Marsh & McLennan Advantage Insights logo
Conversations and insights from the edge of global business
Menu Search

BRINK News is transitioning to This Moment platform on as of March 31, 2023. Read the update here.

In Practice

The Great Matchup: EU’s Data Law vs. the World

The European Union’s General Data Protection Regulation (GDPR) will coexist with a multitude of similar laws enacted across the globe. Businesses must now figure out how to navigate the new EU regulation vis-à-vis the laws in their home countries. Here’s a broad overview of various laws from around the world and how they match up to the GDPR, summarized from a series of in-depth articles written by members of the International Association of Privacy Professionals. 

GDPR Matchup: (U.S.) The Children’s Online Privacy Protection Act

While the GDPR isn’t focused solely on the protection of children’s data, it does have provisions that address that concern. Despite the lack of a singular focus on children’s data, the GDPR holds up against laws and regulations dedicated entirely to those ends, such as the U.S.’s Children’s Online Privacy Protection Act of 1998 (COPPA).

The two laws have fundamentally different goals. The GDPR establishes standards for data protection for all humans. In certain areas, the GDPR makes no distinction between adults and children. COPPA, on the other hand, focuses entirely on children’s data and has a more aggressive mandate of prohibiting “unfair or deceptive acts or practices in connection with the collection, use and/or disclosure of personal information from and about children on the internet,” according to the text of the law.

One of the biggest differences between GDPR and COPPA is in how the two define age of consent. GDPR uses a range—from 13 to 16 years old—to accommodate its member states. COPPA, on the other hand, sets a specific age: 13 years old. COPPA also provides more stringent guidelines regarding parental consent than GDPR. This distinction can be subverted by individual member states: If Germany, the most populous EU member state, sets an age of consent of 16 years old, other member states may be forced to comply.

As such, “the two methods of addressing children’s data may not produce as varied results as one might think,” wrote Ms. Tay Nguyen, a law student at Santa Clara University. “Both the GDPR and COPPA, at their core, provide a baseline for the protection of children’s data.”

For a more in-depth assessment of this regulatory matchup, click here.

GDPR Matchup: (Canada) Personal Information Protection and Electronic Documents Act

Currently, Canadian companies abide by the standards set by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). If these companies intend to handle the data of European Union citizens, they will have to adapt to different standards across five key areas:

  • Consent: Under PIPEDA, consent is required for the collection or use of personal data. The GDPR’s standards are more relaxed and allow companies to collect data on the basis of “the performance of a contract,” “compliance with a legal obligation” or “legitimate interests.”
  • Data portability: Both PIPEDA and the GDPR give individuals the right to access and view any personal data an organization may have about them. The GDPR additionally stipulates that individuals have a right to receive their data “in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller,” which is known as data portability. This standard will likely be difficult to comply with—given the need to format data for broad usability—but it gives users “unprecedented control over their personal information,” wrote Mr. Timothy M. Banks, a partner at Dentons Canada.
  • Right to erasure: Both PIPEDA and the GDPR include basic provisions ensuring the “right to be forgotten,” meaning that organizations can be compelled to delete personal data on a user if, for example, the data is no longer necessary for the purpose for which it was collected. The GDPR version of this provision is more stringent than the one in PIPEDA.
  • Data breach reporting: While PIPEDA doesn’t have any data breach policies on the books now, new provisions should come into effect within the next year, putting PIPEDA roughly on par with the GDPR’s data breach regulations. The differences will be minimal: The GDPR has a broader definition of a “data breach” and has a faster timeframe for reporting such breaches.
  • Employee data: Many organizations have begun storing employee data for HR purposes; however, PIPEDA does not regulate the collection of this data outside of federal employee data. The GDPR has provisions in place regarding the collection and use of all employee data.

For a more in-depth assessment of this regulatory matchup, click here.

The EU’s new data regulation will impact businesses of all sorts. Here’s how the law stacks up against the world.

GDPR Matchup: (U.S.) The Health Insurance Portability and Accountability Act

While both the GDPR and the Health Insurance Portability and Accountability Act (HIPAA) define personal health data in almost the same way—in both cases, it’s mental and physical health data that can be used to identify an individual—the standards set by the GDPR are far broader than those in HIPAA. “The scope of data and entities covered by GDPR is significantly broader than the data and entities covered by HIPAA,” wrote Mr. Sean Baird, an associate at Davis Wright Tremaine.

For example, the GDPR’s regulations regarding personal health data extends to all organizations collecting or using data on EU citizens. HIPAA’s reach, on the other hand, does not extend outside of the U.S. The GDPR is also much stricter about disclosure or use of health data across a number of areas. For example, the EU’s regulations don’t allow the sharing of personal health information for the purposes of research and have much more onerous consent requirements; HIPAA, on the other hand, “provides that [personal health information] may be used or disclosed for research purposes,” wrote Baird.

For a more in-depth assessment of this regulatory matchup, click here.

GDPR Matchup: (U.S.) State Data Breach Laws

Across the U.S., state data breach laws are not standardized, meaning most organizations already have to undergo an arduous process to ensure compliance. Unfortunately, the GDPR will not make this process any easier.

Responding to a breach requires an organization to analyze the situation and respond to two key questions: Is the breach actually a “breach,” as defined by a particular jurisdiction’s definition of the term; and who needs to be contacted, when and with what information?

“While this two-part analysis is conceptually simple, small variations among breach statutes in the U.S. alone can create significant interpretive and logistical difficulties,” wrote Mr. Alex Reynolds, director and regulatory counsel for Davis Wright Tremaine. “But add the broader definitions of ‘personal data’ and 72-hour reporting timelines in the GDPR, and the complexities of an international breach are magnified.”

The definition of “breach” is defined by two characteristics: the type of data involved and the way in which the data was used in the breach. In the U.S., a breach is defined by “unauthorized access” to or “acquisition” of a previously defined type of information, such as a person’s name or their social security number. The GDPR does not explicitly define types of information. Instead, it focuses on “any information relating to an identified or identifiable natural person,” which puts the onus of interpretation on an organization.

Moreover, the GDPR has a broader understanding of what kind of event constitutes a breach. “For example, the GDPR considers it a breach if an employee, who is otherwise authorized to access personal information, accidentally deletes that information,” Mr. Reynolds wrote.

The second part of the two-part breach analysis is to determine the appropriate organizational response. In this, too, the GDPR presents an additional series of regulations: It is more stringent in terms of response time and the authorities to which an organization must answer.

For a more in-depth assessment of this regulatory matchup, click here.

GDPR Matchup: (APEC) Privacy Framework and Cross-Border Privacy Rules

The APEC Privacy Framework and the Cross-Border Privacy Rules (CBPR) and the GDPR are defined by starkly differing foundational goals, and therefore different levels of regulatory stringency. The CBPR system was installed to guide the development of “effective privacy protections that avoid barriers to information flows, and ensure continued trade, and economic growth in the APEC region,” wrote Mr. Alex Wall, Global Privacy Officer and Senior Counsel at RADAR, Inc. The GDPR, on the other hand, enables “free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” The former emphasizes continued trade and economic growth; the latter focuses primarily on fundamental rights.

To that end, CBPR does not supersede a country’s laws and regulations; instead, it serves as a baseline level of data protection. The GDPR, on the other hand, applies to all organizations that handle the personal data of citizens within the EU.

CBPR also doesn’t appear to have strong regulations regarding consent. Mr. Wall summarizes CBPR’s consent rules like this: “Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information.” Compared to GDPR’s exacting standard of requiring “explicit consent” to collect data, CBPR’s consent rules are less imposing, true to its goal to serve as a baseline of minimal protection.

For a more in-depth assessment of this regulatory matchup, click here.

GDPR Matchup: (Mexico) Federal Data Protection Law Held by Private Parties and Its Regulations

Mexico’s Federal Data Protection Law Held by Private Parties is remarkably similar to the European Union’s GDPR, but one key difference will require that Mexican organizations carefully navigate the space between “legitimate interest”—an acceptable basis in the GDPR for processing data—and “tacit consent,” a standard accepted by Mexican regulation.

“Mexico, as the European Union, is living a vibrant moment in data protection,” wrote Mr. Miguel Recio, LLM in Data Protection, Transparency and Access to Public Information. “Accountability is key for robust and effective data governance and data controllers in Mexico and the EU share now this principle.” Both the EU and Mexico require that data controllers—organizations that handle user data—take a proactive approach to compliance with data privacy law. Both the EU and Mexico have procedures in place to measure and respond to the risk of new technologies exposing users to increased risk and vulnerability. Finally, both the EU and Mexico require “data controller[s] and processor[s] to adopt and implement technical and organizational measures to protect personal data,” or, more simply, security measures.

Across the board, Mexican data protection regulations are more likely to outline specific acceptable security and accountability measures, whereas the GDPR mostly outlines goals and leaves implementation techniques up to organizations.

One key difference between the GDPR and Mexico’s data protection regulation rests in the distinction between “legitimate interest” and “tacit consent” as justification for processing personal data. On this, Mr. Recio deferred to future precedent-setting cases: “legitimate interest is still a developing concept that requires focusing on the balance in cases when it is overridden by the interests or fundamental rights and freedoms of the data subject,” he wrote.

For a more in-depth assessment of this regulatory matchup, click here.

GDPR Matchup: (Singapore) Personal Data Protection Act

Singapore’s Personal Data Protection Act (PDPA) and the GDPR may be similar in scope (both claim extraterritorial jurisdiction) and how they define personal data (both have broad, technology-agnostic definitions) but beyond that, their similarities are few and far between. “The [PDPA] is a light touch regime that offers some control to individuals over their personal data, certainly a far cry from the rigorous requirements of the GDPR,” wrote Ms. Hannah YeeFen Lim, Associate Professor of Business Law at Nanyang Technological University.

Ms. Lim broke down the dissimilarities across several key categories:

  • Scope: While the GDPR applies to virtually all personal data processing, the PDPA’s scope is comparatively hyper-limited. The PDPA’s regulations do not apply to the public sector or any organization acting on the public sector’s behalf.
  • Consent: Both the GDPR and the PDPA treat consent as a basis for data processing; however, the PDPA provides numerous exemptions, and defines consent in a much less stringent manner than the EU’s regulations. For example, as opposed to the GDPR’s standard of explicit consent, the PDPA treats voluntary data input as consent. Moreover, the PDPA enumerates a series of exemptions that limit when receiving consent is necessary. While data subjects can revoke their consent, the PDPA states that any ramifications of that withdrawal of consent rest with the data subject, not the organization.
  • Data minimization: According to Ms. Lim, “any personal data that is remotely relevant to the purpose can be collected” under the PDPA, a far cry from the GDPR’s strict stipulation that only immediately relevant data be collected.
  • Access, correction and erasure: Although under the PDPA, users can request to access and correct data held by an organization, the PDPA provides numerous exceptions to this right to request access. Organizations can also refuse to correct data. There is also extremely limited support in the PDPA for the right to erasure of personal data.
  • Accuracy and completeness: “The PDPA requires organizations to make a reasonable effort to ensure that personal data collected by or on behalf of the organization is accurate and complete,” Ms. Lim wrote. “However, this ‘reasonable effort’ required is not an absolute requirement.”
  • Data breach reporting: Although the GDPR and the PDPA have similar requirements regarding data security, Singapore’s regulations do not require any level of data breach reporting.

For a more in-depth assessment of this regulatory matchup, click here.

GDPR Matchup: (China) Cybersecurity Law

Both China and the EU passed sweeping data protection and cybersecurity legislation in 2016: China’s Cybersecurity Law (CSL) and the EU’s GDPR. The two have a key point of similarity: Both define personal information in very similar ways, meaning that data controllers impacted by both laws have an almost identical definition to work with in both cases.

The question of which data controllers are impacted by both laws, however, underlines one of the primary differences between the two regulations: their scope. “Companies located solely in China doing business in China and the EU should comply with both the CSL and the GDPR, while companies solely located in the EU would only be bound by the GDPR,” wrote Mr. Zhong Lin and Mr. Galaad Delval, both specialists in data protection, cybersecurity and telecom laws at EY Chen & Co. law firm.

Another key difference is how the two laws address cybersecurity. While the GDPR doesn’t explicitly address cybersecurity, relegating that to the Directive on security of network and information systems, the CSL “main legal focus,” according to Mr. Lin and Mr. Delval, is the establishment of a cybersecurity framework (it’s in the name).

“The CSL can be understood as a law that bridges the gap between cybersecurity and data protection to fuse them together in one law, further pushing forward the idea that cybersecurity and data protection cannot subsist without each other,” Mr. Lin and Mr. Delval wrote.

One largely overlooked aspect of the GDPR across other matchups is its punitive measures. In this area, the GDPR and CSL are very similar. The GDPR’s sanctions for noncompliance include hefty fines: One violation, for example, can result in a fine of “EUR 10,000,000, or in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.” While the CSL’s fines are more variable, sanctions for violators include website shutdown and the revocation or suspension of a business license.

“Would either a GDPR fine or a CSL sanction be imposed on a company, they would both have a grievous effect on the violator,” Mr. Lin and Mr. Delval warned.

For a more in-depth assessment of this regulatory matchup, click here.

GDPR Matchup: (Philippines) Data Privacy Act and Its Implementing Rules and Regulations

In most conceivable ways, the Philippines’ Data Privacy Act of 2012 (DPA) is similar to the EU’s GDPR. Both laws share the same extraterritorial scope; both define personal data in roughly similar terms; both have similar provisions for data minimization, accuracy, access and correction and portability.

One of the key differences is how both laws define a breach: In this area, the DPA’s regulations seem hyper-focused on identity fraud, unlike the GDPR, which treats all breaches the same, regardless of the potential harm of the data released.

“A notifiable breach occurs when sensitive personal information … that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject,” wrote Mr. Alex Wall, Global Privacy Officer and Senior Counsel at RADAR, Inc.

This is considerably more specific—and arguably more narrow in application—than the GDPR, which treats even accidental deletions of data as a breach.

For a more in-depth assessment of this regulatory matchup, click here.

GDPR Matchup: (Hong Kong) Personal Data (Privacy) Ordinance

Hong Kong’s Personal Data (Privacy) Ordinance is guided by six data protection principles. Here’s how they align with the GDPR:

  1. Data Collection Principle: Both the GDPR and Hong Kong’s first data protection principle align on the amount of data that can be collected. The data collection principle describes “necessary but not excessive” collection, while the GDPR’s data minimization principle requires that data collected be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,” wrote Ms. ShanShan Pa of Alibaba Cloud.
  2. Accuracy & Retention Principle: Both laws are aimed at ensuring that data collected is accurate and retained for only as long as is necessary.
  3. Data Use Principle: Both laws use consent as a necessary baseline for data use and processing. According to Hong Kong law, “personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.” The GDPR is more lenient on this front, allowing for personal data to be used to other ends after consent if given.
  4. Data Security Principle: Both the GDPR and Hong Kong’s ordinance require that data controllers take steps to ensure that collected data is securely held; however, Hong Kong’s ordinance does not touch upon breaches or responsibility in the absence of adequate security.
  5. Openness Principle: Both the GDPR and Hong Kong’s fifth data principles address transparency. Under both, data subjects should have insight into what data has been collected and how it is being used.
  6. Data Access & Correction Principle: Across both the GDPR and Hong Kong’s sixth data principles, the right to access and correct data is required.

For a more in-depth assessment of this regulatory matchup, click here.

Get ahead in a rapidly changing world. Sign up for our daily newsletter. Subscribe