Data protection legislation in 600 words
What is data sovereignty?
Data sovereignty is the principle that data is subject to the legal protections and regulations of the jurisdiction in which it is physically stored. Data sovereignty is closely related to data residency (where data is stored) and data localization (where data must remain).
The regulatory landscape
The United Nations Conference on Trade and Development (UNCTAD) promotes the interests of developing states in world trade, which involves tracking and making sense of 242 data privacy and protection laws around the world.
Let’s briefly run down the heritage of data privacy principles on which key current laws around the world are built.
The Fair Information Practice Principles (FIPPs) are a framework at the core of the Privacy Act of 1974. Many US states mirror these principles in their laws, as do other nations and international organizations.
In 1980, the Organisation for Economic Co-operation and Development (OECD) codified its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. A 2013 update focused on the practical implementation of privacy protection through an approach grounded in risk management.
The 1988 Privacy Act was introduced to protect and regulate individuals’ private information.
The 1995 European Union Data Protection Directive is a variation of the OECD guidelines and the precursor to the General Data Protection Regulation (GDPR), introduced in 2016 and enforced from 2018. GDPR is intended to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. It addresses the transfer of personal data outside the EU and the EEA.
In 2015, China promulgated its Cyber Security Law. It establishes a cyber security review mechanism for network products and services that may put China's national security at risk. The Law establishes pre-sale certification requirements for critical network equipment and security products. The Law also allows collection of all kinds of data and can compel individuals to use network services to submit private information for monitoring.
In 2021, the Chinese Government enacted the Personal Information Protection Law, which bears some similarities to GDPR, although its cross-border data transfer rules require companies to build independent IT facilities in China to isolate the data from their overseas offices.
In Canada, the 2000 Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private organizations collect, use and disclose personal information in the course of commerce. The Act is also intended to demonstrate adequacy to the EU when it comes to protecting the personal information of European citizens.
In January 2013, Singapore's Personal Data Protection Act came into effect. It was influenced by the 1995 EU Data Protection Directive and the OECD Guidelines on the Protection of Privacy.
The most relevant regulations for the readers of this paper are those that apply in the jurisdictions where personal data is most often stored and processed by the organizations controlling and processing it. A high-level comparison of key regulations is depicted in the table below.
If you or your customers are required to store and process data within Europe, then you might want to consider how your detection and response data is handled. WithSecure’s Countercept Managed Detection and Response (MDR) service can secure, process and analyze your data in Europe.