GDPR wasn't the beginning and it certainly won't be the end. Strict data privacy legislation with extraterritorial applicability is appearing in more and more economies across the globe, meaning the list of “GDPR-free” havens is growing shorter by the day.
CISOs and other data security executives at globally operating organizations will have no choice but to adopt a cross-regulatory compliance strategy in order to keep up. Cross-regulatory compliance begins by determining in what ways data privacy regulations overlap in order to synergize compliance efforts. Some of the most common requirements include cryptographic protection of sensitive data and data protection impact assessments, clear data retention policies, and breach notifications.
To help you get started, here are seventeen examples of countries that have adopted or are considering adopting comparable data privacy laws. Each flag contains a link to either the law itself, the respective jurisdiction's official page regarding data privacy (in English where available), or an English-language news article or blog post with more information.
If implemented, the aims and objectives of the act would align with certain provisions of GDPR. For example, companies could face fines of up to 5% of global revenue or $25 million, whichever is greater, for the most serious offenses. That would make the ceiling for fines even higher than with GDPR, which is capped at 4%.
In addition to buttressing the data privacy amendment, this bill would also bring data privacy protections in Chile up to a level comparable to GDPR. It includes the creation of a personal data protection agency, as well as regulations regarding the handling, collection, and transfer of personal data. It also has fines for non-compliance which by themselves are not especially high but can double and even triple in cases of repeat offenses or in combination with accessory sanctions.
Non-compliance would be classified in three levels of severity with corresponding penalties that range from as low as about 55 EUR for the most minor infractions up to around 530,000 EUR for the worst*. This is a major difference from GDPR, as the fines are not proportional to global annual turnover.
*As of August 2020.
It is similar to GDPR in that it applies to those inside and outside of Egypt who collect or process the personal data of persons staying in Egypt, regardless of national origin, and sets standards for both data controllers and data processors. All data breaches must be reported within 72 hours of discovery while breaches affecting national security must be reported within 24 hours.
The fines for non-compliance, however, are significantly lower than under GDPR, with a minimum of 100,000 LE (approx. 5,560 EUR) and a maximum of 1 million LE (approx. 55,600 EUR). According to Egypt's penal code, violations of individuals' privacy may even result in prison sentences, especially when personal information is used for blackmail.
In February 2018, the Israeli government approved an amendment to the existing Privacy Law which, if enacted by the Knesset, would give the PPA greater authority to investigate data privacy violations and impose fines of up to 3.2 million ILS (roughly 900,000 EUR) for violations. It is currently unclear whether the amendment will move forward.
More recently, Japan and the European Commission reached an agreement on "reciprocal adequacy" of their respective data protection laws. Japan has created a "white list" of EU companies that exercise sufficient caution when handling personal information, while the EU has created the same for qualifying Japanese companies. This also means that data subjects in the EU have recourse for violations of their data privacy rights by companies based in Japan and vice versa.
What's similar to GDPR is the requirement to notify authorities and affected parties of data breaches and the introduction of new restrictions to offshore data transfer, similar to Australia's Privacy Amendment from 2018. However, a few things are decidedly different which make these new amendments to New Zealand's Privacy Act significantly less threatening than GDPR.
First, the fines for non-compliance are significantly lower than with GDPR (the maximum fine is just 10,000 NZD; however, there is a mechanism in place for class action suits). Second, while New Zealand is sometimes forgotten on world maps, the "right to be forgotten" is not included in the Privacy Act either, nor is the right to data portability. Finally, the restrictions on offshore data transfer don't typically apply to cloud servers, which makes a huge difference as most major cloud servers are based outside of New Zealand.
The NDPR mirrors a lot of terminology and concepts from GDPR. It applies to the processing of personal data inside and outside of Nigeria, establishes the rights of data subjects, defines obligations of data controllers and data processors, and sets standards for transfer of personal data to foreign territories.
The section on Administrative Sanctions in the Implementation Framework doesn't specify a minimum or maximum fine, but it lists the following factors being taken into account when determining the amount: the "nature, gravity and severity of the breach; the number of data subjects affected; damage suffered by data subjects; opportunity for curtailment left unexplored, and whether the breach is the first by the offending entity."
In some ways, GDPR is stricter than POPIA while in other situations the opposite is true. For instance, GDPR has certain exemptions for SMEs, such as the requirements for having a dedicated Data Protection Officer and record keeping, while POPIA applies to all companies regardless of size. On the other hand, GDPR has requirements governing data portability, while POPIA does not.
Finally, when it comes to penalties for non-compliance, the two regulations are quite different and the question of "which is worse" depends on your perspective. GDPR has significantly higher fines (the highest fine for POPIA being 10 million ZAR or roughly 500,000 EUR), but no criminal charges, while POPIA does include criminal charges. If you're responsible for your company's bottom line, a GDPR violation may seem scarier, however if you end up in a South African jail for 10 years for a POPIA violation, your opinion on the matter might differ.
A number of the new provisions are very similar to corresponding provisions of GDPR. These include, but are not limited to, the right to be forgotten, the right to data portability, requirements for regular data protection impact assessments (DPIA), and breach notification requirements. While not nearly as high as those from GDPR, the maximum fines for non-compliance will be increased from 10,000 CHF to 250,000 CHF or approximately 230,000 EUR.
The penalties for non-compliance are a bit more complicated than GDPR. Administrative fines have a ceiling of 5 million THB, which only equates to approximately 140,000 EUR. However, there is potential for criminal penalties that can even include imprisonment for up to one year, punitive damages capped at twice the amount of actual damages, and data subjects may be able to pursue class action lawsuits. To avoid these penalties, data controllers and processors both in and outside of Thailand should ensure they are in compliance with PDPA.
Fines for individual violations can range from 5,000 TRY (approx. 325 EUR) to 1 million TRY (65,000 EUR) depending upon the nature and severity of the violation and in some cases the KVKK can ban certain processing activities. Similar to GDPR, LPDP has extra-territorial applicability, however the fines are significantly lower.
More recently, the KVKK has proposed amendments to clarify definitions and justified uses of health related data and to specify which countries are deemed as having adequate data protection laws when controllers wish to transfer personal data abroad. A list of countries and economic zones was not originally published leaving only the option to apply for permission from the KVKK to transfer data internationally on an individual basis.
CCPA has many provisions that overlap with GDPR. California may be only one state out of fifty but, as California politicians love to point out, the State has a larger population and annual GDP than most countries in the world (before you ask, I do have a source to back that up), which means the market affected by CCPA makes up a non-negligible part of not just the US, but the global economy.
Since CCPA's passage, in several other States and on the federal level, lawmakers on both sides of the aisle have introduced a slew of similar data privacy bills and proposals. Whether any of these bills will actually become law still remains to be seen, but it appears that momentum is building. Then there are even those in the tech industry who are requesting similar legislation in the US, including Apple CEO Tim Cook.
While there had been an EU-US Privacy Shield framework in place to make GDPR compliance more understandable for organizations operating on both sides of the Atlantic, the European Court of Justice struck down the agreement, finding that the rights of EU data subjects were not adequately protected from US surveillance. This landmark decision is also referred to as "Schrems" after the lawyer who put the case in motion.
Since then, Privacy Shield has been going back and forth between EU legislators and courts with new revisions and rejections. In our interview with Max Schrems, he sees two eventual ends to this ping-pong game: either the US passes its own federal data privacy law on par with GDPR, which he finds unlikely, or EU member states start cracking down on companies within their own jurisdictions that are giving US companies access to the personal data of EU data subjects.
International economic organizations such as the Organization for Economic Co-operation and Development (OECD), the Asia-Pacific Economic Cooperation (APEC) Forum, and the African Union (AU) have come up with their own data privacy guidelines regarding the transfer of personal data across borders. These guidelines help to create an international standard for data privacy and protection in order to facilitate international trade, but they are sometimes more lax than the domestic laws of participating countries. This means that data security and compliance executives still have to come up with their own cross-regulatory compliance strategy that adheres to the stringent regulations in their target markets.
Furthermore, although many of these regulations are similar to GDPR, compliance with GDPR is not enough to guarantee full compliance with any of the above regulations as they each have their share of differences. There are no catch-all solutions and this is by no means an exhaustive list.
Editor's Note: This article was originally published in January 2019 and is updated periodically as more countries introduce new data privacy legislation.