What is data protection legislation, and when does it apply to your company?
Imagine yourself in the middle of a maze: endless green walls, green grass under your feet, and you yourself still green as you search for a way out. That is how a company feels when it starts to navigate data protection legislation. To understand what your responsibilities are, you first need to understand where those responsibilities are written down.
For example, a Ukrainian co-founder of a US corporation processes European data on servers in Brazil. Which law applies? To be on the safe side, maybe it is better to apply them all. Below is more on the GDPR and Europe, the CCPA and the US, and other laws and bills, with specific examples.
Data Privacy Framework
It all starts with the foundation on which a business is built. One could say, "register in the US, follow US law," but unfortunately for companies and fortunately for lawyers, it is not that simple. Which law applies is not decided by where a company is registered. First and foremost, it is decided by what the company does, and to whose data.
Today, virtually every country has at least some data protection legislation, and almost all of these laws trace back to the same handful of documents:
- the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980, revised 2013);
- the APEC Privacy Framework (2004, updated 2015); and
- in Europe, the Council of Europe's Convention 108 (1981), which the Ukrainian law discussed below is also built on.
With a shared set of principles behind them, one might expect little room for manoeuvre in adopting diverse legislation. But privacy law also adapts to changing technologies and business models, which is why the laws differ around the world in scope, legal bases, and enforcement.
Their Majesty GDPR and Europe
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is a regulation rather than a directive, so from 25 May 2018 it became directly applicable in all 28 EU member states of the time without national transposition; one of its stated objectives is the free movement of personal data within the Union. Its scope is defined by two criteria that a company can use to determine whether its activities are covered.
Material criterion (Art. 2). The GDPR covers any processing of personal data carried out wholly or partly by automated means, and manual processing when the data forms part of, or is intended to form part of, a filing system. It does not cover processing by a natural person for purely personal or household activities.
Territorial criterion (Art. 3). The GDPR is an EU regulation, so it needs some connection to the EU. It applies to:
- companies established in the EU, regardless of where the processing itself takes place (even if their servers are located somewhere in China);
- companies outside the EU that offer goods or services to data subjects in the EU, whether or not payment is required; or
- companies outside the EU that monitor the behaviour of data subjects as far as that behaviour takes place within the EU (e.g., cookie-based tracking and profiling of website visitors).
Let us imagine a company that specialises in organising tourist trips. The company is registered in the US but has a large customer base in Europe. Materially, everything it does with personal data is processing within the meaning of the GDPR. Territorially, the GDPR reaches only the processing of data of customers in the EU to whom the service is offered. In addition, the company most likely uses data about EU website visitors to optimise marketing and run cookie-based analytics, which is monitoring of behaviour within the EU. The material and territorial criteria must therefore always be assessed together, and the answer may differ from one processing activity to the next.
CCPA and the States
In California, the California Consumer Privacy Act was signed in 2018, and two years later it was supplemented by the California Privacy Rights Act (today, the two are collectively referred to as the "CCPA"). Although the CCPA is a state law rather than federal legislation (the US still has no comprehensive federal privacy statute), it prompted companies to rethink their approach to privacy and pushed other states toward adopting their own legislation (Virginia was the first to follow, and more than a dozen states have since passed similar laws).
A for-profit company that does business in California is subject to the CCPA if it meets at least one of the following criteria (as amended by the CPRA):
- The company has annual gross revenue above $25 million (a figure the law adjusts for inflation).
- The company annually buys, sells, or shares the personal information of 100,000 or more California consumers or households (the original 2018 threshold was 50,000 consumers, households, or devices; the CPRA raised it).
- The company derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
As an example, consider a New York marketplace that specialises in online sales of home goods. It has a large customer base in California (well over 100,000 consumers per year) and actively conducts business there through its website and mobile app, sharing visitor data with its advertising partners. Although the company is not registered in California, the CCPA applies to it because of the consumer-count criterion. Furthermore, New York does not have its own comprehensive consumer privacy law (its SHIELD Act covers data security and breach notification, not consumer privacy rights), which makes life a little easier for the marketplace.
Not by GDPR and CCPA alone
The world of personal data protection is boundless, which is why countries (and even individual states) have many other privacy laws. At a minimum, Brazil (LGPD), China (PIPL), and Saudi Arabia (PDPL) have national data protection laws in place, and US states such as Tennessee, Minnesota, and Maryland are close to catching up with their predecessors in other states.
In addition to comprehensive privacy laws, a country may have sectoral acts (in the US, for example, GLBA for finance, HIPAA for health, and COPPA for children's data). If such an act applies to a specific type of activity, it must be taken into account alongside the general law, and the special law must be studied separately. So the question of how to choose a law has a clear answer: you must apply the one that governs your methods of processing, the territory you process in or target, and the results of that processing.
What about Ukraine?
We have Law No. 2297-VI "On the Protection of Personal Data." It was adopted in 2010 on the basis of Directive 95/46/EC and the provisions of Convention 108, so its concept is now somewhat outdated.
However, on November 20, 2024, the Verkhovna Rada of Ukraine adopted draft Law No. 8135 in the first reading (that is, "as a basis"), so there is reasonable hope for an update. Both the current law and the draft law have the same material scope as the GDPR and contain no specific territorial restrictions.
For example, there is a company in Lviv that has developed a CRM system and provides access to it through its website. There are two scenarios here:
- If the company is registered in Ukraine and sells its software exclusively to Ukrainian customers, the Law of Ukraine "On Personal Data Protection" applies and the company must comply with its requirements (of course, until draft law No. 8135 becomes law).
- If the company is registered in Ukraine but sells its software directly to customers in Poland via its website, it is offering a service to data subjects in the EU and processing their data, so the GDPR applies as well. The CCPA works the same way for California residents, but only once the company crosses one of the CCPA's thresholds, which sets a much higher bar.
So what should you do when several laws apply at once?
You can try to comply with all the applicable laws at once. This is possible if the company has the capacity and resources to do so. In that case the legal department must familiarise itself with the application of each law, or commission a legal audit to determine the next steps.
Let us return to our co-founder of a US corporation. He still has to comply with the data transfer rules between Europe, the US, and Brazil. If he starts interacting with Ukrainian data, our law will have to be applied to that interaction as well. This is especially true if the corporation engages Ukrainian sole proprietors.
However, it is not always possible to hire supermen who can juggle all the laws at once without making a mistake. As an alternative, a company can choose the so-called highest common denominator (the strictest standard), such as the GDPR, and comply with that everywhere. It is also possible to localise data processing: work according to the laws of the head office, but adapt the processes in individual countries or states. For example, in the EU companies often rely on legitimate interest to process analytics and marketing data, whereas China's PIPL has no legitimate-interest basis at all (Brazil's LGPD does list one, in Art. 7 IX, so the gap is not universal). A company may therefore decide to adapt to local requirements and ask users for consent. Then, depending on where the user is located, the data may be collected on a different legal basis, or not at all.
Conclusion
Applying the right data protection law is a logical process that requires some effort, and sometimes it is simply a matter of a well-designed business structure. Understanding the jurisdictions you work with is a conscious choice for a company, just as ignoring the rules and waiting for the penalty notice is also a choice.
If a company is confident in its information security programme and policies, and in their compliance with at least one of the frameworks that defines its obligations, demonstrating compliance with other privacy regulations to regulators will be much easier.