Adequacy

UK GDPR

Following Brexit, the UK retained GDPR through the European Union (Withdrawal) Act, creating ‘UK GDPR’. Combined with the Data Protection Act 2018, this forms UK data protection law. UK GDPR mirrors EU GDPR with modifications: references to EU institutions are replaced by UK equivalents, the ICO acts as supervisory authority, and national security exemptions reflect UK law. The EU granted the UK adequacy status in 2021, allowing data to flow freely between the EU/EEA and the UK without additional safeguards. However, this adequacy is reviewed periodically and could be revoked if UK law diverges significantly from EU standards. The tension between UK GDPR’s protections and the broad surveillance powers under the Investigatory Powers Act remains a concern for EU adequacy assessments.

Privacy Act 2020

New Zealand’s Privacy Act 2020 modernizes the 1993 framework for contemporary data practices. Key changes include: mandatory notification of privacy breaches likely to cause serious harm (within 72 hours to the Privacy Commissioner plus affected individuals); stronger enforcement through compliance notices that are legally binding; new criminal offenses for deliberately misleading agencies about individual information requests; and enhanced cross-border disclosure rules requiring reasonable belief that recipients will protect information to comparable standards. The thirteen Information Privacy Principles remain the core framework, covering collection, storage, access, correction, retention, and disclosure. The Privacy Commissioner can issue binding compliance notices, order agencies to pay damages, and refer matters for prosecution. New Zealand maintains EU adequacy, facilitating data flows. The law applies to agencies ‘carrying on business’ in New Zealand even if based elsewhere.

PIPEDA

PIPEDA applies to private sector organizations collecting, using, or disclosing personal information in commercial activities across Canada (except in provinces with substantially similar legislation: Quebec, BC, Alberta). It implements ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Organizations must obtain meaningful consent, which varies by sensitivity and context. Individuals have rights to access their information and challenge its accuracy. The Privacy Commissioner of Canada investigates complaints, makes recommendations, and can seek court orders for compliance. Recent amendments (Bill C-27) propose replacing PIPEDA with the Consumer Privacy Protection Act, adding stronger penalties and algorithmic transparency requirements. Canada has EU adequacy status for commercial data transfers.

PIPA

South Korea’s Personal Information Protection Act provides comprehensive data protection with strong enforcement. The law applies broadly to public and private sector personal information handling. Key requirements include: specific purpose limitation, consent for collection (with strict standards for sensitive data), security measures commensurate with risk, and individual rights to access, correct, delete, and suspend processing. The Personal Information Protection Commission (PIPC) supervises compliance and can impose administrative fines up to 3% of relevant revenue plus criminal penalties for severe violations. Data breach notification is mandatory within 24 hours. Cross-border transfers require consent plus one of: adequacy determination, binding corporate rules, or PIPC-recognized certifications. Korea achieved EU adequacy in 2021. The law is notably stricter than some GDPR requirements, particularly around consent standards and data minimization.

FADP

Switzerland’s Federal Act on Data Protection underwent major revision in 2023 to align with GDPR and maintain the EU adequacy decision enabling free data flows. Unlike GDPR, FADP applies primarily to private sector processing and federal agencies (cantonal authorities have separate rules). Key changes include: expanded scope covering all processing affecting Swiss residents, mandatory breach notification within 72 hours, privacy-by-design and privacy-by-default requirements, data protection impact assessments for high-risk processing, and stronger penalties (up to CHF 250,000 for individuals). The law maintains Swiss-specific features like the definition of ‘sensitive personal data’ including trade union membership and social assistance data. Cross-border transfers require adequacy assessments or safeguards similar to GDPR. The FDPIC (Federal Data Protection and Information Commissioner) supervises compliance.

APPI

Japan’s APPI, originally enacted in 2003, was substantially revised in 2020 and 2022 to align with GDPR and strengthen protections. Business operators must specify utilization purposes, obtain consent for sensitive data, implement security measures, and respond to individual requests for disclosure, correction, and deletion. The 2020 amendments introduced rights to request deletion and usage suspension, created penalties for database theft, and strengthened the Personal Information Protection Commission’s enforcement powers. Cross-border transfers require consent plus adequacy assessment, consent plus contractual safeguards, or group company systems with equivalent protections. Japan and the EU recognize each other’s adequacy, creating a ‘data free-flow highway’ between the two economies. The PPC actively updates guidelines for emerging technologies including cookies, AI, and biometrics.