As many will already know, the EU’s General Data Protection Regulation (GDPR) has a global effect if certain criteria are met – e.g., if an organisation is processing the personal data of people in the EU in relation to offering goods and services to EU data subjects, then, regardless of whether that company has an establishment in the EU or not, GDPR compliance is necessary for that processing. But, in this scenario, the GDPR only protects the data of those people in the EU. Accordingly, many states around the world have passed national data protection laws to protect the personal data of people in their own countries. Some of these local laws provide standards of safeguards, on matters such as lawfulness and fairness of processing, transparency, storage limitation and data security which match or even exceed those of the principles and other provisions of the GDPR.
A further incentive for states to pass domestic data protection legislation which clears the benchmark of the GDPR is that this will greatly assist such nations in obtaining what is known as an ‘adequacy decision’ from the European Commission. An ‘adequacy decision’ is the formal assessment of the Commission that the data protection regime of a third country (i.e., one outside the EU) affords essentially equivalent protection to people’s data as that provided within the EU. If a third country receives an adequacy decision, then businesses in the EU can make international transfers of personal data to such countries without first applying any additional contractual or legal safeguard mechanisms to the transfer.* This saves considerable administrative costs for the entity sending the data out of the EU (the data exporter) and the overseas recipient of it (data importer). An adequacy decision from the EU is, therefore, a valued asset for many nations. Currently, there are 15 countries or territories which have been awarded adequacy decisions by the European Commission, including the UK. Following Brexit, the UK government has its own separate power to grant adequacy findings. The UK’s list of adequate countries or territories is all the EEA states plus the same 14 as on the EU’s. These are: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan (private sector organisations only), Jersey, New Zealand, Republic of Korea, Switzerland, the USA (commercial organisations participating in the UK-US Data Bridge) and Uruguay.
Two countries – one in South America, the other in Asia – have recently passed national data protection laws protecting their own citizens. However, while one is probably fully GDPR compliant, and therefore likely to result in a finding of adequacy by the European Commission for the country in question at some point in the future, the other almost certainly will not facilitate an adequacy decision from the Commission.
*To learn more about how to perform international transfers of personal data in compliance with the GDPR, see our blog on Conducting Data Transfer Impact Assessments (DTIAs).
Chile’s Personal Data Protection Law 2024
The first of these new laws is the ‘Personal Data Protection Law’ (PDPL), adopted by the Chilean government on 26 August 2024. Although Chile already had data protection legislation dating back to 1999, the PDPL is a gamechanger because it, for the first time, explicitly aligns Chile’s data protection regulatory framework with the GDPR. For example, the PDPL mandates the use of appropriate risk mitigation measures, such as anonymisation and pseudonymisation of data, also favoured by the Regulation.
Like the GDPR, the PDPL also contains purpose limitation provisions and requirements for secure processing. The PDPL mirrors the GDPR’s robust suite of data subject rights, such as an individual’s right to access their personal information, keep it accurate and up to date, or have it deleted when it is no longer needed/justified. Importantly, from a data adequacy point of view, the new law also requires that where cross-border transfers of data are made from Chile, the importer country must provide an adequate level of data protection, or one of a range of derogations set out in the PDPL must apply (e.g., the data subjects have consented to the overseas sharing). The law also establishes Chile’s first national data protection authority, the Personal Data Protection Agency. The new regulator will monitor compliance with the PDPL and apply sanctions for breaches, including fines at potentially high levels.
India’s Digital Personal Data Protection Act 2023
The other new law is the Indian Digital Personal Data Protection Act 2023 (DPDPA). The DPDPA received presidential assent on 11 August 2023, and is due to come into force on notification by the Indian government (different parts of the Act may be notified on different dates by the government). It is expected that the DPDPA will come into effect sometime later this year, as in the 2024 Budget the government allocated 20m rupees to set up the new Indian data protection authority, the Data Protection Board, to start applying the Act in the 2025 Financial Year (but only in adjudication of complaints and for breach reporting purposes – all powers under the DPDPA, e.g., to impose heavy fines, lie with the government). Government-produced Rules on implementing the DPDPA are due to be issued for public consultation imminently.
Although there were data protection provisions contained in previous legislation from 2000 and 2011, the DPDPA is the first standalone, comprehensive data protection law in India. The Act applies to the processing of digital personal data within the territory of India collected in digital form, or manually and later digitised. Personal data is defined as any data in digital form about an individual who is identifiable by or in relation to such data. In an interesting and significant exclusion, the DPDPA does not cover personal data made publicly available either by the data principals themselves or by any other person due to a legal obligation. The Act also does not classify different forms of personal data based on their level of sensitivity (unlike the GDPR’s ‘special category’ data, for example).
The DPDPA introduces data subject rights such as rights to access, rectification and erasure, and obligations on data processors. It has extra-territorial application (i.e., outside India) where processing is in connection with any activity that relates to the offering of goods or services to the data subject (called the ‘data principal’ in the Act) within India.
Data controllers are known as ‘data fiduciaries’. A data processor on behalf of a data fiduciary may process the data principal’s personal data for a lawful purpose, subject to the consent (gathered to GDPR standard) of the data principal, or if the processing is for a legitimate use.
The Act provides for a special type of data fiduciary – ‘significant data fiduciaries’ (SDFs). SDFs are assessed based on a number of factors, including: they process personal data of a sensitive nature or at a higher volume than ordinary data fiduciaries; their processing may potentially impact the sovereignty and integrity of India; or it may pose a risk to electoral democracy and the security of the state. SDFs are required to appoint a data protection officer (DPO) and conduct periodic data protection impact assessments (DPIAs) and audits. The government may designate any individual data fiduciary, or class of data fiduciaries, as an SDF.
International transfers of data from India may be subject to sector-specific and/or country-specific restrictions under the Act. The government will maintain a ‘negative list’ of importer countries to which data flows are blocked. The conditions for barring a country from receiving Indian people’s data will be specified in the Rules when these are published.
Adequacy Decisions for Chile vs India
As may be seen, there is some overlap between the DPDPA and the GDPR (although not as much as in the case of the Chilean PDPL). However, the Indian law rather counterintuitively does not apply to the processing of foreign people’s personal data in India, so it is highly unlikely that the DPDPA will enable the Asian country to meet the requirements for achieving an adequacy decision. Other key concerns which the European Parliament had about the Act include the interference of Indian intelligence services through digital surveillance and the national parliament’s apparent lack of control over the intelligence services’ actions.
The Chilean law does not come into force for two years, and the adequacy decision granting process can itself take a number of years, so it may be the end of the decade before Chile attains the all-important adequacy status which will allow transfers of EU personal data to it unhindered. It will be interesting to see what action the Commission takes, if any, regarding re-evaluating India’s adequacy position in the light of the introduction of the DPDPA.
If you or your business would like specific advice or guidance on sending personal data outside of the UK or EU lawfully and safely, please contact URM and ask to speak to one of our specialist data protection consultants, who are all knowledgeable on international data transfers.
How URM can help
Consultancy
In an increasingly globalised business landscape, working with organisations in other countries is a fundamental aspect of day-to-day operations for many organisations. However, remaining compliant with the GDPR when transferring personal data to states that are not within the GDPR’s jurisdiction can be challenging and onerous. With nearly two decades of experience assisting organisations to meet the requirements of data protection legislation, URM is ideally positioned to help your organisation send personal data outside of the UK and EU lawfully and safely with our GDPR consultancy services. Our team of GDPR consultants has comprehensive knowledge and extensive experience of each stage of a GDPR-compliant international data transfer; they are, for example, adept at conducting data transfer impact assessments (DTIAs). Or, to expand your own understanding, we regularly run a ‘Conducting Data Transfer Impact Assessments (DTIAs)’ training course, where you will be taught how to perform this vital compliance activity by a qualified data protection practitioner.
However, URM’s GDPR consultancy offering extends far beyond international data transfers. To establish your current level of compliance, we can conduct a gap analysis of your processing practices, and help you develop your record of processing activities (ROPA), which is not only mandatory for almost every organisation under the GDPR, but also assists you in identifying any high-risk processing. Other compliance activities our consultants can help you perform include data protection impact assessments (DPIAs) and responding to data subject access requests (DSARs). With the latter, it can sometimes be challenging to identify all the information that requires redaction before the DSAR is fulfilled; our team can identify the applicable legal exemptions and apply the necessary redactions so the data subject only receives information they have a right to see. For ongoing support, we offer a virtual data protection office (vDPO) service, which provides you with access to an entire team of data protection practitioners who can offer compliance guidance and support on a fully flexible basis.
Data protection training
As well as our DTIA course, URM runs a number of other data protection-related training courses. To gain an industry-recognised data protection certification, we regularly deliver a BCS Foundation Certificate in Data Protection (CDP) course, which will fully prepare you to take the BCS invigilated exam. Meanwhile, our courses on conducting DPIAs, and on responding to DSARs, will expand your professional skillset and teach you how to complete these key compliance activities.