Data Protection: A Global Challenge

The global data protection landscape is growing increasingly complex. With the proliferation of privacy laws across jurisdictions, organisations face a daunting challenge in ensuring compliance.

From the foundational GDPR, the evolving US state-level regulations, to new regulations in emerging markets, businesses with cross-border presence must navigate a maze of requirements to protect consumer data. This complexity, coupled with the rapid pace of regulatory change, requires proactive and strategic approaches to data management and protection.

GDPR: The Catalyst for Global Data Privacy

At the forefront of this global push for data privacy stands the General Data Protection Regulation (GDPR), landmark legislation that has reshaped data governance both within the EU and beyond. It has become a de facto standard for data management, influencing the creation of similar laws in countries like India and China and in regions such as Southeast Asia and the US.

However, the GDPR is evolving to tackle new challenges and incorporate lessons from past data breaches. Amendments adopted in 2024 focus on improving enforcement efficiency: they aim to enhance enforcement, especially in cross-border cases, expedite complaint handling, and strengthen breach penalties. The One-Stop-Shop mechanism will be strengthened for better handling of cross-border data processing, with clearer guidelines on the lead supervisory authority and faster information sharing. Deadlines for cross-border decisions will be shortened, and Data Protection Authorities (DPAs) must cooperate more closely. Rules for data transfers to third countries will be clarified, and DPAs will have stronger enforcement powers, including higher fines for non-compliance.

For organisations, these changes mean increased scrutiny and potential penalties due to faster investigations. Improved DPA cooperation can lead to more consistent enforcement across the EU, making it crucial to stay updated and adjust data protection practices. While aiming for more efficient GDPR enforcement, these changes may also increase compliance costs.

GDPR’s Global Impact: Shaping Data Privacy Laws Worldwide

Despite being drafted by the EU, the GDPR has global implications, influencing data privacy laws worldwide, including in Canada and the US.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) governs how the private sector handles personal data, emphasising data minimisation and imposing fines of up to USD 75,000 for non-compliance.

The US data protection landscape is a patchwork of state laws influenced by the GDPR and PIPEDA. The California Privacy Rights Act (CPRA) and other state laws like Virginia’s CDPA and Colorado’s CPA reflect GDPR principles, requiring transparency and limiting data use. Proposed federal legislation, such as the American Data Privacy and Protection Act (ADPPA), aims to establish a national standard similar to PIPEDA.

The GDPR’s impact extends beyond EU borders, significantly influencing data protection laws in non-EU European countries. Countries like Switzerland, Norway, and Iceland have closely aligned their regulations with the GDPR to maintain data flows with the EU. Switzerland, for instance, revised its Federal Data Protection Act to ensure compatibility with GDPR standards. The UK, post-Brexit, retained a modified version of the GDPR in its domestic law through the UK GDPR and the Data Protection Act 2018. Even countries like Serbia and North Macedonia, which aspire to EU membership, have modelled their data protection laws on GDPR principles.

Data Privacy: A Local Flavour in Emerging Markets

Emerging markets are recognising the critical need for robust data protection frameworks. These countries are not just following in the footsteps of established regulations but are creating laws that address their unique economic and cultural contexts while aligning with global standards.

Brazil has over 140 million internet users, the 4th largest online population in the world. Any data collection or processing within the country is governed by the Lei Geral de Proteção de Dados (LGPD), even when the data processor is located outside Brazil. The LGPD also requires organisations to appoint a Data Protection Officer (DPO) and establishes the National Data Protection Authority (ANPD) to oversee compliance and enforcement.

Saudi Arabia’s Personal Data Protection Law (PDPL) requires explicit consent for data collection and use, aligning with global norms. However, it is tailored to support Saudi Arabia’s digital transformation goals. The PDPL is overseen by the Saudi Data and Artificial Intelligence Authority (SDAIA), linking data protection with the country’s broader AI and digital innovation initiatives.

Closer Home: Changes in Asia Pacific Regulations

The Asia Pacific region is experiencing a surge in data privacy regulations as countries strive to protect consumer rights and align with global standards.

Japan. Japan’s Act on the Protection of Personal Information (APPI) is set for a major overhaul in 2025. Certified organisations will have more time to report data breaches, while personal data might be used for AI training without consent. Enhanced data rights are also being considered, giving individuals greater control over biometric and children’s data. The government is still contemplating the introduction of administrative fines and collective action rights, though businesses have expressed concerns about potential negative impacts.

South Korea. South Korea has strengthened its data protection laws with significant amendments to the Personal Information Protection Act (PIPA), aiming to provide stronger safeguards for individual personal data. Key changes include stricter consent requirements, mandatory breach notifications within 72 hours, expanded data subject rights, refined data processing guidelines, and robust safeguards for emerging technologies like AI and IoT. There are also increased penalties for non-compliance.

China. China’s Personal Information Protection Law (PIPL) imposes stringent data privacy controls, emphasising user consent, data minimisation, and restricted cross-border data transfers. Severe penalties underscore the nation’s determination to safeguard personal information.

Southeast Asia. Southeast Asian countries are actively enhancing their data privacy landscapes. Singapore’s PDPA mandates breach notifications and increased fines. Malaysia is overhauling its data protection law, while Thailand’s PDPA has also recently come into effect.

Spotlight: India’s DPDP Act

The Digital Personal Data Protection Act, 2023 (DPDP Act), officially notified about a year ago, is anticipated to come into effect soon. This principles-based legislation shares similarities with the GDPR and applies to personal data that identifies individuals, whether collected digitally or digitised later. It excludes data used for personal or domestic purposes, aggregated research data, and publicly available information. The Act adopts GDPR-like territorial rules but does not extend to entities outside India that monitor behaviour within the country.

Consent under the DPDP Act must be free, informed, and specific, and companies are required to provide a clear and itemised notice. Unlike the GDPR, the Act permits processing without consent for certain legitimate uses, such as legal obligations or emergencies. It also categorises data fiduciaries based on the volume and sensitivity of the data they handle, imposing additional obligations on significant data fiduciaries while offering exemptions for smaller entities. The Act simplifies cross-border data transfers compared to the GDPR, allowing transfers to all countries unless restricted by the Indian Government. It also provides broad exemptions to the State for data processing under specific conditions. Penalties for breaches are turnover-agnostic, with the severity of the breach and any mitigating actions taken into account. The full impact of the DPDP Act will be clearer once the rules are finalised and the Board becomes operational, but 97% of Indian organisations acknowledge that it will affect them.

The impact of the DPDP Act on organisations in India

Conclusion

Data breaches pose significant risks to organisations, requiring a strong data protection strategy that combines technology and best practices. Key technological safeguards include encryption, identity and access management (IAM), firewalls, data loss prevention (DLP) tools, tokenisation, and endpoint protection platforms (EPP). Alongside technology, organisations should adopt best practices such as inventorying and classifying data, minimising data collection, maintaining transparency with customers, providing choices, and developing comprehensive privacy policies. Training employees and designing privacy-focused processes are also essential. By integrating robust technology with informed human practices, organisations can strengthen their overall data protection strategy.
