Data privacy, sometimes also referred to as information privacy, is the area of data protection that deals with the proper handling of sensitive data, notably personal data but also other confidential data such as certain financial and intellectual property data, in accordance with regulatory requirements, and with protecting the confidentiality and integrity of that data.
WHY IS PRIVACY LAW IMPORTANT?
Privacy laws are important for several reasons. Primarily, they are a necessity for industries such as banking, healthcare, and law, and the professions governed by them are required to uphold them both online and offline.
The protection of personal data and confidential information is of the utmost importance. When items such as financial data, health information, and other personal data of consumers or users fall into the wrong hands, it can create a dangerous situation. Lack of control over access to personal information can put people at risk for fraud and identity theft.
In addition, a government-level data breach can threaten the security of entire countries. This is where data protection laws become possibly the most important factor. As more and more of our lives and activities take place online, cyber security is a growing concern.
1. European Union
The EU's General Data Protection Regulation (GDPR), which governs how individuals' personal data is processed and transferred in the EU, came into effect on May 25, 2018. The GDPR protects people in the EU from unlawful data collection or processing and works to enhance consent requirements, provide enhanced user rights, and require privacy policies written in an easy-to-understand manner.
GDPR requirements apply to every member state of the European Union, with the aim of creating more consistent protection of consumer and personal data across all EU countries. Some of the main privacy and data protection obligations include:
- Requirement of subjects' consent to data processing
- Anonymization of collected data to protect privacy
- Providing data breach notifications
- Secure handling of data transfers across borders
- Requiring certain companies to appoint a data protection officer to monitor GDPR compliance
GDPR is comprehensive privacy legislation that applies to all sectors and to companies of all sizes, and it is the most stringent privacy law in the world to date. It has since prompted other jurisdictions to raise the requirements of their existing laws and to create new ones.
2. Australia
The Australian Privacy Principles (APPs) are Australia's privacy law, consisting of 13 principles that serve as guidelines for the management of personal information. They regulate standards, rights, and obligations regarding:
- Collection, use, and disclosure of personal information
- Governance and accountability of the organization or agency
- Integrity and correction of personal information
- The rights of individuals to gain access to their personal information
One of the functions of the Office of the Australian Information Commissioner (OAIC) is to investigate complaints of a breach of privacy regarding the processing of an individual's personal information. Anyone can file a complaint with the office at any time, free of charge, and the office will investigate as quickly as possible.
3. Brazil
Brazil's General Data Protection Law (LGPD) is the legal framework regulating the collection and use of personal data. It entered into force on August 16, 2020, and is enforced by the National Data Protection Authority (ANPD).
The LGPD was influenced by the European Union's General Data Protection Regulation (GDPR). Some of the main obligations it places on companies:
- Map all processing activities and maintain processing records.
- Process personal data in accordance with one of the legal bases for processing provided by law.
- Comply with the rights of data subjects.
- Notify authorities and data subjects in certain cases of security incidents.
- Appoint a person in charge, similar to but not identical to a data protection officer.
- Take technical, organizational, and security measures.
- Take additional measures in the case of international data transfers.
Organizations will need to prioritize compliance through a privacy-first approach while balancing it with revenue goals and building customer relationships. The risks of non-compliance are significant, and most companies cannot afford fines of millions of reais.
4. Canada
There are two federal privacy laws in Canada, both overseen by the Office of the Privacy Commissioner of Canada:
- The Privacy Act, which describes how the federal government manages personal information.
- The Personal Information Protection and Electronic Documents Act (PIPEDA), which encompasses how businesses manage personal information.
The Privacy Act deals with an individual's right to access and correct personal information held by the Government of Canada. The law also covers the government's collection, use, and disclosure of personal information. The Privacy Act applies only to federal government agencies listed in the Privacy Act Schedule of Institutions.
PIPEDA sets the basic rules for how private sector organizations collect, use, and disclose personal information in the course of commercial activities across Canada. It also applies to the personal information of employees of federally regulated businesses, such as:
- Telecommunication companies.
5. China
China's Personal Information Protection Law (PIPL) became effective on November 1, 2021. Along with the Cyber Security Law and the Data Security Law, the PIPL is the third of three Chinese laws aimed at ensuring an integrated approach to cyber security, data security, and data privacy. The PIPL has several elements that strongly resemble the EU GDPR. It is intended to protect personal information, regulate its processing, and promote the acceptable use of personal information.
The PIPL also has extraterritorial reach: it applies when businesses outside China process the personal information of Chinese citizens for the purpose of:
- The offering of goods or services to domestic individuals
- Analysis and assessment of activities of domestic natural persons
- Other situations provided for by laws and administrative guidelines
Parties hoping to do business in China should be wary of legal ambiguities as they navigate data privacy in China.
6. India
India's Personal Data Protection Bill was introduced in Parliament in December 2019. Since then, India has witnessed key developments in the field of privacy and personal data protection across various industries.
Currently, the Information Technology Act 2000, together with supplementary regulations, is the legal framework for ensuring the protection of personal information.
The high risk of unauthorized access to personal data led to the development of IS 17428, the latest standard issued by the Bureau of Indian Standards (BIS) to regulate data privacy practices in organizations. It provides a framework for creating, implementing, and maintaining up-to-date data privacy practices.
The standard consists of two parts:
- The first part sets out mandatory technical and administrative requirements for protecting the confidentiality of personal and confidential data.
- The second part recommends specific practices that organizations may follow to go beyond the requirements of the first part.
India is on the verge of following the EU's lead and streamlining data protection rules, even as there are reports of a possible overhaul of the bill.
7. Israel
The main legislation governing data protection in Israel is the Protection of Privacy Law, 5741-1981 ('the Privacy Law') and its regulations, the most important of which are the Privacy Protection (Data Security) Regulations, 5777-2017 ('the Security Regulations'). Other relevant sources are the Basic Law: Human Dignity and Liberty, 5752-1992, and the guidelines issued by the Israeli supervisory authority, the Privacy Protection Authority ('PPA').
The PPA publishes its interpretation of the responsibilities under the existing Privacy Law, which applies to all entities in Israel, whether private, business, or public, that store or process personal information.
The PPA represents Israel in the international privacy field and contributes to the legislative process. It has administrative and criminal investigative powers and can carry out assessments and audits of any entity covered by the Privacy Law. The PPA may also impose administrative penalties in certain circumstances.
The Israeli government in February 2018 approved an amendment to the prevailing Privacy Law that would give the PPA greater powers to investigate data privacy breaches and levy fines of up to ILS 3.2 million (approximately 900,000 EUR) for violations, if passed by the Knesset. It is presently not clear whether this amendment will move forward.
8. Japan
In 2003, the Act on the Protection of Personal Information (APPI) was enacted to regulate privacy issues in Japan, making it one of the first data protection regulations in Asia. The Personal Information Protection Commission (PPC) is the central agency that acts as the government's oversight body on privacy issues. The APPI underwent a major overhaul in September 2015 after a series of high-profile data breaches in Japan made it clear that its requirements no longer met modern needs.
The amended APPI took effect on 30 May 2017, a year ahead of the EU General Data Protection Regulation (GDPR). On June 5, 2020, the Japanese Parliament approved a bill to further amend the APPI (the "Amended APPI"), which took effect on April 1, 2022.
The new amendments bring the APPI further into line with the GDPR by expanding the scope of Japanese data subjects' rights, making data breach notifications mandatory, and limiting the range of personal information that can be delivered to third parties.
The APPI applies to all business operators that process the personal data of individuals in Japan. This covers both companies located in Japan that offer goods and services there and companies based outside Japan that do so. Thus, like the GDPR, the Japanese privacy law has an extraterritorial scope.
9. United Kingdom
The current legal framework, as amended following the UK's withdrawal from the European Union on 31 January 2020, has applied in the UK since 1 January 2021.
All organizations in the UK that process personal data must comply with these two data privacy laws or face fines of up to £17.5m or 4% of annual global turnover, whichever is greater.
10. United States Of America (USA)
There is no single law in the United States that covers the privacy of all types of data. Instead, there is a mix of laws referred to by acronyms such as HIPAA, FCRA, FERPA, GLBA, ECPA, and COPPA. No federal law regulates in general what data is collected and how it is used. Lawmakers have tried for years to pass a federal privacy law, but to no avail.
While there is currently no data privacy law that applies to all industries at the federal level, each state in the Union has its own data privacy laws. Some examples include New York State's 23 NYCRR 500, which applies to financial institutions operating in New York, the California Consumer Privacy Act (CCPA), which has a much broader scope, and the Colorado Privacy Act in Colorado.
The CCPA has many provisions that overlap with the GDPR. California may be only one state out of fifty, but it has a larger population and annual GDP than most countries in the world, meaning that the market affected by the CCPA is a substantial part not only of the US economy but of the global economy as well.
All of these laws, however, protect only a fraction of US citizens or cases. A new privacy bill introduced by lawmakers Cathy McMorris Rodgers, Frank Pallone, and Roger Wicker on June 3 could change that. The American Privacy and Data Protection Act is the first comprehensive national data privacy framework with bipartisan and bicameral support, bringing it closer to becoming law than any federal privacy legislation previously introduced in the US.