
Protecting the World’s Privacy: Data Protection Laws around the Globe

Image Credit: Lana_U/Bigstockphoto.com

The EU’s General Data Protection Regulation was established to provide individuals and businesses protection in the online world. But do the laws go far enough, and which cohort of countries enjoys the most robust protection? Kevin Shepherdson, CEO and Founder of Straits Interactive, investigates.

The digital age of today has made personal data the lifeblood of the global economy as people freely share data and information on a daily basis. To prevent unauthorised use of the personal information of individuals by organisations, data protection/privacy laws are being introduced in a growing number of jurisdictions worldwide, with a recent addition, as of 1 November 2021, being China’s Personal Information Protection Law (PIPL).

With various data privacy/protection laws in place across the world, are the laws different or are they similar in terms of the privacy and protection of personal data?

We decided to take a closer look at some of the most prominent and established data privacy/protection laws globally, the similarities and differences, and what this means for businesses operating in these jurisdictions.

Key themes of the GDPR

The European Union’s General Data Protection Regulation (EU GDPR), first adopted in 2016, can be seen as the de facto reference standard for ASEAN data protection/privacy laws, as it is one of the most comprehensive laws in the world.

The following are three of the key themes of the GDPR:

Social concerns: EU lawmakers have been concerned with the social impact of the use of personal data. For instance, the GDPR promotes fair and ethical use of artificial intelligence in relation to personal data processing, calling for trust and accountability. When AI systems process personal data, the GDPR has provisions that call for individuals to be informed about such processing and even to be able to object to it.

Human rights: The GDPR affords individuals the right to be informed about the processing of their personal data, and to have access to, and control over, their data.

Cross-border transactions/data flows: The GDPR calls for restrictions on the transfer of personal data outside of the European Union, to third countries or international organisations, to ensure that the protection of the individual is not undermined.

EU, ASEAN, US data protection/privacy legislation

In the following table, we can see the comparison between the GDPR and the various ASEAN data protection/privacy laws.

EU

SG

MY

PH

TH

ID

Lawfulness of processing with stricter consent requirements

Sensitive data / Special categories

NRIC

Requirements for DPO

✔*

Stricter requirements for processors

✔*

Data Protection Impact Assessment

Recommended

Recommended

 

Recommended

 

Recommended

 

Recommended

Data Protection by Design

Recommended

Recommended

Recommended

Recommended

Recommended

Data Breach notification

Recommended

Records of processing (*INDO, TH)

Best practice

Best practice

Best practice

Extra-territorial application (*PHI, TH)

N/A

N/A

✔*

N/A

Table from Data Protection Excellence (DPEX) Network

As a quick comparison, there are many similarities between the various countries’ laws. This is likely due to the fact that the concept of personal data protection encompasses the collection, use, and storage of personal information, as well as the disclosure or transfer of that data.

It can also be seen that some of the GDPR’s key principles, such as the aforementioned themes, have been influential on ASEAN data privacy laws. However, countries will adapt and create versions that best suit the interests of their jurisdictions.

Table extracted from Varonis: https://www.varonis.com/blog/us-privacy-laws/

For example, there is no single comprehensive law that all US states and organisations have to comply with. Nevertheless, some states have their own laws protecting the personal data of consumers. For instance, California has the California Consumer Privacy Act (CCPA). The table from Varonis below gives a brief comparison of the EU’s GDPR and California’s CCPA, showing that laws have similarities and differences depending on the interests of their jurisdictions.

Between the GDPR and CCPA, there is common ground in provisions relating to the right to erasure, the right to be informed, the right to withdraw consent and object (also known as opt-out in the American context), the right to access, and the right to data portability.

Table extracted from Varonis: https://www.varonis.com/blog/us-privacy-laws/

Operating with different legislations

Although data privacy/protection laws all seek to protect consumers' personal data, they differ from country to country. Because of this, it is essential for organisations with operations across the globe to understand the requirements of the local data privacy laws and adjust their data privacy/protection management programme (DPMP) and practices accordingly.

In the absence of compliance, organisations risk falling foul of the law and even being fined by data privacy/protection regulators in jurisdictions like the European Union or Singapore.

In the digital age of today, trust is paramount to keeping consumers loyal to the organisation’s brand. Data breaches are making consumers increasingly aware of the importance of their personal data protection, and they expect the organisations they purchase goods or services from to safeguard their data and not to use it in any way beyond what they have agreed to. Hence, a sound data privacy/protection management programme is a competitive advantage for businesses to assure consumers that they are trustworthy and accountable.

Author

Kevin Shepherdson is the CEO and Founder of Straits Interactive, a data privacy consultancy and training provider, based in Singapore.
