In the 2018-2020 timeframe, the rollout of GDPR in the EU is having an impact on companies worldwide, thanks to its legislative reach beyond the EU’s borders. But companies also have to content with a wave of new data privacy legislation in the US, UK, China, and many other countries. Some laws are inspired by GDPR, while others take a unique approach that serves their country’s needs.
This outline of data privacy laws addresses seven major markets, covering the legislation in effect, how it impacts domestic and international companies, and any unique features that may cause issues for firms handling personal data.
Table of Contents
US Data Privacy Laws
- The US is unique among major countries in not having a unified set of data privacy laws. Given that a large number of global Internet companies are based in the US (Google, Facebook, etc.) the introduction of legislation is probably coming soon.
- There are two sets of laws which provide some guidance on future US regulation:
- The State of California has passed the California Consumer Privacy Act (CPA) set to go into effect in 2020, which is inspired by the European Union's GDPR.
- The US has also agreed to a minimum set of privacy standards, as defined by APEC, the Asia-Pacific partnership with 21 countries including Japan, Canada, and Mexico. The APEC standards have their own section in this post - see below.
- The California CPA holds all businesses responsible for the secure handling of personal data. It also mandates that users be informed about how that data is used, and if that data is compromised in any way.
- The US does have standards in place for healthcare information, as formalized in HIPAA legislation.
- Unique Twist: With no national laws in place, the US gives a lot of latitude to companies in the short term to set their own standards for data protection and privacy. However, those companies should be ready to adapt to changes in the long term, as the public debate around privacy and security breaches will start to shape the new laws that will take effect.
EU Data Privacy Laws
- The General Data Protection Regulation (GDPR) was signed into law in April 2016 and went effect on May 25th, 2018.
- GDPR applies to any form of personal data, defined as any data which by itself, or when combined with other data that the possessor can likely access, can be used to identify an individual.
- GDPR applies to any organization that collects, stores, or processes the personal data of EU residents, whether or not the organization is actually based in the EU.
- GDPR is meant to be an all-encompassing data privacy law for EU member countries, but each country must pass its own regulations to monitor and enforce GDPR within its borders.
- GDPR offers individuals the right to request erasure or correction of their personal data, and requires companies to comply with those requests.
- Unique Twist: There is a lot of confusion over the reach of GDPR when it comes to people or businesses outside the EU. See our in-depth GDPR overview to learn more about how the EU defines data subjects, and how that impacts the application of GDPR to personal data.
Post-Brexit UK Data Privacy Laws
- The Data Protection Act (DPA) is the UK’s implementation of the General Data Protection Regulation (GDPR), and was passed on May 23, 2018, going into effect immediately. The DPA will stay in effect regardless of the outcome of Brexit.
- DPA covers personal data, including data belonging to criminals. DPA allows profiling of individuals, while GDPR does not.
- The DPA echoes GDPR, but expands it to include intelligence gathering, immigration, and public authorities.
- NHS, the UK's national healthcare system, has established rules for all organizations working with healthcare data.
- Unique Twist: The DPA extends the fines for repeat offenders to unlimited amounts.
APEC Data Privacy Laws
- APEC is an Asia Pacific organization, counting the US, Japan, South Korea, Canada and Mexico among its 21-country membership.
- The Cross-Border Privacy Rules (CBPR) were established to provide a foundation for privacy laws within each of the APEC member countries. So far, the United States, Canada, Japan and Mexico have adopted it.
- CBPR data privacy guidelines apply to any public or private organization that handles personal data.
- Unlike the EU’s GDPR, which applies to data processors and controllers, CBPR only applies to controllers. See the graphic below for definitions of each.
- CBPR is meant to provide a minimum level of protection, useful to member countries who trade within the group. It relies on member states to build upon that framework with rules for their specific markets. (For example, HIPAA for healthcare data in the US.)
- Unique Twist: The US does not have a direct equivalent to GDPR (yet) but has agreed to the CBPR framework. So CBPR may provide a hint to what types of data privacy legislation may come next from the US Congress.
Data Privacy Laws in South Korea
- The Personal Information Protection Act (PIPA) went into effect on September 30, 2011, and joins a suite of data security laws that are perhaps the most stringent in the world.
- PIPA covers any data that can be used to identify a person, including images. It also makes a distinction for "sensitive" personal data, such as religion or sexual orientation, that could be used to infringe on personal rights.
- South Korea also has a number of data privacy laws for specific verticals:
- IT services: Act on Promotion of Information and Communication Network Utilisation and Information Protection
- Credit Info: Use and Protection of Credit Information Act
- Finance: Act on Real Name Financial Transactions and Guarantee of Secrecy
- Unique Twist: South Korea defines personal information as anything which can identify a person, just as other countries do. One unique item is that personal data which is not complete, but could be combined with other available
data, is also protected. For example, if anonymized data could be combined with another database to flag a particular person, the anonymized data would have to be handled with the same care as any other type of personal data.
China Data Protection Laws
- China's Cybersecurity Law (CSL) was passed on November 7, 2016, and went into effect on June 1, 2017.
- CSL covers all forms of personal data belonging to Chinese citizens. Storage of personal data overseas is not allowed, unless documented proof can be provided to demonstrate the need, combined with a security assessment to ensure compliance. This combination of rules makes overseas data storage impractical for most applications.
- China's CSL applies not only to conventional data handlers, but also to telecom, radio, and television operators.
- Unique Twist: Chinese authorities must be informed if data indicates any prohibited activities. In other words, personal data must be examined by the holders of that data - somewhat paradoxically in the context of data privacy.
Data Privacy Laws in Israel
- The Privacy Protection Data Security (PPDS) regulations went into effect on May 8, 2017, extending the existing Privacy Protection Act
- The PPDS requires different levels of security, depending on how many people come into contact with the data. A database which is managed by one individual requires minimal precautions, while data that can be accessed by 10+ or 100+ individuals requires more security.
- Unlike GDPR, which spells out which companies are subject to regulation, Israeli law does not have an explicit rule about geographic boundaries. The law definitely applies to servers and data with Israel, but it is unclear if data stored outside the country is also included.
- The PPDS also applies elevated standards to financial and medical data, with the latter including biometric and genetic data.
- Unique Twist: Israeli law exempts government agencies, especially security agencies, from most restrictions.