Enhanced requirements for governance and accountability

The GDPR has always rested on the principle of accountability, requiring organisations to take documented measures to demonstrate their compliance. Many countries have been required by the GDPR to implement more formal operational privacy requirements of this nature, such as requiring the appointment of a data protection officer (DPO) in certain contexts and requiring formal impact assessments to be carried out.

(Source: United Nations Conference on Trade and Development)

Diverging role of consent between the EU/UK and other jurisdictions

Privacy laws typically require an organisation to establish a legal basis for any processing of personal data, which may include the individual’s consent to that processing activity. The GDPR has made it more difficult for organisations to rely on consent, by setting high standards for obtaining a valid consent (eg, requiring a separate consent for each processing activity for which consent is needed, rather than seeking a single blanket consent to the privacy policy).

In contrast, privacy laws in many countries (particularly in Asia and Latin America) still rely heavily on consent as the primary basis for processing personal data (and consent may also be withdrawn). The standards of transparency and explicitness that need to be met for a valid consent have nevertheless often also been raised in line with those of the GDPR.

That said, many newly introduced or recently revised privacy laws have added more flexibility in the range of permissible legal grounds for the collection and use of personal data. This flexibility is achieved by bringing in some combination of the more expansive grounds from the GDPR of ‘legitimate interest’ and of processing required to fulfil a contractual obligation with the individual (or related grounds), eg, Indonesia, Korea, India, the Philippines and Thailand. By contrast, both China and Vietnam still mandate that an individual’s consent is to be obtained in most cases. Similarly, various countries in Latin America, such as Argentina and Uruguay, continue to require consent in most cases, and do not provide the same type of ‘legitimate interests’ basis as the GDPR for processing of personal data without consent despite looking significantly to EU privacy principles in other respects in creating their privacy laws. By contrast, consent is only one of the six lawful bases for processing personal data in the UK and EU. In most cases, consent is often used in the UK and EU for processing special category data or processing data in a potentially intrusive way.

Singapore has permitted processing based on either deemed consent in an expanded range of circumstances or legitimate interests since early 2021. However, in conjunction with this, Singapore law requires organisations to conduct a specific DPIA when planning to rely on either of these bases for processing.

Greater restrictions on cross-border data transfers and separate data localisation requirements

(Source: Freshfields data collected July 2023)

Cross-border data transfers have been a particular focus of EU data protection authorities, and cross-border data transfers are a growing focus of regulation in other jurisdictions as well.

The EU standard contractual clauses remain the most common mechanism for cross-border data transfers of personal data out of the EU, and many other countries have now issued or proposed to issue their own model clauses for cross-border transfers of personal data (eg, the UK, Brazil, China, the ASEAN, Hong Kong and Thailand).

Separately, a smaller subset of countries (such as China, Russia, Indonesia, Vietnam and certain countries in Africa) impose data localisation requirements for certain categories of data or applicable to certain categories of organisation/sector. These rules generally require copies of data to be maintained in-country, or prohibit the transfer of data out of the jurisdiction without government approval.

These data localisation requirements can prevent the cross-border transfer of covered data even if the requirements under privacy laws have been met. For example, even if an organisation uses China’s approved standard contract for cross-border transfers of personal data under the PIPL, the organisation may still be prohibited from transferring personal data above certain volume thresholds or if the organisation has been designated an operator of critical information infrastructure.

However, the march of restrictions on cross-border data transfer may already be in retreat.

Earlier versions of what eventually became the India Digital Personal Data Protection Act 2023 had proposed a combination of the Russian and Chinese approaches; namely a requirement to maintain a copy of all personal data on a server in India (ie, as is the case in Russia), coupled with powers for the government to notify certain categories of critical personal data that could only be processed in India (ie, similar to the Chinese rules). Both proposed requirements were dropped before the final legislation passed in August 2023. The final Act instead adopts a ‘black-list’ approach that would prohibit transfers of personal data to certain jurisdictions designated by the government.

Vietnam’s expansive requirement for local data storage by organisations providing services over networks (including the internet)—which has been in place since 2019—was narrowed down in August 2022 to apply only to ten digital sectors and only to certain types of user and service data. The impact of the rule does nevertheless remain significant, and uncertainty remains as to whether these kinds of data can only be stored in Vietnam. The new Vietnamese Decree No. 13 on the Protection of Personal Data issued in April 2023 allows personal data to be transferred overseas by mere notification to the government. The government does, however, reserve the right to discontinue specific data transfers, including on national security grounds. This indicates a further liberalisation in Vietnam’s thinking, although the 2019 rule remains in force.

Similarly, while Indonesia has certain sectoral data localisation rules, it relaxed the key restriction in 2019 as it had applied to private networks and information systems (GR 71/2019). The new privacy law has also avoided imposing any unusually strict restrictions on cross-border data transfer.

In a surprise announcement on 28 September 2023, China also revealed that it was planning to relax its rules on cross-border data transfers in certain circumstances. See here for further details of the new proposal.

Looking ahead

Privacy laws do tend to share several core concepts, such as:

• Transparency.
• Legal basis/consent.
• Individual rights (although the extent of individual rights provided for can vary a great deal from one jurisdiction to the next).
• Data security.
• Breach notification obligations.  

As new privacy laws and regimes expand and mature, we expect to see countries continuing to take inspiration from other jurisdictions’ privacy laws, and it can be expected that the GDPR will remain a primary reference point. At the same time, we will continue to see many examples of jurisdictions tailoring their legislation to their own political, historical, and cultural contexts.

When it comes to data regulation, no two journeys are exactly alike. A ‘GDPR is the high watermark’ approach to compliance is therefore unlikely to achieve complete compliance across any basket of jurisdictions in which an organisation operates. Compliance programmes that do not also recognise the nuances on common privacy questions in certain jurisdictions will generally fall short of an ideal standard.

Back to top.