New laws are shaping the landscape of Privacy

The General Data Protection Regulation (GDPR), which in Europe has been in effect since 2018, serves as a model for other privacy and data protection regulations around the world. In this article, we will highlight some of the most relevant features of different regulatory frameworks implemented in recent years.

O

nline privacy is at the forefront of debate like never before. The protection of minors, the use of personal information by companies for selling products, and the government interference resulting from the vast amount of information on online platforms are concerns for citizens, leading to the emergence and modification of regulations in many ways. Germany, China, New Zealand, and Switzerland have made efforts to design and improve their regulatory frameworks, adapting them to their respective cultures and circumstances. 

 California 

• Scope. The State of California introduced its California Privacy Rights Act (CPRA) in January 2023. The CPRA is an enhanced and expanded version of the California Consumer Privacy Act (CCPA), which had been in effect since 2018. It applies to companies that collect data from 100,000 or more users and derive direct benefits from the exchange of this data. 
• SPI. One of the most interesting aspects addressed by the CPRA is Sensitive Personal Information (SPI), a special category that includes geolocation data, religious beliefs, ethnic origin, biometric information, health reports, or data on sex or sexual orientation. SPI requires specific security measures, and consumers have the right to request limitations on its use. 
• Minors. The CPRA considers various responsibilities regarding the processing of data from minors (under 16 years old). Companies must provide the option to opt out of sharing or selling their data to third parties, and in the event a minor exercises this right, companies must wait a minimum of 12 months before requesting consent again. 
• Rights. In general, users have the right to request a record of all personal data held by companies. They can also request the deletion or cessation of sharing of any data, as well as information on how long the data is stored. 
• Security. California residents have the right to sue companies that misuse their data or experience a data breach, especially if the companies have neglected the proper encryption of the data. 

 New Zealand 

• Scope. In effect since 2020, the New Zealand Privacy Act applies to all companies or organizations (including religious groups, schools, etc.) that process data from New Zealand citizens, regardless of whether they live in the country or not. 
• Breaches. When a data breach occurs and exceeds a certain threshold, the organization is obligated to notify both the affected individuals and the Privacy Commissioner. The Privacy Commissioner, established in 1993, is an agency responsible for administering and ensuring the proper enforcement of the Privacy Act. 
• Cross-border sata transfer. The regulations prohibit the disclosure of personal data abroad unless the receiving organization commits to treating the data appropriately, is subject to laws similar to those in New Zealand and obtains explicit permission from the data subject. 
• Limitations. The New Zealand law is not as robust as the GDPR, as it does not provide internet users with the option to accept or decline the tracking of their data. Additionally, the Privacy Commissioner has certain limitations in their authority. For example, they cannot impose penalties for data breaches or violations. 

Singapore 

• Scope. The Personal Data Protection Act (PDPA) of Singapore has an extraterritorial scope. It applies to any company or organization that processes data from Singapore residents or citizens. The PDPA does make certain exceptions, such as employees who handle sensitive information as part of their job or public entities that operate under their own regulatory frameworks. 
• Definition. Singapore defines a wide variety of data as “personal information,” including locations, cookies, internet search histories, email addresses, as well as references to sex, age, political and religious beliefs. 
• Consent. The collection of data must always have the consent of the user. There are two types of consent: active and implied. Active consent requires the user to check a box or use a similar method to indicate their agreement to the data collection. Implied consent is activated when the user is informed but does not explicitly express agreement or disagreement. 
• Respect. Organizations are banned from contacting individuals listed in the national Do Not Call registry, unless a business relationship exists, or explicit consent has been obtained. 

 Germany 

• Scope. The German Telecommunications and Media Act on Data Protection (TTDSG) resulted from consolidating various laws into one single, comprehensive framework. In effect since 2021, it has a broad scope and regulates the handling of confidential data on the internet by organizations established in or outside of Germany in relation to the country. 
• Consent. The active and informed permission of the user, through visible banners on the screen providing unambiguous information about the purpose of access, is required for the reading and storage of personal data. The characteristics of these banners are strictly regulated by law. For example, the “accept” button for tracking must be at the same level and in the same format as the “reject” button. 
• Freedom. The regulations include numerous measures to provide flexibility in consent and ensure that consumers have control. Companies must offer consumers options to terminate their relationships and services at any time, to pay anonymously or to use a pseudonym. 

 Switzerland 

• Scope. Unlike other regulatory frameworks, the new Swiss Federal Act on Data Protection (nFADP), set to be implemented in September 2023, is limited to companies and organizations that process data from Swiss citizens or are established in Switzerland. Furthermore, the nFADP focuses on protecting sensitive information of individuals rather than legal entities. 

 Canada 

• Scope. One of the newest regulatory projects, still in the approval process, is the Canadian Consumer Privacy Protection Act (CPPA). The framework considers any identifiable information of a person, living or deceased, as personal information. Income, social media opinions, rental agreements, or financial transactions are among the data that must be protected under this law. The CPPA does not cover records used for artistic or journalistic purposes or information provided for employment or business purposes. 
• Responsibility. The CPPA holds companies responsible for the security of data, whether they manage it themselves or have another organization process it on their behalf. Additionally, each organization must have a dedicated department for privacy protection, and the security measures must be adapted to the sensitivity of the stored or accessed information. 
• Consent. Canada also distinguishes between active and implied consent. The choice of consent type should be based on the sensitivity of the data being accessed. Consent messages presented to users must include details such as the type of personal information to be collected, its purpose, third parties with whom it will be shared, and the consequences of disclosure, among other concepts. All organizations must maintain records of these consents in easily accessible formats for audit purposes. 
• Rights. The law specifies that users have the right to transfer their personal information between banks or insurers, or to delete it at any time. 

As new privacy laws are enacted or existing regulations are updated, it is crucial to understand that society in general, as well as technology providers and companies, must be prepared to comply with all requirements and obligations. This entails staying informed on legal changes, adapting business practices to meet privacy and security standards that vary in each country or culture, and adopting appropriate technological solutions to effectively protect personal data. Being prepared and compliant with these regulations not only helps ensure the respect for individuals’ privacy rights, but also promotes trust and transparency in the digital environment for the benefit of all parties involved.