Living life on your phone? Change is coming
The United States: The California Consumer Privacy Act
Following the withdrawal of a ballot initiative[8] that would have yielded much stricter protections, the California Consumer Privacy Act (CCPA) was passed by the state legislature in 2018, coming into force on 1 January 2020.
As with the GDPR, the CCPA was a dramatic step forward for consumer privacy not only within its own territory, but in adjacent jurisdictions, with many companies extending measures taken to comply with the CCPA across all their US operations.[9]
CCPA does not grant consumers the right to correct erroneous data, to object to or restrict processing, or to prevent automated decision-making. It also does not insist that firms have a 'legal basis' for collecting and using personal data or restrict the processing of held data in other countries, whereas GDPR places strict requirements around the conditions under which the data of EU nationals can be stored or processed offshore.
California was the first US state to institute such sweeping reform to privacy laws, and a number of others are now following suit. This has led to calls for overarching Federal legislation[10] to minimise the cost of compliance to US businesses, although a number of companies, including Microsoft and Apple, are instituting CCPA compliance across the country.[11]
|The 'eight rights' – key elements of the GDPR|
|Fundamental to the consumer protection elements of the GDPR are eight rights, many of which had not been formally established under previous regimes:|
Other initiatives to consider
A number of other jurisdictions are undertaking reform in the area of privacy and data protection.
Following the report of the recent Digital Platforms Inquiry, the Australian Government has committed to a review of the country’s Privacy Act,[12] intended to strengthen requirements around notification and consent, increase penalties for breaches, and allow a right of direct action for consumers whose privacy has been breached.
Brazil’s own version of the GDPR also comes into effect in 2020. The legislation largely mirrors its EU counterpart,[13] with further exemptions carved out for credit assessment and a somewhat less punitive schedule of penalties.
India also has a new Personal Data Protection Bill before Parliament, which is notable for mandating storage of information on local servers and raising concerns about the considerable latitude given to government agencies[14] under the pretext of national security and public order.
Despite the progress made over recent years to empower consumers in relation to the use of their personal information, it is likely that these reforms will be an ongoing process. Not every aspect of these measures has been straightforward to implement; data portability, in particular, is a work in progress for many jurisdictions.
In addition, despite the additional requirements around notification and consent, it is difficult to imagine that, given the volume and complexity of such information served to consumers on a daily basis, consent is truly informed and freely given. It is more likely that very few of us are reading each of these statements in detail, and that the average data subject is not significantly more informed about the ways in which their personal information is being used than was the case before these reforms were implemented.
Solutions to these issues may be more likely to come from the private sector than from government, and many tech companies are already staking out positions on privacy as part of their USP.[15] Under this paradigm, users place their trust in a brand to protect their right to privacy rather than understanding every detail as to how their data is used.
Regardless of whether the answer lies in regulation or in reputation, the 'wild west' era of unfettered use of online data is well and truly over, and as our lives become ever more connected it will be essential that consumers can be more confident of their rights in this space and the measures being taken to uphold them. People in their various capacities – as private citizens, company directors, business owners and the like – will not escape the far-reaching net of change.
|Exploring the GDPR's impact|
|Using a cross-section of consumers and organisations across 11 countries inside and outside the EU, Deloitte conducted a survey to gain insights into attitudes towards privacy six months on from the GDPR being enforced. Some observations included:|
[1] Gordon S. & Ram A. (2018), Information wars: How Europe became the world’s data police, Financial Times, 20 May 2018
[3] European Commission (2019), General Data Protection Regulation: one year on, Media Release, 22 May 2019
[4] Gordon S. & Ram A. (2018), Information wars: How Europe became the world’s data police, Financial Times, 20 May 2018
[11] California gets tough on data privacy breaches. The Australian, December 2019
[15] Yahoo Finance, Apple card privacy security. August 2019
While every care has been taken in the preparation of these articles, AMP Capital Investors Limited (ABN 59 001 777 591, AFSL 232497) makes no representation or warranty as to the accuracy or completeness of any statement in them including, without limitation, any forecasts. Past performance is not a reliable indicator of future performance. Performance goals are merely goals. There is no guarantee that the strategy will achieve that level of performance. The information in this document contains statements that are the author’s beliefs and/or opinions. Any beliefs and/or opinions shared are as at the date shown and are subject to change without notice. These articles have been prepared for the purpose of providing general information, without taking account of any particular investor’s objectives, financial situation or needs. They should not be construed as investment advice or investment recommendations. An investor should, before making any investment decisions, consider the appropriateness of the information in this document, and seek professional advice, having regard to the investor’s objectives, financial situation and needs. This document is solely for the use of the party to whom it is provided and must not be provided to any other person or entity without the express written consent of AMP Capital.