A One Size Fits All Approach Doesn't Work for Europe and Eurasia
In the past couple of years, many privacy regimes in Europe and Eurasia (jurisdictions outside of the European Economic Area (EEA)) have undergone significant changes in order to align their rules more closely with the European Union’s General Data Protection Regulation (GDPR).[1] We expect more to do so in the next few years. However, despite these harmonization efforts, these regimes still have some very distinct characteristics that set them apart from the EEA and other regions of the world.[2] As is true for other non-EEA regions of the world, a one size fits all approach to compliance in this region remains elusive.
Not surprisingly, given its geographic proximity and historical and cultural ties to EU Member States, this region has a longer data privacy tradition than other regions of the world. More than two-thirds of the data privacy laws in this region (17) were enacted prior to 2010, compared to the handful of laws enacted during the same period in the Americas, Asia, Africa, and the Near East.
While the laws in this region resemble the GDPR, there are some important differences. For example, the cross-border transfer requirements in this region are very diverse. In particular, the list of jurisdictions that are recognized as providing adequate protection varies widely from one law to another. Moreover, contrary to the GDPR and the trend elsewhere around the world to minimize registration requirements, two-thirds of the laws in this region still require organizations to register processing activities with a data protection authority (DPA).
These differences, coupled with some others, make it challenging for companies to develop their regional privacy compliance approaches, let alone integrate them into their global compliance programs. Nonetheless, it is important to take these differences into account when developing privacy compliance programs. This alert discusses some of the commonalities and differences among the privacy regimes in the region and identifies the jurisdictions that are likely to enact new or amended laws in the next few years.
Twenty-four jurisdictions in the Europe/Eurasia region (in addition to the EU Member States) now have comprehensive data privacy laws.[3] Ten of these jurisdictions have recently amended their laws to align with the GDPR.[4] The laws in the other jurisdictions were enacted years ago, and they are based, to varying degrees, on the European Data Protection Directive, the precursor to the GDPR. As a result, these laws contain the basic elements found under the GDPR, but also have unique elements not found in other laws in the region or within the EU. Only six jurisdictions in this region are recognized by the EU as providing adequate protection: Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey, and Switzerland.
Scope. Two-thirds of the laws in this region (15) apply only to processing that takes place within the jurisdiction. The remaining laws (9) have extra-territorial application in that they apply to processing by controllers established within the jurisdiction as well as those not established in the jurisdiction where their processing activities are related to the supply of goods or services to individuals in that jurisdiction and/or the monitoring of their behavior. These laws, with the exception of Kosovo’s, were amended recently to conform to the GDPR.
Legal Bases. More than three-quarters of the laws (19) permit processing on the basis of the controller’s or third party’s legitimate interests, individual consent, contractual necessity, and/or a legal requirement. Armenia, Azerbaijan, and Belarus permit processing primarily on the basis of consent or a legal requirement but not contractual necessity. Andorra and Russia permit processing based on consent, contractual necessity, and legal requirements but they do not permit processing based on the controller’s or a third party’s legitimate interests.
Data Localization. Two jurisdictions, Belarus and Russia, have laws that impose data localization requirements. Under Russia’s data privacy law, personal information of Russian citizens must be stored in Russia. Companies that sell goods and services in Belarus using information networks, systems, and resources connected to the Internet must use information networks, systems, and resources located (hosted) in Belarus.
Registration. Despite the trend in the EU and around the world to minimize registration requirements, two-thirds of the jurisdictions in this region (16) still require organizations to register their processing activities with a DPA. Surprisingly, this includes three jurisdictions that have enacted GDPR-like laws. Registration is not required in Armenia, Belarus, Faroe Islands, Gibraltar, Kosovo, North Macedonia, San Marino, and Serbia.
Cross-Border Transfers. All jurisdictions in this region, except Belarus, impose restrictions on transfers of personal data outside the territory. Adequacy, appropriate safeguards, or a legal basis such as contractual necessity or consent are required to transfer personal data outside the jurisdiction.
Adequacy. Most authorities permit transfers to jurisdictions that provide adequate protection and have issued lists that include the EEA Member States and the jurisdictions subject to an EU adequacy decision. Some have also included other jurisdictions within or outside their region in their adequacy lists, and/or those jurisdictions that are party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention #108”).[5]
For example, both Russia and Serbia recognize the 47 signatories to Convention #108. Russia also recognizes 22 other jurisdictions that are not party to Convention #108: Angola, Argentina, Australia, Benin, Canada, Chile, Costa Rica, Gabon, Israel, Hong Kong, Japan, Kazakhstan, Malaysia, Mali, Mongolia, Morocco, New Zealand, Peru, Qatar, Singapore, South Africa, and South Korea.
Georgia recognizes the EEA Member States as well as Australia, Albania, Andorra, Argentina, New Zealand, Bosnia and Herzegovina, Israel, Canada, Moldova, Monaco, Montenegro, North Macedonia, Serbia, Ukraine, and Uruguay.
Five jurisdictions (Azerbaijan, Bosnia & Herzegovina, Kosovo, Moldova, and Turkey) require adequacy but have not issued a list of jurisdictions.
Appropriate Safeguards. Most of the laws in the jurisdictions in this region, except those in Andorra, Azerbaijan, Bosnia & Herzegovina, Moldova, and Russia, permit transfers to inadequate countries based on contractual clauses. Of the 18 laws that do permit the use of contractual clauses for transfers to inadequate countries, half permit the use of the EU Standard Contractual Clauses for such transfers, and the other half permit the use of contractual clauses approved by their respective DPAs.
Legal Bases. Three-quarters of the laws (19) also provide legal bases such as consent or contractual necessity for transferring personal data to inadequate countries. However, the remaining four laws do not. Georgia and Turkey do not provide for any legal bases for such transfers; transfers to inadequate countries may only be on the basis of contractual clauses. In Armenia and Azerbaijan, consent is the only legal basis available to transfer to inadequate countries.
Individual Rights. All laws in this region (24) require access and correction rights. All but one (Belarus) require the provision of erasure rights, and 10 also require the provision of data portability rights. Almost two-thirds of the jurisdictions (15) require responses to rights requests to be provided within 30 days; six require responses within 5-15 days; and three do not specify a specific time.
Data Protection Officer (DPO). Slightly more than half of the jurisdictions (13) require the appointment of a DPO.[6]
Breach Notification. Slightly more than half of the jurisdictions (13) require notification in the event of a data security breach.[7] Of these, three-quarters (10) require notice to the DPA within 72 hours and to individuals without delay.
Security. Slightly more than three-quarters (19) of the jurisdictions have either some specific or detailed security provisions. The laws in Andorra, Armenia, Georgia, and Monaco only set forth broad security obligations.
Data Protection Impact Assessments (DPIAs). Half of the laws in the region (12) require organizations to carry out DPIAs.
Enforcement. The level of enforcement varies widely within the region, depending on the maturity of the data privacy regime. DPAs are established in all jurisdictions except Belarus. However, some DPAs were established long after the laws were enacted. For example, Azerbaijan’s DPA recently became operational, 10 years after its law was enacted. The Georgian DPA’s enforcement powers vis-à-vis the private sector only began in late 2014, three years after the law was enacted.
Some DPAs, such as those in Kosovo, Moldova, and North Macedonia, are more focused on building awareness of privacy rights and private and public sector obligations; although all three conduct routine inspections and issue enforcement actions when violations are found. The DPA in Bosnia & Herzegovina has been largely focused on public sector processing activities. In contrast, the Albanian DPA conducts regular inspections, issues corrective orders, conducts follow-up inspections, and issues administrative fines if necessary.
Of the 10 jurisdictions that have amended their laws to conform to the GDPR, three of them enacted those amended laws last year: Faroe Islands, North Macedonia, and Switzerland. Switzerland’s amended law, which does not go into effect until 2022, deviates in important ways from the GDPR. In particular, unlike the GDPR, and as is already the case under the current Swiss law, organizations will continue to be permitted to process personal information without consent or another legal basis where the processing does not violate “the personality of the individual.” An individual’s personality will be deemed to be violated if the organization does not comply with the “general data quality principles” under the amended law (e.g., transparency, proportionality, accuracy, adequate security measures, and using data only for the purposes of collection).
In addition, breach notifications to the DPA will only be required where the breach is likely to lead to a “high risk” (as opposed to a “risk” as under GDPR). Such notifications must be made “as soon as possible,” but there is no 72-hour requirement as under the GDPR.
However, like the GDPR, the amended law will require organizations to carry out DPIAs in cases of high risk processing activities, respond to similar individual rights requests, observe Privacy by Design and Privacy by Default, and maintain an inventory of processing activities.
For many years, the European Union has provided financial and technical support through its Twinning Project to countries in the region in order to assist them in aligning their data privacy laws with EU law. This work has focused on current and potential candidate countries looking to join the EU as well as other countries with whom the EU seeks to partner and foster better relations. Current candidates for EU membership are Albania, Montenegro, North Macedonia, Serbia, and Turkey. Bosnia & Herzegovina and Kosovo are potential membership candidates.
The EU’s work with these countries to strengthen and/or align their data protection laws is at various stages of maturity. While it is hard to predict timing, according to European Commission staff reports issued in October 2020 on the current candidate countries and their readiness to join the EU, it appears that, of the countries that have not yet amended their existing data privacy laws, Montenegro may be the furthest along in developing a new law. According to the European Commission report on Montenegro, a new GDPR-like data privacy law is currently under development. However, the current COVID-19 pandemic has created new challenges for Montenegrin authorities, forcing them to try to strike the right balance between protecting public health and respecting the confidentiality of personal health data and citizens’ right to privacy.
[1] The GDPR applies to the 27 Member States in the European Union: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Italy, Ireland, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Spain, Slovakia, Slovenia, and Sweden. In addition, the United Kingdom has agreed, effective January 1, 2021, to maintain its current GDPR data protection rules for up to six months (until June 30, 2021) under the terms of the Trade and Cooperation Agreement reached between the EU and the UK. The GDPR also applies to the non-EU members of the EEA: Norway, Iceland, and Liechtenstein.
[2] See our client alerts on privacy laws in the Americas, Asia, and Africa/Near East.
[3] These jurisdictions are Albania, Andorra, Armenia, Azerbaijan, Belarus, Bosnia and Herzegovina, Faroe Islands, Georgia, Gibraltar, Greenland, Guernsey, Isle of Man, Jersey, Kosovo, Moldova, Monaco, Montenegro, North Macedonia, Russia, San Marino, Serbia, Switzerland, Turkey, and Ukraine.
[4] Faroe Islands, Gibraltar, Guernsey, Isle of Man, Jersey, Kosovo, North Macedonia, San Marino, Serbia, and Switzerland.
[5] Signatories to Convention #108 are Albania, Andorra, Armenia, Azerbaijan, Bosnia & Herzegovina, Georgia, Monaco, Moldova, Montenegro, North Macedonia, Russia, San Marino, Serbia, Turkey, Ukraine, United Kingdom, Uruguay and the EEA Member States.
[6] Albania, Faroe Islands, Gibraltar, Guernsey, Isle of Man, Jersey, Kosovo, Montenegro, North Macedonia, Russia, San Marino, Serbia, and Ukraine require the appointment of a DPO.
[7] Armenia, Faroe Islands, Gibraltar, Guernsey, Isle of Man, Jersey, Kosovo, Moldova, North Macedonia, Russia, San Marino, Serbia, and Turkey.