This chapter is taken from Lexology GTDT’s Practice Guide to Franchise, examining key themes topical to cross border franchising.
The right to privacy is a fundamental human right that has been recognised in most jurisdictions for ages, but only in the past two decades or so has data protection and privacy become a major focus globally, resulting in legislation being enacted in most countries, which places the obligation on businesses to protect the privacy of personal data that they deal with.
Franchised businesses, like any other businesses, are obliged to comply with data privacy laws. In the case of multinational franchising, this means complying with the data privacy laws of all of the jurisdictions in which franchises are operated, which is no easy task. It is recorded that data protection and privacy laws have been passed in nearly 120 countries2 to date.
This chapter will look at the current trends in different countries with respect to data protection and privacy law, as well as the opportunities, challenges and risks brought about by the processing of data under the prevailing circumstances, particularly within the franchising industry.
Key concepts in data privacy law
The definition of ‘data’ differs from jurisdiction to jurisdiction; however, the common thread tends to be that it refers to information concerning an identifiable living, natural person.3 In South Africa, corporations are included in the definition.4Information falling within this definition includes, but is not limited to, information relating to race, gender, sexual orientation, age, an identifying number, email address, geolocation and personal opinions.
Most jurisdictions recognise the concept of sensitive or special personal information.5 This typically refers to information or data that pertains to racial or ethnic origins, political or religious beliefs, health, sexual orientation or preferences, biometric data, and data regarding minors.
The aim of data privacy laws is to regulate the processing of data. The term ‘processing’6 encompasses all activities in relation to data, including the collection, storage, modification, transfer and destruction thereof. Processing includes any online and offline processing and includes such activities as copying, filing and inputting personal information into a database.
Data privacy principles
As stated earlier, data privacy laws can protect both individuals and corporations. Reference to ‘persons’ herein therefore constitutes a reference to both.
Data protection laws7 are generally based on the following principles:
- Lawful processing: data can be collected or stored only if it is necessary for or directly related to a lawful, explicitly defined purpose and does not intrude on the privacy of the person to an unreasonable extent.
- Informed consent: persons must be informed of the purpose of any such collection and of the intended recipient of the data at the time of collection, and records of data must not be kept for longer than is necessary.
- Compatible use of data: the data must not be used in any way that is incompatible with the purpose for which it was originally collected.
- Openness: keeping persons informed as to how their data is processed.
- Accuracy: ensuring that the data is accurate, up to date and complete.
- Security safeguards: ensuring that measures are taken to safeguard against the risk of loss, damage, destruction of or unauthorised access to personal data.
- Participation: allowing persons the right to access, correct or erase their personal data, or object to it being used for certain purposes.
- Accountability: the responsibility for ensuring compliance with the aforementioned principles is placed on the party collecting the data.
Obligations of franchisors and franchisees
Franchisors and franchisees are required to bring fulfilment to the aforementioned principles upon which data protection laws are based. Below are examples of obligations flowing from these principles, which have been derived from various data protection and privacy laws.
Privacy impact assessment
A privacy impact assessment entails a business assessing its own processes and ascertaining the impact of these processes on the privacy of the persons whose data it processes.
Federal law in the United States8 stipulates that agencies are required to conduct privacy impact assessments before doing the following:
(i) developing or procuring information technology that collects, maintains, or disseminates information that is in an identifiable form; or
(ii) initiating a new collection of information that –
(I) will be collected, maintained, or disseminated using information technology; and
(II) includes any information in an identifiable form permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, 10 or more persons, other than agencies, instrumentalities, or employees of the Federal Government.
In Europe, in terms of the Regulation (EU) 2016/679 – Protection of Natural Persons with Regard to the Processing of Personal Data and the Free Movement of Such Data (GDPR), a privacy impact assessment is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals.9
The EU and United States’ approach to privacy impact assessments reflects the general position internationally, whether specifically stated in terms of legislation in other jurisdictions or inferred from their provisions, however, the standards for privacy impact assessments tend to differ from country to country.
In certain instances, as is the case in South Africa, a greater burden is placed on businesses, and privacy impact assessments are required as a matter of course because the data protection and privacy law applies in respect of any processing of data, and not only when there is systematic or large-scale data processing, as in the circumstances of the GDPR.
Legal basis for processing
A business may only process a person’s data in the following circumstances:
- with the consent of the person concerned;
- where there is a contractual obligation in terms of a contract between the business and the person;
- in order to meet a legal obligation in terms of legislation;
- where processing is necessary for the performance of a task carried out in the public interest or in the exercise of the business’s official authority;
- to protect the vital interests of an individual; and
- for a business’s legitimate interests. If the person’s interests or fundamental rights and freedoms override the business’s interests, then processing cannot be carried out based on the business’s legitimate interest.11
The GDPR11 contains an eloquent description of the conditions for consent to the processing of data. Consent is defined as ‘a freely given, specific, informed and unambiguous indication of the person’s agreement to the processing of personal data relating to him or her’.
Whether or not consent is freely given is determined with regard to the person’s exercise of choice. Accordingly, the consent would be rendered invalid by virtue of any inappropriate pressure or influence exerted on the person that could affect the outcome of his or her choice. For consent to be informed and specific, the data subject must be provided with information regarding the business, what types of data will be processed, specifics as to how the data will be used and the purpose of the processing operations. For consent to be unambiguous, a clear affirmative act is required, and silence, pre-ticked boxes and inactivity will not be recognised as a basis for consent.
Most jurisdictions embrace principles similar to the above in respect of a person’s consent to processing of data.
Data protection officer
In most countries, for example, the EU,12 South Africa13 and Canada,14 it is a legal requirement to appoint a suitable person who is responsible for compliance with data privacy laws. This person is referred to herein as a data protection officer, however, his or her counterpart may go by another name, such as an information officer.
In a number of jurisdictions where it is not a legal requirement to appoint a data protection officer, it is usually at the very least considered best practice to appoint a data protection officer. An example of this is Australia, where the Australian Privacy Principles guidelines issued by the Privacy Commissioner recommend the appointment of a privacy officer.
A data protection officer would usually be responsible for the following tasks:
- dealing with complaints or enquiries relating to the processing of a person’s data;
- Conducting privacy impact assessments to identify and minimise the data protection risks facing the business, if applicable;
- keeping records of the business’s data processing activities;
- monitoring compliance with the relevant data protection and privacy law and with the internal policies of the business;
- assigning responsibilities, raising awareness and training staff on their obligations in relation to data protection and privacy; and
- cooperating and acting as point of contact with the country’s data protection and privacy supervisory authority.
Data must be stored for the shortest time possible in order to keep processing to a minimum.15 The time period for retention will have to take into account the reasons why it is necessary for the business to store the data (eg, because of the duration of a warranty on a product) as well as any obligations imposed by law (eg, labour law or tax law) to keep said data for a fixed period of time.
Individuals have the right to have their personal data erased in certain circumstances, such as where the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or the person withdraws his or her consent on which the processing is based or objects to the processing of his or her personal data or where the processing does not comply with data privacy and protection laws.16
Businesses have the right to refuse to comply with a request for erasure in specified circumstances, such as:
- where it is necessary for exercising the right of freedom of expression and information;
- for the purposes of compliance with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the business;
- on the grounds of public interest in the area of public health;
- for archiving purposes in the public interest;
- for scientific or historical research purposes or statistical purposes; or
- for the establishment, exercise or defence of legal claims.17
Direct marketing is marketing that is communicated directly to a consumer and may be conducted in person, via electronic communication or via telemarketing, for example, by means of cell phone text messaging, email or flyers.
The international trend is to either require persons to opt in to receiving direct marketing, or to be an existing customer of the business whose products or services are being marketed, provided that it is the same or similar products and services that are marketed to the customer in the latter instance.18
In most countries, persons have the right to object to direct marketing, and should have the option to opt out of receiving direct marketing at any time.19
Many countries also have a registry that can record persons who do not wish to receive unsolicited direct marketing, such as the National Do Not Call Registry in the United States of America.
Cross-border transfers of data
Data protection and privacy laws usually impose restrictions on the geographical transfer of personal data. It must be borne in mind that data is considered to have been transferred even if no physical transfer has occurred and if such data is only visible in another country, for example, where a franchisor is given remote access to the data of its franchisees in other countries.
Commonly, the law prescribes that similarly adequate standards for privacy protection are required to be in place in the country to which the data is transferred, or must be imposed by way of contractual obligations placed on the party to whom the data is transferred, and the responsibility for compliance with the data protection and privacy laws remains with the transferring party.20
In terms of the GDPR, the European Commission has the power to make an adequacy decision in respect of a third country, which entails determining that the country concerned provides for an adequate level of data protection, and therefore that personal data may be freely transferred to that country.21
Processing by service providers
Where third parties process data on behalf of a franchised business, for example, a company that provides cloud storage for the business’s data, the duties of such third party to the business should be specified in terms of a contract, which should stipulate, among other things, the obligation of the third party to comply with data protection and privacy laws applicable to it and to assist the business in fulfilling its duties to protect the privacy rights of the persons whose data it processes, as well as what is to happen to the data upon completion of the processing by the third party on behalf of the business.22
Data breach protocol
The term ‘data breach’ refers to the accessing of data, usually data that is sensitive in nature, by a party not authorised to do so, whether because of the hacking of a cybersecurity system, negligence on the part of a business that processes data or a system glitch. No matter the cause of the data breach, a business is legally responsible for a data breach that occurs in respect of any data for which the business is responsible.
If the personal information of individuals in the European Union is affected by a data breach, the GDPR requires the party responsible for the data to notify the supervisory authority in the EU without undue delay, and at the latest within 72 hours after becoming aware of the security breach.
The notification in this case must:
- describe the nature of the breach;
- state the categories and number of persons affected by the breach;
- state the contact details of the data protection officer where further information can be obtained;
- describe the likely consequences of the breach; and
- describe the measures taken or proposed to be taken by the company to remedy the breach, including measures to mitigate its possible adverse effects.23
In countries where it is not mandatory to notify a supervisory authority or persons affected by a data breach, such as Japan and Hong Kong, guidelines usually recommend that businesses nevertheless issue notifications.
This recommended practice makes good sense, as it would have the potential of assisting affected persons in mitigating the risks of unauthorised disclosure of their personal data.
Furthermore, if a business were to try to suppress the disclosure of a data breach, and details of the data breach were to somehow come to the attention of consumers, this could do serious harm to the reputation of the business.
Updating of franchise agreements
The nature of franchises is such that a franchisor typically prescribes the business format or system under which a franchisee operates, and therefore exercises a significant degree of control over a franchisee’s operations.
In some instances, franchisors will determine not only the purposes for which personal data is processed, but also the means by which personal data is processed. Franchisors can therefore be held liable in the event that their franchisees do not comply with data protection and privacy laws.
Even if the potential liability that a franchisor could incur were not a factor, franchisors should be actively involved in ensuring the compliance of their franchisees with data privacy laws as failure to comply with these laws can result in severe reputational damage to a business’s brand, and franchisors are ultimately responsible for the reputation and success of the brand that the franchise operates under.
Accordingly, franchise agreements should be updated to provide for data protection and privacy. In this regard, franchisors should ensure that franchise agreements contain data protection policies that stipulate how franchisees are required to process data.
Customers have never been more accessible to businesses than they are now. Through the use of tools such as mobile applications and social media, businesses are able to interact with consumers directly, which can present ideal opportunities for advertising and brand promotion as well as market research.
The above activities require the processing of consumers’ data, and, therefore, compliance with data protection and privacy laws.
Opportunities for tailored and focused direct marketing
Technological advancements that have been made in respect of data analytics tools means that the processing of data for the purposes of tailoring direct marketing to a particular consumer is easier and quicker than ever before.
Data protection and privacy laws allow businesses to still undertake tailored and focused direct marketing, provided that their provisions are complied with.
Improved quality of data
Data protection and privacy laws give persons control over their data and how it is processed. Having participation as one of the principles of data protection and privacy laws is likely to bring about improvements in the quality of data held by businesses as they allow persons to verify their data and correct any errors therein.
Gaining a competitive advantage
Businesses may use data protection and privacy laws to their advantage by marketing their implementation of data protection measures as a factor that distinguishes them from their competitors.
While data protection and privacy laws are necessary and desirable to protect a person’s right to privacy, compliance can present challenges for businesses, regardless of the jurisdiction that they operate in. Some of the challenges are discussed below.
Practicalities of compliance
In a franchised business, the responsibilities for collecting data may be shared between a franchisor and franchisee. It may therefore be unclear which party holds the duty for obtaining informed consent. This obligation should be dealt with in a franchise agreement between the parties.
The time provided to report a data breach (eg, 72 hours in terms of the GDPR’s security breach protocol) may not always be feasible for businesses to comply with. This can be particularly problematic for franchised businesses that may, because of the way they are structured, have difficulty getting to the bottom of a security breach incident and planning the action to be taken to remedy the breach. For example, a franchisor may host data belonging to its franchisees in a central database that is accessible to all franchisees, and therefore it may be difficult to determine how a data breach occurred and how far it extended.
The impact of data processing restrictions on business operations
Many businesses consider data protection and privacy laws to be too restrictive on a business’s operations. For example, where restrictions on the transferability of data within a business have to be put into place to adhere to the principle of lawful processing, such measures can be seen as limiting the ability of the business to freely operate.
In the franchising context, a franchisor cannot be granted access to personal data held by its franchisee without this explicitly being provided for in terms of a consent by the owner of the data. Thus, policies and procedures regarding data protection and privacy will have to be put into place and could result in franchisees feeling that they are unnecessarily over-regulated and tied up in endless red tape.
Decrease in user-friendliness
The requirements imposed by data protection and privacy laws could negatively affect the user experience of a customer dealing with the business, for example, where a number of consent prompts make a website less user-friendly.
Costs involved in ensuring protection and compliance
Data protection and privacy laws can be onerous to comply with, especially for small businesses. Not only are businesses required to conduct privacy impact assessments in many cases, but they are often required to appoint persons responsible for compliance with data protection laws and to put in place costly systems and security measures.
This can place a major strain on scarce resources such as time and capital.
Refusal to do business in the absence of adequate protection
The GDPR is considered by many to have set the global standard for data protection and privacy. As a result, a lot of weight is given to adequacy decisions by the European Commission that confirm a suitable level of data protection on the part of other countries. Several countries, such as Canada, Switzerland, New Zealand and the United States (if the recipient belongs to the EU–US Privacy Shield), have already been recognised as having a suitable level of data protection.
While the absence of an adequacy decision in respect of a particular country does not necessarily preclude the transfer of data to this country, provided that protection of personal data is ensured in another way (eg, contractually or by way of binding corporate rules), this presents the potential problem of negative inferences being drawn in respect of countries regarding which the European Commission has not adopted an adequacy decision.
This could potentially result in persons refusing to do business with businesses in countries where an adequacy decision has not been adopted.
Risks for franchises
Businesses have always processed a fair amount personal data, which has led to the need for data protection and privacy laws. However, technological advancements as well as the upsurge in electronic commerce has led to an increase in the risks associated with data processing. A few risks have been identified below.
Data protection and privacy laws usually provide persons with the right to approach a court to claim compensation in respect of any damages suffered in relation to their data as a result of a contravention of data protection and privacy laws.24
This increases the risk of potential litigation that can be brought against a business.
When a franchisor or franchisee has their hands full with the economic and operational aspects of running the business, data protection and privacy laws can seem insignificant in comparison to all of the other tasks vying for their attention. A business that chooses to ignore these laws does so at its peril, as this can result in the business having to pay penalties.
Supervisory authorities typically have the power to impose penalties on businesses for violating data protection and privacy laws, although the particular penalties imposed can vary significantly from jurisdiction to jurisdiction.
For instance, in the EU, the GDPR empowers supervisory authorities to impose fines of up to 4 per cent of annual worldwide turnover, or €20 million, whichever is higher, for non-compliance with:
- the basic principles for processing;
- an infringement of a person’s rights;
- a cross-border transfer of data that does not comply with the conditions espoused by the GDPR;
- a breach of the data privacy laws of one of the EU member states; and
- non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority or failure to provide access to information to the supervisory authority.25
In contrast, in Japan, if a business handling personal information does not follow an order from the Personal Information Protection Commission, it will be subject to a fine of up to ¥300,000, and its representative, agent or employee who committed the act in question would face imprisonment for up to six months.26
Aside from legal compliance, because of the global trend of ever more emphasis being placed on data protection and privacy, consumers have come to expect that the businesses that deal with their personal data will protect the privacy thereof. Businesses therefore face the very real risk of reputational damage, should they not ensure adequate protection of consumers’ data.
Data breaches are a common occurrence for several reasons, namely:
- all cybersecurity systems, no matter how advanced, are susceptible to hacking, provided cybercriminals are able to apply enough time and resources to the task;
- the risk of human error that leads to a data breach is difficult to eliminate completely;
- businesses may not perceive the risk of a data breach with sufficient seriousness; and
- malicious software is increasingly sophisticated and may not be recognisable to many antivirus programmes.
Reputational and financial harm to businesses owing to a data breach is one of the major risks facing businesses today. It is therefore essential to have some form of cyber insurance in place.
While the data protection and privacy laws of different countries are sometimes compatible, there are often nuanced and important differences between them, owing to the fact that different countries have different enforcement and market surveillance infrastructure as well as different cultural norms.
It remains to be seen how many of the provisions of data protection and privacy laws will be implemented and interpreted by the courts in the various jurisdictions that have such laws in place.