Data Privacy and Corporate Governance

ABSTRACT

In today’s digital landscape, safeguarding data privacy has become a critical concern for both individuals and corporations due to the increasing value of personal data. This paper explores the significance of data privacy in contemporary society, stressing the importance of transparency and adherence to regulations in managing personal information. It assesses various legal frameworks governing data privacy, such as the GDPR, CCPA, DPDP Act, PIPEDA, and LGPD, shedding light on the penalties for non-compliance and the roles of regulatory bodies. Additionally, the paper discusses the ramifications of data privacy breaches, including damage to reputation, financial repercussions, and legal liabilities, underlining the necessity of robust risk management and corporate governance practices. It also examines forthcoming trends and advancements in corporate data privacy, taking into account technological progress, regulatory shifts, and evolving consumer expectations. Lastly, the paper underscores the role of corporate governance in preserving data privacy, outlining key strategies for identifying, assessing, mitigating, monitoring, and continually improving data privacy risks. In sum, this paper offers a comprehensive exploration of the evolving terrain of data privacy, covering its significance, legal dimensions, and forthcoming challenges and opportunities.

KEYWORDS

Data privacy, Regulatory compliance, Legal frameworks, Data breaches, corporate governance

INTRODUCTION

As digital technologies continue to advance, companies are collecting extensive amounts of data on consumers’ behaviors and interests. While some companies are transparent and open about their data practices, many prefer to maintain secrecy, prioritize control over sharing, and adopt a strategy of seeking forgiveness rather than permission. Additionally, it’s common for companies to quietly collect personal data that they may not currently need, speculating that it could hold value in the future.

In our contemporary landscape, characterized by extensive utilization of personal data by various entities, it is imperative for companies to uphold heightened levels of transparency. They ought to diligently communicate to consumers the precise nature of information being gathered, its storage locations, and the duration for which it will be retained.

According to the Blacklaw dictionary, Privacy means “The right that determines the non-intervention of secret surveillance and the protection of an individual’s information.” [1]

Data privacy is a legal concept on how, what, and up to what extent someone’s personal data can be used. It is a process that helps individuals to handle their own personal information.

Data protection has become a pressing concern in today’s globally connected society. This is a matter that deeply concerns all consumers. The transparency surrounding the collection of personal data has led to scant information regarding its storage duration, location, and purpose

The perception of data collection diverges between corporate entities and the general populace. Companies often view it as a means to gather feedback or discern consumer preferences, while individuals increasingly perceive it as a threat to their privacy.

There are many data privacy rules that have been adopted that help to protect the personal data of people like the European Union’s General Data Protection Regulation (GDPR) and California’s California Consumer Privacy Act (CCPA). India also recently introduced legislation aimed at regulating the handling of personal data for all citizens. The Digital Data Protection Act 2023 which replaces the Information Technology Act 2000, imposes obligations on both private and governmental entities regarding the collection and utilization of personal data.

WHY DATA PRIVACY IS IMPORTANT

A data privacy breach occurs when confidential information belonging to individuals is deliberately exposed, either by individuals or organizations. So, it is very important to handle these private data with utmost caution.

Data privacy may be crucial for corporations due to the following reasons:

To maintain their reputation

Maintaining customers’ private data and information safely is of utmost importance to maintain the trust and credibility of the company. Prioritizing the data privacy of the customers fosters trust among the customers and investors. Moreover, investors and partners would engage with those companies that have a good track record of maintaining data privacy and securing personal data.

To comply with the data privacy laws

Companies are needed to comply with various data privacy laws according to the respective jurisdictions. In 2018, the “General Data Protection Regulation (GDPR)” was enacted across Europe, impacting companies conducting business in the region, irrespective of their geographical location. This expansive reach gives it global applicability. For instance, if a Canadian retailer delivers goods to a customer in Ireland, they are obligated to adhere to GDPR guidelines. Also, another major privacy law “The California Consumer Protection Act (CCPA)” safeguards the privacy of individuals residing in California. The newly amended act, The Digital Personal Data Protection Act of 2023, also referred to as the DPDP Act or DPDPA-2023 is legislation enacted by the Parliament of India to regulate personal data.

Risk in data privacy breach 

Risk management is crucial for maintaining a corporation’s success. Failing to maintain the data can lead to threats, and financial losses from being dragged to legal consequences and can also damage the reputations of the entities. Effective risk management not only prevents data breaches but also helps to maintain trust with investors and partners.

Preserving autonomy

Privacy provides a protective barrier against external influences, allowing individuals to live in alignment with their own values and beliefs. It creates a space where people can freely explore their identities and relationships without worrying about criticism. This freedom extends to various aspects of life, including career paths, lifestyle preferences, and intimate decisions. Without privacy, societal expectations could suppress authenticity and impede personal growth. By valuing privacy, we recognize and uphold everyone’s right to express themselves, fostering a culture that embraces diversity and empowerment.

Safeguarding Competitive Edge

By keeping important information private, companies reduce the chance of competitors learning too much about their inner workings. It’s not just about following the law; it’s about protecting what makes a company special. Whether it’s secret formulas, customer lists, or new inventions, keeping these things safe helps businesses make the most of what sets them apart. Plus, when employees know their ideas are safe, they feel more encouraged to come up with new ones. In the end, keeping secrets helps a company stay strong now and sets it up for success later on.

LEGAL CONSEQUENCES AND PENALTIES

In the era of globalization and technology, the penalties for corporate businesses hold a great deal of personal data with them. With more data breaches happening and data being misused, it’s crucial to make sure companies are responsible. Legal consequences are necessary to hold them accountable.

Data privacy and protection have become the most significant change for businesses nowadays. There are new laws made to keep personal data safe, and they are super important.

Data privacy regulations like the European Union’s General Data Protection Regulation (GDPR) and the United States’ California Consumer Privacy Act (CCPA) carry considerable weight, prompting numerous other jurisdictions worldwide to adopt similar frameworks.

Recently the Indian Parliament enacted the Digital Personal Data Protection (DPDP) Act, which safeguards citizens’ personal data while also ensuring a balance between their rights and the lawful processing of data.

Canada also has the Personal Information Protection and Electronic Documents Act (PIPEDA) to protect private data while Brazil has the General Personal Data Protection Law (Lei Geral de Proteção de Dados Pessoais) to safeguard their citizens’ personal data.

General Data Protection Regulation (GDPR)

GDPR is a data privacy regulation that safeguards the personal data of European Union citizens and can be used either by public authorities or private entities. This act expands the scope and jurisdiction of data privacy as this may apply to anyone or any organization that collects or uses the personal information of EU citizens.

As mentioned in Article 83(5) of the GDPR, penalties for severe violations can be up to 20 million euros or 4 % of the total global turnover of the preceding fiscal year, whichever is higher. And for less severe violations outlined in Article 83(4) of GDPR fines may reach up to 10 million euros or 2% of the total global turnover from the preceding fiscal year, whichever is higher.

In 2019, the French data watchdog, CNIL fined Google 50 million euros for making it difficult for customers to manage preferences on how to use their personal information, especially for targeted advertisements. [2]

 California Consumer Privacy Act (CCPA)

CCPA is the first major data privacy law of the United States which gives the people residing in the state of California the right how to use their personal data even if they can delete it if they deem so. This law applies to the businesses which collect or store private data of the residents of California.

Now let’s talk about the penalties under this section. If the violation is intentional then the penalty can go up to $7,500 and for non-intentional violations it can be $2,500 per incident. However, these fines have the potential to increase significantly. Consider this scenario where a business sells the personal data of a lot of people without a way to say no, then it could be seen as breaking the law many times over. Suppose they do this to 10,000 folks, this could lead to fines adding up to a big amount, like $75 million. [3]

The Digital Personal Data Protection Act (DPDP) 2023

DPDP 2023 is a law passed by the Indian parliament to protect the personal data of Indian citizens. This law extends to Indian citizens and businesses that collect data from Indian residents and foreigners residing in India. Moreover, it covers data processing conducted outside of India if it involves providing goods or services within India.

Section 33 of the DPDP Act grants authority to the Digital Personal Data Protection Board (DPDPB) to impose penalties on Data Controllers or Significant Data Fiduciaries (SDFs) for significant violations of the Act or its regulations (Clause 33 (1), DPDP Act). However, it’s crucial to note that prior to imposing any penalties, the involved party is given the chance to present their case. This ensures a fair and just procedure where all viewpoints are considered before a final decision is made.

The Data Protection Board has the authority to levy the following penalties:

• A fine of INR 10,000 if a data principal fails to fulfill duties specified under the Act.
• Fines of up to INR 50 crore for violating any provision of the Act or its implementing rules, where no specific penalty is outlined.
• Fines of up to INR 250 crore for failing to implement reasonable security measures to prevent personal data breaches.

The scenarios involving invalid consent and non-compliant privacy notices are likely to result in penalties of up to INR 50 crore.[4]

Canada also has the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian data privacy law on 13^th April 2000. It regulates the collection, utilization, and disclosure of personal data by private sector entities during commercial activities.  Moreover, this legislation also includes guidelines regarding the utilization of electronic documents.

Companies found in breach of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) could incur fines of up to $100,000 CAD per infraction. Moreover, criminal charges may be pursued if they:

• Intentionally destroy data following a review request
• Retaliate against staff for adhering to PIPEDA
• Try to impede investigations [5]

General Personal Data Protection Law (Lei Geral de Proteção de Dados Pessoais)

The General Personal Data Protection Law is a legal framework concerning data protection and privacy in Brazil. The LGPD encompasses rules regarding the handling of personal data, particularly for individuals within Brazil, data collected or processed in Brazil, or data used to provide goods or services to individuals in Brazil.

Penalties under this act can be up to 2% of the organization’s annual revenue and up to 50 million Brazilian reals per violation.

FUTURE TRENDS AND DEVELOPMENTS IN DATA PRIVACY BY CORPORATIONS

As technological progress propels innovation and alters business norms, the terrain of data privacy is experiencing significant evolution.

 From integrating artificial intelligence (AI) and Internet of Things (IoT) devices to implementing stringent data privacy regulations, corporations face a multifaceted challenge where safeguarding personal data takes precedence. Emerging trends and developments significantly influence the future trajectory of corporate data privacy. These factors intertwine technological advancements, regulatory changes, consumer demands, and global collaboration, collectively shaping the landscape of data protection for businesses. [10]

While these technologies undoubtedly offer convenience and efficiency, it’s essential to acknowledge that they could also pose significant threats to data privacy. AI and IoT, for instance, have the potential to gather user data without authorization and transmit it to unauthorized third parties.

AI algorithms are trained on extensive datasets, often comprising sensitive personal details like our location, browsing patterns, and purchasing behavior.

IoT devices gather extensive data concerning our daily activities, behaviors, and individual preferences, providing insights that could reveal sensitive details like our health conditions or financial standing, thereby raising concerns about privacy invasion and potential misuse of personal information.

In the age of modern technology, the key issue regarding privacy revolves around individuals being stripped down to mere data points and analyzed for research or commercial motives without their explicit consent. Such data can be utilized to build detailed profiles, which might be exchanged with third-party entities for customized marketing purposes or, in more serious scenarios, could enable identity theft.

So, it is important to be mindful of the potential hazards linked with utilizing these technologies. By being aware of these risks and taking proactive steps to prevent them, we significantly contribute to safeguarding the security of our personal information in the current digital age.

CORPORATE GOVERNMENT AND ACCOUNTABILITY

Corporate governance refers to the structure and practices that guide the direction and oversight of a corporation. It involves the establishment of rules and processes that ensure the company operates ethically and in the best interests of its stakeholders. These stakeholders include shareholders, management, employees, customers, and the wider community.

Corporate governance frameworks ought to foster a culture centered on compliance and ethical conduct, with a strong emphasis on upholding legal and ethical norms, particularly concerning data privacy.

Here are some ways corporate governance can be beneficial in safeguarding data privacy:

1. Risk Identification: Corporate governance frameworks help in recognizing potential risks linked to data privacy, including threats like unauthorized access, data breaches, and regulatory non-compliance. These structures ensure a comprehensive assessment of both internal and external factors influencing data privacy risks.
2. Risk Assessment: Following risk identification, corporate governance processes evaluate the likelihood and impact of each risk to prioritize them based on severity and probability. Factors such as data sensitivity, regulatory requirements, and the organization’s risk appetite are considered, with regular assessments to adapt to evolving threats.
3. Risk Mitigation: Corporate governance fosters proactive measures to mitigate data privacy risks, including the implementation of controls, policies, and procedures. Strategies like access controls, encryption, and employee training programs are employed, and aligned with the organization’s risk management objectives.
4. Risk Monitoring and Reporting: Governance mechanisms ensure ongoing monitoring of data privacy risks to validate the effectiveness of mitigation measures. Activities involve tracking key risk indicators, compliance assessments, and periodic control reviews. Reporting mechanisms communicate risk-related information to stakeholders, facilitating informed decision-making.
5. Continuous Improvement: Corporate governance instills a culture of continuous enhancement in data privacy risk management practices. Organizations regularly update strategies in response to evolving threats and regulatory changes. Lessons learned from privacy incidents inform future risk management efforts, fostering resilience and adaptability. [6]

RECENT CASES

Google

Recently google agreed to delete lots of data it collected from people using Incognito mode in Chrome. The deal came from a lawsuit about Google’s sneaky data collection practices, even when people thought they were browsing privately. Now, Google has to be clearer about what data it collects when you use Incognito mode, and it’ll update its privacy policy too. Google won’t pay any fine because of this, but it has to make some changes, like blocking certain cookies in Incognito mode and hiding some user details. [7]

Samsung

In November 2023, Samsung encountered a data breach due to a vulnerability in an unspecified third-party app. The breach affected customers in the UK who had made online purchases in 2020, allowing unauthorized access to personal details like names, phone numbers, emails, and residential addresses. [8]

23andME

In December 2023, 23andMe, a prominent DNA testing company, experienced a substantial breach affecting 6.9 million users. Among those impacted, 5.5 million users had activated the DNA Relatives feature, which connects individuals with similar genetic profiles, while 1.4 million users had their family trees accessed. [9]

CONCLUSION

In conclusion, the complexity of data privacy in today’s digital era requires careful attention from both corporations and regulatory bodies. With the widespread use of personal data, it’s crucial for organizations to prioritize transparency and adhere to strict legal frameworks like the GDPR, CCPA, DPDP Act, PIPEDA, and LGPD.

The potential consequences of data breaches extend beyond mere financial and reputational damage; they also carry legal repercussions. Therefore, implementing effective risk management strategies supported by robust corporate governance is essential to minimize these risks and promote ethical behavior.

Looking ahead, while emerging technologies such as AI and IoT offer promising innovations, they also introduce new challenges to data privacy. Organizations must find a balance between utilizing these technologies for progress while ensuring the protection of individuals’ privacy rights.

Ultimately, data privacy transcends legal requirements—it’s a moral imperative. Upholding principles such as transparency, accountability, and respect for individuals’ privacy rights is crucial in fostering a secure and trustworthy digital environment for all.

REFERENCES

[1] The Law Dictionary, Privacy Definition & Meaning, https://thelawdictionary.org/privacy/ (Mar. 02, 2013)

[2] General Data Protection Regulation (GDPR), GDPR-info. eu, https://gdpr-info.eu/  (publication date Sep. 27, 2022)

[3] State of California – Department of Justice – Office of the Attorney General, California Consumer Privacy Act (CCPA), https://oag.ca.gov/privacy/ccpa (last accessed Apr. 22, 2024) (publication date Mar. 13, 2024).

[4] Digital Personal Data Protection Act, 2023, https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[5] Office of the Privacy Commissioner of Canada, PIPEDA in brief, https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/ (publication date May 31, 2019).

[6] Solomon, J. (2020) Corporate governance and accountability, Google Books. Available at: https://books.google.co.in/books?hl=en&lr=&id=JAX9DwAAQBAJ&oi=fnd&pg=PR1&dq=corporate%2Bgovernance%2Band%2Baccountability&ots=ny-_3CaXW6&sig=HdaM6gdGTCQz2wSSkrj1QKAllPM#v=onepage&q=corporate%20governance%20and%20accountability&f=false.

[7] Cameron, D. (2024a) The incognito mode myth has fully unraveled, Wired. Available at: https://www.wired.com/story/google-chrome-incognito-mode-data-deletion-settlement/.

[8] Farrelly, J. (2024) High-profile company data breaches, Electric. Available at: https://www.electric.ai/blog/recent-big-company-data-breaches.

[9] Roth, E. (2023) 23andMe admits hackers accessed 6.9 million users’ DNA relatives data, The Verge. Available at: https://www.theverge.com/2023/12/4/23988050/23andme-hackers-accessed-user-data-confirmed.

[10] Khandelwal, N. (2024) Taxmann, https://www.taxmann.com. Available at: https://www.taxmann.com/research/company-and-sebi/top-story/105010000000023742/the-future-of-data-privacy-navigating-trends-and-challenges-beyond-the-digital-personal-data-protection-act-2023-experts-opinion.