Advances in EU data law have tightened the way organisations handle the data of the bloc’s residents, and new legislation such as the GDPR is opening the eyes of leaders worldwide to the real value of data security in the digital era.
Google are finding out the hard way, following a £44m (€50m) fine from French regulator, Commission Nationale de l’Informatique et des Libertés (CNIL), for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”
“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” the tech giant said.
Beyond fines, the statement shows that companies must align with evolving consumer needs, and this is what the GDPR is really all about. If the stick has driven compliance in the short-term, then the long-term carrot of ethical data handling and safer societies is what’s capturing the imagination of government and business executives on a global level.
Below we take a look at how regimes around the world are adapting the GDPR’s philosophy into existing working cultures.
South East Asia
As the EU’s largest commercial partner in ASEAN (Association of Southeast Asian Nations), Singapore accounts for just under a third of EU-ASEAN trade in goods and services. The Singapore Data Protection Act (PDPA) borrows many of the GDPR’s principles, with consent playing a similarly central role.
Malaysia and neighbouring countries are picking up on the protection value that regulation can offer citizens, understanding how new legal frameworks can help local and national businesses to build operations that are credible on a global security level.
Malaysia’s communications and multimedia minister, Gobind Singh Deo, has now deemed data protection and interoperability a matter of urgency for ASEAN organisations following the signing of a regional ecommerce agreement.
The accord will help galvanise trust and confidence among ASEAN consumers in ecommerce, and allow ASEAN businesses to grow on all regional and international levels, according to Singapore’s Trade and Industry Minister, Chan Chun Sing.
Mr Singh Deo recently announced the 2019-2023 Strategic Plan for the Malaysian ministry’s departments and agencies, a scheme that comprises six initiatives designed to enhance reliable, affordable, and accessible telecommunications infrastructure.
He has described how the Personal Data Protection Department will embark on “an initiative to prepare the Public Sector Personal Data Protection Best Practices Draft,” as part of a review of the Personal Data Protection Act 2010.
Hong Kong has entered the regulatory limelight less ceremoniously, following the Cathay Pacific data breach which saw the personal details of around 9.4m travellers exposed.
Hong Kong’s Privacy Commissioner for Personal Data, Stephen Wong, admitted the intrusion may have constituted “a contravention of a requirement under the law,” and the breach has stimulated calls from industry insiders to refresh the city’s 22-year-old Personal Data Privacy Ordinance (PDPO), last updated in 2012.
Charles Mok, Hong Kong’s legislative councillor for information technology, emphasised the need for the city’s ageing data protection laws to be brought in line with European standards.
“Hong Kong’s laws lack not only teeth, but updated definitions, obligations for data processing firms, and rights for individuals. Our data protection law must evolve. The present PDPO is at least a decade away from the ongoing regulation regime in the EU.”
Echoing these sentiments, Stephen Wong, Privacy Commissioner for Personal Data (PCPD) said: “The European Union has a new regulation…and we also see some major data leaks in Hong Kong. I think it is time.”
Since the Cathay Pacific data breach, Mok and Wong are just two of the influential voices championing a revision of the PDPO while highlighting the need for accountability, not least to stop organisations from taking seven months to admit that a data breach has occurred.
Brazil
In July 2018, Brazil’s Federal Senate approved the Lei Geral de Proteção de Dados (LGPD), which promises to deliver an agency to enforce the nation’s existing data protection laws.
The LGPD’s definitions on key issues, such as personal data, are similar to the GDPR’s, and it establishes restrictions on the processing of sensitive data. Article 5 of the LGPD defines ‘sensitive data’ as any data pertaining to racial or ethnic origin, religious beliefs, political opinions, membership of syndicates or religious, philosophical or political organisations, data relating to health or sexual life, and genetic or biometric data when linked to a natural person.
The law applies broadly to data processing taking place in Brazil, and aims to protect personal data whether it is obtained electronically or physically, and whether by the private or the public sector.
User consent is another familiar core principle, with article 7 of the LGPD limiting the situations in which personal data processing is allowed. Explicit consent given by the data subject is required for the collection, use or processing of the data, and this consent must be given in writing. New rights are also provided regarding data access, updating and deletion, and data portability.
Besides civil liability, non-compliance with the LGPD can attract further penalties such as warnings, fines, suspension, and orders to cease data processing. Again, annual net revenue would be used to calculate any fines issued, which in turn would be capped at fifty million Brazilian reais (R$50m), the equivalent of around US$13m.
United States
Addressing the International Conference of Data Protection and Privacy Commissioners in Brussels in October last year, Apple boss Tim Cook condemned his country’s data-hoarding climate, which has allowed the likes of Alphabet-owned Google and Facebook to thrive.
“This is surveillance…these stockpiles of data serve only to make rich the companies that collect them. We at Apple are in full support of a comprehensive federal privacy law in the [US],” he said.
Cisco’s chief legal and compliance officer, Mark Chandler, picked up the thread in January, highlighting the GDPR’s promotion of freedom, control and accountability. “With a few differences, [it] should be brought in in the US as well,” he said.
On the whole, big tech in the States hasn’t been as keen, with many preferring self-regulation and a begrudging push for weaker federal rules.
California is marching ahead in terms of state regulation, through the Consumer Protection Act (CCPA), which was passed in less than a week last summer. Built on principles that value data privacy as a fundamental human right, the law calls upon organisations to know what data is collected and how it is used; retain the data in a readable format; maintain good access to data so that it can be easily used, moved and updated; be able to easily erase data when necessary; and notify regulatory bodies and potential victims of data breaches in a timely manner.
There’s a year to go until the CCPA comes into force, but organisations are already readying themselves for its arrival.
Meanwhile, a lobbying battle in Washington DC has been reignited, with groups such as the Association of National Advertisers (ANA) and the Interactive Advertising Bureau both demanding clarity in certain elements of the legislation while stressing that the new laws may disrupt business continuity.
Dan Jaffe, head of the ANA’s Government Relations office in Washington, said that in its current state the CCPA could force some brands’ bonus schemes into dangerous waters, as it could prove difficult to offer equal incentives to those who consent to data sharing and to those who refuse.
Companies would have to formulate “massive data pools” dedicated to honouring consumer personal information requests, which could at the same time become a big attraction to hacking, Jaffe said.
The CCPA will at least guarantee a busy 2019 in data protection for the USA. As the GDPR conducts its global shake-down, companies stateside will be compelled to take California’s new regulations seriously, and to comply within the prescribed 12-month window.
Other states are following suit. In early January, Massachusetts committed to updating its data breach notification law, which will go into effect in April of next year. Under the new amendments, companies suffering data breaches involving Social Security numbers will have to provide free support to victims for 18 months, and the state’s regulator will have to post information about breaches on its website. Washington State is also proposing its own version of the CCPA.
South Africa
Building upon the Electronic Communications and Transactions Act 2002 (ECTA) and the Consumer Protection Act (CPA), South Africa’s Protection of Personal Information (POPI) Act has been signed by President Cyril Ramaphosa, but the rules have not yet come into force.
The GDPR and POPI are similar in flavour, and firms in South Africa that have been preparing for the latter will be well-positioned to align with the obligations of the former, give or take a few tweaks.
The EU is a major trade partner of South Africa, which means POPI will have to fall in line with the GDPR. This may be achieved through parliamentary amendments, or through variances in regulatory interpretation.
With the POPI Act predicted to come into force in the first half of 2019, organisations in South Africa are being encouraged to bring a global view into their compliance journeys, so that laws including the GDPR and the ePrivacy Regulation are fully respected.
Ghana
The West African nation has been an active presence in Brussels this year, engaging in global discussions on technology and digital trends.
In keeping with the government’s National Transformation Agenda, Ghana is among the first four African nations to have ratified the Malabo Convention on cyber security and data protection – a key treaty for data security.
Ghana’s deputy minister of communications, Mr Vincent Sowah, described Ghana’s Data Protection Act 2012 as pivotal in terms of striking a balance between economic productivity and supporting individuals’ rights.
As Ghana heralds “A New Chapter Enforcing Accountability and Empowering Data Subjects,” Mr Sowah emphasised his government’s recognition of the advantages of a digital economy and of the revolutionary powers for transformation such an environment could engender, particularly in the financial services sector. He also highlighted the importance of protecting personal data, and how this must be achieved through transparency, fairness and accuracy.
“Across Africa, Ghana is seen as a trail blazer in this effort and one of only four countries in Africa that has passed the law,” Mr Sowah said, before underlining the role digitisation plays in enabling innovation in artificial intelligence, machine learning and IoT development.
The Executive Director of the Data Protection Commission in Ghana, Ms Patricia Adusei-Poku, followed up by saying that data controllers who breach the Data Protection Law would be liable to prosecution, and that those found guilty would be named and shamed in the national dailies for their irresponsible conduct.
Ms Adusei-Poku added that data controllers who were not registered with the Commission left themselves open to prosecution and subsequent financial penalties.
Working in collaboration with the World Bank, the Commission is implementing new computer systems, set to go live in April, which should streamline registration processes and help organisations on their journeys to legislative compliance in Ghana.
Since its inception, the Commission has trained around 60 data controller practitioners and has implemented education campaigns to raise data privacy awareness among consumers.