The exemption for personal data of foreign origin with adequate protection is a critical factor in determining the applicability of data protection laws. This factor is used to ensure that personal data collected from foreign jurisdictions, where such data is adequately protected according to the laws of those jurisdictions, is not subject to the data protection laws of the jurisdiction where the data is being processed. This approach helps to avoid conflicts between different legal regimes and ensures that data processing is not unnecessarily hindered by overlapping legal requirements.

Provision Examples

Philippines

"DPA of 2012 Sec.4(2g): This Act does not apply to the following: (g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines."

Brazil

"LGPD Art.4(iv): This Law does not apply to the processing of personal data that: IV– have their origin outside the national territory and are not the object of communication, shared use of data with Brazilian processing agents or the object of international transfer of data with another country other than the origin, since the country of origin provides a level of personal data protection adequate to that established in this Law."

Description

The exemption for personal data of foreign origin with adequate protection is incorporated into laws to ensure that data protection standards are consistent and do not create unnecessary barriers to international data flows. This factor is based on the principle of mutual recognition of data protection standards, where jurisdictions recognize and respect the data protection laws of other countries that provide an adequate level of protection.

• Rationale: The primary rationale behind this factor is to avoid duplication of legal requirements and to facilitate the free flow of data across borders. By exempting personal data that is adequately protected under foreign laws, jurisdictions can ensure that data processing is not subject to conflicting legal regimes, thereby promoting efficiency and compliance.
• Commonalities: Both the Philippines and Brazil have provisions that exempt personal data originally collected from foreign jurisdictions if such data is adequately protected. For instance, the Philippines' DPA of 2012 Sec.4(2g) states that the Act does not apply to personal information collected from foreign jurisdictions in accordance with their laws, including any applicable data privacy laws. Similarly, Brazil's LGPD Art.4(iv) does not apply to personal data that originates outside the national territory and is not communicated, shared, or transferred to Brazil, provided the country of origin offers adequate protection.
• Different Approaches: While both jurisdictions exempt personal data from foreign jurisdictions with adequate protection, there are subtle differences in their approaches. The Philippines focuses on the processing of personal information in accordance with foreign laws, including any applicable data privacy laws. In contrast, Brazil's LGPD specifically mentions that the exemption applies if the data is not communicated, shared, or transferred to Brazil, emphasizing the territorial aspect of data processing.

Implications

The exemption for personal data of foreign origin with adequate protection has significant implications for businesses operating in these jurisdictions. For example:

• Case 1: A company in the Philippines processes personal data collected from residents of the European Union. If the data was collected in accordance with the General Data Protection Regulation (GDPR), the Philippines' DPA of 2012 would not apply to this data, as it is adequately protected under EU laws. This allows the company to process the data without additional legal hurdles.
• Case 2: A Brazilian company processes personal data collected from residents of the United States. If the data was collected in accordance with the California Consumer Privacy Act (CCPA) and is not communicated, shared, or transferred to Brazil, the LGPD would not apply to this data. This exemption ensures that the company can process the data without needing to comply with additional Brazilian data protection regulations.

These examples illustrate how the exemption for personal data of foreign origin with adequate protection can streamline data processing operations for businesses, ensuring compliance with relevant data protection laws without unnecessary duplication of legal requirements.