GDPR, and the marketing implications of restrictive data privacy regulations, is often considered to be the sole preserve of the European Union.
This is somewhat of a misconception, however, with the EU-established legislation revolving around the protection of “data belonging to EU citizens and residents” - and not merely the protection of data that remains within the borders of the EU.
Indeed, Article 3 outlines in detail the territorial scope of GDPR, which includes two key instances where GDPR is in play outside of the EU:
- When offering goods and services to EU citizens and residents
- When monitoring the online behavior of EU citizens and residents
Beyond these exceptions, similar, often GDPR-inspired, legislation also exists in other parts of the world.
1. California (Yes, We Know, Not a Country)
Probably the most talked about GDPR-esque privacy law outside the EU is the California Consumer Privacy Act (CCPA).
Though California is clearly a state and not a country, the popularity of this state legislation has led to a number of other states planning the roll-out of similar policies in 2022.
Indeed, a total of 15 states have either confirmed that the drafting of a similar bill is planned for this year, or have a similar bill already in process.
Such states include Maryland, Florida, Washington, and Mississippi, while there are several others that - while not committing to delivery in 2022 - are exploring the potential of following suit.
2. Sweden (the First Data Privacy Law)
So, while of course Sweden is a member of the European Union and thus falls under the provision of GDPR, it is also worth looking back to the world’s first national data privacy law.
Yes, believe it or not, data privacy law in the digital age is itself now approaching its 50th birthday.
Along with the Germans, the Swedes played a key role in early data privacy lawmaking. This included the passing of the first national data privacy law, the Data Act, back in 1973.
Developed to “criminalize data theft and give data subjects freedom to access their records”, the creation of the Data Act was catalyzed by the digital processing of census data as early as 1969.
A combination of Sweden’s early adoption of computers in public office and a culture built upon transparency and openness paved the way for the legislation.
3. Canada and PIPEDA
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is often considered to be the closest data privacy law to GDPR.
In fact, the evolution of the Act was partially guided by the ambition to appease EU policymakers and ease the transfer of data between Canada and the EU.
While similar to GDPR, there are a few key differentiators, some of which are considered to be responsible for limiting PIPEDA’s international appeal.
These differences revolve around seven main areas:
- Applicability criteria
- Consent for data processing
- The right to be forgotten
- Data portability
- Data breach notifications
On that last point, the size of fines related to GDPR breaches has become almost legendary and acted as a key catalyst for the creation of GDPR-compliant software solutions and data processing consultancies.
There is a giant chasm between the fines that can be imposed through GDPR - up to €20 million or 4% of annual worldwide turnover - and PIPEDA fines, which are limited to CAD$100,000 (approx. €70,000).
PIPEDA is built upon its 10 Fair Information Principles:
- Identifying purposes for which personal data is being collected
- Individuals’ consent for the collection, use, or disclosure of personal information
- Limiting data collection to that necessary for the purpose identified by the organization
- Limiting use, disclosure, and retention
- Accuracy of personal information
- Safeguarding personal information against loss or theft, unauthorized access, etc.
- Openness about policies and practices relating to the management of personal data
- Individual access upon request
- Challenging compliance with PIPEDA’s principles
When we look to the Middle East & Africa as a whole, there are several different countries and regions that have established data privacy laws.
Israel’s Data Security Regulations are considered to be the most aligned with GDPR, despite containing several features - such as rules on passwords and penetration (or pen) testing - not present in the EU law.
Despite this, Israel’s data protection laws are considered adequate by the European Commission (EC) and thus enable the processing of EU resident data.
This puts the country alongside just 13 other “third countries” with an EC-confirmed level of data protection. Others include New Zealand, Canada (as aforementioned), South Korea, and the UK.
There have also been several updates made to these laws in recent years, with a new draft bill that seeks to bring the somewhat archaic Privacy Protection Law in line with the digital age published as recently as January 2022.
Aside from Israel, Middle East countries with some form of national privacy law include Bahrain, Qatar, and Turkey, with Turkey's law having been largely based on the pre-2018 version of GDPR.
5. Kenya (and The African Union)
The African Union (AU) adopted the GDPR-like Convention on Cyber Security and Personal Data Protection back in 2014, with the intention of compelling individual AU countries to adopt national privacy laws.
Despite this, the initiative has had rather stunted progress, with only five countries following suit by developing and adopting privacy laws of their own.
These include Kenya’s Data Protection Act, which came into effect in 2019 and has evolved and been enhanced in the time since.
At the time of passing, Joe Mucheru, Kenya’s Minister for Information, Technology, and Communication, stated that “Kenya has joined the global community in terms of data protection standards”.
Other African countries to have adopted some form of data privacy law include Nigeria, Mauritius, South Africa, and Uganda.
Other National Data Privacy Laws & What Lies Ahead
Besides these five examples, there are several other countries that have adopted GDPR-like data privacy laws.
As mentioned earlier in the article, a total of 14 third countries have standards deemed compatible, and in compliance, with GDPR.
On top of those previously mentioned, other countries to have similar data privacy laws include Japan, Brazil, Uruguay, Switzerland, Andorra, the Faroe Islands, Guernsey, Isle of Man, Jersey, and Argentina.
With the topic of digital data protection and privacy becoming an increasingly global and widely discussed issue, it is likely that more countries will be compelled to pass or enhance similar laws before too long.