- Over 80 countries and territories have adopted their own privacy and security laws, with GDPR still considered the gold standard
- Countries are using GDPR as a jumping off point for their own data privacy laws
- Learn how China’s PIPL compares (and differs) from GDPR
Read more below.
Data Lawmakers Still Look to the EU as Privacy and Security Gold Standard, but China’s PIPL Is about to Make Waves
(See the full regulatory trends update here)
Over 80 countries and territories have now adopted their own data privacy and security laws, with more coming to the table every year. As those in the data privacy and security community review emerging laws, the first question asked about new legislation is usually, “How does it compare to the GDPR?”
Originally made effective in 2018, and updated this year by the European Commission, the European Union’s (EU) General Data Protection Regulation–or GDPR–remains the gold standard for countries creating new privacy and data standards.
Let’s take a quick look at how countries have used the GDPR as a jumping off point for their own data privacy laws in the last 18 months:
- Jamaica became the 15th Caribbean nation to enact privacy laws, aligning with the GDPR in most areas, including the requirement to have a data representative designated on Jamaican soil and requiring a 72-hour breach reporting window.
- India is currently voting on its own Personal Data Protection Bill (PDP), a revamp of its 2000 law that looks closely at the GDPR for updates and clarifications.
- Brazil’s 2020 legislation, the General Personal Data Protection Law (LGPD), shows similarities to the GDPR and unifies Brazil’s 40 pre-existing laws regulating the processing of personal data.
Elsewhere, EU near neighbors Switzerland and the United Kingdom are adding their own special sauce to the GDPR.
Switzerland’s Swiss Data Protection Act (revDPA) offers broader guidance, with more abstract terminology and definitions, which could make it harder to adhere to or enforce. Meanwhile, in the wake of Brexit, the United Kingdom has four years to make good on its stated intention to reduce barriers to innovation and data flow in it’s own updated version of a GDPR-compliant data policy.
While we don’t expect to see the GDPR’s influence on emerging privacy legislation lessen anytime soon, there is a new major player on the scene: China’s sweeping new Personal Information Protection Law (PIPL), which will take effect on November 1, 2021.
Asia’s Role in Defining Worldwide Privacy Standards Expands Under China’s New Laws
China isn’t the first Asian nation to enact major data legislation. Thailand’s Personal Data Protection Act (PDPA, May 2020) is largely based on the GDPR, but also provides for imprisonment for up to one year as a punishment for violations.
South Korea was an early actor in data privacy legislation, passing laws in 2011 and adding updates in 2020 that provided needed clarifications while also supporting the emerging data economy by describing broader allowable uses of ‘pseudonymised data.’
Singapore also updated its Personal Data Protection Act (PDPA) in 2020, including clarifications around consent and the transfer of data offshore, making the PDPA one of Southeast Asia’s strictest data protection acts.
And just this summer, Japan published guidance clarifying the 2020 amendments to its Protection of Personal Information (APPI) law, strengthening penalties and introducing mandatory reporting for qualifying breaches.
While not first, China is certainly the largest and most dominant Asian nation to pass sweeping data privacy and security legislation. Given that China makes up 18% of the world population, nearly one in every five human beings is now protected by China’s two new data laws, the Data Security Law (effective September 1, 2021) and the Personal Information Protection Law of the People’s Republic of China (PIPL), which takes effect November 1, 2021.
Compared to GDPR, PIPL Grants Chinese Government a Wider Latitude to Investigate and Sanction
Like the GDPR, the PIPL requires organizations to give individuals choices about how their information will be used and offers similar protections and restrictions on data collection and transfer. In many ways, however, the PIPL goes further than the GDPR.
Given China’s mobile-first economy, it’s no surprise that the PIPL pays particular attention to how applications and app developers collect and process data.
In addition, under PIPL:
- Added layers of consent are required for specified uses of data.
- “Legitimate interests” aren’t a justifiable basis for processing data.
- Transfer of data outside the country is subject to tighter national security oversight.
- Responsible individuals within a company can be personally fined the equivalent of $1,500 to $155,000 USD for violations.
Overall, China’s new laws carry more restrictions and penalties than the GDPR, and the government is given broader discretion in interpreting and enforcing the provisions.
China watchers speculate that the Chinese government may use PIPL to curtail the power of the technology sector, creating grounds with which to challenge overly aggressive data collectors and users.
Also, given that the Chinese government itself is known to be a fervent collector of information on its own citizens, it remains to be seen how much it will abide by its own guidance.
What does seem likely, however, is that just as the GDPR served as an early model for other nations, China’s sweeping new legislation may drive more restrictions in Asia and worldwide, leading to greater regulatory complexity.
China Poised to Enforce Faster than the EU, Where Budget Shortfalls Cause Bottlenecks and Inconsistencies
Recent reports have revealed that in spite of the EU’s leadership on regulatory guidance, when it comes to enforcement, declining budgets and inadequate staffing of Data Protection Commissions (DPCs) in EU member states are creating massive bottlenecks.
In Ireland, where favorable tax laws have attracted many US companies to establish their European headquarters, 98% of GDPR cases remain unresolved. Across the EU, DPCs act inconsistently, often without the necessary technical experts to handle their caseload.
While consumer privacy advocates call for the EU to take a hard look at its failures to enforce, China shows early signs of taking the opposite approach. Whereas GDPR offered a multi-year grace period between the passing and the enactment of the law, China’s PIPL goes into effect in November 2021, only three months after it passed, giving companies a very short runway for making any significant changes to data architecture or processing practices.
What’s more, China recently issued a list of 15 Chinese tech companies deemed to be managing data improperly, giving these companies only 15 days to take corrective action. Compare this to a host of closed EU investigations–56% according to reports–that did not call for any corrective action.
Whether China will be able to outperform the EU when it comes to staffing its enforcement body or acting with consistency to apply PIPL is yet to be seen; but if early indications prove true, we won’t have to wait long for answers.
We will take a deeper dive into EU and US data compliance enforcement trends in our next RadarFirst blog post later this month.