
The short guide on the state of data protection regulations around the world in 2020

 

With the emergence of new technologies, increasingly intelligent algorithms, and greater than ever cyber threats, data protection is becoming a key issue for governments all around the world. From the moment the EU’s General Data Protection Regulation (GDPR) was implemented, it was clear that other countries would follow suit. Data became the new oil and digitalization invited comfort into our lives but in exchange for sensitive information — access to our e-mails, credit cards, and surnames. With new data protection laws in place, companies and organizations are legally obliged to guard our private information with the utmost care. Regulations are meant to protect customers but put pressure on businesses to comply with the law and take extra precautions to ensure data security. How do different data protection regulations look in practice all around the world? Let us explore data protection policies in 10 different countries to discover how personal information is protected all around the world. 

Different global approaches to data protection 

1. Switzerland 

In September 2020, the Swiss Parliament passed the new Swiss Data Protection Act 2020 (DPA), which is expected to come into force in 2022. Similar to GDPR, DPA obliges companies to keep records of their data processing activities and report any data security breaches and data losses. The governmental body responsible for cases related to data security is the Federal Data Protection and Information Commissioner (FDPIC). Additionally, companies processing sensitive information are required to conduct data protection impact assessments (“DPIA”). Requirements set by DPA are similar to provisions under GDPR, but the Swiss approached the issue of data protection of legal entities differently than the EU, allowing for free data processing in the private sector. GDPR prohibits the processing of information unless there is a direct need to do so, for example, the performance of a contract. Moreover, Swiss companies are not legally obliged to appoint a data protection officer, although it is often recommended. 

2. Poland

Poland, as part of the EU, is subject to GDPR regulations and has its own Personal Data Protection Office, which is the main governmental body responsible for data protection. The office monitors data security levels in Poland and educates citizens on the importance of data privacy, targeting many of its campaigns towards school children. Data protection is actively enforced in Poland: The Main Geodesist of Poland (GGK) was fined around 22,000 euros for non-compliance with regulations related to the processing of personal data and for sharing personal data on the website GEOPORTAL2 without a legal basis. GGK shared records of land and buildings, which made it potentially possible to identify the parties involved, and that is fundamentally against GDPR’s provisions.

3. France

As an EU member state, France is subject to GDPR regulations. The French “Constitutional Council”, which is responsible for reviewing French regulations, decided that the processing of health data during the COVID-19 pandemic is necessary for combating the virus, so data processing does not violate any privacy rights. Consequently, a certain type of data can be processed without consent, as long as it is directly connected to fighting the pandemic. Such data processing is acceptable until the declared state of emergency is finished and has to end no later than 6 months from the moment the pandemic finished.

 

4. Germany

As yet another EU member, Germany follows GDPR regulations. In May 2020, the First Senate of the Federal Constitutional Court ruled that privacy laws also apply to surveillance of telecommunications conducted abroad by foreigners for the purposes of the Federal Intelligence Service. Concerns raised about data privacy include insufficient security levels of data transfers and the lack of independent control under objective law, and they apply to both collection and processing of the data. The proposed solution for increasing data protection was the construction of the relevant legal basis for international telecommunication intelligence.

 

5. Austria

Austria is an EU member state, which means it is subject to GDPR. Data protection laws are enforced in Austria, and it was established that serious first-time data protection violations cannot be excused and a mere warning is not enough to punish the crime. In the court case, the driver was fined for unlawful processing of personal data, as he kept video surveillance on his vehicle, recording people without their knowledge.

6. The USA

The USA has no single data protection legislation, but rather numerous laws enforced at both the federal and state levels. The Federal Trade Commission Act enforces privacy laws and protects customers’ interests when necessary, for example by fining organizations that fail to follow adequate data security and their published privacy policy. There is also The Children's Online Privacy Protection Act (COPPA), which regulates collecting information about minors, The Health Insurance Portability and Accounting Act, which governs the processing and collecting of health information, and The Gramm-Leach-Bliley Act, which organizes the way banks and financial institutions process collected personal data. Since 2020, the California Consumer Privacy Act (CCPA) and the New York SHIELD Act are fully enforceable, and they offer extended data privacy protection for California and New York residents.

 

7. The UK

As the UK left the European Union, it is likely to continue amending its data privacy policies. Currently, companies are asked to follow standards established by the General Data Protection Regulation (GDPR) and the UK’s own Data Protection Act 2018. Until stated otherwise, there are no changes in the way of sending personal data to the EU/EEA countries, but some UK data controllers and processors may be required to appoint EU-based representatives to continue their international operations. At the moment, data protection laws applicable in the UK and EU are aligned, so companies are not required to drastically change their data protection practices.

 

8. Singapore

Singapore introduced its Personal Data Protection Act (PDA) back in 2012 and amended it for the first time in 2020. The amendment obliges companies to publicly inform users of data breaches within three days and to seek customer consent upon every use of their personal data for new purposes. It also increases financial penalties for non-compliance up to either 10% of the annual turnover or 1 million dollars, whichever number is higher.

 

9. United Arab Emirates 

In 2020, the Dubai International Financial Center (DIFC) introduced a new Data Protection Law, which is aligned with the EU’s GDPR and California’s CCPA. The law came into force on 1st July 2020, but the active enforcement of the law started at the end of the year to give businesses time to adapt to new regulations. The new law requires greater accountability from businesses, mandates Data Protection Officers, and gives the data subject more rights, stating that “consent must now be freely given and unambiguous, and can be withdrawn by the data subject at any time”.

 

10. Russia

The main law regulating data protection in Russia is the federal law on personal data, passed back in 2006. The Russian Personal Data Law does not make any distinction between direct and indirect personal information, and it applies to both automated and non-automated data records. In 2020, authorities were working on new laws introducing greater penalties for disclosing sensitive information.

 

Data privacy matters more than ever 

 

The constant development of new technologies, alongside increasing data flow between countries, institutions, and jurisdictions, pushed governments all around the world to establish and amend their data protection regulations to better answer the challenges of the modern world. With the growing importance of data, the legal landscape of data collecting and processing is likely to undergo dynamic changes within the next few years, no matter where we are based and which governments we answer to.

 

 
