Author: Aaron Green LLB CIPD, Operations Manager.
Data Protection across the globe
The General Data Protection Regulations (GDPR) came in to force across Europe on 25 May 2018 and was enshrined in UK Law under the Data Protection Act (DPA) 2018. This legislation created a buzz of activity across Europe as businesses rushed (often last minute) to be compliant with the legislation, concerned about facing severe fines and penalties for non-compliance.
GDPR was widely considered a ground breaking piece of legislation which forced all organisations, no matter how big or small and no matter what sector they operated in, to review how they handle personal and sensitive data and created a “culture of compliance” across industry.
The success of GDPR has led it to be used as a model for many other data protection legislations across the globe, but GDPR was not the first piece of data protection legislation, nor is it the most comprehensive. There are degrees of data protection legislation across the globe, some of which have been determined to be “adequate” under GDPR in that they grant the same or similar rights to individuals and requirements of controllers and processors, meaning companies do not need to have further appropriate safeguards such as Binding Corporate Regulations or Standard Contractual Clauses in order to transfer data to these countries, and some countries have no legislation at all. This inconsistency across the globe can lead to confusion and ultimately potential breaches of GDPR legislation.
So what does Data Protection Legislation look like around the world?
Across the wider EMEA sphere, excluding EU and EEA countries, there is a wide variation of implementation of data protection laws.
Turkey has introduced a Data Protection law that is modelled on GDPR and Israel has had data protection laws since 1981 which have been supplemented in 2001 and 2017 and deemed “adequate” for third party transfers.
The UAE has just introduced the first national law on data protection having previously relied upon sector specific (such as healthcare) or area specific laws – Law 45 of 2021 is similar to GDPR but has fewer transparency obligations.
Qatar’s Law 13 of 2016 is inline with GDPR and states that data must be handled with transparency, honesty, legitimately and with respect for the dignity of the individual. Oman’s Royal Decree 6/2022 brings in strict legislation for data protection, particularly around consent and legitimate interest and introduces a permit for processing sensitive data.
Saudi Arabia has laws similar to GDPR but removes the legitimate interest reason for processing data. Bahrain introduced data protection law 30 of 2018 which gives rights for subjects and responsibilities for processors, but national security services are exempt from the legislation.
Kuwait seems to be the outlier where there is no data protection law although some rights given to protect from data breach are available in other legislation.
Into Africa, Egypt, Like Oman, requires a permit for processing sensitive data in their 2020 legislation which uses GDPR as a base but has lower fines for non-compliance.
The African Union, which comprises 55 member states from continental Africa, has affirmed its desire to harmonise all members data protection legislation following its ratifying of the Council of Europe Data protection conventions in 2014.
So far, Kenya, Mauritius, Malawi and Uganda have laws that align with GDPR and South Africa goes even further, making data breaches a criminal offence. Cape Verde, Mauritius, Morocco, Senegal and Tunisia have ratified the Council of Europe Conventions.
The following list shows which African Union states have implemented data protection legislation:
Cape Verde (2001, amended in 2013 and in 2021), Seychelles (2003), Burkina Faso (2004, under revision), Mauritius (2004, amended in 2017), Tunisia (2004, under revision), Senegal (2008, under revision), Benin (2009, amended in 2017), Morocco (2009, under revision), Angola (2011), Gabon (2011), Lesotho (2011), Ghana (2012), Ivory Coast (2013), Mali (2013, amended in 2017), South Africa (2013), Madagascar (2014), Chad (2015), Equatorial Guinea (2016), São Tomé and Principe (2016), Guinea (Conakry) (2016), Mauritania (2017), Niger (2017), Algeria (2018), Botswana (2018), Nigeria (Data Protection Regulation 2019, Data Protection Bill in discussion), Uganda (2019), Kenya (2019), Congo-Brazzaville (Republic of Congo) (2019), Togo (2019), Egypt (2020), Rwanda (2021) and Zambia (2021).
Across Asia Pacific, most countries have, or are in the process of implementing, data protection laws. Myanmar and Brunei are outliers of this, although Brunei is governed by Data Protection Principles just not legislation. Myanmar is currently process of implementing Data Protection Laws.
Across the rest of the Association of South East Asian Nations, there is legislation in place and in some cases, such as with Malaysia and Singapore it has been in place since early 2010s. Singapore amended their Data Protection legislation in 2020 to bring it inline with GDPR as has Malaysia. Thailand, Vietnam, Indonesia, Cambodia and The Philippines all have data protection legislation in place.
Wider across APAC, China has recently implemented data security legislation and Personal Information Protection Law which is similar to GDPR but in places lacks the same clarity of terms than GDPR (particularly within individual’s rights)
Hong Kong introduced Personal Data Protection Ordinance legislation in 1995 which is broadly similar in rights and obligations to GDPR as is Australia’s Privacy Act, although Australia’s Privacy Act includes implied consent and less comprehensive individual rights.
India introduced a data privacy law in 2019 which is modelled on GDPR but the terms are not as accurately defined and more discretion is given to the government to allow exemptions.
Japan, New Zealand and South Korea all have data protection legislation that has been deemed to be “adequate” under GDPR through Japan’s Act on Protection of Personal Information, New Zealand’s Privacy Act and South Korea’s Personal Information Protection Act.
Into North America, the United States has no federal laws governing data protection with the exception of the US Privacy Act (1974) which is limited to certain citizens and covers Federal Agencies only. Data protection laws in the US are limited by sector (such as financial or healthcare) or by location (such as the California Consumer Privacy Act). It is worth noting at this point that since SCHREMS II, the Privacy Shield that allowed for data to pass between the EU and US was invalidated immediately meaning further safeguards, such as Standard Contractual Clauses, are required.
Canada has had data protection laws in place since 2000 and has updated legislation as of 2020 to further align with GDPR. Canada has been determined to be “adequate” by the EU for commercial organisations only.
In Latin and South America there are countries such as Chile who have had long standing data protection laws (originally 1999 but was added to the constitution in 2018 as the 1999 law was obsolete) which are comparable to GDPR to Venezuela who have no specific legislation to protect data.
Mexico, like a lot of countries, has laws that are similar to GDPR (private companies in 2010 and public in 2017) but remove the legitimate interest lawful means of processing data. Peru also restricts legitimate interest defence in the 2011 law and 2017 guidelines issued on data protection. Colombia is another country that denies the legitimate interest means of processing data in the 2012 update to the 2008 data protection laws.
Brazil introduced legislation in 2018 for data protection and Uruguay’s 2008 legislation is similar to GDPR. Argentina updated their existing legislation in 2020 and the Argentinian data protection laws are deemed to be “adequate” for GDPR purposes.
In countries where “adequacy” with GDPR has not been granted, it is vital that companies take additional measures to display reasonable compliance with GDPR and DPA. For any inter-company transfers, Binding Corporate Regulations must be in place to ensure the data is processed in line with GDPR requirements and for any external transfers, Standard Contractual Clauses must be in place. This is all following a robust Data Protection Impact Assessment and Risk Assessment to determine whether the data can be transferred.
As part of the Brexit deal, the UK agreed to adopt the adequacy decision of the European Commission as well as determining that the EU is adequate for data transfers. The full list of “adequate” countries is:
Andorra
Argentina
Canada (commercial organisations)
European Union Members
Faroe Islands
Guernsey
Israel
Isle of Man
Japan
Jersey
New Zealand
Switzerland
Uruguay
Sources.
ASEAN Insiders Series 2019 – Personal Data Protection – Asia Law Portal
Hogan_Lovells_APAC_Privacy_and_Cybersecurity_Guide_2021.pdf (datasrvr.com)
Analyzing China’s PIPL and how it compares to the EU’s GDPR (iapp.org)
GDPR matchup: Hong Kong’s Personal Data (Privacy) Ordinance (iapp.org)
Data Protection 2021 | Laws and Regulations | Korea | ICLG
Data Protection Law issued in Oman : Clyde & Co (clydeco.com)
GSMA-Data-Privacy-in-MENA-Exec-Summary.pdf
Law in Colombia – DLA Piper Global Data Protection Laws of the World (dlapiperdataprotection.com)
17 Countries with GDPR-like Data Privacy Laws (comforte.com)