International Data Protection: Processing Personal Data
The European Union has set a benchmark with the GDPR, and the rest of the world follows. Businesses operating internationally must comply with data protection laws in the United Kingdom, California, Singapore, India, Brazil, and China. We provide an overview.
Table of Contents
- European Union: General Data Protection Regulation (GDPR)
- United Kingdom
- California: California Consumer Privacy Act (CCPA)
- Brazil: Lei Geral de Proteção de Dados (LGPD)
- Singapore: Singapore Personal Data Protection Act (PDPA)
- India: Personal Data Protection Bill (PDPB)
- China: Personal Information Protection Law (PIPL)
- Switzerland: revised Data Protection Act (revDSG)
- State-of-the-art encryption
European Union: General Data Protection Regulation (GDPR)
The GDPR is a regulation of the European Union that was adopted in 2016 and has applied since May 25, 2018, after a two-year transition period. As a regulation it is directly applicable in all member states and does not need to be transposed into national law; member states only adapt their own legislation where the GDPR leaves them room to do so (the so-called opening clauses). In Germany, this resulted in the new Federal Data Protection Act (BDSG-neu).
The aim of the regulation is to strengthen data protection and the right to privacy of everyone in the EU. It also harmonizes data protection law across the member states. The focus lies on how companies and organizations must protect individuals' data. It was the GDPR that brought the term "personal data" into broad public awareness.
Important: The GDPR protects the personal data of natural persons who are in the EU, regardless of their citizenship. It therefore also applies to organizations established outside the EU if they offer goods or services to people in the EU or monitor their behavior (Article 3(2)), known as the "extra-territorial effect."
United Kingdom: Data Protection Act 2018 (DPA 2018)
The Data Protection Act 2018 is the national data protection legislation of the United Kingdom. As a result of the UK's withdrawal from the EU (Brexit), people in England, Scotland, Wales, and Northern Ireland no longer fall within the scope of the EU GDPR. Instead, the UK retained the text of the GDPR in domestic law as the "UK GDPR", which sits alongside the DPA 2018 and is very closely aligned with the European regulation.
Important: Companies based outside the UK must appoint a UK representative if they monitor the behavior of and/or offer goods or services to people in the UK.
Planned Reform of UK Data Protection Policy
In August 2021, the UK announced its intention to adopt a standalone data protection law that would break away from the requirements of the GDPR. The main points are the possible abolition of cookie banners and so-called data partnerships with countries that have a high standard of data protection. It is not yet known when exactly these changes will come into force.
California: California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is the first comprehensive consumer privacy law of a US state. When it became effective, California residents gained five new rights that give them more control over how their personal information is used. For example, they can request information about the data collected about them, receive a copy of that data if they wish, request its deletion, and opt out of the sale of their personal information. Also very important is the right not to be discriminated against for exercising these rights. This aspect is becoming increasingly important in light of automated data processing by algorithms.
Important: Companies above the law's thresholds (among them, processing the personal information of more than 50,000 Californians under the original CCPA, raised to 100,000 consumers or households by the CPRA from 2023) must provide workflows and points of contact for California residents who wish to exercise their rights. We have more details on the CCPA (and the CPRA) in a separate article.
By the way, other states in the U.S. are working on implementing data privacy laws modeled on the GDPR and the CCPA, including Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota, and Rhode Island.
Brazil: Lei Geral de Proteção de Dados (LGPD)
Brazil has likewise taken the GDPR as a guide and created its own, very similar law.
Just like the GDPR, the LGPD regulates the handling of personal data. Consent is therefore required for data collection (with exceptions similar to those of the GDPR). Data subjects can access the data held about them, request a correction, and move their data to other services (data portability). In addition, the LGPD requires data minimization: as little data as possible should be collected.
Important: Pursuant to Article 3, the LGPD applies to any form of personal data processed by a natural or legal person, regardless of the means, country of domicile or residence, or country where the data are located, to the extent that (1) the data processing operation is carried out in Brazil, (2) the purpose of the activity is to offer or supply goods or services or to process data of individuals in Brazil, or (3) personal data that are subject of processing were collected in Brazil.
Singapore: Singapore Personal Data Protection Act (PDPA)
The Singapore Personal Data Protection Act (PDPA) is also mainly concerned with the protection of personal data. In addition, it lets individuals register their Singapore telephone numbers in a so-called "Do Not Call" registry. By making an entry, one unsubscribes from unwanted telemarketing calls and messages.
Important: The law applies to companies that collect, use or disclose personal data in Singapore, regardless of whether they themselves have a physical presence in Singapore or whether the company is registered in Singapore.
India: Personal Data Protection Bill (PDPB)
The passing of the Indian Personal Data Protection Bill was delayed by the COVID-19 pandemic. There is still no date for the bill to come into force. However, the contents of the bill have largely been decided.
The PDPB was criticized for turning India into a surveillance state. Although the protection of personal data is the official reason for the law, central points such as the right to be forgotten have not been considered (or have been weakened by "softer" formulations and are only possible if good cause is shown). Consent to data processing by the data subject is required in principle, but there are exceptions for medical emergencies, legal proceedings and criminal prosecution, as well as for services and benefits provided by the government for individual persons (e.g., driver's license).
These exceptions lead to various problems. For example, public health insurance would not be covered by the PDPB, but a private insurance company offering the same services would. Data protectionists are also irritated by the fact that data trustees have some leeway in determining whether a data breach must be reported to the supervisory authority.
Important: The PDPB distinguishes three types of stakeholders. The "Data Principal" is the person whose data is at stake (referred to as the "data subject" in the GDPR). The "Data Fiduciary" is the data trustee, the organization that decides the purpose and means of processing (for example, corporations like Facebook or Google; the GDPR calls this role the "controller"). "Data Processors" are the companies that process data on behalf of a data fiduciary (for example, service providers such as an insurance company handling data for another organization; the GDPR's "processor").
China: Personal Information Protection Law (PIPL)
A new data protection law has been passed in China, which is to come into force on November 1, 2021. Similarities to the GDPR can be found here as well.
First and foremost, the law is intended to restrict the collection of data. Users must be fully informed about the use of their data, and no more data may be collected than is necessary. In addition, for the first time they have the right to refuse decisions made by automated means and targeted marketing based on them.
Price discrimination is also to be banned in the future. Until now, it was permitted in China to offer users different prices - depending on consumer behavior and income level.
Although the Chinese government describes the PIPL as the "strictest law in the world," there is criticism. For example, although digital companies are now subject to stricter regulation, the Chinese state apparatus can continue to read and listen in without restriction.
Important: Just as with the GDPR, the new law also applies to companies outside China that process personal data of Chinese citizens. If this is the case, a representative must be appointed in China who is responsible for issues relating to data processing.
Switzerland: revised Data Protection Act (revDSG)
A new data protection law has also been adopted in Switzerland. It is scheduled to come into force in the second half of 2022.
In principle, Switzerland is also guided by the GDPR. However, the revDSG is somewhat stricter in some areas. For example, data processing activities are to be recorded in a register in the future; which organizations are exempt from this obligation is still being specified. If data is transferred abroad, the recipient countries must be named, and here the revDSG is stricter than the GDPR. A duty to inform is also planned for decisions that are made automatically (for example, by algorithms).
Important: The revised law protects only the data of natural persons; data of legal entities, which the previous Swiss law also covered, is no longer within its scope.
State-of-the-art encryption
What all of the presented laws have in common is that organizations that collect, store or process personal data must protect this information to a special degree. The best method for this is end-to-end encryption: data is encrypted before it leaves the user's device, and the keys are held only by authorized persons, so neither the storage provider nor an attacker who obtains the stored files can read them. To unauthorized third parties, an encrypted file is indistinguishable from random data.
Our Boxcryptor encryption software uses a combination of AES-256, one of the most widely used and secure encryption standards, and RSA encryption. In a hybrid scheme of this kind, the symmetric AES cipher protects the file contents, while RSA is used to encrypt the file key for each authorized user. Breaking either algorithm by brute force is infeasible with the computing power available today; the only foreseeable threat is a sufficiently large quantum computer, which would affect RSA but not AES-256.
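To make the AES-plus-RSA combination concrete, here is an added example (not Boxcryptor's code, and not a description of its file format) of such a hybrid scheme in Go using only the standard library. The specific choices, a fresh 256-bit key per file, AES-256-GCM for the content and RSA-OAEP with SHA-256 to wrap the file key, are assumptions made for this illustration, as is the constructed sample "file" in main.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is one encrypted file: the content under a random AES-256-GCM key,
// plus that key wrapped for a recipient with RSA-OAEP. Only the holder of the
// matching RSA private key can recover the file key and therefore the content.
type Envelope struct {
	WrappedKey []byte // file key encrypted with the recipient's RSA public key
	Nonce      []byte // 12-byte GCM nonce, unique per encryption
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// Encrypt seals plaintext for the owner of pub.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32) // 256-bit key, fresh for every file
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the file key with RSA-OAEP (SHA-256); only the private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt unwraps the file key with priv and opens the content. Any change to
// the ciphertext, nonce or wrapped key makes this fail rather than return garbage.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("open content: %w", err)
	}
	return plaintext, nil
}

func main() {
	// Constructed sample: one recipient key pair and a short "file".
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	file := []byte("customer list: alice@example.com, bob@example.com")
	env, err := Encrypt(&priv.PublicKey, file)
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(priv, env)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, file))

	// Flip one ciphertext byte: the authenticated cipher refuses to decrypt.
	env.Ciphertext[0] ^= 0x01
	_, err = Decrypt(priv, env)
	fmt.Println("tampered file rejected:", err != nil)
}
```

Sharing a file with several people means wrapping the same file key once per recipient public key; revoking access means re-encrypting under a new file key, since anyone who has unwrapped the old key once keeps it. The GCM tag is what turns "unreadable" into "unmodifiable": an attacker who cannot read the ciphertext can still not silently alter it.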
We are thankful for the support provided during this research by the attorneys Maria Lúcia Menezes and Charles Wowk from the law firm STÜSSI-NEVES ADVOGADOS
Learn more about encryption and data protection
In our article on Boxcryptor and the GDPR, you can learn more about the important role end-to-end encryption should play in your company's data protection strategy.