally liable and can be fined up to a million RMB. Violations may also be recorded in the “credit files”. An action in tort may also arise, with the burden of proof on the violating organization.

Conclusion

Today, many countries have established privacy legislations, and new ones are being enacted everyday. This necessitates that you quickly comply with the privacy regulations of the jurisdiction in which you operate, or risk severe fines.
At Tsaaro, we have a team of privacy professionals that can assist your business in complying with these and other data protection standards throughout the world.
Join us today to secure your organisation by utilising our wide data protection services such as Data Protection Officer as a Service, Regulatory Assessments, Regulatory Process Implementation, and Privacy Risk Management.

Check out our Services page for further information.