Data-Protection

UK GDPR

Following Brexit, the UK retained GDPR through the European Union (Withdrawal) Act, creating ‘UK GDPR’. Combined with the Data Protection Act 2018, this forms UK data protection law. UK GDPR mirrors EU GDPR with modifications: references to EU institutions are replaced with UK equivalents, the ICO is the supervisory authority, and national security exemptions reflect UK law. The EU granted the UK adequacy status in 2021, allowing data to flow freely between the EU/EEA and the UK without additional safeguards. However, this adequacy is reviewed periodically and could be revoked if UK law diverges significantly from EU standards. The tension between UK GDPR’s protections and the broad surveillance powers under the Investigatory Powers Act remains a concern for EU adequacy assessments.

Privacy Act 2020

New Zealand’s Privacy Act 2020 modernizes the 1993 framework for contemporary data practices. Key changes include: mandatory notification of privacy breaches likely to cause serious harm (within 72 hours to the Privacy Commissioner plus affected individuals); stronger enforcement through compliance notices that are legally binding; new criminal offenses for deliberately misleading agencies about individual information requests; and enhanced cross-border disclosure rules requiring reasonable belief that recipients will protect information to comparable standards. The thirteen Information Privacy Principles remain the core framework, covering collection, storage, access, correction, retention, and disclosure. The Privacy Commissioner can issue binding compliance notices, order agencies to pay damages, and refer matters for prosecution. New Zealand maintains EU adequacy, facilitating data flows. The law applies to agencies ‘carrying on business’ in New Zealand even if based elsewhere.

PIPA

South Korea’s Personal Information Protection Act provides comprehensive data protection with strong enforcement. The law applies broadly to public and private sector personal information handling. Key requirements include: specific purpose limitation, consent for collection (with strict standards for sensitive data), security measures commensurate with risk, and individual rights to access, correct, delete, and suspend processing. The Personal Information Protection Commission (PIPC) supervises compliance and can impose administrative fines up to 3% of relevant revenue plus criminal penalties for severe violations. Data breach notification is mandatory within 24 hours. Cross-border transfers require consent plus one of: adequacy determination, binding corporate rules, or PIPC-recognized certifications. Korea achieved EU adequacy in 2021. The law is notably stricter than some GDPR requirements, particularly around consent standards and data minimization.

Personopplysningsloven

The Norwegian Personal Data Act (Personopplysningsloven) implements GDPR in Norway through the EEA Agreement mechanism. While GDPR forms the core of Norwegian data protection law, the Act includes supplementary national rules where GDPR permits flexibility: age of consent for children’s data (13 years), national identification numbers, processing for archiving and research purposes, and employment-related processing. Datatilsynet serves as Norway’s independent supervisory authority with powers to investigate, issue orders, and impose administrative fines. The Act interacts with other Norwegian legislation including Sikkerhetsloven (national security) and Ekomloven (electronic communications), creating a comprehensive framework for data protection in Norway.

LED

The Law Enforcement Directive regulates personal data processing by police, prosecutors, and courts for criminal law purposes. Unlike the GDPR, which excludes such law enforcement processing from its scope, the LED provides targeted protections balanced against public security needs. Individuals have rights to access their data, request correction, and lodge complaints, though these may be restricted during active investigations. Controllers must implement appropriate safeguards, distinguish between different categories of data subjects (suspects, victims, witnesses), and ensure data quality and purpose limitation. Transfers to third countries require adequacy decisions or appropriate safeguards. Member states supervise compliance through their data protection authorities, with some exceptions for judicial activities. The LED ensures that law enforcement cooperation across EU borders occurs within a consistent data protection framework.

FADP

Switzerland’s Federal Act on Data Protection underwent major revision in 2023 to align with GDPR and maintain the EU adequacy decision enabling free data flows. Unlike GDPR, FADP applies primarily to private sector processing and federal agencies (cantonal authorities have separate rules). Key changes include: expanded scope covering all processing affecting Swiss residents, mandatory breach notification within 72 hours, privacy-by-design and privacy-by-default requirements, data protection impact assessments for high-risk processing, and stronger penalties (up to CHF 250,000 for individuals). The law maintains Swiss-specific features like the definition of ‘sensitive personal data’ including trade union membership and social assistance data. Cross-border transfers require adequacy assessments or safeguards similar to GDPR. The FDPIC (Federal Data Protection and Information Commissioner) supervises compliance.

DPDP Act

India’s Digital Personal Data Protection Act 2023 creates the country’s first comprehensive data protection framework. It establishes rights for ‘data principals’ including informed consent, access to information, correction and erasure, and grievance redress. ‘Data fiduciaries’ (similar to controllers) must process personal data lawfully, implement security safeguards, and fulfill data principal requests. The Act creates a Data Protection Board to adjudicate complaints and impose penalties up to ₹250 crore (~$30M). However, Section 17 gives the central government sweeping exemption powers for state security, sovereignty, public order, and other specified purposes. This means the strong protections can be bypassed for government activities. Cross-border transfer is permitted to countries not blacklisted by the government. The interaction between DPDP and the IT Act’s surveillance powers creates a regime where individual protections coexist with extensive government access.

BDSG

Germany’s Federal Data Protection Act (BDSG) works alongside GDPR to form the complete data protection framework in Germany. While GDPR provides the primary rules, BDSG exercises national opening clauses for specific areas. Employment data processing receives detailed regulation, covering recruitment, employee monitoring, and works council involvement. Public sector processing rules address federal agencies’ specific obligations. Video surveillance in publicly accessible areas has enhanced requirements. The BDSG also specifies when data protection officers are mandatory (beyond GDPR minimums), addresses credit scoring, and sets rules for automated decision-making. Germany’s federal structure means enforcement is split between the BfDI (Federal Commissioner) for federal bodies and sixteen state authorities for private sector and state-level public bodies.

APPI

Japan’s APPI, originally enacted in 2003, was substantially revised in 2020 and 2022 to align with GDPR and strengthen protections. Business operators must specify utilization purposes, obtain consent for sensitive data, implement security measures, and respond to individual requests for disclosure, correction, and deletion. The 2020 amendments introduced rights to request deletion and usage suspension, created penalties for database theft, and strengthened the Personal Information Protection Commission’s enforcement powers. Cross-border transfers require consent plus adequacy assessment, consent plus contractual safeguards, or group company systems with equivalent protections. Japan and the EU recognize each other’s adequacy, creating a ‘data free-flow highway’ between the two economies. The PPC actively updates guidelines for emerging technologies including cookies, AI, and biometrics.