Data protection in the world: a brief overview

08/03/2022

EUROPE

The entry into force of EU Regulation 2016/679 (the GDPR) on data protection has allowed Europe to overcome many asymmetries created by differing national regulations.

The set of rules outlined in the new Regulation has provided Europe with the tools to facilitate the circulation of information by adapting to the evolution of technologies while remaining 'human-centric'. The Regulation aims to protect the rights and freedoms of individuals and provides them with the means to exercise active and proactive control over their data.

The essential points of the legislation are: 

  • The principle of accountability, whereby Data Controllers are responsible for their own choices regarding data protection and must at the same time be able to demonstrate their level of compliance;
  • The risk-based approach, whereby there is no "to-do list" for protecting data; instead, the Data Controller must carefully assess the risks to individuals and design a data protection system appropriate to those risks.

What is the approach to data protection in other countries?

CHINA

Recently, China approved the Personal Information Protection Law (PIPL), inspired by the European model in the following respects:

  • Territorial application: the law applies to personal data processing carried out outside China, provided that the purpose of the processing is:
    • to provide products or services to individuals in China,
    • to "analyse" or "evaluate" the behaviour of individuals in China, or
    • other purposes specified by laws and regulations.

However, the general scope is broader, because Chinese authorities enjoy broad discretion in identifying additional circumstances in which privacy rules are enforced.

  • Provision of legal bases, as in the GDPR.

Chinese law provides for narrower conditions of lawfulness than European law while reserving greater discretion to the data protection authority. Chinese law does not include the legal basis of legitimate interest in data processing.

  • For data transfers to foreign countries, Chinese law provides for restrictions, so much so that in some cases, transfers are permitted only with the authorization of the regulatory authorities.
  • There is a set of data subjects' rights very similar to those provided by the GDPR.

As for penalties, the fine can be up to 50 million Yuan or 5% of an organization's annual revenue for the previous financial year, in addition to potential civil and criminal liability for companies and penalties of up to 1 million Yuan for executives. Furthermore, China's law must be read in conjunction with two other laws: the Cybersecurity Law, effective since June 1, 2017, and the Data Security Law (DSL), effective September 1, 2021. China has adopted regulations relating not only to the protection of personal data but also to the protection of non-personal data. The regulations have two relevant purposes:

  1. the first relates to the cyber security of data
  2. the second is the protection of the digital sovereignty of the People's Republic of China!

This second aspect and the restrictions on data transfers to countries outside China suggest that the Chinese government aims to preserve its sovereignty from foreign interference.  

INDIA

India does not have a data protection law. The Information Technology Act of 2000 primarily governs cybercrime and the liability of Internet intermediaries such as social media platforms, and contains only some provisions about data protection. For these reasons, India's Data Protection Committee (DPC) chose to propose a bill inspired by the GDPR.

USA

The concept of "privacy" is a child of American culture, which already in 1890 theorized the so-called "right to be let alone". So, it seems controversial that today there is no federal law on privacy in the USA.

The US approach is therefore closely related to the protection of the private sphere of individuals, but this protection has not evolved into the recognition of a law that also gives individuals the right to 'control' the circulation of their data.

This regulatory 'absence' becomes relevant in the European context when a data Controller transfers data from Europe to the US. The point of collision is the FISA 702 regulation, which allows US authorities extensive access to data (even of European citizens) processed by providers of electronic communication services, for surveillance and counter-terrorism purposes. Europe considers this legislation excessively invasive, a gateway to potential large-scale monitoring of individuals and therefore in total contrast with the principles of the GDPR. For this reason, data transfers to entities subject to FISA 702 are no longer considered lawful by default and require careful assessments by European data controllers.

For this reason, data transfers to entities subject to FISA 702 are no longer considered lawful and require careful assessments by European data controllers.

In the healthcare field, the USA adopted in 1996 the Health Insurance Portability and Accountability Act (HIPAA). It is a federal law that defines the requirements for handling the health data of private individuals. HIPAA is now inadequate for current technologies (apps and wearable devices) because it covers interactions between doctor and patient but does not protect the health data patients record on those tools, potentially putting the information at risk. Senators have recently introduced the Health Data Use and Privacy Commission Act to modernize health data use and privacy policies. Just last September, the U.S. Federal Trade Commission declared that connected devices and health apps that use or collect consumer health information must notify users of data breaches, with potential penalties of up to $43,792 per day.

RUSSIA

In 2006, Russia adopted Federal Law No. 152-FZ, dedicated to the protection of personal data in the Russian Federation. It covers the processing, storage of, and access to personal data, defined as information that relates directly or indirectly to a specific natural person or that can be used to verify the identity of that person.

Law No. 152-FZ regulates almost all aspects of data protection:

  • it defines what personal data is,
  • what kind of data it is permissible to collect and process,
  • how and in which cases data may be collected and processed,
  • which technical and organizational measures must be applied by those who process personal data.

Unlike EU law, the Russian data protection law does not distinguish between data controllers and data processors, so any individual or organization that processes personal data is considered a "manager" of personal data and must comply with the rules designed to protect personal data.

Alongside the main law, a few more specific technical regulations clarify and supplement its provisions.

The federal law has been updated and now obliges those who collect personal data of Russian citizens to store such personal data exclusively in databases located in Russia. This makes the system more closed to the circulation of information. Moreover, unlawful access to computer facilities containing data that results in the destruction, blocking, modification, or copying of personal data is in certain cases punishable not only by a fine but also by up to seven years of imprisonment.

UK

Before Brexit, the UK adopted the Data Protection Act 2018, legislation implementing the European General Data Protection Regulation (GDPR) that is still in force. The legislation provides the same regulatory principles of personal data protection as apply in the EU territory.

After a period of uncertainty caused by the exit of the United Kingdom from the European Union, from 1 January 2021 the data flows between the EU and the UK were provisionally governed by the EU-UK Trade and Cooperation Agreement (TCA). In June 2021, the European Commission adopted the adequacy decision for data transfers to the UK: at this time, data transfers between the EU and the UK are legitimate.

However, in September 2021, the UK announced its intention to reform its data protection legislation. The reform proposals published by the British Government have the following objectives:

  • the simplification of the regime for the data processing carried out in the context of research, Artificial Intelligence, and other cutting-edge technologies
  • the enhanced use of data for health protection purposes, particularly in the emergency context of COVID-19
  • new trade agreements and partnerships on personal data in the fastest growing economic sectors
  • providing tools to help businesses innovate and grow by increasing the security level of personal data.

We'll wait for updates.