Effectiveness of privacy proposals in India, Australia and the US depends on details
Observers of privacy legislation expected or planned next year around the globe are not finding much to be hopeful about when it comes to competent and effective regulation.
An opinion column about expected updates to the 54-year-old Australian Privacy Act, written by a privacy advocate, paints a picture of legislators comfortable with a largely out-of-date law.
A large data breach with broad implications for consumers appears to have roused lawmakers, prompting them to propose a rewrite for the act, says Digital Rights Watch program lead Samantha Floreani in Context, a public policy forum of the Thomson Reuters Foundation.
Floreani is not impressed with the results so far. Substantive changes are absent.
The legislation “mostly just increases the penalties for privacy infringements under the existing” law, she writes. She also points out that fines for “serious or repeated” violations are capped at AUS$50 million ($33.3 million), 300 percent of the value of ill-gotten proceeds or 30 percent of an entity’s profit when it was operating illegally – whichever is greatest.
Floreani feels that, although the proposed penalty would be a multiple of what is called for in the European Union’s General Data Protection Regulation, the enforcement triggers are as “weak, unclear, and unenforced” as existing provisions.
Language that leaves no doubt about recriminations “may not sound as cool as bigger fines” but it is as important.
The government is not starving for opinions on the matter. Australian researchers in September published a model law regulating facial recognition.
In India, analysis of a proposed update to the Data Protection Bill takes perhaps an even darker view of new regulation. To clear up any confusion, the Data Protection Bill has not passed into law, and it is the product of three prior, unsuccessful bills.
An opinion piece in the Financial Express, an Indian business news publication, says the current draft is “impervious to criticisms” and introduces rules “that would undermine people’s right to privacy.”
Here, too, lawmakers are talking about higher fines, but careful language reportedly would give consumers a smaller privacy and control pedestal to stand on in court.
The bill also would make a local-storage mandate more malleable for businesses that might want to put personal data outside the reach of Indian regulators, according to the article. It also would give cybercriminals more opportunity to steal personal information.
Consent rules also are weakened in the draft. It calls for “deemed consent,” which would give data fiduciaries the power to assume consent in several ways. A fiduciary could control in situations considered in the public interest or in the “legitimate interests” of the fiduciary itself, according to the article.
Biometric data would get less protection, too. Sensitive personal data would not be a category, meaning extra protection could not be applied to face, finger and iris prints.
US State sorting out details of passed law
In the U.S. state of Colorado, uncertainty reigns as the Attorney General’s Office writes technical standards for the Colorado Privacy Act, which was signed by the governor in July 2021. The Attorney General has until next July to turn its drafts into final rules. The act goes into effect after that.
News agency Reuters has created a breakdown of key concepts and definitions of a draft that is out for public comment.
The article notes that the state is introducing terms – biometric data and identifiers – that are integral to the state of Illinois’ Biometric Information Privacy Act. According to Reuters, the California Privacy Rights Act does not recognize the terms. This is significant because California generally is considered out front in the United States when it comes to consumer protection.
Data controllers in Colorado would have to get a person’s informed consent before they touch someone’s data, according to Reuters.
And they have to spell out “express purposes” for how each category of personal data is harvested and used. They would have to give consumers a “meaningful understanding of how their personal data is used and why it is necessary to use that data.”
Dark patterns would be illegal under the proposed rules.