In the latest UK Data Protection Index report, it was revealed that the majority of privacy professionals do not feel confident advising their organisations on data protection laws in jurisdictions other than the UK and EU. When asked how confident they were that they could advise their organisation on data protection legislation being introduced globally, only 42% scored themselves 8 or more out of 10. Whilst this was up from the 40% recorded last quarter, it still leaves a large chunk of respondents (58%) feeling unconvinced about their abilities in this area. Given the increasingly global nature of data flows, this seems rather problematic, particularly given the UK’s new Transfer Risk Assessment and the EU’s Transfer Impact Assessment requirements. However, it is not surprising, seeing as the global data protection landscape is changing every day as more and more countries introduce, update and add to their data protection laws.
In this blog we talk about three examples of countries where new laws are coming into force in the near future, and how they compare with the GDPR requirements we’re familiar with within the EU.
Although Switzerland has a pretty cohesive data protection regime, it is in the process of updating its 1993 Swiss Federal Data Protection Act (DPA) with a view to bringing it in line with GDPR standards and ensuring that the legislation is up to date with current technological advancements. Alongside the revised DPA, the Swiss Penal Code, the Swiss Telecommunications Act and the Swiss Unfair Competition Act also contain provisions on data protection.
The revised DPA will come into effect from 1st September 2023, but the Swiss Federal Government may choose to release it sooner. It will most likely not have an implementation period, so it is crucial that DPOs whose organisations have operations in Switzerland are aware of these developments before it comes into force.
Revised DPA vs GDPR
All in all, the revised legislation is largely similar to the GDPR, introducing requirements around record keeping, breach reporting and conducting Data Protection Impact Assessments, as well as the rights to data portability and to review of solely automated decisions. It has also introduced new obligations, similar to those enshrined in Article 27 GDPR, for certain foreign controllers to appoint a Swiss representative, especially if the processing is extensive, regular, involves a considerable risk to the personality of the data subjects, is connected to offering goods and services in Switzerland, or involves monitoring the behaviour of data subjects in Switzerland.
However, the updated DPA does differ from the GDPR in some key ways. Most notably, fines for non-compliance with the DPA (of up to CHF 250,000, roughly €250,000 or £210,000) are imposed on the decision-maker who is responsible for the non-compliance, not the company, and only where the non-compliance was intentional. Whilst the fine size is minuscule compared to those under the GDPR, given that they will be levied on individuals rather than organisations, it is thought that they will act as a better deterrent.
The revised DPA also differs from the GDPR when it comes to the requirement, or lack thereof, to document a lawful basis; a less restrictive definition of consent; no requirement to appoint a Data Protection Officer; and less prescriptive requirements for controller-processor contracts. Overall, however, where the new DPA differs from the GDPR, it generally imposes less strict obligations on organisations, meaning that if an organisation is complying with the GDPR already, there should not be too many issues in moving into the Swiss market.
India’s current data protection laws are something of a patchwork of different laws that regulate various aspects of personal data. However, India’s new Personal Data Protection Bill 2021 (PDP) aims to create a more cohesive data protection regime. The new Bill will consolidate the current laws and seeks to be a comprehensive regulation of the collection, transfer, storage and use of personal data in India. The Bill covers topics such as consent, data breach notifications, transparency, individual rights, technical security and purpose-based processing. The PDP will give individuals more say over how their data is being processed, allowing them to correct, remove and access their data. The new PDP will likely afford people in India similar rights to those in the UK and EU.
PDP vs GDPR
Although the new PDP takes some inspiration from the GDPR, there are some key differences that need to be considered if processing personal data of people in India. The personal data types considered special category are much broader than those in the GDPR, encompassing things relevant to India’s societal norms like caste and tribe, and the Bill also spells out more clearly some categories already covered in the GDPR’s Article 9, such as those relating to sex life, where intersex status and whether the data subject is transgender are explicitly mentioned. In addition, in the PDP anyone under 18 is considered a child, whereas the GDPR sets the threshold at 16 as standard but with room for member states to diverge; a key point that organisations targeting older children will need to be aware of.
In terms of lawful bases, an important difference is that the PDP requires consent in most instances, providing only for a limited number of exemptions. Finally, organisations must also be mindful of the differences in terminology between the two laws, with the PDP introducing novel terms such as data fiduciary (data controller) and data principal (data subject).
With India set to become a key data-trading partner with the UK, understanding and abiding by the new Indian PDP will be vital for many organisations when it eventually comes into force, although a date has yet to be finalised.
Please note, this article was correct as of 11th July 2022. However, on 3rd August 2022 it was announced that the Personal Data Protection Bill of India has been withdrawn for now. A new one will be released for public consultation at a later date. We’ll update this article when we find out more information.
The US is one of the biggest markets for trade in the world. However, transferring data to the US has remained one of the most controversial areas of data protection law since the EU GDPR entered into force. In addition to the well-known issues around government surveillance, data protection law in the US is further complicated by its sheer diversity between states and a lack of data protection law at a federal level. Whilst some states have legislation that would seemingly rival the GDPR, others have very little to nothing in place. Industries also have sector-specific laws, like the Health Insurance Portability and Accountability Act (HIPAA), to contend with.
Now, whilst nothing concrete is yet in place, there are two main developments currently in the works that DPOs will need to be aware of. The first is the newly proposed EU-US Trans-Atlantic Data Privacy Framework, which intends to address the concerns raised in Schrems I and Schrems II – how? We have yet to find out. The second is the possibility of a new bipartisan federal data protection law, which, if implemented, could truly transform the US’s data protection landscape to create something more coherent, if not completely uniform. What this data protection legislation will look like is yet to be publicised, but it is likely to promote consumer awareness, data subject rights, transparency, data security and specialised rights for minors.
It is now a waiting game to see how these proposals play out, but DPOs should follow these developments carefully, especially given that this is likely to pave the way to a “Schrems III” challenge.
The above example jurisdictions clearly demonstrate the highly changeable period that data protection legislation is currently undergoing globally, making the job of the DPO (Data Protection Officer) extremely challenging in organisations that operate in more than one country. The DPO Centre’s DPOs have expertise across a range of different industries and jurisdictions. For support with cross-border data transfers and multi-jurisdiction processing, find out how we can help by filling in the form below.
NB: The UK Data Protection Index report is brought to you by The DPO Centre and Data Protection World Forum, based on a quarterly survey of over 500 UK privacy professionals. If you are a data privacy professional and want to be involved in the Data Protection Index, you can sign up here. You can find the latest set of results here.