3 minute read
UPDATE 2: The Data Privacy Periodic Table
By Sophie Chase-Borthwick on 28 January 2019
To read the latest update (August 2021) to The Periodic Table of Data Privacy, click here.
Today is Data Protection Day, or Data Privacy Day if you are outside Europe.
It is a special day in the privacy industry calendar. It marks the Council of Europe’s Convention 108 and it being opened for signature on this day in 1981, and celebrates how far we as a global industry have come since – while reminding us how much work there is still to do.
Convention 108, or the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data for the purists, was the first binding international regulation that protected data subjects from the unjust collection or processing of their personal data. It was the precursor to all the data legislation we have today.
As we all know, that is rather a lot of legislation. Still not enough, but that is a topic for another time. But because there are so many regulations and legal instruments, there is a great deal of confusion and conflict between them all.
Hence the launch some months ago of our Data Privacy Periodic Table – Calligo’s open, pan-industry initiative to create a regularly updated and easily-understood catalogue of the key elements of data privacy.
Specially for Data Protection Day, we are today launching an updated version of the table, acknowledging some of the recent changes in legislation and addressing some input from the wider industry.
As anticipated when we first launched this project, the majority of updates are occurring in the Core Legislation and Future Developments section. These two areas will after all inherently experience the most change.
Interestingly, despite Japan’s adequacy now being adopted, there are still questions yet to be answered and debates going on in the background.
All three of the European Data Protection Board, the European Parliament and the Committee on Civil Liberties, Justice and Home Affairs (aka LIBE Committee) have raised a number of concerns over Japan’s data protection framework, including the Japanese government’s use of indiscriminate citizen surveillance, and have demanded “further clarifications to ensure safe data transfers to Japan.” In effect, the three bodies are questioning Japan’s suitability for adequacy, so this story is not finished yet.
Recategorisation and introduction of new legislation – California, Brazil and Bahrain
We have decided to move the California Consumer Protection Act (CCPA) to the Future Developments section. In retrospect, we were perhaps rather overenthusiastic to place it immediately in the Core Legislation section. This is not just because its enforcement date is 1st January 2020, but primarily because much of the regulation’s wording is actually still in question. The Attorney General of California is now holding a series of public hearings in early 2019 where comments and requests will be heard and considered. We are perhaps a long way from the final wording, and certainly a long way from the end of this news cycle.
Similarly, the Indian Data Protection Bill 2018 is yet to be fully debated in Parliament, and so could well be amended dramatically, hence it staying in the Future Developments section. After all, there were more than 600 sets of feedback – including one from the US government – following a public consultation on the Bill.
In contrast, Bahrain and Brazil’s new privacy laws are confirmed and solidified. They may only come into force in August 2019 and August 2020 respectively (the latter pending a new Congress vote to confirm a delay from the original February 2020 go-live date, and also to confirm its data protection body’s structure), but in neither case is the wording under any further scrutiny. Organisations for whom these laws are relevant should now be working towards pre-emptive adherence, so we have therefore added them to the Core Legislation section.
Making room for the above
As with every update to the Periodic Table, we have to make some compromises in order to fit everything into only 118 elements. Seeing as the sections that we dedicated to Core Legislation and Future Developments together comprise only 25 elements, we are particularly restrained.
We needed room in Core Legislation for the Bahrain and Brazil laws. Removing CCPA gave us one slot, and we then combined the two Channel Islands legislative frameworks for Jersey and Guernsey into a single element (#32) due to their similarity and geographical proximity.