The protection of personal data is becoming an increasingly important topic in a globalized world. As part of a project with an American client, one of our tasks was to do research on the topic of Personal Data Protection in Non-EU Countries.
During the research, we identified the differences and similarities between those laws and the Regulation on the protection of personal data that applies in the European Union.
Although the European Union has one of the strictest data protection laws (GDPR), many countries outside the European Union have also adopted similar laws to protect the privacy of their citizens.
We will provide some examples of key provisions from the laws in the United Kingdom, California (USA) and South Korea that differ from the EU GDPR.
United Kingdom
After Brexit, the UK has retained many of the provisions of the GDPR through the UK GDPR, which is almost identical to the EU GDPR but with adjustments to match the UK legislative framework. The Personal Data Protection Act entered into force on May 25, 2018. The last amendment was made on 1 January 2021, through regulations issued under the Law on Withdrawal from the European Union.
Examples of key provisions that differ from the EU GDPR:
Data subject rights: The right to access, rectification, erasure, and data portability.
International data transfers: Transfers of personal data outside the UK require appropriate safeguards, such as standard contractual clauses or adequacy decisions. International data transfers may be permitted for important reasons of public interest.
Exemptions: the possibility to grant exemptions from restrictions and to adjust how the rules of the UK GDPR are applied.
Fines: Serious breaches of data protection principles can be fined up to £17.5 million or 4% of annual turnover worldwide, whichever is higher.
Age of consent: The minimum age at which a person can consent to the processing of their data is 13 years old.
California (USA)
California is a leader in privacy protection in the United States. The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and is further strengthened by the California Privacy Rights Act (CPRA), which went into effect on January 1, 2023, and applies to all organizations that collect data from California residents.
Examples of key provisions that differ from the EU GDPR:
Consumer rights: the right to access, delete, opt out, rectify and restrict the sale of personal data.
Notices and transparency: Organisations are obliged to inform consumers about the collection and use of their data and to give them the option to opt out of the sale of their personal data at a later date.
Legal basis for the processing of personal data: No specific legal basis is required; instead, the law provides exceptions and allows the use of personal data for business and commercial purposes.
Fines: Fines can be up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation. Consumers also have the right to claim damages of $100 to $750 per incident or their actual damages, whichever is greater, or to seek injunctive relief.
South Korea
South Korea has one of the strictest data protection laws in Asia, known as the Personal Information Protection Act (PIPA). PIPA was first adopted in 2011 and was significantly revised in 2020 and 2023 to align with international standards.
Examples of key provisions that differ from the EU GDPR:
Data subject rights: the right to access, rectification, exclusion from automated decision-making and deletion of personal data.
Obligations of the controller: Controllers are obliged to notify data subjects of a breach without delay, before informing the relevant authority.
International data transfers: The transfer of personal data outside of South Korea requires appropriate safeguards, such as standard contractual clauses or adequacy decisions.
Penalties: Penalties can be up to KRW 3 billion (approximately USD 2.2 million) or 3% of the organization’s annual revenue, whichever is greater.
Harmonization with the Personal Data Protection Act, regardless of the country in question, requires several mandatory documents that ensure transparency and accountability in the processing of personal data.
Each of the countries mentioned above shares similarities with the GDPR in the EU, but with certain adjustments and specific requirements.
For more information on this topic, please contact us at sales@boost.hr