Data trends 2024
Chapter 2: Global trends in privacy laws: different routes taken along the same regulatory pathway
By Rachael Annear, Richard Bird, Claudia Chan, Hannah Family, Adam Gillert, Christine Lyon, Jackson Myers and Philipp Roos
IN BRIEF
The Economist commented in its 23 September 2023 edition that the EU’s General Data Protection Regulation (GDPR) ‘became the model for most of the world’s 150 privacy laws’ after it was proposed in early 2012. But is it this simple?
The GDPR introduced many new approaches to the regulation of data privacy that have now become conventional around the world (such as privacy impact assessments, enhanced transparency and consent requirements and specific governance requirements) and has been the predominant influence over the development of global privacy laws across the past decade. However, every jurisdiction has continued to develop its own take on privacy regulation. While the GDPR has tended to serve as a menu of tools for legislators to choose from, no other major jurisdiction has simply copied this legislation.
In general, there are many more common elements to any selection of privacy laws than there are differences. The overriding theme is that privacy laws have become increasingly onerous for organisations that are collecting and using personal data.
In this article, we highlight several significant regulatory trends that we are seeing across multiple jurisdictions:
Privacy laws tend to share several core concepts, such as transparency, legal basis/consent, individual rights (although the extent of individual rights provided can vary a great deal from one jurisdiction to the next), data security and breach notification obligations.
Christine Lyon
Partner
The GDPR has always rested on the principle of accountability, requiring organisations to take documented measures to demonstrate their compliance. Following the GDPR's lead, many countries have implemented more formal operational privacy requirements of this nature, such as requiring the appointment of a data protection officer (DPO) in certain contexts and requiring formal impact assessments to be carried out.
(Source: United Nations Conference on Trade and Development)
A large proportion of major jurisdictions outside of the EU (eg, Japan, China, Brazil, Indonesia, several other countries in Asia and certain US states) have adopted—as either a formal or recommended requirement—the GDPR concept of requiring a documented data protection impact assessment (DPIA) of high-risk processing activities or activities that may have a significant impact on the rights and interests of individuals.
High-risk activities may include the large-scale processing of sensitive data, the use of personal data in automated decision-making that could have legal or other significant effects on individuals, and other processing activities that may have a significant impact on individuals. In a variation on this approach, in India, a class of designated ‘Significant Data Fiduciaries’ will be required to undertake ‘periodic’ DPIAs and privacy audits under the recently passed Digital Personal Data Protection Act 2023.
This trend reflects the growing importance for organisations of performing and maintaining documented assessments of privacy risks.
In the EU, organisations are required to appoint a DPO if their core activities consist of certain high-risk activities, such as processing sensitive personal data on a large scale. The DPO has a high level of autonomy. For example, organisations may not instruct the DPO on how to perform their duties, nor penalise or dismiss the DPO for performing their tasks. Guidance from EU authorities also makes clear that DPOs cannot undertake any other tasks that could result in a conflict of interest, such as a DPO also holding a C-suite function.
Other jurisdictions have begun requiring the appointment of DPOs, but the nature of the role can differ. In China, for example, an influential predecessor to the Personal Information Protection Law (the PIPL) adopted in 2021, namely the Personal Information Security Specification 2020 edition (a government-issued Chinese national standard), provides that the responsibilities of a DPO include taking the lead in preparing internal policies, establishing the organisation’s approach to data security, conducting DPIAs, and setting rules and procedures for handling data subject requests. This represents a much more hands-on (and perhaps less independent) role than under the GDPR, even if the core statutory function remains to supervise the organisation’s data processing activities and the protective measures taken. The detailed implementing rules for DPOs under the PIPL have yet to be issued, but following the approach seen in most other areas of the PIPL it is expected that the PIPL will retain the broad lines of the Personal Information Security Specification.
Similarly, under the new Law on Personal Data Protection in Indonesia enacted in October 2022, in circumstances where organisations are required to appoint a DPO, the DPO will have direct responsibility for ensuring the organisation’s compliance with the law. The new law in India also takes a similar approach to that of China.
Data governance has been placed at the heart of emerging approaches to the regulation of AI services around the world.
The EU’s proposed AI Act is built around key tenets of transparency, human oversight, and accountability. Similarly, the Federal Trade Commission in the US has declared that the use of AI should be ‘transparent, explainable, fair, and empirically sound while fostering accountability.’
As was the case with the GDPR, the draft EU AI Act is already having an influence on the development of AI regulation in other countries. China’s new AI regulations in effect since August 2023, Brazil’s AI Law published in December 2022, and Canada’s proposed Artificial Intelligence and Data Act (AIDA) issued in June 2022 are all strongly orientated towards the approach being proposed in the EU’s AI Act.
At the end of October 2023, the Biden Administration issued an Executive Order that instructs US government agencies to carry out rule-setting. The Executive Order picks up on many of the same themes as the Chinese and EU approaches and is a further indication that a consensus is beginning to emerge on at least the key tenets of AI regulation. But with no prospect of genuine international harmonisation of laws in the short- to medium-term, it will be important for companies to track these rapid developments closely and to identify the areas of difference that affect them most in the markets in which they operate.
For further details, please see chapter 1.
Privacy laws typically require an organisation to establish a legal basis for any processing of personal data, which may include the individual’s consent to that processing activity. The GDPR has made it more difficult for organisations to rely on consent, by setting high standards for obtaining a valid consent (eg, requiring a separate consent for each processing activity for which consent is needed, rather than seeking a single blanket consent to the privacy policy).
In contrast, privacy laws in many countries (particularly in Asia and Latin America) still rely heavily on consent as the primary basis for processing personal data (and consent may also be withdrawn). The standards of transparency and explicitness that need to be met for a valid consent have nevertheless often also been raised in line with those of the GDPR.
That said, many newly introduced or recently revised privacy laws have added more flexibility in the range of permissible legal grounds for the collection and use of personal data. This flexibility is achieved by bringing in some combination of the more expansive GDPR grounds of ‘legitimate interest’ and of processing required to fulfil a contractual obligation with the individual (or related grounds); examples include Indonesia, Korea, India, the Philippines and Thailand. By contrast, both China and Vietnam still mandate that an individual’s consent be obtained in most cases. Similarly, various countries in Latin America, such as Argentina and Uruguay, continue to require consent in most cases and do not provide the same type of ‘legitimate interests’ basis as the GDPR for processing personal data without consent, despite looking significantly to EU privacy principles in other respects when creating their privacy laws. In the UK and EU, by contrast, consent is only one of six lawful bases for processing personal data, and in practice it is most often used for processing special category data or for processing data in a potentially intrusive way.
Singapore has permitted processing based on either deemed consent in an expanded range of circumstances or legitimate interests since early 2021. However, in conjunction with this, Singapore law requires organisations to conduct a specific DPIA when planning to rely on either of these bases for processing.
(Source: Freshfields data collected July 2023)
Cross-border data transfers have been a particular focus of EU data protection authorities, and cross-border data transfers are a growing focus of regulation in other jurisdictions as well.
The EU standard contractual clauses remain the most common mechanism for cross-border transfers of personal data out of the EU, and many other countries have now issued, or proposed to issue, their own model clauses for cross-border transfers of personal data (eg, the UK, Brazil, China, ASEAN, Hong Kong and Thailand).
Separately, a smaller subset of countries (such as China, Russia, Indonesia, Vietnam and certain countries in Africa) impose data localisation requirements for certain categories of data or applicable to certain categories of organisation/sector. These rules generally require copies of data to be maintained in-country, or prohibit the transfer of data out of the jurisdiction without government approval.
These data localisation requirements can prevent the cross-border transfer of covered data even if the requirements under privacy laws have been met. For example, even if an organisation uses China’s approved standard contract for cross-border transfers of personal data under the PIPL, the organisation may still be prohibited from transferring personal data above certain volume thresholds or if the organisation has been designated an operator of critical information infrastructure.
As a result of the growing role of data transfer and localisation restrictions, organisations need a holistic understanding of a jurisdiction’s data laws, rather than focusing exclusively on privacy laws.
Philipp Roos
Principal Associate
However, the march of restrictions on cross-border data transfer may already be in retreat.
Earlier versions of what eventually became the India Digital Personal Data Protection Act 2023 had proposed a combination of the Russian and Chinese approaches; namely a requirement to maintain a copy of all personal data on a server in India (ie, as is the case in Russia), coupled with powers for the government to notify certain categories of critical personal data that could only be processed in India (ie, similar to the Chinese rules). Both proposed requirements were dropped before the final legislation passed in August 2023. The final Act instead adopts a ‘black-list’ approach that would prohibit transfers of personal data to certain jurisdictions designated by the government.
Vietnam’s expansive requirement for local data storage by organisations providing services over networks (including the internet)—which has been in place since 2019—was narrowed down in August 2022 to apply only to ten digital sectors and only to certain types of user and service data. The impact of the rule does nevertheless remain significant, and uncertainty remains as to whether these kinds of data can only be stored in Vietnam. The new Vietnamese Decree No. 13 on the Protection of Personal Data issued in April 2023 allows personal data to be transferred overseas by mere notification to the government. The government does, however, reserve the right to discontinue specific data transfers, including on national security grounds. This indicates a further liberalisation in Vietnam’s thinking, although the 2019 rule remains in force.
Similarly, while Indonesia has certain sectoral data localisation rules, it relaxed the key restriction in 2019 as it had applied to private networks and information systems (GR 71/2019). The new privacy law has also avoided imposing any unusually strict restrictions on cross-border data transfer.
In a surprise announcement on 28 September 2023, China also revealed that it was planning to relax its rules on cross-border data transfers in certain circumstances.
While the EU’s GDPR continues to assert a strong influence over other global privacy regimes, as the number and sophistication of privacy laws grows around the world, we are seeing growing divergence and diversity, not least in Asia.
Richard Bird
Partner
As new privacy laws and regimes expand and mature, we expect to see countries continuing to take inspiration from other jurisdictions’ privacy laws, and it can be expected that the GDPR will remain a primary reference point. At the same time, we will continue to see many examples of jurisdictions tailoring their legislation to their own political, historical, and cultural contexts.
When it comes to data regulation, no two journeys are exactly alike. A ‘GDPR is the high watermark’ approach to compliance is therefore unlikely to achieve complete compliance across any basket of jurisdictions in which an organisation operates. Compliance programmes that do not also recognise the nuances on common privacy questions in certain jurisdictions will generally fall short of an ideal standard.