By Thomas Boué, Aaron Cooper, Kate Goodloe, Venkatesh Krishnamoorthy, Eunice Lim, Antonio Eduardo Mendes Da Silva, Tomoko Naoe, Meghan Pensyl, Jared Ragland, and Tham Shen Hong
January 28 marks international Data Privacy Day. To strengthen the global conversation on privacy, BSA experts in Asia, Australia, Europe, and the Americas share their regional insights on the most impactful policy developments to follow in 2022 and why governments should place data protection rules at the top of their digital agendas.
WHAT PRIVACY DEVELOPMENTS SHOULD THE WORLD BE WATCHING IN THE APAC REGION?
Jared Ragland: APAC’s privacy landscape is dynamic. Several countries are either passing privacy and data protection laws for the first time or updating their current regimes. For example, China enacted its first national privacy law last year, Japan and Korea recently amended their data protection rules, and Australia is conducting a comprehensive review of its 34-year-old Privacy Act. What’s driving this activity is governments’ recognition of the need to keep up with developments in technology, especially given the pace of digital transformation over the last two years.
Countries in APAC are taking reference from several model privacy frameworks, including the EU’s General Data Protection Regulation (GDPR), the Organisation for Economic Co-operation and Development’s Privacy Framework, and the Asia Pacific Economic Cooperation Privacy Framework, which share many common principles. But as governments adapt different aspects of these frameworks to suit their local context — or depart from shared principles entirely — there is a risk of significant divergence in privacy laws in the region.
The concern is that privacy laws in APAC may not work across jurisdictions, creating compliance challenges and regulatory uncertainties for companies that operate in multiple markets. Data breach laws are a good example: consumers may live in one country but provide their personal information to companies located in another, putting a premium on ensuring businesses can quickly notify consumers in line with laws across the region when a breach occurs. This issue is particularly important for SMEs and startups that are looking to expand beyond their domestic markets but may not have the resources and experience to deal with complex regulations that diverge significantly.
One of the key issues BSA will continue to focus on this year is the need for interoperability across the various privacy frameworks within APAC. To be clear, privacy laws in different countries should take into consideration different cultural or societal specific conceptions of privacy — but those laws must also work together to protect consumers across the region.
―Jared Ragland is Senior Director, Policy — APAC at BSA, based in Singapore.
WILL INDIA’S DRAFT PERSONAL DATA PROTECTION ACT BECOME LAW THIS YEAR?
Venkatesh Krishnamoorthy: Building a trillion-dollar digital economy by 2025 is a key target of Prime Minister Modi’s Digital India mission. And central to that digital growth story is safeguarding the privacy of Indian citizens through new personal data protection legislation.
After nearly two years of deliberation, the Joint Parliamentary Committee presented its much-awaited report on the Personal Data Protection Bill 2019 to the Indian Parliament in December. Yet concerns remain about provisions on data localization, restrictions on cross-border data transfers, and the inclusion of non-personal data — which is why BSA recently asked for additional consultations on the draft legislation.
BSA has long voiced its support for a robust and comprehensive data protection law in India that both protects privacy and promotes innovation. If remaining concerns around the Personal Data Protection Bill are addressed, there is a real opportunity for the Government of India to achieve just that in 2022.
―Venkatesh Krishnamoorthy is Country Manager — India at BSA, based in New Delhi.
HOW IS CHINA IMPACTING THE PRIVACY LANDSCAPE?
Eunice Lim: China’s Personal Information Protection Law (PIPL) came into force on November 1, 2021. Sometimes called “China’s GDPR,” the PIPL resembles Europe’s regulation in several aspects — on data subject rights and principles of personal information protection, for example. But with its strong emphasis on national security, the PIPL attempts to serve multiple functions that are incompatible with international, interoperable privacy law. In fact, the PIPL, together with China’s Data Security Law and the Cybersecurity Law, now underpins Beijing’s overarching data governance framework, which has created an increasingly complicated web of obligations for companies doing business in China.
Article 12 of PIPL also encourages China’s official participation in international personal data protection rulemaking and the promotion of mutual recognition of personal information protection laws. It remains unclear whether Chinese regulators are looking to facilitate interoperability between the PIPL and other jurisdictions’ regimes, bring international privacy frameworks more in line with China’s approach, or both.
In the coming months, we expect Chinese regulators to issue more implementing measures and guidelines under the PIPL, including cross-border data transfer security assessments. It remains to be seen whether these rules will help companies — both domestic and multinational — navigate the complex regulatory environment in China or whether they will drive Beijing’s privacy protection regime further from emerging international approaches.
―Eunice Lim is Senior Manager, Policy — APAC at BSA, based in Singapore.
IN AUSTRALIA, WHAT ARE THE BIG QUESTIONS FACING THE GOVERNMENT AS IT REVIEWS THE PRIVACY ACT?
Tham Shen Hong: Australia first introduced the Privacy Act back in 1988. Since then, innovations in technology have led to a vast increase in the amount of personal information being used and collected. Canberra is now undertaking a fundamental review of the Privacy Act to ensure it is responsive to emerging privacy risks.
One key question is whether the Privacy Act should distinguish entities that decide how and when to collect personal information (controllers) from those that process collected personal information on behalf of others (processors). This distinction is present in many other jurisdictions, including the EU, Japan, Hong Kong, and Singapore. Making a distinction between controllers and processors would align Australia with leading global data protection frameworks, while benefiting both consumers and entities by clarifying their obligations under the Privacy Act.
Another important question for Australian policymakers is whether to recognize “legitimate interests” as a lawful basis for processing personal information. This basis addresses situations where it is unsuitable or inappropriate for the controller to obtain consent to collect information (e.g., fraud detection). Recognizing this basis will reduce the burden on consumers to consent to each expected use of their personal information. Consent is then reserved for situations in which it is most meaningful to consumers — for example, when businesses collect personal information of a particularly sensitive nature, such as health or financial data.
By incorporating these and other emerging international practices, the current review of Australia’s Privacy Act has the potential to bring the country’s law in better alignment with key trading partners, enhancing both consumer protections and business opportunities for Australians.
―Tham Shen Hong is Manager, Policy — APAC at BSA, based in Singapore.
WHAT ARE THE LATEST PRIVACY DEVELOPMENTS IN JAPAN, AND HOW IS TOKYO DRIVING INTERNATIONAL COOPERATION ON DATA FREE FLOW WITH TRUST?
Tomoko Naoe: There are two legislative developments on data protection to follow in Japan this year. First, Japan’s 2020 amended Act on the Protection of Personal Information (APPI) will come into full effect in April. Changes include expanding the rights of individuals to request disclosure, suspension of use, and deletion of personal information, to name a few. The amendments will obligate business operators to report certain data breaches and provide more transparency to consumers when transferring personal data internationally. While strengthening protection, the amendments also introduce pseudonymized information as a category of personal information and promote the use of such data by businesses.
Second, Japan is harmonizing data protection obligations for the public and private sectors. The Act on the Arrangement of Related Acts for the Formation of a Digital Society consolidates the rules for public organizations and local governments, which were previously established in separate laws and ordinances. The provisions applicable to the central government will become effective this April and provisions applicable to local governments in 2023.
More broadly, Japan is also driving several efforts to develop strong international data protection standards. For example, Japan’s Digital Agency, established in September 2021, is advocating for Data Free Flow with Trust (DFFT) internationally. The Agency is currently working on proposals to establish interoperable frameworks that reduce barriers to cross-border data transfers by addressing privacy, among other issues, and Tokyo may put forward these frameworks in 2023, when it chairs the G7.
Japan was the first country to obtain an adequacy recognition under the EU’s GDPR, in 2019, and the first review of the Japan-EU mutual adequacy arrangement is currently underway. This puts Japan in a strong position to advocate for other governments — in the Asia-Pacific region and beyond — to adopt effective legal regimes that protect consumer privacy while stimulating digital trade and the responsible international data transfers upon which it relies.
―Tomoko Naoe is Senior Policy Manager — Japan at BSA, based in Tokyo.
WILL US CONGRESS MOVE FORWARD ON NATIONAL PRIVACY LEGISLATION BEFORE THE MIDTERM ELECTIONS?
Kate Goodloe: There is widespread agreement from industry groups and civil society that the United States needs a federal privacy law — and soon. But Congress has been forced to prioritize a range of broader issues, given the COVID-19 pandemic and its economic consequences. Last year, the Biden Administration worked quietly to examine the connection between data privacy and civil rights, including through a series of listening sessions in December. That activity has renewed hopes that a push for privacy legislation will materialize this spring, before the fall elections, but the window is tight.
In the absence of a federal privacy law, the Federal Trade Commission (FTC) is expected to aggressively interpret its existing authorities and to focus particularly on privacy and technology issues. The FTC has also signaled interest in creating new regulations on data privacy, although the agency’s authority to conduct rulemakings is both procedurally burdensome and seldom used.
At the same time, state legislatures are coming into session, and there is a flood of new privacy proposals at the state level. Last year, Colorado and Virginia became the second and third states to enact consumer privacy laws, both of which take effect in 2023.
―Kate Goodloe is Senior Director, Policy at BSA, based in Washington, DC.
HOW MANY US STATES WILL PASS PRIVACY LAWS IN 2022?
Meghan Pensyl: For those following privacy legislation in the United States, this is the million-dollar question. We’re seeing more activity on state privacy issues every session, including from states that have spent years drafting privacy legislation, like in Washington, and from those introducing brand-new bills for the first time, as in Indiana. Last year alone, BSA tracked over 50 consumer privacy bills across 25 US states. In the absence of a federal privacy law, more state policymakers are looking to provide their constituents with strong consumer privacy rights and place robust obligations on the companies that handle consumers’ personal data.
We’re also seeing a wide range of ideas and approaches in the consumer privacy bills state lawmakers are promoting. A significant number of states continue to draw from the model in California — including many considering a version of the California Consumer Privacy Act, but without standing up a new privacy regulator. Others, like Minnesota, North Carolina, Pennsylvania, Tennessee, and Wisconsin, show interest in the Virginia and Colorado models, which are both inspired by an earlier bill in Washington state. And some states are creating their own approaches, including bills in Massachusetts, New York, and Ohio.
Ultimately, the number of US states that succeed in enacting consumer privacy legislation will depend on the ability of state legislators to navigate the complicated debates surrounding consumer privacy — including substantive issues around the scope of those bills, whether they include global opt-out mechanisms, how they may apply to publicly available data, whether they contain civil rights provisions, as well as broader questions about how privacy laws are enforced. One thing is certain: expect consumer privacy to become an increasingly important issue at the state level in 2022.
―Meghan Pensyl is Manager, Policy at BSA, based in Washington, DC.
IN BRAZIL, WHAT ISSUES IS THE DATA PROTECTION AGENCY PRIORITIZING AS IT IMPLEMENTS A NEW NATIONAL PRIVACY LAW?
Antonio Eduardo Mendes Da Silva: The National Data Protection Authority (ANPD) has taken a phased approach to implementing the Brazilian Personal Data Protection Law (LGPD), which took effect in late 2020. Last year, the agency prioritized standing up its own internal rules, strategic planning, and draft regulations addressing its sanctions and compliance authorities. It also dove into substantive areas including data breach notification. This year, ANPD expects to focus on many issues that are top-of-mind for privacy professionals, including regulations addressing international data transfers and the implementation of data subject rights. The LGPD’s approach to both areas is based on Europe’s GDPR, so there is a great deal of attention focused on when ANPD will follow the lead of EU regulators and where it may depart.
―Antonio Eduardo Mendes Da Silva is Country Manager, Brazil at BSA, based in Sao Paulo.
SCHREMS II CONTINUES TO DOMINATE PRIVACY DEBATES IN EUROPE. WILL A LONG-TERM SOLUTION TO THE CJEU DECISION BE FOUND THIS YEAR?
Thomas Boué: Eighteen months after the CJEU’s Schrems II decision, companies face a complicated landscape around international data transfers. While negotiations on a future EU-US Privacy Shield agreement are underway, the timeline for concluding that process remains unclear.
In the absence of an enhanced Privacy Shield, companies and organizations in all industries now rely on other mechanisms to transfer data outside of the European Economic Area (all 27 EU member states, plus Iceland, Norway, and Liechtenstein). The focus is on adopting additional safeguards, when needed and on a case-by-case basis, to ensure that any personal data transferred is subject to levels of data protection considered adequate by the EU. New standard contractual clauses (SCCs) issued by the European Commission in June 2021 help to clarify those safeguards, which is crucial for the thousands of businesses and organizations that rely on SCCs — not just in Europe, but worldwide.
Yet many of the fundamental concerns underlying data transfer discussions are not about the misuse or mismanagement of personal data by companies. Rather, they are about the access that democratically elected governments should or should not have to citizens’ personal data, particularly in the context of criminal investigations and national security. The issue boils down to how the digital world is governed, which has become a defining geopolitical question of the decade.
Building a set of shared values on the norms and safeguards around government access would help increase long-term stability in international data transfers. For that reason, BSA supports work by like-minded governments to recognize the need for and importance of articulating these shared principles.
One example is the OECD’s workstream to develop principles on government access to personal data held by the private sector. An agreement among the 38 member states of the OECD will never be a silver bullet. But the potential for so many democratic governments to commit to a common set of principles would be a significant step forward. It could even become a basis for deeper political and legal arrangements that support responsible international data transfers and provide clear compliance solutions for organizations.
―Thomas Boué is Director-General, Policy — EMEA at BSA, based in Brussels.
WHAT DO ALL OF THESE PRIVACY DEVELOPMENTS MEAN FOR CONSUMERS AND FOR BUSINESSES WORLDWIDE?
Aaron Cooper: Across the globe, individuals are more likely to be protected by strong data privacy laws today than at any other time in history. Whether that is because countries like Brazil and Thailand recently enacted new data protection legislation, or countries like Japan and Australia are updating existing privacy laws, there is a clear emphasis from governments worldwide on strengthening privacy rules — a very positive sign to celebrate on Data Privacy Day.
Of course, there is no single data privacy law that every country should adopt. Privacy and data protection laws must account for different cultural expectations and legal traditions, which vary widely across the globe. At the same time, like-minded countries are contributing to a common recognition of international norms and practices around core aspects of personal data protection, including the importance of placing obligations on businesses to handle data in responsible ways and providing consumers with rights relating to their personal information.
Strengthening the global conversation on these core privacy principles — and how they can be implemented in different countries, with different legal systems — is critical to ensuring strong standards of data protection worldwide. What’s more, these global discussions can also help avoid a fragmented approach to key privacy issues, which risks both undermining new and existing laws and creating a host of obligations that may not ultimately work together.
As governments consider, revise, and enact privacy and data protection laws over the coming year, the importance of convergence around high standards of data protection cannot be overstated.
―Aaron Cooper is Vice President, Global Policy at BSA, based in Washington, DC.