The EU General Data Protection Regulation (GDPR) is the most significant development in data protection globally in more than 20 years. The extra-territorial application of the GDPR has caught the attention of companies around the world. However the GDPR’s ripple effect extends further than its direct application to global businesses. Two and a half years after it was born, and six months after it was finally released from the incubator, the GDPR now has a passport and is gaining an appetite for travel.
The most direct, and easily traceable, influence of the GDPR has been in the shaping of the new draft Personal Data Protection Bill in India, released on 27 July 2018 together with a report of India’s Committee of Experts led by Justice B. N. Srikrishna (the Srikrishna Report).
The Bill, when enacted, will be India’s first comprehensive data privacy legislation. The Srikrishna Report was founded on the premise that India “must formulate a legal framework relating to personal data that can work as a template for the developing world”. Nevertheless, the Bill borrows heavily from the GDPR. The Bill is currently under review by India’s Ministry of Electronics and Information Technology.
The Bill contains a number of direct crossovers with the GDPR. These include: (i) two of the GDPR’s data subject rights, namely variations on the right to be forgotten and the right of data portability; (ii) mandatory obligations to notify data breaches that are likely to cause harm to an individual; (iii) a mandatory obligation for ‘significant’ data controllers to appoint a data protection officer; (v) a high standard for consent (free, informed, specific and clear); (vi) adoption of the principle of privacy-by-design; (vii) a requirement on significant data controllers to carry out a privacy impact assessment before conducting high risk processing activities; and (viii) rigorous enforcement powers including significant fines (up to one hundred and fifty million rupees (more than USD 2,000,000) or four per cent of the organisation’s total world-wide turnover during the preceding financial year) calculated in relation to the organisation’s world-wide turnover.
Under the GDPR, businesses are required to have a data protection officer (DPO) where their core activities involve the large scale systematic monitoring of individuals or the large scale processing of sensitive personal data. Privacy impact assessments are mandatory under the GPDR for each potentially high-risk data processing project, in particular when using new technologies, and especially in the case of (i) systematic and extensive evaluations based on automated processing, including profiling, that affect the legal rights and interests of an individual, and (ii) processing of special categories of data on a large scale.
The Srikrishna Report recommends a variation on this approach. The Committee proposed that ‘significant’ data controllers should be made subject to heightened organisational measures in order to minimise the adverse impact of their activities on personal privacy.
In this way, only such significant data controllers will be required to appoint an identified DPO and to conduct privacy impact assessments before undertaking processing involving new technologies, large-scale profiling, or the use of sensitive personal data or any other processing that carries a risk of significant harm to data subjects. Significant data controllers will also be required to submit to an annual independent audit of their policies and processing activities. In India, privacy impact assessments will also have to be shared with the new data protection authority, whereas the GDPR only requires assessments to be shared when the assessment indicates a high data processing risk. Significant data controllers in India will also be required to register with the data protection authority.
The Indian Bill requires a copy of all personal data to be stored on a server in India, which is another clear point of departure from the GDPR (but similar to requirements in Russia). The Government is empowered to both notify categories of personal data as critical personal data that can only be processed in India (similar to Chinese law).
Conversely, certain rights under the GDPR have not been transposed into the Bill. Notable absences include the rights to object to profiling and automated decision making.
India’s Committee of Experts recommended against the inclusion of special rights in relation to automated decision making. The Committee interpreted these GDPR rights as “as response to emerging challenges from Big Data and AI”. While recognising this as a legitimate rationale aimed at curbing harms due to prejudice and discrimination, in the view of the Committee the objective of avoiding discrimination would be better achieved through the adoption of an organisational accountability framework designed to identify discrimination when making evaluative decisions through automated means. They regarded such an accountability framework as a constituent element of privacy-by-design.
The Srikrishna Report also declined to recommend the adoption of an equivalent right to the GDPR’s right to object to profiling, given the more limited grounds upon which processing will be permitted without consent. The Committee considered that recourse to the Indian courts would provide a more suitable remedy in circumstances where the profiling produces inaccurate results.
The Committee of Experts similarly declined to recommend the adoption of special rights to object to direct marketing. The Committee was however of the view that direct marketing could only be lawfully conducted on the basis of a freely-given consent within the framework of the new law.
The law will apply to the processing of personal data that is collected either in India or outside of India. However, the Government is given the power to exempt the application of the law to personal data collected outside of India that is processed pursuant to a contract with a foreign party (designed to protect India’s offshore BPO industry). It is remains to be seen whether an exemption will be granted for intra-group processing, which is a significant issue given the number of multi-national companies with back-office facilities in India.
The law will also be applied extra-territorially on essentially the same basis as under the GDPR.
A month before the GDPR came into effect, China introduced new non-binding rules governing the collection, storage, use, sharing, transfer and disclosure of personal information in the form of the Personal Information Security Specification. The leader of the standardisation project (Dr. Yanqing Hong, research director at the Internet Development Research Institute, Peking University) has acknowledged publicly that the rules were influenced by the GDPR. The drafters also stated that they had sought to make the Specification more permissive and business-friendly than the GDPR in other ways.
The Specification requires organisations to provide a detailed and complete personal information collection statement using clear and plain language that delineates different processing activities. Valid consent requires a written statement or other affirmatory confirmation from the data subject.
As with the Indian Bill, the Chinese Specification adopted the right to be forgotten and the right of data portability, with a local spin.
Data subjects have the right to ask the personal data controller to cease all use and to erase personal data if the personal data controller has breached its legal obligations or an agreement with the data subject. Personal data should also be deleted or anonymised when users close down their accounts.
The Specification provides that data controllers should enable individuals to have their personal data ported to a third party if technically feasible (comparable to the GDPR’s right of data portability). This right is of more limited scope than under the GDPR, applying only to (i) basic personal data and personal identity information, (ii) health and physiological information, and (iii) education and employment information.
The Specification sets a baseline expectation of 30 days for a response to an access, correction, erasure or data portability request as standard (or such other period as may be specified by regulation). In contrast, the default timeline under the GDPR for responding to data subject requests is one month, but this can be extended by an additional two months depending on the complexity and number of requests.
The Specification also provides that organisations collecting personal data in China must provide for an appeal mechanism in relation to automated decisions that directly impact the rights and interests of an individual (a variation on the approach taken under the GDPR). The specific examples given of such automated decision are automated credit rating decisions and screenings of job applicants.
The Specification requires data controllers to conduct a privacy impact assessment at least once a year or in conjunction with any major change in their operating model, information systems or following a data security incident. On the face of it this requirement is more limited than under the GDPR, where impact assessments are generally required for each potentially high-risk data processing project.
The Specification lays down non-binding guidelines and does not impose penalties for breach. It nevertheless has a high status and can be expected to become the starting point for any discussion with a regulator concerning an organisation’s compliance with enforceable Chinese law.
The Philippines, as one of the world’s leading offshore outsourced data processing locations, upgraded its data privacy rules in anticipation of the GDPR. The Philippines Data Privacy Act of 2012 was supplemented through Implementing Rules and Regulations in 2016, shortly after the GDPR was adopted, to incorporate some of the basic tenets of the GDPR, including the right of data portability (although not the other data subject rights) and mandatory breach notification requirements.
Companies affected by a data breach are now required to notify the National Privacy Commission and affected individuals within 72 hours of becoming aware of an unauthorised acquisition of sensitive personal information that is likely to give rise to a real risk of serious harm to an affected individual. The 72-hour timescale is similar to that which applies to data protection authority notifications under the GDPR, although the threshold for notification is higher in the Philippines.
The Philippines Act applies to the processing of the data of Philippine citizens and residents outside of the territorial area of the Philippines (which might be news to the employers of Filipino workers around the world). Conversely, but in keeping with the Philippines’ intention to make itself attractive for offshore outsourcing, personal information originally collected from residents of foreign jurisdictions has been explicitly exempted from the application of the Philippines Act.
The California Consumer Privacy Act 2018 similarly appears to have been informed by the GDPR. The Act was brought into law in April 2018 and will take effect in 2020. The Act introduces a limited right of data portability. The right is comparable only in the sense that if personal data access requests are satisfied electronically, the information has to be made portable and, to the extent feasible, in a readily usable format. However, in most other respects the California Consumer Privacy Act takes a markedly more liberal approach to that of the GDPR and has a more limited application, only applying to businesses that either (i) have annual gross revenues in excess of $25million, (ii) annually obtain for commercial purposes the personal information of 50,000 or more California residents, households or devices, or (iii) generate 50% or more of annual revenues from selling California residents’ personal information.
The California Consumer Privacy Act is nevertheless closest that any US State has come to the GDPR and provides consumers with rights that they do not have elsewhere in the US. Affected business are in the process of considering whether they will, in practice, need to comply with the Californian legislation in relation to all data processing activities in the US, given the difficulties of segregating data from different source States.
Another jurisdiction that has introduced large fines based on global revenue (2%) is Brazil. Its comprehensive data protection legislation was enacted in August 2018 (Lei Geral de Proteção de Dados Pessoais). As in India, the Brazilian legislation closely tracks certain provisions of the GDPR, including variations on the right of data portability and rights in relation to automated processing that has a legal effect on an individual (coupled with a presumption that automated decision making based on profiling has such an effect). Consents must be freely given, informed, unambiguous and specific, and distinguishable from other terms and conditions of a service.
The Brazilian legislation also has a similar scope of extra-territorial application to the GDPR.
A Report of the Parliamentary Standing Committee on Access to Information, Privacy and Ethics issued in February 2018 made multiple recommendations to update Canada’s Personal Information Protection and Electronic Documents Act (‘Towards Privacy by Design: Review of the Personal Information and Electronic Documents Act’). The Report contains numerous references to the GDPR and is conceived with the twin objectives of making ‘privacy by design’ a central principle of Canadian law and preserving Canada’s adequacy status in respect of personal data transfers from the European Union. One of the recommendations in the report is explicit that “the Government of Canada determine what, if any, changes to the Personal Information Protection and Electronic Documents Act will be required in order to maintain its adequacy status under the General Data Protection Regulation”.
The Report recommended the adoption of a right of data portability into Canadian law on the precise terms of the GDPR. It also recommended the adoption of framework for a right of erasure and de-indexing “based on the model developed by the European Union that would, at a minimum, include a right for young people to have information posted online either by themselves or through an organization taken down… [and in respect] of personal information posted online by individuals when they were minors”.
Opt-in consent is proposed as the default standard for any use of personal information and with a GDPR-level threshold for valid consent. While the Report does not directly tackle profiling and automated decision making as such, it does include extensive discussion of algorithmic processing, noting in particular “the risk that their use of personal information will perpetuate prejudices or discriminatory practices”. No precise recommendation was made for the measures to achieve the improvement in ‘algorithmic transparency’ that the Standing Committee advocates.
The Canadian Government accepted the Report’s findings overall (and each of the proposals outlined above, individually), and also announced regulations in April 2018 to implement mandatory data breach reporting under the existing Act.
Data privacy regulators have been asking for some time to be given better ammunition to compel business to make a step change in their approach to transparency and privacy hygiene. It is therefore no surprise that they are attracted to the set of tools that the GDPR offers.
Taking an overview of developments worldwide, the conditions of consent and certain data subject rights, including the right to be forgotten, are the most widely travelled of the GDPR provisions. Data portability has also been particularly widely replicated in one form or another from Brazil to California and many jurisdictions in between.
Conversely, the special rights in relation to profiling and automated decision making have been much less widely taken up, or only reflected in only a watered down form (e.g. China). These data subject rights together will arguably have the deepest impact on data-driven businesses and business models that are reliant on data analytics in those jurisdictions that adopt them.
Many countries are also implementing significantly larger fines for data breaches, with India moving to the GDPR’s worldwide turnover threshold.
Nevertheless, as the GDPR grows up and continues its travels, it may find that while many of the parts of the world feel familiar to home, many differences in approach to data protection will also remain for some time.
“… a combination of the elements outlined above would deliver a personal data protection law that protects individual privacy, ensures autonomy, allows data flows for a growing data ecosystem and creates a free and fair digital economy. In other words, it sets the foundations for a growing, digital India that is at home in the 21st century. This is distinct from the approaches in the US, EU and China and represents a fourth path.” (Srikrishna Report)