“Change is the only constant in life.” – Heraclitus. The Greek philosopher’s words apply aptly to compliance as well.
The latest developments in compliance are no less than a paradigm shift. I have written about the impact of the 2018 EU GDPR regulation in one of my previous blogs. GDPR has forced many companies to change their strategy for dealing with personal data pertaining to EU citizens. Another example is the introduction of GST in India back in 2017, which has simplified tax compliance requirements to a large extent.
The time is now ripe to ponder some of the fundamental shifts happening in compliance. The questions on my mind concern the future of compliance:
- How are data residency regulations across geographies going to change the business landscape?
- What will be the impact of Industry 4.0 on compliance frameworks?
- How will regulators deal with bias and adversarial attacks in machine learning and AI models?
- Who will ensure responsible use of artificial intelligence?
- How will companies ensure secure use of confidential data when millions of people are working from home, forced by the COVID-19 pandemic?
This blog series will delve deeper into the key trends in regulation and examine different aspects of compliance in 3 parts:
Part 1 – Regulations across countries
Part 2 – Impact due to technical advancement
Part 3 – Way forward for companies to meet the new challenges
Of late, Internet giants have come under scrutiny over alleged monopolistic practices in several countries. The US Justice Department has filed lawsuits against Google. “Facebook must be broken up”, the US government says in a groundbreaking recent anti-trust lawsuit. The EU has been imposing fines on some of them. The Competition Commission of India (CCI) has questioned some of them several times. The Government of India blocked access to 59 mobile apps in June 2020, 118 more apps in September 2020, and 43 more apps in November 2020 under section 69A of the Information Technology Act. These examples demonstrate how regulators have been evolving into assertive powers and trying to solve dynamic and complex compliance problems, which today are truly global in nature.
With the increased use of cloud computing, data analytics and AI/ML, focus has been rapidly shifting towards data. Data has become the lifeblood of the modern global economy. Countries and regions are coming up with different sets of rules to protect data privacy. In general, data residency laws require companies to store a copy of the data locally and process it locally, and mandate individual or government consent for data transfers.
In the coming days, all companies, including traditional businesses, SaaS or e-commerce businesses, will have to be cognizant of regulations pertaining to cross-border data flows. Business leaders will have to deal with varied maturity levels of regulatory environments across countries, which can be very complex, inconsistent, and sometimes contradictory.[1]
European Union (EU)
One of the stated aims of GDPR is to increase harmonisation and ensure a consistent and high level of protection of personal data throughout the EU. According to GDPR, companies have to keep the data secure inside the EU, and if the data is to be transferred outside the EU, it can only be transferred to countries or organisations that have signed up to equivalent privacy protection. A transfer means that the source data was moved to a machine outside the EU. Even accessing data from outside the European Economic Area (EEA) counts as a transfer.[2,3]
A key point to note is that GDPR also gives member states the flexibility, through a large number of provisions, to design their own rules related to national security, regulation of the press and other specific areas. These national variations of GDPR compliance will continuously evolve, and companies operating in different countries of the EU region have to deal with both sets of rules: the identical privacy and data protection rules across member states, as well as the country-specific rules.
In addition, the exit of the UK from the EU poses new risks for companies transferring data from the EU to the UK. Effective EU data localization could become a significant barrier to an open internet, as it will involve an extra set of costs in setting up technology infrastructure to meet the new regulations.
United States (US)
Data protection regulation in the US is more fragmented, with hundreds of laws enacted at both the federal and state levels. At the federal level, the Federal Trade Commission (FTC), under the Federal Trade Commission Act, can bring enforcement actions to protect consumers against unfair or deceptive practices. There are sector-specific regulations as well, such as for healthcare and financial services. In addition to the federal regime, state-level regulations protect a wide range of privacy rights of individual residents. A number of states have brought in discrete laws to protect citizens from unlawful surveillance, including cellular location tracking, drone photography, and smart TV snooping features.[4]
Businesses operating in the US must note that some states are more active than others when it comes to data protection. For example, Massachusetts has very strong data protection regulations, and in 2019 it updated its data breach notification law to require companies to disclose whether they maintain the required comprehensive written information security plan (WISP) and the corresponding updates related to incidents.
In 2019, New York enhanced its data breach notification law to protect the security, integrity and confidentiality of private information. New York’s SHIELD Act, if implemented, will expand the administrative, technical and physical safeguards under the law.
Illinois’ Biometric Information Privacy Act (BIPA) is a unique state law regulating biometric usage, and it includes a provision for private individuals to recover damages for violations.
The California Consumer Privacy Act (CCPA) became effective on 1st January 2020, and this law is expected in future to force changes to data-driven business models and introduce a series of operational compliance procedures.
India
India is gradually shifting towards a data protection regime with a slew of regulatory developments. The amendment of the Information Technology Act in 2000 provides a right to compensation for improper disclosure of personal information. The Aadhaar Act, 2016 governs Aadhaar, the biometric-based unique identification number, which is one of the largest citizen databases in the world. In 2018, the Reserve Bank of India (RBI) issued a circular mandating that all payment system providers store payment data only in India.[5,6]
India is now in the final stage of framing its data protection regulation. The new Data Protection Bill may be significantly different from Europe’s GDPR, and companies will likely need to invest additional resources for data compliance under this law.
In the coming days, India will witness a multi-fold increase in data centre capacity to meet data storage and processing requirements. According to CRISIL research, India’s data centre industry is likely to witness a 25%-30% rise to $4.5-$5 billion by the fiscal year 2025 due to this additional future demand.
NITI Aayog is working on a data empowerment and protection architecture (DEPA) for the fintech sector, and released a draft framework for it in August 2020 with the aim of instituting a mechanism for secure, consent-based data sharing in the fintech sector. This will enable individuals to share their financial data securely across investors, tax collectors, banks, insurers, lenders, mutual fund houses and pension funds.
In 2020, the government rolled out a Health Data Management Policy (HDM) for the management and sharing of health data. The HDM policy mandates that data fiduciaries (similar to data controllers under GDPR) abide by the basic data protection principles, and establishes certain compliance requirements, including security practices and impact assessments. With the growing adoption of telemedicine, the HDM will play a significant role in protecting and governing data in the ecosystem pertaining to the medical and pharmaceutical industry.
The government is also in the final stage of setting up an e-commerce regulator, with a slew of regulatory proposals on the use of consumer data, violations, anti-piracy, cross-border data flows, and the sharing of source code, algorithms and other data with the Government.
These developments are not limited to the EU, US and India only; I have found similar regulations coming up in many countries and regions across the globe. For example, Roskomnadzor, the regulatory body in Russia, controls how companies fulfil their localisation duties in Russia, and can launch an off-site or on-site audit to check the place where databases are stored. Under the data localization laws in the UAE, personal data can be transferred to third parties inside and/or outside the UAE if the concerned person has consented in writing to such a transfer. Companies that work with regulated data in Vietnam should obtain consent before collecting, sharing, disclosing or transmitting personal data to a third party. In Saudi Arabia, data protection is primarily governed by the Cloud Computing Framework (CCF). Cloud customer information can be subject to different levels of information security, depending on the required level of preservation of the information’s confidentiality, integrity, and availability.[3]
This analysis shows how data localization comes in many forms: while some countries enact blanket bans on data transfers, many are sector-specific, covering personal, health, financial or e-commerce data. I can convincingly predict that regional differences in privacy laws are likely to increase in the coming days, and companies with global operations will have to embrace this complexity and ambiguity of compliance regimes to successfully run their businesses.
(To be continued …)
Based on research input by Manas Bairagi