Data privacy and protection initiatives have assumed greater significance globally as banking systems are opened to third parties and the number of digital payments grows. The EU GDPR was proposed in 2012 and formally approved by the European Parliament in May 2016. In force from May 2018, the Regulation mandates higher penalties for organizations that breach its rules: up to 4% of annual global turnover or €20 million for severe data breaches, or 2% of annual global turnover or €10 million for less severe breaches. The aim of the GDPR is to unify EU regulations in ways that place control of personal data at the customer level and simplify the ways data is stored, shared and transacted within and outside the EU.
Although the GDPR applies at a pan-European level, individual countries including Spain, the Netherlands, France, Germany, and the U.K. are driving legislative initiatives to bring their data protection laws and acts up to GDPR standards. The U.K.’s House of Lords passed a Data Protection Bill in September 2017 mandating the adoption of the GDPR until the U.K. leaves the EU. After this, a new Data Protection Act, similar to the GDPR, is expected to be introduced.
The EU’s Electronic Privacy Regulation (ePR) sets security rules for all electronic communications in the EU and aims to reinforce trust and security in the digital single market by updating the existing ePrivacy legislation. It includes all definitions of privacy and data that were introduced by the GDPR, and it clarifies and enhances those definitions. The ePrivacy Regulation was originally scheduled for introduction on 25 May 2018, but a number of issues have delayed it. These issues include the link with the GDPR, the consent requirement, and the applicability to ancillary services and to machine-to-machine communications. A new text was proposed early in May 2018, which clarified that the Regulation does not lower the level of protection enjoyed under the GDPR. The intention is for the ePrivacy Regulation to be adopted by the end of 2018.
Other countries such as Canada, Japan, and Israel are working towards data privacy and protection laws that are on par with GDPR standards. In July 2017, the Singapore Government sought opinions on amendments to the Personal Data Protection Act (PDPA). Similarly, in Indonesia, the Personal Data Protection (PDP) regulation introduced a new requirement that all electronic system providers that manage personal data electronically must certify their electronic systems according to the applicable standards under Indonesian law.