As more policies and laws revolve around data protection, business intelligence departments are required to comply. Especially with transnational firms, researching the legal requirements of countries of operation is quite a cumbersome process.
This post aims to provide you with the information needed to work hand in hand with the PDPA and optimize your business processes.
For this post, we will be focusing on the regulatory privacy systems in Singapore, Japan, the US, and the EU. These are areas in which we want to launch Sapiengraph, which we will share more about later. Malaysia and Indonesia (locations where Sapiengraph will launch) are changing their privacy regulations, and we will omit these countries from this discussion at present. For the USA, we will be focusing on the state of California, which has passed the CCPA (California Consumer Privacy Act). The CCPA is more in-depth than the privacy regulations in other states.
Similarities amongst all Regulatory Privacy Systems
All regulatory privacy systems have a similar purpose in mind: to safeguard against the excessive discovery of personal data. Most, if not all, regulatory systems protect the individual’s right to privacy and advocate for accuracy of information obtained by businesses and organizations.
Therefore, it is unsurprising that businesses:
- Require the consent of the individual before collecting, using and disclosing data
- Need to respect the individual’s decision to withdraw consent
- Notify the individual of the purposes for which their data is used and the extent of that use
- Allow individuals to correct their data
- Should delete the individual’s data once it has served its purpose as stated
The only exceptions, in which the privacy regulations do not apply, are:
- Matters in which personal health and safety are concerned.
- Matters in which personal data is necessary between parties (in terms of legal, transactional issues).
Differences amongst the Privacy Regulatory Systems
Europe’s GDPR and Japan’s PIPA require one to obtain explicit opt-in consent from their customers. Explicit consent is not necessary for California’s CCPA and Singapore’s PDPA. For example, a sign on a Singaporean shop informing individuals that “Your presence in this building will be recorded” would satisfy the PDPA, but would not sit well in Germany under the GDPR. The GDPR and PIPA also recommend anonymizing data more strongly than the PDPA or CCPA.
However, there are few differences between the privacy regulations on paper. Instead, the differences come in practice. For example, the definition of “personal data” is widely debated to mean anything that can identify a person. While IP addresses are under the “personal data” umbrella in Europe and Japan, this is still not a problem in Singapore and the USA, which is likely due to cultural differences between the countries. We strongly recommend that companies consult lawyers from these particular countries to get more accurate information about the current practices of specific privacy laws and policies.
Do Regulatory Privacy Laws protect information from the Internet?
If personal information is public, it is deemed to be unprotected by regulatory privacy laws.
However, we recommend that companies ultimately approach the individuals for consent and allow individuals to withdraw their consent if necessary.
Sapiengraph: How it Works Within The Confines of the Law
Currently, this is how Sapiengraph will pan out globally:
Sapiengraph uses facial recognition to identify you and crawls the web to find your public data on social media, but only if you have consented explicitly.
When you sign up for memberships at retail shops, a clause will state the intent of collecting your data for marketing analytics purposes. You may provide or withdraw your consent. If you wish to withdraw consent at any point during your membership, you may do so. The developers at Sapiengraph will promptly and permanently delete your data from all servers.
Sapiengraph only retains your data to help with market analytics, and will disclose your data to our client(s). We will not sell your data to third parties.