Study On Data Protection Law And Business Growth: International Perspective


Introduction

Life without computers and smartphones is not possible in the current digital era. Whether it is to pay the electricity bill, shop for groceries online, or do official work, computers and the internet are needed to work efficiently and effectively. We communicate with different countries within a few seconds with the help of the internet and electronic devices. Whether personal or official, we communicate by sending data as text, pictures, videos, etc., and every second a massive amount of data is uploaded and downloaded globally via the World Wide Web.

With the help of these devices, our daily work is handled effectively, efficiently, and speedily, but we remain unaware of the significance of data breaches, data protection, and data privacy until we suffer a serious breach with financial or reputational losses. When hackers compromise a company server or website, all of the company’s digital assets are at significant risk. Consumers’ data stored by the company will also be at risk, and those consumers will face irreparable loss.

While we are pleased about the digital revolution and evolution, we are not cautious about the consequences of data breaches or mindful of the importance of data privacy and protection. We spread our business globally, but do we have an internationally binding governing law to protect consumers globally? If yes, how far are we protected? If not, what remedies are available under domestic laws?

Understanding Data Protection and Data Privacy

As we all know, the primary legal and regulatory issues related to data are cybercrime and data breaches, trademarks, patents, copyright, licensing, intellectual property rights, trans-border data flow, and privacy. Data is nothing but information, whereas personal data means personal information which is not available in the public domain. Personal data privacy means information privacy while handling, processing, and storing customers’ data. It is the confidentiality of sensitive customer data stored on endpoints. Data security is the set of methods and policies used to secure personal data from any breach. Data security is a prerequisite for data privacy. Failure to protect data leads to severe risks such as financial risk, reputational risk, strategic risk, and legal compliance risk.

Effective information security rests on three principles: confidentiality, where the information is not disclosed to any unauthorized person; integrity, where the data is modified only by an authorized person; and availability, where the authorized person or the data principal is granted access to the information wherever required.

In this digital era, economic growth is based on uninterrupted international transactions. To perform cross-border transactions successfully, data security and personal data privacy protection are considered essential. Therefore, personal data privacy laws and legal compliance play a significant role in uninterrupted, effective digital business transactions on national as well as international platforms. Legal compliance must be effective enough to protect data and personal data from a breach, yet efficient enough to let business transactions proceed effortlessly. Business-friendly legal compliance is extremely important for promoting cross-border digital business transactions.

Data Protection Law and its Global Evolvement

US Data Protection Laws

The United States’ main data protection priority is sensitive data such as health information, financial information, and the online privacy of children under 13 and 18 years of age. Some of the major United States federal data privacy and security laws include the CAN-SPAM Act, the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Section 5 of the Federal Trade Commission Act (FTC Act), the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA), the Video Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Privacy Act of 1947.

State laws establish data privacy and security requirements for the protection of Social Security numbers, financial account numbers, health/medical data, and other sensitive personal data. Some of the state data privacy and security laws include California privacy laws (e.g., the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA)), the New York Privacy Act 2021, and the Delaware Online Privacy and Protection Act (DOPPA), which applies to companies targeting children under the age of 18 in Delaware.

As we can see, data privacy law and its implementation procedures are developing, mainly in the penal provisions. The civil penalty under the California Consumer Privacy Act 2018 (CCPA) is up to $7,500 per intentional violation and up to $2,500 per unintentional violation. The penalty under the New York Privacy Act 2021 is up to $15,000 per violation. The NY SHIELD (Stop Hacks and Improve Electronic Data Security) Act is also an important Act; it requires businesses to adopt security programs to reduce the risk of a data breach. If an organization fails to implement a compliant information security program, it can face injunctive relief and civil penalties of up to $5,000 per violation.

UK Data Protection Laws

The General Data Protection Regulation (GDPR) is the major data privacy regulation governing EU countries. It came into effect on 25 May 2018. It consists of 99 Articles in 11 Chapters over 260 pages, and it applies to all EU member states. The aim of this regulation is to promote digital business, the proper processing of personal data, the free movement of such data, and the availability of the data whenever required. It is governed by the European Union Data Protection Board and guards the personal data of its citizens. GDPR applies not only to entities established in the EU but also to entities established outside the EU that offer goods/services to individuals in the EU or monitor them.

The rights of data subjects under GDPR are the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and rights in relation to automated decision making and profiling. These rights of data subjects are not absolute. The data protection principles must be followed by those who handle, control, and process personal data, and the data must be used for lawful purposes with transparency and fairness.

The supervisory authorities can impose fines for breach of and non-compliance with the GDPR, which may go up to 4% of the total worldwide turnover of the preceding year or GBP 17.5 million. Fines may also be up to GBP 8.7 million or, in the case of an undertaking, up to 2% of the total worldwide turnover of the preceding year.[1]

India Data Protection Laws

India does not have a comprehensive data privacy law yet. India is in the process of implementing more effective personal data protection laws: the Personal Data Bill 2018 / Data Protection Act 2019 was withdrawn recently, and the Digital Personal Data Protection Bill, 2022 has been initiated with high penalties for breach of personal data and non-compliance with the said Act. Apart from the above, data privacy and protection are governed by some major Acts and rules, such as the IT (Reasonable Security Practices and Procedures) Rules 2011 of the IT Act 2000[2] and the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules).[3] The Data Security Council of India (DSCI) is a not-for-profit industry body on data protection in India, set up by NASSCOM and committed to making cyberspace safe and secure.

Impact of Data Protection on Business Growth

The impact of data protection on business growth is visible from some of the major judgments and fines imposed by government enforcement agencies in countries throughout the world. The business impacts include financial, operational, compliance, and reputational impacts. Some of the important data privacy breaches are as follows:

Capital One Data Breach

In August 2019, a massive data breach at the financial company Capital One, Virginia, U.S., exposed the personal information of approximately 106 million people. The Office of the Comptroller of the Currency imposed a huge fine of nearly $80 million for the bank’s failure to secure its data in the cloud. The data were in the Amazon cloud, and the sensitive data breached included credit card and bank account numbers, along with addresses, names, telephone numbers, ages, and Social Security numbers.[4]

Paige Thompson, a former employee of Amazon Web Services, was involved in the data breach. She shared information about her activities on the internet and uploaded stolen information to GitHub. She took advantage of a firewall misconfiguration, and the data was stolen from an AWS S3 bucket, yet the AWS system itself was not compromised. It clearly shows that the cloud security control configuration was set to public instead of private.

United States v. Microsoft Corporation (2018)

This case deals with the data privacy of an individual set against a threat to national security. The question is whether the federal government has the power to serve warrants on Microsoft to produce the sensitive personal data of an individual when there is a threat to national security, especially when the data is stored on foreign soil.

In this case, Microsoft was served a warrant by the federal government under 18 U.S.C. § 2703 of the Stored Communications Act, Title II of the Electronic Communication Privacy Act of 1986 (ECPA), requiring the email records of an individual suspected of involvement in illegal drug trafficking. Microsoft, on the other hand, contended that the data was stored in its Dublin, Ireland, data center and that the warrant should be quashed. Meanwhile, in March 2018, President Trump’s administration passed the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which permits foreign partners to enter into bilateral agreements for mutual legal assistance requests; based on such an agreement, data held on foreign soil can be retrieved for extraterritorial law enforcement. Under the new Act, a fresh warrant was served on Microsoft to furnish the details of the suspected email account. This case shows that national security supersedes data privacy laws.[5]

Zoom Credentials & Dark web

In April 2020, there was distressing news that 5,00,000 Zoom credentials were available for sale on dark web crime forums.[6]

Rocky Mountain Bank v. Google (2011)[7]

In this case, Rocky Mountain Bank sued Google to disclose the information of an employee who is a Gmail user and had mistakenly sent an electronic mail to an unknown Gmail user with an attached file containing sensitive data of more than 1000 customers of the Rocky Mountain Bank. The sensitive data also included Social Security account numbers. Based on the bank’s submission, the trial judge granted a temporary restraining order in favor of the bank, with complete relief: Google should furnish all the information, take the necessary steps to remove the missent data, and produce a compliance report to the court.

The major issue here was the compliance report. Google said that a compliance report furnished to the court would come under public view, which is against Google’s privacy policy, as the report contains all the sensitive data. Meanwhile, Public Citizen filed a motion on behalf of Media Post Communications against the non-compliance motion of Google.

The appellate court remanded the matter to the trial court, stating that, by using a special protocol such as a data redaction process, the sensitive identifiable data must be removed from the document and the document made available to the public, as the compliance report is a judicial document.

NIC (National Informatics Centre) Computers Security Breach

In this incident, sensitive data relating to Indian national security, including data of the Prime Minister, Indian citizens, and senior government functionaries, was breached.[8]

Conclusion

A WhatsApp data breach saw nearly 500 million user records put up for sale, including records from India. More than 32 million of the leaked records are said to be from users in the US, with 11 million from UK users, and others from Egypt (45 million), Saudi Arabia (29 million), Italy (35 million), France (20 million), Turkey (20 million), and Russia (10 million).[9] Farrer Park Hospital was fined $58k over leaked patient data and medical records.[10] There was a data breach at Disability Services of the Southwest, a healthcare company.[11] Local authorities are among the top offenders for data breaches across the UK, a new analysis has revealed.[12]

The above are some current examples of data breaches, which clearly show the failure of data privacy laws and their implementation procedures throughout the world. Even after the establishment of ISO (International Organization for Standardization) certification standards, cyber security management requirements, and legal compliance protocols, we still lack complete protection from sensitive data breaches. Data protection and privacy laws are not effective enough to protect data and sensitive personal data despite having high penal provisions. We call our era the digital era, where the promotion of international digital business growth is the primary goal, but we are not efficient enough to protect the sensitive personal data of consumers. This diminishes not only digital business growth but also cross-border transactions. Even after reasonable progress in data protection and privacy law, we still have a long way to go.

References




[1] Enforcement (2021) Enforcement in United Kingdom – DLA Piper Global Data Protection Laws of the World. Available at: https://www.dlapiperdataprotection.com/index.html?t=enforcement&c=GB (Accessed: November 28, 2022).

[2] Indian – Computer Emergency Response Team (no date). Available at: https://www.cert-in.org.in/PDF/G.S.R_20(E).pdf (Accessed: November 27, 2022).

[3] (2022) Data Security Council of India (DSCI). Available at: https://www.dsci.in/#:~:text=Data%20Security%20Council%20of%20India%20%28DSCI%29%2C%20is%20a,standards%20and%20initiatives%20in%20cyber%20security%20and%20privacy (Accessed: November 28, 2022).

 

[4] Enforcement actions (2019) OCC. Available at: https://occ.gov/topics/laws-and-regulations/enforcement-actions/index-enforcement-actions.html (Accessed: November 28, 2022).

[5] U.S.C. title 18 – crimes and criminal procedure. Available at: https://www.govinfo.gov/content/pkg/USCODE-2010-title18/html/USCODE-2010-title18-partI-chap121.htm (Accessed: November 28, 2022).

[6] Sheth, H. (2020) Hackers are selling over 5,00,000 zoom credentials on the dark web: Report, The Hindu BusinessLine. Available at: https://www.thehindubusinessline.com/info-tech/hackers-are-selling-over-500000-zoom-credentials-on-the-dark-web-report/article31346746.ece (Accessed: November 28, 2022).

[7] Rocky Mountain Bank v. Google, inc.. Legal research tools from Casetext. (2011, April 15). Retrieved November 28, 2022, from https://casetext.com/case/rocky-mountain-bank-v-google-inc

 

[8] Sengar, M.S. and Srinivasan, C. (2020) Security of government computers breached, e-mail traced to Bengaluru, NDTV.com. NDTV. Available at: https://www.ndtv.com/india-news/nic-computers-security-breach-security-of-government-computers-breached-e-mail-traced-to-bengaluru-2297311 (Accessed: November 28, 2022).

[9] Hale, C. (2022) WhatsApp data breach sees nearly 500 million user records up for sale, MSN. Available at: https://www.msn.com/en-gb/money/technology/whatsapp-data-breach-sees-nearly-500-million-user-records-up-for-sale/ar-AA14yRG5 (Accessed: November 28, 2022).

[10] Cue (2022) Farrer Park Hospital fined $58K over leaked patient data, medical records, The Straits Times. Available at: https://www.straitstimes.com/tech/farrer-park-hospital-fined-58k-for-leaking-patient-data-medical-records (Accessed: November 28, 2022).

[11] Disability Services of the Southwest (no date) DSSW locations. Available at: https://www.dsswtx.org/breachnotification.aspx (Accessed: November 28, 2022).

[12] Eichler, W. (2022) Your authority on UK Local Government – councils among top five offenders for data breaches, LocalGov.co.uk – Your authority on UK local government masthead. Available at: https://www.localgov.co.uk/Councils-among-top-five-offenders-for-data-breaches-/55187 (Accessed: November 28, 2022).

 
