GDPR wasn't the beginning and it certainly won't be the end. Strict data privacy legislation is appearing in more and more economies across the globe, meaning the list of “GDPR-free” havens is growing shorter by the day. CISOs and other data security executives at globally operating organizations will have no choice but to adopt a cross-regulatory compliance strategy in order to keep up. That is why Martin Kuppinger, Principal Analyst at KuppingerCole, lists cross-regulatory compliance among his top 5 topics for CISOs in 2019. Cross-regulatory compliance begins by determining in what ways data privacy regulations overlap in order to synergize compliance efforts.
To help you get started, here are six examples of countries that have adopted comparable data privacy laws:
Brazil – Brazil’s Lei Geral de Proteção de Dados (LGPD) was modeled directly after GDPR and is nearly identical in terms of scope, applicability, and financial penalties for non-compliance. Companies wishing to do business with Latin America’s largest economy will have to comply with LGPD by February 2020 or be subject to fines of up to 50 million BRL (approximately 11.8 million EUR).
Australia – the Privacy Amendment (Notifiable Data Breaches) to Australia’s Privacy Act came into effect in February 2018. Organizations with an annual turnover of over 3 million AUD will have to disclose data breaches that pose a “real threat of serious harm” within 30 days of their discovery or face fines of up to 1.8 million AUD (approximately 1.1 million EUR).
USA – while there is currently no data privacy law applicable to all industries on the federal level, every state in the Union has its own data privacy laws. These regulations vary significantly in terms of scope, applicability, and penalties, but the strictest among them is the recent California Consumer Privacy Act (CCPA), which has many provisions that overlap with GDPR. California may be only one state out of fifty but, as California politicians love to point out, the State has a larger population and annual GDP than most countries in the world (before you ask, I do have a source to back that up), which means the market affected by CCPA makes up a non-negligible part of not just the US, but the global economy.
Since CCPA's passage, lawmakers on both sides of the aisle, in several other States and on the federal level, have introduced a slew of similar data privacy bills and proposals. Whether any of these bills will actually become law remains to be seen, but it appears that momentum is building. There are even those in the tech industry who are calling for similar legislation in the US, including Apple CEO Tim Cook.
Japan – Japan's Act on Protection of Personal Information was amended in May 2017 and now applies to both foreign and domestic companies that process the data of Japanese citizens. Companies located outside of Japan will now be subject to the strict guidelines laid down in the Act.
More recently, Japan and the European Commission reached an agreement on "reciprocal adequacy" of their respective data protection laws. Japan has created a "white list" of EU companies that exercise sufficient caution when handling personal information, while the EU has created the same for qualifying Japanese companies. This also means that data subjects in the EU have recourse for violations of their data privacy rights by companies based in Japan and vice versa.
South Korea – For companies that process personal data of South Koreans, privacy standards on par with GDPR are nothing new. South Korea's Personal Information Protection Act has been in effect since September 2011 and from the outset has included many GDPR-like provisions, including requirements for gaining consent, the scope of applicable data, appointment of a Chief Privacy Officer, and limitation and justification of data retention periods.
Thailand – In February 2019, the National Legislative Assembly of Thailand approved and endorsed the Thailand Personal Data Protection Act (PDPA). The Act was subsequently published in the Government Gazette on 27 May 2019 and will come into effect exactly a year later, on 27 May 2020. The PDPA is similar to GDPR in a number of ways, including the broad definition of personal data, the requirement to establish a legal basis for collection and use of personal data, extraterritorial applicability, and potentially harsh penalties for non-compliance.
The penalties for non-compliance are a bit more complicated than under GDPR. Administrative fines have a ceiling of 5 million THB, which only equates to approximately 140,000 EUR. However, there is also the potential for criminal penalties that can even include imprisonment for up to one year, for punitive damages capped at twice the amount of actual damages, and for class action lawsuits brought by data subjects. To avoid these penalties, data controllers and processors both in and outside of Thailand should ensure they are in compliance with PDPA.
International economic organizations such as the Organization for Economic Co-operation and Development (OECD) and the Asia-Pacific Economic Cooperation (APEC) Forum have come up with their own data privacy guidelines regarding the transfer of personal data across borders. These guidelines help to create an international standard for data privacy and protection in order to facilitate international trade, but they are often more lax than the domestic laws of participating countries. This means that data security and compliance executives still have to come up with their own cross-regulatory compliance strategy that adheres to the stringent regulations in their target markets.
Furthermore, although many of these regulations are similar to GDPR, compliance with GDPR is not enough to guarantee full compliance with any of the above regulations as they each have their share of differences.
Editor's Note: This article was updated in June 2019 to include Thailand's PDPA.