Since the GDPR passed in 2018, we have seen an ongoing worldwide ripple effect, as other jurisdictions have begun passing their own data protection laws that mirror, or in many respects comply with GDPR requirements. Here are a few such new or upcoming laws worth noting:
Brazil – General Data Protection Law (LGPD) (Law No. 13,709/2018) – Approved in August 2018, the law originally was supposed to take effect on August 15, 2020. However, due to COVID-19 concerns, the majority of the law will not go into effect until May 2021, with the enforcement of sanctions beginning August 1, 2021. Similar in many respects to the GDPR, the LGPD is Brazil’s first comprehensive data protection law bringing clarification and consolidation to data protection requirements spread across a variety of Brazilian laws and regulations. It has the stated purpose of safeguarding “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”
This law sets forth the rights of data subjects and covers many of the same issues covered in the GDPR, including setting up an enforcement authority and penalties for those who don’t comply.
The LGPD broadly applies to natural persons as well as legal entities (including any public or private business or organization) that process personal data of people in Brazil, even if the processing entity is based outside of Brazil.
Link to the law (English version): https://www.lgpdbrasil.com.br/wp-content/uploads/2019/06/LGPD-english-version.pdf
Dubai International Financial Centre (DIFC) – Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020: In effect on July 1, 2020, this law replaces DIFC Law No. 1 of 2007. Due to COVID-19 considerations, it grants a three-month grace period for companies to start complying by October 1, 2020. This law (and its accompanying regulations) is intended to help make sure the DIFC, which is a major financial hub in the Middle East, Africa, and South Asia, stays up-to-date with data protection best practices. It incorporates various provisions from the GDPR and the CCPA (California Consumer Privacy Act) to achieve this objective. This new law also helps ensure the DIFC has adequate data protection in place to receive “adequacy” recognition from the UK and European Commission, which eases compliance requirements for personal data being transferred to the DIFC.
Among other things the law beefs up the accountability of data controllers and processors, clarifies enhanced rights of individuals, removes permit options for cross-border data transfer and special category personal data processing, allows data sharing between government authorities, and introduces new penalties and fines.
The law applies to companies both incorporated in the DIFC, and those incorporated elsewhere who process personal data in the DIFC as a part of “stable arrangements.”
Link to the enacted law: https://www.difc.ae/files/6115/9358/6486/Data_Protection_Law_DIFC_Law_No.5_of_2020.pdf
Egypt – Personal Data Protection Law (“PDPL”): Passed on July 13, 2020, this law comes into effect on October 14, 2020, with its attached Executive Regulations expected to follow in April 2021. Largely modeled off the GDPR, the PDPL aims to “keep pace with the current international standard for the protection of personal data”, as stated in its preamble. It aims specifically to protect online or electronically processed personal data of persons/consumers. This law is a major development in Egypt’s data protection framework, as prior to its passage, Egypt had no specific legislation regulating the protection of personal data.
Taking cues from the GDPR, the PDPL law introduces a number of compliance requirements and penalty provisions for data processors and controllers, with respect to any personal data or “sensitive” data processed. It prohibits processing personal data except with the consent of the data subject or where otherwise permitted by law. It sets forth various rights of data subjects. It also appoints a data protection authority and implements significant sanctions for non-compliance.
The PDPL applies to Egyptian citizens and non-Egyptian citizens who reside in Egypt.
Link to the law (in Arabic): https://www.cc.gov.eg/i/l/404171.pdf
Thailand – Personal Data Protection Act (PDPA) B.E. 2562: This law was passed on May 28, 2019, but has granted deferred compliance for certain data controllers (as enumerated in the Royal Decree on Agencies and Business Not Subject to the PDPA B.E. 2563) until May 31, 2021, giving organizations another year to come into compliance with the law. The law aims to protect data owners (similar to “data subjects” referred to in the GDPR) in Thailand and applies to data processors located both inside and outside of Thailand, that process personal data of individuals in Thailand.
Most provisions in the PDPA are similar to GDPR requirements. It includes various requirements such as setting forth lawful purposes for the processing of personal data, rights of data owners, obligations of data controllers, restrictions on cross border data transfer, breach notification requirements, and penalties for non-compliance. The PDPA also sets up a Personal Data Protection Committee (PDPC) to enforce and provide guidance for the PDPA.
Link to the law: https://www.etda.or.th/app/webroot/content_files/13/files/The%20Personal%20Data%20Protection%20Act.pdf
Contact Zasio today to see how our host of software solutions and consulting services can help you stay compliant with your data retention policies and practices.