When the European Union's tougher privacy rules, the General Data Protection Regulation (GDPR), take effect on May 25, they will represent the biggest overhaul of data-protection law in more than 20 years, replacing a directive that dates from 1995.
The regulation gives people in the EU sweeping new rights over how their data can be collected, used and stored, and presents governments outside the 28-country bloc with a stark choice: bring their domestic laws into line with the EU's rules, or risk being shut out of a market of 500 million well-heeled consumers.
For many countries the choice is a no-brainer. Breaking commercial ties with the world's largest trading bloc is unthinkable, and non-compliance carries the risk of hefty fines, up to €20 million or 4 percent of worldwide annual turnover, whichever is higher, for any company that mishandles the data of people in the EU.
In response, legislators worldwide are scrambling to align their domestic laws with Europe's. The regulation lets people in the EU demand that a company erase their personal data (the right to erasure), obliges businesses to report a data breach to the supervisory authority within 72 hours of becoming aware of it and to inform the affected individuals without undue delay when the breach poses a high risk to them, and lets people take their data to a rival service (the right to data portability).
The Philippines is in a good position, having signed the Data Privacy Act (Republic Act No. 10173) into law in 2012; the law is enforced, and its provisions fleshed out through implementing rules and circulars, by the National Privacy Commission (NPC). Even so, Philippine organizations need to make a more determined effort to put in place the processes and procedures required for full compliance and to avoid costly data breaches.
Since the mid-1990s, starting with the 1995 Data Protection Directive, EU policy-makers have rolled out a series of data-protection rules that quickly became the de facto standard for most countries, with a few holdouts such as China, Russia and the United States.
But, as companies like Google, Facebook and Amazon vacuumed up more of people’s private information, European lawmakers upped the ante, intent on setting a new bar for data protection worldwide.
Most multinational companies, from Google to General Electric, must comply with the new standards because of their existing activities in Europe. Smaller firms, even those with no operations in the EU, fall under the regulation as soon as they offer goods or services to people in the EU or monitor their behaviour, so they must decide whether to comply with the region's privacy rules now or risk sanctions once European customers sign up to their services.
Israel and New Zealand are among a handful of countries that have obtained an "adequacy decision" from the European Commission, a finding that their data-protection rules offer protection essentially equivalent to Europe's. Only under such a decision can personal data, and the billions of euros of trade that depend on it, flow to that country freely, without additional safeguards such as contractual clauses.
In Argentina, for instance, legal experts say that pending data-protection reforms will put the Latin American country mostly on a par with the EU’s new rules, including guarantees linked to the independence of the country’s privacy agency.
In Japan, which is still awaiting its own adequacy decision after concluding a free-trade agreement with the European Union last December, reforms that took effect last year mirror many of Europe's existing standards, such as restrictions on transferring personal data to countries whose own privacy rules do not offer equivalent protection.
Other countries and territories, from Colombia to South Korea to the tiny British island territory of Bermuda, are similarly rebooting their domestic legislation, at times adopting European rules almost word for word.
While many countries' data-protection rules are modelled on Europe's, countries including the Philippines also have to take local circumstances into account, in particular not overly burdening small businesses that lack the budgets or know-how to follow complicated privacy rules.
US policy-makers argue that American data-protection standards, set out in a patchwork of sector-specific laws and enforced aggressively by the Federal Trade Commission, do more to guard against misuse than European standards, which often can be more bark than bite.
But that did not stop Europe's highest court from striking down the 15-year-old Safe Harbor data-transfer agreement between the region and the US in 2015, after judges ruled in the Schrems case that US law did not ensure adequate protection for EU citizens' data once it had been transferred across the Atlantic.
As Europe's new privacy standard takes effect, Europe is expected to use its economic muscle to cajole others to follow suit.
As Philippine organizations have no choice but to comply with data-privacy law, allow me to conclude by highlighting four steps to do so:
- Appoint a data-protection officer (DPO) and form a data protection committee. You should already have registered your DPO with the NPC, for which the deadline was September last year. Then identify the privacy risks to your organization by assessing every process that collects or handles personal data.
- Develop sound policies and practices for handling personal data, and write them down so that they can be followed and checked.
- Communicate those policies to staff, and monitor and audit whether internal processes actually follow them.
- Learn how to handle data subjects' queries and complaints, how to report a breach to the NPC (which must be notified within 72 hours of your becoming aware of it), and how to assist the NPC in any investigation.
Should you need assistance in implementing these four steps, contact me at Schumacher@eitsc.com.
Flashback: On July 11 I wrote about ‘Open Government Partnership – Part of Fighting Corruption’ and made extensive reference to reports prepared by the Independent Reporting Mechanism (IRM) of the local Open Government Partnership implementation group. The reason why I used the IRM source is that the Integrity Initiative is part of the Civil Society Groups supporting the OGP Program and the reporting of the IRM. In fact, the Integrity Initiative has added progress information to the latest IRM report.
Image credits: Uthisa Kaewkajang | Dreamstime.com