Coming into force on May 25th, 2018, the General Data Protection Regulation (GDPR) was a landmark for data protection. Trading blocs, governments, and privacy organizations took note, and over the last three years, GDPR has inspired new data privacy legislation worldwide. In my view, there are two very commercial reasons why a country might adopt a version of the GDPR (aside from data protection for its citizens):
- Extra-territoriality: The GDPR applies to the processing of European residents’ data (technically, all residents of the EU plus residents of the other European countries that have adopted the GDPR), no matter where in the world the data processing takes place. If you want to sell to European residents, you need to be compliant with the GDPR, and what better way to be compliant than to adopt it.
- Data export: The GDPR export rule is simple: data on European residents can only be exported to places with similar data protection rules (technically, the European Commission (EC) determines if your rules are adequate). If you want the commercial benefits of processing European residents’ data then you need to adopt the GDPR or something like it.
(Countries with GDPR-like laws in blue - as of May 2021.)
Let’s take a trip around the world and see where things stand three years after the GDPR came into force. To keep things short, I’ll only discuss 16 countries that have enacted national GDPR-like legislation.
The Middle East & Africa
The picture in the Middle East is patchy, with some countries adopting data privacy laws and others not. Here are some of the countries with GDPR-like legislation.
The law includes a possible jail term of up to a year for unlawfully transferring personal data outside of Bahrain.
The regulations have some of the same ideas as the GDPR but contain features not in the GDPR (for example, rules on passwords and penetration testing). However, the EC has decided that Israel’s data protection rules are adequate for data export under the GDPR, meaning Israeli companies can process European residents’ data – a significant boost for Israeli data companies.
The first data protection law in the Middle East.
The Turkish law was based on the prior (pre-2018) version of the GDPR
Other Middle Eastern countries have no formal legislation or ‘just’ have constitutional rights to privacy (e.g. the United Arab Emirates).
In 2014, the African Union adopted the Convention on Cyber Security and Personal Data Protection which was modeled on the GDPR. The intention was for African countries to adopt the convention into their national laws but progress has been inconsistent. Here are five African countries that have adopted GDPR-like laws.
The Kenyan constitution has a right to privacy provision - article 31.
The Nigerian constitution contains a privacy section
The South African Protection of Personal Information (POPI) Act is similar to a number of other African data privacy laws in terms of its differences from the GDPR. The GDPR is extra-territorial, but POPI only applies to South African companies and when data is processed in South Africa. Similar to the GDPR, POPI defines categories of special personal information that require extra protection (e.g. religious beliefs, politics, health, sex, biometrics, etc.), but unlike the GDPR the consent rules for more general data are more relaxed.
Although only a handful of Asian nations have adopted GDPR-like laws, it’s notable that two of them have secured data adequacy agreements with the EC.
The EC considers the New Zealand Privacy Act adequate for export of European data
Personal Information Protection Act (PIPA) 2011
2011, revised in 2020
Pre-dates the GDPR, but as modified in 2020, is similar in many ways. Considered to be one of the strictest privacy rules in the world. Adequacy talks with the EC were concluded on March 30th, 2021 and it’s likely an agreement on data export adequacy will be reached.
Thailand’s Personal Data Protection Act is due to come into force on May 31, 2021 and contains similar provisions to the GDPR, including extra-territoriality.
In 2019, the European Union (EU) and the South American trading bloc MERCOSUR negotiated a blockbuster trade deal that included data processing export arrangements, but data export was conditional on MERCOSUR nations passing GDPR-like legislation. At the time of writing, three have.
Personal Data Protection Act No 25,326, constitutional protections
EC considers the legal regime in Argentina adequate for data export. Bills to update the existing law are in Congress.
General Data Protection Law LGPD
Very similar to the GDPR, including extra-territoriality provisions.
2008, but subsequently modified
EC considers the law adequate for data export.
The other MERCOSUR nation, Paraguay, has legislation in the works.
The only country that’s adopted anything like the GDPR is Canada. In the United States, there’s no federal-level statute like the GDPR, but states have adopted their own legislation, most notably the CCPA in California.
The EC has considered the PIPEDA as adequate for EU data export.
You’ll note that I haven’t discussed China, Russia, or the United States. In the United States, there are some privacy laws at the federal level (for example, HIPPA), and most states have some form of data protection or breach notification laws, giving a complex picture. Russia’s privacy laws contain terms requiring at least initial data processing to take place in Russia and have provisions to block offending websites. Similar to the Russian rules, the draft Chinese Personal Information Protection Law would require data processors to at least maintain copies of data in China and allows for countermeasures against nations under some conditions. These are complex topics and deserve a separate blog post.
Where to next?
The picture on GDPR adoption is patchy, but the trend is clear. Smaller countries are adopting it as a trading measure with the EU. My guess is that we’ll see more adoption of the GDPR motivated by money: if companies and countries want a slice of the EU data processing market or want to sell to European residents, they’ll have to follow the EC laws, which in this case means following the GDPR.