It has been four years since the General Data Protection Regulation (GDPR) came into effect, and discourse on privacy has significantly evolved since then. Discussions have gradually moved away from questions around the initial emphasis on the importance of protection for personal information to what more can be done to enhance the protection available. So, what are governments looking at in terms of enhanced protection?
Australia’s Online Privacy Code
Whilst reviewing its Privacy Act, Australia ran a consultation in the last quarter of 2021 that explores introducing an Online Privacy Code. According to accompanying documents, concerns over privacy incidents like the Cambridge Analytica scandal and a lack of knowledge amongst consumers about how their data is collected and used suggest that newer measures need to be introduced to address the gaps. The Online Privacy Code would cover how certain private sector organisations (termed “OP organisations”) must comply with the Privacy Act’s Privacy Principles and other obligations. The proposed scope is also broad and raises alarm bells among industry players who did not think they fall under what is typically defined as social media companies.
India’s Evolved Personal Data Protection Bill
In India, the Joint Parliamentary Committee had released its long-anticipated report in December 2021, and a particular recommendation that stood out was the suggestion that the Personal Data Protection Bill should include Non-Personal Data. The proposal has since been referred to as the “Data Protection Bill” and is thought to be at risk of further delay due to the broadening of the scope. There are no doubts rules over Personal Data Protection alone will take time to roll out as stakeholders will need educating on their obligations and the rights of the individuals. There is also the risk that combining the concept of Non-Personal Data and Personal Data may only muddy the actual implementation of the final law. The Ministry of Electronics and IT is expected to share a note that will cover its views on the bill, which is likely to be reviewed by other ministers before being presented to Parliament in the next February budget session.
EU GDPR Adequacy Decision for Korea
On 17 December 2021, the European Commission adopted an adequacy decision for the free flow of personal data from the European Union to South Korea under the GDPR. The decision was made at the conclusion of a five-year discussion and the Personal Information Protection Act of Korea was amended to ensure a high level of data protection. Notably, the adequacy decision complements the EU – Republic of Korea Free Trade Agreement with respect to personal data flows, demonstrating the importance of promoting high standards for data protection whilst pushing for greater trade flows. This is an encouraging development especially for other countries that may be vying for similar adequacy decisions.
What does it mean for you as a privacy practitioner?
The updates above show how diverse privacy developments are in different markets. Several common threads among these updates include the fact that discussions over each of these issues took a span of a few years before settling on a form of decision or outcome. Another commonality is that privacy is still very much a domestic-driven issue where each regulator determines what is most lacking in their markets and what types of mechanisms work best for them. Here are some ways you, as a privacy practitioner, can constructively contribute to the debate:
- Engage with regulators consistently and understand the local nuances: Each country has different policy goals and varying concerns around privacy. It is important to try to capture what those are and demonstrate how some of your suggestions feed into their goals or address their concerns.
- Share best practices with government stakeholders: If there is a certain mechanism that works better for your company or if there are practices you have observed in other markets that work better in helping your firm implement privacy protections, share with government stakeholders what that might be. Receiving feedback from the ground up is often useful in policy development.
- Translate what you see on the ground for your company: As a privacy practitioner, you play an essential role in translating policy developments and what it means for your companies’ practices or operations. Are there gaps to be addressed? How do you constantly put privacy by design at the top of the minds of your developers and operation staff to ensure personal information is well-managed within the company?
Privacy laws will continue to change, and it is especially challenging for a market like APAC, where there are multiple countries with diverse cultures and regulatory developments.
Subscribe to our news alerts here.