Oh, Not Again!!
Whilst you were in your deepest slumber or in the middle of an engaging conversation, have you ever been hounded by calls offering you unsolicited loans, overdraft or balance transfer facilities? Did it stop after you subscribed to the DND (Do Not Disturb) registry? Has it become so much worse that you are now a chronic victim of automated tele-marketing calls that harass you endlessly? Did you ever wonder how your sensitive personal information (name, phone number and email) got shared with random third parties without your explicit consent?
As more social and economic activities take place online, the importance of privacy and data protection is being increasingly recognised. Penalties for violations have become steep while the battery of professionals safeguarding privacy has increased. Still, the damage has been jolting the big daddies: Cellular companies, Amazon, Facebook, Uber, Google, JP Morgan, and WhatsApp.
Shh!!! Be Quiet. Do not share this.
How do you know such personal information?
The primary concern has been the collection, use and transfer of personal information to third parties without any notice or prior explicit consent of consumers (called data subjects).
When we book an air ticket, our PII (personally identifiable information) flows from the local portal to the airline’s hospitality partners, cab rentals, insurance companies, intermediaries, and consortiums (eg, alliance air) without our ever realising it. Because we might have earlier checked the ‘I Agree’ option, our data is no longer ours — it has travelled across borders.
If you walk into a big chain store, you would invariably be forced to share your mobile number, a piece of sensitive personal information, without which you cannot even buy a Re 1 item. Surprisingly, there is no other way billing happens today. However, things are not very different elsewhere. In the US, the same chain might give you an incentive card to obtain your mobile number, which also reveals your social security number. Similarly, most front desks maintain visitor details (PII) forever, in unencrypted form. Data subjects (visitors, vendors and candidates) don’t get to know how long their personal data will be retained or when it will eventually be purged.
The global data privacy landscape has witnessed sea changes in recent times. Of all the countries in the world, 66% have put legislation in place to secure protection of data and privacy, 10% have drafted legislation, while 19% (ie, 37 countries) alarmingly still don’t have any such laws.
Europe has been working on data privacy since the Second World War (1945). In the European Union (EU), private life and associated freedoms are considered fundamental human rights. While the General Data Protection Regulation (GDPR) is an overarching law across the EEA (European Economic Area), each country also has additional privacy laws.
Post-Brexit, while the UK is no longer under the GDPR ambit, it has developed its own strict regulation. Thirteen countries have proven themselves with adequate privacy regimes. Therefore, the EU nations don’t hesitate to transfer data to these countries: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, the United Kingdom and Uruguay.
Amongst the 50 US states, only 3 (California, Virginia and Colorado) have comprehensive data privacy laws; 16 (32%) don’t even have any form of a data privacy bill, task force or statute in place. This means companies in these 16 states don’t need to abide by any regulation; they don’t need to seek permission from users to share their data and they don’t need to give individuals the rights to access, delete, modify, or control their personal data, principles sacrosanct in privacy laws globally. On a lighter note, given its size, Bangladesh, with no such legislation today, has a better chance of getting a law enacted sooner than the US has of getting it done in its entirety. No wonder a Canadian, EU or UK company is uncomfortable transferring its data to the US today.
Interestingly, while many developed/developing countries don’t meet the privacy guidelines, at least 23 under-developed nations have adopted data protection legislation. One classic example is Senegal. With 34% of its population living below the poverty line and with 75% of its families suffering from chronic poverty, Senegal boasts a robust data privacy regulation.
India has been at the forefront with the PDPB (Personal Data Protection Bill) tabled in 2019. With Prime Minister Modi at the helm, enforcement is expected soon. Chile has amended the Constitution to make data privacy a human right. Iceland has adopted GDPR with additional stringent requirements. China, Sri Lanka and Pakistan have made recent strides with their draft Data Protection Bills in 2021.
However, there are implications of newer laws as they get enforced. The Chinese law, tabled in August 2021 and effective November 1, 2021, didn’t give time to prepare. Entities that already follow GDPR globally will have an easier time complying with China’s new requirements. But firms that haven’t implemented GDPR practices will need to quickly consider adopting something similar. With newer restrictions in the Chinese law, companies will need to be careful while accessing and transferring any PII out of China.
Like any other change, this will not be smooth. With limitations in decision making, bureaucratic support and technology execution, privacy implementation will not be agile.
Once more and more countries strictly enforce their privacy regimes, better days will lie ahead for the common man. With the rapidly evolving technology landscape (IoT, AI, blockchain among others), social media, M&A, regulations and ever-changing geopolitical equations, data privacy will undoubtedly be the dynamic space to watch out for — something that will keep businesses, regulators and governments on tenterhooks.