“The whole world is regulating the processing of personal data”
– The whole world is about to regulate the processing of personal data. Europe is a positive guiding light and the GDPR is a role model, which several countries follow when they enact their own laws and regulations regarding the processing of personal data, says Eija Warma-Lehtinen, lawyer and responsible for the Nordic region at IAPP (International Association of Privacy Professionals), in this interview.
Eija Warma-Lehtinen has over 15 years of experience in data protection and privacy-related issues. She is currently a lawyer, partner and the head of Data Protection & Privacy at the Finnish law firm Castrén & Snellman, as well as responsible for the Nordic region at IAPP (International Association of Privacy Professionals) and chairman of the board of the Finnish privacy platform PrivacyAnt.
She – if anyone – can really give a good view of what is happening in the world when it comes to the development of privacy and integrity.
Exciting time we live in
– It is really an exciting time we live in when it comes to privacy and processing of personal data. There is a lot happening now around the world in this area – not least in the US, she says.
Traditionally, Europe and the United States have had different points of departure and reference points.
– In Europe, we think and feel that privacy is an important part of our human rights, and processing of personal data has been specifically regulated in the law. In the United States, a similar approach to data protection has not existed before. The need to establish rules for how personal data can be processed has simply not been as widespread in the United States as it has been in Europe.
The whole world is changing
But slowly the United States is also changing. California is now in the process of introducing a new law that has similarities to the GDPR and several other states are on the same path.
– In Latin America, Brazil has drafted a GDPR-like law and there is already data protection legislation in several countries, such as Argentina. In Asia, India has introduced the Personal Data Protection Bill that creates the first legal framework for data protection. Japan has been recognized by the European Commission to provide adequate protection to personal data and South Korea is currently in the adequacy process.
Also, Russia and China are developing laws in this area.
– It seems that there are two schools in legislation: 1) strong protection as it is in Europe and 2) a minimalistic approach without comprehensive local law. When discussing with about 130 data protection and privacy authorities around the world, it seems that Europe is a guiding light and the GDPR is a model and a role model, which several countries follow when they enact their own laws and regulations regarding the handling of personal data.
The important thing is the intention
The legislation is not the same everywhere, but the important thing is, according to Eija Warma-Lehtinen, that the logic and the spirit are the same.
– We must remember that when countries adopt new laws, they must always be based on their own country’s social and cultural norms and values. Against this background, there are many similarities between the Nordic countries’ legislation, but also differences.
What unites all international data protection laws is that they have seen it as important to establish requirements, among other things, for data protection officers and representatives of all the companies and organizations that are responsible for handling personal data.
– It is considered extremely important that there is someone in the organization who understands the law but also understands the business and the importance of keeping all stakeholders informed about what needs to be taken into account when handling personal data.
– In other words, I do not want to claim that some countries have bad laws and other countries have good laws. They are all based on the culture that forms the basis of the countries’ own legislation. The most important thing is that data protection is seen as such an important issue that there must be a specific law in place. How the law is then formulated is always a result of the local and cultural legislative history.
Focus on frameworks and not details
Another important component, according to Eija Warma-Lehtinen, is not to complicate the law with various exceptions, but to ensure that data protection legislation is simple and general.
– We must be sufficiently competent to be able to create basic general data protection legislation with functioning laws and frameworks, to which technological development must adapt. Technology will always run faster than legislation. If you first make sure you have a working legal framework in place that focuses on the application, then developers will adapt by creating new privacy-friendly and legal technologies.
The idea of legislative tools is to build them so that they are broad enough and technology-neutral.
– Legislation should establish a framework. If we destroy that logic with lots of different types of detailed exceptions and requirements in detailed areas, the outcome will not be good, she concludes.