Similar to the GDPR data protection regulations. Pt. 1

The GDPR inspired a lot of countries to strengthen their regulations and served as a benchmark.
The last few years have seen the emergence of many different pieces of data protection legislation. And the stone that created a massive ripple effect in this area was the GDPR - General Data Protection Regulation - the EU regulation, which became a benchmark for every member state and beyond the EU.
It's worth noting that the GDPR also applies in the European Economic Area (EEA), which includes Iceland, Liechtenstein and Norway in addition to the EU member states. They are fully implementing the GDPR as part of their EEA obligations, ensuring seamless data protection rules and the free flow of personal data within the EEA.
The European Commission recognises data protection in Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the UK, the USA (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as adequate (meaning that the GDPR does not require additional data protection safeguards when personal data is transferred to them).
The data protection regimes in adequacy jurisdictions can either be twins of the GDPR, or significantly different.
The Swiss counterpart to the GDPR is the Federal Act on Data Protection (FADP), the revised version of which is in line with the GDPR. However, they differ due to some interpretations and differences in the governance systems of Switzerland and the European Union. You can find a comparison in our article.
There are many other countries that have implemented regulations very similar to the GDPR, reflecting a global trend towards stronger data protection laws inspired by the GDPR, but each has unique elements tailored to their legal systems and cultural contexts. Key differences often include scope, definitions of personal data, enforcement mechanisms and specific obligations for organisations.
Today we will look at the first group of regulations, namely:
1. Adequate data protection and very similar to the GDPR
Switzerland
Regulation: Federal Act on Data Protection (FADP)
Similarities:
The Swiss FADP closely follows the principles of GDPR, requiring consent for data processing and safeguarding data subjects' rights such as access, rectification and deletion of personal data. Like the GDPR, it also imposes strict restrictions on cross-border data transfers, ensuring that personal data sent abroad is adequately protected. In addition, the FADP emphasises accountability*, requiring organisations to implement security measures and ensure compliance with data protection laws.
* Accountability under the GDPR means that organisations (data controllers) are responsible for complying with the GDPR’s principles for processing personal data and must be able to demonstrate their compliance. They take ownership of data protection by embedding privacy into their culture and operations.
Differences:
Unlike the GDPR, which has a broad extraterritorial scope covering data processing of EU residents worldwide, the FADP focuses primarily on data processing activities within Switzerland. This means that its reach is narrower for foreign companies. Furthermore, the penalties for non-compliance under the FADP are less severe (up to CHF250,000) compared to GDPR's hefty fines, which can reach €20 million or 4% of global turnover.
United Kingdom
Regulation: UK GDPR and Data Protection Act 2018
Similarities:
The UK GDPR is almost identical to the EU GDPR, incorporating the same core principles such as data subject rights (e.g. access, rectification and deletion), accountability and security measures. It enforces robust consent requirements, ensuring that data processing is lawful and transparent. Transparency obligations remain a cornerstone, requiring clear privacy notices to inform individuals how their data will be used and protected.
Differences:
Post-Brexit, the UK GDPR now operates as a separate framework under UK jurisdiction, although it was initially a direct copy of the EU GDPR. Future updates or policy decisions could lead to divergence, particularly as the UK government considers data protection reforms aimed at reducing the compliance burden on businesses. In addition, EU adequacy decisions are subject to periodic review, which could impact data flows if significant changes are made to the UK GDPR.
Japan
Regulation: Act on the Protection of Personal Information (APPI)
Similarities:
Japan's APPI shares many principles with the GDPR, particularly in areas such as data minimisation, which requires organisations to collect and process only the data necessary for a specific purpose. It requires breach notifications for significant data breaches, ensuring accountability and transparency in the handling of incidents. APPI also protects the rights of data subjects, such as access, correction and deletion of personal data, which aligns with GDPR's emphasis on empowering individuals.
Differences:
APPI defines sensitive data more narrowly than the GDPR, focusing primarily on specific categories such as health, criminal record, and social status, while the GDPR has a broader definition. Penalties under APPI are comparatively lower, with fines or reputational consequences serving as the primary enforcement mechanisms. Unlike GDPR, APPI lacks strict provisions for the appointment of data protection officers (DPOs), and has less stringent requirements for maintaining records of processing activities.
New Zealand
Regulation: Privacy Act 2020
Similarities:
New Zealand's Privacy Act 2020 aligns with the GDPR in its focus on accountability, requiring organisations to take responsibility for the secure and lawful management of personal data. It mandates breach notifications, ensuring that individuals and authorities are informed of significant data breaches. It also imposes restrictions on cross-border transfers, requiring organisations to ensure that personal data sent overseas is adequately protected. Transparency and privacy by design are core principles, encouraging organisations to embed privacy considerations into their operations and communications.
Differences:
The Privacy Act has a narrower scope than the GDPR, applying primarily to organisations based in or operating in New Zealand. It does not provide specific rights to data subjects, such as data portability or the right to be forgotten, which are integral parts of GDPR. In addition, penalties under the Privacy Act are much lower, capped at NZD10,000 (~€5,500), making enforcement less stringent compared to GDPR's stiff fines.
Israel
Regulation: Privacy Protection Law (PPL) & Privacy Protection Regulations (Data Security)
Similarities:
Israel's PPL and its regulations share the GDPR's commitment to securing personal data by requiring organisations to implement technical and organisational measures to protect it. The law emphasises the importance of obtaining informed consent for data processing, ensuring that individuals are aware of and consent to how their personal data will be used. Cross-border data transfers are strictly regulated, allowing transfers only to countries with adequate data protection measures or under specific legal safeguards. Accountability is a core principle, requiring organisations to document and demonstrate compliance with data protection laws.
Differences:
The PPL defines sensitive data more narrowly than the GDPR, focusing primarily on information such as health, genetic data and criminal records, while the GDPR includes a broader range of data categories, such as political opinions and biometric data. Unlike GDPR, the PPL does not require organisations to appoint data protection officers (DPOs), which reduces the regulatory burden but may limit oversight. In addition, the PPL's enforcement mechanisms and penalties are generally less severe than the GDPR's significant fines and strict compliance requirements.
Republic of Korea (South Korea)
Regulation: Personal Information Protection Act (PIPA)
Similarities:
The Republic of Korea's PIPA is one of the world's strongest data protection laws, aligned with GDPR principles such as obtaining explicit consent to process personal data, protecting sensitive data, and requiring breach notification. It also enforces strong cross-border data transfer rules, requiring recipients in other countries to provide protections comparable to PIPA. These measures underscore a commitment to robust data protection.
Differences:
PIPA imposes stricter localisation requirements for certain categories of data, such as financial data, which must remain in the country. In addition, while penalties for violations are significant, they differ in scope and severity from GDPR's global turnover-based fines, reflecting a more localised approach to enforcement.
The European Commission’s adequacy decisions ensure that a country’s data protection framework offers comparable protection to the GDPR. Data transfers to these countries do not require additional measures like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
In the next article we will look at the following groups of regulations: "Adequate data protection but different from the GDPR" and "Not adequate data protection but similar to the GDPR".