Last Updated: October 2018
In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts.
GDPR matchup: The APEC Privacy Framework and Cross-Border Privacy Rules
In this installment, Alex Wall, CIPP/E, CIPP/US, compares the principles of the APEC Privacy Framework with the principles expressed by the GDPR.
GDPR matchup: Argentina’s draft Data Protection Act
In this installment, Pablo Palazzi and Andrés Chomczyk of Allende & Brea compare Argentina’s draft Data Protection Act with the GDPR.
GDPR matchup: Australia's Privacy Act 1988
In this installment, elevenM’s Tim de Sousa compares Australia’s Privacy Act 1988 with the GDPR. Following the Australian Privacy Principles, de Sousa offers a one-on-one comparison with articles from the GDPR. One major difference, de Sousa notes, is that "Unlike the GDPR, the Privacy Act does not distinguish between data controllers and data processors — any APP entity that holds personal information must comply with the APPs."
GDPR matchup: Brazil's General Data Protection Law
In this installment, Bruno Bioni, Maria Cecília Oliveira Gomes and Renato Leite Monteiro, CIPP/E, CIPM, compare Brazil's General Data Protection Law, or LGPD, and the GDPR. "The Brazilian General Data Protection Law is very similar to the GDPR in context, structure and ultimate rationale: to protect the fundamental rights and freedoms of natural persons, especially the development of natural persons' personality. However, its differences make the law unique," the authors write.
GDPR matchup: The California Consumer Privacy Act 2018
In this installment, Santa Clara University School of Law Professor Lydia de la Torre, CIPP/US, compares the new California Consumer Privacy Act of 2018 to the GDPR. Offering a side-by-side comparison chart of certain definitions and provisions, de la Torre writes, "Although the CCPA incorporates some concepts that data protection professionals are familiar with, it is not modeled after the GDPR. Thus, compliance with the GDPR does not equate compliance with the CCPA."
GDPR matchup: Canada's Personal Information Protection and Electronic Documents Act
In this installment, Timothy Banks, CIPM, CIPP/C, compares key provisions of the Canadian Personal Information Protection and Electronic Documents Act with the EU GDPR.
GDPR matchup: China’s Cybersecurity Law
In this installment, Partner Zhong Lin and Researcher Galaad Delval, CIPP/E, both specialists in data protection, cybersecurity and telecom laws at EY Chen & Co. Law Firm, compare key provisions of the Cybersecurity Law of the People's Republic of China with the EU GDPR.
GDPR matchup: Hong Kong’s Personal Data (Privacy) Ordinance
In this installment, Alibaba Cloud's ShanShan Pa, CIPP/E, CIPP/US, CIPM, FIP, compares Hong Kong's Personal Data (Privacy) Ordinance with the GDPR.
GDPR matchup: Japan’s Act on the Protection of Personal Information
In this installment, Kensaku Takase of Baker McKenzie compares the Japanese Act on the Protection of Personal Information with the principles expressed by the GDPR. Japan's APPI came into effect in May, and with it came a "white list" of countries that provide adequate data protection, similar to that of the EU. "The mutual recognition will add Japan to EU's white list, and make the EU, Japan's first 'white listed' jurisdiction," Takase writes, adding, "Even so, there remain a large number of differences between the privacy laws of the EU and Japan."
GDPR matchup: Mexico's Federal Data Protection Law Held by Private Parties and its Regulations
In this installment, Miguel Recio, LLM in Data Protection, Transparency and Access to Public Information, compares key provisions of the Federal Data Protection Law Held by Private Parties and its Regulations with the EU GDPR.
GDPR matchup: New Zealand's Privacy Act 1993
In this installment, Nicola Hermansson, EY NZ data privacy leader, and William Fussey, EY Law privacy solicitor, compare key provisions of the New Zealand Privacy Act 1993 with the EU’s GDPR.
GDPR matchup: Philippines’ Data Privacy Act and its Implementing Rules and Regulations
In this installment, Radar Global Privacy Officer and Senior Counsel Alex Wall, CIPP/E, CIPP/US, CIPM, compares the Philippines’ Data Privacy Act of 2012, as supplemented by the Implementing Rules and Regulations, with the principles expressed by the GDPR. In a table format, Wall breaks down provisions of both regulations in a side-by-side comparison.
GDPR matchup: Singapore’s Personal Data Protection Act
In this installment, Professor Hannah YeeFen Lim offers a comparison of Singapore’s Personal Data Protection Act with the GDPR.
GDPR matchup: South Africa's Protection of Personal Information Act
In this installment, Russell Nel, CIPP/US, CIPT, principal consultant at Privacy Consulting, compares South Africa’s Protection of Personal Information Act with the GDPR. Nel writes that while POPIA was being finalized, early iterations of the GDPR had been published, meaning the laws share certain concepts. However, several changes were written into the final GDPR, "and so the South African law differs from the GDPR in some key ways that South African companies need to be cognizant of to comply with the GDPR."
GDPR matchup: Turkey's Data Protection Law
In this installment, co-founder of the Turkish technology law initiative Statjus.com, Yusuf Mansur Özer, compares Turkey's Data Protection Law with the GDPR.
GDPR matchup: The US Children's Online Privacy Protection Act
In this first installment, Tay Nguyen, CIPP/US, explores the relationship between provisions of the U.S. Children's Online Privacy Protection Act and rules for handling children's data in the GDPR.
GDPR matchup: US financial privacy laws
In this installment, Katy Liu, CIPP/E, CIPP/G, CIPP/US, CIPT, compares two major U.S. federal financial privacy laws and the recent New York Cybersecurity Regulation with the GDPR. Liu notes that while "the GDPR places great responsibility on controllers and processors to respond to the requests of data subjects," U.S. financial privacy laws "have generally focused on requiring organizations to implement information security or cybersecurity programs that will protect data from unauthorized access."
GDPR matchup: The US Health Insurance Portability and Accountability Act
In this installment, Sean Baird examines the similarities and differences in the requirements for the collection, use and protection of information subject to the U.S. Health Insurance Portability and Accountability Act, and the treatment of health information as “sensitive personal data” under the GDPR, including “data concerning health” — namely the scope of information covered, the entities covered and the permissible uses of the covered data.
GDPR matchup: US state data breach laws
In this installment, Alex Reynolds, CIPP/US, explains the relationship between U.S. state data breach laws and the GDPR’s breach provisions, Articles 33 and 34.