In the world of data protection, 2018 has been a monumental year across the globe. In May the EU enacted the General Data Protection Regulation (GDPR), the toughest and most complex data privacy law to date, which imposes a host of privacy-related obligations on companies, with fines for non-compliance. The following month in the US, legislators in California passed the California Consumer Privacy Act, effective on 1st Jan 2020, which will bring about far stricter controls on businesses that have mishandled or exploited the private data of their users.
Clearly, we are witnessing a global shift towards more comprehensive legislation on data privacy. However, the idea of regulating how private entities collect and process personal information is by no means a new phenomenon.
In fact, efforts to guarantee the privacy of personal information date back to the 1948 Universal Declaration of Human Rights, which in article 12 grants individuals the “right to the protection of law” against “arbitrary interferences with his privacy”. Personal privacy was also included in the 1950 European Convention on Human Rights (ECHR), under article 8, which grants individuals the “right to respect for private and family life, his home and his correspondence”. Initial legislation at the national level included the UK’s 1984 Data Protection Act, which sought to regulate the use of automatically processed information related to individuals.
In the 1990s and 2000s, private entities began to collect and store vast amounts of data using digital platforms. But without adequate processes in place to manage that data, companies began to lose control over the way they process personal information, which led to a dramatic increase in data breaches and increased public concerns over the misuse of personal information.
In 1995, in light of growing public anxieties, the European Union enacted the Data Protection Directive, designed to regulate the processing of personal data within the European Union. The directive was the first of its kind at the EU level and was followed by the ePrivacy Directive, enacted in 2002, which dealt with several important issues such as information confidentiality, spam, cookies and the treatment of traffic data. In the United States, efforts to improve data protection standards relied on sector-specific laws, as opposed to a comprehensive legal framework for protecting personal data. Due to this uneven approach, companies are confronted with contradictory or competing requirements, whilst piecemeal legislative responses to data misuse have left U.S. citizens without adequate data protection.
In recent years, there have been numerous high-profile breaches of personal data: 68 million Dropbox user email addresses were leaked after a breach in 2012; a 2013 data breach affected 3 billion Yahoo email accounts; and in March of this year 50 million Facebook profiles were harvested for Cambridge Analytica in an extremely controversial breach of personal information.
Such events have greatly exacerbated public anxieties over how personal information is protected, as well as over the non-transparent manner in which websites and companies use that information. Whereas previous data protection legislation lacked the enforcement mechanisms and scope to adequately protect personal information, we are now witnessing a clear global shift towards comprehensive and enforceable regulatory frameworks which place binding obligations on data processing procedures.
The Personal Data Protection Act (PDPA), enacted in Singapore in 2012, is an example of such legislation. The act comprises various rules governing the collection, use, disclosure and care of personal data and placing fines of up to $10,000 on companies which fail to comply. Any private entity collecting and processing personal information in Singapore must allow its customers to access, correct and find out how any data stored on them is being used.
This year has seen the arrival of two comprehensive data protection acts, namely the GDPR and CCPA. Before the GDPR, companies were not obliged to show exactly what data they had collected on a particular person. Now, under Article 6(1)(a) of the regulation, they must obtain explicit consent from individuals before storing personal data or processing it for a specific purpose. Users also have the right to access, rectify and delete personal data upon request, and can submit a complaint if they feel their data is being misused. Individuals can also object to having their personal data used for any purpose other than the one specified at the time consent was given.
The legislation thus empowers individuals whilst creating a host of new obligations for companies. Failure to comply with the GDPR can result in heavy fines of up to €20 million or 4% of annual revenue, whichever sum is higher.
Under the CCPA, citizens of California have the right to access, request, delete or protect their personal information. Companies are also confronted with more rules affecting the way they collect and sell data. Much like the GDPR, the law stems from a desire to place stricter controls on businesses that have mishandled or exploited the private data of their users. Under the legislation, individuals have the right to know what personal information is being collected about them and where it was sourced from, and the right to access or delete that information.
Companies operating in California must also comply if a user desires to opt-out of the sale of personal information to third parties. Companies can face a penalty of up to $7,500 if a rule violation is found to be intentional. They may also face cases where individuals ‘bring a private right of action’ if they believe that their personal data has been subject to unauthorized access, theft or disclosure resulting from a company’s failure to adequately protect their personal information.
These regulatory shifts thus dramatically change the way private entities collect and process consumer data. Whereas previously sanctions on data misuse were practically non-existent, the GDPR, CCPA and PDPA all set hefty fines for non-compliance. New legislation is also expanding the definition of personal data to include identifiable information that is collected automatically, such as online identifiers (for example, cookies), whereas before this type of data was not considered to be personal data.
Clearly, any company operating online cannot risk non-compliance with the new wave of data privacy laws. On top of that, they must also be on the lookout for new legislation as stricter laws on online privacy emerge in countries attempting to converge with data privacy standards.
From now on, any business operating online must develop the necessary tools to ensure that personal data is collected, stored and processed in a transparent manner. Companies lagging behind will not only find themselves with a tarnished reputation, but also a potentially crippling fine which could threaten the entirety of their commercial operations.