In Sophic Capital’s Governments Stemming What’s Collected About You report, we highlighted new privacy laws in the United States to safeguard the collection and use of consumer data. In this report, our focus shifts to the international community, which will be followed by how Big Tech is reacting and then we will tie this all back to Sophic Capital client Reklaim (MYID-TSXV; MYIDF-OTC) who is very well positioned to benefit from all of these market changes.
More Governments Are Introducing Data Privacy Laws
In July 2022, the European Parliament announced two new legislative packages, setting unprecedented standards on the accountability of online companies:
- Digital Services Act (DSA) sets clear obligations for digital service providers to tackle the spread of illegal content, online disinformation, and other societal risks. Penalties can be up to 6% of worldwide turnover and the EU Commission has exclusive power to demand compliance from platforms with more than 45 million users
- Digital Markets Act (DMA) sets obligations for large online platforms acting as “gatekeepers” (like Google, Amazon, Meta) on the digital market to ensure a fairer business environment and more services for consumers. Penalties can be up to 10% of worldwide turnover and 20% in case of repeated infringements.
While these laws are limited to Europe, the sentiment will likely get echoed on American soil. The majority of the gatekeeper companies are anchored in the U.S., and if they want to continue doing business in Europe, they will have to comply with the new DSA and DMA rules. The two new laws have some overlap with the existing GDPR, meaning companies that do not comply may now be fined with multiple violations at once.
Canada introduced the Digital Charter Implementation Act (Bill C-27) on June 16, 2022, to strengthen the country’s private sector privacy laws and responsible artificial intelligence development. The new laws would enable Canadians to have more control of their data, providing strict rules around the use of personal information to ensure companies are acting responsibly.
Bill C-27 further reiterates Canada’s Digital Charter to make a competitive, data-driven economy through the proposal of three acts:
- Consumer Privacy Protection Act (C-PPA) aims to provide consumers with more control over their data and give better transparency into how organizations use and transfer consumer data, while establishing stronger protections for kids. Canadians would have the right to access their data profiles from an organization and request that their data be deleted with C-PPA violations resulting in fines up to C$25 million or 5% of global revenue.
- Personal Information and Data Protection Tribunal Act (PIDPTA) will be created to enforce the C-PPA and hold organizations accountable.
- Artificial Intelligence and Data Act (AIDA) will introduce rules surrounding the development and deployment of AI systems with specific reference to unlawful data obtained for AI development and the mitigation of harm and bias.
Germany’s Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) of December 2021 consolidates laws concerning the processing of personal data and privacy protection in electronic communications. TTDSG regulates the protection of confidentiality and privacy when using internet-ready terminal infrastructure such as websites, messenger services, smart home devices, and even Internet-of-Things (IoT) devices such as connected cars and smart appliances. This means that companies like Alphabet and Facebook cannot parse emails and messages for data to target ads. The use of non-mandatory cookies (small files that hold data use to identify your computer to outsiders) on a website requires user consent. And companies must ensure consumers are not unduly influenced to provide their personal information through means that include complicating the refusal of consent to data collection.
On January 2, 2022 , the UAE enacted the Personal Data Protection Law (PDPL) to maintain the confidentiality of information and protect the privacy of individuals in the UAE. The law applies to domestic companies as well as foreign enterprises that communicate with Emiratis. PDPL prohibits personal data processing without the consent of the data subject unless certain specific exclusions apply. It also establishes requirements for cross-border transfer and sharing of personal data for processing purposes. The law gives the owner of the data the right to request corrections of inaccurate personal data and to restrict or stop the processing of personal data. Specifically, data processing records must be kept and should include the duration, limitation, and scope of the processing, mechanisms for personal data erasure or modification, the purpose of the processing, disclosures about cross-border information transfer, and a description of data security procedures and technologies. These records should be available for the Data Office whenever it requests to see it. When data breaches occur, companies must immediately notify the UAE Data Office as well as the subjects whose data was exposed.
China’s Personal Information Protection Law (PIPL), which came into effect on November 1, 2021, establishes a framework governing cybersecurity and data privacy protection in China. The law stipulates the collection and use of personal data within China while also governing the actions of companies hoping to move data out of China. Prior to PIPL, China did not have comprehensive legislation that protected personal data. PIPL violators can face fines of up to 5% of annual revenue of the previous year or CNY 50 million (~US$7.2 million). Recently, the National Information Security Standardization Technical Committee of China issued a draft version of the Cybersecurity Standard Practice Guidelines. Companies must ensure:
- There are legally binding agreements and contracts between the parties
- There is a designated Personal Information Protection Officer in the organization
- They must address the impact on people and their accordance with Chinese Law
- They obtain consent from individuals.
The Bottom Line
The flow of data will only continue to increase as more countries undergo digital transformation. With the digital economy front and centre on the world stage, political leaders are beginning to understand that data safety and trust must be the foundation for data privacy legislation. Legal frameworks are being put in place around the globe to protect data privacy, requiring consent for the collection, storage, usage, sharing, and disclosure of personal data. As datasets become more complex, legislation will continue to evolve, giving power back to the people. Nothing keeps a company focused like the threat of losing customers.
In our next Data Privacy Report, we’ll learn how technology companies are stopping the collection and use of consumer data.
Access more data privacy reports HERE
Sign up for Sophic Capital’s reports HERE
Reklaim [TSXV:MYID, OTC:MYIDF] has contracted Sophic Capital for capital markets advisory and investor relations services.