GDPR wasn't the beginning and it certainly won't be the end. Strict data privacy legislation with extraterritorial applicability is appearing in more and more economies across the globe, meaning the list of “GDPR-free” havens is growing shorter by the day.
CISOs and other data security executives at globally operating organizations will have no choice but to adopt a cross-regulatory compliance strategy in order to keep up. Cross-regulatory compliance begins by determining where data privacy regulations overlap so that compliance efforts can be pooled. Requirements that recur across most of them include cryptographic protection of sensitive data, data protection impact assessments, defined data retention periods, and breach notification deadlines.
To help you get started, here are seventeen examples of countries that have adopted, or are considering adopting, comparable data privacy laws. Each flag contains a link to either the law itself, the respective jurisdiction's official page regarding data privacy (in English where available), or an English language news article or blog post with more information.
1. Australia – the Privacy Amendment (Notifiable Data Breaches) to Australia's Privacy Act came into effect in February 2018. Organizations with an annual turnover of over 3 million AUD have to disclose data breaches that pose a "real threat of serious harm" within 30 days of their discovery or face fines of up to 1.8 million AUD (approximately 1.1 million EUR).
2. Brazil – Brazil's Lei Geral de Proteção de Dados (LGPD) was modeled directly after GDPR and is nearly identical in terms of scope and applicability, but with less harsh financial penalties for non-compliance. Companies wishing to do business with Latin America's largest economy have to comply with LGPD or be subject to fines of up to 50 million BRL (approximately 11.8 million EUR) per infraction. Originally, LGPD was supposed to come into effect by February 2020, but after some last-minute legislative back and forth, it finally went into effect in September 2020.
3. Canada – On November 17, 2020 the Canadian government introduced a bill known as the Digital Charter Implementation Act, which would overhaul its federal private-sector privacy law. It has been described by Innovation Minister Navdeep Bains as an "act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts."
If implemented, the aims and objectives of the act would align with certain provisions of GDPR. For example, companies could face fines of up to 5% of global revenue or 25 million CAD, whichever is greater, for the most serious offenses. That would make the ceiling for fines even higher than with GDPR, which is capped at 4% of global annual turnover or 20 million EUR, whichever is greater.
4. Chile - In 2018, Chile's Constitution was amended to include data privacy as a human right. Since then, numerous bills have been introduced to update the country's data privacy law, Ley 19.628, in order to guarantee legal protections that reflect the amendment. As of March 2020, one such data protection bill had reached the final stages before becoming law.
In addition to buttressing the data privacy amendment, this bill would also bring data privacy protections in Chile up to a level comparable to GDPR. It includes the creation of a personal data protection agency, as well as regulations regarding the handling, collection, and transfer of personal data. It also has fines for non-compliance which by themselves are not especially high but can double and even triple in cases of repeat offenses or in combination with accessory sanctions.
Non-compliance would be classified in three levels of severity with corresponding penalties that range from as low as about 55 EUR for the most minor infractions, up to around 530,000 EUR for the worst*. This is a major difference from GDPR, where fines scale with global annual turnover.
*As of August 2020.
5. China – The People's Republic of China passed the Personal Information Protection Law (PIPL), 中华人民共和国个人信息保护法, in August 2021, and it came into effect on November 1, 2021. The original draft from October 2020 already garnered significant attention across the globe as its extraterritorial applicability is much clearer than that of China's existing Cyber Security Law. Now that PIPL has taken effect, companies that process the personal information of individuals in China, regardless of any physical presence in the country, have to comply or be subject to fines of up to 50,000,000 CNY (roughly 6 million EUR) or 5% of the previous year's annual turnover, in addition to personal fines of up to 1 million CNY for individuals found responsible. Serious violations may even result in the suspension or cancellation of business licenses.
6. Egypt – In February 2020, the Egyptian House of Representatives approved a draft of Law No. 151 to protect personal data, which was endorsed by President Abdel Fattah El Sisi later that year.
It is similar to GDPR in that it applies to those inside and outside of Egypt who collect or process the personal data of persons staying in Egypt, regardless of national origin, and sets standards for both data controllers and data processors. All data breaches must be reported within 72 hours of discovery while breaches affecting national security must be reported within 24 hours.
The fines for non-compliance, however, are significantly lower than under GDPR, with a minimum of 100,000 LE (approx. 5,560 EUR) and a maximum of 1 million LE (approx. 55,600 EUR). Under Egypt's penal code, violations of individuals' privacy may even result in prison sentences, especially when personal information is used for blackmail.
7. India - India's Personal Data Protection Bill (PDPB) was introduced to parliament in December 2019 and was widely expected to pass; companies all over India began preparing for it. The bill was ultimately withdrawn in August 2022 and replaced by the Digital Personal Data Protection Act, which was enacted in August 2023. PDPB was modeled after GDPR, although some of its policies weren't laid out as clearly and more discretion was given to India's Central Government to decide how it would be enforced and when exceptions could be made. It was similar in terms of requiring consent of data subjects (or in PDPB's case, "data principals"), breach notification requirements, a right to be forgotten, and heavy fines for non-compliance that could be as high as 4% of global annual turnover.
8. Israel – In addition to Israel's Protection of Privacy Law of 1981, which deals with privacy in general, handling of digitized personal data is also covered by other data privacy regulations that deal with data security (2017) and international transfer of data (2001). They include requirements to protect sensitive data with cryptography, limit retention periods, register databases containing sensitive data, and notify authorities of any breaches or security incidents. Israel's Privacy Protection Authority (PPA), הרשות להגנת הפרטיות, provides guidelines on how to conform to Israel's data privacy laws and in the future may be granted greater powers to enforce them.
In February 2018, the Israeli government approved an amendment to the existing Privacy Law which, if enacted by the Knesset, would give the PPA greater authority to investigate data privacy violations and impose fines of up to 3.2 million ILS (roughly 900,000 EUR) for violations. It is currently unclear whether the amendment will move forward.
9. Japan – Japan's Act on the Protection of Personal Information, 個人情報保護法, was amended in 2015, with the amendments taking effect in May 2017, and now applies to both foreign and domestic companies that process the data of individuals in Japan. Companies located outside of Japan are therefore subject to the strict guidelines laid down in the Act.
More recently, Japan and the European Commission reached an agreement on "reciprocal adequacy" of their respective data protection laws. Japan has added the EU to its "white list" of jurisdictions whose data protection rules are considered equivalent to its own, while the European Commission adopted an adequacy decision for Japan in January 2019. Personal data can thus flow between the two without additional transfer safeguards, and data subjects in the EU have recourse for violations of their data privacy rights by companies based in Japan and vice versa.
10. New Zealand - New Zealand's Privacy Act 2020, which replaces the Privacy Act 1993, passed parliament in June 2020 and came into effect on December 1, 2020. Admittedly, it's debatable whether the new Act is actually "GDPR-like" as it is missing key provisions that the GDPR is notable for.
What's similar to GDPR is the requirement to notify the Privacy Commissioner and affected parties of data breaches and the introduction of new restrictions on offshore data transfer, similar to Australia's Privacy Amendment from 2018. However, a few things are decidedly different which make the new Privacy Act significantly less threatening than GDPR.
First, the fines for non-compliance are significantly lower than with GDPR (the maximum fine is just 10,000 NZD, although there is a mechanism in place for class action suits). Second, while New Zealand is sometimes forgotten on world maps, the "right to be forgotten" is not included in the Privacy Act either, nor is the right to data portability. Finally, the restrictions on offshore data transfer don't apply to cloud providers that merely store or process data on the agency's behalf, which makes a huge difference as most major cloud providers are based outside of New Zealand.
11. Nigeria – The Nigeria Data Protection Regulation (NDPR) was issued in January 2019 and in November 2020, the National Information Technology Development Agency (NITDA) published an Implementation Framework. Nigeria, like many other members of the African Union, is working towards data privacy standards in line with the 2014 Malabo Convention, and according to the NDPR, any African countries that are signatories of the convention are considered as having adequate data protection laws.
The NDPR mirrors a lot of terminology and concepts from GDPR. It applies to the processing of personal data inside and outside of Nigeria, establishes the rights of data subjects, defines obligations of data controllers and data processors, and sets standards for transfer of personal data to foreign territories.
The section on Administrative Sanctions in the Implementation Framework doesn't specify a minimum or maximum fine, but it lists the following factors being taken into account when determining the amount: the "nature, gravity and severity of the breach; the number of data subjects affected; damage suffered by data subjects; opportunity for curtailment left unexplored, and whether the breach is the first by the offending entity."
12. South Africa - South Africa's Protection of Personal Information Act (POPIA) came into effect on July 1, 2020 with a one-year grace period ending June 30, 2021. Organizations that are already GDPR compliant will certainly have a head start in becoming compliant with POPIA, but the two regulations aren't identical.
In some ways, GDPR is stricter than POPIA while in other situations the opposite is true. For instance, GDPR exempts organizations with fewer than 250 employees from most record-keeping obligations and only requires a Data Protection Officer for certain kinds of processing, while POPIA requires every responsible party, regardless of size, to register an Information Officer. On the other hand, GDPR has requirements governing data portability, while POPIA does not.
Finally, when it comes to penalties for non-compliance, the two regulations are quite different and the question of "which is worse" depends on your perspective. GDPR has significantly higher fines (the highest fine for POPIA being 10 million ZAR or roughly 500,000 EUR) but no criminal penalties of its own (member states may add them), while POPIA does include criminal offenses. If you're responsible for your company's bottom line, a GDPR violation may seem scarier; however, if you end up in a South African jail for 10 years for a POPIA violation, your opinion on the matter might differ.
13. South Korea – For companies that process personal data of South Koreans, privacy standards on par with GDPR are nothing new. South Korea's Personal Information Protection Act, 개인정보 보호법, has been in effect since September of 2011 and from the outset has included many GDPR-like provisions, including requirements for gaining consent, the scope of applicable data, appointment of a Chief Privacy Officer, and limitation and justification of data retention periods.
14. Switzerland – Switzerland's Data Protection Act "Datenschutzgesetz" (DSG) was revised in September 2020 (revDSG) and now includes stricter provisions that focus on protecting the privacy rights of individuals' data while it is being processed. After much back and forth, in September 2022 it was announced that revDSG will come into effect in September 2023.
A number of the new provisions are very similar to corresponding provisions of GDPR. These include, but are not limited to, the right to be forgotten, the right to data portability, mandatory data protection impact assessments (DPIA) for high-risk processing, and breach notification requirements. While not nearly as high as those from GDPR, the maximum fines for non-compliance will be increased from 10,000 CHF to 250,000 CHF or approximately 230,000 EUR. Note that, unlike GDPR fines, these are imposed on the responsible individuals rather than on the company, which makes them a personal risk for the executives in charge.
15. Thailand - In February 2019, the National Legislative Assembly of Thailand approved and endorsed the Thailand Personal Data Protection Act (PDPA). The Act was subsequently published in the Government Gazette in May 2019 and was supposed to come into full force a year later on 27 May 2020; however, royal decrees twice postponed the key provisions for most industries, and the PDPA finally came into full force on 1 June 2022. The PDPA is similar to GDPR in a number of ways, including the broad definition of personal data, the requirement to establish a legal basis for collection and use of personal data, extraterritorial applicability, and potentially harsh penalties for non-compliance.
The penalties for non-compliance are a bit more complicated than GDPR. Administrative fines have a ceiling of 5 million THB, which only equates to approximately 140,000 EUR. However, there is potential for criminal penalties that can even include imprisonment for up to one year, punitive damages capped at twice the amount of actual damages, and data subjects may be able to pursue class action lawsuits. To avoid these penalties, data controllers and processors both in and outside of Thailand should ensure they are in compliance with PDPA.
16. Turkey – The Republic of Turkey's Law on Personal Data Protection (LPDP, Law No. 6698) was heavily influenced by EU Directive 95/46/EC. Since its passage in 2016 it has been amended numerous times and is becoming more and more like GDPR. For example, there have been amendments for retaining, deleting, and anonymizing personal data; registration of data controllers; the organization of the Kişisel Verileri Koruma Kurumu (KVKK); and specifications for processing special categories of personal data.
Fines for individual violations can range from 5,000 TRY (approx. 325 EUR) to 1 million TRY (65,000 EUR) depending upon the nature and severity of the violation and in some cases the KVKK can ban certain processing activities. Similar to GDPR, LPDP has extra-territorial applicability, however the fines are significantly lower.
More recently, the KVKK has proposed amendments to clarify definitions and justified uses of health related data and to specify which countries are deemed as having adequate data protection laws when controllers wish to transfer personal data abroad. A list of countries and economic zones was not originally published leaving only the option to apply for permission from the KVKK to transfer data internationally on an individual basis.
17. USA – While there is currently no data privacy law applicable to all industries on the federal level, every state in the Union has at least a data breach notification law of its own, and a growing number have broader privacy statutes. Some examples include the State of New York's 23 NYCRR 500, which applies to financial institutions operating in New York, and the California Consumer Privacy Act (CCPA), which is much broader in scope.
CCPA has many provisions that overlap with GDPR. California may be only one state out of fifty but, as California politicians love to point out, the State has a larger population and annual GDP than most countries in the world (before you ask, I do have a source to back that up), which means the market affected by CCPA makes up a non-negligible part of not just the US, but the global economy.
Since CCPA's passage, in several other States and on the federal level, lawmakers on both sides of the aisle have introduced a slew of similar data privacy bills and proposals. Whether any of these bills will actually become law still remains to be seen, but it appears that momentum is building. Then there are even those in the tech industry who are requesting similar legislation in the US, including Apple CEO Tim Cook.
While there had been an EU-US Privacy Shield framework in place to make GDPR-compliant transatlantic data transfers simpler for organizations operating on both sides of the Atlantic, the Court of Justice of the European Union struck down the agreement in July 2020, finding that the rights of EU data subjects were not adequately protected from US surveillance. This landmark decision is referred to as "Schrems II" after Max Schrems, the Austrian privacy lawyer and activist who brought the case (his earlier case, "Schrems I", invalidated the Safe Harbor framework in 2015).
Since then, transatlantic transfer frameworks have been going back and forth between EU legislators and courts with new revisions and rejections. In our interview with Max Schrems he sees two eventual ends to this ping-pong game: either the US passes its own federal data privacy law on par with GDPR, which he finds unlikely, or EU member states start cracking down on companies within their own jurisdictions that are giving US companies access to the personal data of EU data subjects.
International economic organizations such as the Organization for Economic Co-operation and Development (OECD), the Asia-Pacific Economic Cooperation (APEC) Forum, and the African Union (AU) have come up with their own data privacy guidelines regarding the transfer of personal data across borders. These guidelines help to create an international standard for data privacy and protection in order to facilitate international trade, but they are sometimes more lax than the domestic laws of participating countries. This means that data security and compliance executives still have to come up with their own cross-regulatory compliance strategy that adheres to the stringent regulations in their target markets.
Furthermore, although many of these regulations are similar to GDPR, compliance with GDPR is not enough to guarantee full compliance with any of the above regulations as they each have their share of differences. There are no catch-all solutions and this is by no means an exhaustive list.
Editor's Note: This article was originally published in January 2019 and is updated periodically as more countries introduce new data privacy legislation.