If you operate in Europe, chances are you’ve heard of ‘GDPR’. In 2018 (and the two years before it became directly applicable law in all member states) it was all anyone could talk about. Well, that and a certain word beginning with ‘B’…
For those less familiar, the General Data Protection Regulation is a European Union regulation which entered into force on the 24th of May 2016 and, following a two-year transition period, has applied directly in every member state since the 25th of May 2018. Being a regulation rather than a directive, it did not need to be transposed into national law to take effect.
The application of the GDPR primarily depends on whether or not an organisation is established in the EU. ‘Established’ is interpreted broadly, though: it doesn’t necessarily require a legal entity registered in an EU member state, since any stable arrangement through which real and effective activity is exercised can count. That being said, the GDPR also has extra-territorial effect. An organisation that isn’t established within the EU but offers goods or services to data subjects who are in the Union, or monitors their behaviour there, is still subject to the GDPR for that processing.
GDPR and the UK
Here’s where things get a little more complicated. When the GDPR came into force in 2018, the UK was still a full member state of the European Union (although the population had voted to leave the EU by then — there’s that ‘B’ word again).
As of the 31st of January 2020, the UK has officially left the EU and is no longer a member state. However, the country is still in a ‘transition period’, during which time EU law (including the GDPR) continues to apply. Once this period comes to an end, EU law will cease to apply in the UK.
Instead, the GDPR will be retained in UK national law under the European Union (Withdrawal) Act 2018 (creating what will effectively be the ‘UK GDPR’), subject to a number of technical changes. Alongside the GDPR, the UK has also enacted a national data protection law, the Data Protection Act 2018, which supplements the GDPR and covers areas such as personal data processing for law enforcement and a separate data protection regime for national security processing.
What about data protection in other countries?
As well as being the year countries were plunged into lockdown to contain the coronavirus pandemic, 2020 is also shaping up to be a momentous year for data protection legislation around the world.
In the US, the year started with a bang as the California Consumer Privacy Act (CCPA) came into effect on the 1st of January 2020, with enforcement by the California Attorney General beginning on the 1st of July. The CCPA gives consumers a private right of action and statutory damages (ranging from $100 to $750 per consumer per incident, or actual damages if greater) against businesses whose failure to implement and maintain reasonable security procedures and practices leads to a breach of their unencrypted and unredacted personal information. Consumers wishing to seek statutory damages must first give the business written notice of the violation and 30 days to cure it. How this is enforced is likely to set the tone for further US legislation at state and federal level.
Brazil’s Lei Geral de Proteção de Dados (LGPD) is also due to come into effect on the 15th of August 2020. Much like the GDPR, the law will apply to all companies that handle the personal information of Brazilian residents, whether they are physically located within the country or not.
Several other data protection legislation initiatives are likely to go through the final approval stages in 2020, too — with countries such as India and South Korea keen to join the global movement for stricter data protection laws.
India’s controversial Personal Data Protection Bill was first drafted in 2018 and introduced in Parliament in December 2019 as the Personal Data Protection Bill 2019. It has been contested by international businesses because of its data localisation policy, which would require any company processing the personal data of an Indian data subject to keep a copy of that data on servers within India (all personal data under the 2018 draft, narrowed to sensitive personal data in the 2019 bill).
South Korea is also looking to align its existing data privacy laws with the GDPR in the hopes of receiving an adequacy decision from the European Commission in the coming year. A positive ruling would mean data could travel freely between South Korea and Europe, facilitating cross-border data transfers and business operations.
The fall of the Privacy Shield
In stark contrast, data flows from the EU to the US could see severe disruption following the decision of the Court of Justice of the European Union in the Schrems II case to invalidate the EU-US Privacy Shield framework.
For the past 20 years, first under Safe Harbour and then under the Privacy Shield, personal data has been able to flow from the EU to the more than 5,300 US-based companies that self-certified to data protection standards more rigorous than US law requires. However, on the 16th of July 2020 the court struck the Privacy Shield down, holding that US surveillance law does not limit government access to EU citizens’ data to what is strictly necessary and gives EU data subjects no effective judicial redress, so the protection is not essentially equivalent to that guaranteed in the EU. Standard contractual clauses survived the ruling, but only on condition that the data exporter verifies, case by case, that the law of the destination country allows the clauses to be honoured in practice.
This ruling could hamper EU-US data flows, which underpin a significant amount of economic activity in both regions. For the UK, the fall of the Privacy Shield could also cause some additional problems. The UK wants unrestricted data transfers with both the EU and the US — but if the EU is concerned the UK will become a backdoor to unprotected US data transfers, it won’t grant adequacy.
Want to know how data regulations could impact your international employment journey? Whether you’re looking for a PEO in the UK or India, we can ensure you remain on the right side of compliance through our expert employment services. Contact us today to find out more.