How do global privacy laws stack up to GDPR?

With many organisations still struggling to keep up with GDPR, we take a look at four other international privacy policies to see if they're doing things any differently.

In a compliance landscape that can fairly be described as 'post-GDPR', the need for organisations to take responsibility for the Personally Identifiable Information (PII) they hold cannot be overstated. Consumers are increasingly aware of their data rights, and the fines for non-compliance with privacy laws can be severe and fundamentally damaging to organisations of all sizes.

However, while the information is well and truly out there, many organisations are still struggling to keep up. Looking at GDPR, a survey by the International Association of Privacy Professionals (IAPP), released in October, found that more than half (56%) of its 550 respondents considered themselves far from compliant with the regulation, or believed they would never fully comply. This is a worrying result given that the maximum penalty for non-compliance with GDPR is €20 million or 4% of annual worldwide turnover, whichever is higher.

Furthermore, the EU's regulation is not the only thing companies need to take note of: over the past few years, and often in direct response to GDPR, more and more countries and jurisdictions have updated their own data protection laws. The result is a complex web of international data regulation that increasingly affects organisations of all sizes, and especially those operating in multiple geographies. Essentially, everyone needs to be thinking about privacy and how best to manage the data, and specifically the PII, of their customers.

Many would class GDPR as the gold standard of privacy law for citizens, but as organisations struggle to keep up, it raises the question of whether other jurisdictions are doing things any differently. Here, we compare four countries in terms of how their privacy laws are likely to affect the companies operating there and how they compare to GDPR. It must be stated that the privacy laws of individual countries differ in scope (for example, EU member states can legislate stricter rules in the areas where GDPR allows them to), but it is still useful to be aware of how other systems work in order to fine-tune enterprise compliance structures.


Australia

Major laws/policies

Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme

Punishments for non-compliance

Civil penalties of up to AU$2.1 million can be imposed for serious or repeated interferences with privacy.

Overview

Australia's laws on privacy and the handling of data are driven by the Privacy Act 1988, which dictates how personal information is handled. The Act defines personal information as 'information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable'. Examples include an individual's name, signature, address, telephone number, date of birth, medical records, bank account details, and commentary or opinion about a person.

GDPR similarities and differences

There are a range of similarities between GDPR and the Privacy Act pertaining to the collection, storage, access and management of PII. For instance, both require organisations to be open and transparent with users (through a clearly expressed privacy policy), and both restrict the purposes for which collected data may be used or disclosed. However, the Privacy Act lacks a couple of important features of GDPR, such as the right to be forgotten and the right to data portability.

Crucially, 2018 saw the introduction of the Notifiable Data Breaches (NDB) scheme in Australia, which requires organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of any 'eligible data breach', meaning one that is likely to result in serious harm to the individuals whose personal information is involved. All public institutions, private organisations with an annual turnover of more than AU$3 million, and certain small businesses (such as health service providers) must adhere to the Privacy Act and the NDB scheme. This is an interesting distinction from GDPR, which governs the processing of PII by organisations of all sizes.

Another key difference is found in mandatory reporting timeframes. The Australian scheme allows an organisation up to 30 calendar days to assess whether a suspected breach is an eligible data breach, after which it must notify the commissioner and affected individuals as soon as practicable. GDPR, in contrast, requires notification to the supervisory authority within 72 hours of the controller becoming aware of the breach, with no separate assessment period.


China

Major laws/policies

Cyber Security Law

Punishments for non-compliance

Fines of between one and ten times the illegal gains from the activity (or up to RMB 1 million where there are no illegal gains), as well as operational sanctions such as suspension of business or revocation of licences.

Overview

Where privacy is concerned, China has traditionally relied on a patchwork of rules found in various laws, measures and sector-specific regulations. This has given the country an extensive list of data protection provisions covering individual industries, including the Administrative Measures for Online Trading for e-commerce and the Administrative Provisions on Short Message Services for SMS, amongst others. However, in June 2017 a law with considerably broader scope came into effect. The Cyber Security Law (CSL) serves as a general, overarching framework encompassing the collection, processing, storage, security and transmission of all personal data.

In addition, a national standard known as the Personal Information Security Specification (PI Security Specification) came into effect in 2018. While it is a non-binding standard with no penalties for non-compliance, it contains comprehensive best-practice guidance for companies wishing to comply with China's data privacy laws. The PI Security Specification was drafted with reference to GDPR and includes many of its elements, including data portability, the right to be forgotten and the requirement for clear privacy policies.

GDPR similarities and differences

Firstly, GDPR and CSL define personal data in similar ways. CSL defines personal data as information that can be used to identify a natural person, either by itself or in combination with other information, and lists examples such as a person's name, address, telephone number, date of birth, identity card number and biometric identifiers. This closely mirrors GDPR, which defines personal data as 'any information relating to an identified or identifiable natural person'.

Similarities can also be found in what the two regulations deliver for citizens. These include mandatory breach notifications, notification of how data is used, consent for the collection of data, the appointment of compliance personnel within organisations, and strict financial penalties. Under CSL, the penalties extend beyond fines: responsible individuals can face detention, and organisations can face heavy operational sanctions such as suspension of business and the confiscation of illegal gains.

However, there are a few fundamental differences between CSL and GDPR in terms of their purpose. As the International Association of Privacy Professionals reports, CSL is largely positioned as a way for the Chinese government to 'bridge the gap' between cybersecurity and data protection and fuse them into one law, although its reasons for doing so are likely bound up with cyber sovereignty. Article 9 of the law states that 'network operators must obey social norms and commercial ethics, be honest and credible, perform obligations to protect network security, accept supervision from the government and public, and bear social responsibility'. The wording of this stipulation reveals a primary concern of CSL for foreign organisations operating in China: that it is being used to facilitate further government intervention.

Further to this, CSL takes a strict approach to data localisation, requiring operators of critical information infrastructure to store personal data and important data collected in China on servers located within mainland China. This requirement led Apple, for instance, to move the iCloud data of its China-based users to a data centre run by a government-approved local partner. Such relocations can be costly for international firms and cause a lot of headaches for those grappling with the privacy laws of multiple regions. It is also in stark contrast with GDPR, which allows personal data to be transferred outside the EU to countries the European Commission has deemed to provide adequate protection, or elsewhere under appropriate safeguards such as standard contractual clauses. Ultimately, there is a concern over whether CSL will make it unviable for some international firms to operate in China at all.


India

Major laws/policies

The Information Technology Act, 2000 and the draft Personal Data Protection Bill, 2018

Punishments for non-compliance

Under the draft bill, up to INR 150,000,000 (15 crore) or 4% of total worldwide turnover, whichever is higher.

Overview

Until 2018, India had one principal piece of legislation governing the collection and use of personal data: the Information Technology Act, 2000. The Act primarily addresses cybercrime and electronic commerce, prescribing compensation and criminal penalties in cases involving the wrongful disclosure and misuse of the personal data of Indian citizens. Under Section 43A, added by the 2008 amendment, corporate entities that possess, deal with or handle 'sensitive' personal data or information are liable for any damages or wrongful loss caused to users through negligence in implementing reasonable security practices.

In 2011, India also published the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, which are designed to ensure that organisations maintain rigorous privacy policies for handling personal information. However, these rules only cover 'sensitive' data, defined to include passwords, financial information, information on physical or mental health, sexual orientation, medical records and biometric information.

While perhaps a little limited in the past, the arrival of GDPR inspired India, which currently has approximately 500 million active internet users, to draft a new law pertaining specifically to PII, known as the Personal Data Protection Bill (PDPB). The bill, which directly mirrors GDPR in many ways, addresses issues such as data storage, user consent and processing. It is, however, still at the draft stage and may be subject to change.

GDPR similarities and differences

Overall, while India's Information Technology Act served as a basis of protection, covering elements of data collection and usage, it fell short on reach and failed to regulate matters like data storage and user consent. The Personal Data Protection Bill aims to change that, with provisions on the clear purpose of processing personal data, the appointment of Data Protection Officers, data portability, the right to be forgotten, mandatory breach notifications and a strong focus on consent. The draft bill also proposes major fines for organisations that fail to adhere to compliance requirements (INR 5 crore or 2% of worldwide turnover, whichever is higher) or to the standards for processing personal or sensitive data (INR 15 crore or 4% of worldwide turnover, whichever is higher).

However, there are a few key differences between the PDPB and GDPR. One of the most controversial aspects of the PDPB is its approach to data localisation: the draft bill requires every data fiduciary to store at least one serving copy of all personal data on a server or data centre located in India, and requires 'critical' personal data (a category to be defined by the government) to be processed only in India. This means that organisations operating internationally will have to keep a copy of any PII or user data of Indian citizens they hold in Indian data centres, with only such exemptions as the central government chooses to notify. This presents challenges in terms of cost, as well as in separating personal data from non-personal data, since an inability to do so will mean that larger data sets have to be stored in India.

As well as this, if an Indian company is processing EU citizens' data, the requirement also collides with GDPR's restrictions on transferring data out of the EU. Privacy experts have noted that localisation of this kind has been implemented to allow easy state access to data. Further to this, the PDPB allows the processing of personal data by state authorities without consent under certain conditions pertaining to the security of the state, provided it is authorised by law and follows the procedure that law establishes. These factors all present fundamental privacy concerns, although it must be noted that the bill is still subject to amendment before implementation.


United States

Major laws/policies

Multiple (No federal/unified privacy act)

Overview

The US has a patchwork of laws that apply to different sectors, including the Children's Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA) for medical information, the Gramm-Leach-Bliley Act for financial services and the Privacy Act of 1974 for PII held by federal government agencies. There are also state laws governing privacy, with dozens of different definitions of what constitutes a breach and when it must be notified.

GDPR similarities and differences

The nature of US privacy law presents a fundamental problem in that while some states may be close to GDPR standards, others are not. In 2018, California signed into law the California Consumer Privacy Act (CCPA), which was designed to mirror much of GDPR. Due to come into effect in January 2020, the CCPA applies to for-profit 'businesses' that do business in the state and process the personal information of California residents, provided they meet at least one of its thresholds: annual gross revenue above US$25 million; buying, receiving or sharing the personal information of 50,000 or more consumers, households or devices; or deriving at least half of annual revenue from selling personal information.

While there are obvious differences from GDPR (for example, the CCPA centres on the right to know what is collected and to opt out of the sale of personal information, rather than on requiring a lawful basis for processing), the CCPA is perhaps the most robust state privacy law in the country. Its impending implementation has led some to believe that other states might follow suit, although this could be a nightmare for organisations trying to navigate the laws of multiple states.

It must also be mentioned that the US and the EU have another arrangement in place, known as the 'Privacy Shield', under which US companies self-certify their adherence to a set of privacy principles and are then treated as providing adequate protection for personal data transferred from the EU. Participants will have had a head start on GDPR compliance, but the framework is opt-in rather than regulation: it imposes no obligations on companies that do not sign up, although a company that has self-certified can be held to its commitments by the Federal Trade Commission.
