European Jurisdictions outside GDPR

European Jurisdictions with Lesser Known Internet Privacy Laws Outside of GDPR

Privacy has long been recognized as a fundamental human right in many societies. And in this new age of global interconnectivity enabled by the Internet, a growing number of countries are regulating the massive collection of data about their residents and protecting their privacy.

The rules governing data privacy vary from one country to another. Some particular privacy laws are noted for their stringency or wide breadth of application to most businesses. While most are aware of the comprehensive privacy laws passed in the European Union (EU) and California state in the United States, many are unaware of other jurisdictions with privacy laws. For instance, the General Data Protection Regulation (GDPR) is not applicable law in all European countries. Some countries have implemented their own version of GDPR or have otherwise passed a data privacy law heavily based on GDPR principles.

The following are some European countries where the EU GDPR does not apply directly, but which nevertheless have a data privacy law in place:

United Kingdom

The United Kingdom is no longer a member of the European Union. It left the EU on December 31, 2020. The GDPR no longer applies domestically to the UK, as it had since May 2018, while the UK was still a member state.

While the GDPR has been repealed for the UK after Brexit, this does not mean that the UK no longer has a data privacy law. The UK has its version of the EU’s GDPR that took effect on January 31, 2020. It governs all personal data processing by individuals within the United Kingdom, along with the Data Protection Act of 2018 and the Privacy and Electronic Communications Regulations (PECR).

The EU has now classified the UK as a “third nation” outside the scope of GDPR, for which transfers of data to the UK must be examined for legitimacy. However, the EU issued an adequacy decision for the UK on June 28, 2021. This decision maintains that personal data can continue to flow freely from the EU to the UK. It is a limited four-year process and will need to be renewed after expiration in June 2025.

Iceland

Iceland has had data privacy legislation in place for quite some time. Although it is not a member of the European Union, Iceland’s legislation has been updated to largely meet the GDPR’s standards, such that its citizens are likely to get the same degree of protection as their European counterparts.

To implement the GDPR, Act 80/2018 on Privacy and Processing of Personal Data (the “Act”) was passed by the Icelandic Parliament in July 2018. The Data Protection Authority oversees compliance by companies with the Act and looks for ways to improve data policies.

Norway

Norway is another country that values privacy. Like the UK and Iceland, Norway is not a member country of the EU, but it is a member state of the European Economic Area (EEA), where the GDPR also applies.

The GDPR was made part of Norwegian law in July 2018 by the Law on the Processing of Personal Data (Personal Data Act) of 15 June 2018.

The Norwegian Data Protection Authority (“Datatilsynet”) is an independent public authority that protects individual privacy. Datatilsynet enforces data protection regulations such as the Personal Data Act and requires organizations and others to comply with them. It can impose financial sanctions and penalties on non-compliant entities.

Switzerland

Switzerland has a well-deserved reputation for protecting the privacy of its residents’ information.

Switzerland protects its citizens’ privacy through its constitution and regulations. The Federal Act on Data Protection 1992 (FADP) was passed to protect people’s privacy. It prohibits the processing of personal data without consent from the person to whom it relates. These regulations are similar to GDPR and have been deemed adequate by the EU.

According to the FADP, personal data is protected and cannot be processed unless the data subject consents or the law permits the processing.

Final Thoughts

It is becoming more common for governments and business organizations to move services to the Internet to enhance efficiency and accessibility. However, these improvements will likely have a significant impact on data privacy.

More and more countries are passing some version of a comprehensive or omnibus data privacy law, while others have no such data privacy regulations. Although it is impossible to provide 100 percent security online, business owners can take initial steps to improve the secure collection and processing of information, such as first determining which laws may apply to them.


Metaverse Law Speaks at PrivSec Global

On September 23, 2021 attorney Lily Li spoke at PrivSec Global: The Largest Data Protection, Privacy and Security Event of 2021. The Global Live Stream Experience was a two day event from September 22 to September 23, 2021.

The topic of discussion was “Why Most CCPA Cases Will Fail: Five Hurdles Plaintiffs Must Clear.” Further details on the topic and an on-demand recording of the presentation are available from the PrivSec Global event page.


Guidance on Artificial Intelligence and Data Protection


For many of us, Artificial Intelligence (“AI”) represents innovation, opportunities, and potential value to society.

For data protection professionals, however, AI also represents a range of risks involved in the use of technologies that shift processing of personal data to complex computer systems with often opaque processes and algorithms.

Data protection and information security authorities as well as governmental agencies around the world have been issuing guidelines and practical frameworks to offer guidance in developing AI technologies that will meet the leading data protection standards.

Below, we have compiled a list* of official guidance recently published by authorities around the globe.

Canada:

  • 1/17/2022 – Government of Ontario, “Beta principles for the ethical use of AI and data enhanced technologies in Ontario”
    https://www.ontario.ca/page/beta-principles-ethical-use-ai-and-data-enhanced-technologies-ontario
    The Government of Ontario released six beta principles for the ethical use of AI and data enhanced technologies in Ontario. In particular, the principles set out objectives for aligning the use of data enhanced technologies in government processes, programs, and services with ethical considerations, which are to be prioritized.

China:

  • 12/12/2022 – Cyberspace Administration of China, Regulations on the Administration of Deep Synthesis of Internet Information Services
    http://www.cac.gov.cn/2022-12/11/c_1672221949354811.htm (in Chinese) and
    http://www.cac.gov.cn/2022-12/11/c_1672221949570926.htm (in Chinese)
    The Regulations target deep synthesis technology, meaning synthesis algorithms that generate text, audio, video, virtual scenes, and other network information. The accompanying Regulations FAQs state that providers of deep synthesis technology must provide safe and controllable safeguards and conform with data protection obligations.
  • 9/26/2021 – Ministry of Science and Technology (“MOST”), New Generation of Artificial Intelligence Ethics Code
    http://www.most.gov.cn/kjbgz/202109/t20210926_177063.html (in Chinese)
    The Code aims to integrate ethics and morals into the full life cycle of AI systems, promote fairness, justice, harmony, and safety, and avoid problems such as prejudice, discrimination, privacy violations, and information leakage. The Code provides for specific ethical requirements in the design and maintenance of AI technology.
  • 1/5/2021 – National Information Security Standardisation Technical Committee of China (“TC260”), Cybersecurity practice guide on AI ethical security risk prevention
    https://www.tc260.org.cn/upload/2021-01-05/1609818449720076535.pdf (in Chinese)
    The guide highlights ethical risks associated with AI, and provides basic requirements for AI ethical security risk prevention.

E.U.:

  • European Telecommunication Standards Institute (“ETSI”) Industry Specification Group Securing Artificial Intelligence (“ISG SAI”)
    https://www.etsi.org/committee/1640-sai
    The ISG SAI has published standards to preserve and improve the security of AI. Its work focuses on using AI to enhance security, mitigating attacks that leverage AI, and securing AI itself from attack.
  • 4/21/2021 – European Commission, “Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts”
    https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=75788
    The EU Commission proposed a new AI Regulation – a set of flexible and proportionate rules that will address the specific risks posed by AI systems, intending to set the highest global standard. As an EU regulation, the rules would apply directly across all European Member States. The regulation proposal follows a risk-based approach and calls for the creation of a European enforcement agency.

Checklist for GDPR Compliance

US Businesses’ Checklist for GDPR Compliance

The General Data Protection Regulation (GDPR) is legislation that sets some of the world’s strictest rules for personal data protection. If you’re a US-based business that does business with individuals in the European Union, you need to comply with this regulation. A checklist will be helpful to keep you on track!

GDPR

GDPR is a European Union data privacy law that mandates organizations to keep data safe. The regulation was implemented in May 2018. Moreover, the data privacy law allows people to have more control over how their data is used. Failure to comply with the law is subject to large fines. 

US Companies & GDPR Compliance

It’s easy to think that the GDPR law only applies in Europe. However, it applies to companies outside the EU as well due to its extra-territorial scope. 

Any company that collects personal data of people in the EU is required to comply with the GDPR. 

However, GDPR also recognizes that some non-EU companies work with EU citizens only on an incidental basis. Therefore, based on Recital 23, foreign companies are only required to comply with GDPR if they target EU residents with their marketing.

Collection of Personal Data

GDPR distinguishes two roles in the handling of personal data:

  • Data controller: A data controller is a public authority, individual, agency, or other body that determines the purpose and means of personal data processing. The controller is the one who decides how personal data will be processed.
  • Data processor: A data processor is any person, organization, or agency that processes personal data on behalf of the controller. In this case, they don’t make decisions about how personal data is handled.

GDPR Compliance Checklist for US Companies

If you are a US-based company that deals with EU clients, having a GDPR checklist will help you stay on track with your GDPR compliance. That way, you can prevent large fines that can be detrimental to your finances. 

This checklist will help ensure GDPR compliance:

Information Audit for EU Personal Data

Determine what personal data you need to process and whether it belongs to people in the EU. If you find that you process EU personal data, determine which activities the data relates to, such as offering goods or services to data subjects, regardless of whether a payment is required.

Let Your Clients Know

You need to let your clients know you’re processing their data, and the easiest way to do this is by obtaining their consent. Keep in mind that relying on consent involves other duties. You also need to provide clear and transparent information about your processing activities to your data subjects, which involves updating your privacy policy.

Evaluate Your Data Processing Activities

When you evaluate your data processing activities, you’ll be able to understand the security and privacy risks of the data you process. Through this, you can implement ways to mitigate those risks.

Improve Your Protection

When you have determined your data processing activities, it’s time to start implementing data security practices, like end-to-end encryption, that will help limit your exposure to data breaches. 

Have a Data Processing Agreement with Your Vendors

You are accountable for your third-party vendors should they violate their GDPR obligations. Therefore, a data processing agreement between you and your vendors is crucial. The agreement must detail the rights and responsibilities of each party.

Have a Representative in the European Union

Non-EU organizations must appoint a representative based in one of the EU member states. On the other hand, you won’t need a representative if your processing is only occasional, is not carried out on a large scale, and is unlikely to pose a risk to the rights and freedoms of natural persons.

If you need a representative, the representative will act on your behalf and may be addressed by any supervisory authority. Keep in mind that a representative doesn’t affect your responsibility or your liability. 

Some of the tasks of the representative include cooperating with the supervisory authorities regarding actions taken to ensure compliance with GDPR. 

Have a Plan If There’s a Data Breach

Having a proper plan in place in case of a data breach is crucial. Attackers are all over the internet, and a minor vulnerability can lead to a breach of your data that will affect your GDPR compliance. Don’t let this happen to you: include breach planning in your checklist so that you’re prepared should anything go wrong.

Complying with GDPR may seem like another tedious task you need to do. Instead of looking at it that way, consider it an opportunity to strengthen your relationship with your customers. Moreover, being GDPR-compliant can prepare you for regulations in other countries, such as Japan, Brazil, and South Korea.

Other Tips To Be GDPR-Compliant

Your GDPR compliance must be taken seriously. It’s essential that you know all the data you collect and how it flows through your internal systems. Remember that IP addresses are classified as personal data as well. So, if you’re unsure whether the IP addresses you collect are personal data, refer to the supervisory authority in the relevant EU member state to be sure.

Another thing that helps you be GDPR compliant is a Data Register, which is a comprehensive record of how your company practices GDPR compliance. The data register should map the flow of data through the company, and the more detail it contains, the better. In the event of an audit, your data register can be used as proof of compliance. Furthermore, if you suffer a data breach, the data register can be used as proof of progress towards improved data security.

Speaking of data breaches, you should report them immediately, as this is also a mandatory GDPR requirement. Data processors should report data breaches to controllers, and the controllers will be the ones to report to a supervisory authority.

It’s crucial that you evaluate your data collection requirements as well. Make sure you are gathering only the data you need, because acquiring sensitive data without good reason can be an alarm bell for the supervisory authority.

Be GDPR Compliant Today

If you are a US business owner who does business with individuals in the EU and haven’t worked on your GDPR compliance yet, it’s time to do so before you face big penalties. Use this checklist to help you out.
