“Privacy-enhancing technologies have the potential to unlock the power of data to tackle major societal challenges — from international money laundering to responding to global pandemics — in a way that respects citizens’ rights.” - Julia Lopez, Minister of State at the Department for Digital, Culture, Media & Sport (UK).
Over the past five years, a raft of global jurisdiction changes has forced multinational corporations to rethink their business practices regarding data handling.
Following the implementation of the European Union’s GDPR in 2018, a wide range of countries across the globe began to implement variants of data protection rules. The challenge for any global organization is to be aware of and remain compliant across multiple jurisdictions.
Throughout this article, we will provide a snapshot of data laws, analyzing how data protection rights are handled in different regions of the world and how these laws are driving the adoption of privacy-enhancing technologies. We will also be taking a look at what happens when companies fail to comply with changes to data protection laws.
There are three main terms that are important when understanding how data protection works and the nuances associated with the topic. These are as follows:
Data sovereignty: This refers to the laws and governance that apply to data because of the geographical location where it is stored or processed. In practice, this means that if an EU-based company runs a call center in a country outside the EU, the data processed and stored by that call center becomes subject to the laws of the country it is located in, on top of whatever obligations (such as GDPR's international-transfer rules) still bind the EU company as controller.
Data privacy: Data privacy refers to an individual's right to decide which data about them is shared and with whom. Typically the information in scope is names, locations, and contact details, but it can extend to many other data points as well.
Data residency: Data residency, meanwhile, is similar to data sovereignty in that it also concerns where data is physically located. However, unlike data sovereignty, data residency describes the location an organization has chosen to keep its data in, not which laws that location imposes on it.
A common example of data residency is when a company chooses a particular jurisdiction to base its data in; often this is done in order to take advantage of a favorable regulatory or tax regime.
Businesses will then often be required to prove that they are predominantly doing business and storing data within the borders of their chosen jurisdiction in order to keep the benefits of that location.
Every region has a different approach to how data is governed; for example, in Europe, personal data is protected by the European Union under the General Data Protection Regulation (GDPR), which sets out how personal data of individuals in the EU may be collected and processed. The GDPR also reaches organizations established outside the EU when they offer goods or services to, or monitor the behaviour of, people in the EU.
Outside of Europe, several differences exist in how each region (and sometimes even individual countries within the same region) handle data.
60% of countries in Africa have data protection and privacy legislation, with 20% reporting no legislation whatsoever.
Meanwhile, in the Middle East, most nations have at least a draft form of legislation (Saudi Arabia and the UAE, for example, each issued a personal data protection law in 2021). In addition, as in some parts of Africa, many countries in the region draw on Sharia law, which has several principles concerning the divulging of personal secrets. Under Islamic law, safeguarding people's privacy is regarded not only as an individual duty but also as an obligation of the state and government, and violations of privacy are treated as wrongs.
Like in Africa, around 60% of countries in APAC have some form of data protection and privacy legislation. Of these, only Japan, New Zealand, and South Korea have adopted laws comparable to Europe's GDPR; these three are also the APAC jurisdictions that hold EU adequacy decisions, which allow personal data to flow from the EU without additional safeguards.
Meanwhile, Australia has a system known as the Australian Privacy Principles (APP) that covers collecting, using, and disclosing personal information. A breach of an APP is considered to interfere with an individual's privacy and can lead to a number of penalties.
In North America, Canada (through PIPEDA) is the only nation whose law the EU has recognized as GDPR-equivalent via an adequacy decision. Mexico has its own federal data protection law, while the US has no comprehensive federal privacy statute, only sector-specific federal laws and state-level laws such as California's CCPA.
In South America, only three countries have successfully passed GDPR-like legislation (Argentina, Brazil & Uruguay), with Paraguay also in the draft stages of creating said legislation.
Central America, meanwhile, has data protection and privacy legislation across most of the region. However, unlike the GDPR, which applies uniformly across the EU, Central American nations' laws are independent national laws with no mutual recognition outside their respective countries' borders.
Across the Americas, 75% of countries have some form of legislation in place with a further 10% implementing draft legislation.
Due to the rise in data protection laws around the world, the need for privacy-enhancing technologies (PETs) has never been greater.
As outlined by the ICO, the UK's independent data protection regulator, PETs can help organizations meet the GDPR principle of data protection by design and by default: building systems, products, and business practices so that they protect personal data automatically, rather than relying on procedures bolted on afterwards.
Beyond legal compliance, adopting PETs during a product's research and development stage can help an organization reduce the cost and risk of a major data breach. Suppose personal data is stored in a way that does not meet GDPR or a similar regulation; a breach could then have wide ramifications for both the organization's customers and its business. All customer personal data (including names and addresses) could be leaked onto the internet, and the company could face fines of up to €20 million under the GDPR (£17.5 million under the UK GDPR) or 4% of its annual worldwide turnover, whichever is higher. Adhering to well-established techniques, such as storing passwords only as salted, slow hashes rather than in reversible form and encrypting other sensitive fields at rest, makes it harder (and sometimes practically impossible) for a breach to expose personal information in its entirety.
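The password-storage point above is easy to demonstrate. The following is an added example written for this article, not code from the ICO or any product it mentions: it stores a constructed user record the weak way (password kept as-is) and the hardened way (salt plus scrypt digest, a key-derivation function from Python's standard library), then simulates a breach by serializing both records and checking whether the original password is recoverable from the dump. The scrypt cost parameters and the record layout are assumptions chosen for the example.

```python
"""Salted password hashing versus plaintext storage, and what a breach leaks."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# scrypt cost parameters. These are assumptions for the example; tune them to
# your hardware and latency budget. Memory use is 128 * N * r bytes (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record (algorithm, parameters, salt, digest).

    The password itself is never stored; a fresh random salt per user means
    two users with the same password get different digests.
    """
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES,
    )
    return {
        "alg": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
        "salt": salt.hex(), "hash": digest.hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(record["salt"]),
        n=record["n"], r=record["r"], p=record["p"], dklen=len(expected),
    )
    return hmac.compare_digest(candidate, expected)


def insecure_user_record(email: str, password: str) -> dict:
    """The weak pattern: the credential is stored exactly as the user typed it."""
    return {"email": email, "password": password}


def hardened_user_record(email: str, password: str) -> dict:
    """The hardened pattern: only the salted scrypt record is persisted."""
    return {"email": email, "password": hash_password(password)}


def plaintext_exposed(records: list, password: str) -> bool:
    """Simulate a breach: dump the user table to JSON and look for the password."""
    dump = json.dumps(records)
    return password in dump


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    email, secret = "alice@example.com", "correct horse battery staple"
    weak_table = [insecure_user_record(email, secret)]
    hard_table = [hardened_user_record(email, secret)]
    print("weak table leaks password:", plaintext_exposed(weak_table, secret))
    print("hardened table leaks password:", plaintext_exposed(hard_table, secret))
    print("login with right password:", verify_password(secret, hard_table[0]["password"]))
    print("login with wrong password:", verify_password("Correct horse", hard_table[0]["password"]))
```

Storing the algorithm and cost parameters alongside each digest is what lets you raise the work factor later and re-hash users on their next successful login, without breaking verification for records created under the old parameters.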
The UK government has outlined the importance of supporting the adoption of PETs, highlighting their potential to unlock innovation by enabling valuable data sharing and analysis whilst protecting the privacy and confidentiality of sensitive data.
While most countries have their own rules and regulations regarding noncompliance, the common theme that unites them all is that failing to comply with data protection laws will result in substantial fines and penalties for infringing individuals and companies.
For example, in Uruguay, failing to comply with the country’s data protection supervisory authority carries several punishments, which include warnings, fines, and even forced closure of a company’s database.
Meanwhile, in Japan, the maximum penalty for not complying with the Act on the Protection of Personal Information (APPI) can carry up to a year in prison.
Ever-changing global data regulations are both driving innovation and the adoption of PETs as businesses seek to protect their organization from facing fines or being unable to operate in certain markets.
Companies are also wary of new legislation and the impact it might have on their business, as seen in China when Yahoo shut down its operations in the country as China's Personal Information Protection Law came into force.
Rather than face fines or allow new legislation to potentially alter, threaten, or even ban a product, many firms will choose to cease operating in non-essential markets until a solution has been implemented or a suitable PET can be utilized to adhere to regulatory changes.