NiSP-Q

Understanding national and regional privacy laws

Researchers: Jianbing Ni, Xiangman Li, Eric Li, Jianxiang Zhao

1. Definition of personal data in privacy laws

In this section, we introduce the privacy laws of several countries, including Canada’s PIPEDA and CPPA, EU’s GDPR, US’s ECPA and CCPA, China’s PIPL, Japan’s APPI, and the UK’s DPA.

1.1 GDPR

Personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” 1

1.2 PIPEDA

In PIPEDA, “personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
• age, name, ID numbers, income, ethnic origin, or blood type;
• opinions, evaluations, comments, social status, or disciplinary actions; and
• employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).” 2

1.3 CPPA

Personal information means “information about an identifiable individual.” 3

1.4 ECPA

Despite these amendments, there is no specific professional regulation within the ECPA that directly addresses the handling of personal information.

1.5 CCPA

Personal information is “information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.”

Sensitive personal information is “a specific subset of personal information that includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a consumer’s health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership. Consumers have the right to also limit a business’s use and disclosure of their sensitive personal information.” 5

1.6 PIPL

The PIPL governs various processes related to personal information, including collection, storage, usage, processing, transmission, provision, disclosure, and other activities. Additionally, the law introduces the concept of erasure processing, emphasizing the ethical standards that personal data processors must adhere to. These standards encompass aspects such as lawfulness, legitimacy, necessity, good faith, purpose restriction, minimal necessity, openness and transparency, accuracy, and due diligence.6

1.7 APPI

Personal information means “information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual).” 7

1.8 DPA

“Personal data” means “any information relating to an identified or identifiable living individual.” 8

“Identifiable living individual” means “a living individual who can be identified, directly or indirectly, in particular by reference to (a) an identifier such as a name, an identification number, location data or an online identifier, or (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”

2. Right to be forgotten in national and regional privacy laws

Now we discuss the right to be forgotten in different privacy acts.

2.1 GDPR

In GDPR, the right to erasure is defined as “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” 1 The following grounds 1 apply:

  1. Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  2. The data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing.
  3. The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).
  4. The personal data has been unlawfully processed.
  5. The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  6. The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

Data controllers have a dual responsibility when it comes to data deletion. Not only are they obligated to delete the data they directly control, but they must also ensure that any data they have publicly disseminated is removed and that third-party recipients are informed to do the same. If the controller has made personal data public and is required to erase it, they must take reasonable steps, considering available technology and implementation costs, to notify other controllers processing the data. This notification should prompt them to erase any links, copies, or replications of the personal data in question.

The GDPR introduces the concept of the “right to be forgotten,” which is an expansion of the traditional right to erasure. It encompasses a one-to-many approach, covering both the right to have data deleted by the data controller and the right to request that the controller takes appropriate measures to delete unlawfully collected personal data. This comprehensive approach ensures that individuals have greater control over their personal information and provides them with stronger protections under the GDPR’s data protection framework.

2.2 PIPEDA

PIPEDA mentions that private sector organizations and federal institutions can collect personal information about citizens, employees, clients, and prospective clients. Meanwhile, organizations and institutions need to inform the data owners about how the information will be used, how long it will be kept, and when and how it will be disposed of. However, PIPEDA does not define the right to be forgotten or a similar right that enables data owners to request the data controller to delete their data.

PIPEDA only states that “personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.” Moreover, Paragraph 4.7.5 specifies that “care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information, which means the organization should dispose personal information securely”. There are common methods for organizations to properly dispose of personal information, including disintegration, incineration, pulverizing, shredding, melting, overwriting, and degaussing. In short, PIPEDA states that the data controller has the responsibility to delete the data and handle the disposal of personal information. 2

2.3 CPPA

CPPA states that “an organization must not retain personal information for a period longer than necessary to
a) fulfill the purposes for which the information was collected, used, or disclosed; or
b) comply with the requirements of this Act, of federal or provincial law or of the reasonable terms of a contract.
The organization must dispose of the information as soon as feasible after that period.”

Notably, the CPPA defines a principle similar to the right to be forgotten. That is, “if an organization receives a written request from an individual to dispose of their personal information that is under the organization’s control, the organization must, as soon as feasible, dispose of the information, if

(a) the information was collected, used or disclosed in contravention of this Act;
(b) the individual has withdrawn their consent, in whole or in part, to the collection, use or disclosure of the information; or
(c) the information is no longer necessary for the continued provision of a product or service requested by the individual.”

Moreover, if an organization fulfills the individual’s request to dispose of their personal information, it must also take prompt action to notify any service provider to which it had previously transferred the information. The organization must ensure that the service provider promptly disposes of the information as well. 3

2.4 ECPA

In ECPA, there is no definition of personal data or specific professional regulation that directly addresses the handling of personal information. Also, there is no definition of the right to be forgotten.

2.5 CCPA

The “Consumers’ Right to Delete Personal Information” refers to the right of consumers in California to request the deletion of their personal data. Offshore companies operating in California must have a dedicated team to promptly respond to such inquiries and maintain accurate records of the requests.

Furthermore, businesses are required to inform their customers explicitly about their right to be forgotten. When a company receives a request from a customer to delete personal information, it should verify the request’s authenticity and proceed with deleting the data. Simultaneously, the company should request that other data service providers also delete the relevant information. It’s important to note that a business is not obligated to erase personal information if it is necessary to retain it to complete a transaction or provide goods or services. This exception is significant and allows businesses to retain relevant information required for legitimate purposes. The detailed principles of the right to be forgotten are defined as follows:

2.6 PIPL

The PIPL clearly states the agreement between the individuals and the personal information handlers about data collection, storage, and usage. Article 21 of PIPL states “where personal information handlers entrust the handling of personal information, they shall conclude an agreement with the entrusted person on the purpose for entrusted handling, the time limit, the handling method, categories of personal information, protection measures, as well as the rights and duties of both sides, etc., and conduct supervision of the personal information handling activities of the entrusted person. Without the consent of the personal information handler, an entrusted person may not further entrust personal information handling to other persons.”

PIPL defines a right to be forgotten that enables individuals to request deletion if the personal information handlers do not proactively delete the information. Article 47 of PIPL states “personal information handlers shall proactively delete personal information where one of the following circumstances occurs; if the personal information handler has not deleted it, individuals have the right to request deletion:

a) The handling purpose has been achieved, is impossible to achieve, or the personal information is no longer necessary to achieve the handling purpose.
b) Personal information handlers cease the provision of products or services, or the retention period has expired.
c) The individual rescinds consent.
d) Personal information handlers handled personal information in violation of laws, administrative regulations, or agreements.
e) Other circumstances provided by laws or administrative regulations.”6

2.7 APPI

The APPI states that business operators should keep personal data accurate and delete it if it is not needed. Specifically, Article 19 states “a personal information handling business operator shall strive to keep personal data accurate and up to date within the scope necessary to achieve a utilization purpose, and to delete the personal data without delay when such utilization has become unnecessary.” Meanwhile, Article 35-2 (5) mentions that “a pseudonymously processed information handling business operator shall strive to delete personal data that are pseudonymously processed information and deleted information etc. without delay when utilization of the personal data and the deleted information etc. has become unnecessary.”

In addition, individuals can request the business operator to make a correction, addition or deletion if the contents of retained personal data are not factual.
APPI has defined several citizens’ rights regarding their personal data 7, including:

a) “The right to request an organization cease the use or transfer of their personal data if the organization no longer has a valid reason to use the data, a data breach has occurred, or the handling of said data will infringe upon the data subject’s rights.
b) The right to access personal data an organization wishes to delete within six months.
c) The right to request access to records pertaining to data transfers to third parties.
d) The right to request a copy of any personal information relating to the data subject.”

2.8 DPA

The right to erasure or restriction of processing mentioned in DPA includes:

1) “The controller must erase personal data without undue delay if the processing of the personal data would infringe section 35, 36(1) to (3), 37, 38(1), 39(1), 40, 41 or 42, or the controller has a legal obligation to erase the data.
2) Where the controller would be required to erase personal data under subsection (1) but the personal data must be maintained for the purposes of evidence, the controller must (instead of erasing the personal data) restrict its processing.
3) Where a data subject contests the accuracy of personal data, but it is not possible to ascertain whether it is accurate or not, the controller must restrict its processing.
4) A data subject may request the controller to erase personal data or to restrict its processing (but the duties of the controller under this section apply whether or not such a request is made).” 8

Comparisons
