Last updated May 2021 - estimated reading time 5 minutes
Schrems II and beyond GDPR: International privacy laws for data protection in 2021
Today, more than 120 countries are already engaged in some form of international privacy law for data protection, ensuring that citizens and their data are offered more rigorous protections and controls. As this process continues, it’s clear that international privacy laws for data protection will keep evolving to ensure personal data protection across all use cases and situations, even those that have yet to present themselves.
But what are these international privacy laws and why do they matter?
The international privacy laws for data protection generally follow, or are guided by, the five global privacy principles of:
1. Notice – advising users, visitors and readers of the policies in place to protect personal information.
2. Choice and consent – providing people with choices and consent around the use, storage, management and collection of personal information.
3. Access and participation – ensuring the information is accessed and used by the correct people within the right security protocols.
4. Integrity and security – ensuring that the data is secure and that there is no unauthorised access.
5. Enforcement – ensuring that the service, site, solution and platform are aligned with some form of regulation that enforces compliance.
What are the benefits of international privacy regulation?
In 2018, the General Data Protection Regulation (GDPR) broke ground as the most forward-thinking and extensive legal provision for the protection of personal data and its ongoing security. This law is an international privacy law for data protection that impacted any organisation that processed any personal data from any EU citizen.
It set the standard and has shaped the trends that dominate this sector today.
Data protection ultimately focuses on protecting data and information from both internal and external threats. It mitigates the risks of fraud, compromise and corruption, and protects the individual.
As the amount of data being stored and created continues to increase exponentially, increased data protection has become critical, and indispensable.
This has driven international data protection laws, and offers the following benefits:
• Valuable data is protected from leaks, loss and theft
• Companies can increase confidence from the public, investors and customers
• Brand value is inherent and implicit in a robust policy and framework
• Good governance improves a company’s competitive advantage
• Improvements in automation, digitisation and innovation due to business process transformation
• Increased trust and credibility across multiple markets and customers
• Deeper understanding of the data, its value, and the benefits it offers
• Improved data management and control, resulting in improved innovation and transformation
So where do the laws lie, and which ones are the most well-known?
The regulations that impact on personal data protection vary significantly from region to region or even country to country.
Some regions, like Europe, have embedded stringent controls that impose heavy fines on those that break the rules, while countries like the United States are still wrestling with formal and centralised laws that deliver cohesive protection.
The enforcement of GDPR created a seismic global shift in how countries, organisations and individuals viewed data privacy and saw a rapid global move towards more rigorous controls and protections.
Here are some of the top line regions and countries that currently have international privacy laws for data protection:
• Europe – The GDPR was less a localised layer of security and compliance and more an international privacy law for data protection that impacted any organisation that processed any personal data from any EU citizen. Today, with global enforcement of security and data protection controls, the future of data protection is defined by stricter regulations, bigger fines, and more reputational damage if compliance is ignored. After several companies ignored the GDPR and some were hit by extensive fines, organisations sat up and paid attention. The enforcement of GDPR, and the hefty fines and reputational damage that came with it, has meant that organisations are facing a challenging time. They have to be compliant, and they need the right support to achieve it.
• The USA – while the country doesn’t have formal laws at the federal level, there is some federal legislation that protects data on a more general level. With the devolution of power to the state level, several US states have created their own data-related laws. California’s legislation is considered among the most forward thinking with the California Consumer Privacy Act (CCPA) providing robust privacy rights and consumer protection. The law allows for residents of the state to establish precisely how their personal data is being collected and what it is being used for. Other states with bills in place, or in the process of being passed, include Alabama, Connecticut, Florida, New York, Washington, Illinois, Texas and Virginia. A comprehensive list of the US privacy laws and their status can be found here.
• Brazil has the General Data Protection Law that supports and supplements the extensive list of more than 40 data privacy-related laws that have been implemented over the years. This legislation irons out the conflicts between the different laws, clearly defines the concepts of personal data and public data, outlines clear liabilities, and is applied to all sectors of the country. This regulation also requires that companies appoint Data Protection Officers, have rigorous security protocols in place, and upgrade security measures to ensure comprehensive compliance. Brazil’s Lei Geral de Proteção de Dados (LGPD) came into effect on September 18th last year and creates a legal framework for the use of personal data of individuals in Brazil, regardless of where the data processor is located. However, its administrative sanctions are likely only to be enforced from August 2021, making this year the testing ground for how the Autoridade Nacional de Proteção de Dados (ANPD) will enforce the LGPD.
• South Africa has implemented the Protection of Personal Information Act (POPIA) with equally stringent and rigorous personal data protection controls in place. The Act has undergone several iterations and evolutions since it was first proposed in 2013 and is set to harden the final layers of the Act in July 2021. The privacy laws and protections outlined in POPIA are of as rigorous a standard as those in the GDPR.
• Bahrain has the Data Protection Law that has the honour of being the first of its kind to be introduced in the Middle East and that provides individuals with rights concerning how their data is collected, processed and stored.
• The Philippines has the Data Privacy Act of 2012 that has many of the components that define the EU Data Protection Directive and that ensures the protection of personal information by organisations.
• Canada implemented the Personal Information Protection and Electronic Documents Act (PIPEDA) that is aligned with EU data protection law. The Act is very much in line with the five global privacy principles and offers consumers significant protection for their personal information. The Digital Charter Implementation Act (DCIA) was introduced by the Canadian Minister of Information, Science and Economic Development on 17 November 2020. If this passes, it will replace PIPEDA and introduce several interesting changes to privacy legislation in the country. This includes a private right to action and fines that could exceed those of the GDPR. This is set to be reviewed in 2021.
• In the United Kingdom, the GDPR will apply until 31 July 2021 and thereafter different regulations will apply thanks to Brexit. However, the Data Protection Act 2018 has already implemented the requirements of the EU’s GDPR into UK law from 01 January 2021. The Data Protection, Privacy, and Electronic Communications (DPPEC) Regulations of 2019 amended the DPA 2018 and combined it with the GDPR to create a holistic, UK-specific data protection system that applies within the UK context and is known as the UK GDPR.
• India has enacted a data protection bill called the Personal Data Protection Bill that embeds many of the tenets of GDPR within the country’s context. These include requirements for notice and prior consent for the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to the individual in question is collected. However, in 2017, a supreme court judge ruled that it was unconstitutional for private companies to use Aadhaar data – a platform that was unveiled in 2009 and forms a massive part of the country’s biometric identification programme. As every resident has their own 12-digit Aadhaar number, it has become a single, universal digital identity number that any registered entity can use to authenticate an Indian resident. Now, the Aadhaar number can be used for verification, but private companies are prevented from collecting the individual’s details.
Other countries with international privacy laws for data protection include Australia, Angola, the British Virgin Islands, Denmark, Finland, Nigeria and Israel. A comprehensive breakdown of the various international privacy laws for data protection across country and regulation can be found here.
The Schrems II ruling
Schrems II, a ruling that addressed the flow of information from the European Union to the United States, has had an immense impact on global international privacy regulations and approaches. This ruling is reshaping how global organisations that operate across multiple countries and legislations approach the protection of personal information. Schrems II is set to have a long-lasting impact across the US and beyond, shifting how organisations and countries approach data protection within global commerce and underscoring the importance of investing in privacy toolkits, technology and professionals to ensure absolute compliance with the letter of any local law.
There are numerous analyses of Schrems II and how this ruling is set to change the letter of the law, and how information is managed. The first is by Mukesh Chandak – in this article, the Thales Business Development Director unpacks the aftermath of the Schrems II ruling and what it means for organisations looking to secure information and maintain privacy in the future. As he points out, ‘Schrems II will have a great impact not only in the U.S. but across the world’. SVP, Cloud Protection and Licensing at Thales, Sebastian Cano, discusses a solution to Schrems II and the security of transatlantic data flows in his insightful unpacking of the ruling. As he suggests, “Ultimately, the security of data flows between the U.S. and EU comes down to a lack of trust due to different data privacy regimes on both sides of the pond”, which requires a different approach to the future.
Change is afoot: international privacy regulation 2021 trends
In addition to the changes being introduced in Canada, Brazil, the UK and India, California voters passed a supplement to the CCPA in November 2020 known as the California Privacy Rights Act (CPRA). When this comes into effect, it will significantly change the CCPA and provide California residents with even more control over their personal information. It will also impose additional controls on businesses falling under the jurisdiction of the CCPA. While most of these provisions will likely only be enforced in 2023, California’s privacy laws will continue to make waves over the year ahead.
In October 2020, the National People’s Congress in China released a draft of the Personal Information Protection Law (PIPL). This is an exciting shift in the country’s approach to developing a fully realised and comprehensive privacy and data governance platform. The law is set to change the privacy landscape in China, and will likely have an equally significant impact on the global privacy landscape.
Currently, the global privacy regulation landscape can be described as in flux. Regulations are constantly changing and adapting to trends, international best practice, and, in the case of Schrems II, regulatory rulings. For some experts, the globally diverse regulations won’t work; they will simply open up more gaps than corporates can fill. However, as these changes continue, it’s likely that global requirements will align with one another more tightly, providing countries, citizens and organisations with a more solid regulatory footing.