While growing your business across state and country lines can benefit your profits, it can also be a minefield when trying to comply with each and every privacy law out there. Most privacy laws apply to personal or private information that identifies individuals. This can be as simple as email addresses or as sensitive as a Social Security Number.
Many countries have implemented privacy laws in the last 20 years. However, with the enactment of the European Union's General Data Protection Regulation (GDPR) in 2018, countries all over the world are updating and amending their own privacy laws to comply with the EU's new strict requirements.
The countries below have some of the most important and far-reaching privacy laws in force today. With so many countries updating their laws, paying attention to each one matters more than ever when it comes to operating your business compliantly and drafting your legal agreements.
1. Privacy Laws in Argentina
2. Privacy Laws in Australia
3. Privacy Laws in Brazil
4. Privacy Laws in Canada
5. Privacy Laws in China
6. Privacy Laws in Colombia
7. Privacy Laws in Denmark
8. Privacy Laws in European Union
9. Privacy Laws in France
10. Privacy Laws in Greece
11. Privacy Laws in Hong Kong
12. Privacy Laws in Iceland
13. Privacy Laws in India
14. Privacy Laws in Ireland
15. Privacy Laws in Japan
16. Privacy Laws in Malaysia
17. Privacy Laws in the Philippines
18. Privacy Laws in South Africa
19. Privacy Laws in South Korea
20. Privacy Laws in Sweden
21. Privacy Laws in Switzerland
22. Privacy Laws in United States
23. Privacy Laws in United Kingdom
24. Summary
Privacy Laws in Argentina
Argentina's Personal Data Protection Act of 2000 protects the personal data of Argentinian residents that is collected by private and public companies. "Personal data" is any information that refers to a person, such as a name or address. The act further protects the collection of "sensitive data," which includes things such as race or labor union membership.
The act applies to both Argentinian and foreign companies. It does not allow the transmission of personal data to companies or countries that do not meet its protection standards.
Argentina's law prohibits the collection of data without prior express consent. Before collecting any data, companies must fully inform individuals why the data is collected, what is being collected, the consequences of refusing disclosure, and the individual's rights to adjust the data collection. Failure to follow the law can result in fines of 1,000 to 100,000 pesos or possible criminal charges.
As of the summer of 2019, Argentina has introduced a new bill that aligns with the regulations of the GDPR. Proposed additions to the law include definitions for biometric data, an explanation of automated data processing, a requirement for "effective identity validation mechanisms" to prove that consent was actually given by the individual concerned, and rules on informed consent by minors.
Privacy Laws in Australia
Australia's Privacy Act of 1988 and its 13 Australian Privacy Principles (APPs) control privacy regulation in Australia. The act and principles require companies to have an informed, transparent relationship with individuals.
Australian law requires APP entities to provide access to information when requested, except in certain instances such as public safety. Agencies have only 30 days to respond, and organizations must respond within a "reasonable period" of time.
Privacy Laws in Brazil
In 2018, Brazil enacted a new privacy law to align with the EU's GDPR. The General Data Privacy Law (LGPD in Portuguese) protects individuals' rights over data collected by online companies, whether located in Brazil or abroad.
The LGPD calls for express consent before collecting data in most cases and gives users more access to, and control over, what data is collected. It requires a 15-day response time to a request for access to information, whereas the GDPR allows up to a month. Brazil's law also includes a broader definition of private information than the GDPR does.
Breaches of the LGPD are addressed by the newly created National Data Protection Authority and carry fines similar to those of the GDPR.
Privacy Laws in Canada
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private companies that collect, use, or disclose personal information for commercial uses. "Commercial Activity" is a transaction or conduct done for commercial reasons, including selling or bartering.
Personal Information under PIPEDA includes any information that can identify an individual. Types of information included are income information, age, opinions, and credit records.
Privacy Laws in China
With one of the largest numbers of online and mobile users in the world, China has recently been enacting a large number of cyber standards protecting the collection and disclosure of private information. The Cybersecurity Law of 2016 requires consent before information can be collected and disclosed. The law established the basic requirements for safeguarding data and for what can be collected.
The more recent Personal Information Security Specification rule lays out guidelines for how companies can collect, disclose, inform, and share information.
Privacy Laws in Colombia
Colombia's Statutory Law No. 1581 of 2012 was enacted to create a "constitutional right" to access information and update any personal data that is collected by databases.
Privacy Laws in Denmark
Denmark passed the Data Protection Act in 2018, replacing the Personal Data Processing Act in response to the enactment of the GDPR. The act includes additional provisions beyond the GDPR. Public authorities can be fined if they violate the act or unlawfully process sensitive information. A main divergence between the GDPR and the DPA is that Denmark's law allows an exception to the right to access information if a private interest is present.
Before collecting any information, companies must inform individuals of the purpose of collecting data, the safeguards in place to protect data, and when information is disclosed to third parties.
The Danish Data Protection Agency can impose penalties for lesser violations, while larger breaches of the act can be brought before Danish courts.
Privacy Laws in European Union
The most influential and extensive privacy law in the world is the European Union's General Data Protection Regulation (GDPR) of 2018. The GDPR has affected every country's privacy laws, with many countries enacting updated laws to align with the GDPR's strict requirements.
The GDPR has raised the bar for consent and for what constitutes acceptable consent. Users are given a number of enhanced data protection rights. Privacy Policies now must be written in clear and transparent language.
The GDPR is worth getting familiar with since it has influenced and will continue to influence privacy laws around the world.
Privacy Laws in France
France's Data Protection Act was brought into force by Decree No. 2019-536. The law follows GDPR guidelines, with additional specific provisions reinforcing the French Data Protection Authority.
The act applies to the collection of private and sensitive data, which has been broadened to include biometric data and sexual orientation to comply with the GDPR. Parental consent is required for children under the age of 15, but children over 15 can give consent without a parent's consent for medical research and surveys.
Companies should pay attention to the new provisions in the act that relate to the rights of individuals. Individuals now have the right to determine the disclosure and use of their personal data after death (a "post-mortem right to privacy"), extending a controller's obligation to protect the data.
Privacy Laws in Greece
Greece's privacy laws were updated in the summer of 2019 to comply with the deadline laid out by the GDPR and the EU Commission. The laws protect the rights of Greek residents when their personal data is processed.
The Hellenic Data Protection Authority (HDPA) is the authoritative body in Greece and can impose monetary penalties. Individuals can bring claims of a breach before local courts and judiciary committees.
Under Greek law, children over 15 can give consent without a parent's further consent. Privacy Policies should include information on how to adjust or decline consent and the right to access information.
Privacy Laws in Hong Kong
Hong Kong's Personal Data (Privacy) Ordinance (PDPO) protects privacy rights when personal information is collected. The ordinance's regulations state information should be collected fairly and individuals should be fully informed.
Under the ordinance, data users and processors must secure the collected information and collect only the data that is "necessary" for the purpose. Individuals retain their right to access and control the collection of the data.
Violation of the ordinance can result in fines up to HK$50,000 and 2 years in prison.
Privacy Laws in Iceland
Considered a "safe haven" for privacy laws, Iceland hasn't missed the post-GDPR bandwagon and has updated its privacy laws. The Act on Data Protection and the Processing of Personal Data No. 90/2018 protects an individual's rights in the collection and movement of personal data. The act applies to the automated and manual collection of data and extends to filing systems.
The Icelandic Data Protection Authority determines any fines or violations brought by individuals or public authorities. The Authority's decision cannot be appealed through the court system if there is a disagreement.
Privacy Laws in India
Privacy laws in India are currently led by the Information Technology Act and the Information Technology Rules of 2011. The act and rules require any company or body that collects, stores, shares, or uses "sensitive information" to use "reasonable security practices" to protect the information. The law requires a Privacy Policy to be provided that includes how the data is collected, the name of the agency collecting the data, and opt-in and opt-out options.
As of 2018, a new law has been proposed that would expand India's privacy laws. The Personal Data Protection Bill would extend the rights of individuals over their data, add cross-border regulations, and provide remedies for breaches of the act.
Privacy Laws in Ireland
Ireland's privacy laws are controlled by the Data Protection Acts 1988 - 2018, which combine the GDPR regulations, the Data Protection Acts of 1988 and 2003, and new legislation. The new act creates a Data Protection Commission to regulate privacy laws.
Privacy Laws in Japan
Japan's updated Act on the Protection of Personal Information protects the privacy of personal information and includes the regulations companies must follow. The act's definition of personal information is very broad and includes things such as date of birth, identification codes, social status, and creed.
The new update extends the act's jurisdiction to companies outside of Japan that collect the private information of Japanese citizens.
Japan has a "white list" of countries and companies that meet its requirements for data transfer. It's important to check Japan's list to see whether your country and company appear on it.
Violators of the act may either receive harsh monetary fines or be imprisoned for up to 2 years.
Privacy Laws in Malaysia
Malaysia's Personal Data Protection Act of 2010 protects the processing of personal data for commercial use. Before collecting private information, consent must be given. Consent can only be given after written notice that explains how the data is collected, what data is collected, and why. Failure to comply with the act can result in fines up to RM300,000 or 2 years in prison.
Malaysia is in the process of updating its privacy laws to align with the GDPR. A major point to pay attention to is that current Malaysian privacy laws do not apply to foreign companies. However, if a new act is passed to bring the law in line with GDPR requirements, foreign companies that collect the personal data of Malaysian residents will have to comply.
Privacy Laws in the Philippines
The Philippines' Data Privacy Act of 2012 shares similar requirements and regulations with the GDPR, making it one of the toughest privacy laws in Asia.
Privacy Laws in South Africa
South Africa's Protection of Personal Information Act of 2013 (POPIA) is expected to come fully into force in the near future. While only some of the act's regulations are in force so far, many South African companies are already taking steps to comply with POPIA and the GDPR.
Under POPIA, data collection is only permitted when there is a "recognized justification." Justifications covered by the act include informed and voluntary consent or processing carried out in the performance of a contract.
Privacy Laws in South Korea
The Personal Information Protection Act (PIPA) is the main privacy law of South Korea. The act protects the transmission and collection of private information of Korean citizens. Under the act, companies are required to obtain consent, explain how the data is disclosed to others, explain how to opt out of the collection, and fully inform individuals of their rights.
In addition to PIPA, South Korea recently passed the Network Act requiring foreign companies that collect data from Korean citizens to have a representative in Korea. In response to the GDPR, South Korea is also proposing amendments to PIPA to comply with the EU Commission.
Privacy Laws in Sweden
Sweden has one of the toughest privacy laws in Europe and was one of the first countries post-GDPR to issue a fine to a company. Sweden's Personal Data Act is a broad law protecting all forms of directly or indirectly identifiable data from being mishandled or misused.
The act requires companies to obtain informed consent, and individuals must be fully informed before giving consent. Companies that violate it can face fines handed down by the Swedish Data Protection Authority.
Privacy Laws in Switzerland
Switzerland has its own federal data protection act. At the time of writing, the Swiss government is debating revising it to align with the GDPR as well.
Privacy Laws in United States
In the US, privacy laws are left to each state and industry rather than to the federal government. This is why the Health Insurance Portability and Accountability Act (HIPAA), which protects the medical information of US citizens, is one of the only federal privacy laws out there.
The Federal Trade Commission (FTC) enforces business privacy laws and protects US consumers. The FTC doesn't require Privacy Policies, but including one is highly recommended. The FTC also enforces strict privacy rules relating to children. The Children's Online Privacy Protection Act (COPPA) applies to websites or apps that collect information from children under 13.
It can be confusing for US and foreign companies to comply with so many state laws. However, there are a few important ones you should pay close attention to.
California has the largest and most robust privacy laws of any state in the US. The California Online Privacy Protection Act (CalOPPA) protects the transmission and collection of the personal data of California residents. CalOPPA's jurisdiction extends outside of California to the rest of the US and to any company that collects data from California residents. Under CalOPPA, a Privacy Policy must disclose:
- What data is collected
- Why the data is collected
- How companies handle Do Not Track Signals
California recently added to its list of privacy laws by enacting the California Consumer Privacy Act (CCPA). The CCPA created new consumer rights in the collection of data by for-profit businesses. Required updates to Privacy Policies include the option to opt-out of data collection, a disclosure of the sources of the collected information, and lists of data sold and data disclosed for business purposes in the last 12 months.
New York's SHIELD Act protects the private data of New York residents that is collected by New York and foreign companies. The New York act gives companies leeway in how they safeguard personal data, but their policies must comply with the act's standards. The SHIELD Act extends to biometric data, emails, and financial accounts.
Washington's Privacy Act (WPA) has yet to be passed by the state, but if approved the act would have requirements similar to California's CCPA. The WPA would require opt-out options, notification of the categories of data collected, and extensive security practices.
Privacy Laws in United Kingdom
The United Kingdom's Data Protection Act of 2018 protects the personal information that is collected by companies, organizations, and the government. To comply with the law, you must follow the act's strict "data protection principles." These principles require transparency, use of data only for explicit purposes, keeping data up to date, and safeguards to protect the data.
The Information Commissioner's Office (ICO) is the UK's independent authority responsible for upholding data protection law and imposing fines for privacy law violations.