Data Protection: All roads lead back to the GDPR
Recent developments in data protection laws around the world highlight the increasing significance of having a robust and comprehensive framework that adequately protects an individual’s personal data. Across the globe, jurisdictions continue to develop their data protection and privacy laws, and many use the General Data Protection Regulation (“GDPR”) as a template or at least borrow concepts first seen in European law. As a recent example, in April 2021 the British Virgin Islands (“BVI”) enacted the Data Protection Act 2021 (“the DPA”), which will come into force shortly. The DPA will apply to data controllers and processors, concepts with which the UK and the EU are very familiar because of the GDPR. Further afield, China has adapted parts of the GDPR, such as the legal principles for processing personal data, into its draft Personal Information Protection Law (“PIPL”). Quite simply, the GDPR continues to serve as a template in many countries that either do not yet have their own data protection laws or are in the process of refining their own laws to ensure that their citizens’ personal data is sufficiently protected.
Cross border transfers
One key difficulty that businesses operating in today’s global economy need to contend with in complying with the GDPR concerns cross border transfers of personal data. Under the GDPR, transfers of personal data to organisations outside the European Economic Area (“EEA”) are not permitted unless (a) the recipient country or organisation ensures an adequate level of protection; (b) the controller or processor provides appropriate safeguards (e.g. binding corporate rules or standard data protection clauses); or (c) a derogation or exemption applies.
Organisations that engage in such transfers, most notably companies that provide online IT or cloud services, must ensure that appropriate safeguards are implemented. These safeguards are commonplace within the EU, but may be problematic when such transfers involve third countries that do not have an ‘adequate’ level of data protection. This standard has risen as a result of the Schrems case (C-362/14), in which the Court of Justice of the European Union (“CJEU”) underlined that a third country must have “a level of protection essentially equivalent to that guaranteed within the EU by the GDPR”. The CJEU judgment in the Schrems II case (16 July 2020) adds a further requirement: organisations that engage in cross border transfers based on standard contractual clauses must carry out a transfer impact assessment.
In a step towards global harmonisation of cross border transfers of personal data, an increasing number of countries have adopted an approach similar to the GDPR regarding the need for third-country recipients to have an adequate level of data protection. For instance, the draft Bill expected to enter into force in Chile in 2022, which seeks to improve data protection standards in the same way as the GDPR, provides that cross border transfers of personal data will require the third country to have levels of protection similar to those of the Bill itself. Meanwhile, the Personal Data Protection Act 2019 in Thailand mirrors the GDPR in permitting such transfers only if adequate personal data protection standards, as permitted by the Thai Personal Data Protection Committee, are implemented.
Should more countries adopt stringent provisions that meet the “equivalent” standard set out by the GDPR and the Schrems case, organisations will have more clarity on the appropriate level of protection required on their end. Alternatively, an international standard similar to that of the GDPR or the Asia-Pacific Economic Cooperation’s (APEC) Cross-Border Privacy Rules (CBPR) system could be established to better facilitate cross border transfers. It may be some time before we see such a harmonised standard as developing countries in particular need to establish their own local data protection laws first.
Implications for Organisations
The GDPR has given individuals more control over how their personal data can be collected, processed and stored. Individuals can request that their data be erased (‘right to be forgotten’) or rectified (‘right to rectification’). Organisations that collect personal data must obtain an individual’s consent and provide details including, but not limited to, the identity and contact details of the controller and, where applicable, the data protection officer, and the purpose for collecting or processing the data.
Various countries have adopted similar provisions to increase transparency between controllers and data subjects. Brazil’s General Data Protection Law (“LGPD”) requires controllers to provide individuals with ‘privacy notices’ as well as ‘opt-in/opt-out’ check boxes, giving data subjects more control over the amount of data they are willing to provide. In Sri Lanka, under the final draft Personal Data Protection Bill (“Draft Bill”) released earlier this year, a data subject’s prior consent is required before organisations may process his/her personal data. These data subjects also have rights similar to those under the GDPR, such as the right to withdraw consent and the rights of access, rectification and erasure.
A necessary measure to enforce these stringent rights is harsh penalties in the form of fines. Under the GDPR, breaches of the key data protection principles or infringements of data subjects’ rights can result in fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher. In Canada, the new Consumer Privacy Protection Act (“CPPA”), which is likely to be implemented in the coming years, is expected to increase the maximum penalties for breaches of the CPPA to either $10,000,000 or 3% of an organisation’s gross global revenue, whichever is higher. The Australian federal Attorney General has proposed amendments to the Privacy Act 1988 to increase penalties for repeated breaches to AU$10 million or 10% of a company’s annual domestic turnover. As such, international organisations in particular should be aware of changes in the laws of different countries and regions to ensure that they do not fall foul of such penalties.