Canaan Bridges Consulting Inc. | Long Read
Listen to this article
One of the impacts of the fourth industrial revolution is the increased use of technology to
create or refine goods and services including to provide innovative means to access services. The transfer of large bodies of information, some of which are sensitive because of who or what they pertain to across business sectors and countries, means that without adequate safeguards, this information can be vulnerable to unauthorized uses and access. This can have an impact on how solid a connection there is between technology (as agents of innovation) and development policy. Our smartphones, online purchases, healthcare, banking, and insurance services often require us to share personal and sensitive information. How this information is recorded, stored, and the circumstances under which it is accessible and shared with third parties is one of the most topical issues in data rights conversations.
In recent years, several countries have developed or are updating their data laws. Data protection awareness also resonates with technology users. Technology users are increasingly concerned about how their sensitive information is handled by companies they do business with, and whether it’s being sold or used in an unauthorized way. Discussions about data protection and privacy may relate to: what should be safeguarded as sensitive data, the extent of safeguarding and control gatekeepers should have in relation to personal data, how cross-border data transfers should be dealt with, the role of third parties in data transfers, or even what constitutes personal data. Here are two foundational points that are essential to an understanding of data protection for users’ of technology:
Data Protection: A Definition
The term “data protection” refers to laws, policies, and/or rules about what information is collected, stored, shared, accessed, and used by others. Most data protection and privacy concerns arise in a commercial, or contractual context, but there are also moves by some jurisdictions to include charitable organizations as having an obligation to protect personal information that is disclosed to them. Data privacy concerns are likely to intensify as more companies carry out business on digital platforms. It is impossible to discuss data protection without talking about what type of data “protection” applies to or should apply to.
Personal data is personal information that relates to an identified or identifiable person. This
includes information that directly or indirectly identifies a natural person. Examples include
medical records, information about a person’s online shopping activities and behaviour and records relating to financial transactions. Newer technological innovations like the Metaverse also produce user generated data that may range from information about gaming habits, shopping habits to human personality behaviours. These dynamics raise concerns over how user data is generated and what uses are made with these information. Personal data is identifiable if it can be used to identify a person (such as an email address, home address, IP address, driver’s license number). The consumer data protection laws do not apply to company data. Companies are not natural persons. While companies have a legal personality, they are not human beings. However, if company data identifies information about a natural person, then the data would likely fall under the definition of personal information.
Nature of Data Protection: Users’ Right
Most data protection laws are guided by specific principles. There are several principles here: accountability, limited collection and use of personal info, meaningful consent, and identifying the purpose of using and disclosing data. As overarching principles, they are intended to frame how businesses or entities engage with consumers’ personal information. By far there is no harmonization of data protection laws. The extent of rights that consumers have over their data will differ across countries, depending on whether and the type of data protection law that exist, how much the law represent the interests of consumers, in particular, whether they are useful to address the concerns of consumers.
A more expansive and representative approach to data protection will hold users’ personal data as protected in other jurisdictions, that is, when the data crosses borders. In these situations, the onus is on both the company transferring the data to other countries, and the receiving party to have due diligence practices in place to protect the information being transferred or disclosed. Driving change at the business level then, can influence national outlooks on data rights. The rights users have over their personal information include the right to opt out the sale of their information to third parties, the right to withdraw consent, the right to request the personal data that the data controller or other parties have collected on them, the right for inaccurate data to be corrected, and the right to erase data. These rights do not exist in all countries. For example, in the United States, there is no stand alone law on data protection at the federal level. However, five states (California, Colorado, Connecticut, Utah and Virginia) have enacted legislation on data protection and privacy. California’s consumer protection act applies to businesses with annual gross revenues of over USD 25million. There is no similar threshold in Utah and Virginia’s Personal Privacy Information Acts. In Canada and the EU, no revenue threshold applies for data protection obligations to exist. Continued scrutiny and developments of data governance will increase in importance in most countries.
……………………………………..
To drive technological development in their economies, businesses and policymakers will likely need to place a keen emphasis on data protection.