Cross-Border Data Protection: Beyond the GDPR
In recent years, cross-border data protection laws have sprung up to guarantee the safe movement of personal data around the world. Data protection and privacy laws now exist in over 130 countries.
The best known of these laws is the European Union’s General Data Protection Regulation (GDPR). But many other countries have also implemented their own standards and regulations, including:
- Brazil’s General Data Protection Law (LGPD)
- India’s Digital Personal Data Protection Act (still a draft bill)
- Japan’s Act on the Protection of Personal Information (APPI)
- South Africa’s Protection of Personal Information Act (PoPIA)
- South Korea’s Personal Information Protection Act (PIPA)
Some international organizations have also released data privacy guidelines for their member states. For example, the Organization for Economic Co-operation and Development (OECD), the Asia-Pacific Economic Cooperation (APEC), and the African Union have all designed privacy frameworks to protect citizens’ personal data.
In this post, we’ll cover five major cross-border data protection laws outside of the GDPR. We’ll also suggest a way to improve your data protection — wherever in the world your company is.
Cross-border data protection: an overview
Generally speaking, the goal of a good cross-border data protection law is to protect the personal data of citizens, residents, and visitors from cyberattacks and unlawful processing — while simultaneously not restricting global commerce and communication. The Global Data Alliance suggests that “Governments should work toward legal frameworks that support a cross-border digital environment that is both open and secure, where cross-border data transfers enhance online security and privacy, so that everyone can engage in remote interactions without fear of compromise.”
The Global Privacy Assembly, the international forum of data protection and privacy authorities (formerly the International Conference of Data Protection and Privacy Commissioners), notes that, although the mechanisms used to achieve data protection vary widely, there are strong philosophical similarities among many cross-border data frameworks. Most organizations will need to take similar steps to ensure compliance, among them:
- Determine their individual data protection responsibilities.
- Review their data retention policies.
- Draft binding corporate rules or data processing agreements as necessary.
- Receive the clear, informed consent of data subjects.
- Report data breaches to the relevant government agency.
- Implement strong data security safeguards.
Brazil: The General Data Protection Law
Brazil’s General Data Protection Law (LGPD), enacted in 2018 and in force since September 2020, applies to any processing of personal data that is carried out in Brazil, that concerns data collected in Brazil, or that is aimed at offering goods or services to individuals located in Brazil, regardless of where the processing organization is headquartered.
With 65 articles, the LGPD legally defines the concepts of personal data and sensitive personal data. It also outlines the conditions under which data can be collected, processed, and stored, and it explains the rights of data subjects, including the right to:
- Confirm whether their personal data is being processed.
- Access their own personal data.
- Delete their own personal data.
- Correct incomplete or incorrect personal data.
- Receive information about how their personal data has been shared.
- Withdraw consent to process their personal data.
To maintain compliance with the LGPD, organizations processing personal data in Brazil must perform data protection impact assessments when required, apply the principle of privacy-by-design, and maintain records of processing activities. They must also report security incidents that may cause significant risk or harm to the National Data Protection Authority (ANPD) and to the affected data subjects, and adopt technical and administrative safeguards for personal data. Failure to comply with the LGPD can bring a fine of up to 2% of a company’s revenue in Brazil for the preceding fiscal year, capped at 50 million reais (over $9 million USD) per infraction.
India: The Digital Personal Data Protection Act
Still a draft bill at the time of writing, India’s Digital Personal Data Protection Act would regulate the processing of digital personal data. Compliance would be overseen by a Data Protection Board, and the bill provides for penalties of up to 5 billion rupees (over $61 million) per breach if passed.
Like the GDPR and California’s CCPA (California Consumer Privacy Act), India’s bill would have extraterritorial reach: it would apply to entities operating in India and to entities outside India that process personal data in connection with offering goods or services to people in India. The bill would also prohibit companies from retaining personal data indefinitely by default, requiring erasure once the purpose of collection has been served, and would restrict use of personal data to the purpose for which it was collected.
Japan: The Act on the Protection of Personal Information
First enacted in 2003 and substantially amended in 2015 and 2020, Japan’s Act on the Protection of Personal Information (APPI) applies to any business operator that obtains and handles the personal information of individuals in Japan, including operators located abroad. The 2015 amendments created the Personal Information Protection Commission (PPC), an independent regulator charged with protecting individuals and their personal data; the 2020 amendments, in force since April 2022, strengthened individual rights and introduced mandatory breach reporting.
The APPI has several key components that are similar to the GDPR and other cross-border data regulations. Thanks to these similarities, Japan became the first country to receive an adequacy decision adopted by the European Commission (EC) under the GDPR (January 2019), which allows personal data to flow from the EEA to Japan without additional transfer mechanisms. Under the act’s rules, business operators are required to:
- Comply with a mandatory data breach notification policy, reporting any breaches to both the PPC and the affected data subjects.
- Take necessary and appropriate security measures for personal data, covering technical, organizational, and physical safeguards.
- Obtain the data subject’s consent before providing personal data to a third party, unless a statutory exception applies.
- Promptly handle data subjects’ requests.
South Africa: The Protection of Personal Information Act
Signed into law in 2013, in force since July 2020 and fully enforceable after a one-year grace period ending in July 2021, the Protection of Personal Information Act (PoPIA) shares features with several other major cross-border data regulations. The act established an independent government agency, the Information Regulator, to monitor and enforce compliance.
Among the core obligations of the PoPIA:
- Organizations must implement appropriate, reasonable technical and organizational security safeguards for personal information.
- Organizations must appoint an Information Officer responsible for compliance.
- Organizations must notify both the affected individuals and the Information Regulator of security compromises involving personal information.
- With a few exceptions, personal information may only be processed with the consent of the data subject.
- Cross-border transfers of personal information and direct marketing are restricted.
- Organizations that fail to comply may be fined up to ZAR 10 million (approximately $580,000 USD) and may also face civil or criminal liability.
South Korea: The Personal Information Protection Act
Enacted in 2011 and substantially amended in 2020, South Korea’s Personal Information Protection Act (PIPA) is a strict and actively enforced privacy regime. Like other cross-border data protection laws, it emphasizes data subject consent and backs its obligations with heavy fines for noncompliance.
The 2020 amendments consolidated enforcement under the Personal Information Protection Commission (PIPC), an independent central regulator for data processing in South Korea. In September 2022 the commission fined Google 69.2 billion KRW (about $50 million) and Meta 30.8 billion KRW (about $22 million) for collecting and using users’ behavioral data without valid consent.
Stronger cross-border data protection with ShardSecure
Data is king. But maintaining compliance with the growing number of laws regulating that data is challenging.
ShardSecure’s Microshard™ technology supports cross-border regulatory compliance with advanced data protection and privacy. It splits data into very small microshards and distributes those microshards across multiple storage locations, making sensitive personal data unintelligible to unauthorized users.
Companies stay in control of their own data and choose the providers, geographic locations, and jurisdictions used for storage. Self-healing data also helps protect against cross-border cybercrime: the contents of an affected storage location are reconstructed after an attack or outage, including attacks and outages originating in other countries.
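To make the two properties claimed above concrete (no single storage location exposes the data, and a lost location can be rebuilt from the others), here is an added illustration using Shamir’s secret sharing over GF(2^8). It is example code written for this page, not ShardSecure’s Microshard implementation, whose internals the page does not describe; the sample record, the field names, and the storage-location names are constructed for the example.

```python
import secrets

# Constructed sample record and hypothetical storage locations (assumptions for this example).
SAMPLE_RECORD = b"name=Ana Souza;cpf=123.456.789-00;email=ana@example.com"
LOCATIONS = ["sa-east-1", "eu-west-1", "ap-northeast-1"]


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse of a non-zero byte: a^254 == a^-1 because a^255 == 1."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def interpolate(points: list[tuple[int, int]], at: int = 0) -> int:
    """Evaluate, at x=`at`, the unique polynomial through the given (x, y) points (Lagrange form).
    In characteristic 2 subtraction is XOR, so (at - xj) is written at ^ xj."""
    value = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, at ^ xj)
                den = gf_mul(den, xi ^ xj)
        value ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return value


def split_byte(secret: int, k: int, n: int) -> list[int]:
    """Shamir split of one byte: a random degree-(k-1) polynomial with f(0)=secret, evaluated at x=1..n."""
    coeffs = [secret] + [secrets.randbelow(256) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule
            y = gf_mul(y, x) ^ c
        shares.append(y)
    return shares


def shard(data: bytes, k: int, locations: list[str] = LOCATIONS) -> dict[str, bytes]:
    """Split `data` across len(locations) stores so that any k of them rebuild it
    and any k-1 of them carry no information about any byte."""
    n = len(locations)
    if not 1 < k <= n <= 255:
        raise ValueError("need 1 < k <= n <= 255")
    per_byte = [split_byte(b, k, n) for b in data]
    return {loc: bytes(shares[i] for shares in per_byte) for i, loc in enumerate(locations)}


def _points(shards: dict[str, bytes], locations: list[str], k: int) -> list[list[tuple[int, int]]]:
    """Turn k surviving (location -> blob) entries into a per-byte list of (x, y) points."""
    chosen = [(locations.index(loc) + 1, blob) for loc, blob in shards.items()][:k]
    if len(chosen) < k:
        raise ValueError(f"{len(chosen)} shard(s) available, {k} required")
    length = len(chosen[0][1])
    return [[(x, blob[i]) for x, blob in chosen] for i in range(length)]


def reassemble(shards: dict[str, bytes], k: int, locations: list[str] = LOCATIONS) -> bytes:
    """Rebuild the original data from any k surviving locations."""
    return bytes(interpolate(pts, 0) for pts in _points(shards, locations, k))


def regenerate_shard(shards: dict[str, bytes], lost: str, k: int,
                     locations: list[str] = LOCATIONS) -> bytes:
    """Recreate the shard held by a lost location from k survivors by interpolating at its x,
    without ever materialising the plaintext (the 'self-healing' case)."""
    x_lost = locations.index(lost) + 1
    survivors = {loc: blob for loc, blob in shards.items() if loc != lost}
    return bytes(interpolate(pts, x_lost) for pts in _points(survivors, locations, k))
```

With k=2 and three locations, any single store holds bytes that are uniformly random on their own, while any two stores rebuild the record and can regenerate the third store’s shard after an outage. Two caveats a practitioner should keep in mind: the scheme hides content but not length (each shard is as long as the record), and whether a shard held in a given jurisdiction still counts as personal data under that jurisdiction’s law is a legal determination that the cryptographic property informs but does not settle.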
For more information about microsharding — including how we help ease the burden of compliance with the GDPR and Schrems II — check out our FAQs and white papers.