One world, one internet – many laws. Given the furore over the EU-US Privacy Shield and the GDPR, you could be forgiven for thinking that data protection and privacy is something for the Atlantic power blocs to sort out, with every other country following suit. That's not the case.
"Internet communication has made the whole discussion on data privacy a global interest," says Lillian Pang, Senior Director, Legal, Rackspace. "Data privacy is no longer a local discussion."
Some of the very same emerging economies constantly being talked about as 'tomorrow's markets' (so of critical interest to all international and web-based tech and IT businesses) are legislating around data privacy in drastically different ways. "Rules and regulations vary widely geographically," says Robert Stroud, Director on ISACA's board and Principal Analyst, Forrester Research. "There are no consistent guidelines and rules … even neighbouring legislative regions have different policies."
Who are the world leaders in data privacy?
The European Union's negotiations with the US in recent years have seen the continent of Europe painted as the bulwark of data privacy laws. "It just happens that because of the developed markets in the EU, which has the most progressive laws on data protection globally, and the US, which has the vast majority of the technology industry benefiting from the creation of data, that the data flow between them is particularly under scrutiny," says Ross Woodham, Director, Legal Affairs and Privacy, Cogeco Peer 1.
Europe definitely sets the tone, but it's important to remember that the bloc has defined its reaction to data privacy in relation to the US. That's not an exclusive standpoint.
For example, Canada's Digital Privacy Act came into force in 2015 to help guard Canadians' private data stored by US-based services like Facebook, Gmail, Twitter and YouTube, though individual provinces in Canada do have their own requirements.
"Canada and Europe tend to lead the world in terms of legislating personal data," says Pang, but the rest of the world is catching up fast, though hugely unevenly. "Many countries outside of the EU have enacted data protection laws in recent years, including Malaysia, South Korea, Singapore, and Turkey," says Janine Regan, Associate at Charles Russell Speechlys. "Many of these laws are very similar to the EU Data Protection Directive, although these jurisdictions often carry incredibly heavy sanctions for non-compliance – including prison sentences."
However, the European Commission thinks only Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay offer EU citizens adequate protection.
What about Asia?
Some areas of the world have modelled their response to data privacy on the EU's battle with the US, and that certainly applies to Asia, which goes straight to the top of the list of concerns for the IT and tech industry. After all, around 28% of the world's middle class already lives in Asia, and that's about to double in just the next 14 years. That's a huge global demographic shift.
In recent years, several Asian countries have undergone a major change in data privacy regulation, and that's mostly due to the Asia-Pacific Economic Co-Operation (APEC) Privacy Framework. "APEC agreed on a privacy framework in 2005," explains Malcolm Harkins, Global CISO from Cylance. "Early leaders in Asia Pacific data protection were Australia, New Zealand, and Hong Kong, all of which passed strong data privacy laws in the 1990s."
More recently, China, Taiwan, South Korea, Malaysia, Singapore, and the Philippines have passed comprehensive legislation of their own. "The APEC Privacy Framework has provided some rough signposts for a common approach to principle-based regulation, but priorities for policymaking and enforcement vary significantly by jurisdiction," says Bill Stroud, principal engineer at Covata.
However, there are efforts to harmonise Asia and the EU. "The WP29 is in talks with Asia to see how they can work together to make these two labels become mutually recognised," says Elodie Dowling, VP, EMEA general counsel, BMC Software. Still, no harmonisation has happened thus far.