Data Protections Have Entered the Chat: A Round-Up of 2022 Legal Changes
Social and economic online activity has rocketed to sky-high levels over the past three decades, with an estimated 5 billion people now using the internet. New viewership and participation continue to grow as well: on any given day over the past five years, an average of 640,000 people went online for the very first time. Users are constantly accessing and generating data at record levels, so what are governments doing to protect their citizens' and consumers' personal data?
The German state of Hesse enacted the world's first data protection law in 1970. Since then, 137 out of 194 countries have adopted some form of legislation to protect data and privacy within their borders. Gartner® reports that by 2023, over 65% of the world's population will have its personal data covered by modern privacy regulations.
Here’s a round-up of important global data protection changes enacted during 2022.
1. Europe Updates Standard Contractual Clauses under GDPR
The General Data Protection Regulation (GDPR) is one of the most comprehensive data protection regulations in the world. It applies extraterritorially: organizations outside the EU that offer goods or services to people in the EU, or monitor their behaviour, must comply with it just as EU-based organizations do, so any organization seeking to work with European companies or users must meet its requirements.
Standard contractual clauses (SCCs) are Commission-approved contract terms that provide the "appropriate safeguards" the GDPR requires for transfers of personal data from the EU to third countries that lack an adequacy decision. The European Commission adopted modernized SCCs in June 2021 and repealed the old sets as of September 27th, 2021. The key requirements are:
- Businesses must use updated SCCs for all new contracts and processing activities entered into as of September 27th, 2021.
- Businesses must migrate all contracts entered into before September 27th, 2021, that use old SCCs into updated SCCs by December 27th, 2022.
- Data importers must commit to disclosing personal data to third parties outside the European Economic Area only where the recipient is or agrees to be bound by these clauses, other appropriate safeguards are in place, or a specific derogation applies.
- Additional parties may join an existing set of SCCs under a "docking clause," which avoids re-papering the whole arrangement when, for example, a newly acquired group company needs to be covered.
2. Japan Amends The Act on The Protection of Personal Information
Japan's Act on the Protection of Personal Information (APPI) was originally passed in 2003, making it one of the earliest privacy and data protection laws. Its most recent amendment, which took full effect on April 1st, 2022, focuses on tighter regulation of cross-border data transfers, opt-in consent, and new categories of information regulated under the law. The changes include:
- Businesses that transfer personal information to third-party vendors overseas must ensure that the third party complies with safeguards and measures, including notice to the individual.
- Opt-in consent notifications must be effective and operative, meaning businesses must provide comprehensive information regarding transfers, safeguards, and maintenance for the protection of personal information.
- The implementation of “Personal related information” as a category, which includes any information related to an individual that does not fall within the scope of personal information, pseudonymous information, or anonymous information.
- Businesses must promptly report data breaches to the Personal Information Protection Commission, and notify affected individuals, if the breach involves sensitive information, information whose leak could result in significant economic loss, or information obtained through unjust means.
3. Kenya Updates 2019 Data Protection Act
Kenya's Data Protection Act of 2019 sets out data subject rights, principles of data processing, and obligations relating to data transfers, direct marketing, and breach notification. Additional sector-specific legislation addresses data protection in key areas such as the IT and communications industry, the health sector, and the financial sector. The regulations issued under the Act, which came into effect in February 2022, include:
- The Complaints Handling Procedure and Enforcement Regulations, which provide for fair, impartial, and expeditious investigation and hearing of complaints.
- The Registration of Data Controllers and Data Processors Regulations, which set out the procedures and requirements for registering data controllers and processors in Kenya.
4. Eswatini Implements The Data Protection Act No. 5 of 2022
Eswatini's first comprehensive privacy legislation governs the collection, processing, and disclosure of personal data. It establishes foundational data subject rights, such as the right to access and correct personal information, and sets strict requirements on retention periods and data security, alongside general provisions on unsolicited electronic communications and automated decision-making.
5. Thailand’s Personal Data Protection Act Comes into Force
Thailand's Personal Data Protection Act was enacted in 2019 with a one-year grace period for covered organizations. As a result of the COVID-19 pandemic, however, the Thai government issued royal decrees postponing full enforcement, most recently to June 1st, 2022. Much like the GDPR, the PDPA applies both to entities in Thailand and to entities abroad that process personal data in connection with offering products or services in Thailand. Its requirements include:
- Data controllers and processors must have a valid legal basis for processing personal data.
- If personal data includes sensitive personal data (such as health data, race, religion, sexual preference, criminal record, or biometric data), data controllers and processors must ensure data subjects grant explicit consent for the collection, use, or disclosure of data.
- Data subjects must be guaranteed foundational data rights, such as the right to be informed; to access, rectify, and update their data; to restrict or object to processing; and to erasure and portability.
How could new privacy regulations impact your organization?
New and updated privacy regulations are necessary to protect sensitive consumer data, but they create a series of moving compliance targets for your organization. Navigating local, state, federal, and international rules can give your legal team (or your entire organization) quite a headache, and the safest-looking response, locking sensitive data away unused, leaves critical information delivering no value. Compliance is also costly: industry spending on it is estimated at $270 billion per year, and 87% of business leaders expect their compliance investment to increase over the next three years.
The rise in internet usage, data creation, data analysis, and machine learning offers golden opportunities for innovation across sectors, including healthcare and financial services. It is more important than ever for organizations to harness the value of sensitive data for novel solutions without compromising the privacy rights of individuals around the world.
What is the TripleBlind Solution?
The TripleBlind Solution addresses regulatory compliance with privacy-enhancing technology. It enables data collaboration without transmitting the underlying data, so regulated data can be used in analysis while supporting obligations under regulations such as the GDPR or HIPAA. By one-way encrypting private data and never decrypting it, the TripleBlind Solution offers a fast, secure, and simplified approach to data analysis, machine learning, and neural network training on sensitive information. As with any privacy-enhancing technology, the controller remains responsible for establishing a lawful basis and the other obligations these laws impose; the technology reduces what leaves your control rather than replacing that analysis.
With privacy-enhancing computation, TripleBlind provides robust, sustainable ways to analyze, pool, process, or collaborate on data. Imagine if your organization could develop new pharmaceuticals at a fraction of the cost, drastically reduce credit card fraud, or simply analyze regulated data held in legacy systems. As the data economy grows, so will the use cases for our complete and scalable technology, and we would love to connect with your organization to foster innovation for the future.
To learn more about the TripleBlind Solution, schedule a demo with us or download our whitepaper.