Four years ago, the General Data Protection Regulation (“GDPR”) came into force in the EU. Since then, the GDPR has had a domino effect, as many countries in the world have used it as a model to shape their own rules on the handling of personal data. Given the rapid changes in data protection legislation around the world, legal and compliance teams of multinational organisations are under pressure to keep up with such developments as they continuously adapt their compliance programs in response.
At present, at least 20 countries (excluding EU member states) have adopted laws closely modelled on the GDPR. These countries are spread across every continent, not just Europe. This is in addition to the 14 countries that have obtained adequacy decisions from the European Commission because they provide a level of protection for personal data that is essentially equivalent to the level of protection in the EU.
The incentive behind adopting GDPR-like laws is often cited as a drive to do more business with the EU. Whatever the incentive, the developments in the data protection laws result in an increased recognition of the rights of individuals to privacy and data protection.
According to UNCTAD, 71% of the countries in the world now have some form of data protection legislation in place, 9% are in the process of adopting data protection legislation, and only 15% still have no data protection legislation at all.
Our table below summarises how certain elements of the GDPR have been or are being adopted in different countries.
|Data subject rights||One thing you can be certain of is that most countries that have adopted data protection legislation have included the right for individuals to be informed about how their personal data are being processed. This obligation alone takes up a lot of effort for multinationals as they assess the pros and cons of the different ways to meet this requirement. The rights of access, rectification and erasure also feature regularly on statute books across the world. Data portability is one of the least common rights around the world, but it is gaining ground: countries such as India, Singapore, Indonesia, Oman and Ecuador, and US states such as Colorado and Utah, have included it in legislation that is due to come into effect in the near future.|
|Data Protection Officer (DPO) requirement||At least 36 countries, spread across every continent, now require organisations to designate a data protection officer to oversee their compliance with data protection rules.|
|Data breach notification requirement||Many countries have introduced mandatory requirements to issue notifications following a security breach involving personal data. At least 22 countries outside the EEA and the UK, spread across Europe, Latin America, APAC and Africa, require notification within 72 hours of the breach; others allow 5 or 15 days. Note that the starting point of the clock also differs: under the GDPR, for example, the 72 hours run from the moment the organisation becomes aware of the breach, so your incident response procedure should record that time. Due to the extraterritorial effect of legislation in certain jurisdictions, you should also add a step to your data breach procedure to check whether any of the breached personal data concern data subjects in other countries. If so, your organisation may be required to notify a data protection authority or the data subjects in those countries, each within its own deadline.|
|Extraterritorial effect of data protection laws||Multinationals that process the personal data of customers or employees in various parts of the world need to take into account that many countries now have data protection laws with extraterritorial effect, for example Russia, China, Puerto Rico, Nigeria and South Africa. These include both countries with GDPR-like laws and countries whose data protection legislation differs significantly from the GDPR.
If a country has an extraterritorial data protection law, an organisation does not necessarily need a presence in that country in order to be governed by its law. The scope of the extraterritorial effect differs between countries but, in most cases, will include at least one of the following criteria:
|Data transfer rules||Some countries do not restrict cross-border transfers of, or remote access to, personal data. However, that is not true for the majority of countries. For cross-border transfers of personal data, many countries rely on the consent of the individuals or on contractual transfer tools.
Some countries have also adopted a list of adequate territories to which transfers require no additional measures. For example, quite a few countries allow transfers of personal data to countries that have signed up to Convention 108 (Russia and Serbia, for example), and a few countries recognise the EEA as an adequate territory (for example, Georgia, Albania and Morocco).
The European Commission plans to expand the list of countries it deems adequate, including countries in Latin America and Europe. In the UK, the new Information Commissioner, John Edwards, announced that the UK is looking to issue its own adequacy decisions in relation to countries such as Brazil, Colombia and Singapore.
When it comes to contractual transfer tools, the EU recently updated its standard contractual clauses (EU SCCs), which were later adopted by Switzerland and, to some extent, the UK (via the UK addendum). This list may grow, making it simpler for multinational organisations to comply with the world's data protection laws. Quite a few countries in Latin America are preparing to adopt transfer tools that will be compatible with the new EU SCCs. The Dubai International Financial Centre (DIFC) recently issued its own SCCs, based on a combination of the EU and the UK SCCs.
In general, there is a recognition that countries should align their cross-border transfer requirements as much as possible to facilitate economic growth and collaboration. This effort is already taking place in various regions of the world. In January 2021, the Association of Southeast Asian Nations (ASEAN) adopted the Model Contractual Clauses (MCCs) for cross-border transfers. The MCCs are a voluntary transfer tool that enables compliant transfers of personal data within the region and a step towards harmonising the different data transfer rules in the region.
A forum for cooperation between national data protection authorities in Latin America, the Red Iberoamericana de Protección de Datos (RIPD), prepared its own draft Model Contractual Clauses to be used for cross-border transfers in the region. The plan is for these to be compatible with the new EU SCCs as mentioned above.
On 21 April 2022, the U.S. Department of Commerce announced the launch of the Global Cross-Border Privacy Rules Forum together with Canada, Japan, the Republic of Korea, the Philippines, Singapore, and Chinese Taipei. The forum aims to promote interoperability between data protection and privacy frameworks of countries based on the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules and the Privacy Recognition for Processors System. The forum will be open to other countries and the plan is to establish a compliance certification system to allow free flows of data, among other things.
The work on facilitating the EU-US data transfers is ongoing as the US and the European Commission draft new safeguards as part of the new Trans-Atlantic Data Privacy Framework.
Whilst the work on harmonisation takes place on a regional level, organisations are likely to continue to have to adapt and comply with the differing data protection and privacy frameworks globally in the coming few years.
Closely linked to data transfers, organisations must also be mindful of data localisation requirements. Although localisation requirements are not, strictly speaking, included in the GDPR, they are being introduced in more and more countries across the world.
Data localisation laws generally require personal data, or at least a sub-category of personal data (e.g. health data), to be stored within the country. Some countries permit the cross-border transfer of such data so long as a copy remains in-country, whereas others have imposed an outright prohibition on cross-border transfers of localised personal data. Broad data localisation obligations (i.e. those affecting personal data more generally) can be seen in Russia and Kazakhstan, whereas more specific localisation obligations can be found in Australia (relating to data held in medical records), China (relating to data held by critical information infrastructure operators, processors of high volumes of personal data, and health data) and Saudi Arabia (relating to data held by government entities).
Multinational organisations need to view their data protection obligations in conjunction with other data-related laws. Other laws may add to the data protection obligations and require higher standards of protection depending on the industry the organisation operates in, the type of data it handles, or the category of data subjects about whom it processes data. There may be specific cybersecurity requirements for organisations providing essential services, an obligation to prevent online harms, higher protections for children's use of digital services, or higher security requirements for health data. What is clear is that businesses will need to regularly horizon-scan the markets they operate in and adapt to continuously evolving data protection and data-related legislation.
In terms of strategy, depending on the risk appetite of the business, you may decide to focus only on jurisdictions that actively enforce, or at least have data protection authorities that can enforce, the data protection or related legislation. Alternatively, you may decide to focus on building trust amongst consumers and partners by offering a uniform high standard across all markets. In reality, most organisations are likely to adopt measures somewhere in between.
If your organisation needs guidance on what approach to take to comply with the data protection laws of the world, we are here to assist.