Key Global and Regional Data Privacy Regulations

Global data privacy regulations emphasize lawful, fair, and transparent processing, covering key regions where ValueMentor operates to ensure compliance.

Data privacy regulations worldwide aim to address customer concerns about the transparent and fair processing of personal data. Although each regulation has its own territorial applicability provisions, lawful, fair and transparent processing is one of the fundamental processing principles that most of them address.

In this article, we touch upon some of the prominent data privacy regulations globally, including those in the geographies where ValueMentor has its foothold.

EU GENERAL DATA PROTECTION REGULATION (EU GDPR)

Since it came into force in May 2018, the GDPR has been the benchmark for data protection practices. It covers the principles of processing personal data, the lawful bases of processing, the conditions of consent, the responsibilities of controllers and processors, and the rights of data subjects, among other things.

• Applicability: It applies to a controller or a processor established in the Union, regardless of whether the processing takes place in the Union or not. Beyond EU establishments, the EU GDPR covers companies outside the EU that offer goods or services to EU Data Subjects (“an identified or identifiable person to whom the ‘personal data’ relates”), even if for free, or that monitor the Data Subjects’ behavior within the EU.

• Penalty: Potential fines under the GDPR can reach €20m or 4% of global turnover, whichever is greater.


Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021 (DPR 2021)

Abu Dhabi Global Market (ADGM) enacted the Data Protection Regulations 2021 on 11 February 2021. When preparing the DPR 2021, the ADGM carried out a benchmarking study of international standards and best practice and concluded that the EU’s GDPR is the leading international standard and represents best practice for robust data protection legislation. The DPR 2021 are closely based on the GDPR, adapted to meet the needs of the ADGM.

• Applicability: The DPR 2021 applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in ADGM, regardless of whether the processing takes place in ADGM or not.” The location and nationality of the data subjects whose data is being processed are not relevant to the question of whether the DPR 2021 apply to any processing activity.

• Penalty: A controller or processor can attract monetary penalties of up to $28,000,000 for intentional or negligent contravention of the provisions of the DPR 2021.

Personal Data Protection Law, Federal Decree Law No. 45 of 2021 (UAE PDPL)

The UAE PDPL constitutes an integrated framework to ensure the confidentiality of information and protect the privacy of individuals in the UAE. It provides proper governance for data management and protection and defines the rights and duties of all parties concerned.

The law defines the controls for the processing of personal data and the general obligations of companies that hold personal data to secure it and maintain its confidentiality and privacy. It prohibits the processing of personal data without the consent of its owner, except in some cases where the processing is necessary to protect a public interest or to carry out any of the legal procedures and rights.

• Applicability: The provisions of this Decree Law shall apply to the Processing of Personal Data, whether totally or partially, through automatically operated electronic systems or other means, by:

1. any Data Subject who resides or has a place of business in the State (UAE)
2. any Controller or Processor located in the State who carries out the activities of Processing Personal Data of Data Subjects inside or outside the State
3. any Controller or Processor located outside the State who carries out the activities of Processing Personal Data of Data Subjects inside the State.

• Penalty: Administrative penalties are not out yet.


Indian Digital Personal Data Protection Act, 2023 (DPDP 2023)

The DPDP Act, 2023 was enacted on 11 August 2023. The Act regulates the governance of personal data collected by organisations and aims at protecting individuals’ privacy by empowering them with rights over the way their data is processed.

• Applicability: The Act applies:

1. Within the Indian territory: to the processing of digital personal data within the territory of India, where the personal data is collected in:
   a. digital form; or
   b. non-digital form and digitised subsequently.
2. Outside the Indian territory: to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to data principals within the territory of India.

• Penalty: The Indian Data Protection Board has the power to issue penalties up to INR 250 crore.


Saudi Arabia Personal Data Protection Law

The Kingdom of Saudi Arabia enacted the Personal Data Protection Law (“PDPL”) on 14 September 2023. The PDPL aims to ensure the confidentiality of information and protect the privacy of individuals.

• Applicability: The PDPL provides that it shall be applicable to the processing of personal data by companies or public entities where the processing:

1. takes place in the Kingdom of Saudi Arabia; or
2. relates to the personal data of residents of the Kingdom by companies located outside the Kingdom.

• Penalty: For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million.
