



1. EU


The General Data Protection Regulation (GDPR) is a personal information protection act that applies to the EU member states. The history of the GDPR can be considered to begin with the Data Protection Directive (DPD 95/46 EC), adopted and enforced on October 24, 1995. Since the DPD required implementing legislation by each member state, the level of regulation differed between the member states.


The DPD consists of 72 recitals and 34 articles across 7 chapters. In 2012, the EU countries began to discuss legal amendments that take the Internet technology environment into account. After four years of discussion, they adopted the new General Data Protection Regulation (GDPR) on May 24, 2015, and the GDPR took effect on May 25, 2016.


The GDPR is composed of 11 chapters, 173 recitals, and 99 articles, focusing on the rights of data subjects and the strengthening of corporate responsibilities. The GDPR applies not only to enterprises doing business in the EU but also to enterprises outside the EU that process the personal information of residents of the EU member states through e-commerce, etc. It stipulates that an administrative fine is imposed in case of an infringement. General infringements are subject to administrative fines of up to EUR 10 million (approx. KRW 12.5 billion) or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Significant infringements are subject to administrative fines of up to EUR 20 million (approx. KRW 25 billion) or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.




2. The United States of America


The Privacy Act of 1974, amended in 1974, is one of the first national laws to regulate the federal government's processing of personal information. However, the personal information protection system of the U.S. is based on self-regulation. There is no comprehensive act encompassing both the public and private sectors like the GDPR of the EU or the Personal Information Protection Act of the Republic of Korea. Federal law consists of sector-specific personal information protection laws covering fields such as the public sector, finance, communications, education, medical care, video surveillance, and employee information. In addition, each state has its own privacy protection laws.


Federal law takes the form of individual statutes that specify personal information protection, divided into the public sector and the private sector. In the public sector, the Federal Privacy Act (1974), which governs personal information held by federal agencies, serves as the general law.


In the private sector, individual laws are enacted whenever the need arises in a given field, such as finance or ICT. The Federal Trade Commission (FTC) investigates incidents related to the public interest, prevents monopolies, and protects consumers (including their personal information) based on the Federal Trade Commission Act (2006), much like the Korea Consumer Agency, the Korea Fair Trade Commission, and the Consumer Dispute Mediation Commission.


The U.S. concentrates on private enforcement, such as damage compensation suits filed by victims and class actions, whereas the Republic of Korea focuses on public enforcement, such as penalty surcharges and criminal penalties. If a large number of consumers are harmed by a specific incident in the U.S., a class action is filed to compensate for their damage. In addition, the FTC enforces the laws, publishes research and reports, hosts educational programs and workshops, testifies before Congress, puts forward opinions on legislation, and takes part in international cooperation (EU-US Privacy Shield and APEC CBPR).


Just like the federal government, the states of the U.S. do not have general or comprehensive laws such as the GDPR of the EU or the Personal Information Protection Act of the Republic of Korea. Instead, individual personal information acts have been enacted in each field. California adopted the California Consumer Privacy Act of 2018 on June 28, 2018. This act, which stipulates consumers' personal information protection rights and business operators' duties to protect personal information, took effect in January 2020. It can be deemed America's first general law in the private sector, setting it apart from the preexisting industry-specific regulatory systems. However, since the act does not apply to those who reside outside California, it differs from the Personal Information Protection Act of the Republic of Korea and the GDPR of the EU, which also apply outside their own territories.




3. Germany


Germany amends and enforces its data protection acts at the federal and state level based on the General Data Protection Regulation (GDPR). The newly amended Bundesdatenschutzgesetz (BDSG) makes use of the opening clauses that each EU member state may adapt to its own situation in line with the enforcement of the GDPR. The new act took effect on May 25, 2018, in accordance with the GDPR, and the personal information protection acts of the individual states are being amended based on the GDPR and the new BDSG.


The BDSG is the central law of Germany's personal information protection legal system. It consists of 4 parts, 19 chapters, 2 sub-chapters, and 85 sections. Part 1 contains common provisions and Part 2 stipulates implementing provisions for the GDPR. Part 3 contains implementing provisions for Directive (EU) 2016/680 on data processing in criminal proceedings, and Part 4 stipulates special provisions for processing personal information outside the scope of both the GDPR and Directive (EU) 2016/680.


The BDSG does not apply where the GDPR applies directly. The BDSG takes precedence only in the areas the GDPR delegates to member states, including the specificity of employment relationships, the designation of a Data Protection Officer (DPO), exceptions to the purpose limitation principle, Germany's legal basis for processing sensitive personal information, and exceptional provisions related to personal information impact assessments.




4. Japan


As privacy breaches, such as leaks of personal information held by enterprises and the illegal sale and distribution of personal information, have come to light, public interest in and anxiety about personal information processing have risen. To prevent the violation of the public's rights and duties, the Act on the Protection of Personal Information was enacted in May 2003 and took effect in April 2005.


As the information society environment has changed, the allowable scope for the free utilization of personal information, the scope of personal information subject to protection, and the principles to be observed by business entities have become unclear. Consequently, there is a rising need for a system that can reassure consumers by clarifying what is protected and under which principles. Japan extensively amended and promulgated the Act on the Protection of Personal Information on September 9, 2015 in order to protect personal information and accelerate new industrial development. Individual provisions, including the establishment of the Personal Information Protection Commission (PIPC), took effect in stages from January 2016, and the amendments went fully into effect on May 30, 2017. On June 5, 2020, the National Diet of Japan made partial amendments to the Act on the Protection of Personal Information so as to give substance to the protection of data subjects' rights, strengthen the commission's right to supervise domestic and overseas business operators, and promote the use and utilization of data throughout Japan's entire economy and society. The amendments will take effect in the first half of 2022.


Major amendments include: the strengthening of data subjects' rights regarding the handling of their personal data; the strengthening of control over, and transparency in, the provision of personal data to third parties; the strengthening of the obligations of businesses handling personal data in the event of leaks, etc. of personal data; the promotion of autonomous activities by businesses handling personal data; the expansion and promotion of the safe use and utilization of personal data; the strengthening of penalty provisions for violations of the Act on the Protection of Personal Information; and the application of the Act on the Protection of Personal Information outside Japan together with the strengthening of overseas transfer regulations.


On January 23, 2019, Japan became the first country in the world to receive an adequacy decision, in which the European Commission acknowledged that the personal information protection system of Japan and the General Data Protection Regulation (GDPR) of the EU are equivalent to each other. On March 30, 2021, the Republic of Korea passed the first (initial) phase of the European Commission's adequacy decision process.




5. Singapore


In Singapore, personal data protection is handled under the Personal Data Protection Act (PDPA) and the Info-communications Media Development Act. Details are stipulated by relevant provisions, exceptional orders, and subsidiary legislation.


In Singapore, personal data means data, whether true or not, about an individual who can be identified from that data, or from that data together with other information to which the organization has or is likely to have access. In other words, all personal information is considered personal data, whether true or not and regardless of its form, such as electronic information. Unlike the Personal Information Protection Act (PIPA) of the Republic of Korea, the PDPA defines an "individual" as a natural person, whether living or deceased. Although personal information of the deceased is included in personal data, the PDPA applies to such data only in a limited way.


It is worth noting that, with regard to the collection, use, or disclosure of personal data, the PDPA does not apply to an individual acting in a personal or domestic capacity, to an employee acting in the course of employment with an organization, to public institutions, or to institutions acting on behalf of a public institution.




6. Canada


Canada does not have a framework act on personal information protection which applies to both the public and private sectors; instead, there are separate acts applying to the two different sectors.

Whereas the Privacy Act applies to the public sector, in the private sector the statutes on the collection, use, and disclosure of personal information include the Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta's Personal Information Protection Act (PIPA Alberta), British Columbia's Personal Information Protection Act (PIPA BC), and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act), which are collectively called the Canadian Privacy Statutes.


The PIPEDA governs the collection, use, disclosure, and management of provincial and international personal information. It applies to all organizations that collect, use, and disclose information for commercial activities in each province. If a province has its own act in this field, that act applies in preference and the PIPEDA is ruled out. In other words, provincial acts are recognized as special acts relative to the federal act; this includes Ontario, New Brunswick, and Newfoundland.


In Canada, personal information is defined as information about an identifiable individual. However, it does not include the names, position names or titles, work addresses, and work telephone numbers of employees of private institutions. The PIPEDA separately stipulates the concept of personal health information. Personal health information, with respect to an individual, whether living or deceased, means (a) information concerning the physical or mental health of the individual; (b) information concerning any health service provided to the individual; (c) information concerning the donation by the individual of any body part or any bodily substance of the individual, or information derived from the testing or examination of a body part or bodily substance of the individual; (d) information that is collected in the course of providing health services to the individual; or (e) information that is collected incidentally to the provision of health services to the individual.





