Due to the expanding utilisation of technology, the digital economy’s growth, and the enlarging fragmentation in the payment chain, safeguarding personal information has become a significant concern for both individuals, organisations and governments. Not only is it crucial to safeguard the privacy rights of individuals, but it also has significant implications for businesses, as data breaches can result in serious financial losses, damage to reputation and loss of customer trust.
Source: Visual Capitalist.
So, given the growing importance of data privacy and regulatory developments globally, as well as their significance for central banks, we would like to explore in this blog the key major data privacy regulations, their impact on financial services and how they intersect with central bank digital currencies (CBDC).
Understanding data privacy, anonymity and global data privacy regulatory developments
It is important to note that data privacy and anonymity are related but distinct concepts in the context of personal information and online activities. Data privacy refers to the right of individuals to control the collection, use and dissemination of their personal information. It encompasses various aspects of personal information protection, such as informed consent, data security, data minimisation and data protection by design. The objective of data privacy is to ensure that personal information is collected, used and shared in a manner that respects individual privacy rights and supports trust in the digital environment. Anonymity, on the other hand, refers to the state of being unidentifiable or not attributable to a specific person. When a person is anonymous, their identity is hidden or masked, and their personal information is not directly linked to them. Anonymity is often sought in online activities, such as browsing the web, participating in online forums, or making transactions, to protect personal information from being collected and misused. Hence, data privacy concerns the protection of personal information, while anonymity focuses on concealing personal information to prevent identification. Both concepts play important roles in protecting individual privacy rights in the digital environment.
The digital age has made protecting personal information a complex and crucial issue. The rise of Open Finance, for instance, allows for the sharing of payment data with third parties, creating more opportunities for data to be stored and used for various purposes. This fragmentation in the data chain makes it challenging to keep track of the data and increases the risk of misuse. The risk of misuse could include, among others, risk profiling that can result in discrimination and higher costs for consumers. Hence, a lack of transparency makes it difficult for individuals to know who has access to their data. To address this and various other growing concerns, governments around the world have passed data privacy laws and regulations to ensure the security of their citizens’ personal data.
Navigating the world of privacy laws
With the increasing amount of personal information being shared online, privacy has become a major concern for individuals and businesses alike. And it is essential to understand the privacy laws that are in place to offer protection. These laws vary by country, making it important for businesses and citizens to stay informed and up to date on the latest developments. The world of privacy laws can be complex and overwhelming, and it becomes even more challenging when navigating the different privacy laws from one region to another. We’ll examine some privacy laws and evaluate their similarities and differences.
Europe: The home of the GDPR (General Data Protection Regulation)
The GDPR, a landmark privacy law, governs data protection and privacy for individuals within the European Union (EU). Implemented in May 2018, it mandates organisations operating within the EU to obtain consent before collecting personal data, provide individuals with the right to access, correct or delete their data, and implement appropriate technical and organisational measures to protect it. The GDPR applies to all organisations operating in the EU and is known for its stringent requirements, making it one of the strongest privacy laws in the world. Its impact extends globally, shaping the data privacy landscape, and outlining the rights and responsibilities of individuals and organisations in relation to personal data. Overall, the GDPR has had a far-reaching impact on privacy regulations globally, inspiring many countries to adopt similar principles and provide their citizens with stronger privacy protections.
- For example, the California Consumer Privacy Act (CCPA), which became effective in 2020, was heavily influenced by the GDPR. The CCPA provides California residents with the same rights that are provided to EU citizens under the GDPR, such as the right to know what personal information is being collected about them and the right to request that it be deleted. In Asia, the Personal Data Protection Commission (PDPC) of Singapore has taken a similar approach to the GDPR in developing their privacy regulations. The PDPC has been working to implement new guidelines for organisations handling personal data that are aligned with the principles of the GDPR. The Canadian government has also been influenced by the GDPR and has taken steps to enhance the country’s privacy laws. The Personal Information Protection and Electronic Documents Act (PIPEDA) has been amended to include new provisions that align with the GDPR, such as mandatory breach reporting and increased fines for non-compliance. In South America, Brazil has introduced a comprehensive privacy law called the General Data Protection Law (LGPD), which went into effect in 2020. The LGPD was inspired by the GDPR and provides individuals with similar rights, such as the right to access, correct or delete their personal data. Overall, it is considered one of the strongest data protection laws in the world.
Asia: The region is undergoing a dynamic evolution in terms of privacy laws
In contrast to Europe, Asia is a region that is still in the dynamic process of developing privacy laws. Some countries, such as Japan and South Korea, have had privacy laws in place already for many years, while others have recently passed laws. For example, Japan’s Personal Information Protection Act (PIPA) has been in place since 2005, and it requires organisations to obtain consent from individuals before collecting their personal data. Similarly,South Korea’s Personal Information Protection Act (PIPA) demands organisations to take measures to protect personal data, and it gives individuals the right to access and control their personal data. On the other hand, China has quite recently enacted several significant laws related to data protection, including the Personal Information Protection Law (PIPL) that took effect on 1 November 2021, and the Data Security Law (DSL) that became effective on 1 September 2021. These laws are accompanied by several implementing regulations and administrative rules. The PIPL establishes a comprehensive regulatory framework for the protection of personal information in China, mandating consent as the primary basis for data collection and management. The Personal Data Protection Act governs privacy and data protection in Malaysia and requires organisations to obtain consent from individuals before collecting, using or disclosing their personal data and imposes penalties for non-compliance. India, being the world’s second largest internet market, released the highly anticipated fourth draft of its proposed privacy law, the Digital Personal Data Protection Bill on 18 November 2022. To the surprise of many experts, this draft was entirely new and not a revision of previous drafts, being notably shorter and straightforward in its language. Despite this departure from the widely utilised GDPR model for privacy laws, the trend in Asia is towards increasingly stringent privacy regulations, with numerous countries in the region adopting similar data protection standards inspired by the EU.
United States of America
Privacy regulations in the US are mainly controlled by industry-specific rules. For instance, the Health Insurance Portability and Accountability Act (HIPAA) oversees the management of medical data, while the Children’s Online Privacy Protection Act (COPPA) ensures the privacy rights of children who are below 13 years old. Despite this fragmented approach, some states have introduced their own privacy laws, as has been mentioned earlier, such as the California Consumer Privacy Act (CCPA) in California.
South American countries
Each country has its own specific laws that govern data protection, privacy and the collection, storage, and use of personal information. For example, in Argentina, the Personal Data Protection Law governs data protection, privacy and the collection, storage and use of personal information. In Brazil, the General Data Protection Law (LGPD) governs data protection and privacy, and it is considered one of the strongest data protection laws in the world. Colombia has a Personal Data Protection Statute and Chile has a Personal Data Protection Act, which are similar in scope to the laws in Argentina and Brazil. It is important to note that these laws are constantly evolving, and businesses operating in these countries need to follow the latest regulations to ensure they comply.
These are just a few examples of the key data privacy regulations around the world. Each of these regulations has a significant impact in their jurisdictions on the way organisations collect, store and use personal information, and they are a critical part of efforts to protect personal privacy and maintain trust in the digital age. For businesses operating globally, it is a challenging task to be aware of privacy laws in each country where they operate. This may require a significant investment in legal and technical resources, but it is an essential obligation to ensure compliance with local laws and to protect the privacy of individuals.
Financial services and data privacy: managing the risks, responsibilities and challenges
Financial services firms have distinctive duties and liabilities regarding data privacy, as they routinely deal with large quantities of confidential financial and personal data. As a result, data privacy laws have a profound effect on financial services businesses, influencing their collection, storage and utilisation of personal information. Some of the obstacles they face include, but are not limited to, the expense of conforming to regulations and the requirement for continuous adaptation and innovation.
One of the key impacts of data privacy regulations is the increased responsibility of financial services firms to ensure the security and protection of personal information. This includes taking measures to prevent data breaches, theft and unauthorised access to personal information. Financial services firms must also implement robust privacy policies and procedures to ensure they follow data privacy regulations.
Another impact of data privacy regulations is the obligation to provide customers with greater control over their personal information. This includes the right to access, modify and delete personal information, as well as the right to opt-out of the collection and use of personal information for marketing purposes. Financial services firms must also be transparent about their data collection and use practices and provide customers with clear and easy-to-understand privacy policies.
Data privacy regulations also place obligations on financial services firms to respect the privacy of individuals and to handle personal information in a responsible and ethical manner. This includes avoiding the use of personal information for purposes that are not explicitly consented to by the individual and ensuring that personal information is only used for legitimate business purposes.
In summary, data privacy regulations have a significant impact on financial services firms and require them to take a proactive approach to protecting personal information and ensuring customer privacy. That is why these firms must be fully aware of their responsibilities and obligations under data privacy regulations and take the necessary steps to comply with these regulations and protect personal information.
Some examples of the challenges faced by financial services firms regarding data privacy regulations are:
- Cost of compliance: Compliance with data privacy regulations can be expensive and resource-intensive, requiring significant investments in technology, infrastructure, and personnel. Financial services firms must allocate significant resources to ensure that they comply with data privacy regulations and maintain their privacy policies and procedures.
- Complex regulations: Data privacy regulations can be complex and challenging to understand, making it difficult for financial services firms to stay in compliance. This requires a significant investment of time and resources to understand the regulations and develop effective strategies for compliance.
- Ongoing adaptation and innovation: Data privacy regulations are constantly evolving, requiring financial services firms to continuously adapt and innovate their privacy policies and procedures. This ongoing effort can be time-consuming and resource-intensive, as firms must stay up to date with changes in the law and emerging privacy issues.
- Balancing privacy and innovation: Financial services firms must strike a balance between protecting personal privacy and leveraging innovative technologies and services. This can be challenging, as the rapid pace of technological change often outpaces the development of privacy regulations.
- Maintaining customer trust: Financial services firms must maintain the trust of their customers by ensuring the security and protection of personal information. Data privacy regulations place a significant burden on financial services firms to ensure the security of personal information, and any security incidents or privacy violations can damage the reputation of the company and erode customer trust.
The cost of being in compliance with data protection regulation
Source: Ponemon Institute and Globalscape (2017).
How data privacy regulations reshape business practices
The implementation of data privacy regulations has resulted in changes to business practices, particularly those that rely on collecting and analysing data. For instance, businesses that previously collected vast amounts of data now need to justify their need for the information they collect, ensuring it is relevant and necessary for their operations. This shift has led to a more cautious approach in data collection, as businesses are mindful of the potential legal and financial consequences of non-compliance. For instance, the financial industry, responsible for handling large amounts of personal and financial data, is considerably affected by these regulations. In essence, the data privacy regulations necessitated financial service companies to be more vigilant in safeguarding data privacy and security, leading to a transformation in their approach to data privacy.
For example, the GDPR has encouraged financial services firms to be more transparent about their data collection and use practices and has given customers greater control over their personal information. Financial services firms must now comply with strict requirements for data protection and must implement robust security measures to protect against data breaches and theft. The GDPR has also driven innovation in the financial services sector, as firms seek to find new and more secure ways of handling personal information. For example, blockchain technology has the potential to support data privacy in financial services, by providing more secure and transparent way of storing and managing personal information.
In addition, data privacy regulations have encouraged businesses to adopt robust cybersecurity practices to safeguard their customers’ data. Companies are required to implement appropriate security measures to protect data from unauthorised access, alteration, or disclosure. This requirement has resulted in businesses investing in cybersecurity tools, such as firewalls, encryption and intrusion detection systems, to secure their data and prevent data breaches.
Moreover, data privacy regulations have created new business opportunities, particularly for tech companies that offer data protection services. These companies provide solutions to help businesses comply with data protection regulations, such as data encryption and secure cloud storage. They also assist businesses in creating data privacy policies and conducting data privacy assessments.
In conclusion, data privacy regulations have forced businesses to prioritise data privacy and adopt more transparent and accountable data collection which has resulted in significant changes in business operations. While these changes may come with a cost, the benefits of data privacy regulations include greater trust among customers, which can enhance a company’s reputation and increase customer loyalty.
Is there an economic gain from data privacy laws?
According to some recent studies, there can be an economic gain from data privacy laws as well. Data privacy regulations could create economic benefits for both consumers and businesses. But it is important to exercise caution when drawing immediate conclusions as regulations like the GDPR has only recently become enforceable. Some of the initial costs of adhering, such as compliance costs, and impact on firms’ performance may be the result of temporary adjustment costs. Nevertheless, the cost of compliance can be high, particularly for small and medium-sized businesses. Thus, it is possible that the impact of the GDPR on firm performance could diminish over time. Nonetheless, businesses that invest in data privacy can reap the benefits of increased customer trust and loyalty, as well as new business opportunities.
For consumers, data privacy regulations can provide increased control over their personal information, enhanced protection against data breaches and theft, and the assurance that their personal data is being used in accordance with their rights and interests. This can lead to increased trust in digital services, which can in turn drive demand and create new business opportunities.
For businesses, data privacy regulations could have the potential to bring economic benefits, although the costs of compliance can be significant. Adhering to data privacy regulations can help businesses build trust and credibility with customers, which can increase customer loyalty and lead to new business opportunities and investments. For example, following the enactment of Kenya’s Data Protection Act in 2019, Amazon Web Services made new investments in the country, including setting up its data cloud infrastructure in Nairobi. The company acknowledged the significance of the law, which paved the way for its investment. In addition, data privacy regulations can help businesses avoid the reputational damage and financial losses that can result from data breaches and other privacy violations.
Privacy in the digital age: CBDCs and personal data protection
Governments and central banks worldwide are actively exploring the potential for central bank digital currencies (CBDCs) as the digital version of traditional fiat money. But as countries around the world consider the idea of issuing their own digital fiat money, questions and concerns about data privacy, anonymity and compliance with anti-money laundering (AML) and counter-terrorism financing (CFT) regulations have emerged.
While CBDCs offer several advantages for central banks, it is essential to prioritise privacy in payments. As noted, CBDCs are a digital form of a country’s currency issued and supported by the central bank, offering a secure and efficient way of conducting transactions. They have the potential to eventually replace cash, but a significant concern associated with CBDCs is their likely implication for data privacy.
As CBDC transactions are likely to be centrally stored, individuals’ transactional data could be vulnerable to misuse, surveillance or compromise by malicious actors. Data privacy regulations are in place to safeguard individuals’ personal information from unauthorised access, misuse and disclosure. Therefore, it is crucial for central banks and governments to prioritise and implement strong data privacy protections to ensure that individuals’ personal information is safeguarded while using CBDCs.
In addition, there has been active participation in discussions regarding the privacy and anonymity implications of CBDCs by multiple researchers and global experts, who are suggesting various design elements that could potentially provide workable solutions.
Examples of such design solutions could comprise:
User control: Users should have the ability to control their personal data and transactions, with options to select the degree of anonymity or privacy they desire.
Encryption: Transactions should be encrypted to prevent unauthorised access or tracking of user activity.
Limited data collection: CBDCs can be designed to collect only the necessary data for transaction processing while avoiding the collection of unnecessary personal information.
Anonymous wallets: CBDCs could have the option of anonymous wallets that do not require identity verification.
Decentralisation: A decentralised CBDC architecture can be designed to prevent centralised surveillance of user activity.
Offline transactions: Offline transactions can be allowed to protect against network surveillance and potential data breaches.
Differential privacy: Differential privacy techniques can be used to ensure that transaction data is anonymised and cannot be traced back to individual users. In summary, while CBDCs offer numerous advantages, it is essential to prioritise data privacy to protect individuals’ personal information from unauthorised access, misuse and disclosure. Central banks and governments must prioritise and implement strong data privacy protections to ensure that CBDCs are safe, secure and trusted by users.
 A data breach is an incident in which sensitive or confidential information is copied, transmitted, or stolen by an unauthorised entity. This can occur because of malware attacks, payment card fraud, insider leaks or unintended disclosure. The targeted data is often customer PII (personally identifiable information), employee PII, intellectual property, corporate data or government agency data. The largest data breach recorded occurred in 2013, when all three billion Yahoo accounts had their information compromised. In that cyberattack, the hackers were able to gather the personal information and passwords of users. While the full extent of the Yahoo data breach is still not fully realised, subsequent cybercrimes across the globe have been linked to the stolen information.
 For outsiders, the difference between privacy and anonymity is not always clear. For example, for the Dutch Data Protection Authority (DPA), privacy is strictly processing of personal data. It is data that can be related to persons and processed in an automated or non-automated way. That is the DPA’s area of oversight, where the aim is to protect the data and safeguard all other rights of consumers. In other words, citizens must retain control over who else can see their data. Anonymity, on the other hand, is a concept developed in case law. Anonymisation techniques define what anonymity is. Advice on this is currently being rewritten by the European Data Protection Board (EDPB). It is expected that the new guidance will be formulated a bit more strictly as the advent of more and more data sources and the possibilities of machine learning make it increasingly easy to trace data back to individuals from datasets that are supposedly anonymised. What is popularly called ‘anonymised’ will often legally qualify as ‘pseudonymised’ (a term defined in Art. 4 of the AVG).
Some examples of tech companies that offer data protection services are: Microsoft – provides data protection services through its Azure Information Protection and Office 365 Advanced Data Governance solutions. Amazon Web Services (AWS) – offers data protection services through its AWS Key Management Service (KMS) and AWS Certificate Manager. Google – provides data protection services through its Google Cloud Data Loss Prevention (DLP) and Google Vault solutions. Symantec – offers data protection services through its Endpoint Encryption and Data Loss Prevention solutions. McAfee – provides data protection services through its Total Protection and Endpoint Protection solutions. IBM – offers data protection services through its Guardium Data Protection and IBM Cloud Security solutions. Tencent – offers data protection services through its Tencent Cloud Data Security solution. Alibaba Cloud – provides data protection services through its Cloud Security Centre and Anti-DDoS Pro solutions. NTT Communications – offers data protection services through its Security Management and Log Management solutions. NEC Corporation – provides data protection services through its Cloud Security and Data Encryption solutions. Hitachi Systems Security – offers data protection services through its Managed Security Services and Security Compliance solutions.
 References in this regard include Ciriani (2015), Forbes Technology Council (2018), Chen et al. (2022), Dutta (2022), Johnson (2022), Narayanadas (2022) and Shuptrine (2022).
 References in this regard include Engert and Fung (2017), Engert et al. (2018), Agur et al. (2019), BIS (2020), Raghuveera (2020) and Hansen and Delak (2022).
Ayse Sungur is a Senior Financial Sector Specialist in the Financial Stability, Supervision, and Payments Pillar at the SEACEN Centre.