Recent developments in data protection laws around the world highlight the increasing significance of having a robust and comprehensive framework that will adequately protect an individual’s personal data. Across the globe, jurisdictions continue to develop their data protection and privacy laws and many use the General Data Protection Regulation (“GDPR”) as a template or at least borrow concepts first seen in European law. As a recent example, in April 2021, the British Virgin Islands (“BVI”) enacted the Data Protection Act 2021 (“the DPA”) that will come into force shortly. The DPA will apply to data controllers and processors, which are concepts that the UK and the EU are very familiar with due to the GDPR. Further from home, China has adapted parts of the GDPR such as the legal principles for processing personal data into its draft Personal Information Protection Law (“PIPL”). Quite simply, the GDPR continues to serve as a template in many countries that either do not yet have their own data protection laws or are in the process of refining their own laws to ensure that their citizens’ personal data is sufficiently protected.
Cross border transfers
One key difficulty that businesses operating in today’s global economy need to contend with in complying with the GDPR concerns cross border transfers of personal data. Under the GDPR, transfers of personal data to organisations outside of the European Economic Area (“EEA”) are not permitted unless either (a) the recipient country or organisation ensures an adequate level of protection; (b) the controller or processor provides appropriate safeguards (e.g. binding corporate rules or standard data protection clauses); or (c) a derogation or exemption applies.
Organisations that engage in such transfers, most notably companies that have online IT or cloud services, must ensure that appropriate safeguards are implemented. These safeguards are commonplace within the EU, but may be problematic when such transfers involve third countries that do not have an ‘adequate’ level of data protection. This standard has risen as a result of the Schrems case (C-362/14), in which the Court of Justice of the European Union (“CJEU”) underlined that a third country must have “a level of protection essentially equivalent to that guaranteed within the EU by the GDPR”. The CJEU judgment in the Schrems II case (16 July 2020) places a further requirement for a transfer impact assessment for organisations that engage in cross border transfers based on standard contractual clauses.
In a step towards global harmonisation of cross border transfers of personal data, an increasing number of countries have adopted a similar approach to the GDPR regarding the need for third-country recipients to have an adequate level of data protection. For instance, the draft Bill expected to enter into force in Chile in 2022, which seeks to improve data protection standards in the same way as the GDPR, provides that cross border transfers of personal data will require the third country to have similar levels of protection as the Bill itself. Meanwhile, the Personal Data Protection Act 2019 in Thailand mirrors the GDPR in permitting such transfers only if adequate personal data protection standards as permitted by the Thai Personal Data Protection Committee are implemented.
Should more countries adopt stringent provisions that meet the “equivalent” standard set out by the GDPR and the Schrems case, organisations will have more clarity on the appropriate level of protection required on their end. Alternatively, an international standard similar to that of the GDPR or the Asia-Pacific Economic Cooperation’s (APEC) Cross-Border Privacy Rules (CBPR) system could be established to better facilitate cross border transfers. It may be some time before we see such a harmonised standard as developing countries in particular need to establish their own local data protection laws first.
Implications for Organisations
The GDPR has given individuals more control over how their personal data can be collected, processed and stored. Individuals can request that their data be erased (‘right to be forgotten’) or rectified (‘right to rectification’). Organisations that collect personal data must obtain an individual’s consent and provide details such as, but not limited to, the identity and contact details of the controller and, where applicable, the data protection officer, and the purpose for collecting or processing the data.
Various countries have adopted similar provisions to increase transparency between controllers and data subjects. Brazil’s General Data Protection Law (“LGPD”) requires controllers to provide individuals with ‘privacy notices’ as well as ‘opt-in/opt-out’ check boxes to give data subjects more control over the amount of data they are willing to provide. In Sri Lanka, under the final draft Personal Data Protection Bill (“Draft Bill”) that was released earlier this year, a data subject’s prior consent is required in order for organisations to process his/her personal data. These data subjects also have rights such as the right to withdraw consent and the rights to access, rectification and erasure that are similar to those under the GDPR.
A necessary measure to enforce these stringent rights is harsh penalties in the form of fines. Under the GDPR, breaches of the key data protection principles or infringements of data subjects’ rights could result in fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher. In Canada, it is expected that the new Consumer Privacy Protection Act (“CPPA”), which is likely to be implemented in the coming years, will increase the maximum penalties for breaches of the CPPA to either $10,000,000 or 3% of an organisation’s gross global revenue, whichever is higher. The Australian federal Attorney General has proposed amendments to the Privacy Act 1988 to increase penalties for repeated breaches to AU$10 million or 10% of a company’s annual domestic turnover. As such, international organisations in particular should be aware of changes in the laws of different countries and regions to ensure that they do not fall foul of such penalties.