ICLG has published its Guide to Data Protection, which covers 42 jurisdictions. White & Case served as contributing editors and wrote the country chapters for the UK and the U.S.
Privacy and data protection laws have changed markedly over the last two decades. The highly networked and interconnected world in which we live today was merely a glimmer on the horizon in the mid-1990s. The internet itself was still a fairly new innovation to many people. Many businesses did not yet have public websites. Concepts such as online social media platforms did not exist. Smartphones, wearable technology and artificial intelligence have all made vast leaps over the last 20 years – all driven by new ways of obtaining and processing data. Consequently, courts and regulatory authorities have increasingly had to adapt ageing data protection laws to fit an ever-changing world for which they were simply not designed. Moreover, to avoid the risk of enacting policies today which will rapidly lose relevance as technology continues to evolve with the rise of artificial intelligence and decentralized computing, policymakers are forced to design privacy and data protection laws that are flexible and, thus, broad by nature.
Developments in the EU – the GDPR
It is in this context that the European Union drafted and finalised Regulation (EU) 2017/679 (the General Data Protection Regulation, or "GDPR"), introducing major changes to the compliance burden borne by businesses. It is difficult to overstate the importance of this law. Its subject-matter scope is wide-ranging. The GDPR applies to all “personal data”, encompassing any information that relates to any living individual who is identified or identifiable from that information, whether in isolation or in combination with any other available information. Furthermore, the GDPR has an extremely broad territorial scope. It applies to businesses that are established in the EU, as well as businesses located outside the EU that (i) offer goods or services to individuals in the EU; (ii) monitor the behaviour of individuals in the EU; or (iii) are established in a place where EU law applies by virtue of public international law.
The stakes of non-compliance are significant, as the GDPR carries serious penalties. In recent days, the UK Information Commissioner's Office (the "ICO") announced its intention to issue fines totalling more than £250 million to companies in the transportation and leisure industries for personal data breaches under the GDPR. For those who expected a continuation of the relatively modest penalties imposed under the GDPR's predecessor, Directive 95/46/EC, this may have come as a surprise. The cost of non-compliance under the GDPR has been ramped up to match the increasing importance of data to businesses and to individuals.
Developments outside the EU
It is also important to note that, while the EU may have issued the most far-reaching data protection law to date, a large number of other jurisdictions are in the process of introducing laws to tackle the challenges that modern technology presents in a privacy and data protection context. The nature and scale of these laws varies significantly, with the result that businesses continue to face different data protection compliance obligations from one jurisdiction to the next.
Where should businesses start?
The key message for businesses is that there is an inexorable move towards a world in which laws and regulations will more tightly restrict the ways in which personal data can be used. Many of these laws and regulations present unknown future risks and give rise to uncertainty. However, commerce is increasingly dependent upon data. Businesses that, a mere five years ago, seemed immune to the technological transformations that propelled high-tech companies to the top of the stock market – supermarkets and taxi operators, clothing retailers and toy stores – are facing a reality in which consumers, investors and regulators expect data-driven technology services to be seamlessly integrated into long-established commercial enterprises. Therefore, caught between a dependence on data and the risk of laws that restrict the use of such data, businesses should be forward-thinking and plan ahead.
Businesses should start by:
- identifying the biggest compliance risks they face under applicable privacy laws, and addressing those risks in order of severity of impact; and
- building awareness of data protection and privacy expectations and requirements among their staff members, and ensuring that the operational impact is well understood by staff who process personal data.
Businesses should also see this as an opportunity. A well-planned and well-executed privacy compliance programme can provide a competitive advantage by helping a business to ensure that its customers, suppliers and employees feel confident in allowing that business access to their data – which is increasingly the lifeblood of today's digital world.
The International Comparative Legal Guide to Data Protection 2019
The International Comparative Legal Guide to Data Protection 2019 covers 42 jurisdictions. It outlines and compares data protection legislation, including competent authorities, territorial scope, key principles, individual rights, registration formalities, the appointment of a data protection officer, and the appointment of processors.