Status of data privacy laws across the world

It would be an understatement to say that the growth of the internet and the world wide web has had a profound positive impact on access to information and knowledge. How people interact, network, conduct business, etc., has changed dramatically since the advent of the internet.

The flip side to that is a large-scale intrusion on people’s privacy. A select few companies have hoarded massive amounts of users’ personal information and continue to do so in an unrestricted manner. Data breaches have had a massive impact on people’s privacy. Another unintentional or maybe intentional consequence of such massive data collection operations was sharing or selling personal data to data brokers or third parties, often without the users’ consent.

That has made a large section of web users wary about sharing personal data. With privacy concerns reaching alarming levels, governments in more than half the world’s nations have had to step in with data privacy laws for these companies to abide by. Of 194 countries, 128 have put together some form of privacy law on a central or statewide basis.

The inception of data privacy laws

Back in 2018, the General Data Protection Regulation or GDPR was enforced in the European Union (EU). It was a landmark step when it came to shaking up the existing practices of data collection, data residency, data governance, and privacy protection in most countries. There are certain principles these laws require companies to follow when it comes to collecting, using, and selling user data.

Websites and apps now have to provide transparency to users about how their data is being collected, what it is being used for and whether the data is processed by and/or shared with a third party. A vital factor of these legislations is consent. Users should decide whether or not the companies can use their data and if the same data can be shared with third parties. Lastly, companies collecting data should have security measures to stop the unrestricted or unauthorized access of the said data. Any breach of those will invite significant fines.

What are some of the existing data privacy laws across the world and what’s their current status?

GDPR compliance in the EU ushered most countries to come up with their data privacy laws. As of today, many countries have already passed a data privacy law or are in the process of legislating one. Let us take a look at them and their current status.

General Data Protection Regulation (GDPR)

The GDPR applies to all the countries that are a part of the European Union. A continent-wide privacy regulation means that member countries do not have to develop their own set of laws. It must be noted that the UK too was under the umbrella of this law, but is no longer since Brexit.

Salient points:

  • The GDPR applies to any company which processes personal data of EU citizens or residents, or markets goods or services to such people. You are bound by the GDPR even if you are not in the EU.
  • There are 11 chapters and 91 articles that specify GDPR compliance. The most important legal terms, which are elaborated at length, are: Personal data (what constitutes personal data), Data processing (any action performed on data), Data subject (the person whose data is processed), Data controller (the person responsible for decisions on why and how the personal data is processed), Data processor (third-party companies that process personal data on behalf of a Data controller), Consent (explicit consent from the data subject on the data collected and how it is processed), Data Protection Officer (the person assigned to advise on and ensure compliance with the GDPR).
  • Failure to comply with the GDPR will result in fines of 2% or 4% of the company’s total global annual turnover, or €10m or €20m respectively, whichever is higher.

US based state privacy laws (CCPA, CDPA, CPA)

In the US, the Federal government has increased scrutiny of existing data collection practices and privacy protection. Lawmakers have held sessions with the tech industry heads, and some of those discussions have prompted a call for a nationwide data privacy law. Today, there is no overarching US federal law that covers the privacy of all types of data.

However, there are many sector-specific laws, such as the Health Insurance Portability and Accountability Act (HIPAA) to regulate health insurance, the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), FCRA, FERPA, ECPA, and VPPA, each designed to cover only specific types of data.

In that regard, several states have taken the lead and have started legislating privacy laws to protect their residents. The California Consumer Privacy Act (CCPA) was among the first such laws to be passed and took effect in 2020. The Virginia Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA) are the two other significant laws, expected to be enforced from January 1st, 2023 and July 1st, 2023, respectively.

Personal Information Protection Law (PIPL)

A close follow-up to the GDPR and heavily influenced by it, the PIPL is China’s data privacy law, which took effect in November 2021. The law was passed by the Standing Committee of the National People’s Congress to ensure greater security of personal information.

Salient points:

  • The PIPL applies to companies within and outside China that handle the data of people in the country.
  • The distinguishing factor here is that the law separates Personal Information (PI) from Sensitive PI, and companies are treated according to which of the two they handle.
  • Any company acting as a PI handler must disclose its PI handling policies to the individual and provide rights such as consent.
  • Non-compliance with the PIPL will result in fines of $7.7 million or up to 5% of the company’s previous year’s turnover.

Brazilian General Data Protection Law (LGPD)

Lei Geral de Proteção de Dados (LGPD) is Brazil’s General Data Protection Law. Much like the GDPR, it contains provisions that aim to protect the personal and sensitive information of the residents of Brazil.

Salient points:

  • It is a collection of 40 different data governance stipulations.
  • Similar to most of the other laws, it applies to companies collecting the data of Brazilian residents.
  • One of the differences from GDPR is that the LGPD has six lawful bases for data processing.
  • Fines for breaching the LGPD are not as severe as the laws of other countries.

Consumer Privacy Protection Act (CPPA)

The CPPA is Canada’s updated data privacy law, succeeding the Personal Information Protection and Electronic Documents Act (PIPEDA). The latter has been in effect since 2000 and has gone through some amendments over the years.

Salient points:

  • The CPPA will introduce some changes but will retain the definition of personal information.
  • Accountability and consent are two of the primary compliance features.
  • For now, the CPPA remains in a draft stage, and it’s not clear when it will be passed.

Saudi Arabia’s Personal Data Protection Law (PDPL)

Recently, in September 2021, Saudi Arabia passed its Personal Data Protection Law. The law will take effect on March 23rd, 2022.

Salient points:

  • It aims to protect the data being collected and to prevent any use to which the user has not consented.
  • However, public authorities are exempt from this law.
  • Data transfers outside the country are also restricted and allowed only under particular circumstances.
  • Violations of the PDPL could result in imprisonment or fines in the range of USD 250,000 – 1.3 million.

Australia’s Privacy Act and Online Code

The Privacy Act of Australia was passed back in 1988 but only recently came under review for amendments. Back in 2019, Online Privacy Code legislation was passed in response to the Cambridge Analytica / Facebook scandal. The Federal government published a discussion paper to bring Australia’s privacy laws more in line with the EU GDPR. The Attorney General has published a draft copy of the legislation to bring social media companies, dating and content websites, and other platforms under the jurisdiction of the Online Privacy Code. Not only that, but data brokering firms and companies that rely on user data are also being brought under that umbrella.

Salient points:

  • Organizations that collect the data of more than 2.5 million Australian residents have to comply with this code.
  • Individuals can request that companies not share their info.
  • However, they might not get to ask for a complete deletion of that data.
  • The code also aims to correct the method of data collection from children under 16.
  • Should the code be breached, hefty fines of $10 million or more can be imposed, criminal penalties are also chargeable, and data can be shared with law enforcement.

Rest of the world

Other major countries have also taken steps when it comes to passing data privacy laws. New Zealand has passed a new ‘New Zealand Privacy Act’ replacing the outdated one. Numerous Asian countries such as Singapore, India, and Thailand have suitable laws in that regard.

Data privacy is here to stay and companies need to find a way to live with that

As more and more data privacy laws are being enacted, it has become a challenge for companies to comply with them. They have to find effective mechanisms to capture consent-driven data that complies with the law of the specific country and/or state.

Any company that operates across the globe, or a business in a geography protected by a privacy law, will have to look for a solution that can cover multiple facets. They will need to collect data and achieve privacy compliance as well.

Using traditional Tag Management Systems, it can take anywhere between a few weeks and months to become compliant with each law. With MagicPixel, compliance with any privacy law can be achieved in a matter of hours. Automating data privacy and security compliance shouldn’t give you the sweats. Book a demo to learn more about our solutions.