Global Data Privacy & Security Regulation and Enforcement
Data is critical for business in the digital age. Cloud, mobile, IoT, machine learning, AI, blockchain, and other technology-driven developments are...
A Short Guide to Global Data Privacy & Security Regulation and Enforcement
Data is critical for business in the digital age. Cloud, mobile, IoT, machine learning, AI, blockchain, and other technology-driven developments are accelerating disruption and re-defining roles and boundaries. Opportunity and risk abound as digitalization and automation transform every sector. Businesses increasingly seek to develop new data sources, leverage existing information, and enter unfamiliar ecosystems and data sharing arrangements with third parties.
Data privacy and security laws are pivotal in this context. Regulators draft these laws to restrict how businesses collect, use, share, store, and disclose data. Recent years have witnessed an unprecedented expansion in data privacy and security regulations globally as regulators seek to catch up to technology.
Many jurisdictions premise these laws on notions of privacy as a fundamental human right, and apply the rules comprehensively to any data about an individual or a device. Other jurisdictions focus on notions of fairness or consumer protection, and other perceived harms or inequalities. In terms of specifics, regulators and legislators are free to develop their own definitions and requirements that are not subordinate to a larger global architecture of rules and norms.
As the underlying business models and data handling activities are continuously changing, these various and divergent global data privacy and security regulations pose acute challenges for interpretation and application. Companies must also take into account aggressive penalty structures, as well as private rights of action, potential business disruption, reputational harm, and other adverse consequences for non-compliance when evaluating how to proceed.
As a result of these factors, companies must take data privacy and security laws more seriously than ever before. Companies need to focus on the development of solutions that consider not only likelihood and severity of risk, but also business necessity and the interests of the consumers, employees, and other individuals.
Our 2019 Global Data Privacy & Security Handbook provides detailed overviews of the increasingly complex and sophisticated data privacy and security standards in around 50 countries.
We have created this guide on the back of the data collated in our 2019 Global Data Privacy & Security Handbook and:
- provide a snapshot of key recent and imminent changes to data privacy and security regulation which illustrate the fact that such regulation is still very much a moving target
- share our anticipated enforcement priorities
- take a look at the rise of data security breach notification requirements
- highlight some trends to watch over the next months
Enjoy the read!
Data privacy & security regulation
A moving target
These days, data privacy and security are heavily regulated in many countries around the world. And yet, data privacy and security regulation is still very much a moving target with many countries introducing comprehensive regulation for the first time and other countries with established regimes overhauling those to reflect the reality of the digital world.
New data privacy and security laws of which to take note
While differences in regulatory approach remain, there is a clear trend towards omnibus data privacy and security laws. Our data shows that out of 52 countries surveyed, the US and Saudi Arabia are the only two that do not have omnibus data privacy and security laws in place. On top of that, a myriad of sector-specific data privacy and security laws exist (42 out of 52 countries surveyed have such sector-specific requirements).
Here are some of the newest omnibus data privacy and security laws.
The EU GDPR
2018 was the year in which the GDPR finally started to apply directly in all EU member states. The EU member states have been busy drafting, negotiating and enacting local data protection laws supplementing the GDPR and as of May 2019, 25 out of 28 European Member States have adopted such laws. Greece, Portugal and Slovenia are the countries still working on their local data protection laws.
There is still much uncertainty regarding the interpretation and enforcement of the GDPR provisions and diverging local laws but local regulators and the European Data Protection Board are publishing guidance on key GDPR provisions.
At the same time, regulators are stepping up their enforcement efforts and the first fines for GDPR non-compliance have been issued. In many respects, GDPR compliance is still a moving target and businesses need to keep a close eye on guidelines and enforcement decisions that will provide answers to the most pressing and controversial questions.
Beyond GDPR
While the GDPR has certainly been the focus for multinational businesses in 2018, that year has also seen the introduction of comprehensive GDPR-inspired personal data protection regimes in other regions. Here are some prominent examples:
Brazil
In August 2018, Brazil passed its first omnibus data protection law, the General Data Protection Law (GDPL). The GDPL is still subject to change as close to 200 amendments have been proposed including substantial changes concerning the legal basis for data processing, the application of the law to public entities and technical standards for data security. That said the GDPL is expected to come into effect in August 2020 except for the provisions regarding the creation of the Brazil Data Protection Authority, which are already in force. The law is mostly inspired by the EU GDPR but is in a simpler format and there are key differences including lower monetary penalties and a specific exception for credit rating. A sensible first step for businesses operating in Brazil would be a data-mapping exercise in order to understand current data processing activities, identify gaps and vulnerabilities and then establish a compliance plan.
India
In the second part of 2018, India released a Personal Data Protection Bill (PDP Bill) proposing a comprehensive personal data protection law. The PDP Bill has been modelled after the EU’s GDPR and is expected be tabled before the Parliament before the end of 2019. The PDP Bill provides for the manner in which personal data must be collected, stored, processed and transferred.
It introduces concepts such as data fiduciary (similar to a data controller), data principal (similar to a data subject) and data processor and also sets out rights of data principals and obligations of data fiduciaries and processors while collecting and processing data. The PDP Bill also provides the manner and circumstances in which personal data may be lawfully transferred outside India.
Accountability and governance requirements are finding their way into data privacy and security laws
Thailand
For several years, Thailand has been developing an omnibus data protection law. In September 2018, the government issued a new draft Personal Data Protection Act (PDPA), which includes GDPR-like features and has been approved by the National Legislative Assembly in February 2019. The PDPA will start to apply in late May 2020 (one year after its publication in the Government Gazette) and will be the first Thai legislation governing the collection, use, and/or disclosure of personal data, with extraterritorial effect.
Data subjects will have GDPR-style rights and controllers and processors may be required to appoint a data protection officer and/ or representative in Thailand. Businesses should start their compliance efforts soon.
California
California, which has always been at the forefront of data privacy, has introduced the California Consumer Privacy Act ("CCPA") which is already bringing profound changes ahead of its 1 January 2020 effective date, given its 12-month look-back provision to January 2019. CCPA is an unfamiliar type of law for the United States, in large part, due to its broad scope. It establishes a new privacy framework for businesses that fall within its jurisdiction by:
- creating an expanded definition of “personal information”
- creating new data privacy rights for California consumers, including rights on transparency, access, portability, and deletion
- establishing expansive rights of choice on the “sale” of personal information
- imposing special rules for the collection and sale of personal information directly from minors
- creating a new statutory damages framework for violators that fail to implement and maintain reasonable security procedures and practices to prevent data security breaches
Consumer data protection statutes in Colorado, Maine, Nevada, and Vermont have also recently entered into effect and legislators in ten states (Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota, Rhode Island, Texas and Washington) have introduced draft bills that would impose broad obligations on businesses to provide consumers with transparency and control of personal data, similar to the requirements under the CCPA.
What detail to include in a data privacy notice
Despite a trend for data privacy and security legislation to align globally, there are still many differences between local laws making global compliance a real challenge. For instance, to draft a global data privacy notice is near impossible as the requirements as to what information needs to be included varies widely between countries.
Spotlight on the United Arab Emirates
The United Arab Emirates (UAE) is one of the countries without a comprehensive data privacy and security framework to date but one to monitor closely as numerous changes are being introduced and comprehensive regulations might be on the horizon.
In the absence of one federal authority coordinating legislative efforts, several sectoral regulators in the UAE, as well as individual Emirates, are introducing their own data protection and data security requirements creating a fragmented and complex data protection landscape.
- In January 2019, the President of the UAE issued Federal Law No. 2 of 2019, which regulates the use of information technology and communications in the healthcare sector. The law introduced data residency requirements among a number of other data protection requirements for companies processing data which is related to an individual’s health.
- In March 2019, the Telecommunications Regulatory Authority (TRA) implemented a policy regulating the operation of IOT solutions. The policy introduced GDPR concepts such as privacy by design, data minimisation and purpose limitation into local onshore law. It also incorporates definitions rom the GDPR, such as ‘consent’, ‘data controller’ and ‘data processor’. These definitions are not currently used but arguably signal an intention by the TRA to introduce further legal GDPR-style requirements in future.
- We expect new legal requirements to be introduced by the regulators of the Dubai International Financial Centre and Abu Dhabi Global Market financial free zones to update their existing data protection frameworks to align with the GDPR.
- We are also aware that the Ministry of Finance will soon issue a new data protection law for the financial services industry.
Due to the pace of developments, it is highly advisable for companies operating in the UAE to monitor developments closely.
Changes to long-established laws on the horizon
In addition to new laws being crafted, many countries with long-established data privacy laws are in the process of making changes to those laws. 41 out of 52 countries surveyed indicated that they anticipate material changes to their data privacy and security laws in the next 12 months.
One example is Singapore where a review of the Personal Data Protection Act 2012 is underway. Contemplated changes are expected to take place by the end of 2019 and include a mandatory data breach notification regime as well as additional bases for the collection, use and disclosure of personal data.
Australia has also announced wide-reaching reforms to its Privacy Act, including increasing penalties, introducing additional enforcement and other powers for the regulator, creating a code for social media and online platforms which trade in personal information, requiring social media and online platforms to implement a mechanism for ceasing use of an individual’s personal information on request by the individual, and introducing specific rules to protect the personal information of children and other vulnerable groups even more strongly.
Argentina is also contemplating material changes to its data privacy and security legislation including expanding its territorial reach, requiring the notification of data security breaches in certain instances, introducing a right to be forgotten, increasing penalties and mandating data protection impact assessments.
Businesses need to monitor new laws being adopted and existing laws being changed in order to ensure compliance with new requirements which can be challenging at an operational level. Moreover, businesses should follow and contribute to public consultations to ensure the business impact of a proposed change is understood by regulatory authorities and any incoming laws or proposed changes do not jeopardize entire business models.
41 out of 52 countries indicated that new or material changes to existing data protection regimes are expected in the next 12 months
Regulator enforcement activity
Data privacy and security enforcement ahead
Around the world, data privacy and security regulators are becoming more active and tougher on businesses with poor data protection practices. Regulators are dedicating more resources to the enforcement task and we are expecting higher penalties to be issued for non-compliance moving forward. Regulators are also starting to collaborate with their counterparts across borders in order to align themselves and support each other. All of these factors will significantly increase the risk of non-compliance.
Out of 52 countries surveyed, only 7 do not have a data privacy and security regulator: Bolivia, India, Venezuela, Chile, Paraguay, Saudi Arabia and Vietnam
That said, the level of regulator activity still varies among countries:
We asked local counsel to rate how active the regulator is in their jurisdiction.
*Thailand is in the process of establishing a regulators and it is yet to be established how active it will be.
The risk of non-compliance with data privacy and security laws for private sector organisations
We asked local counsel to rate the risk of non-compliance with data privacy and security legislation in their jurisdiction.
Despite regulators overall stepping up their enforcement activities, they will be forced to focus their resources and efforts on certain aspects and deficiencies they consider the most pressing. We anticipate data privacy and security regulators to focus on the following:
Data security and incident response practices
Insufficient data security and data breach notification requirements (which are increasingly being made mandatory) will be a number #1 priority for regulators in all regions as most recently evidenced by the UK ICO's first GDPR enforcement actions. Our data also shows that insufficient data security or inadequate data incident response ranks amongst the three most common compliance mistakes committed by business across jurisdictions indicating that many businesses would be wise to focus their efforts on data security and incident response practices.
Online consent practices and transparency requirements
Regulators are still determining where to set the bar for valid consent but consent has emerged as a key battleground in Europe in 2018 and we expect this to remain an area of focus. Big players with data-driven business models are a prime target. But businesses of all sizes relying on data subject consent as a processing ground would be wise to ensure they are transparent about their data practices vis-à-vis the data subjects and enable data subjects to be in control of their data. A challenging task given the requirement to make privacy notices clear and concise but at the same time complete and comprehensive.
Excessive collection and processing of personal data online
We expect regulators in Europe to continue to scrutinize the collection and processing of personal data in excess of what is necessary to deliver a service or product, particularly in the online world. In the past, regulators have penalized businesses for collecting personal information through apps or websites for purposes unrelated to the use of such app or the provision of a service. Continuing such excessive collection of personal data on the basis of user consent will be a risky strategy. Similarly, arguing that the collection is necessary for the performance of a contract is also going to be difficult as this legal basis will be interpreted rather narrowly, even where services are provided for "free" (as foreshadowed by the EDPB recently in its draft Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects).
"Contracts for digital services may incorporate express terms that impose additional conditions about advertising, payments or cookies, amongst other things. A contract cannot artificially expand the categories of personal data or types of processing operation that the controller needs to carry out for the performance of the contract within the meaning of Article 6(1)(b)."
Extract from the draft EDPB Guidelines
The most common data subject rights across jurisdictions
Online tracking and cookie walls
Cookies and other online tracking technologies are an important analytics tool for many businesses. Cookie walls which block users from accessing a website or app unless the user consents to the placing of tracking technology risk a finding that consent is not voluntary. They should be reviewed and adapted to ensure users are given a genuine choice between accepting or rejecting any tracking. Regulators views are currently not consistent as to when such choice is given, so an area to watch for more guidance.
Data subject rights
We expect regulators to also devote attention to ensuring businesses respect data subjects' rights as these play a vital role in giving data subjects control over their data (a key theme). All countries within scope except South Africa (until the commencement of Protection of Personal Information Act, 2013) and Saudi Arabia grant data subjects specific rights which businesses need to operationalize. The most common right is the right to access, closely followed by the right to rectify personal data. Often implementing these data subjects rights in practice is a challenging task.
Data residency requirements
Obligations to store certain personal data within the jurisdiction are very prominent with 21 out of 52 countries surveyed having such requirements in place. They are particularly prominent in Asia (e.g., China, Vietnam, India and Indonesia) and are a particular challenge for businesses that largely operate online and do not typically set up technology infrastructure in each jurisdiction where they offer their products or services.
Direct marketing requirements
Compliance with requirements related to the use of personal data for direct marketing activities via email, sms and telephone will also be a priority not least because the regulators receive many complaints in this regard. 47 out of 52 countries surveyed have specific requirements in place and these are often complex and difficult to adhere to in practice.
Cross-border data transfers
In the EU, all eyes are on Brexit developments which may result in the UK becoming a "third country" and require new solutions for legitimizing transfers from the European Economic Area to the UK. In the US, we expect to see continued activity with enforcement by the US Federal Trade Commission (FTC) with the EU-US Privacy Shield Framework.
The most common data privacy and security compliance mistakes
We asked local counsel to identify the top three most common data privacy and security compliance mistakes made by companies doing business in the jurisdiction.
The game changer
Data security breach notification
Data privacy and security laws often now embed breach notification duties with broad application and short timelines.
Our data shows that 41 out of 52 countries surveyed already require the notification of personal data security breaches.
Jurisdictions will continue to adopt more expansive data breach notification requirements with lower risk thresholds and faster timelines for notifications to authorities and individuals. Argentina, Malaysia, New Zealand, Singapore and South Africa are prominent examples of countries in the process of introducing mandatory data breach notification requirements.
The most common model is that data controllers are required to notify data protection authorities and individuals in a breach scenario, and data processors must notify the controller. But in Russia, South Korea, Venezuela, Colombia, Uruguay and Taiwan, data processors are also required to notify the authorities and individuals directly.
The rise of stringent data security breach notification requirements will continue to put pressure on organizations’ data protection programs as a breach notification to an authority will be a lead-in to a possible enforcement action as most recently evidenced by the UK ICO’s first GDPR enforcement actions. Moreover, notification to individuals entails serious reputational risks.
Most organizations hope that a significant data breach will never happen to them, but it often does. The digital age is a perfect set up, as it combines a larger surface area for attacks (e.g., more sensors, more devices, more connectivity, and more data) with increasingly sophisticated threats (e.g., more financial crime, more nation state activities, and more hacker collectives). A single event can pull a thread that raises issues across data collection, use, storage, and disclosure, and may be subject to mandatory reporting to authorities, individuals, and others. Organizations are therefore well advised to work through multijurisdictional "table top" exercises so as to have a better chance of managing such possible incidents well.
Are there obligations to notify personal data security breaches?
Outlook
Key trends to watch in the coming months
The GDPR recently turned one but the world of data privacy and security is still changing fast and profoundly with no sign of slowing down. Business impact of these changes is significant and some of the changes on the horizon may even demand changes to certain business models. Here are our predictions of what will be "hot" in the next 12-24 months.
A federal US privacy law?
While in 2018, all eyes had been on Europe, we are increasingly seeing attention turn to the US. California (discussed elsewhere) is sparking the spread of state consumer data privacy legislation, and as a follow-on, potential federal legislation on privacy. Much is yet to be determined as to what can be achieved, particularly in terms of pre-emption, and on what timelines.
Companies and industry associations have expressed support for a superseding federal privacy law. Several federal bills have been formally introduced, including the Data Breach Prevention and Compensation Act introduced in January 2018, the Data Care Act introduced in December 2018 and the American Data Dissemination Act introduced in January 2019.
Other federal proposals have been circulated informally. For its part, the Trump administration had the National Telecommunications and Information Administration ("NTIA") publish the outcomes and goals that should be the focus of any federal legislation. The Federal Trade Commission (FTC) is one of the over 200 parties to submit a comment on the NTIA’s proposed framework.
The FTC’s comment received sharp criticism from privacy watchdog groups, in particular the FTC’s statement that a default consumer opt-out of online advertisements would not be appropriate as it would likely result in "the loss of advertising-funded online content".
Additionally, businesses and industry groups, such as the US Chamber of Commerce and the Business Roundtable, have released federal legislative proposals all of which would preempt the CCPA and other similar state laws.
While all different in detail, the various proposals feature a range of common consumer rights and business obligations. For instance, they commonly grant consumer rights to access, rectification, deletion, restriction of processing and data portability, but importantly also a right to opt out of the sale of personal information as well as a consumer private right of action.
And they impose on businesses notice and transparency requirements, data breach notification obligations, mandated risk assessments, a prohibition on discrimination against a consumer for exercising a right, a purpose limitation and processing limitation and a strict opt-in for the sale of personal information of a consumer less than a certain age.
Whether or not a federal US privacy law will be coming, the US experience illustrates the immense challenge lawmakers may face in trying to get the balance right between protecting individuals and supporting business development.
Competition law, data privacy and consumer laws intersecting
There is an evident trend towards competition/antitrust, data privacy and consumer laws seen as intersecting, complementing each other and protecting the same values. Particularly in Europe but also in Australia, competition and antitrust regulators are very serious about the role of data in the digital age and are increasingly seeking to assert themselves in the data privacy space by taking actions in connection with business use of data and also proposing to overhaul existing competition law frameworks in order to make them fit for the digital economy. We are starting to see the first small signs of a similar perspective emerging in the US.
Data-related issues of interest to competition agencies include:
- market power and dominance associated with control of large datasets including relevant considerations in the context of M&A activity
- data as a barrier to entry
- consumer law concerns (as opposed to privacy-specific concerns) arising from data handling
- representations made to consumers with respect to data handling
- the manner in which privacy terms are imposed on consumers
- consumers’ ability to be in control and make informed decisions regarding handling of their data
- information asymmetries between consumers and businesses with respect to business data handling
- use of data as a "currency" to access services/products/ benefits
As these discussions continue to gather force, data will continue to move from an issue of primary interest to privacy regulators to an issue of common focus for other regulators.
Data portability, open data and data-driven innovation
Whilst stricter personal data regulation continues to evolve, greater access to data is also a trend, and opening-up of previously tightly held and controlled data sets is a key driver for governments in many jurisdictions in order to enable innovation and competition. The debate is still very much ongoing and no solution set in stone but proposals on the table to watch include:
- facilitating the switching between data-driven services through greater data portability and interoperability regimes (beyond what is codified in the GDPR)
- opening-up of government-controlled datasets
- increased collaboration, sharing and pooling of data in a B2B context
- mandated access to data held by dominant players in certain instances, likely through a sector-specific regime and on strict conditions
All of these proposals raise various issues such as the need to protect business secrets as well as privacy (where personal data is concerned), the risk of anti-competitive information exchange where competitively sensitive information is concerned, potentially undue costs on those businesses that control the data, and lack of incentive to continue to collect data - just to name a few. The discussions have some way to go before we will see regulatory change but change is on the horizon and will impact business models.
Ethics bringing a new dimension
As if that is not enough for businesses to grapple with, governments, policy makers, market players and individuals are increasingly bringing ethical considerations into the picture. Beyond compliance, stakeholders are being called to consider ethical implications of their actions. The imminent focus is on AI technology but ethical handling of data will soon be expected more generally. This is not a matter of legal compliance (we are still at an early stage, even if things are moving, especially in Europe), but arguably equally critical since it affects consumer trust.
Rise in class litigation
A loss of consumer trust in relation to business use of data has been felt widely in some sectors and is likely to continue to drive both consumer behavior and business and regulator responses in 2019. This is also true from a litigation perspective, since consumers are becoming more aware of their rights and willing to enforce them via available avenues. Companies should therefore get prepared to address claims and actions, from consumers, increasingly in the form of class actions which are starting to emerge in the US, UK, Canada and Australia. In particular, in the US, the new California Consumer Privacy Act embeds a private right of action for data breaches, with statutory damages of up to $750 per consumer per incident.
Data privacy and security contacts
Helping clients overcome the challenges of competing in the global economy
To contact a member of our Global Data Privacy & Security Leadership Team, please click here.
Please direct any questions or feedback about this publication to Brian Hengesbaugh or Anna von Dietze.
Brian Hengesbaugh
Partner
Global Chair of Data Privacy and Security
Email
Anna von Dietze
Lead Knowledge Lawyer
Global TMT Industry Group
Email
Additional reading
2019 Global Data Privacy & Security Handbook