Privacy Roundup Part Two: Significant International Updates
- Regulatory & Compliance
- 6 Mins
Last week’s blog detailed the wave of state legislation that occurred in the U.S. during 2021. It is no surprise that there were also many data privacy developments abroad. It is crucial that organizations affected by international laws, regulatory actions, or court decisions stay informed and determine any influence on business practices and compliance efforts. The global privacy revolution can create new and sometimes conflicting responsibilities. Below is a summary of key international data privacy activity, including some best practices to improve compliance management efforts.
Several countries around the globe took steps to tighten consumer privacy regulation. The first round of amendments to Singapore’s privacy law became effective on Feb. 1, 2021. The law now grants consumers a private right of action, mandates data breach notification to the Personal Data Protection Commission in proscribed circumstances, expands the definition of deemed consent, and enacts new categories of actions that can result in criminal punishment. Other substantial revisions will occur later this year.
China also passed new privacy regulations. The Data Security Law fills gaps present in the country’s cybersecurity framework and broadly applies to processing activities related to personal and non-personal information that could affect national security, public interest, or lawful consumer rights. The Personal Information Protection Law more closely mirrors the EU’s GDPR and regulates personal information processing. Chinese consumers now can access, correct, and delete information. Data controllers are responsible for conducting impact assessments and there are restrictions on cross-border data transfers. Both laws are now effective and can result in heavy fines.
Canada’s proposed national privacy law remained in legislative process last year. If passed, the law would grant consumers control of their data and ensure organizations are more transparent about how they handle personal data. Although the national law is still underway, Quebec adopted its own privacy law with extraterritorial reach to increase protections and management over personal and sensitive information. Some key provisions include mandated data governance policies and procedures, consumer right to data portability, consent for data collection, and transfer restrictions. Noncompliance can result in administrative penalties of $10 million or more, penal proceedings that can result in fines of $25 million or more, and private lawsuits. While the law went into force last September, certain provisions will be phased over a three-year period.
Some other countries where data privacy laws became effective last year were Belarus, South Africa, Uganda, and Panama. This list is not exhaustive but illustrates the global privacy trend is not losing speed. Additionally, as of last August Brazil’s enforcement agency can issue administrative sanctions under the country’s newer privacy law. The agency indicated it would investigate thoroughly and levy fines when necessary. Organizations can look to guidance issued last May to inform compliance-related decisions and help avoid penalties. Several other countries passed or updated laws, or have crucial changes planned for 2022 and 2023, so it is important for organizations to monitor developments in any geographic location where they conduct business or handle personal data. Some best practices to manage varying domestic and global privacy compliance requirements include dedicating staff to create and maintain compliance plans, regular training, cybersecurity audits, and data mapping. Taking these measures can reduce risk of unprotected data and bolster compliance initiatives.
GDPR Cross-Border Data Transfers
A landmark court decision in July 2020 caused the European Commission to issue new standard contractual clauses (SCCs) this year applying to personal data transfers from EU member states to other countries. In Schrems II, a consumer activist filed a case against a big tech company regarding data transfer policies between the U.S. and Ireland, which he argued were risky. The court held that SCCs were insufficient when a country does not offer the same level of protection and consumer rights as the EU. Cross-border data transfers are only valid under the GDPR when adequate safeguards are in place to secure the data. Without an adequacy decision in place and prior mechanisms deemed invalid, the U.S. has been in limbo. Affected organizations have been waiting to see how the European Commission would alter the longstanding SCCs, as this is one of the most common ways that cross-border data transfers from the EU occur not only in the U.S. but all over the globe.
The new SCCs focus on enhanced accountability and transparency to ensure all transfers to the U.S. or other countries deemed inadequate align with the GDPR’s privacy standards. Some key features include four modular clause options, mandated data transfer impact assessments, and authorization of multi-party agreements. The new SCCs also do not restrict the physical location of the data exporter to an EU country. Organizations required to use SCCs for data transfers need to review the new requirements and create policies that will streamline future transfers. The old SCCs were repealed on Sept. 27, 2021, but already established clauses will remain effective until Dec. 27, 2022. Prior to this date, organizations should modify their contracts and provide appropriate notices to remain compliant.
2021 was a year of rigorous GDPR enforcement, with big tech companies being noticeably impacted. In July, the Luxembourg data protection supervisory authority levied its largest fine to date, for over 700 million Euros. The previous record high was 50 million in 2019. This decision has been appealed and in December, a Luxembourg judge struck down recent orders from the data protection authority saying the company would face extra daily fines for failure to implement consumer data process changes by a certain date as the judge found the authority’s directives on what needed to change to be unclear.
The second highest fine last year was levied in Ireland for 225 million Euros for deficient consumer notice about data processing practices in privacy policies. Last year, there were also nearly 20 other fines over 1 million Euros.
Two things to watch out for this year are whether heavier fines keep trending and if any appeals result in complete reversals or significant fine reductions, as this will be influential in future enforcement actions. The intermediary decision against the Luxembourg data protection supervisory authority already illustrates that additional penalties will need to be sufficiently warranted.
Being the first to comprehensively overhaul data privacy regulation, the EU has seen the most enforcement action in this space. However, with new laws carrying heavy fine potential now active in places like China, Brazil, and Canada it is crucial to monitor emerging global enforcement trends.
Large regulatory fines are also happening in other contexts, including competition. Just like the potential for big tech organizations to obtain and mishandle sensitive information is a major reason for global focus on data privacy, these organizations also hold the ability to significantly hinder market competition. In December 2021, the Italian competition authority imposed a fine of over 1billion Euros on a company for favoring merchants that used their fulfillment services and hindering sales for other organizations. It will be interesting to see big tech’s response or any changes to current policies and practices as larger fines continue with regards to privacy and competition.
With each year that passes since the GDPR’s creation, more countries reform data privacy landscapes. It will be interesting to see how enforcement affects compliance, as more organizations monitor trends and tweak compliance programs accordingly. In addition to deploying internal compliance efforts, a provider familiar with data privacy updates that can implement information management tools, detect security shortcomings, and orchestrate compliance plans can be a beneficial resource.
To learn more about data privacy, consider reading part one of this blog.