Data Protection: All roads lead back to the GDPR
Recent developments in data protection laws around the world highlight the increasing significance of having a robust and comprehensive framework that will adequately protect an individual’s personal data. Across the globe, jurisdictions continue to develop their data protection and privacy laws and many use the General Data Protection Regulation (“GDPR”) as a template or at least borrow concepts first seen in European law. As a recent example, in April 2021, the British Virgin Islands (“BVI”) enacted the Data Protection Act 2021 (“the DPA”) that will come into force shortly. The DPA will apply to data controllers and processors, which are concepts that the UK and the EU are very familiar with due to the GDPR. Further from home, China has adapted parts of the GDPR such as the legal principles for processing personal data into its draft Personal Information Protection Law (“PIPL”). Quite simply, the GDPR continues to serve as a template in many countries that either do not yet have their own data protection laws or are in the process of refining their own laws to ensure that their citizens’ personal data is sufficiently protected.
Cross border transfers
One key difficulty that businesses operating in today’s global economy need to contend with when complying with the GDPR concerns cross border transfers of personal data. Under the GDPR, transfers of personal data to organisations outside of the European Economic Area (“EEA”) are not permitted unless either (a) the recipient country or organisation ensures an adequate level of protection; (b) the controller or processor provides appropriate safeguards (e.g. binding corporate rules or standard data protection clauses); or (c) a derogation or exemption applies.
Organisations that engage in such transfers, most notably companies that have online IT or cloud services, must ensure that appropriate safeguards are implemented. These safeguards are commonplace within the EU, but may be problematic when such transfers involve third countries that do not have an ‘adequate’ level of data protection. This standard has risen as a result of the Schrems case (C-362/14), in which the Court of Justice of the European Union (“CJEU”) underlined that a third country must have “a level of protection essentially equivalent to that guaranteed within the EU by the GDPR”. The CJEU judgment in the Schrems II case (16 July 2020) places a further requirement for a transfer impact assessment for organisations that engage in cross border transfers based on standard contractual clauses.
In a step towards global harmonisation of cross border transfers of personal data, an increasing number of countries have adopted an approach similar to the GDPR regarding the need for third-country recipients to have an adequate level of data protection. For instance, the draft Bill expected to enter into force in Chile in 2022, which seeks to improve data protection standards in the same way as the GDPR, provides that cross border transfers of personal data will require the third country to have similar levels of protection to the Bill itself. Meanwhile, the Personal Data Protection Act 2019 in Thailand mirrors the GDPR in permitting such transfers only if adequate personal data protection standards, as permitted by the Thai Personal Data Protection Committee, are implemented.
Should more countries adopt stringent provisions that meet the “equivalent” standard set out by the GDPR and the Schrems case, organisations will have more clarity on the appropriate level of protection required on their end. Alternatively, an international standard similar to that of the GDPR or the Asia-Pacific Economic Cooperation’s (APEC) Cross-Border Privacy Rules (CBPR) system could be established to better facilitate cross border transfers. It may be some time before we see such a harmonised standard as developing countries in particular need to establish their own local data protection laws first.
Implications for Organisations
The GDPR has given individuals more control over how their personal data can be collected, processed and stored. Individuals can request that their data be erased (‘right to be forgotten’) or rectified (‘right to rectification’). Organisations that collect personal data must obtain an individual’s consent and provide details including, but not limited to, the identity and contact details of the controller and, where applicable, the data protection officer, and the purpose for collecting or processing the data.
Various countries have adopted similar provisions to increase transparency between controllers and data subjects. Brazil’s General Data Protection Law (“LGPD”) requires controllers to provide individuals with ‘privacy notices’ as well as ‘opt-in/opt-out’ check boxes to give data subjects more control over the amount of data they are willing to provide. In Sri Lanka, under the final draft Personal Data Protection Bill (“Draft Bill”) that was released earlier this year, a data subject’s prior consent is required in order for organisations to process his/her personal data. These data subjects also have rights, such as the right to withdraw consent and the rights to access, rectification and erasure, that are similar to those under the GDPR.
A necessary measure to enforce these stringent rights is harsh penalties in the form of fines. Under the GDPR, breaches of the key data protection principles or infringements of data subjects’ rights could result in fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher. In Canada, it is expected that the new Consumer Privacy Protection Act (“CPPA”), which is likely to be implemented in the coming years, will increase the maximum penalties for breaches of the CPPA to either $10,000,000 or 3% of an organisation’s gross global revenue, whichever is higher. The Australian federal Attorney General has proposed amendments to the Privacy Act 1988 to increase penalties for repeated breaches to AU$10 million or 10% of a company’s annual domestic turnover. As such, international organisations in particular should be aware of changes in the laws of different countries and regions to ensure that they do not fall foul of such penalties.