Protecting Personal Data – Sooner or Later!

by Robert Bond
May 1, 2015
in Risk
data protection

During 2013, a number of major events around the world began to focus the attention of governments, businesses, and consumers on data protection and information security. The revelations by Edward Snowden about the mass surveillance activities of organizations such as the National Security Agency in the United States and GCHQ in the UK raised awareness of the fragile nature of privacy. The increasing hacking activity of groups such as Anonymous, as well as the revelations of nation-state hacking, also raised awareness of cyber-risks and the threat of cyber-attacks.

Every few months for the past two years, countries in various parts of the world have been passing data protection laws, including South Africa, Colombia, Malaysia, South Korea, and Singapore—all of which bear similarities to the laws in the European Union that many regard as burdensome.

The EU has been active in producing opinions and guidance on new technologies, such as wearable technology, big data, the Internet of Things and cloud computing. Indeed, the EU has been in active negotiations with many governments around the world to find compromises to enable the global movement of personal data, but, at the same time, it has been outspoken about regimes that do not follow the EU model. In the past two years, there has been much activity in the EU around revisions to its digital framework, particularly its data protection regime, culminating in the current draft of the general data protection regulation.

Finally, regulators in many parts of the world, including the U.S., Canada, Singapore, Hong Kong, Australia, and the EU, have issued demands that the rights of individuals must be respected regarding the collection and processing of their personal data. This has led to calls for clearer and more explicit consent mechanisms for collecting personal data, greater transparency and accountability by both governments and businesses with regards to the way in which they collect and use personal data, and, finally, greater transparency pertaining to the use of technology for the purposes of monitoring and profiling individuals.

General Comparisons Between the U.S., EU, and Asia

United States

Briefly, the U.S. has no federal law regarding data protection, but it has a complex sector-specific set of rules, including HIPAA, COPPA, and the Gramm-Leach-Bliley Act. There are, however, many relevant state laws in the U.S. For example, California alone has more than 25 state privacy and data security laws.

The Federal Trade Commission (FTC) is vigilant on behalf of consumers against companies that do not comply with applicable laws. It has focused attention on the activities of search engines such as Google, mobile app companies, and the marketing and advertising sector. The data protection laws in the U.S. directly affect businesses and protect U.S. citizens, but they do not give protection in the U.S. to non-U.S. citizens.

European Union

The EU has had a data protection law for many years, namely the EU Data Protection Directive (Directive 95/46/EC, also known as the Data Protection Directive), which is designed to protect the privacy and all personal data collected for or about citizens of the EU. Like many data protection laws around the world, the Data Protection Directive is based on the Organisation for Economic Co-operation and Development (OECD) Guidelines (2013) governing the protection of privacy and cross-border flows of personal data.

The Data Protection Directive is implemented in each of the 28 Member States, but with variations—some of which are considerable. The European Data Protection Supervisor is the coordinating regulator for each of the 28 Member States. Each Member State has its own data protection commissioner who has varying enforcement and auditing powers. There is a patchwork of guidance and regulatory activity across each Member State, but no “level playing field.”

Asia

While Asia has lagged behind the EU in developing data protection laws, it has more recently “upped its game.” In the past few years, data protection laws with similarities to those of the EU have been passed in Malaysia, Singapore, Hong Kong, South Korea, and the Philippines, with data protection-related laws coming through in India and China. The law in South Korea is felt by many to be one of the most draconian in the world, and even the Malaysian law carries significant prison sentences for officers whose businesses are non-compliant.

In terms of data sharing between countries, the member countries of the Asia Pacific Economic Convention (APEC) rely on mutual recognition, and there is a cross-border privacy rules program in place.

Registration/Notification Requirements

In the U.S., there are no requirements for data controllers to file or register, and there is no federal data protection authority.

In the EU, there are registration requirements in each Member State, but these vary. For example, in the UK, registration is mandatory for regulated businesses and those that process certain categories of personal data. There are also exemptions for registration for small businesses. On the other hand, in France, businesses that process personal data of any kind have to register with the Data Protection Authority and the process is quite detailed. In many EU Member States, certain processing activities require specific registration, for example, the use of whistleblower hotlines and/or the use of closed-circuit television (CCTV) and monitoring technology.

In Asia, registration requirements vary from country to country and in countries such as Malaysia, registration requirements are dependent upon sector. There are data protection authorities in Asian countries that have data protection laws, although they are quite new and are only just beginning to develop their powers and guidance.

Collection and Processing

In the U.S., the rules vary widely from state to state, but they generally require pre-collection notice and opt-out for use and disclosure of regulated personal information. Opt-in rules usually apply where information is considered sensitive, for example, health information or children’s information.

In the EU, data controllers need to meet one of several conditions to collect and process personal data, including:

  • consent;
  • legitimate reason;
  • performance of a contract; and
  • protecting the data subject’s vital interests.

There are stricter rules for processing sensitive personal data in the EU, such as gaining a data subject’s explicit consent.

In Asia, the requirements vary across the region, but the fundamental principles of the Data Protection Directive can usually be found in the various national laws—principles such as purpose definition and use limitation. Countries such as South Korea, Singapore, and Malaysia take strict views on how sensitive personal data is processed.

Transfer

In the U.S., there are no restrictions on transferring personal data outside of the country. On the other hand, in Europe, even though transfers of personal data are freely permitted between EU Member States, certain conditions have to be met when such data is transferred outside of the EU, including:

  • consent;
  • legitimate reason;
  • performance of a contract; and
  • protecting the data controller’s vital interests.

Unless the recipient country to which personal data is exported is approved by the European Commission (and very few countries are approved), adequate protection for the rights of individuals has to be adduced by means of contractual controls or, when the data is being transferred from the EU to the U.S., through the EU-US Safe Harbor framework.

In Asia, there are some countries that restrict transfers of personal data outside their borders, but, as mentioned earlier, the APEC cross-border privacy rules cover data transfers within APEC based on mutual recognition.

EU General Data Protection Regulation

There have been calls for an overhaul of EU data protection legislation for some time. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, more commonly known as the Data Protection Directive, predates significant developments. The Directive was introduced before the widespread use of complex consumer technology, such as smartphones and tablets, and before the advent of Web 2.0 and its associated exchange of information between individuals online. Further, the Directive pre-dates widespread public awareness of the importance of privacy and the value of individuals’ personal information. As technology has advanced and practices have changed, the need for an overhaul of the law has become more apparent.

The Data Protection Regulation was drafted with a view to address the shortcomings of the Directive. It also aimed to escalate the importance of privacy to a corporate boardroom-level concern. The European Commission wishes to see data protection so escalated, making it comparable in importance to other corporate topics such as bribery, corruption, and money laundering.

Calls for an overhaul to the European Data Protection Directive have increased in recent years. The first glimpse of the European Commission’s response came in November 2011 with the leaked draft proposed European Data Protection Regulation. The leaked draft was followed in January 2012 with the official draft Regulation, largely similar though containing some significant changes. For example, the penalties of fines of up to five percent of worldwide annual turnover were reduced to two percent of worldwide annual turnover in the official draft. Likewise, the deadline upon data controllers for notifying the data protection authority of a breach softened from a mandatory 24 hours of the data controller becoming aware of such breach, to a more workable 72 hours “where possible.” Nonetheless, the official draft Regulation was substantially similar to its leaked predecessor.

The next significant step in the evolution of the Regulation came with the report published by the European Parliamentary Committee on Civil Liberties, Justice, and Home Affairs (LIBE), dated December 2012. The LIBE report advocated over 3,000 amendments to the draft Regulation, while largely retaining the structure.

On October 21, 2013, LIBE published its latest version of the Regulation with a reinstatement of the five percent of worldwide annual turnover and changes to the requirements to appoint a DPO.

The Regulation is a lengthy piece of legislation, at around three times the length of the Data Protection Directive. It is also significantly more prescriptive than its predecessor, which has attracted criticism from various quarters including European data protection authorities. While the principles of the Regulation follow those of the Directive, it introduces widespread and significant changes to the data protection landscape. The key changes include:

  1. Registration with the Data Protection Authority
  2. The data protection officer
  3. The data protection principles
  4. Consent
  5. The right to be forgotten
  6. Application of the regulation
  7. Breach notification
  8. Applicable data protection authority
  9. Sanctions

The Data Protection Regulation has been heralded as a means for businesses to save significant costs. However, critics have observed that, in fact, it places a significant burden on companies operating in the EU. Significant expense is likely to be incurred in the recruiting and training of DPOs. As explained above, appropriate expertise is required and there are simply not enough data protection specialists to go around. However, the levels of the fines that may be levied for non-compliance are likely to force companies into investing significant resources in compliance.

Mandatory breach reporting obligations mean that organizations that fail to implement appropriate policies and procedures to observe the principles of the Regulation are likely to come to the data protection authorities’ attention fairly rapidly.

Privacy advocates are likely to welcome the changes introduced by the Regulation, especially aspects such as privacy impact assessments that would ensure that observance of the data protection principles is an integral part of any new process or activity undertaken by a data controller. This is intended to ensure that organizations treat privacy as a key consideration at the outset of a new project, rather than an afterthought introduced just before the project goes live.

There appears to be a perception, particularly in the U.S., that the Regulation is unlikely to actually come into force. However, the Regulation is likely to be approved in the current European Parliament and, if so, would be likely to come into force in approximately two years. The general perception is that it will come into force in 2017. As a Regulation, it will take effect immediately, unlike the Directive, which operates through national implementing legislation. It is therefore likely to be more uniform in its application.

Companies looking to prepare for the introduction of the Regulation would be prudent to ensure that they are compliant with the current laws since the principles of the Regulation are very similar to those of the Directive. However, the potential consequences of non-compliance with the Regulation are far more serious. If there was ever a perception among companies that compliance is a “nice to have” rather than a necessity, the Regulation looks set to consign that belief to history.


Robert Bond has been a solicitor and notary public of England and Wales for over 30 years, and brings deep expertise and global perspective to our LRN ECA partner audience in areas of privacy and data protection, information security, global ethics and corporate responsibility, social and digital media, e-commerce, and Internet law, among other important risk areas. Robert is a widely published author and recognized global authority in his areas of expertise.