10 Data Protection Regulations You Need to Know About
Concerns about privacy and protecting personal information are in the spotlight for organizations all over the world. New, more comprehensive data privacy laws have been enacted or proposed in the past few years, and it has become imperative for companies of all sizes and across all industries to prioritize the protection of personal data.
We have collected 10 data protection regulations across the globe that organizations should know about.
1. GDPR (EU)
The EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018, and has created a far-reaching ripple effect that brought data protection into the public eye and onto legislative agendas the world over. The GDPR marks the most important change in data privacy regulation in the last 20 years and provides unprecedented protection and individual empowerment.
Europe’s new framework for data protection puts new obligations on companies and organizations to ensure the privacy and protection of personal data, provides data subjects with certain rights, and assigns powers to regulators to ask for demonstrations of accountability or even impose fines in cases of non-compliance.
The key concepts of the GDPR include lawful, fair, and transparent processing, clear and explicit consent, mandatory breach notification, right to access, right to be forgotten, and principles like privacy by design and by default. The regulation has extraterritorial applicability, meaning that it applies to all organizations collecting and processing personal data of individuals residing in the EU, regardless of the company location.
2. PIPEDA (Canada)
Canada’s federal data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA), was enacted early in 2000. PIPEDA applies to organizations operating in the private sector and regulates, among other things, how businesses collect, use and disclose personal and sensitive information. The law is broken down into ten core principles that businesses must follow.
To harmonize the Canadian requirements with the EU’s GDPR, the Government of Canada issued the Data Privacy Act, an amendment to PIPEDA, which came into force on November 1, 2018. This Act adds new rules to PIPEDA, including consent requirements, data breach notifications, and a revised scope of application.
3. CCPA (California)
Effective January 1, 2020, the California Consumer Privacy Act (CCPA) responds to the increased role of personal data in contemporary business practices and the privacy implications surrounding the collection, use, and protection of personal information. With this new data privacy law, signed into law on June 28, 2018, the Golden State gives consumers insight into and control over their personal information collected online. It forces companies that conduct business in California to implement structural changes to their privacy programs. Like the GDPR’s, the CCPA’s impact is expected to be global, given California’s status as the fifth largest global economy.
Among the key components of the CCPA are an extended definition of personal information, new data privacy rights for California residents, a new statutory damages framework, and new regulations on the use of children’s personal data. California’s new privacy law shares many similarities with its European counterpart, the GDPR, including data subjects’ right to know what data is being collected about them and how it is being used, as well as the right to have their data erased; however, there are significant differences between the two laws as well, particularly concerning the scope of application and the rules on accountability.
4. APPI (Japan)
Japan’s Act on Protection of Personal Information (APPI) was originally enacted in 2003 and came into effect in 2005. It was significantly amended ten years later, in 2015; the amendments took effect one year ahead of the EU’s GDPR, on May 30, 2017.
The APPI protects the personal data of individuals in Japan by establishing rules that governments and certain business operators must follow when acquiring and handling an individual’s personal information. Entities operating in Japan must comply with the APPI whether or not cross-border data transfers occur. The APPI differs from the GDPR in several aspects; the GDPR provides greater protection for data subjects and stricter regulations on the companies that process personal data than the APPI does.
On January 23, 2019, Japan became the first country to earn an adequacy decision from the European Commission (EC) after the GDPR took effect, which will ensure a smooth flow of data between the EU and Japan and facilitate the increased volume of data transfers.
5. LGPD (Brazil)
On August 14, 2018, Brazil approved the General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), slated to come into effect on August 15, 2020. The new data protection framework – heavily inspired by the GDPR – creates rules for processing personal data online and offline, in the public and private sectors, regardless of where the data processor is located. The legislation aims to replace and supplement existing legal norms; one of the reasons for its development was to bring data processing in Brazil into line with European standards.
Key similarities between the LGPD and the GDPR include data subjects’ rights (e.g., the right to request access to their data and the right to be forgotten), the need for data protection officers, data protection impact assessments, and data breach notifications. However, on several points, such as the legal bases for processing and mandatory breach notifications, the LGPD goes further than the European legislation.
6. PDPA (Singapore)
Personal data in Singapore is protected under the Personal Data Protection Act (PDPA), which was adopted in 2012 and came into full force in 2014. The PDPA applies to all private sector organizations and establishes a data protection framework that comprises various rules governing the collection, use, and disclosure of personal data.
It recognizes both the rights of individuals to protect their data and the needs of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.
Like the GDPR, the PDPA has extraterritorial reach and extends to organizations that may have no presence in Singapore.
7. PDPA (Thailand)
Thailand’s first consolidated law to govern data protection in the country, the Personal Data Protection Act (PDPA), was published on May 27, 2019. Organizations collecting and processing personal data must ensure they are compliant with the PDPA by May 27, 2020.
Thailand’s Government has largely drawn its concepts from the GDPR, with certain modifications to suit the national perspective. It did so deliberately, to demonstrate to the EU that Thailand has an “adequate” level of data protection.
The PDPA outlines, among other things, a new definition of personal information, special categories of sensitive data, consent requirements including for minors, data subjects’ rights, extraterritorial applicability, and restrictions on transfers of personal data to third countries.
8. PDPB (India)
The national government’s ‘Srikrishna Committee’ issued its much-awaited draft legislation for a new Personal Data Protection Bill (PDPB) on July 27, 2018. The intended framework proposes to regulate the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad. It also sets out how personal data is to be collected, processed, and stored.
The Bill is largely influenced by the GDPR and has adopted several of its principles, such as the right to access and correction, the right to portability, and the right to be forgotten; however, the individual’s rights are more limited than under the EU law. While the draft bill may undergo amendments before it is submitted to Parliament, which may request further changes, it will serve as the basis for the final bill.
9. NDB (Australia)
The Notifiable Data Breach (NDB) Scheme came into effect on February 22, 2018, and is part of Australia’s Privacy Act, which contains 13 principles regarding entities’ obligations for the management of personal data.
Under the NDB Scheme, companies that handle personal data like bank account information or medical records are obliged to report data breaches to the Office of the Australian Information Commissioner (OAIC). They must also inform persons whose information is exposed.
Like the GDPR, the NDB Scheme aims to allow affected individuals to take necessary action to protect their personal information, and it imposes considerable penalties on organizations for failing to comply.
10. Data Security Administrative Measures (China)
On May 28, 2019, the Cyberspace Administration of China released the draft of its Data Security Administrative Measures (the “Measures”) for public comment. China has thus joined the list of countries around the world pushing for stricter data protection legislation.
The Measures supplement the Cybersecurity Law of China, which came into effect on June 1, 2017, and provide strict and detailed rules for network operators who collect, store, transmit, process and use data within Chinese territory. Network operators who collect important data or sensitive personal information for business operations must file with the cyberspace administrative departments. In March 2018, the Personal Information Security Specification was issued, providing detailed guidance on information processing compliance.
The Measures are intended to provide technical specifications and best practices in data security with legal force.