The world has seen a swathe of new data privacy and cybersecurity legislation and enforcement actions in recent times. Many ask whether their global privacy programs should comply with the GDPR framework. In this session of our Deciphering Data Webinar Series, we address this question and also highlight the crucial elements to look out for in the key laws and regulations across regions, including the GDPR and the CCPA, based on our global team’s wide experience working with our international clients.
We share key takeaways from the Journey Around the World: Data Privacy Global Update webinar that we believe you will find useful. Note that the webinar was held in two time zones but the content and discussions in both sessions are aligned. View the recordings.
Key takeaways: So now what?
- The regulators are unregulated when it comes to data privacy law. There is no overarching treaty or limits on what countries can do in the name of data privacy regulation. While there are organizations like the World Trade Organization which regulate trade issues, the challenge is that many of those regulations give broad exceptions for regulation of personal data.
- The European General Data Protection Regulation (GDPR) has sparked a global privacy trend. GDPR entered into force in 2018. In the years since, we have seen a wave of privacy bills in the US and Latin America. Meanwhile, Asia Pacific jurisdictions including China, Japan, and Australia have undertaken a review of existing privacy laws.
- Many enforcement actions arise following data breach notifications. GDPR and similar regulations impose requirements on organizations to notify the data protection authority of a data breach incident. In many cases, the resulting investigation uncovers failures on the part of the organization to comply with data protection obligations, resulting in an enforcement action by the data protection authority.
- The Court of Justice of the European Union decision in Schrems II has brought data transfer issues into the spotlight. The ruling invalidated the EC’s decision approving the EU-US Privacy Shield Arrangement (Privacy Shield) as providing adequate protection for cross-border data transfers to the US. Following the landmark decision, data processors and controllers are required to ensure that the jurisdiction receiving the data has data protection standards equivalent to those mandated by GDPR.
- The European Commission recently issued revised Standard Contractual Clauses (SCCs) for data transfers to third countries. The SCCs are a mechanism companies can use to address restrictions on cross-border transfer of personal data under GDPR.
- Post-Brexit, data transfers between the EU and the UK must meet additional requirements. Fortunately, the EU and UK agreed to an interim agreement, which was followed by an adequacy decision by the European Commission that will be valid for a period of four years. However, any additional changes by the UK to its GDPR may impact the validity of this adequacy decision.
- Latin America has mirrored the EU's GDPR through a practical approach to data privacy issues. Even where legislation on data privacy may not yet be in place, regulatory authorities are using decisions made under GDPR as standards to guide their actions. At the same time, a wave of data privacy legislation has swept the region with recent developments including Brazil's LGPD which entered into force on 18 September 2020.