There are few certainties in 2020 given the global geo-political, social and economic landscape. What in January looked like an already complicated year changed immeasurably as Covid-19 spread around the globe. The global response by nation states to the pandemic, unprecedented in the modern era, brought the privacy of citizens to the fore yet again as governments sought to use smart devices to track the spread of the virus by collecting and processing data about the user’s movements and behavior.
Although using data in this way is beneficial for society, the protection of the personal data of the data subjects must always be held front of mind. Governments should attempt to handle this data in a balanced way that manages both the safety and privacy concerns of their citizens. Furthermore, issues such as transparency cannot be overlooked even in these most challenging circumstances. Questions that need to be considered include what type of personal data is being shared, for what purposes, how aware citizens are of these uses and for how long it will be used.
It is therefore timely to reflect on the impact of the GDPR on the increasing spread and impact of privacy laws globally, as the GDPR reaches its second anniversary with mixed reviews. Although the GDPR has received most of the headlines, it is crucial for organizations to realize that it is not the only law that impacts data-driven businesses. Further, the increased awareness in the public and the media about privacy as a result of Covid-19 contact tracing measures means that the global privacy framework is likely to become even more complicated. As the volume of these laws is ever-increasing, it is difficult for businesses to keep on top of compliance requirements from one market to the next.
The compliance burden
To put this in context, as of June 2020, over 20 US States have privacy Acts or developing Bills before their state legislatures, with a number of other states having privacy task forces in place. A US federal privacy law has been proposed. It is still some time away, but the momentum is growing. Brazil, South Africa and India’s new data protection laws have been passed or are at an advanced stage in the legislative process, joining countries that already have modernized data protection and privacy laws, such as Canada, Russia, Japan, Singapore, South Korea, Malaysia and Nigeria - and many others which are on that journey. Although Covid-19 has delayed the legislative processes, with Brazil, South Africa and India’s laws being postponed, more than 60 countries have now introduced privacy laws in response to their citizens’ desire for control over their privacy and data protection rights. In increasingly globalized markets and with the ever-increasing adoption of cloud computing and PaaS, IaaS and SaaS services, few large organizations can ignore what we can call the ‘global privacy framework’.
With this evolving global privacy framework, the compliance burden is considerable. Some jurisdictions, such as Russia, have data localization laws. Others differ in subtle but significant ways from GDPR, the law which most companies seek to align to. Brazil’s LGPD has ten lawful bases of processing, compared to GDPR’s six. South Africa’s POPIA protects the data of natural (i.e. living) persons and juristic persons (i.e. corporations). When companies start to dig into the requirements of these differing laws, they realize the difficulty of a ‘one size fits all’ approach. This poses significant Boardroom-level risk. Forrester are predicting a 300 percent increase in privacy class actions. With so many different flavors and approaches to data protection, managing and analyzing data while maintaining customer trust is becoming increasingly difficult for companies with global footprints.
Abiding by the law
So how can companies address the ‘compliance overhead’ associated with the global privacy framework? How do they manage, stay on top of and adhere to global regulations? There is one constant regardless of the jurisdiction: privacy laws are based on the protection of ‘personal data’. If the data is not ‘personal’ then privacy laws don’t apply. Therefore, turning to genuine anonymization of personal data is a way of assisting with compliance and building customer trust, regardless of the jurisdiction, and allows organizations to unlock the value in their data and reduce exposure to global privacy laws. The overarching themes of data privacy regulations are that the rights to use personal data are narrowing and the rights of data subjects are expanding.
It’s fair to say that technology providers can play a critical role in this new environment. By providing companies and governments with cutting-edge, privacy-enhancing data analytics technologies, they can enable them to get powerful insights from their data, but in a responsible and trustworthy way. Companies can thereby drive value-generating insights from data, and governments can unlock life-saving insights from data, without sacrificing the privacy rights of their citizens. In the aftermath of the Covid-19 pandemic, this might be one of the greatest callings of technology companies – and if companies and governments have the courage to use their data innovatively, and the wisdom to choose the right partners in doing so – we will all benefit.
It is logical to assume that one potentially long-lasting impact of the pandemic will be that both the private sector and the public sector will be collecting more personal data for ever more powerful analytical insights over the coming months and years. It will therefore be imperative for companies to ensure they are abiding by global privacy laws. In this environment the risks of fines, negative brand image and a drop in revenue are very real. The question isn’t how to comply with the global privacy framework, but how to avoid it altogether. There is every reason to believe that anonymization is a tool that will become essential for data-driven organizations in the next few years. It brings to mind the maxim, “fail to plan, plan to fail”: organizations need to start thinking now about how they will comply in one, two, five or ten years, as the impact of current events could change the way we do business using personal data. The compliance burden will only get harder and forward-thinking is essential.
André Thompson, Privacy and Ethics Counsel, Trūata