10 Data Protection Regulations You Need to Know About
Concerns about privacy and protecting personal information are in the spotlight for organisations all over the world. New, more comprehensive data privacy laws have been enacted or proposed in the past few years and it has become an imperative for companies of all sizes and across all industries to prioritize the protection of personal data.
We have collected 10 data protection regulations across the globe that organisations should know about.
1. GDPR (EU)
The EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018 and has created a far-reaching ripple effect that brought data protection into the public eye and onto legislative agendas the world over. GDPR marks the most important change in data privacy regulation in the last 20 years and provides a level of protection and individual empowerment that is unprecedented.
Europe’s framework for data protection puts new obligations on companies and organisations in order to ensure the privacy and protection of personal data, provides data subjects with certain rights, and assigns powers to regulators to demand demonstrations of accountability or even impose fines in cases of non-compliance.
The key concepts of the GDPR include lawful, fair and transparent processing, freely given and unambiguous consent (explicit consent for special categories of data), mandatory breach notification, the right of access, the right to erasure (“right to be forgotten”) and principles like privacy by design and by default. The regulation has extraterritorial applicability: it applies not only to organisations established in the EU, but also to organisations elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of the company’s location.
2. PIPEDA (Canada)
Canada’s federal data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted as early as 2000. PIPEDA applies to organizations operating in the private sector and regulates, among others, how businesses collect, use and disclose personal and sensitive information. The law is broken down into 10 core principles that businesses must follow.
The Digital Privacy Act, an amendment to PIPEDA passed in 2015, added new rules on valid consent and introduced mandatory breach reporting, notification and record-keeping requirements; those breach provisions came into force on November 1, 2018, bringing the Canadian requirements closer to those of the EU’s GDPR.
3. CCPA (California)
Effective January 1, 2020, the California Consumer Privacy Act (CCPA) is a response to the increased role of personal data in contemporary business practices and the privacy implications of the collection, use and protection of personal information. With this new data privacy law, signed into law on June 28, 2018, the Golden State gives consumers insight into and control over the personal information collected about them and forces companies that do business in California to make structural changes to their privacy programs. Like the GDPR, the CCPA’s impact is expected to be global, given California’s status as the fifth largest economy in the world.
Among the key components of the CCPA are an extended definition of personal information, new data privacy rights for California residents (including the right to opt out of the sale of their personal information), a statutory damages framework for certain data breaches and new rules for the use of children’s personal data. California’s privacy law shares many similarities with its European counterpart, the GDPR, including the right to know what data is being collected and how it is used, as well as the right to have that data deleted; however, there are significant differences between the two laws as well, particularly with regard to the scope of application and the rules concerning accountability.
4. APPI (Japan)
Japan’s Act on the Protection of Personal Information (APPI) was originally enacted in 2003 and came into effect in 2005. It was significantly amended in 2015; the amendments took full effect on May 30, 2017, roughly one year ahead of the EU’s GDPR.
The APPI protects the personal data of individuals in Japan by establishing rules for government bodies and for business operators handling personal information, covering the acquisition and handling of an individual’s personal information. Entities operating in Japan must comply with the APPI whether or not cross-border data transfers occur. The APPI differs from the GDPR in several respects; in general the GDPR provides greater protection for data subjects and imposes stricter obligations on the companies that process personal data than the APPI does.
On January 23, 2019, Japan became the first country to obtain an adequacy decision from the European Commission (EC) under the GDPR, which allows personal data to flow between the EU and Japan without additional safeguards and facilitates the increased volume of data transfers.
5. LGPD (Brazil)
On August 14, 2018 Brazil approved the General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), slated to come into effect on August 15, 2020. The new data protection framework, strongly inspired by the GDPR, creates rules for the processing of personal data online and offline, in both the public and private sectors, regardless of where the data processor is located. The legislation aims to replace and supplement existing legal norms; one of the reasons for its development was to bring data processing in Brazil into line with European standards.
Key similarities between the LGPD and the GDPR include data subjects’ rights (e.g. the right to request access to their data and the right to be forgotten), the requirement to appoint a data protection officer, data protection impact assessments and data breach notifications. However, on several points, such as the list of legal bases for processing (the LGPD has ten, compared with the GDPR’s six) and the breach notification rules, the LGPD differs from or goes beyond the European legislation.
6. PDPA (Singapore)
Personal data in Singapore is protected under the Personal Data Protection Act (PDPA), which was adopted in 2012 and came into full force in 2014. The PDPA applies to private sector organisations and establishes a data protection framework comprising various rules governing the collection, use, disclosure and care of personal data.
It recognises both the rights of individuals to protect their personal data, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
Like the GDPR, the PDPA has extraterritorial reach: it applies to organisations that collect, use or disclose personal data in Singapore even if they have no physical presence there.
7. PDPA (Thailand)
Thailand’s first consolidated law governing data protection in the country, the Personal Data Protection Act (PDPA), was published in the Royal Gazette on May 27, 2019. Organisations collecting and processing personal data must ensure they are compliant with the PDPA by May 27, 2020, when its main provisions take effect.
Thailand’s Government has largely drawn concepts from the GDPR, with certain modifications suitable to the national perspective. It did so on purpose, in order to demonstrate that Thailand has an “adequate” level of data protection to the EU.
The PDPA outlines, among other things, a new definition of personal information, special categories of sensitive data, consent requirements including for minors, data subjects’ rights, extraterritorial applicability and restrictions on transfers of personal data to third countries.
8. PDPB (India)
The national government’s ‘Srikrishna Committee’ issued its much-awaited draft legislation, the Personal Data Protection Bill (PDPB), on July 27, 2018. The proposed framework would regulate the processing of personal data of individuals (“data principals”) by government and private entities (“data fiduciaries”) incorporated in India and abroad, and sets out how personal data is to be collected, processed and stored.
The Bill is largely influenced by the GDPR and adopts several of its principles, such as the right to access and correction, the right to portability and the right to be forgotten; however, the individual’s rights are more limited than under the EU law. While the draft bill may undergo amendments before it is submitted to Parliament, which in turn may request further changes, it will serve as the basis for the final bill.
9. NDB (Australia)
The Notifiable Data Breaches (NDB) Scheme came into effect on February 22, 2018 and is part of Australia’s Privacy Act 1988, which contains 13 Australian Privacy Principles (APPs) setting out entities’ obligations for the management of personal data.
Under the NDB Scheme, organisations covered by the Privacy Act that handle personal data such as bank account information or medical records are obliged to report eligible data breaches (those likely to result in serious harm to the individuals concerned) to the Office of the Australian Information Commissioner (OAIC). They must also notify the individuals whose information has been exposed.
Like the GDPR, the NDB Scheme is intended to allow affected individuals to take necessary action to protect their personal information, and it imposes considerable penalties on organisations for failing to comply.
10. Data Security Administrative Measures (China)
On May 28, 2019, the Cyberspace Administration of China released the draft of its Data Security Administrative Measures (the “Measures”) for public comment. With this, China has joined the list of countries pushing for stricter data protection legislation.
The Measures supplement the Cybersecurity Law of China, which came into effect on June 1, 2017, and provide strict and detailed rules for network operators that collect, store, transmit, process and use data within Chinese territory. Network operators that collect important data or sensitive personal information for the purpose of business operations must file with the cyberspace administrative departments. The Personal Information Security Specification (GB/T 35273-2017), a recommended national standard in effect since May 1, 2018, already provides detailed guidance for compliant personal information processing, but as a standard it is not itself binding.
The Measures are intended to give such technical specifications and best practices in the field of data security legal force.