Before the Pandemic I used to go to a local hairdressing salon to get my hair cut. I’d tried a few barbers, but it was the thought of a cup of coffee whilst being pampered that did it for me. Anyway, it was the last place I expected to be confronted with the GDPR. But sure enough, I was asked to consent to the processing of my personal data for hairdressing purposes. Leaving aside the question of whether that was the most appropriate lawful basis, it does illustrate the huge degree of awareness that the GDPR generated amongst the general population, and in particular businesses, in the run-up to it becoming law in May 2018. Obviously in the UK we’ve had Brexit since then, which has further muddied the waters of privacy legislation, with the UK (so far) adopting the same rules with only minor tweaks to reflect changes to the institutions involved.
But if the GDPR is the young rock star of privacy legislation, it rather disguises the fact that there have been many less well-known bands treading the circuit for quite a few years beforehand. In this article we wanted to highlight a few of the more established players before providing a status update on the latest entrants to the privacy charts.
Anyone with an interest in the history of data protection will be familiar with the precursors to the GDPR, going all the way back to the post-war European Convention on Human Rights and the 1995 Data Protection Directive. But in other parts of the world legislators have been turning their attention to privacy too, with mixed results. And let’s not forget that if you sell internationally then these laws may affect you too. Before we look at a few examples, it’s worth making a number of general points.
So if you have the impression by now that privacy worldwide is complicated, you’d be right.
There are many countries we could choose, but here are a few that have existing data privacy laws, to give you an idea of the variety of legislation out there.
In Australia the Privacy Act became a federal law in 1988 and applies to organizations with an annual turnover exceeding AU$3 million. It is policed by the Privacy Commissioner and although a data protection officer is not required, it is recommended that one is appointed. Breach notification is mandatory and fines of up to AU$2.2 million can be levied on corporations. Many of the states and territories across Australia have their own privacy legislation too, mainly with an emphasis on government agencies.
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted back in 2000 and broadly applies to all organizations processing the personal data of Canadian citizens. You’ll need a data protection officer and breach notification is mandatory, with the option of damages being paid to those affected by a breach. Provinces such as Alberta and British Columbia have their own privacy legislation too.
If you’re trading in Japan, the Act on the Protection of Personal Information (APPI) of 2003 may apply. Governed by the Personal Information Protection Commission (PPC), the APPI requires you to tell them about any breaches (subject to criteria) and enforcement includes not only fines but the possibility of a year’s imprisonment for those held responsible. They take privacy seriously in Japan.
China chooses to spread its privacy regulation across three main laws: the Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL) and the Data Security Law (DSL). Each of these came into effect at a different time, starting with the CSL in 2017. The consequences of breaking any of the laws vary widely, from fines of 5% of revenue, to criminal charges, to your social credit score being affected.
In Ukraine the Law of Ukraine No. 2297-VI ‘On Personal Data Protection’ (Data Protection Law) was enacted on 1 June 2010 and has many similarities to the EU Data Protection Directive which preceded the GDPR. The political desire for greater closeness to the European Union presumably comes into play here. The Ukrainian Parliament’s Commissioner for Human Rights oversees compliance with the legislation, although there is no breach notification requirement at present.
The Russian Data Protection Act of 2006 was amended in 2015 to require that Russian personal data must be stored in Russia. Failure to do this will result in access to the offending website being blocked. However, breaches don’t need to be reported and the maximum fine is currently 75,000 Rubles (less than US$1,000).
Over the last few years a number of countries and states have stepped further into the privacy legislation arena.
In Brazil, they now have the LGPD (General Data Protection Law), which came into force in 2020. This is generally accepted to be similar in nature to the EU GDPR and is policed by the National Data Protection Authority (ANPD). Breach notification is mandatory, and fines of up to 2% of revenue may be levied.
In the USA, the state of California has enacted the California Consumer Privacy Act (CCPA) and followed it up with the California Consumer Privacy Rights Act (CPRA) which expands consumer rights further. Other states with recent privacy laws include Virginia and Colorado.
The South African Protection of Personal Information Act 2013 (POPIA) actually came into force in mid-2021 and requires that you tell the Information Regulator about breaches. Possibly taking a lead from Japan, the consequences of such a breach could include up to ten years in jail.
There’s a lot of activity worldwide in the privacy space and the next few years could see a number of changes.
In Australia much bigger fines could be on their way under proposals currently being considered.
The Canadian PIPEDA legislation may be replaced with a law that is more similar to the GDPR and the Californian CCPA.
In Japan, amendments to the APPI come into force in April 2022.
A USA federal law that applies to all 50 states could finally be on its way, although the US political process still has some way to go before signatures are applied.
So it looks like being a busy old time in the world of privacy for some time to come. As new technologies (such as the Metaverse) develop, corporate advertising interests evolve and privacy expectations change with upcoming generations, it’s hard to say where the balance will be struck. Perhaps in a world that is still shrinking due to globalisation some common ground will emerge across countries, but whether that will look like a super-GDPR is anyone’s guess.
We have a variety of toolkits available depending on your privacy requirements. CertiKit’s award-winning toolkits are used in thousands of organisations globally, and they include all of the guides and template documents you’ll need for easy compliance.
Our privacy toolkits include: