Data Protection Laws Around The World – Evolution And Disadvantages

Introduction

It is almost impossible for any person today to live without digital and technological aid, it will be very hard to refrain from using social media apps, shopping apps, transaction apps today as we are heavily dependent on them. Thinking about our life without these aids is almost unimaginable. Along with the great ease and facility that this digital era provides us, there is a word of caution which each of us should be aware of. The data which we provide for anything has a great chance to be altered or misused against the individual to invade our privacy or harm us in any possible way. The incidents of cybercrime are very common making India among the top 5 countries to be affected by cybercrime.

To address this very main issue, the Data Protection Acts come into play to protect the interests, rights, and privacy of the people. These legislations govern the collection, use, transmission, and dissemination of that data, regulates the compilation, recording, organization, storage, updating or alteration, consultation, retrieval, usage, consolidation, blocking, erasure, or destruction of personal data while maintaining the free flow of information to facilitate creativity and growth.

Data can be divided into two categories: public data and personal data. Public data is information that is available to the general public, such as court records, birth records, death records, and basic business information. Private data, on the other hand, is confidential to an entity or agency and cannot be publicly disseminated by others without the subject’s consent. Financial data, family information, browsing details, interests, psychological traits, locations and travel experience, attitudes, skills, photos, aptitudes, and similar information are all included. It may be a mixture of these characteristics or even inferences based on the distilled results.

History And Evolution of Data Protection Laws

In 1970, the German state of Hessia passed the world’s first data protection law. The term “informational self-determination” was first used in Germany in the course of a constitutional decision concerning personal data gathered during the 1983 census.

However, a significant shift in privacy legislation occurred in 1995, when the European Union (EU) passed Directive 95/46/EC for the first time. This directive established an organized framework for EU member countries for inter-country personal data transfer/flow, protection against unlawful processing of personal data, data processing regulation, and classification and protection of sensitive data, but it was recently superseded by the all-new EU Act — General Data Protection Regulation (GDPR), which took effect on May 25, 2018.

Thereafter, many countries came up with legislation for regulating and protecting the data. The Philippines passed The Data Privacy Act of 2012, Canada passed the Personal Information Protection and Electronic Documents Act (PIPEDA), 2001 Brazil’s General Personal Data Protection Law (LGPD) became law on September 18, 2020, India came up with The Data Protection Bill, 2019 which is still to be passed by parliament.

Data Protection Laws Around The World

International Legislation

There is no international law to regulate data protection currently. The United Nation Conference on Trade and Development (UNCTAD) is a UN body which partially looks upon this issue by way of surveys and providing data of the legislation across the world. UNCTAD’s Cyberlaw Tracker, launched in 2015,  provides a repository of relevant laws in four legal areas essential for building trust in e-commerce: e-transactions, cybercrime, consumer protection, as well as data and privacy protection.

According to the data of the United Nations Conference On Trade And Development(UNCTAD), 66% of total countries have legislation on data protection, 10% have draft legislation, and 19% of countries with no legislation.[1]

European Union’s, General Data Protection Regulation (GDPR) can be considered as legislation that is followed by a large number of countries. It is strictly followed by 27 members of the Union and has inspired the rest of the countries around the world to model their legislation on these lines.

India

In Justice K S Puttaswamy and Anr. Vs. Union of India and Ors.[2], the Hon’ble Supreme Court of India ruled that the right to privacy is a constitutional right protected by Article 21 of the Constitution. Following that, a committee led by Justice B.N. Srikrishna was formed to investigate the problems around data security in India. The act aims to modernize India’s existing data security legislation, which is regulated by the Information Technology Act of 2000. It proposes to regulate the collection of personal data of individuals by the Indian government, Indian companies, and foreign companies. The Personal Data Protection Bill (PDPB), 2019 is broadly modeled after EU General Data Protection Regulation (GDPR).

The bill divides data into three classifications: Critical, Sensitive, and General. Sensitive personal data[3] includes financial data, health data, sex life, sexual orientation, biometric data, transgender status, caste or tribe, religious and political affiliations, etc. With the user’s express permission, sensitive data can be stored outside of India. Critical personal data[4] will be notified by the government every once in a while and must be stored and handled only in India. Every non-critical and non-sensitive data is classified as general data, which has no restrictions on where it can be processed or handled.

The bill provides its subject certain rights, which are:

  • The right to request confirmation from the fiduciary as to whether or not their sensitive data has been processed.
  • The right to seek correction of inaccurate, incomplete, or out-of-date personal data.
  • The right to have personal data transferred to any other data fiduciary in certain circumstances
  • The right to limit a fiduciary’s continued disclosure of their personal details if it is no longer required or consent has been revoked.

Social Media

The bill describes social media intermediaries[5] as services that enable two or more users to share, distribute, upload, disseminate, or generate content. This would allow the government to designate them as data fiduciaries, requiring them to abide by the provisions of the Bill.

Data Protection Authority And Exemptions

The bill calls for the creation of a Data Protection Authority[6] to safeguard data subjects’ interests, discourage abuse of personal data, ensure compliance, and raise data protection awareness. The authority will have the power to keep a database on its website with the names of important data fiduciaries and a ranking in the form of a data trust score that will show whether or not they are complying with the bill’s provisions.[7]

Every legislation has some exemptions’ because the blanket protection of an individual’s right is not possible, and these exceptions are required for the smooth running of the administration. The bill consists of the regulatory sandbox[8], under which some authorities and entities are exempted from complying with the provisions of the act. A sandbox is mandated by the data protection authority to support and facilitate artificial intelligence, machine learning, and other emerging technologies.

Fine And Penalty:

The bill carries stiff penalties. For collecting or transferring personal data in breach of the Act[9], a fine of INR 15 crores or 4% of the data fiduciary’s annual revenue, whichever is greater, will be levied. In the event that the data fiduciary fails to perform a data audit, a fine of INR 5 crores or 2% of the data fiduciary’s annual revenue, whichever is greater, will be levied.[10]

Concerns

The government has the right to access personal information for a variety of purposes, including national security, sovereignty, and dignity. This might lead to the state intruding into citizens’ lives, defeating the bill’s intent. The process for appointing members is still a source of contention.

European Union

The General Data Protection Regulation (GDPR) went into effect in 2018 and is the world’s most comprehensive privacy statute to date. It has since inspired the revision of existing legislation and the development of new ones all over the world. Countries like Brazil, Australia, Japan, South Korea, India, the USA, Thailand, Chile, New Zealand, South Africa, and Canada have revisited their existing law and created data protection laws inspired by GDPR.

Article 17 of the General Data Protection Regulations (“GDPR”), as well as Recitals 65 and 66, guarantee the Right to be forgotten.  It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”. The non-compliance to the rules will attract punitive punishments and hefty penalties for the companies, businesses, or whoever violates the law.

Some Key Differences Between PDPB And GDPR

1. The GDPR does not apply to non-personal or anonymized data, but under clause 91 of the bill, the government is allowed to request non-personal data from data fiduciaries and data principals in order to make policy decisions.

2. Financial information is not included in the GDPR definition of sensitive personal data, although it is included in clause 2(36) of the bill’s definition of sensitive personal data. As a result, the bill’s concept of sensitive personal data is broader than GDPR.

3. There is no similar clause in the GDPR for the classification of ‘critical personal data.’ Under Indian law, the central government will be able to classify what constitutes “critical personal data.”

4. The GDPR requires that data be stored in a recognizable form, with an allowance for extending the storage period. If data needs to be kept for a longer period of time, the bill includes express “consent” from the data principal.

The United States

In the United States, there is no comprehensive set of privacy rights or standards that cover the use, storage, and dissemination of data. Instead, there is just a small amount of sector oversight. Second,  the approach towards data protection varies for the public and private sectors. The government’s actions and powers in relation to personal information are clearly established and addressed by large, sweeping legislation such as the Privacy Act and the Electronic Communications Privacy Act, among others. Certain industry-specific norms exist for the private sector, such as The Federal Trade Commission Act (FTC) protects consumers from unfair business practices.

The US model allows the collection of personal information as long as the individual is informed of such collection and use. However, it has been viewed as inadequate in key respects of regulation.

Privacy law, in the United States, is often a messy combination of public regulation, private self-regulation, and regulations that vary by state. Also, the duty of enforcement of these regulations is under several different government organizations Federal Communications Commissions (FCC) and Health Insurance Portability and Accountability Act (HIPAA). There is no uniform law or rule to decide the storing period of data, companies can keep the data indefinitely depending upon their own terms and conditions.

The recent California Consumer Privacy Act (CCPA), has many provisions that overlap with GDPR. California may be only one State out of fifty, but it has inspired legislators on both sides of the spectrum to launch a slew of parallel data protection bills and legislation in other states and at the federal level.

Other Countries

Iceland:- Iceland has often been referred to as ‘Switzerland of data’. The Data Protection Act of 2000 in the Nordic Island nation is stringent about obtaining ‘unambiguous and informed consent’ before harvesting personal data.

Ireland:- The Data Protection Act of 1988 gave the island nation a head start on data privacy legislation, and the ePrivacy Regulations of 2011 built on the foundation.

Australia:- The Australian Privacy Principles (APP) is a compilation of 13 principles that regulate the gathering of personal information, and it is backed by the powerful office of the Australian Information Commissioner, which will hear public complaints and undertake free inquiries.

Denmark:- Denmark’s citizens’ privacy is protected by a federal body called the Danish Data Protection Agency, which is based on the Personal Data Processing Act of 2000. Personal data should only be obtained with the user’s express permission, and it can’t be revealed to third parties for commercial purposes without their consent, according to this rule.

Canada:- The Personal Information Protection and Electronic Data Act (PIPEDA), which requires privacy policy to specify the processing, storage, and use of personal information and to be easy to identify and understand, is the country’s primary safeguard. The government publishes a Privacy Guide for Business to help businesses comply with PIPEDA, which is based on a set of ten guiding principles concerning personal information.

Switzerland:- Switzerland is a hotbed for cloud computing because its rules and traditions align with the needs of enterprises that revolve around data security. Individual privacy is protected by the country’s constitution, and the Federal Data Protection Act requires businesses to inform people that they are storing their personal data and for what purpose.

Disadvantages Of Data Protection Laws

As every coin has two sides, every legislation has its pros and cons. With the protection of the basic human right of privacy, the data protection laws have some negatives in their account. Firstly, the data networks today are not confined to limited territories, they are globally spread but the data protection laws are local limited to every jurisdiction. The laws and penalties of the data protection law apply in the same way to small businesses or commercial entities as it applies to big multinationals and companies. Small businesses are not financially and economically in a position to comply with all the necessities of the law and neither do they have the capacity to pay the penalties and fines.

Conclusion

Any piece of legislation in the world cannot satisfactorily address the needs of all sections of society at once, there is always a fraction of society that benefits from that act and the other fraction remains on the disadvantaged or dissatisfied side. The Data protection legislations are no exception to this, in the process of protection of privacy of the fellow customers and people there will be some business and commercial rights that will get affected. But we have to choose between the basic human rights of individuals or the rights of some profit-making big companies. Data protection laws, therefore, are beneficial pieces of legislation to secure privacy and protect the vulnerability of individuals from misuse of their data. The only thing that can make these laws better is to bridge the gap between the advantaged and disadvantaged side, by considering the issues of both sides and addressing them so that none of the sides feels dissatisfied.

[1] https://unctad.org/page/data-protection-and-privacy-legislation-worldwide

[2] Writ Petition (Civil) No 494 of 2012

[3] Clause 2(36) of the Bill

[4] Explanation to Clause 33(2) of the Bill

[5]  Explanation to Clause 26 (4) of the Bill.

[6] Clause 41 of the Bill.

[7] India: Personal Data Protection Bill, 2019, by Vijay Pal Dalmia, https://www.mondaq.com/india/data-protection/1024292/personal-data-protection-bill-2019#_ftn1.

[8] Clause 40 of the Bill.

[9] Clause 51(2) of the Bill

[10] Clause 52(3) of the Bill

This article has been written by Astha Jain, B.A. LL.B student at National Law Institute University.

Also Read – The Age of Artificial Intelligence: Data Safety Challenges and the Need for Evolving an Adequate Legal Framework

Law Corner