As we have already mentioned in our previous blog post, data protection is among the global leading trends. So, let’s expand our research and check out what other data protection regulations are applicable around the world.
A global survey which took place in 2019 revealed that low percentages of people were aware of their countries’ data protection and privacy rules. For example, in France, only 4% of the participants were very aware of the applicable legislation, despite the fact that the GDPR has been enforced since May of 2018 and many companies have adjusted their policies to ensure compliance.
In 2020, the UK reported the highest budget allocated to the national data protection authority (DPA). Its value reached 61 million euros, whereas in Germany the same amount was 26.8 million euros. Someone would say that this seems reasonable, since the GDPR was entered into force in the United Kingdom on the 25th of May 2018, at which point the UK was a full Member State of the European Union. But currently speaking, the UK has left the European Union on the 31st of January 2020, so the GDPR is no longer applicable in the UK.
The UK Government is planning on implementing the GDPR into UK national law by creating the “UK GDPR” based on the EU GDPR, on the Data Protection Act of 2018, and on the Data Protection, Privacy and Electronic Communications Regulations of 2019. The Data Protection Act of 2018 (DPA) transposes the Law Enforcement Directive ((EU)2016/680) into UK law, creating a data protection regime specifically for law enforcement personal data processing. Additionally, the DPA updates the data protection regime for national security processing, and it sets out the scope of the Information Commissioner’s mandate and its enforcement powers by creating a number of criminal offences relating to personal data processing.
The EU considers that Switzerland ensures an adequate level of data protection. On December of 2011, the Federal Council approved the report on the evaluation of the Data Protection Act. Furthermore, the revision of existing laws was necessary due to the Schengen Convention. In addition to this, during 2017, the Federal Council of Switzerland has presented a draft of the Federal Act on Data Protection (FADP). Its main goal was to ensure alignment to the GDPR. The revision of the existing data protection acts was divided in two stages. The first stage was to allow for prior consultation regarding the implementation of the EU law (Directive 2016/680), which was required by the Schengen agreements. Thereafter, the data protection act was to be revised until the end of 2020.
Argentina is also considered an adequate country. The Personal Data Protection Law (PDPL) includes the basic personal data rules, and it follows international standards. Additionally, the Federal Constitution provides that any person may file an action to have access to their personal data and to information about the purpose of processing such data, and to request the suppression, correction, confidentiality or updating of their data if they are inaccurate or discriminatory. These provisions create the basic framework for data protection. Further regulations have been issued by the relevant agencies, as the Data Protection Law of 2012. Since 2019, Argentina is also a party of the Convention 108 for the protection of individuals with regard to automatic processing of personal data.
Bahrain is the first country in the Middle East that has introduced a Data Protection Law, which came into force in August of 2019. The regulation provides individuals with rights concerning how their data is collected, processed, and stored. Furthermore, there are three novelties in Bahrain’s data protection law, including its extraterritorial effect, the creation of the data protection supervisor role, and the imposition of a duty of due diligence on data managers that use data processors. However, the country is considered as non-adequate.
In 2016, Qatar became the first Gulf Cooperation Council member state to issue a generally applicable data protection law, which took effect in 2017. Additional executive regulations to ensure the implementation of this law were expected to be passed in 2020. Since the law is not yet fully implemented, Qatar is not considered an adequate country by the EU in regards to data protection. Qatar’s Data Protection Law applies to personal data which are processed electronically, obtained, collected or extracted in any other way in preparation for electronic processing, and/or processed by combining electronic processing and traditional processing. Such data may only be processed within a framework of transparency, honesty, and respect for human dignity.
In July 2018, India got closer to its first data privacy law by submitting a draft of the Personal Data Protection Bill, which forms a framework and prescribes how organizations, including the state, should collect, process and store citizens’ data. However, the bill still needs many further rounds of review before becoming a law that is comparable to the GDPR, and that is why India is not considered to ensure an adequate level of data protection recognized by EU.
On May 2019, the Personal Data Protection Act (PDPA) became law in Thailand. Under the PDPA, individual people have the right to control how their personal data is collected, stored, disseminated and protected. Consent is a requirement for data sharing, while people have the right to know which organizations have their data as well as how it is used and shared. Most of the provisions of the PDPA provide similar contents to the EU GDPR, however Thailand is also considered as a non-adequate country.
On the other hand, Japan seems to ensure an adequate level of data protection recognized by EU. The Act on the Protection of Personal Information (APPI) regulates privacy protection issues. The Personal Information Protection Commission is a central agency which acts as a supervisory governmental organization on issues of privacy protection. Japan has recently passed amendments to its data privacy law, some of which put its law closer in line with the EU’s General Data Protection Regulation.
Nowadays, it is crucial for companies around the world to manage and safeguard personal information and address their risks and legal responsibilities in relation to processing personal data. Besides the large number of laws which exist regarding data protection, there are also some organizations which are engaged in data protection promotional campaigns, such as the Commission Nationale de l’Informatique et des Libertés (CNIL), as well as international forums, such as the Global Privacy Assembly and the Organization for Economic Co-operation and Development (OECD).
We hope the article gave you an idea regarding the ways that countries around the world treat your personal data, and provided you a starting point if you want to research the subject in depth.
Until next time.