The General Data Protection Regulation governs data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
The GDPR offers people in the EU a higher level of protection and control over their personal information than anywhere else in the world. It is widely viewed as the current gold standard for data protection and as a result, affects how other regions and countries approach data protection.
How does GDPR impact data protection regulations around the world?
GDPR has already become a model for national data protection laws in Chile, Japan, Brazil, South Korea, Argentina and Kenya. The California Consumer Privacy Act (CCPA), which came into effect on 1 January 2020, also shares many similarities with GDPR.
Wondering what national privacy acts your organization may be subject to and how they compare to GDRP?
POPI Act – South Africa
The goal of South Africa’s Protection of Personal Information Act (often called the POPI Act or POPIA) is to “protect people from harm by protecting their personal information. To stop their money being stolen, to stop their identity being stolen, and generally to protect their privacy, which is a fundamental human right.”
The Act outlines eight principles that South African data processors must respect to lawfully process the personal data of South Africans. Failure to do so can result in fines of up to R10 million and/or imprisonment of up to 10 years for a more serious offense.
Despite predating the GDPR, POPI is often called “South Africa’s GDPR” because it shares quite a few similarities. That said, a couple of key differences exist. The first pertains to sensitive company information (POPI protects this, GRDP doesn’t).
Borealis stakeholder engagement software treats all data as sensitive and protects it according to the highest privacy standards, making it both GDPR and POPI compliant.
The second difference is that under POPI, organizations are not required to get consent before processing most types of personal data. A third notable difference is the punishment for non-compliance. POPI Penalties can extend beyond monetary fines to prison sentences of up to 10 years.
Privacy Act – Australia
The Privacy Act 1988 protects the privacy of individuals by regulating how government agencies and organizations in Australia handle personal information. The Act also covers things like consumer credit reporting, tax file numbers, and health and medical research.
Similar to the GDPR and the data privacy acts of other countries, the Privacy Act outlines a set of principles (“Australian Privacy Principles” or APPs) that organizations must comply with. These principles include rules on transparency, direct marketing, and the security of personal information.
While Australia’s Privacy Act is similar in many ways to the spirit and intent of the GDPR, in substance they are quite different. For example, both laws require organizations to have a privacy policy and obtain consent from individuals before collecting their information. However, the requirements under the GDPR are more extensive. The APP recognizes both implied and express consent, whereas the GDPR only recognizes the latter.
The maximum penalty for failing to comply with the Privacy Act is currently AU$2.1 million (or AU$420,000 for individuals). The Australian Government has recently been looking to increase this maximum penalty for serious and/or repeated interferences to the greater of:
- AU$10 million
- three times the value of any benefit obtained through the misuse of information
- 10% of the breaching entity’s annual domestic turnover
This increase would bring the Privacy Act more in line with the penalties applied under other similar laws such as the GDPR. Currently, serious infringements of the General Data Protection Regulation can result in fines of up €20 million or 4% of the company’s total worldwide annual turnover, whichever is higher.
PIPEDA – Canada
PIPEDA – or the Personal Information Protection and Electronic Documents Act – can be roughly described as Canada’s version of GDPR.
A quick comparison of the two shows that both acts focus on accountability and transparency. However, their key similarities essentially end there.
Unlike the GDPR, which applies to any organization that deals with personally protected data, PIPEDA mainly governs private-sector industries that conduct commercial activities. It also applies to some federal entities.
Rather than having one law to rule them all, Canada has taken a two-layered approach, with some Canadian provinces also enacting their own private-sector privacy laws. Many of these provincial laws are substantially similar to PIPEDA with respect to how personal inform is collected, used or disclosed within that province.
Organizations subject to a substantially similar provincial privacy law are generally exempt from PIPEDA – on the provision this personal information does not cross provincial or national borders in the course of commercial activities. Otherwise, PIPEDA legislation prevails.
In comparison to the EU’s GDPR, PIPEDA applies a much broader definition of what is considered “commercial activities.” Essentially: “any organization that collects, uses, and sells data.” This can include non-profits that sell, barter, or lease membership, donor, or other fundraising lists. A company could therefore be GDPR compliant but still not meet PIPEDA standards.
While the GDPR is completely transparent in its privacy policy, PIPEDA has gone with somewhat murkier wording: “Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort.”
Also unlike the GDPR, which requires organizations to obtain an individual’s express consent, under PIPEDA, organizations only need implied consent. It’s worth noting that third-party vendors working on an organization’s behalf must also get this consent. Failure to do so can result in penalties for the contracting organization.
Under PIPEDA, fines for non-compliance can reach up to $100,000, although it’s likely this relatively low maximum amount will increase over time.
US Privacy Laws
There is no single data protection law in the US. Instead, the country relies on a hodge-podge of hundreds of federal and state laws to protect the personal data of its citizens.
The Federal Trade Commission Act enforces federal privacy and data protection regulations designed to safeguard consumers from unfair or deceptive practices such as misleading advertising, failing to adequately protect personal information or not complying with one’s own published privacy policies.
Personal information is also protected at the federal level by a number of sector-specific data protection laws. Two better-known examples are the Gramm-Leach-Bliley Act (or GLBA), which requires financial institutions to explain to customers how they share and protect their private information, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which governs the privacy and security of certain health information.
Still other federal laws focus on specific types of data, such as the Driver’s Privacy Protection Act, which governs the privacy and disclosure of personal information gathered by each state’s Department of Motor Vehicles. Another data-specific law is the Children’s Online Privacy Protection Rule, which prohibits companies from collecting any information from children under the age of 13 online and from digitally connected devices.
Added to these federal laws are a number of state laws, some being stricter than others. The states of Massachusetts, New York, Illinois, and California are notable for their expansive and privacy-forward legislation.
Do all organizations need a GDPR compliance strategy?
Many businesses outside of the EU rightfully wonder whether the GDPR applies to them if they are complying with their own country’s data privacy laws. The short answer is YES.
In today’s globalized world, vast amounts of personal data not just crosses borders, but sometimes gets stored on servers in other countries. Companies need to understand that the GDRP travels with data. In other words, the rules protecting personal data continue to apply regardless of where the data “lands” – even if it’s in a country outside of the EU.
How can organizations demonstrate they are GDPR compliant?
What rules apply if my organization transfers data outside the EU?
Let’s say you’re a French company looking to expand to Argentina – a “third country” in the eyes of the GDPR because it is outside of the EU. Before transferring any data outside the EU, your first step should be to check whether Argentina has been issued a GDPR Adequacy Decision. An Adequacy Decision is issued when the GDPR Commission deems a third country – in this case, Argentina – is able to ensure an adequate level of data protection. If it has, your company can transfer personal data to this third country without any specific authorization.
If the third country has not been issued an Adequacy Decision, you may still be able to transfer data, but only under certain conditions and after implementing specific safeguards.
The topic of data security and privacy can be daunting for any organization. Having the right tools and policies in place will help protect your business.
Contact us to learn more about how we protect your sensitive data and that of your stakeholders.
