There are over 190 independent states worldwide, and most of them have their own data privacy regulations. This is why, from a business perspective, we need to ask ourselves what to consider in terms of data protection when setting up a new business venture or subsidiary in a foreign country, and whether it is possible to develop a management model and privacy compliance program that is globally scalable.
The privacy team of ECIX GROUP has carried out a comparative analysis of the different existing data protection regulations, with the firm's clients that have an international presence in mind. The following map shows the regulations that were analysed.
WORLD DATA PRIVACY RULES MAP: ecixgroup.com/wp-content/uploads/2022/09/PRIVACYREGULATIONSMAP.pdf
The main conclusions of this analysis are:
1. ALIGNMENT WITH THE GDPR
Regarding the above-mentioned international privacy map, we should note that the principles of the GDPR have inspired several countries to adjust their domestic regulations to some of its requirements. The aims of this alignment are, in our view, mainly two:
- The desire to extend the protection of the rights of their citizens,
- A competitive race to avoid the regulatory barriers that could block the market for their companies, and to pursue the exchange of information to and from the European Union.
2. PRIVACY BY DESIGN
In this sense, it is remarkable how these brand-new domestic regulations (mainly in Latin America) have adopted one of the key new features introduced by the GDPR: the Privacy by Design and by Default principle, which is an essential requirement for any company that runs products or services involving personal data processing. As a result of this principle, any initiative that includes the use of personal data must consider the privacy regulations from the beginning. For this reason, producers, developers, and suppliers must always take it into account if they are planning to market their products and services in the European Union territory.
3. PRIVACY AS A FACTOR IN INTERNATIONALISATION
Indeed, since the text of the European Regulation was made public in 2016, companies have sought to build scalable compliance management models, based on the GDPR as a global framework, and to implement them in their international subsidiaries, adapting these models to the local legal requirements.
ECIX's experience in this kind of situation shows us how the volume of projects complying with this standard has significantly increased in recent years. This is thanks, among other things, to our membership of international collaboration networks, such as the International Network of Privacy Law Professionals (INPLP), which allows us to respond effectively to the international projects and other kinds of needs that our clients have. This goal is achieved by teaming up with experts in different countries, coordinated from our headquarters in Spain, and transmitting homogeneous instructions to their subsidiaries, mainly when the GDPR topics are complex and technical.
Notwithstanding the "global" nature of the GDPR and its direct application in many countries, it is essential to identify the features of the member states' domestic laws and data protection authorities' guidelines. The GDPR allows us to ensure a high level of compliance and legal certainty for the organization despite its complex structure.
4. GDPR FOR EUROPEAN COUNTRIES, OPPORTUNITY OR LIMITS?
The GDPR was born to unify the different existing data protection regulations all around Europe. It all began in 1970 with the first data protection law, which was passed in the German state of Hesse.
The 10th recital of the GDPR embodies this spirit across the Union, enabling Member States to maintain or adopt domestic provisions to further specify some aspects of the GDPR according to this continental regulation.
In their effort to legislate, almost all Member States have developed their own domestic laws, as summarised below:
- Spain, Germany, Italy, France, Portugal, Poland, and Germany are the countries that have extended the GDPR the most through their domestic laws. They have regulated issues such as adding functions and obligations for DPOs (for example, not all countries are obliged to have a Register of DPOs); digital rights within the workplace (rules on video surveillance, use of devices, etc.); restrictions on the processing of special categories of data; or the enhancement of the data protection rights of deceased persons.
- Each country has regulated, as required by the GDPR, the minimum age of consent. We find disparities in this minimum age ranging from 13 years in the case of Sweden, to 16 years under the regulation of countries such as Germany or Slovakia.
- Regarding sanctions, some countries such as Poland or Germany have criminal provisions for non-compliance with data protection rules.
- In the countries that have expanded their regulations the most, mentioned above, we find Guidelines, Directives, Resolutions and Orders issued by their national Data Protection Authorities, by which they have made it easier for their citizens, companies, and organizations to use personal data.
5. MORE INFORMATION:
You can obtain more information about this issue by accessing the following interactive map, which details the particularities of some EU national regulations in relation to the GDPR: https://public.flourish.studio/visualisation/11296968/
Article provided by INPLP members: Francisco Perez Bes and Esmeralda Saracibar (ECIX Group, Spain)
Dr. Tobias Höllwarth (Managing Director INPLP)