A Practical Guide to Data Privacy Laws by Country [2024]

Improve your knowledge of (and compliance with) data protection laws around the world with this introductory guide.

Privacy laws have never been as important as they are today, now that data travels the world through borderless networks. Over 120 jurisdictions now have data privacy laws, as of January 2023. And while these protection laws are (sometimes) good news for those who have data stored or transferred online, it's not so good for those who have to navigate the challenges resulting from inconsistent regulation. Some countries have sectoral coverage, meaning different industries or trades in the country have their own data privacy laws. Other countries have omnibus coverage, with at least one national data protection law in addition to provincial or sectoral regulations. This introductory guide provides an overview of the many laws, regulations, acts and decrees that regulate data protection and privacy in 30 countries around the world. Under each summary, there are links to top sources to learn more about the legislation in the country.


Argentina

Argentina's Personal Data Protection Act 2000 (Law No. 25,326) applies to any person or entity in the country that deals with personal data. The Act states that data can only be collected if the subject has given their informed consent. In addition, the subject has the right to access, correct and delete (or request the deletion of) data. Argentina has been working on amendments to its data privacy law for a few years, but a change in administration has made the timeline and nature of these changes uncertain. New bills were presented in the Senate and the House at the end of 2020. For more information:

Australia

Australia's Privacy Act 1988 is the key privacy law that governs both the public and private sectors. The Privacy Act is based on 13 APPs (Australian Privacy Principles) that cover transparency and anonymity; the collection, use and disclosure of data; maintaining the quality of data; and the data subject's rights. In addition to the Federal Privacy Act 1988, data protection is governed by statutory privacy laws (in the majority of Australian states) and sector-specific privacy laws (depending on the data at hand). For example, organizations that collect, use or disclose health data are governed by separate Health Privacy Principles. Organizations in Queensland that deal with personal data will also be governed by the Information Privacy Act 2009. In late 2020, the country held a public consultation to review the Privacy Act. In early 2021, the government released a paper based on the comments seeking more targeted feedback. The review included aspects such as the Act's scope, effectiveness and enforcement. In late 2022, the Australian Parliament passed the Privacy Legislation Amendment Bill 2022, focused on increasing fines for data breaches and bringing current privacy laws more in alignment with competition and consumer remedies under the EU's GDPR laws. For more information:

Brazil

Brazil's data protection legislation is a patchwork of several individual laws, codes and frameworks. Article 5 of Brazil's Federal Constitution 1988 includes general provisions relating to a person's right to privacy. The Consumer Protection Code 1990 contains legislation regarding the collection, storage, processing and use of personal data. As well, the Brazilian Internet Act 2014 regulates the protection of privacy and personal data online. In August 2018, the Brazilian President, Michel Temer, signed off on the new General Data Privacy Law. Following in the EU's steps, Brazil's new legislation will have 65 articles and many similarities to the GDPR. For more information:


Canada

Canada has 28 federal, provincial or territorial statutes governing data protection and privacy in the country. At the national level, the collection, use and disclosure of personal information in the private sector is governed by Bill C-6 of the Personal Information Protection and Electronic Documents Act (PIPEDA) 2000. PIPEDA was most recently amended in November 2018 to include mandatory data breach notification and record-keeping laws. For the public sector, such as federal departments and Crown Corps., data privacy is governed by the Privacy Act 1983. Provincially, Alberta is governed by the Personal Information Protection Act (PIPA) 2004. British Columbia is governed by an act under the same name, implemented a year earlier. Ontario has its own privacy act too, the Personal Health Information Protection Act 2004. In June 2020, Quebec proposed Bill 64, "An Act to modernize legislative provisions as regards to the protection of personal information." This included new enforcement methods as well as changes to reporting, transparency and consent requirements in the province. Bill 64 was passed on September 21, 2021. Phase one of the implementation began in September 2022, with the remaining requirements coming into effect in increments in September 2023 and September 2024. For more information:

China

China's most recent privacy law took effect in May 2018. The Information Technology - Personal Information Security Specification (GB/T 35273-2017) is widely reported to contain more stringent requirements than the GDPR. The law (referred to as 'The Standard') contains provisions related to transparency, personal rights over data and consent. Prior to this, China's data privacy framework was made up of several federal laws including the Civil Law of the People's Republic of China 2017, Cybersecurity Law 2017, Criminal Law 2015, the Decision on Strengthening Protection of Network Information 2012, National Standard of Information Security Technology 2013 and Consumer Protection Law 2014. In 2020, the Chinese government released a draft Personal Information Protection Law for public consultation. The PIPL expands the legal bases for data processing beyond the subject's consent, increases data subjects' rights and more. It is now the country's first comprehensive data protection law and took effect on November 1, 2021. For more information:

Colombia

Data privacy rights and protection are governed by Law 1581/12, Decree 1377/13, Law 1266/08 and Law 1273/09. Law 1581/12 awards every person the constitutional right to determine how their own data is collected, stored, used, processed or transferred. This law also regulates privacy rights relating to the collection and processing of personal data. Decree 1377/13 regulates data owner consent, policies on processing treatment of personal data, data owner rights and cross-border transfers of data. Law 1266/08 regulates data privacy rights related to commercial and financial data, whereas Law 1273/09 contains provisions relating to computer crime, making it a crime to steal, sell, buy, etc. personal data. For more information:

Denmark

Privacy laws in Denmark are regulated under the Danish Act on Data Protection 2018 (Act No. 502 of 23 May 2018), formerly the Danish Act on Processing of Personal Data (Act No. 429 of 31 May 2000). This new data protection act supplements and implements the General Data Protection Regulation (2016/679). (FYI: EU countries are required to update or enact their own national privacy acts to match provisions in the GDPR.) The Danish Data Protection Act 2018 contains provisions relating to data processing, the disclosure of personal data, the right of access, the designation of a data protection officer, limits on consent, prohibitions on data transfers, administrative penalties and more.

Finland

Data privacy in Finland is governed by the Data Protection Act 2018 (HE 9/2018 VP), replacing the Personal Data Act (523/1999). The new DPA 2018 in Finland aligns with the GDPR (2016/679) more closely than the previous act. It loosens the reins where the GDPR provides leeway and strengthens provisions where required. However, there are other acts that focus specifically on sectors or industries, such as the Act on the Protection of Privacy in Working Life (759/2004), which governs data protection within the labor force, and the Information Society Code (917/2014), which governs domain names, message confidentiality, cookies and telecommunications. For more information:

France

France's Data Protection Act 2 (Law No. 2016-1321) replaces the Data Protection Act (Act No. 78-17) to better support the GDPR and its new provisions. The Data Protection Act 2016 sets expectations for data controllers, processors and recipients regarding personal data. The act explains that all data processing must be done fairly, lawfully and for legitimate purposes, and that only the minimum amount of data necessary is collected. The Data Protection Act 2 also outlines several rights of data subjects, including the right to know the identity of the data controller, the purpose of the processing and their rights to collect or transfer the data. For more information:

Germany

Germany has been and continues to be a leader in privacy protection with robust laws that provide more protection than many other jurisdictions. The country's Federal Data Protection Act 2017 (Bundesdatenschutzgesetz - BDSG), which replaced the Federal Data Protection Act 2001, works alongside the GDPR (2016/679) to outline the general obligations of personal data collectors and processors. The provisions in the BDSG apply to public and private bodies that collect or process personal information (with several exceptions). Main provisions in the BDSG include the designation of a DPO (data protection officer), rules for scoring and credit checks, criminal law provisions and rules for employment-related data processing. The BDSG also contains laws regarding subject rights, transferring personal data, informed consent and more. For more information:

Greece

Greece is in the process of drafting an updated law to govern alongside the GDPR. Until the new bill is finalized, Law 2472/1997 (Data Protection Law) and its amendments will govern the collection and use of personal data in Greece. The Data Protection Law applies to both data controllers and processors. The main principles ensure that data controllers and processors must be lawful, fair, transparent, purposeful, specific, accurate and accountable in their use and collection of personal data. Sectoral directives include Law 3471/2006 (E-Privacy Directive), which outlines additional obligations, and Law 3917/2011 (Data Retention Directive) which regulates the retention of personal data. For more information:

Iceland

Iceland's data privacy legislation is exceptionally strict and upholds very high standards for privacy and security. The country's primary data privacy legislation is the Data Protection and the Processing of Personal Data (Act No. 90/2018) which replaced the Processing of Personal Data (Act No. 77/2000). The purpose of the new law is to uphold data privacy to the same standards of the GDPR. The DPA outlines numerous guidelines and rules for data privacy including how to obtain informed consent, when and how to notify the subject that their data has been processed, how to keep personal data secure and rules on transferring data across borders. For more information:

India

India has no specific legislation on privacy and data protection. Instead, India's data privacy legislation is made up of several different laws and acts. At this time, both the Information Technology Act (No. 21 of 2000) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Privacy Rules 2011) contain specific provisions to protect personal data and other data privacy requirements. There are also sectoral laws governing personal data collection in the banking and healthcare industries. The Data Protection Bill was withdrawn from the Lok Sabha and the Parliament, as reported in the Bulletin - Part 1 No. 189 dated August 3, 2022. The withdrawal of the Data Protection Bill came with reports that a more comprehensive version of the Bill may be introduced. For more information:

Indonesia

Indonesia's data privacy legislation is pieced together from the Electronic Information and Transactions (EIT) Law (Law No. 11 of 2008) and its Amendment (Law No. 19 of 2016), Regulation No. 82 of 2012 (Reg. 82) and Regulation No. 20 of 2016 (the MOCI Regulation). However, Indonesia is currently making great strides to draft the Bill on the Protection of Private Personal Data, a data privacy law that's based on and inspired by provisions from EU law. If passed, it'll be the first comprehensive law for data privacy in the country. Regulations in the draft focus on written consent, data breach notifications, data deletion, direct marketing and more. For more information:

Israel

Data privacy in Israel is governed by The Basic Law: Human Dignity and Liberty (5752-1992), as well as the Privacy Protection Law (5741-1981). The former sets out the fundamental rights of privacy whereas the latter focuses on the protection of personal data and information. In December 2020, the Ministry of Justice held a public consultation to gather ideas on how the law should be updated with new technologies in mind. Similar to the comprehensive data privacy laws in other countries, the Basic Law and PPL focus on things such as transparency, the lawful basis for processing data, limiting data use, minimizing data and individual rights. Despite not having one comprehensive piece of legislation, Israel is still recognized by the EU as providing an adequate level of data protection. For more information:

Japan

In 2017, Japan's reformed privacy law took effect, replacing the former Act on Protection of Personal Information (No. 57 of 2003). The new law ("the APPI Amendment 2017") outlines basic data protection policies. Any business in Japan that holds personal data is required to abide by the APPI Amendment, with some minor exclusions. It includes provisions on third-party transfers, record-keeping, anonymity and breaches, and protects the rights of individuals in regard to their personal data. The reformed law has helped to get Japan on the EU's "safe list" of countries with adequate data protection legislation. For more information:

Malaysia

Malaysia's first comprehensive data privacy legislation came into effect in 2013. The Personal Data Protection Act 2010 (Act 709) consists of seven key points that work to protect personal and private data. These are the: General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle and the Access Principle. For consent to be valid under Act 709, the subject must receive written notice for the purpose of the data collection, information about their rights and details about who will access their data. One noticeable difference between Act 709 and the GDPR is that there is no requirement in the PDPA for companies to appoint a data protection officer. Following a year-long review, the Malaysian government conducted a public consultation on potential reforms to the PDPA. Changes to the Act could include data portability, an expanded scope and data breach notification requirements. For more information: Personal Data Protection Act 2010

Mexico

Mexico's Federal Law on the Protection of Personal Data held by Private Parties 2010 regulates the processing of personal data by private entities. The law defines "processing" to include many data activities, including the collection, use, disclosure, storage, access, management, transfer and disposal of personal data. The private sector is also regulated by the Regulations to the Federal Law on the Protection of Personal Data held by Private Parties 2011, the Privacy Notice Guidelines 2013 and the Parameters for Self Regulation 2014. Mexico's Federal Institute for Access to Information and Data Protection (IFAI) is assigned the duty of enforcing the law and issuing regulations. For more information:

New Zealand

Currently, data privacy in New Zealand is regulated by the 12 Information Privacy Principles outlined in the Privacy Act 1993. These principles focus on: the purpose of collecting data, how it is stored and accessed, and limits on the use and disclosure of personal data. Sector-specific pieces of legislation include the Credit Reporting Privacy Code 2004, the Health Information Privacy Code 1994 and the Telecommunications Information Privacy Code 2003. However, in 2018 New Zealand began the process to replace the 25-year-old Privacy Act with the Privacy Bill 2018. Key changes included mandatory reporting of breaches, compliance notices and strengthening cross-border data flow. One key piece of New Zealand's new privacy legislation is the right of any user to make a complaint and trigger an investigation into whether or not an organization's data collection practices are lawful. The bill was passed by New Zealand's parliament on June 30, 2020. For more information:

Philippines

The Philippines is said to have one of the strictest privacy laws in the region. As of 2016, the Republic Act No. 10173 (also called the Data Privacy Act 2012) is the primary legislation governing data privacy in the country. Under this legislation, if you are collecting personal data about a person, that person has the right to know your personal identity, your purposes for collecting their data, how their data is being processed and which parties, if any, will have access to their personal data. Data collectors must also declare the reason or purpose for collecting the personal data, and get specific and informed consent from the subject. For more information:

Russia

The collection and processing of personal data are governed primarily by the Federal Law on Personal Data 2006 (Act No. 152 FZ) and the Information, Information Technologies and Information Protection Act 2006 (Act No. 149 FZ). A number of general and sectoral-specific laws include provisions regulating personal data, including the Russian Labor Code 2001, the Russian Air Code 1997 and Articles 23-24 in the Russian Constitution of 1993. Data protection laws apply to those who organize or process the data and those who determine the purposes of the processing, the content of the data and related operations. For more information:

South Africa

Data privacy issues are regulated under the Protection of Personal Information (PoPI) Act 2013, several sector-specific laws and the common law. The PoPI Act, which replaced the Electronic Communications and Transactions Act (ECTA) 2002, is based on eight principles that discuss:

  • Rules for collecting, using and processing data
  • Ensuring the quality of the information
  • Upholding standards of transparency and openness
  • Efforts to safeguard against loss, damage or destruction of data

The Constitution of the Republic of South Africa 1996 regulates more general privacy provisions. Section 14, in particular, upholds the general right that all citizens have to privacy. For more information:

Many countries are reforming their laws to match the GDPR.
