Similar to the GDPR data protection regulations. Pt. 2

Continuing our review of GDPR-like regulations around the world.
In the first part of the article, we learned that the European Commission recognises data protection in Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, the United States and Uruguay as adequate (on a par with the GDPR). Moreover, we scrutinised the regulations most similar to the GDPR that have been implemented in the countries approved by the European Commission.
Today it is the turn of the other two groups of regulations.
2. Adequate data protection but different from the GDPR
Argentina
Regulation: Personal Data Protection Act (PDPA)
Similarities:
Argentina's PDPA closely follows the GDPR by requiring explicit consent for the processing of personal data, ensuring that individuals are informed and have control over their data. The law also imposes strict conditions on cross-border data transfers, allowing such transfers only to countries with adequate levels of protection. In addition, the PDPA guarantees basic data subject rights such as access, rectification and deletion, reflecting the GDPR's focus on empowering individuals.
Differences:
The PDPA imposes lower penalties for non-compliance compared to the GDPR's hefty fines, which can reach up to €20 million or 4% of global turnover. Its scope is narrower, focusing primarily on domestic data processing without the extraterritorial reach of the GDPR. In addition, while the PDPA ensures data protection, it lacks some of the modern provisions of the GDPR, such as detailed requirements for accountability and data portability. Updates to bring it more in line with the GDPR are being considered.
Canada (Commercial Organizations)
Regulation: Personal Information Protection and Electronic Documents Act (PIPEDA)
Similarities:
PIPEDA aligns with the GDPR by ensuring data subject rights, such as the ability to access and correct personal information. It emphasises accountability, requiring organisations to implement privacy management programs and designate individuals responsible for compliance. Transparency is a key principle under PIPEDA, requiring clear privacy policies and notices to inform individuals about how their data is collected, used and shared.
Differences:
Unlike the GDPR, PIPEDA applies only to commercial organisations, excluding public sector bodies and not-for-profit organisations from its scope. It does not include certain GDPR rights, such as data portability or the right to be forgotten, limiting the control individuals have over their data. Penalties for non-compliance under PIPEDA are lower than the GDPR fines, focusing more on reputational consequences and corrective action rather than severe fines.
California (USA)
Regulation: California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
Similarities:
California's CCPA and CPRA protect consumer rights by giving individuals the ability to access, delete, and correct personal information, similar to the GDPR. Both laws mandate transparency, requiring organisations to inform individuals about how their data is collected, used, and shared. For sensitive personal data, organisations must obtain explicit consent or provide consumers with the ability to limit its use, ensuring an additional layer of protection.
Differences:
Unlike the GDPR, California's regulations focus heavily on the sale of personal data rather than broader processing activities, making its scope narrower in some respects. The protections are limited to California residents, whereas the GDPR applies to all EU residents and has an extraterritorial reach. In addition, CPRA introduces concepts such as 'data minimisation' and 'purpose limitation', but these are not enforced as comprehensively as in the GDPR. Penalties in California are generally lower, and enforcement mechanisms are less stringent than the overarching framework of the GDPR.
3. Not adequate data protection but similar to the GDPR
Brazil
Regulation: General Data Protection Law (Lei Geral de Proteção de Dados Pessoais - LGPD)
Similarities:
Brazil's LGPD mirrors the GDPR by establishing clear rules for obtaining consent, ensuring that individuals are informed and can control how their data is processed. It enforces accountability by requiring organisations to implement governance programmes and, where applicable, appoint a data protection officer (DPO). The LGPD also mandates transparency, requiring clear privacy policies and strong safeguards for sensitive data, such as health and biometric information, to protect individuals' privacy.
Differences:
The LGPD provides fewer enforcement mechanisms than the GDPR, with the data protection authority, the ANPD (National Data Protection Authority), having more limited investigative and punitive powers. Penalties under the LGPD are capped at 2% of a company's revenue in Brazil or R$50 million (~€8 million), which is lower than the maximum fines under the GDPR. In addition, the LGPD offers broader exemptions for small businesses and public entities, reducing the regulatory burden for certain organisations. Unlike the GDPR, its scope does not include explicit provisions for data portability or a comprehensive right to be forgotten.
The Republic of South Africa
Regulation: Protection of Personal Information Act (PoPIA)
Similarities:
South Africa's PoPIA shares core principles with the GDPR, emphasising the lawful processing of personal data and requiring organisations to have a valid legal basis for collecting and using data. It enforces accountability, requiring organisations to implement measures to ensure compliance and protect personal data. PoPIA also regulates cross-border data transfers, allowing them only if adequate safeguards are in place. In addition, it ensures the rights of data subjects, such as access to personal data and the ability to request corrections.
Differences:
Penalties under PoPIA are significantly lower than those under the GDPR, with fines capped at ZAR10 million (~€500,000). PoPIA also provides more exemptions for certain types of data processing, such as for journalistic, artistic or literary purposes, and for public bodies in the exercise of their functions. Unlike the GDPR, PoPIA lacks a comprehensive right to data portability and places less emphasis on strict breach notification requirements.
Australia
Regulation: Privacy Act 1988
Similarities:
Australia's Privacy Act 1988, with amendments, aligns with the GDPR by emphasising the importance of consent and requiring organisations to obtain permission before collecting or using personal information. Transparency is a core principle, requiring clear privacy notices to inform individuals about how their data will be used. The Act also enforces accountability, requiring organisations to protect personal data with appropriate security measures and to report significant data breaches to both affected individuals and the Australian Information Commissioner.
Differences:
The Privacy Act lacks GDPR-style rights such as data portability, the right to erasure (commonly referred to as the right to be forgotten), and detailed rules on automated decision making. Its scope is more limited, as it applies primarily to Australian organisations or businesses with an annual turnover of more than A$3 million (~€1.8 million), excluding many smaller businesses. Furthermore, while the GDPR applies extraterritorially to organisations processing the data of EU residents, the Privacy Act has no such provisions, limiting its reach outside Australia.
Singapore
Regulation: Personal Data Protection Act (PDPA)
Similarities:
Singapore's PDPA aligns with the GDPR by emphasising consent as the legal basis for the collection and processing of personal data, ensuring that individuals remain in control of their information. Transparency is another key principle, requiring organisations to provide clear information about how personal data is used and shared. The PDPA also enforces accountability, requiring organisations to appoint a data protection officer (DPO) and implement data protection policies to ensure compliance.
Differences:
Penalties under the PDPA are significantly lower than under the GDPR, with fines capped at SGD1 million (~€690,000) for most breaches. In addition, the PDPA's protections for sensitive data are narrower because, unlike the GDPR, it does not explicitly categorise or provide specific protections for sensitive data such as health or biometric information. The law focuses more on general data protection, rather than providing comprehensive rights such as data portability or the right to erasure.
Thailand
Regulation: Personal Data Protection Act (PDPA)
Similarities:
Thailand's PDPA is heavily influenced by the GDPR and shares key principles, such as requiring consent for the collection and processing of personal data. It enforces data subject rights, including the right to access, rectify and delete personal data, ensuring that individuals retain control over their data. The law also mandates breach notification, requiring organisations to promptly notify affected individuals and authorities in the event of significant data breaches, promoting accountability and transparency.
Differences:
Enforcement of Thailand's PDPA is still maturing, with delays in implementation and some provisions not yet fully operational. Penalties under the law are lower than under the GDPR, with maximum fines capped at THB5 million (~€130,000). Unlike the GDPR, the PDPA does not yet provide the same level of clarity or consistency in enforcement, and certain elements, such as rules on cross-border transfers, are still evolving. It also lacks provisions for more advanced rights, such as data portability and detailed protections for automated decision-making.
This comparison highlights the global impact of the GDPR, as well as the ongoing trend towards personal data protection. Knowing these differences and similarities is a must for businesses operating in different countries, as it will help them take all the necessary precautions before acquiring customers and establishing partnerships.