Personal Data Protection Laws: Another spice added to business compliance basket?
Since the implementation of General Data Protection Regulation (GDPR) in Europe much has been debated on personal data protection whether it is an opportunity for the businesses or else it’s just another added layer of already existing pool of compliance requirements. Apart from Europe, other countries/jurisdictions either have their respective laws on the personal data protection or the same are under the development process. The crux of the need to have laws on personal data protection may be traced back to 1948 when United Nations General Assembly adopted the Universal Declaration of Human Rights. Article 12 of this declaration provided the very foot stone for evolving and developing the legal framework on this subject as the one exists now. When we read Article 12 of the Universal Declaration of Human Rights with GDPR and similar laws of other jurisdictions the element in common is their application on a natural person. GDPR and other similar laws are centered on “data subject”, which means none but a natural person. GDPR and these laws confer many rights on natural persons to protect their privacy and that their personal information may not be used without their specific consent and at the same time may not be accessed or transmitted by and to unauthorized persons.
Having said that GDPR and other similar laws found their roots to 1948 and that these are natural person centered, then why its importance is felt with such enthusiasm now in recent years? Was there no universal need earlier then now to have such laws all around the world?
The answer to above question is directly linked with rise in transacting business through electronic means, that is not only confined to e-Commerce but government to citizen services through electronic means and also doing personal (non business) transactions using electronic means. Going a step further, cross-border business and personal transactions through electronic means is yet another a compelling reason in this era of technology that necessitated the need to have laws on personal data protection in recent years. This brings us to another and a much bigger (in scope) worldwide phenomena, the cybersecurity.
Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It is also known as information technology security or electronic information security. One can easily observe a direct link between laws on personal data protection and cybersecurity. Laws on personal data protection are aimed to protect the privacy of natural persons concerning their personal data, on the other side the cybersecurity (and its related laws) tend to govern the framework how to protect devices and systems which contain data in electronic means and that very data may include the personal data of natural persons (whilst the list is an all-inclusive to include financial data, business plans, business secrets, management discussions and so on). This means that laws on personal data protection may be classified as a sub-set of laws on cybersecurity. In this view of the matter the businesses will need to comply with a much larger scope encompassing cybersecurity including that of personal data of natural persons.
The vital difference, however, between the cybersecurity and personal data protection laws is that in case of former the hackers/intruders are to be held liable for their wrong doing while in the case of later it is the natural person (data subject) who is to bring an action against those (data controllers/data processors) who may be responsible for any breach related to personal data. As stated earlier, the personal data protection laws are natural person centered and therefore they confer significant rights on the natural persons, violation whereof attracts penalties to the persons responsible for any violation.
With above background in mind, it is easy to understand the nature and extent of rights that have been conferred upon the natural persons under the personal data protection laws. These rights include a fair and transparent access to personal data, correction of personal data, right of withdrawal of consent, not to disclose the personal data to unauthorized parties, prevent the processing that is likely to cause damage or distress, right to erase the personal data.
Consequently, to implement and enforce these rights certain obligations are placed over those who are processing or using the personal data of natural persons. The persons who are processing or using the personal data are termed as data controllers/data processors in the laws relating to personal data protection. These obligations include the foremost obligation to have an informed consent of the natural person and a clear and known exercise of choice by the natural person to allow the data controllers/data processors to process their personal data. The other obligations include non-disclosure, taking security measures, data integrity, record keeping, notifying the data breach to relevant government authorities (and to the data subjects in some jurisdictions).
Logically enough, non-compliance or violation of rights of the natural person’s entail penalties on data controller’s/data processors as the penalties tend to serve as deterrent to have compliance of related law.
In todays regulated environment, businesses are faced with many general and sector specific compliance requirements. To name a few, anti-money laundering, unfair trade practices to distort the competition, taxation, foreign exchange, labour & employment, corporate social responsibility etc. Laws on personal data protection, thus, added a few more compliance requirements on the businesses.
Importantly, the compliance requirements under the personal data protection laws are totally focused on natural persons in contrast to the compliance requirements under other laws which are more of institutional oriented. This leads to bring a sense of privacy protection in our society, as the society is nothing but aggregation of human beings (natural persons). Notwithstanding the extent of advancement in technology “human element” from this world cannot be eliminated. Therefore, the laws on personal data protection which may on the one side place certain compliance requirements on the businesses but on a broader spectrum aim to protect the society (or more precisely the human beings) at large.
Follow LexTalk World for more news and updated from International Legal Industry.