This blog post provides an overview of the data protection regulations applicable around the world, along with additional information on which countries the EU considers to ensure an adequate level of data protection.
Nowadays, the importance of privacy and data protection is increasingly recognized since most of our activities take place online.
But what does this mean for our personal data? It seems that most countries have taken our concerns into consideration and, one way or another, data protection has become one of the leading trends around the world.
Specifically, a study from the United Nations Conference on Trade and Development (UNCTAD) conducted in April 2020 shows that 132 out of 194 countries had put in place legislation to secure the protection of data and privacy. It is projected that within the next 3 years a total of 65% of the global population will have its personal data covered under privacy regulations.
The EU’s General Data Protection Regulation (GDPR), implemented in May 2018, has introduced new rights for individuals, inspiring lawmakers worldwide to follow its lead. However, to be completely precise, the GDPR was not the first law on data protection. Many other laws were in force before the GDPR, but this particular regulation was the first one with a global impact.
Even though the GDPR is not the first data protection regulation, Europe still has the lead in this field. Europeans have many reasons to celebrate Data Protection Day annually on January 28th, because on that day in 1981 Convention 108 was opened for signature.
The Convention was the first legally binding international instrument in the data protection field, and it remains, to this day, the only international legally binding agreement on data protection. Its updated version, Convention 108+, opened for signature in October 2018 and was signed by all 47 members of the Council of Europe. Additionally, 8 non-Council of Europe states, Argentina, Cabo Verde, Mauritius, Mexico, Morocco, Senegal, Tunisia, and Uruguay, have acceded to the treaty.
But signing the Convention is still not enough for EU member states to consider that their citizens’ data are adequately protected by third countries in cases where data transfers are required. For example, Russia is not considered by the EU to ensure an adequate level of data protection, although it ratified the Convention in 2006.
The US is also considered an inadequate country with regard to data transfers from the EU, since the EU Court of Justice (CJEU) invalidated the Privacy Shield that secured unrestricted EU-US data flows. In July 2020, the CJEU challenged the mechanisms for personal data transfers between the EU and the US on the grounds that US law cannot adequately ensure the protection of EU personal data.
With over 313 million internet users, the United States is among the leading online markets in the world. One would think that the US would also lead in the data privacy field. But sadly, this is only partially true.
US privacy law is a complex mix of national privacy laws and regulations addressed to specific sectors, state laws, and federal and state prohibitions against unfair or deceptive business practices. There is no principal data protection legislation in place, and state privacy and security laws are too diverse to summarize fully. However, it should be mentioned that there are hundreds of privacy and data security regulations across its 50 states and territories covering matters such as data safeguards, privacy policies, appropriate use of social security numbers, and data breach notification requirements. At the federal level, the Federal Trade Commission Act (FTC Act) empowers the Federal Trade Commission to bring enforcement actions to protect consumers against unfair or deceptive practices and to enforce privacy and data protection regulations.
Additionally, some states are starting to enforce data protection acts. California enacted the California Consumer Privacy Act (CCPA) in 2018, which came into effect in January 2020. The state has also approved the California Privacy Rights Act (CPRA), which will be fully enforceable in 2023 and works as an addendum to the CCPA. New York has expanded its data breach notification law to include the enforcement of safeguards to protect the security, confidentiality, and integrity of private information. Massachusetts has strong data protection regulations requiring any entity that processes its residents’ data to implement and maintain a written information security plan (WISP) addressing 10 core standards. Illinois has in place the Biometric Information Privacy Act (BIPA), which imposes specific security requirements on businesses that collect biometric information.
Besides the US, the EU also considers China and Australia to be inadequate countries, despite the fact that both have provisions regarding data privacy and protection.
In June 2017, the People’s Republic of China (PRC) Cybersecurity Law came into effect and became the first national-level law to address cybersecurity and data privacy protection. In May 2018, the National Standard of Information Security Technology – Personal Information Security Specification (PIS Specification) came into effect, serving as the new de facto standard for practical data protection handling by complementing and clarifying many existing data protection laws and describing practical compliance steps.
Australia regulates data privacy and protection through a mix of federal, state and territory laws. The Federal Privacy Act 1988 (Privacy Act) and its Australian Privacy Principles (APPs) apply to private sector entities under specific provisions, and to all Commonwealth Government and Australian Capital Territory Government agencies. In addition to the Privacy Act/APPs, there is a Privacy Regulation effective since 2013, and the legally binding Privacy (Credit Reporting) Code. A set of additional rules and guidelines is also in place, which have the force of law and apply in specific areas or to specific types of information.
Canada, on the other hand, is partially recognized by the EU as ensuring an adequate level of data protection for certain specific processing (performed as part of business activities). The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of their commercial activity. All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities, as well as federally regulated organizations that conduct business in Canada, are subject to PIPEDA, unless other laws are enforceable (i.e., the Privacy Act).
During our research, we discovered a large number of existing data protection laws. However, it seems that most people are not fully aware of them. In a 2019 survey, 49% of respondents in Europe were very or somewhat aware of their domestic data protection and privacy rules, whereas only 29% of respondents from North America stated the same.
We hope this article gave you an idea of the ways countries around the world treat your personal data, and provided you with a starting point if you want to research the subject in depth. A second part covering more data protection laws will follow soon.
Until next time.