Tech Transactions & Data Privacy 2022 Report
2021 shaped up to be an active and hectic time in the international privacy law arena, and despite what some privacy professionals may hope for, 2022 is likely going to turn this into a trend. As discussed in more detail in other parts of this report, data localization and cross-border transfers are two topics that have seen a particularly high level of activity. These are not the only areas of law that have seen developments, however.
A New Law in China
A major development in 2021 was China’s passage of a comprehensive privacy statute that governs the collection and “handling” of personal information. Similar in many ways to Europe’s General Data Protection Regulation (GDPR), China’s Personal Information Protection Law (PIPL) was passed in August of 2021 and entered into force on November 1, 2021. PIPL regulates how companies can use the personal information they collect from individuals and requires companies to have a legal basis for these activities. It also provides individuals with rights in the personal information that is collected about them. Notably, PIPL has extraterritorial reach, so even companies that have limited dealings with China could be subject to the law. Additionally, penalties for noncompliance are CNY50 million (approximately $7.8 million as of the writing of this report), or 5% of a company’s annual revenue from the previous year, so the cost of violating the statute can become significant.
More specifically, organizations must provide prior notice to individuals* about: how personal information is going to be collected; the purpose for which collected information will be used; and the individual’s ability to opt into this data collection and use. The law also requires that organizations collect no more personal information than is needed to conduct the task for which the information is being collected. Additionally, it requires that organizations create internal processes such as appointing a data protection officer, entering into contracts with vendors, implementing data security measures, and conducting protection impact assessments on data processing activities. Finally, it gives individuals the following rights:
- The right to access a copy of the information that the organization has about the individual;*
- The right to have an organization correct incorrect information that the organization has about the individual;
- The right to opt out of or object to the use of their information;*
- The right to withdraw their consent for the use of their personal information;
- The right to limit the use of their personal information;*
- The right to have an organization delete the personal information it holds about the individual;
- The right to get a copy of the personal information an organization has about the individual;* and
- The right to freely exercise their other rights without being discriminated against for doing so.
* Indicates a right that has some limitations based on other statutes or administrative regulations.
As with other countries’ laws in this field, PIPL contains ambiguities that will require follow-up rulemaking from regulatory bodies, so we do not yet have a complete picture of how to comply with the law. Additionally, it is unclear how broadly and aggressively it will be enforced.
A New Law in Brazil
In addition to China’s PIPL, 2021 also saw enforcement of Brazil’s comprehensive privacy law begin. Brazil’s General Personal Data Protection Law (the Lei Geral de Proteção de Dados Pessoais) (LGPD) is Brazil’s first comprehensive privacy and data protection regulation, and it is also modeled heavily on the EU’s GDPR. It originally came into force in September 2020, but enforcement in earnest was delayed until August 1, 2021. As with GDPR and PIPL, the LGPD also has an extraterritorial reach.
Similar to GDPR and PIPL, LGPD requires companies to provide individuals with notice about what information the company is collecting and how it is using that information. It also allows individuals to exercise the same rights as GDPR: accessing the information the company has, correcting inaccurate information, getting a copy of their data, and having their data deleted. Like GDPR, LGPD also requires companies to have a legal basis for the data collection and processing, as well as to conduct data protection impact assessments and appoint a data protection officer.
LGPD establishes the National Data Protection Authority, which is tasked with issuing regulations pursuant to the statute, and subsequently enforcing the law. It has to date issued some regulations, but there are still areas where regulations are expected.
Other Statutes
In addition to China and Brazil, a number of other countries and territories (including Australia, Hong Kong, Pakistan, Sri Lanka, British Virgin Islands and the UAE) either passed, amended or considered modifications to their privacy regulations. Additionally, Russia increased the penalties for violations of its privacy laws. These laws vary in their breadth – some are focused specifically on issues such as doxing and data breach notification, while others are more comprehensive, like what we see in the LGPD and PIPL.
Implications
Together, these laws form a mixed bag in terms of the international regulatory picture: some countries have detailed laws with active enforcement, others have general laws with spotty and potentially selective enforcement, a third group has very basic or non-existent laws, while yet another group is working to transition between categories. Of those countries with laws on the books, the approach to enforcement is especially diverse. On one end of the spectrum are those countries that do not have a track record of having the ability or seeming desire to enforce their laws. On the other end of the spectrum are those countries that look to be actively pursuing alleged violations, in some instances to a degree that has observers questioning whether there are underlying political or geopolitical motivations.
As a whole, these laws reflect a debate about how to regulate a world in which there is an explosion in how much data individuals generate in the course of their daily lives and how many ways there are for others to use this data. Among other positions, the laws reflect the desire of some to limit corporations’ ability to harness that data for their own purposes. They also reflect the value that some governments see in being able to keep their citizens’ data from leaving their borders and in maintaining access to those data assets.
Most likely, 2022 will see more activity on both the legislative and enforcement fronts. Navigating this landscape will be increasingly complicated as the number of laws increases and the enforcement activity continues to get more complex.