Upcoming Data Privacy Laws

24‏/10‏/2024

Article by

Why Are Data Privacy Laws Important?

Data protection and privacy have become major global concerns in a world that is rapidly digitizing. Along with the rapid growth of technology, personal data is now increasingly collected, stored, and used on a massive scale. The recent increase in data breaches and scandals involving multinational corporations has clearly demonstrated a high demand for the enforcement of strong data protection laws. Regulators at all levels of government around the world have recognized the importance of protecting the data rights of their citizens, as global efforts now aim to strike the right balance between innovation and economic growth on one hand, and the protection of privacy and control over personal data on the other.

DPDPA

India's Digital Personal Data Protection Act, 2023 (DPDPA), focuses on protecting digital personal data and sets out clear principles, such as purpose limitation and collection limitation. This means that companies (data fiduciaries) can only collect personal data for specific purposes that are communicated and agreed upon by the individual (the data principal). The Act treats all personal data equally, without differentiating between types.

Features of DPDPA

Consent is key under the DPDPA. Data fiduciaries can process personal data only with explicit, informed consent, which can be withdrawn at any time (Section 6). They must ensure data accuracy, security, and deletion once it's no longer needed or if consent is withdrawn (Sections 4 and 5). Data breaches must be reported to both the Data Protection Board of India (DPB) and affected individuals. The Act also allows personal data transfers outside India unless restricted by government policy.

Individuals have rights to access, correct, and erase their data (Sections 11 and 12). They can also seek grievance redressal (Section 13) and nominate someone to act on their behalf (Section 14). While compensation is not provided for breaches, companies face penalties of up to INR 250 crores for violations, and the DPB can block services for repeated breaches. Some exemptions exist for state security, research, and startups.

Tools like GoTrust help companies comply with the DPDPA by simplifying Data Subject Request (DSR) management. GoTrust automates responses to requests for accessing, correcting, or erasing data, ensuring companies meet DPDPA obligations, avoid penalties, and respect individuals' rights. The Act will be enforced once the rules are published.

Upcoming & Recently Implemented International Laws

Montana Consumer Data Privacy Act (MTCDPA)

Enactment and Scope: The MTCDPA was enacted in 2023 and came into effect on October 1, 2024. It applies to data controllers managing the personal information of over 50,000 Montana residents. Certain businesses are exempt, such as those processing payment transaction data or controllers with more than 25,000 consumers who earn 25% or more of their revenue from selling personal data. No minimum revenue threshold is required for compliance.

Consumer Rights: Montana residents have key rights under the MTCDPA, which include:

  • Opting out of the sale of their data

  • Accessing their personal data

  • Correcting inaccurate data

  • Deleting their data

  • Transferring (porting) their data
    They are protected from discrimination when exercising these rights.

Exemptions: Entities exempt from the MTCDPA include government agencies, higher education institutions, nonprofits, organizations subject to the GLBA and HIPAA, and national securities associations.

Enforcement and Penalties: The MTCDPA does not specify fixed fines for violations but allows the Montana Attorney General to file legal actions in court. Businesses are granted a 60-day grace period to correct violations, which ends on April 1, 2026.

Saudi Arabia's Personal Data Protection Law (PDPL)

Enactment and Applicability: The PDPL was enacted in 2023 and gives businesses in Saudi Arabia (KSA) until September 14, 2024, to ensure compliance. It applies to all processing of personal data in KSA, including organizations outside KSA that handle data of Saudi residents.

Cross-Border Data Transfers: The PDPL provides detailed rules for cross-border data transfers. Transfers are allowed if they meet specific conditions, such as national security interests. Data can be sent to countries that offer adequate protection, or appropriate safeguards (e.g., contractual clauses or certifications) must be in place for countries lacking such protection. Risk assessments are required for large-scale or sensitive data transfers.

Consent and Legal Bases: Consent is central to the PDPL, and it can only be bypassed in certain legal scenarios, like "legitimate interest." However, this exception does not extend to sensitive data processing.

Penalties for Non-Compliance: Businesses face hefty penalties for failing to comply with the PDPL, making it crucial for them to align with the law's requirements by the specified deadline.

Conclusion

Data privacy laws are crucial for protecting personal information in today’s digital world, ensuring that sensitive details like identity and financial data are handled responsibly. They give individuals control over their data and help rebuild trust with businesses. Without strong privacy laws, risks like identity theft and fraud would increase. Laws like the MTCDPA and PDPL provide rights to access, correct, or delete data while enforcing stricter rules for businesses, especially regarding cross-border transfers. GoTrust helps companies manage data subject requests efficiently, ensuring compliance and maintaining customer trust.

FAQs

  1. Why are data privacy laws important?

    Data privacy laws are important because they help keep our personal information safe in a world where we share a lot of data online. With more companies collecting our data and some major breaches occurring, these laws ensure that we have control over our information and help build trust between us and the companies we interact with.

  2. What is the Digital Personal Data Protection Act (DPDPA) in India?

    The DPDPA, passed in 2023, is a law that protects our digital personal data in India. It requires companies to obtain our clear permission before using our data. The law gives us rights to access, correct, and delete our information and includes penalties for companies that don’t follow the rules.

  3. What are the main features of the Montana Consumer Data Privacy Act (MTCDPA)?

    The MTCDPA came into effect on October 1, 2024, and affects companies handling the personal information of more than 50,000 people in Montana. It grants individuals rights such as opting out of data sales and checking their data. Companies have 60 days to fix any problems before facing legal action.

  4. What does the Personal Data Protection Law (PDPL) in Saudi Arabia say?

    The PDPL, which took effect in 2023, sets rules for handling personal data in Saudi Arabia, including data from individuals outside the country. It focuses on obtaining consent from individuals and has rules for transferring data to other countries. Businesses must comply by September 14, 2024, or they could face substantial fines.