International Data Protection: Processing Personal Data
The European Union has set a benchmark with the GDPR, and much of the rest of the world has followed. Businesses operating internationally must also comply with the data protection laws of the United Kingdom, California, Singapore, India, and Brazil. We provide an overview.
Table of Contents
- European Union: General Data Protection Regulation (GDPR)
- United Kingdom: Data Protection Act 2018 (DPA 2018)
- California: California Consumer Privacy Act (CCPA)
- Brazil: Lei Geral de Proteção de Dados (LGPD)
- Singapore: Singapore Personal Data Protection Act (PDPA)
- India: Personal Data Protection Bill (PDPB)
- State-of-the-art encryption
European Union: General Data Protection Regulation (GDPR)
The GDPR is a regulation of the European Union that has applied since May 25, 2018, after a two-year transition period. As a regulation it applies directly in every member state without having to be transposed into national law, but it leaves room for supplementary national rules; in Germany this led to the revised Federal Data Protection Act (BDSG-neu). The aim of the regulation is to strengthen data protection and the right to privacy of individuals in the EU and to harmonize data protection law across the member states. The focus lies on how companies and organizations must protect individuals' data. The term "personal data" only became widely known to the public because of the GDPR.
Important: The GDPR protects the personal data of individuals who are in the EU, regardless of their citizenship. The law therefore applies to organizations that process such data whether they are established in the EU or not, the so-called "extra-territorial effect" (Article 3).
United Kingdom: Data Protection Act 2018 (DPA 2018)
The Data Protection Act 2018 is the national data protection legislation of the United Kingdom. Since the UK's withdrawal from the EU (Brexit), individuals in England, Scotland, Wales, and Northern Ireland no longer fall within the scope of the EU GDPR. Nevertheless, the UK has retained the text of the GDPR in domestic law, with amendments, as the "UK GDPR", which sits alongside the DPA 2018 and remains very closely aligned with the European Regulation.
Important: Companies based outside the UK must appoint a UK representative if they offer goods or services to, or monitor the behaviour of, individuals in the UK.
California: California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is the first comprehensive consumer privacy law enacted by a U.S. state. When it became effective, California residents gained five new rights that give them more control over how their personal information is used. For example, they can request information about the data collected about them, receive a copy of that data, request its deletion, and opt out of the sale of their personal information. Also very important is the right not to be discriminated against for exercising these rights. This aspect is becoming increasingly relevant in light of automated data processing by algorithms.
Important: Businesses that meet the CCPA's thresholds, one of which was originally buying, selling or sharing the personal information of 50,000 or more California consumers, households or devices per year, must provide workflows and points of contact for California residents who wish to exercise these rights. The CPRA, which amended the CCPA, raised this threshold to 100,000 consumers or households.
By the way, other states in the U.S. are working on implementing data privacy laws modeled on the GDPR and the CCPA, including Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota, and Rhode Island.
Brazil: Lei Geral de Proteção de Dados (LGPD)
Brazil has likewise taken the GDPR as a guide and created its own, very similar law.
Just like the GDPR, the LGPD regulates the handling of personal data. Consent is required for data collection (with exceptions similar to those in the GDPR). Data subjects also have the right to access their data, request a correction, and move their data to another service (data portability). In addition, the LGPD requires that as little data as possible be collected (data minimization).
Important: Pursuant to Article 3, the LGPD applies to any form of personal data processed by a natural or legal person, regardless of the means, country of domicile or residence, or country where the data are located, to the extent that (1) the data processing operation is carried out in Brazil, (2) the purpose of the activity is to offer or supply goods or services or to process data of individuals in Brazil, or (3) personal data that are subject of processing were collected in Brazil.
Singapore: Singapore Personal Data Protection Act (PDPA)
The Singapore Personal Data Protection Act (PDPA) is likewise mainly concerned with the protection of personal data. In addition, it establishes the "Do Not Call" (DNC) Registry, in which individuals can register their Singapore telephone numbers. By making an entry, one opts out of unsolicited telemarketing messages and calls.
Important: The law applies to companies that collect, use or disclose personal data in Singapore, regardless of whether they themselves have a physical presence in Singapore or whether the company is registered in Singapore.
India: Personal Data Protection Bill (PDPB)
The passing of India's Personal Data Protection Bill was delayed by the COVID-19 pandemic, and as of this writing there is no date for the bill to come into force. However, the contents of the bill have largely been decided. The PDPB was criticized for turning India into a surveillance state. Although the protection of personal data is the official reason for the law, central points such as the right to be forgotten have not been fully addressed (or have been weakened by "softer" formulations and are only available if good cause is shown). Consent to data processing by the data subject is required in principle, but there are exceptions for medical emergencies, legal proceedings and criminal prosecution, as well as for services and benefits provided by the government to individuals (e.g., a driver's license).
These exceptions lead to various problems. For example, public health insurance would not be covered by the PDPB, but a private insurance company offering the same services would. Privacy advocates are also troubled by the fact that data fiduciaries have some leeway in determining whether a data breach must be reported to the supervisory authority.
Important: The PDPB distinguishes three types of stakeholders. The "Data Principal" is the person whose data is at stake (the "data subject" in GDPR terms). The "Data Fiduciary" is the organization that decides the purpose and means of processing and is accountable for the data (roughly the GDPR's "controller"; for example, corporations like Facebook or Google). "Data Processors" process the data on behalf of a fiduciary (roughly the GDPR's "processor"; for example, an insurance company's outsourced claims handler).
State-of-the-art encryption
What all of the presented laws have in common is that organizations that collect, store or process personal data must protect this information to a special degree. One of the strongest technical measures for this is end-to-end encryption, which ensures that only the holders of the corresponding keys can access the decrypted data. If unauthorized third parties obtain an encrypted file, they see only ciphertext that is indistinguishable from random bytes. Note that encryption protects the confidentiality of stored and transmitted data; it does not by itself discharge obligations such as obtaining consent or honouring access and deletion requests.
Our Boxcryptor encryption software uses a hybrid scheme combining AES-256, one of the most widely used and thoroughly analysed encryption standards, for the data itself with RSA for protecting the keys. Neither algorithm can be broken by brute force with the computing power available today, provided the keys are generated randomly and managed correctly.
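To make the hybrid AES/RSA pattern concrete, here is an added example in Go using only the standard library. It is illustrative code written for this article, not Boxcryptor's own implementation, and it assumes a simplified design: a fresh random AES-256 key per record, AES-256-GCM for the data, and RSA-OAEP (SHA-256) to wrap that key for the recipient. The sample record and the function names (`Encrypt`, `Decrypt`, `Demo`) are constructed for the example. It checks the three properties the paragraph above claims: the intended recipient can read the data, a party with a different key cannot, and any modification of the ciphertext is detected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored or transmitted: the per-record AES key wrapped
// with the recipient's RSA public key, the GCM nonce, and the AES-256-GCM
// ciphertext (which carries its 16-byte authentication tag).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-GCM AEAD from a raw key (32 bytes selects AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt implements the hybrid pattern: a random 256-bit key encrypts the data
// with AES-256-GCM, and RSA-OAEP wraps that key so only the holder of the
// matching private key can recover it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt reverses the process. It fails if the private key does not match the
// one the key was wrapped for, or if any byte of the ciphertext was altered.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: not the intended recipient")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext was modified")
	}
	return plaintext, nil
}

// Demo runs the three checks behind the "only authorized persons can read it"
// claim on a constructed sample record and reports each outcome.
func Demo() (recipientOK, strangerRejected, tamperDetected bool, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	record := []byte(`{"name":"Jane Doe","email":"jane@example.com"}`) // constructed sample

	env, err := Encrypt(&recipient.PublicKey, record)
	if err != nil {
		return
	}
	got, err := Decrypt(recipient, env)
	if err != nil {
		return
	}
	recipientOK = string(got) == string(record)

	_, strangerErr := Decrypt(stranger, env) // wrong private key: unwrap fails
	strangerRejected = strangerErr != nil

	tampered := *env // flip one bit of the ciphertext: GCM tag check fails
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tamperErr := Decrypt(recipient, &tampered)
	tamperDetected = tamperErr != nil
	return
}

func main() {
	ok, stranger, tamper, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient reads record: %v\nstranger rejected: %v\ntampering detected: %v\n", ok, stranger, tamper)
}
```

The AES key never leaves the sender's or recipient's machine in the clear, which is what makes the scheme end-to-end: whoever stores or relays the envelope holds only the wrapped key and the authenticated ciphertext. Using GCM rather than an unauthenticated mode matters in practice, because without the tag a third party could silently alter encrypted records even though they cannot read them.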
We are thankful for the support provided during this research by the attorneys Maria Lúcia Menezes and Charles Wowk from the law firm STÜSSI-NEVES ADVOGADOS.
Learn more about encryption and data protection
In our article on Boxcryptor and the GDPR, you can learn more about the important role end-to-end encryption should play in your company's data protection strategy.