When introduced in 2018, the GDPR was a ground-breaking data privacy law, marking a global shift towards more aggressive data privacy laws and enforcement. The scheduled two-year evaluation report by the European Commission (EC), published June 24, 2020, heralds the GDPR’s success in strengthening individuals’ rights to personal data protection. It also finds that the GDPR is proving flexible to support digital solutions in unforeseen circumstances, such as the development of tracing apps during the COVID-19 pandemic.
The evaluation notes the existence of “inconsistencies” between guidelines provided by the European Data Protection Board (EDPB) and at the national level, and emphasizes the need for Member States to “allocate sufficient human, financial and technical resources to national data protection authorities” so that they can effectively perform their work and ensure that national guidelines are fully consistent with those issued by the EDPB.
It also recognizes the challenges the GDPR may present for small and medium sized enterprises (SMEs), and calls for “intensified and widespread” provision of tools and initiatives by data protection authorities to help support SME compliance efforts.
The impact of the GDPR can be seen in cyber insurance claims. There has been an uptick in data privacy losses in Europe, based on Marsh clients’ experience, but business interruption incidents like ransomware attacks continue to account for the lion’s share of large cyber event losses in Europe. Still, data breaches, while generally resulting in lower losses than other cyber events such as business interruption, require more work by organizations to prepare for and respond to under GDPR requirements.
Spurring Global Regulations
Even as interpretation and enforcement of the GDPR continue to evolve, it has put data privacy squarely on the global map. For many countries, the GDPR has served as a catalyst and a reference point for drafting new data privacy laws or overhauling existing ones. While there are variations, these data protection laws follow common themes — increased privacy rights for consumers, new and/or stricter obligations for businesses, and greater powers for regulators.
The following is a non-exhaustive summary of notable developments in several countries:
United States
While there is no overarching federal data privacy law in the US, individual states are strengthening their own laws. One of the most significant data privacy laws passed after GDPR implementation is the California Consumer Privacy Act (CCPA). The CCPA became effective on January 1, 2020, and enforceable as of July 1, 2020, and enacts some of the broadest privacy protections in the US. Much like the GDPR, the CCPA introduces new privacy rights for consumers, with significant financial implications for non-compliance and the risk of a private right of action in the event of a data breach. Other states are expected to eventually adopt similar laws.
Canada
Last year the Canadian government published its landmark Digital Charter, which kickstarted the process of modernizing the country’s main data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Current proposals could significantly broaden the scope of federal privacy law in Canada by imposing severe monetary penalties, creating new statutory rights, and giving far greater enforcement powers and resources to regulators.
Brazil
Brazil was one of the first countries to closely emulate the EU’s GDPR when it passed Lei Geral de Proteção de Dados (LGPD), its first comprehensive data protection regulation. This will establish a new National Data Protection Authority, create fundamental rights for individuals, and require businesses to report data breaches. Like the GDPR, the LGPD is extra-territorial in its reach, as it applies to any business processing the personal data of Brazilians, regardless of where the organization is located.
Australia
Australia introduced tough data breach notification requirements in 2018. The latest proposals would establish more stringent laws regarding organizations’ use of data. The ongoing review of the 1988 Privacy Act will consider strengthening consumer rights by broadening the definition of personal information and introducing concepts such as consent and the right to be forgotten.
New Zealand
New Zealand’s long-awaited Privacy Bill was passed through Parliament in late June and is due to be implemented on December 1, 2020. Among the key reforms is the introduction of mandatory notification of harmful privacy breaches to increase transparency. This means that if organizations have a privacy breach that poses a risk of serious harm, they are required by law to notify the Privacy Commissioner and affected parties.
India
India introduced its first-ever comprehensive data privacy law, the Personal Data Protection Bill, in 2018. The bill, yet to pass, is based largely on the GDPR and contains many similar concepts, including breach notification requirements, rights for data subjects, and an extra-territorial scope. It also envisages the creation of a new regulator, the Data Protection Authority of India, with substantial enforcement powers.
Singapore
Key proposed amendments to the Singapore Personal Data Protection Act (PDPA) include increased financial penalties and enhanced enforcement powers. Currently, organizations in breach of the PDPA are liable for financial penalties of up to S$1 million. The draft bill outlines a maximum financial penalty of the greater of 10% of an organization’s annual turnover or S$1 million. Proposed changes also include a mandatory notification regime that requires organizations to notify regulators and the affected individuals of data breaches within a specified timeline.
Thailand
Thailand’s Personal Data Protection Act (PDPA) was published on May 27, 2019, but the government has temporarily postponed the application of most of its provisions due to COVID-19. The PDPA, which has extra-territorial jurisdiction, includes provisions on the collection, consent, use, and disclosure of personal data; rights of data subjects; liabilities; and penalties. This legislation allows for criminal penalties — including up to one year of imprisonment — and civil liabilities, including punitive damages of up to twice the value of the actual damage.
China
There is no single comprehensive law on data privacy in China. Data privacy is regulated under a number of sector-specific, consumer, and cybersecurity laws and regulations governing data handling practices, supplemented by a number of non-binding national standards. However, in December 2019, Chinese authorities announced that the enactment of a new Personal Data Protection Law and a new Data Security Law would be a matter of priority in 2020. It is expected that the legislation will consolidate existing data protection principles in China.
Vietnam
In December 2019, Vietnam published a draft Decree on Personal Data Protection, future versions of which are expected to elaborate on the rights of data subjects, measures to protect personal data, and the establishment of competent authorities responsible for personal information protection. Foreign and domestic online service providers are already required to store the personal data of citizens in Vietnam. Offshore service providers are required to open representative offices in Vietnam to meet the data localization laws and comply with cybersecurity laws.
South Korea
South Korea’s Personal Information Protection Act (PIPA) imposes strict security requirements on organizations that hold or process personal data, and places tight limits on the sharing and use of such data. In January 2020, the government amended PIPA to clarify the concept of personal data and strengthen the regulator’s powers. The country is in the process of rolling out the Cyber Liability Insurance Regulation, which requires companies operating in certain sectors — including financial institutions and information communication service providers — to carry cyber liability insurance or alternative means of compensating damages.
Monitoring and preparing for more regulation
In this fast-evolving regulatory landscape, organizations must stay informed, continually assess which regulations they are subject to, and implement compliance action plans that include an assessment of the related enterprise risk. Doing so for new regulations may be a lighter lift for organizations that have already performed this exercise for the GDPR or other regulations. Even companies that are not presently subject to new regulations should assess their data collection practices, as there is a strong likelihood that more nations will soon pass their own legislation.
Risk professionals should consult their advisors and insurance brokers about adopting insurance policy terms and conditions to address their organizations’ widening exposures. Companies should review applicable insurance wordings, with a focus on the potential insurability of fines, penalties, and financial liabilities.