Data protection policies have become a focal point over the past few years, and have had to evolve to stay ahead of current trends. Digital data protection has become an increasing theme recently, and will continue to be a part of our future.
Different countries (and in some cases even different states, territories, and provinces) have their own data protection laws that vary greatly. Some countries are very progressive when it comes to data protection, while others are quite relaxed. Here is our list of the five most important data protection policies that are currently in effect.
5. Privacy Act 1988 – Australia
The Australian Privacy Act was created in 1988 and is made up up thirteen Australian Privacy Principles (APPs). The Privacy Act and APPs aim to give consumers greater knowledge about who has access to their personal information and how it may be used. Consumers are also able to stay anonymous in some cases, and request that incorrect data be corrected. Notably, consumers cannot request that their data be deleted in any way. Some states and territories within Australia also have their own data protection policies in addition to the Privacy Act.
Companies, including government agencies, with a revenue of A$3 million or more are expected to be compliant. Smaller businesses that deal with private health care, credit, or which buy/sell personal information are also subject to the Privacy Act. Organizations also have the option to opt-in to the Privacy Act as a gesture of good faith.
The Office of the Australian Information Commissioner (OIAC) is the authority responsible for ensuring compliance. Under the Privacy Act, consumers can file complaints against companies they believe to be non-compliant, and the OIAC is responsible for conducting investigations. The fine structure for non-compliance is a little complicated, but earlier this year the government raised the maximum fine amount. Companies can now be charged up to A$10 million or 10% of their annual turnover for non-compliance.
4. Personal Information Protection and Electronic Documents Act – Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s main federal law that covers data protection. The provinces of Alberta, British Columbia, and Quebec have their own provincial data protection policies that are deemed to be an equivalent of PIPEDA.
This policy is made up of ten fair information principles. In essence, PIPEDA requires companies to obtain consent for the use of personal information, and gives consumers the right to access and correct said data. Data protection itself is also a big part of the act.
Companies who are in the private sector that collect, use or disclose personal information need to comply with PIPEDA. All businesses that operate within Canada or handle the personal information of Canadian residents need to comply as well. Notably, any personal data collected and used by the government and its agents, political parties, and charity groups are not covered by PIPEDA.
PIPEDA was most recently updated in 2018, adding new provisions for data breach reporting. Any data breach must now be reported to the Office of the Privacy Commissioner. Failure to report a data breach could result in a $100,000 CAD fine.
3. California Consumer Privacy Act – USA
The United States as a whole does not have a federal data protection policy. There are some specific policies, such as HIPAA to protect medical information and COPPA to protect children’s data. However, on January 1st, 2020 the California Consumer Privacy Act (CCPA) will come into effect.
The CCPA has been referred to as a lesser version of the GDPR. It is important to note that this act only applies to the data protection of California residents, but it is expected to lay the groundwork for more stringent laws in the wider USA.
This act will allow Californian consumers to see what information on them a company has saved, as well as who they share that information with. Consumers are also given the right to revoke their consent when it comes to the processing and sharing of their personal data. Additionally, the CCPA allows consumers to sue companies if the privacy guidelines are violated.
All companies that serve California residents (regardless of where the company is based) and have a total revenue of over $25 million need to comply with the CCPA. Companies of any size that process data of more than 50,000 people also need to comply. While the law comes into effect on January 1st, there is a six month grace period for companies to become compliant. The fines for non-compliance are up to $7,500 for each violation, which could add up quickly.
Facebook is currently claiming that they are already compliant and plan to make no changes to how they collect and process data. We’re highly sceptical that this is the case given Facebook’s history of not caring about data protection.
2. Personal Information Protection Act – South Korea
South Korea did not have any data protection and privacy laws until 2011, when the Personal Information Protection Act (PIPA) came into effect. The country is now known to have some of the strictest data protection laws in the world, and PIPA is commonly compared to the GDPR. South Korea also has additional data protection laws for industries like finance, telecommunications, and credit information.
PIPA applies to anyone who handles personal information for business or work purposes, and even includes the government. Like the GDPR, any organization that operates within South Korea and/or targets South Korean consumers must be compliant. Additionally, companies must outline why they are collecting consumer data, how long they will keep it, and what it will be used for. Consumers also have the right to withdraw consent and to have their data deleted under PIPA.
South Korea takes its data protection laws very seriously and the authorities are not afraid to issue big punishments for non-compliance. Fines over $4 million have been issued for failure to comply with PIPA, and criminal prosecution is also possible. A recent update allows the government to charge companies even higher penalties for sending data internationally without consumer consent.
1. General Data Protection Regulation – Europe
We’ve talked quite extensively about the General Data Protection Regulation (GDPR) here, as it is the most comprehensive data protection policy to date. The GDPR puts consumers largely back in control of how and where their data is processed and stored, and requires companies to take a far more proactive approach when it comes to data protection.
A landmark addition to the GDPR was the right to be forgotten (also known as the right to erasure). If European consumers meet a number of special conditions, they are entitled to have search results about themselves removed from Google. To date, Google has removed 43% of links that were reported under this law.
Companies need to comply with GDPR if they are based in the European Union, if they are targeting and offering goods or services to consumers in the EU, or if they are monitoring the behaviors of EU consumers. If your business does any of the above, you are legally required to be GDPR compliant.
The fines for non-compliance can be steep, although authorities have yet to go to the maximum amount for fines. Fines can reach up to 4% of a company’s annual worldwide profits or €20 million, whichever is higher. The penalties have been steadily increasing, and it would behoove companies to follow the law.
With the United Kingdom set to leave the European Union in 2020, it is unclear what will happen to the nation’s data protection policies. The UK did pass its own equivalent of the GDPR in 2018 called the Data Protection Act. However, the EU will need to determine if the UK has adequate data protection policies in place after they leave the union, which could take some time.
Conclusion – Laws are getting stricter
Over the past decade, data protection laws have been enacted and updated to reflect the digital era we live in. As time goes on, we can only expect these policies to become stricter. To date, most of the Western world (except for the United States) has some of the strongest data protection laws in place. It’s unclear if we can expect the rest of the world to follow suit.
The United States will certainly be an interesting case study with the CCPA coming into effect in January. Given the country’s lack of a comprehensive federal data protection law, they would do well to follow in California’s footsteps. It is the duty of the government to protect its citizens, and that now includes doing so digitally.
While fines are steadily increasing for non-compliance, it would be nice to see authorities taking a stricter approach and hitting companies where it hurts. Organizations are far more likely to follow the law when they know that the punishment could genuinely hurt their business. Both South Korean and European regulators are starting to do so, and it would be great to see the rest of the world follow suit.