COVID-19 means that more people are working remotely than ever before. And this means that data protection and privacy take on a whole new significance: Employees and contractors are using and processing extensive personal data and information in their own homes.
In this piece, we look at how different countries and international jurisdictions deal with data protection, emphasising recent developments and changes.
The different laws have many similarities: all emphasise the importance of customer consent to the collection and use of their data, having procedures in place to manage that data, and compulsory notification of data breaches to the authorities. However, there are also significant differences, including:
- The extensive application of the European Union and California laws to other jurisdictions;
- Some jurisdictions applying obligations to all businesses (European Union and Canada), and some applying only to businesses of a certain size (Australia and California);
- Obligations to notify about financial incentives (CCPA only);
- When consent is required (for example, Canada explicitly sets out the cases in which consent is not required, whereas the European Union and Australia leave it to companies to determine based on broad ‘principles’).
This piece covers four regimes:
- The European Union’s General Data Protection Regulation (GDPR);
- The California Consumer Privacy Act 2018 (CCPA);
- The Australian Consumer Data Right (CDR);
- The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
1. The General Data Protection Regulation (GDPR)
The GDPR, which took effect in May 2018, is the most expansive piece of privacy and data protection regulation in the world. It applies not only to organisations established in any European Union (EU) member state, but also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour there. This concept is interpreted liberally and doesn’t simply mean selling to customers in the EU: if your company website is directed at people in the EU (for example by quoting prices in euros or accepting EU addresses) and you haven’t taken measures to exclude them, you may be acquiring personal data that is covered by the GDPR.
Note also that the GDPR has no turnover threshold and applies to small and medium-sized enterprises. A few obligations are lighter for them (organisations with fewer than 250 employees are exempt from some record-keeping requirements), but most, including the duty to appoint a data protection officer, depend on the nature and scale of the processing rather than on the size of the company.
So, what does the GDPR do? It sets out:
- Roles and responsibilities for ‘data controllers’ and ‘data processors’. These include notifying the supervisory authority of personal data breaches (there had been 160,000 breach notifications across Europe as of January 2020), carrying out data protection impact assessments (‘DPIAs’) for high-risk processing, appointing data protection officers where the nature of the processing requires it, and acting in accordance with the ‘principles of data protection’ (for example, having a lawful basis such as consent for collection, disclosure and use);
- Consumer data rights. Affected individuals (‘data subjects’) have the right to request the erasure of their data, a right of access to their personal data, and a right to have that data in portable form;
- Rules on transfers of personal data to countries outside the EU (‘third countries’);
- An extensive penalty and compliance regime. Fines can be up to €20 million or 4 per cent of annual worldwide turnover, whichever is higher. Regulators have issued hundreds of fines. Perhaps the most significant enforcement action so far was the €50 million fine imposed on Google by the French regulator (CNIL) in January 2019 for noncompliance with transparency and consent requirements.
2. The California Consumer Privacy Act 2018
The California Consumer Privacy Act (CCPA), which came into effect in January 2020, provides:
- A right to ask for personal information to be deleted (similar in many respects to the GDPR);
- A right to ‘opt-out’ of having personal information sold;
- A responsibility for businesses to have procedures in place for dealing with these rights.
Note that it does not apply to all businesses. It applies only to for-profit businesses that do business in California and:
- Have annual gross revenues above $25 million; or
- Buy, sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or
- Derive 50 per cent or more of their annual revenue from selling personal information.
Several aspects of the CCPA framework are still being finalised in the form of accompanying regulations issued by the California Attorney General. These include:
- Obligations to disclose matters to customers, such as whether the business offers financial incentives in exchange for the collection, sale or deletion of personal information;
- Procedures for verifying the identity of a consumer who makes a request.
While the CCPA is not as comprehensive as the GDPR in the data control and processing obligations it places on businesses, like the GDPR it applies to any company that ‘does business’ in California, whether or not the company is physically located there.
3. The Australian Consumer Data Right (CDR)
Australia does not currently have privacy and data laws as extensive as the EU’s. The Privacy Act 1988 generally applies only to businesses with an annual turnover of more than AUD 3 million (with exceptions, such as health service providers).
The principles-based Privacy Act 1988 sets out thirteen key principles (the ‘Australian Privacy Principles’ or ‘APPs’) for dealing with personal information (e.g. consent and fair collection), mandatory data breach notification under the Notifiable Data Breaches scheme, and the rights of individuals to access and correct information held about them.
More significantly, the Australian federal government is rolling out a new ‘Consumer Data Right’ (CDR). This package of legislative amendments, regulations and rules gives customers the right to access their data and to have it transferred from one provider to another. It is similar to the right to data portability contained in the GDPR.
The CDR gives individuals and businesses a right to access a defined set of information held about them and to authorise accredited third parties to receive that data. The government is rolling it out sector by sector: it began with banking (under the ‘open banking’ banner), is now being progressed in the energy and telecommunications sectors, and will later be applied across the economy.
4. The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
Like the United States, Canada does not have a single privacy law covering every organisation. PIPEDA is the federal private-sector statute. It applies in all Canadian provinces and territories, except that in British Columbia, Alberta and Quebec provincial laws that have been declared ‘substantially similar’ apply instead to most businesses within the province (PIPEDA still governs federally regulated businesses and personal information that crosses provincial or national borders).
Similar to the GDPR, PIPEDA is wide in its application. It applies to any private-sector organisation that collects, uses or discloses personal information in the course of commercial activity, as well as to ‘federally regulated’ industries such as banks, airlines and telecommunications companies.
PIPEDA, like the GDPR and the Australian Privacy Act, sets out underlying key principles for the handling of personal information by businesses (the ten ‘fair information principles’ in its Schedule 1). These include identifying the purposes of collection, consent, limiting collection, accuracy, safeguards, individual access to that information, and having processes in place to ensure compliance.
In order to comply, businesses must:
- Advise customers of information that the business holds about them, and give them the right to access it and correct it;
- Obtain meaningful consent to use of personal information in many (though not all) cases;
- Take appropriate security measures to protect personal information;
- Not make consent to the collection or use of personal information beyond what is needed for the transaction a condition of supplying a product or service.
The ‘Digital Privacy Act’ of 2015 made significant amendments to PIPEDA, the last of which came into force in November 2018. These include:
- Mandatory reporting of breaches of security safeguards to the Privacy Commissioner, and notification of affected individuals, where the breach creates a real risk of significant harm;
- A statutory definition of when consent is valid (the individual must reasonably understand the nature, purpose and consequences of the collection, use or disclosure);
- Explicit exceptions under which personal information may be collected, used or disclosed without consent, including for investigations and fraud prevention, as part of business transactions, and for managing the employment relationship in federally regulated workplaces.
Three points to take away:
- Businesses need to be familiar with the privacy and data protection laws that apply in the jurisdictions they operate in. If your company does business in the EU or California, be particularly mindful of the extensive reach of their laws;
- The continuous introduction of new obligations and rights keeps privacy and data protection law in a state of flux internationally;
- While there are significant differences across these different laws, there are still a number of commonalities. For example, the importance of customer consent to data collection and use, customer rights to their own data and the obligation to have explicit processes in place within the business to manage personal data.