Year 2020 saw a number of significant developments around data privacy legislations around the world. The pandemic-induced “new normal” has brought up new concerns around data privacy, making the case stronger for stringent data privacy laws in 2021.
Whatsapp has finally postponed the enforcement of its new data-sharing policy until May 15, but the damage seems to be already done, with millions of outraged users worldwide switching to alternative platforms, and potential lawsuits and investigations coming up in India and Turkey.
Whatsapp is not a one-off case, but just the tip of the iceberg in the debate around data privacy. Be it digital contact tracing or enforcement of physical distancing, digitalization of health or online shopping, work from home or online education, the pandemic-induced acceleration in digitalization have continued to push us further and further into the digital realms. Naturally, the “new normal” has brought up new concerns around data privacy, making the case stronger for stringent data privacy laws.
ALSO READ: COVID-19 — Finding the middle ground in safety vs data privacy debate
Interestingly, the past year also witnessed encouraging progress in this aspect. While Canada, Brazil, China and New Zealand introduced legislations on the lines of Europe’s General Data Protection Regulation, we also saw privacy find its way into COVID-19 related legislations in US Congress, including the COVID-19 Consumer Data Protection Act of 2020 in the Senate and the Public Health Emergency Privacy Act in the House. In a noteworthy event in November 2020, California citizens voted for amendments to the California Consumer Privacy Act and enacted a new statute, the California Privacy Rights Act. Currently, no other American state has a law as stringent as California, but around 30 states are working on legislations that contain at least some of the terms.
Let’s take a look at some of these legislations.
Brazil’s General Data Protection Law — Lei Geral de Proteção de Dados Pessoais (LGPD) – came into effect from September 16, 2020. The government also approved the creation of a national-level data protection authority —Autoridade Nacional de Proteção de Dados (ANDP) — which will be responsible for the enforcement of the LGPD.
Even though the final text was approved in 2019 after years of debates around data protection, its enforcement was delayed due to political developments in the country and later the COVID outbreak. The creation of the ANDP is a significant move in enactment of a law that makes transparency vital.
Among other terms and conditions very similar to GDPR, the LGPD places the consent of personal data holder and his/her right of access at the center, and requires organizations dealing with data to establish legal bases in Brazil to process personal data, and adhere to cross-border data transfer restrictions. Businesses also have to provide detailed privacy notices and updates on data breach notifications.
Canada introduced the Digital Charter Implementation Act, 2020 on November 17, 2020, which, if passed, will lead to a Consumer Privacy Protection Act (CPPA) and Personal Information and Data Protection Tribunal.
The new Act would give Canadians right to disclosures about the use of their personal information; including the right to transparency about how businesses use algorithmic decision-making based on their data. Users will also get the right to delete personal information or withdraw consent; and data mobility rights that allow for transfer of personal information between organizations.
Businesses on their part will be required to implement a privacy management program to ensure compliance with the new law. They will also have to meet certain terms similar to GDPR including those on consent to process personal data and use anonymized data when without consent.
ALSO READ: Digital contact tracing and why Americans have a problem with it
China published its draft Personal Information Protection Law (PIPL) on October 21, 2020 inviting public comments. The law again draws substantially from GDPR. If passed, the PIPL will become the China’s first statute that seeks to address data privacy concerns and provides protection of personal data for citizens. It will coexist alongside the current Cybersecurity Law, Data Security Law and the PRC E-Commerce Law.
The new law will apply to not only organizations operating within mainland China, but also to businesses or organizations located outside the country that process personal data of individuals residing in China. Interestingly, an organization seeking to transfer personal data of people out of China will have to go through a security assessment by the Cyberspace Administration of China in certain cases.
The New Zealand Privacy Act 2020 came into place on December 1, 2020, replacing the earlier Privacy Act 1993. The new Act applies to organizations that collect personal information in the course of “carrying on business” within the country even if they are not a legal entity in New Zealand. The new law also requires businesses collecting personal data to notify affected individuals as well as the Office of the Privacy Commissioner (OPC) in case of privacy breaches, or else face heavy fines to the tune of NZ$10,000 per violation.
The OPC has produced step-by-step guidance to help organizations and businesses understand and respond to the new obligations related to cross-border transfer of personal data collected within New Zealand. Using offshore Cloud providers or other third party for storage or processing data is not treated as a disclosure so long as the third party is not using that information for their own purposes.
The California Consumer Privacy Act of 2018 (CCPA), which was gives consumers more control over the personal information that businesses collect about them, was passed by the state legislature in June 28, 2018 and became effective on January 1, 2020.
On November 3, Californians voted in the California Privacy Rights Act (CPRA) that amends the CCPA to establish a new privacy enforcement agency, besides making way for additional consumer rights and a new category of consumer personal information. The new law will be effective January 1, 2023 with the personal rights for individuals and mandates and requirements for businesses granted by the CCPA remaining during the transition.
The road ahead
Although a federal-level privacy legislation in the US still is not on the horizon, data privacy has clearly emerged as a bipartisan and pressing issue. Big Tech – particularly Facebook and Google — have been caught in multiple controversies and tough lawsuits in the country, which is likely to continue under the new Administration. And with Europe looking to address this year the challenges posed by the Schrems II decision, the developments of 2020 clearly point to an interesting and encouraging time on data privacy front.
ALSO READ: ‘Aww, poor baby, Facebook’, and Google’s ‘Oh sh**’ moments!