During 2013, a number of major events around the world began to focus the attention of governments, businesses, and consumers on data protection and information security. The revelations by Edward Snowden about mass surveillance activities of organizations such as the National Security Agency in the United States and GCHQ in the UK raised awareness of the fragile nature of privacy. The increasing hacking activity of groups such as Anonymous, as well as the revelations of nation-state hacking, also raised awareness of cyber-risks and the threat of cyber-attacks.
Every few months for the past two years, countries in various parts of the world have been passing data protection laws, including South Africa, Colombia, Malaysia, South Korea, and Singapore—all of which bear similarities to the laws in the European Union that many regard as burdensome.
The EU has been active in producing opinions and guidance on new technologies, such as wearable technology, big data, the Internet of Things and cloud computing. Indeed, the EU has been in active negotiations with many governments around the world to find compromises to enable the global movement of personal data, but, at the same time, it has been outspoken about regimes that do not follow the EU model. In the past two years, there has been much activity in the EU around revisions to its digital framework, particularly its data protection regime, culminating in the current draft of the general data protection regulation.
Finally, regulators in many parts of the world, including the U.S., Canada, Singapore, Hong Kong, Australia, and the EU, have issued demands that the rights of individuals must be respected regarding the collection and processing of their personal data. This has led to calls for clearer and more explicit consent mechanisms for collecting personal data, greater transparency and accountability by both governments and businesses with regards to the way in which they collect and use personal data, and, finally, greater transparency pertaining to the use of technology for the purposes of monitoring and profiling individuals.
General Comparisons Between the U.S., EU, and Asia
Briefly, the U.S. has no federal law regarding data protection, but it has a complex sector-specific set of rules, including HIPAA, COPPA, and the Gramm-Leach-Bliley Act. There are, however, many relevant state laws in the U.S. For example, California alone has more than 25 state privacy and data security laws.
The Federal Trade Commission (FTC) is vigilant on behalf of consumers against companies that do not comply with applicable laws. It has focused attention on the activities of search engines such as Google, mobile app companies, and the marketing and advertising sector. The data protection laws in the U.S. directly affect businesses and protect U.S. citizens, but they do not give protection in the U.S. to non-U.S. citizens.
The EU has had a data protection law for many years, namely the EU Data Protection Directive (Directive 95/46/EC, also known as the Data Protection Directive), which is designed to protect the privacy and all personal data collected for or about citizens of the EU. Like many data protection laws around the world, the Data Protection Directive is based on the Organisation for Economic Co-operation and Development (OECD) Guidelines (2013) governing the protection of privacy and cross-border flows of personal data.
The Data Protection Directive is implemented in each of the 28 Member States, but with variations—some of which are considerable. The European Data Protection Supervisor is the coordinating regulator for each of the 28 Member States. Each Member State has its own data protection commissioner who has varying enforcement and auditing powers. There is a patchwork of guidance and regulatory activity across each Member State, but no “level playing field.”
While Asia has lagged behind the EU in developing data protection laws, it has more recently “upped its game.” In the past few years, data protection laws with similarities to those of the EU have been passed in Malaysia, Singapore, Hong Kong, South Korea, and the Philippines, with data protection-related laws coming through in India and China. The law in South Korea is felt by many to be one of the most draconian in the world, and even the Malaysian law carries significant prison sentences for officers whose businesses are non-compliant.
In terms of data sharing between countries, the member countries of the Asia Pacific Economic Convention (APEC) rely on mutual recognition, and there is a cross-border privacy rules program in place.
In the U.S., there are no requirements for data controllers to file or register, and there is no federal data protection authority.
In the EU, there are registration requirements in each Member State, but these vary. For example, in the UK, registration is mandatory for regulated businesses and those that process certain categories of personal data. There are also exemptions for registration for small businesses. On the other hand, in France, businesses that process personal data of any kind have to register with the Data Protection Authority and the process is quite detailed. In many EU Member States, certain processing activities require specific registration, for example, the use of whistleblower hotlines and/or the use of closed-circuit television (CCTV) and monitoring technology.
In Asia, registration requirements vary from country to country and in countries such as Malaysia, registration requirements are dependent upon sector. There are data protection authorities in Asian countries that have data protection laws, although they are quite new and are only just beginning to develop their powers and guidance.
Collection and Processing
In the U.S., the rules vary widely from state to state, but they generally require pre-collection notice and opt-out for use and disclosure of regulated personal information. Opt-in rules usually apply where information is considered sensitive, for example, health information or children’s information.
In the EU, data controllers need to meet one of several conditions to collect and process personal data, including:
- consent;
- legitimate reason;
- performance of a contract; and
- protecting the data subject’s vital interests.
There are stricter rules for processing sensitive personal data in the EU, such as gaining a data subject’s explicit consent.
In Asia, the requirements vary across the region, but the fundamental principles of the Data Protection Directive can usually be found in the various national laws—principles such as purpose definition and use limitation. Countries such as South Korea, Singapore, and Malaysia take strict views on how sensitive personal data is processed.
In the U.S., there are no restrictions on transferring personal data outside of the country. On the other hand, in Europe, even though transfers of personal data are freely permitted between EU Member States, certain conditions have to be met when such data is transferred outside of the EU, including:
- legitimate reason;
- performance of a contract; and
- protecting the data controller’s vital interests.
Unless the recipient country to which personal data is exported is approved by the European Commission (and very few countries are approved), adequate protection for the rights of individuals has to be adduced by means of contractual controls or, when the data is being transferred from the EU to the U.S., through the EU-US Safe Harbor framework.
In Asia, there are some countries that restrict transfers of personal data outside their borders, but, as mentioned earlier, the APEC cross-border privacy rules cover data transfers within APEC based on mutual recognition.
EU General Data Protection Regulation
There have been calls for an overhaul of EU data protection legislation for some time. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, more commonly known as the Data Protection Directive, predates significant developments. The Directive was introduced before the widespread use of complex consumer technology, such as smartphones and tablets, and before the advent of Web 2.0 and its associated exchange of information between individuals online. Further, the Directive predates widespread public awareness of the importance of privacy and the value of individuals’ personal information. As technology has advanced and practices have changed, the need for an overhaul of the law has become more apparent.
The Data Protection Regulation was drafted with a view to address the shortcomings of the Directive. It also aimed to escalate the importance of privacy to a corporate boardroom-level concern. The European Commission wishes to see data protection so escalated, making it comparable in importance to other corporate topics such as bribery, corruption, and money laundering.
Calls for an overhaul of the European Data Protection Directive have increased in recent years. The first glimpse of the European Commission’s response came in November 2011 with the leaked draft of the proposed European Data Protection Regulation. The leaked draft was followed in January 2012 by the official draft Regulation, largely similar though containing some significant changes. For example, the maximum fine was reduced from five percent of worldwide annual turnover in the leaked draft to two percent of worldwide annual turnover in the official draft. Likewise, the deadline for data controllers to notify the data protection authority of a breach was softened from a mandatory 24 hours after the data controller became aware of the breach to a more workable 72 hours “where possible.” Nonetheless, the official draft Regulation was substantially similar to its leaked predecessor.
The next significant step in the evolution of the Regulation came with the report published by the European Parliamentary Committee on Civil Liberties, Justice, and Home Affairs (LIBE), dated December 2012. The LIBE report advocated over 3,000 amendments to the draft Regulation, while largely retaining the structure.
On October 21, 2013, LIBE published its latest version of the Regulation, reinstating the fine of up to five percent of worldwide annual turnover and changing the requirements to appoint a data protection officer (DPO).
The Regulation is a lengthy piece of legislation, at around three times the length of the Data Protection Directive. It is also significantly more prescriptive than its predecessor, which has attracted criticism from various quarters including European data protection authorities. While the principles of the Regulation follow those of the Directive, it introduces widespread and significant changes to the data protection landscape. The key changes include:
- Registration with the Data Protection Authority
- The data protection officer
- The data protection principles
- The right to be forgotten
- Application of the regulation
- Breach notification
- Applicable data protection authority
The Data Protection Regulation has been heralded as a means for businesses to save significant costs. However, critics have observed that, in fact, it places a significant burden on companies operating in the EU. Significant expense is likely to be incurred in the recruiting and training of DPOs. As explained above, appropriate expertise is required and there are simply not enough data protection specialists to go around. However, the levels of the fines that may be levied for non-compliance are likely to force companies into investing significant resources in compliance.
Mandatory breach reporting obligations mean that organizations that fail to implement appropriate policies and procedures to observe the principles of the Regulation are likely to come to the data protection authorities’ attention fairly rapidly.
Privacy advocates are likely to welcome the changes introduced by the Regulation, especially aspects such as privacy impact assessments that would ensure that observance of the data protection principles is an integral part of any new process or activity undertaken by a data controller. This is intended to ensure that organizations treat privacy as a key consideration at the outset of a new project, rather than an afterthought introduced just before the project goes live.
There appears to be a perception, particularly in the U.S., that the Regulation is unlikely to actually come into force. However, the Regulation is likely to be approved in the current European Parliament and, if so, would be likely to come into force in approximately two years. The general perception is that it will come into force in 2017. As a Regulation, it will take effect immediately, unlike the Directive, which operates through national implementing legislation. It is therefore likely to be more uniform in its application.
Companies looking to prepare for the introduction of the Regulation would be prudent to ensure that they are compliant with the current laws since the principles of the Regulation are very similar to those of the Directive. However, the potential consequences of non-compliance with the Regulation are far more serious. If there was ever a perception among companies that compliance is a “nice to have” rather than a necessity, the Regulation looks set to consign that belief to history.