Data Protection Duplicities and Comparison

A Snapshot of Data Protection Compliance Around the World

Along with the EU’s GDPR, many other jurisdictions have updated their privacy legislation. This effort has led to a patchwork of privacy and data protection laws that multinationals and companies operating worldwide have to comply with. In our experience, companies’ main concerns focus on the following topics, which are subject to different approaches in the main jurisdictions around the world.

1. Consent

An analysis of the different regulatory requirements to process personal data in various jurisdictions shows that there is an appreciable overlap in the legal bases that companies may rely on to process personal data. 

In particular, numerous jurisdictions consider ‘consent’ as a valid legal basis (or, even, the standard basis) to enable companies to process personal data. 

However, even in these jurisdictions, the concept of valid ‘consent’ is shallow: it does not require data subjects to give genuinely informed and free consent. In a way, this is what allows companies to rely on consent to cover a wide array of data processes in contexts where such ‘consent’ may not have been given genuinely freely (e.g., where employees give consent, or where users must give consent in order to receive a service).

Other jurisdictions, such as the EU, have adopted a more sophisticated approach towards ‘consent’. This approach is only workable alongside other legal bases (e.g., legitimate interests, contract performance) that allow companies to process data without the data subjects’ free and informed consent. Only the availability of such bases allows companies to process data fairly and on a proper legal basis, for example when processing candidate or employee data.

Companies should therefore take account of the different regulatory specificities in the different jurisdictions worldwide, and should adapt their processes and legal bases in order to ensure that each collection and processing of personal data is compliant in each jurisdiction. 

2. Data breach notifications

Obligations to report data breaches have been increasingly imposed by legislation around the world. 

In May 2018, the newly applicable GDPR imposed the obligation to report data breaches across the EU. Until then, data breach notification obligations existed in some Member States (e.g., the Netherlands, whose obligation also covered incidents not qualifying as data breaches).

Also in 2018, Alabama became the last State of the United States to establish a data breach notification obligation for companies operating or processing data in its territory.

When an incident involving personal data occurs, several questions may arise regarding whether the incident qualifies as a reportable data breach, and whether the obligation to report is triggered.  Companies should adapt their data breach notification policies and procedures in order to ensure that any incident is assessed properly, subject to the laws of those jurisdictions that may be applicable. 

Finally, even within one jurisdiction, companies should also be aware of sector-specific legislation that may warrant more developed disclosures in addition to general data breach reporting requirements. For example, in the EU, specific disclosure obligations exist for data breaches of telecommunication providers (e-Privacy Directive), security breaches and integrity losses of trust service providers (eIDAS Regulation), and incidents having a significant impact on the continuity of ‘essential services’ (NIS Directive).

3. Data transfers

Nowadays, business models increasingly rely on globalisation to grow, which implies cross-border data transfers. These transfers have made it possible for consumers around the world to access a wider range of goods and services, regardless of where they are located.

There are still some jurisdictions around the globe that have not established any restriction on cross-border transfers of personal data. However, a growing number of countries provide that data can only be exported if the country of destination affords an adequate level of protection to the data.

The EU has emerged as the jurisdiction of reference concerning the selection of countries that confer an adequate level of protection to personal data. Some countries, like Colombia, even refer to this selection in order to confirm that transfers to these jurisdictions satisfy an adequate level of protection.

Some countries refer to alternative means in order to validate data transfers, such as ‘consent’. As discussed above, however, this is not an appropriate means of legalising data transfers where a refusal of consent is not possible or cannot be honoured.

Other countries have imitated the EU’s approach of publishing standard contract clauses to transfer personal data (e.g., Argentina).  Furthermore, data processing agreements may be required for transfers to processors (e.g., Colombia). 

Companies are encouraged to map out their data transfers and to establish the best framework for the transfer of data among subsidiaries. 

4. Data subject rights

Today, most jurisdictions recognize basic rights, such as to obtain information, to correct data or to opt-out from/object to certain processes.

The right to erasure has been developed in recent years so as to apply to any type of process or database, including online. However, there are increasing questions regarding the actual substantive and geographic scope of that right, which will be resolved by the EU Courts in the coming years.

By contrast, certain other rights are less common. For example, the EU’s right to data portability is one that may be replicated around the world in the near future, although its actual implementation and application by companies still needs to be determined or explained by the authorities.

In formal terms, the GDPR requires companies to respond to data subject rights that are exercised within a given period, and to fulfil certain conditions. Similar rules exist in other countries, but the vast majority of jurisdictions do not set out specific time limits and procedures for complying with these rights. Companies will therefore have to ensure that they address data subject rights adequately and in a timely manner.
