Quantar Blog

The regulations that may apply to your company

News & Events

Companies globally are facing increasing business challenges posed by emerging data protection laws

We live today in a global digital economy that is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. With this immense growth comes a requirement for public confidence in the ability of nation state governments to protect this information. Complying with increasing data protection laws requires significant time and effort, but there are positive implications to such regulations.

The Challenge

As more countries implement data protection laws, coupled with increasingly onerous limitations on the use, storage and transmission of data, the risk of regulatory prosecution increases. Managing these shifts in the legal environment is not simply a task for a legal team or the DPO, since business processes change and systems are increasingly sophisticated in the way they acquire and process data.

The Solution

Increasing litigation and a growing number of opportunities to fall foul of a country’s data protection regulations create the need for a dedicated activity within your GDPR program. A method labelled environmental scanning can be used to analyse the trends across a large number of data-related laws and to create a common taxonomy of their provisions.

Using this as a baseline within your organization can assist in forecasting what the frameworks focus on – many already draw heavily upon the GDPR in their format, definitions, requirements and penalties. There is a clear common emphasis across existing and draft regulations, and plotting these against business processes and data flows will make it more apparent which will require new impact assessments and which can be labelled with a lower priority, freeing up resources and budgets for managing the high-risk areas.

The Regulations that May Affect Your Business

The summaries of international regulations listed below are intended solely as indicative provisions that may impact your business and in no way represent the full and detailed extent of the regulations per country.

United States of America: On Jan. 1, 2020, the new California Consumer Privacy Act (CCPA) went into effect; it takes a broader view than the GDPR of what constitutes private data. The California law also takes a broader approach to what constitutes sensitive data than the GDPR. For example, olfactory information is covered, as well as browsing history and records of a visitor’s interactions with a website or application.

China: A detailed national standard known as the Personal Information Security Specification (the PI Security Specification) entered into effect on 1 May 2018. This non-binding guideline contains detailed requirements on data handling and data protection. It imposes data privacy obligations on network operators and applies to all organisations in China that provide services over the internet or another information network. Additionally, under the Administrative Provisions on Information Services of Mobile Internet Application Programs (effective 28 June 2016), app providers must clearly indicate to customers if they are collecting geolocation data, accessing address books on their smartphones, making use of cameras, activating audio recording, or using other such functions, and must obtain the user’s unforced consent. The Provisions also prohibit the activation of functions unrelated to the service.

Singapore: The Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”) establishes a general data protection law which applies to all private sector organisations. It sets out obligations of organisations in respect of the collection, use, disclosure, access, correction, care, protection, retention, and transfer of personal data (including transfers of personal data out of Singapore). Additionally, the Spam Control Act (Cap. 311A) (“SCA”) regulates the bulk sending of unsolicited commercial electronic messages to email addresses or mobile telephone numbers. The PDPA applies to all organisations which are not a public agency, or acting on behalf of a public agency, whether or not they are formed or recognised under the laws of Singapore, or resident or having an office or a place of business in Singapore.

India: The Indian government finally introduced its Personal Data Protection Bill in Parliament on Dec. 11, 2019, after more than two years of fierce debate on the bill’s provisions. The country is seeking to develop a comprehensive data governance framework that would affect virtually any company attempting to do business in India. Many of the consent-related provisions in India’s data protection bill sound quite similar to those enshrined in the European Union’s General Data Protection Regulation (GDPR). A major difference, though, is the bid to regulate social media corporations, with the bill proposing the creation of a special class of significant “data fiduciaries” known as “social media intermediaries.” These are defined as entities whose primary purpose is enabling online interaction among users. Further, the legislation requires that certain types of data must be stored in India. “Critical personal data” must be stored and processed only in India. “Sensitive personal information” must be stored within India, but can be copied elsewhere provided certain conditions are met.

Thailand: The Personal Data Protection Act, or the PDPA, is a prescriptive and detailed data security regime that sets high standards for protecting personal information. It grants individuals greater rights over how their data is collected and used and equips the regulators with the power to impose heavy fines on companies for non-compliance. The PDPA is modeled after the General Data Protection Regulation (679/2016/EU).