Since the entry into force of the European General Data Protection Regulation (GDPR) more than two years ago, the global data protection landscape has been changing. As a result, many international data protection laws have been newly adopted, modified or become effective.
In recent months, a lot has happened in the area of data protection. For example, several local laws have been introduced:
- In Brazil, the "Lei Geral de Proteção de Dados" (Data Protection Law; LGPD) came into force on 18 September 2020. The law brings with it many fundamentally new regulations, such as extended reporting obligations and a newly established independent data protection authority, and is clearly influenced by the GDPR.
- In California/USA, the California Privacy Rights Act (CPRA), an initiative that builds on the California Consumer Privacy Act (CCPA), was adopted by 56% of votes cast on the national election day on 3 November 2020. This will allow consumers to prevent companies from sharing personal information, to correct inaccurate personal information and to stop businesses from using sensitive personal information. The CPRA will enter into force two years from now, in early 2023.
- In the Dubai International Financial Centre (DIFC), a three-month grace period expired on 1 October 2020 after the new Data Protection Act came into force. Thus, the new law is now being applied. In particular, the aim is to obtain an "adequacy finding" from the EU, which would allow the free flow of data between the DIFC and Europe.
- Egypt adopted a new law which entered into force on 15 October 2020. The law provides for various new obligations, such as consent rules, storage limitations, accuracy and the duty to appoint a representative for foreign companies processing personal data in Egypt.
- On 2 November 2020 the Parliament of Singapore passed the updated Personal Data Protection Act (PDPA). Government and Parliament aimed to promote innovation by modifying the law. For example, companies can now process personal data without consent if "legitimate purposes" indicate that this is necessary. In return, the penalties for violating the law have been increased.
There are also other international developments which may be of importance for multinational companies:
- A Joint Parliamentary Committee is currently discussing a new Personal Data Protection Bill in India. The law is expected to be passed by the Indian parliament in early 2021 and would become the country’s first comprehensive data protection law.
- A new law on personal data protection is currently being discussed in Indonesia and is expected to be adopted in the Indonesian House of Representatives in late November 2020. The draft bill is clearly leaning towards mirroring the scope of the GDPR.
- A few weeks ago, the Standing Committee of the National People’s Congress of the People’s Republic of China published its new draft of the Personal Information Protection Law for public consultation. After the consultation period, the draft will be discussed in the National People's Congress and is expected to be adopted soon after.
- In almost exactly half a year, on 27 May 2021, the Thai Data Protection Act will come fully into force. The law was already passed in 2019. This made Thailand the fourth ASEAN country with a data protection law after Singapore, Malaysia and the Philippines.
These developments are only a selection of the trends in the area of data protection. If your company operates internationally, you are advised to monitor global activities and ensure local adaptation of your data protection compliance organisation. Should you have any questions regarding any of the above developments, please do not hesitate to contact us. PwC is happy to help you implement the various laws and regulations and can support you with its global privacy network.