Previously we discussed the need for Federal privacy legislation in the US to clarify Washington’s position on consumer privacy and the efforts of states to fill the void with their own legislation. But what about outside of the US?
According to the UN Conference on Trade and Development, 137 out of 194 countries have enacted legislation to protect data and privacy. Here are a few recent developments to watch.
The UK Information Commissioner’s Office (ICO) recently published draft guidance on the use of Privacy Enhancing Technologies (PETs). The guidance includes information on the benefits of techniques such as anonymization, differential privacy, and use of synthetic data, such as:
- PETs help demonstrate a “data protection by design and by default” approach to processing
- PETs help enforce data minimization principles by processing only the necessary data and providing an appropriate level of security for processing
- PETs allow access to datasets which would otherwise be too sensitive to share by ensuring that individuals’ data is protected
According to John Edwards, UK Information Commissioner, “Although the use of PETs is in its early stages, it can unlock safe and lawful data sharing where people can enjoy better services and products without trading their privacy rights.”
Additionally, the UK Parliament is currently working on a draft Data Protection and Digital Information (DPDI) bill. The goal of the new bill is to modify the current UK GDPR, which was drafted out of necessity due to Brexit and largely mirrors the EU GDPR. DPDI gives Parliament and the ICO an opportunity to customize their data protection regime in ways that will facilitate business and provide needed flexibility in ways where the EU GDPR falls short.
One primary example in the draft bill centers around transfers of UK personal data outside of the country. Traditionally, GDPR mandates that the data protection laws of the recipient country either be ‘deemed adequate’ by the data protection authority in the data controller’s home country or use methods such as standard contractual clauses—whose validity has been called into question by recent EU court rulings. One of the stated goals of Parliament is to “create a clearer regulatory environment for personal data use that will fuel responsible innovation”. This marks a departure from the traditional EU regime that is primarily focused on user privacy and attempts to balance individual interests with spurring economic growth for an independent UK.
The Trans-Atlantic Data Privacy Framework (TADPF) was announced in February 2022 as a proposed replacement for Privacy Shield, which was invalidated by the Court of Justice of the EU in a July 2020 ruling. Similar in function to Shield v1, Privacy Shield v2 attempts to resolve some of the issues raised in the CJEU ruling by:
- Including new safeguards to limit access to data by US surveillance agencies
- Creating a user redress system to investigate and resolve complaints of EU individuals on access of data by US surveillance agencies
- Creating an independent Data Protection Review Board to improve oversight of US intelligence agency access to individuals’ personal data
Resolving cross-border data transfer issues and reinstating a version of Privacy Shield was a key topic at the recent G-7 meetings, where discussions centered around how to expedite the process. If the US and EU negotiators can reach a deal in the near future, both sides are expected to move quickly in 2023 to resolve the confusion around cross-border data transfers out of the EU and establish a new mechanism that will hopefully withstand the legal challenges that are sure to arise on similar grounds as those that overturned Shield v1.
Despite being a major global player in information technology, India lacks a comprehensive data privacy law. Attempts to create a new data protection law have been underway since 2018, but efforts were paused this summer to rework the current draft legislation. The Personal Data Protection Bill is an attempt to modernize India’s data protection framework by following many of the tenets of the GDPR. One in particular, data minimization (also a principle of Privacy by Design), has spurred uproar due to India’s proposed data localization requirements. As currently drafted, private sector data deemed ‘sensitive’ would not be permitted to leave India under any circumstances. This has led to pushback from India’s technology sector due to concerns that it would stifle innovation and exclude India from the global data processing industry. As a result of the concerns about how data localization would be applied and enforced, the current bill was withdrawn from Parliament in August 2022. The bill will be redrafted to focus on data localization, consent, and other controversial provisions. There is no publicly stated timeline for the new bill’s introduction.
Cross-border data transfer is a pressing issue globally, and China is no exception. On September 1, 2022, the Cyberspace Administration of China (CAC) released the Notification Guidelines for Security Assessment on Cross-border Data Transfers. These guidelines are designed to clarify transfer provisions in the Personal Information Protection Law (PIPL) passed by China in 2021.
The biggest implication of the new guidelines is that certain companies must have their cybersecurity measures assessed by the CAC. Companies that meet any of the following conditions must be assessed:
- “Critical Information Infrastructure Operators” (CIIOs) that process more than one million individuals’ personal information;
- companies that transfer “important” data overseas; or
- companies that have exported “over 100,000 individuals’ personal information or over 10,000 individuals’ ‘sensitive personal information’” since January 1 of the preceding year.
“Important data” is described as “data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used”. “Sensitive personal information” includes:
- Biometric data (such as fingerprints, iris and facial recognition information, and DNA)
- Data pertaining to religious beliefs or “specific identities”
- Medical history
- Financial accounts
- Location and whereabouts
- Any PI of minors under the age of 14
Critical Information Infrastructure Operators are companies engaging in important industries or fields, including:
- Public communication and information services
- Public services
- E-government services
- National defense
- Any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks
Companies that are not considered CIIOs or that handle smaller volumes of data may be able to transfer data deemed personal information overseas by simply signing a ‘standard contract’ with the overseas recipient. This procedure is simpler than the CAC security review as it does not require an external audit. Companies subject to the assessment have a six month grace period for compliance, until March 2023.