Since its inception, the EU’s General Data Protection Regulation (GDPR) has been deemed by experts as the world’s strongest collection of data protection rules. As our online presence increases through social media, digital banking, and other means, nations around the globe have come to realize that they cannot be left behind when it comes to the safeguard of their citizen’s personal data.
GDPR was adopted in Europe on the 24th of May 2016 and became fully enforceable on the 25th of May 2018. Built upon previous European laws of the 90’s, GDPR aims at harmonizing data privacy laws across the EU and providing greater protection to its citizens through 7 core principles, including transparency, purpose limitation, accuracy, and others.
What makes GDPR unique is that its scope extends beyond the borders of the EU, meaning that any company handling an EU’s citizens personal data is subjected to the European law, no matter where in the world it is situated. 3 years following its application, In the third quarter of 2021, GDPR penalties have totalled €1 billion globally, amounting to 20 times greater the number of the first two quarters of the year combined. The largest fine in the history of the regulation was presented to Amazon in 2021 for a staggering €746 million.
GDPR is not only making a difference for the inhabitants of the EU, but it is also inspiring other nations to amend or adopt privacy laws modelled on its European counterpart. From Brazil’s LGDP to Qatar’s Law No. 13 of 2016, GDPR is proving to be the leading privacy law in the world.
How is GDPR the standard for privacy laws?
Elizabeth Denham, UK’s Information Commissioner, has described GDPR as evolutionary instead of revolutionary. While privacy laws have existed in various parts of the world, with the German state of Hessia being the first to adopt one in 1970, GDPR has built upon their foundations by toughening certain standards and introducing novel approaches to data protection. Notions such as consent from data subjects has set it apart from its predecessors.
Professors Chris Jay Hoofnagle, Bart van der Sloot, and Frederik Zuiderveen Borgesius have described GDPR in their 2019 paper “The European Union general data protection regulation: what it is and what it means” as “the most consequential regulatory development in information policy in a generation.” Moreover, they believe that GDPR will bring “personal data into a detailed regulatory regime, that will influence personal data usage worldwide.”
While GDPR is by no means perfect – as is shown by the criticism towards its vague provisions, lack of guidance, and ambiguity concerning international data flow – it is currently one of the strongest data protection laws in the world.
What are similar legislations to GDPR?
Below is a list of nations that have altered their data privacy laws or introduced new ones inspired by GDPR. While there are differences between the European regulation and these laws, below are listed a few of the similarities.Country
Name
Acronym
Date
Similarities
Qatar
Law No. 13 of 2016
N/A
13/11/2016
Right to delete or correct personal data and right to withdraw consent of personal data. Requirement for organisations to consider privacy issues when designing and developing products, systems, and services - privacy by design.
Mauritius
Data Protection Act
N/A
15/01/2018
Lawful processing of personal data. Right to consent regarding personal data, right to object, right of access, and right to rectify incomplete or inaccurate data. Encryption and pseudonymisation of personal data.
United Kingdom
United Kingdom General Data Protection Regulation
UKGDPR
23/05/2018 (became UKGDPR post-Brexit)
Processing of personal data like to GDPR. Notion of controllers and processors. Protection of children’s data. Key principles, rights, and obligation like GDPR.
Nigeria
Data Protection Regulation
NDPR
25/01/2019
Definitions of data controller and data subject quite similar. Sensitive personal data similar in scope and definition to GDPR's special categories of personal data. Persons involved in data processing, or the control of data must develop security measures to protect data. Personal data must be collected for specific, legitimate, and lawful purposes.
Uganda
Data Protection and Privacy Act, 2019
N/A
01/03/2019
Extends to all Ugandan citizens even if not living in Uganda. Designation of a data protection officer. Rights of data subjects like GDPR.
Bahrain
Personal Data Protection Law
PDPL
01/08/2019
Right to correct wrong personal data, right to erase personal data under certain conditions, and right to object automated decision-making.
Kenya
Data Protection Act
N/A
08/11/2019
Applies to all companies processing data inside Kenya regardless of physical location. Data subjects can request right to withdrawal and right to be forgotten. They can also ask how their data is being used. A Data Protection Officer must also be appointed.
South Africa
Protection of Personal Information Act
POPIA
01/07/2020
Implementation of appropriate technical and organizational measures to protect personal data. Information Officer like DPO. Reporting of data breaches like GDPR. Obligation to follow law even if no domicile in South Africa. Written contracts between data subject and data operator.
Brazil
General Personal Data Protection Law 13709/2018
LGPD
18/09/2020
Applies to the processing of personal data processed in Brazil if the purpose of such processing is to provide or offer goods/services to Brazil's residents. Consent and processing like GDPR. Data subject rights like GDPR.
New Zealand
Privacy Act 2020
N/A
01/12/2020
Foreign entities doing business in NZ are subject to the Act's obligations even if no presence in country. The transfer of personal information overseas without the individual’s express consent is not allowed.
Thailand
Personal Data Protection Act
PDPA
31/05/2021
Similar definitions to GDPR. Obligation to follow law for organisations collecting or using of personal data in Thailand regardless of whether they are domiciled in the country. Right to object. Information that a data controller must record is like the one described in GDPR.
China
Personal Information Protection Law
PIPL
22/11/2021
Definition of “personal information” and “processing” like GDPR. Territorial scope extends to Chinese citizens outside the country. Requires entities to have lawful basis for processing personal information. Cross-border transfer of personal information similar to GDPR.
How is GDPR inspiring U.S. privacy laws?
Data protection regulation in the United States is a patchwork of different legislations brought about independently by states without an overall national law. According to the International Association of Privacy Professionals, 20 U.S. states have introduced their own privacy bills in 2021, many taking inspiration from GDPR.
The California Privacy Rights Act of 2020 (CPRA), approved on November 3, 2020, and which builds upon the previous California Consumer Privacy Act of 2018, shares several similarities with its European counterpart. The Act provides rights to children’s personal information and their use, the notion of collecting, transferring, and deleting personal information, and the possibility of fines for data breaches, amongst others. It is considered user-centric by granting further rights and protection to Californian citizens. The law will enter into force in 2023.
In 2023, the state of Virginia will adopt the Virginia’s Consumer Data Protection Act (CDPA). The Act grants consumers the right to access, obtain, delete, and rectify personal data collected by a company. It also includes the definition of “sensitive data” in the same vein as GDPR.
In a 2021 poll by Morning Consult, it was shown that 83% of U.S. voters believed that passing a national data privacy legislation was a “top” or “important, but low” priority.
What is the future of data protection laws?
With a rapidly evolving technological landscape and the willing to safeguard the personal rights of individuals worldwide, data protection regulations will continue to evolve. The European Union is at the forefront of this push, having announced in 2021 a series of draft legislations that will add further to GDPR. These include the Digital Governance Act, the Data Act, the Cybersecurity Act, and the ePrivacy Regulation, amongst others. Time will tell how these acts will have an impact on an international scale.
India is also set to debut its Data Protection Bill in the near future. Taking inspiration from GDPR, its similarities can be found in the definition of consent and data fiduciary as well as the timing needed to report a data breach, amongst others. Forbes India has criticized the bill for giving “the government blanket powers to access citizens' data." However, Estelle Masse, a senior policy analyst at digital rights group Access Now, has stated in an CNBC article that India’s regulation will have a strong impact internationally “because of the sheer amount of people and the role that this country would have in a global data economy.”
As the world shifts towards a more digital reality following the Covid-19 pandemic, data protection and the rights of our personal information will become further embedded into national laws, ever evolving with new technologies and international regulatory landscapes.
ComplianceCompliance expertData Protection AuthorityData Protection WatchdogEUEuropean CommissionGDPRPrivacyPersonal DataData Security
