
Ultimate guide to international data protection and privacy laws

September 14, 2020, by Susan Morrow

Introduction 

Human beings have many things in common and we all live in one world, together. However, when it comes to data privacy laws, the saying “there are many ways to skin a cat” seems apt. 

Data privacy laws are being introduced or adapted to suit new technology environments across the globe, but they often vary in ways that reflect the priorities of the country in question. What they all have in common, however, is the aim of building more ethical data processing procedures that put the privacy of the individual center stage.

This guide looks at some of the most famous/infamous data privacy laws across the globe to give you a taste of each.

Data privacy laws: A privacy primer from five countries

Around 80 countries have enacted data privacy laws. This guide looks at five countries, as well as arguably the most famous privacy law of all, the EU’s GDPR. Many of these jurisdictions have set precedents that others follow.

European Union: General Data Protection Regulation (GDPR)

When was GDPR enacted? 

The GDPR was enacted on May 25th, 2018. Since then, it has had more attention than any data protection law, ever. The GDPR was brought in to reflect the changes in the technology and consumer landscape. The GDPR updates the 1995 Data Protection Directive 95/46/EC or DPA.

Who is affected by GDPR? 

GDPR applies to organizations that collect, store, share and process data that could be used to identify an individual from an EU state. It affects organizations of any size and any type, no matter where in the world they operate from. Companies with fewer than 250 employees do have some reduced documentation requirements.

What data is covered by GDPR? 

GDPR is all about personal data. The law classifies data into two types:

Personal data: Any data that can be used, directly or in aggregated form, to identify an individual. Examples include name, address, date of birth, IP address and economic information.

Sensitive personal data: If data is deemed “sensitive” under GDPR, more stringent measures will be applied to its protection. Sensitive data includes genetic data, biometric data and data on life preferences, e.g., religious, racial or ethnic origin.

Basics of the data privacy law

The law is built around the idea of a legal basis for processing data. For example, “consent” is one legal basis for using data. As a result, consent is a core umbrella term in the law, with organizations required to obtain “explicit and affirmative consent” to process data.

The GDPR has eight core rights that are applied to the individual, also known as a “data subject”:

  1. Right to be informed (about personal data use)
  2. Right to access (data)
  3. Right to data rectification (if errors in data are found)
  4. Right to data erasure (data deletion)
  5. Right to request the restriction of data processing
  6. Right to data portability (between services and platforms)
  7. Right to object to use of data
  8. Right to say no to automated decision-making including profiling

The GDPR sets out the concepts of a data processor and data controller. Each has differing compliance requirements, based on their role in handling data.

Fines and other important points of the GDPR

The GDPR set two levels of fines. Both are onerous.

Level 1: 2% of annual global revenue or 10 million euros, whichever is higher. Applies to noncompliance in areas such as data breaches, not conducting a Data Privacy Impact Assessment (DPIA) and poor documentation.

Level 2: 4% of annual global revenue or 20 million euros. Applies to non-compliance in areas such as failing to gain consent, not upholding consumer rights under GDPR rules.

Brazil: General Data Protection Law (LGPD)

When was LGPD enacted? 

First published on August 15, 2018, this Brazilian privacy law has been postponed and is now expected to be enforced on August 4, 2020.

Who is affected by LGPD? 

All sizes of organization, irrespective of revenue, come under the reach of the LGPD. The law sets out the following criteria for covered entities:

  • Processing data within the territory of Brazil
  • Processing data of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located
  • Processing data collected within the territory of Brazil

What data is covered by LGPD?

Like the GDPR, LGPD has two classes of data:

Personal data: From the LGPD: “information regarding an identified or identifiable natural person”.

Sensitive data: Similar data is contained in this sub-category as in the same sub-category in GDPR, including racial or ethnic origin, religious belief, political opinion, health data and sexual preferences.

Basics of the LGPD data privacy law

Known as Brazil’s GDPR, the law is far-reaching, containing 65 articles. Where GDPR has eight data subject rights, LGPD has nine. The ninth right is in fact just the “right to be informed” split into two parts:

  1. Right to be informed of the parties the controller has shared the data with
  2. Right to be informed about the possibility of denying consent

Another commonality with the GDPR is the concept of a data processor and data controller.

Fines and other important points: Fines for non-compliance are up to 2% of the organization's global revenue; a limit of R$50 million per violation has been set.

USA: California’s Consumer Privacy Act (CCPA)

The US has a mosaic of data protection regulations. It is also expected that at some point a federal law will appear. If so, it may take a hint from California’s Consumer Privacy Act (CCPA).

When was CCPA enacted?

CCPA came into effect on January 1, 2020.

Who is affected by CCPA? 

The CCPA applies to for-profit commercial organizations that operate in California. The law states that it applies to an entity that “does business in the state of California.” Other specifics of who is impacted:

  • An organization with gross revenues over $25,000,000
  • An organization that buys or sells personal data of more than 50,000 California consumers, households or devices, per year
  • An organization that gets more than 50% of annual revenue from selling California consumers’ personal data 

What data is covered by CCPA? 

The CCPA covers personal data as defined in the law as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Basics of the CCPA data privacy law 

CCPA is seen as a “light” version of GDPR. The two laws do have some areas in common. Both are based on the rights of the data subject to control data processing. CCPA grants rights on the access, portability and deletion of data.

The CCPA supports the use of opt-out consent in certain data-processing practices but not all. The CCPA focuses on business accountability for data protection when collecting and handling personal data of users.

CCPA fines and other important points 

CCPA fines for non-compliance are:

  • $7,500 for an intentional violation of any provision
  • $2,500 for unintentional violations

20% of fines collected are used for a “Consumer Privacy Fund” to enforce the CCPA.

Japan: Act on the Protection of Personal Information (APPI)

When was APPI enacted? 

APPI was enacted in 2003. Recently, amendments came into force on May 30, 2017.

Who is affected by APPI? 

In a similar way to the GDPR, APPI has cross-border reach. APPI applies to companies that offer goods and services in Japan, whether they are located within the country or have their offices outside Japan. The act excludes central government organizations, local government and certain types of administrative agencies.

What data is covered under APPI? 

APPI sets out two categories of information:

Personal information: Identifying data such as name, address and biometric data but also includes driver’s license numbers and similar.

“Special care-required” personal information: This is deemed to be data that could be used for discrimination or prejudice. Typical data that sits in this category are medical information, marital status, “creed,” social status, criminal records and so on.

Basics of the APPI data privacy law

Instead of a data controller and data processor, APPI has the concept of “retained personal data” held by an “information handler.” This covers the data subject’s rights to control their personal information: the rights to disclosure, correction, addition or deletion of data, suspension of use, erasure and suspension of provision to third parties.

Consent must be collected by the information handler when processing data. However, like other privacy laws, the devil is in the details and there are several exemptions to consent collection, e.g., if the consent of a data subject could impede the execution of duties such as for health purposes.

Data subject rights are:

  • Privacy notices
  • Rights to access information
  • Right to be forgotten
  • Right to rectification

There is notably no data subject right to object to direct marketing and profiling.

Fines and other important points about APPI 

APPI does not specifically require data breach notifications. However, if an authority finds out about the breach, an administrative order is issued requiring the rectification of the breach. If this is not carried out, the business operator can be fined up to ¥500,000 (approximately $4,600) or imprisonment of up to one year. 

There are several sanctions and fines written into the legislation. Some carry jail sentences of up to two years. See Chapter VII of the act, Penal Provisions, for further details.

Australia: The Privacy Act and associated Australian Privacy Principles (APPs)

Australia, like the US, has both state and federal laws on data protection. However, the Privacy Act 1988 (Privacy Act) is the main umbrella law covering business entities in Australia.

When were the APPs enacted?

The Privacy Act came into force on December 14th, 1988. It has had many amendments since, with an important overhaul in 2014, as well as the Privacy Amendment (Notifiable Data Breaches) Act of 2017. This latter amendment sets out which notifiable breaches are included in the notification requirement.

Who is affected by the APPs?

The Privacy Act applies to any organization that handles personal data and has an annual turnover of at least AU$3 million. It does not apply to registered political parties or state or territory authorities. If an organization with revenue of less than AU$3 million processes health data, is a credit reporting agency or is associated with a commonwealth contract, it will also come under the watch of the Privacy Act.

What data is covered under the APPs?

All personal data that is processed by the covered entities under the APPs is covered. Like the EU’s GDPR, there are two categories of personal data (known as personal information in the Privacy Act):

Personal information: Covers any identifying data, identified as:

“information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a)  whether the information or opinion is true or not; and

(b)  whether the information or opinion is recorded in a material form or not.”

Sensitive information: This covers highly sensitive personal data including racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, criminal record, health data and so on. It also includes genetic data and biometric information.

Basics of the APPs data privacy law

The Privacy Act sets out 13 Australian Privacy Principles (APPs). The APPs are split into five key areas:

  1. Consideration of personal information privacy
  2. Collection of personal information
  3. Dealing with personal information
  4. Integrity of personal information
  5. Access to, and correction of, personal information

Each area contains several APPs that define requirements. For example, Part One, APP 2:

“Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter.”

Australia’s Privacy Act differs from the GDPR as it does not have the concept of a data processor and data controller. It also does not support a number of the data subject rights seen in GDPR. For example, there is no equivalent of the right to erasure under the Privacy Act.

Fines and other important points about APPs

Serious or repeated privacy violations can attract fines of up to AU$2.3 million.

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

When was PIPEDA enacted?

PIPEDA as a law came into force on January 1, 2004.

Who is affected by PIPEDA?

PIPEDA is a Canadian federal law. It applies to federal works, undertakings or businesses. The law takes effect when there is any collection, use or disclosure of personal information during any commercial activity and across borders. PIPEDA also applies to employee information. PIPEDA does not apply to provincially regulated organizations within the province of Quebec.

What data is covered under PIPEDA?

Any data that can be used to identify an individual is deemed to be “personal information.” This includes name, address, medical history, education, religion and images.

Basics of the PIPEDA data privacy law

This Canadian law sets out privacy best practices. It is built upon ten core principles:

  1. Accountability: Organizations are accountable for the protection of personal information.
  2. Identify purpose: The purposes for using collected personal information must be identified during or before the collection.
  3. Consent: Consent to process any collected personal information must be collected with the full knowledge of the individual.
  4. Data minimization: Personal information collection should be limited to only that necessary for the identified purposes.
  5. Disclosure: Personal information must only be used and disclosed for the purposes for which it was collected.
  6. Accuracy: Personal information must be accurate.
  7. Safeguards: Personal information must be protected using robust measures.
  8. Information about an organization's privacy policies and practices must be readily available to individuals upon request.
  9. Transparency: The right of access to personal information and the right to rectification.
  10. Challenge: There should be a method for an individual to challenge an organization's compliance with the law.

Fines and other important points about PIPEDA

An organization found to be in non-compliance with PIPEDA can be fined up to CAD$100,000 per violation.

Conclusion

This is not a comprehensive look at all of the myriad laws across the world that protect the right to data privacy. However, this should give you a flavor of the general way that privacy is covered under the law.


Sources

  1. REGULATION (EU) 2016/… OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, data.consilium.europa.eu
  2. General Personal Data Protection Act (LGPD), lgpd-brazil.info
  3. Assembly Bill No. 375, California Legislative Information
  4. Amended Act on the Protection of Personal Information (Tentative Translation), ppc.go.jp
  5. Australian Privacy Principles, OAIC
  6. The Personal Information Protection and Electronic Documents Act (PIPEDA), Office of the Privacy Commissioner of Canada
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.