The data privacy regimes in Russia, China, and the United States are very different from the regimes elsewhere. The financial lure of selling to, or processing data on, EU residents is strong, which has led other countries to adopt the General Data Protection Regulation (GDPR) or something like it. Russia, China, and the United States are large enough for other forces to dominate, including the desire to have their citizens’ data stored locally, as we’ll see.
Russia has constitutional protections for data privacy and a data privacy act (DPA) going back to 2006 (152-FZ). The DPA was substantially modified in 2014 and became known as the Data Localization Law for reasons we’ll see.
The key feature of the Data Localization Law is the requirement that data on Russian citizens must be kept in Russia, which includes cookie tracking data. The law contains a provision enabling the country to block websites that don’t process Russian data in Russia, which, as you might expect, led to a boom in Russian data center usage. The initial punishment for breaching the law was just $160, but this was increased to $100,000 in 2019. At the time of writing, it seems the exact rules on compliance are vague.
Similar to the GDPR, Russian law defines categories of sensitive data which may not be collected or processed without the user’s consent. A big difference from the GDPR is the absence of any requirement to report data breaches.
The Cybersecurity Law of the People’s Republic of China came into effect on June 1st, 2017, and introduced mandatory reporting of data breaches to the state, but did not mandate informing affected individuals. There is a concept of more sensitive personal data, but it’s more nebulous than the precise definition provided in the GDPR, and the rules are vague. Similar to Russian law, Chinese law has rules on data export, in this case requiring that a copy of the data reside in China at all times and that data processors obtain the consent of individuals before their data is processed overseas.
The situation in China may change substantially with the passage of the Personal Information Protection Law which was published in draft form on October 21st, 2020. This proposed law cleans up and clarifies Chinese law. It has some key new provisions beyond the existing legislation:
- Extra-territoriality claims when overseas companies process Chinese citizens’ data outside of China.
- Individual consent is required for third-party data processing.
- Rules on automated decision-making.
- The provision for the Chinese regulator to take countermeasures against any country that adopts unreasonable policies against China with regard to processing personal data.
- Personal data must be stored in China.
- A requirement to inform individuals if their data has been breached.
At the time of writing, we have no information on when this draft might become law.
The United States is a special case when it comes to data privacy, and as befits a special case, the picture is complicated. The legal framework is a patchwork of federal and state rules, with the laws in the largest state, California, dominating.
The Federal View
At the time of writing, the US does not have a federal privacy law, though various efforts are underway to create one. The closest legislation is the Health Insurance Portability and Accountability Act of 1996 which applies to medical records.
The absence of federal laws makes it riskier for American companies to process EU residents’ data in the United States. The GDPR clearly lays out requirements for overseas data processing, and in 2016 the European Commission and the United States reached a blanket agreement on data export and processing (Privacy Shield). In 2020, the European Court of Justice (ECJ) found this EU-US agreement to be invalid, and currently data processing relies on legal contracts. A federal privacy law that was compatible with the GDPR would make processing of EU residents’ data easier and less prone to legal risk.
The State View
Most states have some form of privacy law that requires companies to notify state authorities of breaches, for example, the Breach Notification Law in Massachusetts, but the details of laws vary from state to state.
The most important state law is the California Consumer Privacy Act (CCPA), which introduced many, but not all, of the ideas of the GDPR into US state law. Here are some of the rights from the CCPA:
- On request, businesses must disclose what personal data they hold on California residents and what they do with it.
- Businesses must delete data if requested to do so, and may not sell personal data if requested.
- Parental consent must be obtained to collect the data of children under 13.
Notably, the law doesn’t apply to all for-profit businesses (again, a big difference from the GDPR). For the law to apply, a business must meet one or more of the following conditions:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of its annual revenue from selling California residents’ personal information.
In 2020, California voters passed Proposition 24 which led to the California Privacy Rights Act of 2020. This will come into force in 2023, adding more rights to the CCPA. The law defines ‘sensitive’ data in a similar way to the GDPR and creates a new regulator, taking the law in California closer to the GDPR, but there are still key differences.
The law in California only applies to California residents, but in reality, it’s too difficult for most firms to have different rules for processing data on residents of different states, so the most restrictive rules apply to everyone in the US. In other words, California sets the standard.
The data privacy situation in China, Russia, and the United States is complex and changing rapidly. All three countries have different internal forces at work which may pull their legislation in different directions. It’s a fair bet that individual states within the United States may pass more data privacy legislation regardless of what goes on at the federal level. Of course, the joker in the pack is the legal framework for processing EU residents’ data in the US which is up in the air at the moment.