
Provides the latest information on Sinsiway
and a variety of IT/security information.



Personal information has now become a means of identifying individuals and has developed into a key resource in our society. When companies with personal information interact with foreign countries, there may be cases in which they have to transfer their citizens' personal information abroad or process other people's personal information.

Then how is personal information protected around the world, which is now becoming a living area? Countries around the world are overhauling their laws on personal information protection. In this post, we will look at personal information protection laws around the world.



United States


In the United States, privacy laws are enacted by states, including the California Consumer Privacy Act (CCPA) and the Consumer Data Protection Act (CDPA) in Virginia.

Let's take a look at the California Privacy Rights Act (CPRA), which is considered the most powerful privacy law in the United States. The California Privacy Rights Act strengthens the data subjects' rights and the compliance obligations of business operators set out in the Consumer Privacy Act. It was passed on November 3, 2020, and went into effect on January 1, 2023. It is significant in that it stipulates California consumers' privacy rights and business obligations, and laid the groundwork for the establishment of the first regulatory agency in the United States in charge of privacy.

If you process the personal information of California residents while doing business in California, you are covered by the Act, regardless of whether you have a business in the state, when any of the following applies.

① If annual sales are equal to or greater than $25 million

② Holding the personal information of more than 100,000 consumers, etc.

③ Where sales from the sale and sharing of personal information account for more than 50% of the total sales of the enterprise


In addition, according to the CPRA, data subjects may require operators to exclude the use of automated decision-making technology. In certain circumstances, operators have a strong right to process sensitive information, such as restricting the provision of sensitive information to third parties. Sensitive information in CPRA includes social security numbers, driver's license numbers, state ID numbers, and passport numbers.

In addition, the American Privacy Rights Act (APRA) was proposed on April 7 this year to protect personal information at the federal level. If APRA is implemented, APRA will likely take precedence over laws in each U.S. state.



China


China's Personal Information Protection Act was drafted in October 2020 and took effect in November 2021. China's Personal Information Protection Act is similar to the EU's GDPR, and it is more stringent because it includes the range of sensitive personal information, the duration of information retention, and provisions for the use of personal information for public safety.

The Personal Information Protection Act applies to providing products or services to individuals in China, and it applies to all companies doing business with China. In principle, it is a rule to store data collected by the personal information controller in Korea, and it stipulates that personal information can be transmitted overseas in special cases. In addition, the Personal Information Protection Act applies to activities that process the personal information of Chinese citizens outside of China if any of the following applies.

(1) If the purpose is to provide products or services to the people of China

(2) To analyze and evaluate the behavior of the Chinese people

(3) Other circumstances prescribed by laws and administrative regulations


China stipulated the establishment of an internal management system, the classification management of personal information, and the implementation of safety technical measures such as encryption as obligations that the personal information controller must implement. Additionally, when a foreign company processes personal information to provide a product or service to an individual in China, a special organization or representative should be designated to handle personal information protection-related affairs, and matters related to the special organization or representative should be reported to the department in charge of the government.




Japan


Japan's Personal Information Protection Act was first enacted in May 2003 and came into force in April 2005. Since then, with the development of IT, personal information issues have become important and the number of cases of transferring personal information overseas has increased. The improved Personal Information Protection Act, which improved the rules on transferring personal information to foreign countries and made the provision of personal information to third parties stricter, came into force on May 30, 2017.

Since then, the partially revised "Act to Revise Part of the Act on the Protection of Personal Information" has been implemented in consideration of domestic and foreign situations.

Article 28 of Japan's Personal Information Protection Act stipulates cases where personal information is provided to third parties in foreign countries. Article 28 (Restrictions on Provision of Personal Information to Third Parties in Foreign States) requires a business operator handling personal information to obtain prior consent from the subject of the personal information before providing personal data to third parties in foreign countries. In obtaining consent, information must be provided on the name of the foreign country to which the personal data is transferred, the foreign personal information protection system, and the measures taken by the third party.

Therefore, companies should check whether personal information is transferred outside Japan, and if personal information is transferred outside Japan, they should review whether it is necessary to write the information in the personal information processing policy.



Vietnam


The Enforcement Decree on Personal Data Protection (PDPD) in Vietnam was enacted on April 17, 2023, and came into force on July 1, 2023. It presents the first comprehensive legal system for personal information protection in Vietnam, and it is significant in that it is the first single law in Vietnam. The PDPD targets domestic and foreign corporations that collect or process personal data of Vietnamese citizens, both online and offline.

According to Article 2, Paragraph 14 of the Enforcement Decree of Personal Information Protection, the transfer of personal information abroad refers to the transmission of personal information of Vietnamese citizens outside the territory of Vietnam or the processing of personal information of Vietnamese citizens outside the territory of Vietnam. The transfer of personal information abroad includes the following.

1) Transmission by an organization, enterprise, or individual to an overseas organization, enterprise, or management department to process the personal information of Vietnamese nationals in accordance with the purpose agreed by the data subject

2) The automatic system of personal information controllers, personal information controllers, and personal information controllers outside the territory of Vietnam processes personal information of Vietnamese citizens according to the purpose agreed by the data subject


Additionally, the data transmitter must prepare a cross-border information transmission impact assessment document and submit it to the DCHCP of the Ministry of Public Security at the beginning of the processing of personal information in order to transmit personal information across borders. In addition, it includes notification of the data subject before processing sensitive personal information and obtaining consent from the data subject when collecting and processing personal information.

Vietnam's privacy enforcement decree should be considered because its rules apply not only to Vietnam but also to offshore businesses.



European Union (EU)


The European General Personal Information Protection Act (GDPR) is a data protection law that requires companies and organizations to protect EU citizens' data and personal information in relation to transactions conducted within EU member states. Both the collection and processing of personal information for personal information controllers and EU citizens within the EU are subject to GDPR compliance obligations. Companies that violate GDPR regulations will be subject to legal sanctions, such as paying 20 million euros or 4% of their annual sales as a penalty.

On December 17, 2021, the EU's decision on the adequacy of the GDPR for Korea was adopted. As the EU has recognized that Korea's privacy policy is on par with the GDPR, Korean companies will be given the status equivalent to that of EU member states. Due to the decision on the adequacy of the GDPR, Korea can freely transfer the personal information of EU citizens to the EU member states without additional certification or procedures.