eDiscovery Daily Blog

Data Privacy Compliance Isn’t Just for Europe or California Anymore: Data Privacy Trends

We have covered Europe’s General Data Protection Regulation (GDPR) over several posts the past couple of years and even conducted a webcast on the topic last year.  And, we have covered the California Consumer Privacy Act (CCPA) several times as well, including as recently as last week.  But, what about the rest of the wide, wide world?  Do countries in other parts of the world have data privacy policies as well?  Yes.  Do they mimic GDPR policies?  Not necessarily.

As reported in Legaltech News (Data Protection Laws Take Center Stage For Global GC, written by Caroline Spiezio), lawyers are saying that ignoring data privacy changes outside of Europe, or assuming GDPR policies will comply anywhere, may lead to fines or diminished consumer trust in other regions.  For example, Camila Tobón, a Colorado-based data privacy lawyer at Shook, Hardy & Bacon, said many countries in the Latin America follow a consent-based model, which doesn’t allow for the legitimate interest data collection case presented under GDPR. She said many Latin American countries with data privacy laws used Spain’s consent-based version of the 1995 Data Protection Directive (the predecessor to GDPR in Europe) to shape their regulations.

“When Spain incorporated the directive into their law, one noticeable change [from other EU countries] was the lack of legitimate interest for a basis for processing personal data,” Tobón said. “When most Latin American countries were starting to implement their laws in 1999, 2000, 2001, they used the Spanish law as a model, which didn’t include legitimate interest. So what you ended up seeing in Latin America was a consent-based model.”

However, Brazil’s General Data Protection Law, which passed in 2018, includes the case for legitimate interest collection, which closely aligns that country’s laws with Europe’s.  And, other countries in Latin America are working on changes as well.  Chile recently voted to create a national data protection authority. Panama’s National Assembly approved a national data protection regulation last year that currently awaits the president’s signature. An updated Argentine bill to bring the country’s data protection regulations closer to Europe’s with a legitimate interest model and data protection officer requirement is also in the works, with a draft standing in front of Congress.

Beyond Latin America, other countries are making (or considering making) changes as well.  The Corporate Counsel Association of South Africa’s chief executive officer Alison Lee said she expects to see the country implement the Protection of Personal Information Act this year.  Unlike GDPR, POPIA asserts companies also have “personal data” that requires protection. South Africa currently doesn’t require explicit consent to collect data or legitimate interest, but it does require some form of consent.  Nigeria could also see data protection changes, as it has long attempted to pass a specific data protection bill.

So, what about Asia Pacific (APAC)?  Scott Thiel, a Hong Kong-based DLA Piper partner, said, since GDPR’s implementation, he’s increasingly asked questions about data protection in Asia.

“Everyone is sort of finally taking a breath and going, ‘OK, we got through GDPR, we’re somewhere near compliance and that’s great. I assume that works everywhere, does it?’ And the short answer is no, it doesn’t,” Thiel said. “A lot of the approaches to data compliance that work in Europe don’t work in the Asian markets.”

He said many companies have tried applying their GDPR policies to China and other Asian countries and it “just doesn’t” work.  Like Latin America, much of East Asia relies on a consent-based model rather than legitimate interest, Thiel said.  Nonetheless, cybersecurity laws are changing in APAC, as well.  The article has several more details regarding data privacy changes in Latin America, Africa and APAC.  GDPR, with its heavy fines, has gotten a lot of the coverage regarding data privacy compliance, but you can’t ignore requirements in the rest of the world if you’re a multi-national company.  I’m sure Antarctica will come out with their data privacy laws any day now.  ;o)

So, what do you think?  Are you prepared for data privacy changes around the rest of the world?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.