By Devansh Pandit, a third-year B.A. LL.B. (Hons.) student at Symbiosis Law School, NOIDA (Symbiosis International University, Pune).
INTRODUCTION:
We are currently in an age where data is currency, and the advent of this age has led to an unprecedented increase in the amount of data that can be created and stored. This data is not restricted to algorithms and machine learning; it can also be used to identify a natural person. One’s likes, dislikes and preferences can either exist directly as data, or multiple pieces of information can be combined to infer these facts about an individual. On one hand, this increase in accuracy is conducive to technological advancement, but on the other, it exposes individuals to data leaks, thus requiring state intervention in the form of legislation. One of the initial steps in this direction was taken by the European Union (EU). The EU, in January 2012, after a four-year deliberation, reached an agreement on what data protection actually involved and how it would be enforced. The key outcome of this plan for reform was the General Data Protection Regulation (GDPR). This landmark regulation has led to over 500 actions being taken against non-compliant companies, and over a billion euros in fines have been levied. Following the legislation, the concept of ‘GDPR compliance’ began to emerge, as major global conglomerates (e.g. Amazon, Google) had to be compliant with the regulation in order to operate in the EU. GDPR initiated a global conversation about the integrity of personal data (PI) and was likely to have a domino effect on other jurisdictions as well.
Now, over 100 jurisdictions have enacted their own data privacy laws. These localized GDPRs add up to a global maze of legal obligations that will disrupt the operations of any global company. India is also midway through introducing legislation specifically pertaining to data protection, The Personal Data Protection Bill, 2019, which is being deliberated on rigorously; the latest development is the tabling of the Joint Parliamentary Committee Report on the bill. Steadily, data protection will take the form of a second set of tax codes: high cost, high risk, cumbersome to execute, and with non-compliance not even being an option. Compliance will require an organization to commit additional resources to ensure that it is not exposing itself to any violation. This article will deliberate upon the novel challenges that might be encountered by organizations which operate on a global level. It will also elaborate on certain steps by which these challenges can be reduced, moving towards a pro-compliance data regime.
CHALLENGES INVOLVED IN GLOBAL DATA COMPLIANCE:
Problem of Extra Territorial Application:
It is evident that the data protection legislations of various countries find their origin in GDPR, and one of the major similarities among these legislations is that almost all of them have extraterritorial application. This leads to the issue of country-specific data compliance, which can be a major challenge for any organization that processes or handles data of citizens globally. Following is a list of some of the data protection legislations having extraterritorial application.
In terms of its application, GDPR applies to all companies, no matter where they are based, that collect and process personal data on EU residents. Non-EU companies have to appoint a GDPR representative and will be liable for all fines and sanctions.
CCPA was enacted with the intent to secure privacy and consumer rights of residents of California, United States. It regulates data belonging to individuals, such as internet activity, cookies, IP addresses, and biometric data, as well as “household data” generated by IoT devices in the home. Its applicability extends to any organization that could potentially possess the data of a California resident.
After a long journey, the Joint Parliamentary Committee Report on the Personal Data Protection Bill, 2019 has arrived with certain recommendations. It is likely that in the near future, India will also see a comprehensive data regime. Besides governing the processing of personal data by the Government and companies incorporated in India, Section 2(A)(c) of the bill also extends its applicability to foreign companies dealing with personal data of individuals in India. Thus, if the data belongs to an individual in India, the foreign company processing such data would have to comply with the PDP Bill, 2019.
Data privacy in China was previously governed by a broad patchwork of different laws, but the PIPL now provides an overarching data privacy law. PIPL also has extra-territorial jurisdiction. As per Article 3 of the Act, if an organization is targeting individuals in China, it has to comply with PIPL.
These are four legislations, out of the 100+ countries that have already adopted data protection legislation. As of 2022, data from the United Nations Conference on Trade and Development indicate that 69% of countries already have fully applicable data protection legislation and 10% of countries have draft legislation. Thus, on one hand, an increase in data protection legislation will strengthen the integrity of PI, but on the other, it will be a challenge for companies and businesses to comply with the requirements of each jurisdiction.
Administrative and Financial Burden on Companies:
The inference that can be drawn from the above data is that, if a company is processing or handling data of any citizen, it should be compliant with the data protection legislation of the nation to which that citizen belongs. The probable outcome of such global compliance is an increased financial and administrative burden on the organization. A study by Ponemon Institute LLC on data compliance by 53 multi-national organizations found that the cost of compliance can range from $5.5 million to almost $22 million. The reason for this is the substantial diversion of resources needed to initiate compliance.
A major administrative challenge leading to higher cost is compliance reporting, which requires localized expertise in the jurisdiction in which compliance is required. Moreover, a continuous check will be required on amendments to data protection legislation, which are being introduced rapidly; this would further entail additional manpower. Furthermore, the diversion of time and commitment from the core business to data compliance also contributes to the administrative burden of the organization. Some jurisdictions also have data localization requirements; therefore, maintaining servers in every such jurisdiction will also contribute to mounting costs.
RECOMMENDATIONS TO MITIGATE THE PROBLEMS:
It is imperative to understand that, just like tax codes, data protection legislation is not optional to comply with. Even though it entails a significant financial and administrative burden on the organization, there are certain ways in which these problems can be mitigated.
- Commonalities of certain provisions in all jurisdictions.
Even though there are multiple data protection legislations, there are some provisions common to almost all of them, such as:
- Consent: Before data is used for a specific purpose, consent must be obtained for that specific purpose. This is an extremely common provision which minimizes surplus data collection and creates a reasonable nexus between the data itself and the consent for its collection.
- Transparency: Individuals need to be consistently made aware of how their data is being used. If an organization collects personal data for a particular purpose and now requires its processing for another purpose, this should be communicated to the data subject beforehand, giving them an appropriate opportunity to either object or opt out.
- Data Localization: Data, whether captured from within or outside the jurisdiction, must be stored and processed within the country of the data subject. Data localization, however, is not a universal requirement of every jurisdiction, but an organization would be on the safer side of compliance if it practices data localization voluntarily. For example, Section 33 of India’s Personal Data Protection Bill, 2019 requires sensitive personal data to be stored in India, whereas the GDPR has no stringent localization requirement pertaining to personal data.
- Security and Integrity: The security and integrity of the data must be maintained.
- Privacy Officers: Some jurisdictions require every company that crosses a threshold to appoint a Chief Privacy Officer. Article 52 of the PIPL requires personal information handlers who process personal information in quantities specified by the cyberspace administration to appoint Personal Information Protection Officers. A similar requirement is envisaged by Section 30 of The Personal Data Protection Bill, 2019, which mandates significant data fiduciaries to appoint a data protection officer.
Thus, if a company is designing or modifying its privacy policy, it must take into account certain common provisions that are applicable in almost all jurisdictions. A policy which incorporates basic data protection principles will reduce the probability of frequent modifications and amendments that might result if certain basic principles are excluded.
- Conduct an Emergency Compliance Measure
Considering the rapid growth in data protection laws, it is likely that a company would be out of compliance with the legislation of some jurisdictions. Thus, an emergency compliance measure should be conducted to check for vulnerabilities in the data protection policy. This will allow an organization to make immediate modifications to ensure compliance.
- Establish a separate Data Protection Compliance Wing (DPCW)
Setting up a separate DPCW which specifically deals with data compliance can mitigate risks and promote rapid compliance and modification of privacy policies. Even if an organization cannot allocate the financial resources to set up a separate DPCW, professionals already in its Corporate Advisory and IT teams can form such a DPCW. Such a wing can either be central, or can be individualized in branches in the respective countries.
- Data Protection Policy Certification
To save manpower and resources, a company can create a privacy-by-design policy which covers the basic principles of data protection and submit it to the data protection authorities of various jurisdictions. It can also create a data protection policy and get it certified by the authorities of the respective state to increase legitimacy and reduce the need for constant modification of data protection policies. For example, Section 22(2) of the Draft Personal Data Protection Bill, 2019 allows the data fiduciary to submit its privacy-by-design policy to the data protection authority for certification. Such certification will further legitimize the individual data protection policies of organizations.
CONCLUSION:
On one hand, the increase in data protection legislation is leading to a robust privacy framework, but it is equally creating a hurdle for companies operating globally. The way forward to being data-compliant is to treat data regulations as the new tax legislation. Even though data compliance is not as complex as tax codes, in both cases the option not to comply does not exist. Thus, all organizations operating globally must adopt certain basic principles of data protection and divert certain resources to being pro-compliance. Either way, the world is heading towards an era where data cannot be treated casually, and the onus will be on global conglomerates to process it with integrity and safety.