GDPR wasn't the beginning and it certainly won't be the end. Strict data privacy legislation is appearing in more and more economies across the globe, meaning the list of “GDPR-free” havens is growing shorter by the day. CISOs and other data security executives at globally operating organizations will have no choice but to adopt a cross-regulatory compliance strategy in order to keep up. That is why Martin Kuppinger, Principal Analyst at KuppingerCole, lists cross-regulatory compliance among his top 5 topics for CISOs in 2019. Cross-regulatory compliance begins by determining in what ways data privacy regulations overlap in order to synergize compliance efforts.
To help you get started, here are twelve examples of countries who have adopted or are close to adopting comparable data privacy laws:
Brazil – Brazil’s Lei Geral de Proteçao de Dados (LGPD) was modeled directly after GDPR and is nearly identical in terms of scope and applicability, but with less harsh financial penalties for non-compliance. Companies wishing to do business with Latin America’s largest economy will have to comply with LGPD or be subject to fines of up to 50 million BRL (approximately 11.8 million EUR). Originally, LGPD was supposed to come into effect by February 2020, but after some last minute legislative back and forth, it finally went into effect in September 2020.
Australia – the Privacy Amendment (Notifiable Data Breaches) to Australia’s Privacy Act came into effect in February 2018. Organizations with an annual turnover of over 3 million AUD will have to disclose data breaches that pose a “real threat of serious harm” within 30 days of their discovery or faces fines of up to 1.8 million AUD (approximately 1.1 million EUR).
USA – while there is currently no data privacy law applicable to all industries on the federal level, every state in the Union has their own data privacy laws. These regulations vary significantly in terms of scope, applicability, and penalties, but the strictest among them is the recent California Consumer Privacy Act (CCPA), which has many provisions that overlap with GDPR. California may be only one state out of fifty but, as California politicians love to point out, the State has a larger population and annual GDP than most countries in the world (before you ask, I do have a source to back that up), which means the market affected by CCPA makes up a non-negligible part of not just the the US, but the global economy.
Since CCPA's passage, in several other States and on the federal level, lawmakers on both sides of the aisle have introduced a slew of similar data privacy bills and proposals. Whether any of these bills will actually become law still remains to be seen, but it appears that momentum is building. Then there are even those in the tech industry who are requesting similar legislation in the US, including Apple CEO Tim Cook.
While there had been a EU-US Privacy Shield framework in place to make GDPR compliance more understandable for organizations operating on both sides of the Atlantic, the European Court of Justice struck down the agreement, alleging that the rights of EU data subjects were not adequately protected from US surveillance. The EU and US have reentered talks on how to come to a new agreement given the ECJ's recent decision.
Japan – Japan's Act on Protection of Personal Information, 個人情報保護法, was amended in May 2017 and now applies to both foreign and domestic companies that process the data of Japanese citizens. Companies located outside of Japan will now be subject to the strict guidelines laid down in the Act.
More recently, Japan and the European Commission reached an agreement on "reciprocal adequacy" of their respective data protection laws. Japan has created a "white list" of EU companies that exercise sufficient caution when handling personal information, while the EU has created the same for qualifying Japanese companies. This also means that data subjects in the EU have recourse for violations of their data privacy rights by companies based in Japan and vice versa.
South Korea – For companies that process personal data of South Koreans, privacy standards on par with GDPR are nothing new. South Korea's Personal Information Protection Act, 개인정보 보호법, has been in effect since September of 2011 and from the outset has included many GDPR-like provisions, including requirements for gaining consent, the scope of applicable data, appointment of a Chief Privacy Officer, and limitation and justification of data retention periods.
Thailand - In February 2019, the National Legislative Assembly of Thailand approved and endorsed the Thailand Personal Data Protection Act (PDPA). The Act was subsequently published in the Government Gazette on May 2019 and was supposed to come into full force a year later on 27 May 2020, however a royal decree has extended the grace period for an other year for key provisions and industries. The PDPA is similar to GDPR in a number of ways, including the broad definition of personal data, the requirement to establish a legal basis for collection and use of personal data, extraterritorial applicability, and potentially harsh penalties for non-compliance.
The penalties for non-compliance are a bit more complicated than GDPR. Administrative fines have a ceiling of 5 million THB, which only equates to approximately 140,000 EUR. However, there is potential for criminal penalties that can even include imprisonment for up to one year, punitive damages capped at twice the amount of actual damages, and data subjects may be able to pursue class action lawsuits. To avoid these penalties, data controllers and processors both in and outside of Thailand should ensure they are in compliance with PDPA.
Chile - In 2018, Chile's Constitution was amended to include data privacy as a human right. Since then, numerous bills have been introduced to update the country's data privacy law, Ley 19,628, in order to guarantee legal protections that reflect the amendment. As of March 2020, one such data protection bill has reached the final stages before becoming law.
In addition to buttressing the data privacy amendment, this bill would also bring data privacy protections in Chile up to a level comparable to GDPR. It includes the creation of a personal data protection agency, as well as regulations regarding the handling, collection, and transfer of personal data. It also has fines for non-compliance which by themselves are not especially high but can double and even triple in cases of repeat offenses or in combination with accessory sanctions.
Non-compliance would be classified in three levels of severity with corresponding penalties that range from as low as about 55 EUR for the most minor infractions, up to around 530,000 EUR for the worst*. This is a major difference to GDPR as the fines are not proportional to global annual turnover.
*As of August 2020.
New Zealand - New amendments to New Zealand's 1993 Privacy Act made their way through parliament in June 2020 and came into effect on December 1, 2020. Admittedly, it's debatable whether these amendments are actually "GDPR-like" as they are missing key provisions that the GDPR is notable for.
What's similar to GDPR is the requirement to notify authorities and affected parties of data breaches and the introduction of new restrictions to offshore data transfer, similar to Australia's Privacy Amendment from 2018. However, a few things are decidedly different which make these new amendments to New Zealand's Privacy Act significantly less threatening than GDPR.
First, the fines for non-compliance are significantly lower than with GDPR (the maximum fine is just 10,000 NZD, however there is a mechanism in place for class action suits). Second, while New Zealand is sometimes forgotten on world maps, the "right to be forgotten" is not included in the Privacy Act either, nor is the right to data portability. Finally, the restrictions on offshore data transfer don't typically apply to cloud servers, which makes a huge difference as most major cloud servers are based outside of New Zealand.
India - India's Personal Data Protection Bill (PDPB) was introduced to parliament in December of 2019 and is likely to pass this year. Companies all over India are already beginning to prepare. PDPB is modeled after GDPR although some of its policies aren't laid out as clearly and more discretion is given to India's Central Government to decide how it is enforced and when exceptions can be made. It is similar in terms of requiring consent of data subjects (or in PDPB's case, "data principals"), breach notification requirements, a right to be forgotten, and heavy fines for noncompliance that may be as a high as 4% of global annual turnover.
South Africa - South Africa's Protection of Personal Information Act (POPIA) came into effect on July 1, 2020 with an exactly one year grace period. Organizations that are already GDPR compliant will certainly have a head start in becoming compliant with POPIA, but the two regulations aren't identical.
In some ways, GDPR is stricter than POPIA while in other situations the opposite is true. For instance, GDPR has certain exemptions for SMEs, such as the requirements for having a dedicated Data Protection Officer and record keeping, while POPIA applies to all companies regardless of size. On the other hand, GDPR has requirements governing data portability, while POPIA does not.
Finally, when it comes to penalties for non-compliance, the two regulations are quite different and the question of "which is worse" depends on your perspective. GDPR has significantly higher fines (the highest fine for POPIA being 10 million ZAR or roughly 500,000 EUR), but no criminal charges, while POPIA does include criminal charges. If you're responsible for your company's bottom line, a GDPR violation may seem scarier, however if you end up in jail for 10 years for a POPIA violation, your opinion on the matter might differ.
China – In October 2020, the People's Republic of China publicly released a draft of its Personal Data Protection Law, PDPL. This draft has garnered more attention across the globe as its extraterritorial applicability is much clearer than that of China's existing Cyber Security Law. If passed, companies that do business in China, regardless of any physical presence in the country, would have to comply or be subject to fines of up to 50,000,000 CNY (roughly 6 million EUR) or 5% of global annual turnover, in addition to personal fines of up to 1 million CNY for individuals found responsible.
Canada – On November 17, 2020 the Canadian government introduced a bill known as the Digital Charter Implementation Act, which would amend its data privacy policies. It has been described by Innovation Minister Navdeep Bains as an “act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts.”
If implemented, the aims and objectives of the act would align with certain provisions of GDPR. For example, companies could face fines of up to 5% of global revenue or $25 million, whichever is greater, for the most serious offenses. That would make the ceiling for fines even higher than with GDPR, which is capped at 4%.
International economic organizations such as the Organization for Economic Co-operation and Development (OECD) and the Asia-Pacific Economic Cooperation (APEC) Forum have come up with their own data privacy guidelines regarding the transfer of personal data across borders. These guidelines help to create an international standard for data privacy and protection in order to facilitate international trade, but they are oftentimes more lax than the domestic laws of participating countries. This means that data security and compliance executives still have to come up with their own cross-regulatory compliance strategy that adheres to the stringent regulations in their target markets.
Furthermore, although many of these regulations are similar to GDPR, compliance with GDPR is not enough to guarantee full compliance with any of the above regulations as they each have their share of differences.
Editor's Note: This article is updated periodically as more countries adopt stricter data privacy legislation.