20,000. That was the approximate number of public suggestions the Indian government received in May over its crucial data privacy regulation.
What is appalling is that the suggestions come from a country where the traditional PC market reached a total of 14.9 million units in 2022, including desktops, notebooks, and workstations.
The draft of the digital data protection bill was shared in November 2022, and since then, it has become a subject of controversy due to certain provisions that granted the government exemptions from privacy protections.
This move raised eyebrows and clashed with the 2017 Supreme Court judgment that recognized privacy as a fundamental right for individuals.
Even with that kind of debate and bad press, 20,000 comes across as an abysmally low number of responses. And it’s a global phenomenon.
While people express concerns about their online privacy, they often fail to take action to safeguard it, said a report by researchers Ivano Bongiovanni, Karen Renaud, and Noura Aleisa.
This paradox is particularly evident in the context of Internet of Things (IoT) devices, which are projected to reach 75.44 billion globally by 2025, said the report.
In an experiment involving IoT devices, participants showed initial privacy concerns but did not align their behavior with those concerns. Even after evidence of privacy violations, many participants continued using the devices, the researchers reported.
Raising awareness goes a long way in helping people understand the need for privacy laws.
Firstly, education and information dissemination are key. By providing clear and accessible resources about privacy laws, their purpose, and the risks associated with privacy violations, individuals can better grasp why such laws are crucial. Real-life examples of privacy breaches can also be shared to make the importance of privacy laws more tangible.
Secondly, empowering individuals and highlighting the benefits of privacy laws are important aspects of awareness campaigns. By understanding their rights and the protections offered by privacy laws, people can make informed decisions about their personal information.
Collaboration among government bodies, industry leaders, and privacy advocates is vital in raising awareness and promoting responsible data practices. Public discussions and debates provide platforms for individuals to voice concerns and learn from experts.
Here are some of the ongoing and upcoming regulations of the year 2023, aggregated by The Cyber Express:
Digital Personal Data Protection Bill, India
In August 2022, the Indian government withdrew the Personal Data Protection Bill, 2019, due to public consultation recommendations. It was replaced by the Digital Personal Data Protection Bill, released on November 18, 2022.
This Bill is part of a series of legislations that includes IT rules, the National Data Governance Framework Policy, and a new Digital India Act. In all likelihood, the Bill will become an Act this year.
The bill covers digitized data, provides itemized notice in English or other languages specified in the Indian constitution, and imposes penalties of up to INR 500 crores (more than $60 million) for non-compliance.
It introduces provisions such as deemed consent and the right to nominate as a data subject, while obligations like data localization and privacy by design are currently omitted. The bill sets the stage for India’s data protection regime, promoting digital data usage by organizations.
“Overall, this bill provides greater emphasis and encourages organizations to digitize personal data. Additionally, it is an important and significant start for data protection regime in India,” said a KPMG assessment report.
Data Privacy Regulations in the United States
The year 2023 saw the United States witnessing a wave of comprehensive data privacy regulations, as evidenced by the recent enactments in various states.
While the official line is that these laws aim to strengthen consumer privacy rights, establish business obligations, and enhance data protection measures, the Big Tech has criticised them for being too stifling, while privacy activists lament that they are too lenient.
Here are the details of data privacy regulations enacted this year in various states.
Montana Consumer Data Privacy Act:
Montana recently became the ninth US state to enact a comprehensive data privacy law. The Montana Consumer Data Privacy Act, signed into law by Governor Greg Gianforte, will come into effect on October 1, 2024.
This law aims to safeguard consumer data by granting individuals certain rights, such as the right to know what personal information is being collected and shared, the right to opt-out of data sales, and the right to request the deletion of personal information.
Coincidentally, Montana was the first state to pass a Bill banning TikTok on privacy concerns.
“According to the bill, TikTok also gathers essential user information and could share it with foreign states. The state of Montana also believes that TikTok fails to remove content that promotes dangerous behavior,” said a Panda Security assessment of the Bill.
“The bill also expresses fears that the app could let China conduct corporate and international espionage that includes tracking adversaries of the Chinese Communist Party, including political figures, journalists, dissidents, etc.”
Tennessee Information Protection Act (TIPA):
On May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act (TIPA) into law following its unanimous passage in both houses of the Tennessee legislature.
The law aligns with similar regulations in other states, providing individuals with greater control over their personal information. Under the TIPA, businesses must implement reasonable security measures to protect sensitive data and notify individuals in the event of a data breach.
The Tennessee Information Protection Act (TIPA) has specific criteria for its applicability. It applies to businesses that have annual revenue exceeding $25 million and either control or process personal information of at least 25,000 consumers while deriving over 50% of their gross revenue from the sale of personal information.
Alternatively, it applies to businesses that control or process personal information of at least 175,000 consumers during a calendar year. The term “consumer” refers to a natural person residing in Tennessee who is acting in a personal context, excluding commercial or employment-related activities.
The application thresholds described above are significantly narrower than those in most other state privacy laws, noted US law firm DavisWright Treamine.
“The Virginia law, for example, applies to businesses that control or process personal data of 25,000 Virginia residents and derive over 50 percent of gross annual revenue from the sale of personal data, or that control or process the personal data of 100,000 Virginia residents in a calendar year,” it said.
“TIPA increases the second threshold to 175,000 residents and, following the Utah privacy law, adds that a business must have at least $25 million in annual revenue to be covered.”
California Privacy Rights Act Regulations (CPRA):
The California Privacy Rights Act (CPRA), which took effect on 1 January 2023, has gained attention for its comprehensive approach to privacy protection.
The recently issued CPRA Regulations provide further guidance on implementing the California Consumer Privacy Act (CCPA). These regulations offer clarity on various aspects, including the definitions of key terms, consumer rights, and business obligations related to data privacy practices.
“Under the CCPA, unless an exception applies, a transfer of personal information to a third party for monetary or other valuable consideration constitutes a “sale” and requires the business to provide the consumer with notice of that sale and provide the consumer with the right to opt out,” observed California-based law firm Atkinson, Andelson, Loya, Ruud & Romo.
“Transfers to “service providers” do not trigger the right to opt out,” the report said.
Indiana Data Privacy Law:
Following the examples set by privacy laws in Colorado, Connecticut, and Virginia, the Indiana Consumer Data Protection Act was signed into law on May 1, 2023. This new legislation establishes rights and obligations for data protection in Indiana.
Scheduled to take effect on January 1, 2026, this law grants consumers the right to access, correct, and delete their personal information held by businesses. It also establishes requirements for businesses to secure consumer data and notify individuals in case of data breaches.
Unlike states such as Virginia, the Indiana Data Privacy Law does not have a revenue threshold for entities to be subject to privacy obligations, noted global legal service firm White & Case.
“In addition, the Indiana Data Privacy Law does not apply to government entities, nonprofits, HIPAA-covered entities and business associates, higher educational institutions (public or private), and Gramm-Leach-Bliley Act-regulated entities and data,” the White & Case report said.
“The Indiana Data Privacy Law also does not apply to certain classes of data including health records, scientific research data, consumer credit-reporting data, data regulated by the Family Educational Rights and Privacy Act or federal Farm Credit Act, and employment-related information.”
Iowa Data Privacy Law:
Iowa enacted the Iowa Data Privacy Law, which will become effective on January 1, 2025.
This law brings Iowa in line with other states in establishing consumer privacy rights and imposing obligations on businesses.
Similar to other state laws, it emphasizes transparency, individual control over personal data, and the need for businesses to adopt reasonable security measures.
“A business falls within the scope of the Iowa law if it controls or processes personal data of at least 100,000 Iowa consumers, about 3% of the state’s population, during a calendar year,” reported the International Association of Privacy Professionals.
“Alternatively, businesses that derive more than 50% of gross revenue from the sale of personal data fall within scope of the law if they control or process personal data of at least 25,000 Iowa consumers.”
Colorado Privacy Act (CPA):
The Colorado Privacy Act (CPA) finalized its rules, set to take effect on July 1, 2023.
This act, similar to the California and Virginia privacy laws, grants consumers certain rights and requires businesses to implement measures to protect personal data.
It introduces obligations such as data minimization, purpose limitation, and data protection assessments to ensure responsible data handling practices.
The Colorado Privacy Act (CPA) will be applicable to businesses operating in Colorado or providing products or services to Colorado residents.
It will apply to entities that meet either of the following criteria:
- Control or process personal data of 100,000 or more consumers in a year, or
- Control or process personal data of 25,000 or more consumers and receive revenue or obtain a discount on goods or services through the sale of personal data.
Like Indiana, there is no specific revenue threshold for the CPA’s applicability.
“The CPA puts in place broad requirements regarding data protection assessments,” said an assessment report by US based law firm Crowell & Moring.
“In particular, it states that controllers may not engage in data processing ‘that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities’.”
EU AI Act and the perceived impact of artificial intelligence
The European Union (EU) is taking a significant step in regulating artificial intelligence (AI) with the introduction of the EU AI Act. This proposed law, the first of its kind by a major regulator, aims to categorize AI applications based on their risk levels and establish specific legal requirements for high-risk applications.
Under the EU AI Act, applications and systems that pose unacceptable risks, such as government-run social scoring, will be banned.
High-risk applications, such as CV-scanning tools for job ranking, will be subject to stringent regulations. However, applications that are not explicitly banned or classified as high-risk will remain largely unregulated.
The impact of AI applications on various aspects of people’s lives, including online content, law enforcement, and healthcare, has driven the need for comprehensive regulations.
The EU AI Act has the potential to become a global standard, similar to the influential General Data Protection Regulation (GDPR) implemented in 2018.
While the proposed law is a significant step forward, there are concerns about certain loopholes and exceptions. The Act may require improvements to address unforeseen risks and provide more flexibility to adapt to emerging AI applications.
Similar to what GDPR did to privacy regulations across the world, the EU’s AI regulation is already making waves internationally, with Brazil’s Congress recently passing a bill inspired by the EU AI Act to create a legal framework for AI.