Privacy has long been recognized as a fundamental human right in many societies. And in this new age of global interconnectivity enabled by the Internet, a growing number of countries are regulating the massive data collection and privacy of its residents.
The rules governing data privacy vary from one country to another. Some particular privacy laws are noted for their stringency or wide breadth of application to most businesses. While most are aware of the comprehensive privacy laws passed in the European Union (EU) and California state in the United States, many are unaware of other jurisdictions with privacy laws. For instance, the General Data Protection Regulation (GDPR) is not applicable law in all European countries. Some countries have implemented their own version of GDPR or have otherwise passed a data privacy law heavily based on GDPR principles.
The following are some European countries where the EU GDPR does not apply, but nevertheless has some data privacy law in place:
The United Kingdom is no longer a member of the European Union. It left the EU on December 31, 2020. The GDPR no longer applies domestically to the UK, as it had since May 2018, while the UK was still a member state.
While the GDPR has been repealed for the UK after Brexit, this does not mean that the UK no longer has a data privacy law. The UK has its version of the EU’s GDPR that took effect on January 31, 2020. It governs all personal data processing by individuals within the United Kingdom, along with the Data Protection Act of 2018 and the Privacy and Electronic Communications Regulations (PECR).
The EU has now classified the UK as a “third nation” outside the scope of GDPR, for which transfers of data to the UK must be examined for legitimacy. However, the EU issued an adequacy decision for the UK on June 28, 2021. This decision maintains that personal data can continue to flow freely from the EU to the UK. It is a limited four-year process and will need to be renewed after expiration in June 2025.
Iceland has had data privacy legislation in place for quite some time. Although it is not a member of the European Union, Iceland’s legislation has been updated to largely meet the GDPR’s standards, such that its citizens are likely to get the same degree of protection as their European counterparts.
To implement the GDPR, Act 80/2018 on Privacy and Processing of Personal Data (the “Act”) was passed by the Icelandic Parliament in July 2018. The Data Protection Authority oversees compliance by companies with the Act and looks for ways to improve data policies.
Norway is another country that values privacy. Like the UK and Iceland, Norway is not a member country of the EU, but a member state of the European Economic Area (EEA) where GDPR also has jurisdiction.
The GDPR was made part of Norwegian law in July 2018 by the Law on the Processing of Personal Data (Personal Data Act) of 15 June 2018.
The Norwegian Data Protection Authority (“Datatilsynet”) is an independent public authority that protects individual privacy. Datatilsynet enforces data protection regulations such as the Personal Data Act and holds organizations and others to comply with them. It can impose financial sanctions and penalties for non-compliant entities.
Switzerland has a well-deserved reputation for protecting the privacy of its residents’ information.
Switzerland protects its citizens’ privacy through its constitution and regulations. The Federal Act on Data Protection 1992 (FADP) was passed to protect people’s privacy. It prohibits the processing of personal data without consent from the person to whom it relates. These regulations are similar to GDPR and have been deemed adequate by the EU.
According to FADP, personal data is protected and cannot be processed unless the subject or the law allows it to be done so.
It is becoming more common for governments and business organizations to move services to the Internet to enhance efficiency and accessibility. However, these improvements will likely have a significant impact on data privacy.
More and more countries are passing some version of a comprehensive or omnibus data privacy law, while others have no such data privacy regulations. Although it is impossible to provide 100 percent security online, business owners can take initial steps to improve the secure collection and processing of information, such as first determining which laws may apply to them.