Data, Privacy and Practices Through Changing Times
-An event review-
This month, three of our qLegal volunteer students are reviewing an event they attended earlier this year. The event: ‘The Fundamentals of International Legal Business Practice Part 4: Data privacy’ was hosted by International Bar Association (IBA) on 11th February 2022. The organiser’s aims were to help attendees better appreciate data protection and current legal issues, and to structure a basic understanding of this complex topic. Scholars, policymakers, and judges contributed to the inspiring conversation.
Foreword: The increasing importance of cybersecurity and data security
Cybersecurity and data security are critical to society these days and have become a key concern for all countries. Recent global conflicts have heightened awareness of cyber warfare and the possibility of causing mass disruption by targeting critical online infrastructure such as government and banking websites.
Along with the rise of digital technologies such as big data and cloud computing, competition between countries has expanded from traditional areas to the digital space, and the European Union (EU) has begun to realise the enormous influence of digital services. At the legislative level, the EU has introduced a series of laws and policies such as the General Data Protection Regulation (GDPR), the Digital Service Act (DSA) and the Digital Market Act (DMA) to build up the EU’s “digital sovereignty”, strengthen the internal data infrastructure, protect the EU’s internal data, and enhance its strategic autonomy in the digital domain.
Five years after the GDPR, a movement of data protection has started all over the world. Legislation and policies related to data protection have evolved dramatically in many jurisdictions.
Event Review: The Fundamentals of International Legal Business Practice Part 4: Data privacy
The event convened moderator Satyajit Gupta, and speakers Sun Hee Kim, Hin Han Shum, Nehaa Chaudhari, and B N Srikrishna. This session focused on issues such as the harmonisation of privacy and data protection laws, the disclosure of uses of collected personal information, the fiduciary responsibilities of companies and processes for grievance redressal from three jurisdictions- Hong Kong, Korea, and India.
Data privacy in Hong Kong
Hin Han is a Hong Kong qualified lawyer and solicitor advocate practicing in the Technology, Media and Telecommunications (TMT) group at an international law firm. She introduced a data privacy regime that is modelled on the Organisation for Economic Cooperation and Development (OECD) guidelines that were issued in the 1980s. Although Hong Kong did have legislation of data protection for a long time, it is still not at the stage of the GDPR. As for now, Hong Kong is considering and updating its laws so that it can accurately match up with the GDPR and other jurisdictions around the world. She noted as an example that the definition of personal data needs to be updated.
Data privacy in Korea
Sun Hee Kim is a partner at Yulchon who focuses her practice on cybersecurity and data privacy matters, M&As and investments, particularly for companies and businesses that actively utilise personal data or big data. She introduced the Korean Data Privacy Law as discussed from the harmonisation perspective. The privacy law in Korea itself is famous for its strictness, but it is difficult for people to utilise legitimate interests like that. Sun Hee Kim, however, contends that many definitions in the Korean privacy law should be amended, like the data portability right.
Data privacy in India
Nehaa Chaudhari from India is an Equity partner at Ikigai Law and has been named as a ‘Leading Individual for Data’ by The Legal 500. Additionally, Nehaa has been recognised as a prominent TMT lawyer by Chambers & Partners. On the Indian front, Nehaa was supported by B N Srikrishna, a retired judge of the Supreme Court of India who has been a pioneer in the drafting of a bill for data protection. At present, B N Srikrishna is the chairperson of the Financial Sector Legislative Reforms Commission (FSLRC) and works as an independent arbitrator. The two speakers provided the audience with a flavour of data protection and its legislation from an Indian perspective.
They claimed that India may not have enacted legislation regarding data protection, but comprehensive efforts are being undertaken to legislate a Personal Data Protection Bill (DPB) that will encompass various concepts of data privacy. With the active recognition that the right to privacy is like any other fundamental right, data protection has taken centerstage in India with comprehensive initiatives to enforce the same via the DPB.
The different approaches taken to data protection
Different jurisdictions have different policies and legislations, therefore the speakers shared insights into how each jurisdiction governs its disclosure and use of personal data, and the collection of personal data.
From the Korean perspective, there are several grey areas. Policymakers have introduced a new provision to protect the consumers where the platform operator would have to collect the contact information of the seller. Sun Hee Kim believes data localisation requirements, especially in the financial sector, but also in other sectors, can hurt the industry.
Since India is still in the process of finalising what its specific data protection legislation should look like, there has been a shift in the last couple of years surrounding the general concept of data protection. The overall aim, however, is that both personal and non-personal data should be regulated. Since personal data is best suited to supervision by a single regulator, the government hopes of framing a regulation that sits well within the parent regulation and not the Personal Data Protection Act.
In terms of data localisation control, India shares a similar experience with Korea. Nehaa Chaudhari and B N Srikrishna discussed the issue concerning data localisation control since bringing back data into India is vital for privacy advocates and members of civil society. The issue of data localisation is particularly pressing for international companies operating in India.
For Hong Kong, regulation is much more durable than the GDPR. Speaker Hin Han concluded the data collection regime in Hong Kong includes five data protection principles. The most important principle is, however, to ensure that victims are protected and are appropriately compensated if necessary.
The role and responsibilities of companies when it comes to data protection.
The speakers also shed light on the specific role and responsibilities of companies when it comes to personal data protection. There was a general consensus that companies are supposed to only use the data stored for the purposes for which it was obtained, thereby ensuring that the data protection principle is complied with. Transparency is thus key with the requirement that consent is needed for obtaining any new data along with the adoption of technical and operational safeguards.
For Hong Kong, any breach by the company could result in the allocation of an enforcement notice which sets out conditions for what must be rectified. If there is a further breach, then a fine could be set out at 1 million Hong Kong Dollars along with the possibility of imprisonment. Further, compensation could also be sought but would be subject to a duty of care for the breach of contract.
In India, the lack of specific legislation around data protection has not prevented comprehensive measures to enforce responsibility on behalf of companies. At present, data continues to be protected under the rules of the Information Technology Act (ITA).
Correspondingly, a breach could result in the imposition of an exorbitant fine with the possibility to claim administrative action. Such action could result in the appointment of an adjudicating officer who would decide the level of the breach on several factors based on the individual case concerned. Nehaa Chaudhari also noted that criminal penalty is slowly finding its way as a method of compensation, although limited.
In Korea, however, there are additional specific measures that need to be complied with for enforcing the same, and a breach could result in administrative and criminal penalty even without a causal relationship. Furthermore, special officers are being appointed to assess the breach and how much compensation should be provided. There is also the possibility of criminal penalty, which can be instituted by the Data Protection Authority if there is repeated flout on several occasions. Sun Hee Kim thus claims that the Korean data protection law is one of the strictest in the world.
The speakers concluded the webinar by upholding the theme that data protection continues to remain an important contemporary topic that is likely to witness added reforms owing to continuous developments in various sectors. It is also an area where sovereignty becomes important with the view that each jurisdiction will adjudicate on different mechanisms to enforce data protection, whether it be personal or non-personal. A futuristic outlook may also pave the way for an international agreement on data protection that could ensure a level playing field.
** This article was written by Yuan Zhong, Libing Yan, Intellectual Property Law LLM and Archana Nair, Energy and Natural Resources LLM Candidates and members of the qLegal Public Legal Education Team at Queen Mary University of London. This article is a write up of a webinar. It does not constitute legal advice and should not be relied upon as a source of legal advice. **
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
qLegal provides pro bono legal advice and legal education to start-ups and entrepreneurs on intellectual property, data protection, corporate and commercial law. See the qLegal website (http://www.qlegal.qmul.ac.uk/) for more details and to book your appointment now. Follow us on Twitter and LinkedIn for regular updates on issues relevant to your business.