International data protection and cybersecurity regulations: numerous new requirements and Europe as a role model for many

Organisation & Compliance
European consumers were not the only ones for whom 25 May 2018 meant many changes. The more stringent data protection legislation also had repercussions worldwide. Countries are busily working on new provisions, as revealed by an overview of the legislation that has been proposed and implemented in recent months. In many places, better protection will be afforded to personal data. But the security of production facilities is also increasingly becoming the focus of attention.


New and stricter regulations for data privacy violations will come into force in Canada in November 2018. Companies will be obliged to report serious security breaches.


One of the strictest Data Protection Acts in the country was passed in California at the end of June 2018. The California Consumer Privacy Act of 2018 involves major changes to the way data is handled and will take effect in 2020. Companies processing large quantities of personal information will have to disclose the type of data they are collecting, as well as the reason for collecting it. Consumers will also have the opportunity to express their opposition to their data being sold.


The President of Brazil signed a new Data Protection Act in August 2018. It will come into force in 2020. In many areas, the act follows the demands of European data protection. The data processing provisions will be even more stringent than the European requirements. The specific focus here is on creditor protection and protecting health data.

Great Britain

In 2017 the Health and Safety Executive prescribed guidelines and standards for the cybersecurity of industrial systems – Operational Technology (OT). These measures focus on network and system security, as well as the functional safety of production facilities.


When the EU GDPR was introduced in the EU, it had the most stringent data protection provisions in the world. The focus is on protecting personal information and data. Reporting obligations and steep fines in the event of security incidents set new standards across the continent and beyond.

South Africa

So far, the 2013 Protection of Personal Information Act has only been partially implemented in South Africa. But in the coming months, most of the demands will now take effect.


The Data Protection Act has undergone a complete overhaul, the first stage of which includes compliance with the standards of the EU GDPR. In August 2018, the Federal Office for National Economic Supply also introduced minimum standards for improving ICT resilience. The Federal Government issued 106 direct instructions. They are aimed at the operators of critical infrastructures and other companies.


A provisional law has been in force in the Principality of Liechtenstein since June 2018. It requires the immediate use of the EU GDPR in Liechtenstein as well. The Data Protection Act is meanwhile being revised. The European regulations are being adopted and supplemented by national rules. The new Data Protection Act should come into force at the start of 2019.


A more comprehensive Data Protection Act is in the pipeline. In the initial draft legislation, data protection officers are to be established and data processing within companies is to be audited by third parties. Information security measures such as encryption will be called for. The reporting of data privacy violations will become mandatory.


A Cybersecurity Act came into force in China in June 2017. Along with data protection, its provisions also regulate the operational safety of essential and critical services. Companies are obliged to store their data within China and to leave it there. In addition to this, only software that has been approved in China can be used for data encryption.


Changes to the Act on the Protection of Personal Information have been a reality since May 2017. Companies need the agreement of their customers before they can transfer their data to another country. Sensitive information can only be forwarded with express consent.


Data protection in Australia is normally regulated by the federal states and territories. An overview reveals many parallels with the European requirements. Some reforms came into force in 2017. Particular emphasis was placed on protecting minors. At the end of February 2018, the legislators made the reporting obligation for data privacy violations mandatory.