Data privacy protections are on the rise globally, and every new law and amendment will add to the challenge of maintaining data privacy compliance. Morrison & Foerster’s Cynthia Rich discusses recent changes and what to expect this year and beyond.
Looking back over the past 10 years, the increase in the number of data privacy laws around the world has been staggering. There are now 30 more data privacy laws around the world than there were five years ago, and 60 more than 10 years ago. Currently, 133 jurisdictions have enacted omnibus data privacy laws; 102 of those laws[1] are in jurisdictions outside the European Economic Area (EEA).[2]
The number of new and amended laws will continue to increase in 2021 and beyond. In the next couple of years alone, we may see as many as 12 or more new or updated laws enacted or introduced into national legislatures. While most of these laws share the same core data protection principles, they each have their own specific rules that differ from each other and make it challenging for companies to develop global or regional privacy compliance approaches.
If keeping up with these new data privacy laws is not challenging enough, the Schrems II decision issued last summer by the European Court of Justice has made data privacy compliance even more complicated. Organizations now face the daunting task of also assessing how existing surveillance laws and regulations may impact the adequacy of data protection provided in these 102 jurisdictions and then adopting on a case-by-case basis the appropriate contractual, technical or organizational supplementary measures to protect their data transfers to those jurisdictions.
Practically speaking, though, there is very little organizations can do to address foreign governments’ potential access to personal information transferred to their jurisdictions. This issue is more appropriately addressed by governments; however, until governments can work out a political solution, organizations will need to continuously monitor developments related to potential foreign government access to their transferred data and modify their supplementary measures as needed.
Furthermore, although few data privacy laws currently impose data localization requirements, concerns about foreign surveillance are pushing some multinational organizations to consider localizing more of their processing activities. At the same time, the global pandemic has created countervailing pressure against increased data localization. To contain the spread of the coronavirus, it has become evident that more rather than less global cooperation and information sharing is needed. Forcing the creation of regional or national data silos will only impede organizations’ ability to deploy and share information obtained from valuable health tools, such as contact tracing apps, research on new virus strains or the development of new COVID-19 vaccines.
Data localization raises similar concerns with respect to ongoing efforts to combat cybercrime. Massive cyberattacks, such as those that occurred recently in the United States, will continue to increase. They pose enormous threats to the economic and political well-being of everyone around the world. The best way to protect against future attacks is more rather than less global cooperation and information sharing. Moreover, data localization requirements can increase security risk by forcing companies to use local data centers run by providers that lack the necessary capacity and expertise. Data centers that are not held to the same high level of security create vulnerabilities and may become appealing targets for attackers.
Lastly, another significant issue that companies and governments will continue to grapple with is the conflict between end-to-end encryption as a means of protecting the privacy of individuals’ communications and the demand by law enforcement for access to those communications in order to carry out counterterrorism and criminal investigations.
The extent to which concerns about foreign governments’ potential access to personal information will drive governments’ privacy enforcement activities and efforts to impose data localization requirements, or whether governments will instead seek to strike a balance between the needs of society in times of crisis and individuals’ rights to privacy, remains unclear. Organizations should therefore keep a close watch on the direction of those prevailing winds in the coming months before making significant changes to their information systems and compliance programs. In addition, companies will want to track the key jurisdictions that are already in the process of enacting new laws or amending existing laws in the next couple of years, because, if enacted, these new laws may require important changes to existing global or regional privacy compliance programs.
The following provides an overview of the current worldwide privacy landscape and identifies some of the jurisdictions where we expect to see new laws enacted soon.
The Current International Privacy Landscape
One hundred and two jurisdictions outside the EEA[3] have now enacted omnibus data privacy laws, bringing the total number of jurisdictions around the world with data privacy laws to 133.[4] One-third of the laws (34) are in the Africa and the Near East region, while the rest of the laws are distributed relatively equally among the Americas (25), Europe/Eurasia (24) and Asia‑Pacific (19). Of all four regions, the Africa and Near East region has seen the most explosive growth of data privacy laws in the past five to 10 years, with more than two-thirds of the 34 laws enacted in the past 10 years, and more than half of those laws enacted in the past five years.
Europe/Eurasia Region – Ten of the 24 jurisdictions in this region have recently amended their laws to align with the European Union’s GDPR. The laws in the other jurisdictions were enacted years ago, and they are based, to varying degrees, on the European Data Protection Directive, the precursor to the GDPR. As a result, these laws contain the basic elements found under the GDPR, but they also have unique elements not found in other laws in the region or within the EU. Only six jurisdictions in this region are recognized by the EU as providing adequate protection: Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey and Switzerland.
Americas – The laws in Barbados, Bermuda, Brazil, Cayman Islands, Jamaica and Panama are the most recent additions. The laws in Canada, Costa Rica, Peru and Uruguay were amended within the last five years. Two countries in this region, Argentina and Uruguay, are recognized by the EU as providing adequate protection.
Asia-Pacific – The newest laws enacted in this region are those of Thailand and Uzbekistan. The laws in Japan, Kazakhstan, Korea, New Zealand and Singapore were amended recently, and Korea is in the process of amending its law yet again in order to secure an EU adequacy decision. At present, New Zealand and Japan are the only countries in the region that the EU has found adequate. In addition to South Korea, Taiwan is currently seeking an EU adequacy decision.
Africa and the Near East – The newest laws enacted are in the Republic of the Congo, Egypt, Kenya, Nigeria, Togo and Uganda. In addition, the laws in Benin, Mauritius and the UAE (DIFC and ADGM) were amended within the past three years. Israel is the only country in the region to be found adequate by the EU.
Scope. In contrast to the laws in the EEA, all of which have extraterritorial application, three‑quarters of the laws in the rest of the world apply only to processing that takes place within their respective jurisdictions. Not surprisingly, given Europe/Eurasia’s geographical proximity and historical and cultural ties to the EEA, a higher proportion of the laws in this region have extraterritorial provisions (15 out of 24 laws), compared to the Americas (six out of 25 laws) and Asia-Pacific (five out of 19 laws).
Notable jurisdictions with extraterritorial provisions include: Australia, Japan, New Zealand, Philippines and Thailand in Asia-Pacific; Brazil, Jamaica and Uruguay in the Americas; and Benin, Qatar and Uganda in Africa and the Near East.
Legal Bases. Every privacy law requires organizations to have a legal basis on which to process personal information. Legal bases under the GDPR include the following: the individual has consented to the processing (consent); the processing is necessary to fulfill a contract (contractual necessity); the processing is necessary to pursue a legitimate interest of the controller (legitimate interests); the processing is necessary to protect the vital interests of the individual (vital interests); the processing is necessary to comply with a legal requirement (legal requirement); or the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (public interest).
However, outside the EEA, the legal bases vary widely from one law to another. One of the most notable differences between the EEA laws and the laws in the other regions of the world is the absence of legitimate interests as a legal basis in half of the laws outside of the EEA. This absence is most common in Asia-Pacific and the Americas, where three-quarters and two-thirds of the laws respectively do not provide for this legal basis. A significant number of the laws in these regions also do not provide for contractual necessity as a legal basis. In contrast, half of the laws in Africa and the Near East do not permit processing on the basis of legitimate interests, but most do permit processing based on contractual necessity. In Europe/Eurasia, only one-quarter of the laws do not permit processing on the basis of legitimate interests, but almost all do permit processing based on contractual necessity.
Consequently, because of the absence of legitimate interests and/or contractual necessity as legal bases for processing, consent is typically the primary basis used for processing outside of the EEA. This is particularly true in the Americas and Asia.
Data Localization. Despite concerns that data localization requirements are growing, such requirements are currently limited to a handful of jurisdictions. Among the omnibus laws surveyed here, Belarus, China, Kazakhstan and Russia are the only countries that impose data localization requirements. Under Russia’s data privacy law, personal information of Russian citizens must be stored in Russia. Companies that sell goods and services in Belarus using information networks, systems and resources connected to the internet must use information networks, systems and resources located (hosted) in Belarus. Kazakhstan’s privacy law requires companies to store their data locally, and China’s Cybersecurity Law requires operators of critical information infrastructure to store within China both personal information and “important data” collected and produced in the course of their business operations.
Registration. Despite the trend in the EEA to eliminate registration requirements, more than half of the jurisdictions outside the EEA (61) require registration of processing activities. Registration requirements are most common in Africa and the Near East, where most of the laws in the region (31) require organizations to register processing activities with a data protection authority (DPA). Surprisingly, in Europe/Eurasia, two-thirds of the laws (16) still require organizations to register their processing activities. This includes three jurisdictions that have enacted GDPR-like laws: Guernsey, Isle of Man and Jersey. In the Americas, slightly more than one-third of the laws (9) require organizations to register processing activities with the DPA. In addition, Barbados, Brazil and Panama require organizations to maintain internal records of their processing activities, which must be made available to the DPA upon request. In Asia-Pacific, only one-quarter of the jurisdictions impose registration requirements.
Cross-Border Transfers. Similar to the EEA laws, most of the laws outside of the EEA (86) restrict cross-border transfers to jurisdictions that provide adequate protection or where the transferring organizations provide adequate protection through other means. Where a jurisdiction does not provide adequate protection, organizations must rely on either appropriate safeguards, such as contractual clauses or binding corporate rules (BCRs), or a legal basis, such as contractual necessity or consent, to transfer personal data outside the jurisdiction. In Europe, 23 out of 24 laws in the region (96 percent) impose such restrictions, compared to 31 out of 34 laws in Africa and the Near East (91 percent), 15 out of 19 laws in the Asia‑Pacific (79 percent) and 17 out of 25 laws in the Americas (68 percent).
Adequacy. Almost all of the laws in Europe/Eurasia and Africa and the Near East that have cross-border restrictions permit transfers to jurisdictions that provide adequate protection. In Asia and the Americas, three-quarters and two-thirds of the laws respectively permit such transfers. However, more than half (49) of all of these jurisdictions have not yet issued their list of adequate countries.
Appropriate Safeguards. Similarly, in Europe/Eurasia and Africa and the Near East, most of the laws permit the use of contractual safeguards; in Asia-Pacific and the Americas, slightly more than half of the laws provide for the use of contractual clauses.
Legal Bases. Most of the laws provide legal bases for cross-border transfers such as consent, contractual necessity, vital interests and/or legal claims; however, the available legal bases can vary widely from one jurisdiction to another.
Individual Rights. Virtually all laws outside of the EEA provide individuals with access and correction rights. Three-quarters (73) also provide for erasure rights, but only one-quarter (26) provide for data portability rights. The timeframe for responding to individual rights requests varies widely: 42 laws require responses within 30 days or more; 22 within 21 days; 13 in less than 10 days; and 23 do not specify a time period.
Data Protection Officer (DPO). One-third of the laws (37) require the appointment of a DPO.
Breach Notification. Half of the laws outside of the EEA (49) require notification in the event of a data breach. These laws are relatively evenly spread across the four regions. Twenty‑two of the 49 laws require notification within 72 hours. The timeframes required in the other laws range from five to 15 days, or no time frame is specified.
Security. More than three-quarters of the laws outside of the EEA have either specific or detailed security provisions. Some, such as the laws in Benin, Côte d’Ivoire and Nigeria, require the annual submission of security compliance or audit reports to the DPA.
Data Protection Impact Assessments (DPIAs). DPIAs are not typically required in the Americas, Africa/Near East and Asia-Pacific except in some of the jurisdictions that recently enacted new laws or amended their laws. Jurisdictions that require DPIAs include Brazil, Jamaica, Uruguay, Korea, Philippines, Singapore, Israel, Kenya and South Africa.
New or Amended Laws Expected in 2021 and Beyond
In the Americas, Argentina, Canada and Chile are the most likely to amend their existing laws in the near future; however, it is not yet possible to predict whether these amendments will be enacted in one or more of these jurisdictions this year or next.
Ecuador and Suriname, which have no data privacy laws, have introduced draft legislation into their legislatures, but currently there is no clear timetable for their enactment.
In Asia, China and India have comprehensive bills under consideration. These bills could both be enacted in 2021 or shortly thereafter. If enacted, they would have the greatest impact on business compliance programs. Indonesia has legislation pending in the legislature, and enactment in 2021 is likely.
Australia is also working on amendments to its existing law, but we are not likely to see action on those amendments in 2021.
Hong Kong and Malaysia have plans to amend their laws, but we are unlikely to see changes this year.
The Sri Lankan government is working on a draft text but has not yet submitted it to the legislature for approval.
In Vietnam, the Ministry of Public Security (MPS) is tasked with developing a decree on personal data protection and is presenting its draft in the first quarter of 2021.
In Europe/Eurasia, Montenegro appears to be the furthest along in developing a new law.
In Africa and the Near East, Israel is working to update its 40-year-old law, Protection of Privacy Law, 5741-1981. The Israeli Ministry of Justice held a consultation in December 2020 to solicit input from the public on the ways in which the law should be amended. In addition, efforts to improve and update the DPA’s supervisory and enforcement capabilities have been underway since 2018.
In the next couple of years, we expect to see more new laws enacted, possibly in Jordan, Namibia, Nigeria, Saudi Arabia and Zimbabwe.
[1] This includes three jurisdictions (China, India, and Indonesia) that have de facto national privacy laws and one jurisdiction (the United Arab Emirates) that has omnibus privacy laws applicable to their two free trade zones.
[2] With the departure of the United Kingdom from the European Union (EU) in January 2020, there are now 30 Member States of the EEA: the current 27 EU Member States (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Italy, Ireland, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Spain, Slovakia, Slovenia, and Sweden), Iceland, Liechtenstein, and Norway. The EU General Data Protection Regulation (GDPR) applies in all EEA countries. Effective January 1, 2021, the UK has agreed to maintain its current GDPR data protection rules for up to six months (until June 30, 2021) under the terms of the Trade and Cooperation Agreement reached between the EU and the UK. Therefore, we are still grouping the UK together with the EEA Member States in this article for the purpose of distinguishing between jurisdictions covered by the GDPR and those that are not.
[3] See note [2].
[4] This includes two jurisdictions (China and Indonesia) that have de facto national privacy laws and one jurisdiction (the United Arab Emirates) that has omnibus privacy laws applicable to their two free trade zones.