India enacted its long-awaited privacy legislation, the Digital Personal Data Protection Act, on August 12. While various aspects of this Act distinguish it from other privacy laws in the world, one that is particularly interesting is its approach to user consent.
Senior Counsel Data Privacy at ABB
Piotr is a global data protection/privacy professional and author of publications. He is a fully qualified attorney-at-law (Poland) and has been working as a lawyer since 2006, and since 2013 in privacy/data protection. Piotr studied law at the Jagiellonian University in Krakow where he also worked for several years as an advocate, after which, in 2016, he moved to in-house global privacy roles in international corporations of various industries, including IT services and technology. His areas of interest include communication, process and operational management issues, as well as integrating legal, ethical and technical aspects.
The laws and regulations of the future will increasingly be read, analyzed and implemented by AI or by lawyers augmented with AI, and also by technology and business people, especially for SMEs who cannot afford lawyers.
Amid the great number of existing frameworks in the areas of risk management, compliance, privacy and security, new ones are still being drafted and existing ones updated and refined. This is first and foremost for big, global companies, which are under the most pressure to stay compliant and ethical in whatever they do or intend to do.
We are at the stage where the most fundamental and basic controls, on which all privacy and security programs rest to some extent, are at risk of becoming illusory, outdated, and neither read nor used by the great majority of relevant stakeholders. How can we apply a more sophisticated approach and tools?
We should strive for human-centric, value-driven, yet flexible and business-friendly standards backed by laws and regulatory enforcement. Yet abandoning the old ways of relying on privacy notices and consent forms will remain contentious and controversial and, if it happens, will still take a lot of time.
Both countries, while accepting the EU standard contractual clauses as a compliance transfer mechanism, still require the clauses to be amended to reflect their own legal requirements. The big difference is that the Swiss requirements are very simple.
As the bonds and the economic cooperation go deeper and deeper, there are many avenues and initiatives for cooperation and discussion. EU-US privacy alignment in the immediate future is not only possible but de facto inevitable.
Changes in the risk and compliance arena have been accelerating in recent years. With these developments, there is an urgent need to redefine the place of privacy and the privacy team in this evolving landscape, as well as to establish links with overlapping, adjacent and related areas of risk and compliance.