In the age of information and communication technologies, the flow of information is fundamental to doing business in the global economy. Business operations and consumer expectations have undergone a major shift due to the development of technology and the nature of information flows. Most of the services that we receive or provide involve the collection and analysis of personal data, i.e. any information relating to an identified or identifiable natural person. The economic and social integration resulting from the functioning of e-commerce has led to a substantial increase in cross-border flows of personal information. The scale of the collection and sharing of personal information has increased significantly. We share our personal information every day, without hesitation, by visiting a website, opening a bank account or social media account, buying goods and services online, registering for email, etc. It is a matter of grave concern that some organisations not only collect personal details but also store them in insecure places and share them with third parties or move this data across borders without obtaining customers' consent. Rapid technological developments and globalisation have brought new challenges for the protection of personal information. In the recent past, we have witnessed British Airways owner IAG being handed a $230 million fine for the theft of data from 500,000 customers from its website last year under the General Data Protection Regulation (GDPR), which came into force in 2018. Facebook was fined 500,000 pounds in 2018 for serious breaches of data protection law. (The Daily Star)
According to Article 12 of the Universal Declaration of Human Rights, everyone has the right to the protection of the law against any interference with his privacy. In December 2013, the United Nations General Assembly passed a Resolution demanding that the working of state surveillance be subject to legality through clear and precise law, which must safeguard the right to privacy. As expected, data protection has become a major issue for legislators, regulators and consumers worldwide, one that organizations can no longer afford to ignore. A number of data privacy regulations and acts have been introduced around the world.
Firstly, the General Data Protection Regulation (GDPR) is the latest European Union (EU) parliamentary measure designed to put the highest levels of protection around personal data; it came into force in May 2018. The GDPR applies to all companies that process personal data of EU citizens, regardless of where the EU citizen resides. According to the GDPR, companies must ensure that customers have control over their data. To be GDPR-compliant, a company must not only safeguard consumer data carefully but also provide consumers with myriad ways to control, monitor, check and, if desired, delete any information pertaining to them. Any deviation could result in fines of up to €20 million or 4.0 per cent of the company's global annual turnover, whichever is higher.
Secondly, California Federal Government has enacted the California Consumer Privacy Act, 2018 (CCPA), which came into force on January 01, 2020. Many of its provisions are similar to the GDPR and require companies to institute new internal data privacy regimes. The CCPA gives consumers more control over how their data is collected, used, and deleted. The CCPA applies to businesses that collect personal information about California residents, regardless of location, and meet certain thresholds.
Thirdly, Asia Pacific Economic Cooperation (APEC) adopted a voluntary Privacy Framework (the Framework) in 2005 and updated it in 2015; the Framework aims at promoting electronic commerce throughout the APEC region. In 2011, APEC implemented the Cross Border Privacy Rules (CBPR) System, which requires participating businesses to develop and implement data privacy policies consistent with the Framework. The Framework requires appropriate safeguards, while the CBPR System requires the applicant country to describe how it enforces a requirement to have technical and administrative safeguards. The CBPR System is intended to provide a minimum level of protection if there are no applicable domestic privacy protection requirements in a country.
Fourthly, the Organisation for Economic Co-operation and Development (OECD) adopted the voluntary guidelines governing the Protection of Privacy and Trans-border Flows of Personal Data (OECD Guidelines) in 1980 and revised them in 2013 in response to growing concerns about information privacy and data protection in an increasingly technological and connected world. The OECD Guidelines apply to personal data, whether in the public or private sectors, which, because of the manner in which they are processed, or because of their nature or the context in which they are used, pose a danger to privacy and individual liberties. These Guidelines should be regarded as minimum standards which are capable of being supplemented by additional measures for the protection of privacy and individual liberties.
According to the BSA Global Cloud Computing Scorecard, 2018, privacy laws are still absent or insufficient in several countries, though a good number of countries have data protection frameworks in place. Brazil and Thailand have no comprehensive laws, while laws in China, India, Indonesia, and Vietnam remain very limited. Canada and Mexico score highest in the privacy section.
The Supreme Court of India held that privacy is a fundamental right in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India on August 24, 2017, which led to the formulation of a comprehensive Personal Data Protection Bill 2019. At present, however, the Information Technology Act, 2000 contains specific provisions intended to protect electronic data.
It is unfortunate that there is no law, regulation or guideline for ensuring data privacy in Bangladesh that is applicable to all sectors irrespective of their nature. As a result, individuals are concerned about the harmful consequences that may arise from the use and misuse of their information. Technological developments require a strong and more coherent data protection framework, backed by strong enforcement, to ensure continued trade and economic development without imposing unnecessary barriers to information flows. Enterprises are required to introduce an integrated privacy policy and an effective data retention policy.
Mazharul Islam is a Corporate Legal Practitioner