In the age of information and communication technologies, the flow of information is fundamental to doing business in the global economy. Business operations and consumer expectations have undergone a major shift due to the development of technology and the nature of information flows. Most of the services that we receive or provide involve the collection and analysis of personal data, that is, any information relating to an identified or identifiable natural person. The economic and social integration resulting from the functioning of e-commerce has led to a substantial increase in cross-border flows of personal information. The scale of the collection and sharing of personal information has increased significantly. We share our personal information every day, without hesitation, by visiting a website, opening bank accounts or social media accounts, buying goods and services online, registering for emails, etc. It is a matter of grave concern that some organisations not only collect personal details but also store them in insecure places, share them with third parties or move this data across borders without obtaining customers' consent. Rapid technological developments and globalisation have brought new challenges for the protection of personal information. In the recent past, we have witnessed British Airways owner IAG being handed a USD 230 million fine under the General Data Protection Regulation (GDPR), which came into force in 2018, for the theft of data of 500,000 customers from its website last year. Facebook was fined GBP 500,000 in 2018 for serious breaches of data protection law.
Article 12 of the Universal Declaration of Human Rights states that everyone has the right to the protection of law against any interference with his privacy, family or correspondence. In December 2013, the United Nations General Assembly passed a Resolution demanding that the workings of state surveillance be subject to legality through clear and precise law, which must look to safeguard the right to privacy. As expected, data protection has become a major issue for legislators, regulators and consumers worldwide, one that organisations can no longer afford to ignore. A number of data privacy regulations and acts have been introduced around the world.
Firstly, the General Data Protection Regulation (GDPR) is the latest European Union (EU) parliamentary measure designed to put the highest levels of protection around personal data; it came into force in May 2018. The GDPR applies to all companies that process personal data of EU citizens, regardless of where the EU citizen resides. According to the GDPR, companies must ensure that customers have control over their data. To be GDPR-compliant, a company must not only safeguard consumer data carefully but also provide consumers with ways to control, monitor, check and, if desired, delete any information pertaining to them. Any deviation from this could lead to the imposition of fines of up to EUR 20 million or four percent of the company's global annual turnover, whichever is higher.
Secondly, California has enacted the California Consumer Privacy Act, 2018 (CCPA), which comes into force on January 1, 2020. Many of its provisions are similar to the GDPR and require companies to institute new internal data privacy regimes. The CCPA gives consumers more control over how their data is collected, used and deleted. The CCPA applies to businesses that collect personal information about California residents, regardless of location, and meet certain thresholds.
Thirdly, the Asia Pacific Economic Cooperation (APEC) adopted a voluntary Privacy Framework in 2005 and updated it in 2015; it aims at promoting electronic commerce throughout the APEC region. In 2011, APEC implemented the Cross Border Privacy Rules (CBPR) system, which requires participating businesses to develop and implement data privacy policies consistent with the Framework. The Framework requires appropriate safeguards, while the CBPR system requires the applicant country to describe how it enforces a requirement to have technical and administrative safeguards. The CBPR system is intended to provide a minimum level of protection where a country has no applicable domestic privacy protection requirements.
Fourthly, the Organisation for Economic Co-operation and Development (OECD) adopted its voluntary Guidelines governing the Protection of Privacy and Trans-border Flows of Personal Data in 1980 and revised them in 2013 in response to growing concerns about information privacy and data protection in an increasingly technological and connected world. The OECD Guidelines apply to personal data, whether in the public or private sector, which, because of the manner in which they are processed, or because of their nature or the context in which they are used, pose a danger to privacy and individual liberties. These guidelines should be regarded as minimum standards which are capable of being supplemented by additional measures for the protection of privacy and individual liberties.
According to The Software Alliance (BSA) Global Cloud Computing Scorecard 2018, privacy laws are still absent or insufficient in several countries, although a good number of countries have data protection frameworks in place. Brazil and Thailand have no comprehensive laws, while laws in China, India, Indonesia and Vietnam remain very limited. Canada and Mexico score highest in the privacy section.
The Supreme Court of India held that privacy is a fundamental right in the case of Justice KS Puttaswamy (Retd) v Union of India on August 24, 2017, which led to the formulation of a comprehensive Personal Data Protection Bill 2019. Presently, the Information Technology Act, 2000 contains specific provisions intended to protect electronic data.
Mazharul Islam is a corporate legal practitioner. He can be reached at email@example.com.