With the growing demand for India to write laws on data protection and privacy, Business Today speaks to Shaundra Watson, Director of Policy at The Software Alliance, also known as BSA, on laws from across the globe that will support positive legislative change.
Consent is a central issue in the privacy law area but should it be all and end all basis to determine if companies can use the personal information?
Consent is certainly important. GDPR that is going to be enforced on May 25 this year has strengthened individual rights and have set the standard of consent that is fairly high. For instance, it should be clear, unambiguous, freely given. It shouldn't be just a tick in the box but the consumer needs to state that he or she is giving consent to the data.
However, relying only on consent as a legal basis for handling personal data can stymie growth and innovation in the digital economy. Also, users might simply accept whatever terms are presented to them without fully understanding the information presented to them.
Law in data protection should allow different basis (or ways) to lawfully process personal information because there can be a number of legitimate reasons to do so.
One practice is recognizing multiple bases for processing personal information. Legitimate interest is another one apart from consent. For instance, when a user uses the credit card the bank knows whether it is that owner of the card or not because they have data on their purchasing pattern. In this case, the company is using their personal information on spending patterns to detect fraud and protect the user's interest and might not seek their consent because there is a legitimate reason for them to do so.
But if companies are given the freedom to decide what is legitimate and what isn't, wouldn't that leave a lot of scope for misuse of data as we have already seen?
A fundamental question is how you protect privacy and balance it with innovation in a digital world. One way is to create clear rules for both individuals and business. Identify what consumer expectations should be, what their rights are and what company's obligations are. Baseline is to give individuals more control but at the same time recognise that there has to be some flexibility.
When companies use information on legitimate interest, it is not that they just use it because they say they have a legitimate interest. The first thing EU law says is they have to do a balancing test, something like a risk assessment test where they have to ask what is the risk of harm to an individual if their personal information is used. For instance, fraud prevention is legitimate or to protect personal identity.
Another feature to the balancing test is demonstrating accountability. Companies can record that they went through this analysis and document how privacy would be impacted by what they are proposing to do. If there is a problem later they can demonstrate to the regulator the process they underwent and they take accountability seriously.
Companies operate in multiple geographies, so, how can accountability play a role there?
When data crosses borders governments want to protect their citizens as personal information leaves the country. There are a number of other ways governments have tried to protect the data many of which are not good solutions. One is data localization.
It has been proven time and again that data locationalisation leads to negative long term effects on economic growth because it impedes companies' ability to enter a market and restrict them to use services that can reduce cost and reach consumers outside the country.
Accountability is the touchstone of modern data protection law. It is a global world and information flow is ubiquitous. That's where the principle of accountability which means company is responsible for the data no matter where it is processed. As a company it is their obligation to keep it safe no matter where it is kept or send, they are on the hook for it.
How can law ensure accountability from companies present in multiple locations or working across geographies?
There are two model ways that can be created that allows data to flow and yet enables companies to protect data.
One is Privacy Shield, an agreement between the US and the EU to provide companies on both sides of the Atlantic to flow between these two regions but also create obligations for companies to protect individual privacy.
There is another example in APEC Cross-Border Privacy Rules (CBPR) System which is a voluntary, accountability-based mechanism that certifies a company's compliance with the principles in the APEC CBPR and facilitates privacy-respecting transfers of data among APEC member economies.
Currently six APEC economies have joined the CBPR system: USA, Mexico, Japan, Canada, Singapore and the Republic of Korea but it is in its early stages and is growing very fast.