Who Protects Your Personal Data in the Digital World?

By Sebastian Fernandez Quezada, CTPO?

Since the dawn of human societies, we have established rules to live together as harmoniously and justly as possible. These laws have evolved over time and adapted to every new circumstance we faced. In recent times, technological advances have led us to a point where it has also become necessary to legislate the online world.?

Today, the GDPR (General Data Protection Regulation) is the European regulation that safeguards the rights and freedoms of individuals in the digital realm. Since 2018, it has applied to all companies established in the European Union and to those outside its territory that offer products or services to residents within it.?

Personal data constitutes our identity. Before such regulations existed, when we entered a website to make an online purchase and filled out a form with our name, email, address, and more, we were handing over our identity without knowing what would be done with it. Can you imagine what would happen if, to pay in a physical store, we had to leave the seller a copy of our credit card and ID???

In fact, in countries without updated regulations, companies that collect our information can trade it and conduct business where we are the commodity. Often, we only find out when we realize, in the best-case scenario, that we are in a database of a company that won't stop calling or emailing us to buy their products or services.?

The Value of Consent?

In this context, the GDPR considers the processing of information lawful only if we give consent through a written, verbal, or electronic declaration, such as checking a box on a website. Pre-checked boxes, silence, or inaction do not constitute consent under this regulation.?

Within this framework, companies must inform us if they are processing our data and must allow us to rectify it if it is inaccurate, among other rights we have over our digital identity. To emphasize its importance, fines for non-compliance range from 1 million to 20 million euros or 2% to 4% of the company’s annual turnover.?

Additionally, significant work has been done on various definitions to determine the importance of certain personal data or users. For instance, there is special consideration for minors and the processing of their information, recognizing their maturity to give consent differs from that of adults.?

Brazil's Pioneering Step in LATAM?

Currently, the GDPR is the most important regulation worldwide and serves as a model in other regions, such as Brazil, where a few years ago, the LGPD (General Data Protection Law) came into effect, with the same goal of safeguarding individuals' privacy in all areas.??

The implementation of LGPD represents a significant advancement in personal data regulations for Latin America, where many countries have had national laws for over a decade, most of which are now outdated.?

In this context, Brazil's example is crucial as it has encouraged its continental neighbors to work on projects to reform existing regulations. Argentina, for example, is on the path to amending Law 25.326, enacted in 2000, when the particularities of the current digital world were unimaginable.?

The California Privacy Law?

Another case is the CCPA (California Consumer Privacy Act). Approved in 2018, it applies only to businesses and certain nonprofit organizations that handle personal information of California residents, according to the purposes and means of processing said data.?

The GDPR, LGPD, and CCPA are very similar regarding users' general rights and the obligations imposed on responsible parties, companies, and service providers. Additionally, CPRA (California Privacy Rights Act) is also in effect, complementing the CCPA.?

Although the CCPA has always been criticized compared to the GDPR, it has helped other American states create their own laws in this area. These states include California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia. Currently, more states are planning similar laws, potentially leading to a federal data protection law in the United States.?

The Case of China?

In November 2021, PIPL (Personal Information Protection Law) came into effect in China, which applies globally to any company processing information originating in this Asian country.??

This law is undoubtedly significant given the origin of its data. Moreover, the fines it proposes are much more substantial than those of the GDPR and can even lead to imprisonment.???

New Challenges Must Accompany Advances in the Digital Era?

I believe it is crucial for such regulations to be implemented in every country because they help users become aware of the importance of their personal data and the necessity of keeping it secure.?

Beyond the sanctions or obligations imposed on companies, the most significant advancement these regulations brought in the digital era is preventing any company from freely accessing our personal information without consent and using that data freely for commercial purposes.?

While there are prospects for evolution in the short and medium term, all these regulations face two future challenges. Firstly, transforming who owns the data, as companies and organizations are currently the custodians of our data, and this needs to change. The identity validation model should be based on the premise that individuals are the custodians of their information and authorize or deny access to those who request it.?

Secondly, staying relevant over time, which is much more difficult given historical trends and the rapid pace of change in the digital world.??

VU Solutions for Organizations?

To avoid financial losses and reputational damage, VU Inc.'s solutions enable organizations to comply with all current regulations. Does your company protect data in the digital world? As Digital Identity Advisors, we can help you: https://acortar.link/2b7HXD.?