Although the volume of data that flows between the EU and the U.S. ensures that EU privacy law occupies most of the spotlight on the world stage, other countries have their own privacy laws worth noting as well.
Different Types of Privacy Regimes
As a preliminary matter, it is important to keep in mind that most countries’ privacy regimes can be grouped into two categories: sectoral and comprehensive. As mentioned in the previous post, privacy law in the U.S. is sectoral, meaning that different laws and regulations govern data from one industry to the next. For example, the Health Insurance Portability and Accountability Act (HIPAA) includes a Privacy Rule and a Security Rule meant to protect people’s medical records; the Family Educational Rights and Privacy Act (FERPA) regulates the release of students’ educational records; and the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act applies to the financial industry. Further complicating matters is the fact that both state and federal governments may enact privacy laws, which has led to varying privacy-related requirements across the country. The U.S. is not the only country that takes a sectoral approach. China, for example, also regulates privacy through multiple laws targeting different industries and types of data, and Canadian provinces may enact their own privacy laws that vary from one another to some degree. It can be particularly tricky to navigate the privacy laws of a foreign country that takes the sectoral approach, as there is always the risk of glossing over or missing a law or regulation governing a given set of data due to lack of familiarity with that country’s legislative system. Therefore, it is especially important to consult a privacy lawyer and/or local counsel in those jurisdictions.
In contrast, the EU Directive, discussed in the first post in this series, is an example of a more comprehensive approach to privacy. It is designed to serve as a single law governing data protection across the board. In recent years, many jurisdictions have adopted a similar approach in crafting their own privacy laws, with countries such as Switzerland (which is not an EU Member State), Malaysia, and South Africa enacting comprehensive data protection laws. Although these laws may seem fairly straightforward, they often contain complicated (or confusing) exceptions or, as in the case of the EU Directive, allow the individual jurisdictions that adhere to the regime some freedom in developing their own implementing laws or regulations. Again, it is important to consult with a privacy lawyer for the most up-to-date information.
Beware of Free Zones!
Sometimes a country’s privacy law regime does not extend to all areas of that country, no matter how comprehensive it may be. That is because some countries have “free zones” that effectively operate under their own laws. One of the most prominent examples is the Dubai International Financial Centre (DIFC), a financial free zone that operates according to its own common law-based legal system, apart from that of the Emirate of Dubai or the United Arab Emirates. The DIFC has enacted its own Data Protection Law that governs the transfer of data out of the DIFC, and this law is quite different from the data protection laws otherwise in place in the larger UAE. Therefore, when looking to export data from the UAE, a U.S.-based litigator must be aware of the differing legal regimes at play and determine which one applies to the situation, rather than simply assuming that all data being exported from a particular city is subject to its home country’s laws.
Data Localization Laws
One of the emerging hurdles on the global privacy scene is the rise of data localization laws, which generally represent countries’ efforts to establish sovereignty over certain types of data by mandating that the data be stored and processed in-country. These laws can cause headaches for multinational firms that do business in (read: collect personal data from) those countries, because the localization laws may require the firm to establish and maintain servers in that country in order to store and process the data that originates there. Some of these laws are fairly limited in scope. For example, Australia’s Personally Controlled Electronic Health Records Act prohibits the transfer or processing of health data outside Australia in some situations, and Nigeria requires all government data to be hosted within Nigeria. However, Russia made major waves last year when it enacted its own, very broad data localization law requiring “operators” that collect, store, and process Russian citizens’ personal data to store and process that data using databases located within Russia. Commercial litigators based in the U.S., therefore, should be aware that data localization laws exist in multiple jurisdictions worldwide, and must take those laws into account when planning to move data across borders.