Does the GDPR Satisfy All Other Privacy Laws?

While the European Union’s General Data Protection Regulation is one of the strictest data protection laws enacted in the world, it is not the only privacy or security-related law companies must follow. Tech companies in Silicon Valley that do business in Europe face the especially difficult task of satisfying potentially three masters: federal requirements on specific sectors, California’s own data privacy and security laws, and those in force in the European Union. Foreign countries have their own data protection laws, which may differ from the GDPR and from US federal and state laws in important respects.

Naturally, many tech companies now wonder if GDPR compliance will keep them compliant with all other privacy laws. Unfortunately, the answer is no.

Other countries and regions are creating their own data privacy laws. While they do adopt some GDPR privacy policy requirements, there are key differences. Here is a quick rundown of how the EU GDPR measures up to other privacy laws around the world.

The GDPR Versus Other Data Privacy Laws

The EU is not alone in enacting laws that protect consumer privacy. Here is a list of some of the privacy laws that govern commerce in other countries or regions:

  • Australia passed its Privacy Act in 1988. It governs how organizations obtain, use and share personal data in both the private and public sectors. The most recent updates to its privacy laws were made in 2012.

  • Canada has roughly 30 statutes at the territorial, provincial and federal levels that govern data protection and privacy. The two most well-known are the Privacy Act and the Personal Information Protection and Electronic Documents Act.

  • China’s privacy law came into effect in May 2018 and has much stricter regulations than the GDPR.

  • The Data Protection Act 2018 governs the UK and is actually a combination of the GDPR with its own supplemental requirements for areas where it determined the GDPR fell short.

Note that this is not a full list of the many data privacy laws that have been enacted all across the world since the Internet age began. Also, several countries are now scrambling to change their laws to follow the GDPR guidelines, which are being hailed as the gold standard. Examples include Japan and South Korea. Harmonization with the GDPR will make it much easier for companies to operate across international borders, but it may take some time to be realized. So far, the UK is one of the first regions to accomplish this, and China has allegedly put even stricter requirements in place. This is explained in greater detail below.

Provisions in Other Data Mandates Missing from the GDPR

To understand what data mandates are missing from the GDPR, it is best to look at the regions that felt it necessary to add to the GDPR rather than adopt it as is. For this purpose, consider how the UK and China made changes to the GDPR to suit their own needs.

Data Privacy in China

According to the Center for Strategic and International Studies, China’s privacy laws protect all personal data, as does the GDPR. Secondly, China’s privacy laws have specific testing requirements to ensure data privacy, while the GDPR is still grappling with certification schemes and issuing accreditations. Overall, the main difference between China’s data protection regime and the EU GDPR is that the EU focuses on consumer privacy and freedom, while China focuses on national security.

United Kingdom

The UK ICO concedes that the UK’s DPA 2018 actually has more provisions than the GDPR. First among them is that the DPA makes specific provisions for data processing, whereas the GDPR does not. Secondly, the UK incorporated the EU Data Protection Directive into domestic law, which may allow it to pursue criminal charges instead of, or in addition to, fines. Finally, like China, the UK approached its amendments from a national security point of view, instead of only looking at consumer protections and freedoms.

Future of Data Privacy in the United States

Currently, most laws and regulations within the United States focus on business and organizational functions. Because of this, laws and regulations tend to be industry- or activity-specific, such as the well-known Health Insurance Portability and Accountability Act. At the state level, however, California has become the first to pass a significant, broad-reaching privacy law of its own on U.S. soil.

As in China and the United Kingdom, California’s Consumer Privacy Act is reminiscent of the GDPR but has some key differences. For example, the Golden State does not seek to cover small businesses making less than $25 million in annual revenue. To date, the GDPR makes no such exceptions for U.S. companies doing business in the EU.

Many people believe that the United States will soon follow the European Union’s and the Golden State’s examples by putting its own federal privacy and security laws in place. It is also a fair prediction that any legislation enacted by the U.S. government will have to account for the domestic intelligence community’s need for a continued ability to protect national security and prosecute cybercrime, while protecting the interests of individual consumers.
