In the age of information and communication technologies, flow of information is fundamental to doing business in the global economy. Business operations and consumer expectations have undergone a major shift due to the development of technology and the nature of information flows.
Most of the services that we receive or provide are related to collection and analysis of personal data. The economic and social integration resulting from the functioning of e-commerce has led to a substantial increase in cross-border flows of personal information. The scale of the collection and sharing of personal information has increased significantly.
We share our personal information every day, without any hesitation, by visiting a website, opening a bank account or social media account, buying goods and services online, registering for email and so on. It is a matter of grave concern that some organisations not only collect personal details but also store them in insecure places, share them with third parties, or move this data across borders without the customers' consent.
Rapid technological development and globalisation have brought new challenges for the protection of personal information. Recently, British Airways owner IAG was fined $230 million for the theft of data from 500,000 customers from its website last year, under the General Data Protection Regulation (GDPR), which came into force in 2018. Facebook was also fined 500,000 pounds in 2018 for serious breaches of data protection law.
According to Article 12 of the Universal Declaration of Human Rights, everyone has the right to the protection of the law against any interference with his privacy. In December 2013, the United Nations General Assembly passed a resolution demanding that state surveillance be subjected to legality through clear and precise law, which must look to safeguard the right to privacy.
As expected, data protection has become a major issue for legislators, regulators and consumers worldwide, one that organisations can no longer afford to ignore. A number of data privacy regulations and acts have been introduced around the world.
The General Data Protection Regulation (GDPR) is the latest European Union (EU) parliamentary measure designed to put the highest levels of protection around personal data; it came into force in May 2018. The GDPR applies to all companies that process personal data of EU citizens, regardless of where the EU citizen resides.
According to the GDPR, companies must ensure that customers have control over their data. To be GDPR-compliant, a company must not only safeguard consumer data carefully but also provide consumers with myriad ways to control, monitor, check and, if desired, delete any information pertaining to them. Any deviation from that could lead to fines of up to €20 million or 4% of the company's global annual turnover, whichever is higher.
The California Federal Government of the United States of America has enacted the California Consumer Privacy Act, 2018 (CCPA), which comes into force on January 1, 2020. Many of its provisions are similar to the GDPR and require companies to institute new internal data privacy regimes.
The CCPA gives more control to the consumer on how their data is collected, used, and deleted. The act applies to businesses that collect personal information about California residents, regardless of location, and meet certain thresholds.
The Asia Pacific Economic Cooperation (APEC) adopted a voluntary Privacy Framework in 2005 and updated it in 2015; the framework aims at promoting electronic commerce throughout the APEC region. In 2011, APEC implemented the Cross Border Privacy Rules (CBPR), which require participating businesses to develop and implement data privacy policies consistent with the framework.
The Organisation for Economic Co-operation and Development adopted the voluntary guidelines governing the Protection of Privacy and Trans-Border Flows of Personal Data (OECD Guidelines) in 1980 and revised them in 2013.
The OECD Guidelines apply to personal data, whether in the public or private sectors, which, because of the manner in which they are processed, or because of their nature or the context in which they are used, pose a danger to privacy and individual liberties. These guidelines should be regarded as minimum standards which are capable of being supplemented by additional measures for the protection of privacy and individual liberties.
According to the BSA Global Cloud Computing Scorecard, 2018, privacy laws are still absent or insufficient in several countries, though a good number of countries have data protection frameworks in place. Brazil and Thailand have no comprehensive laws, while laws in China, India, Indonesia, and Vietnam remain very limited. Canada and Mexico score highest in the privacy section.
The Supreme Court of India held that privacy is a fundamental right in the case of Justice KS Puttaswamy (Retd.) vs Union of India on August 24, 2017, which led to the formulation of a comprehensive Personal Data Protection Bill 2019. However, currently, the Information Technology Act 2000 contains specific provisions intended to protect electronic data.
It is unfortunate that Bangladesh has no law, regulation or guideline for ensuring data privacy that applies to all sectors, irrespective of their nature. As a result, individuals have become concerned about the harmful consequences that may arise from the use and misuse of their information.
Mazharul Islam is a Corporate Legal Practitioner.