Privacy laws
Data protection practices are significantly driven by legislation that defines how companies should collect, process, and protect personal data.
Unfortunately, many companies don’t take data protection seriously until they suffer a data breach that puts personal data at risk. In response, more and more regulations and laws worldwide are starting to hold companies accountable for managing personal data responsibly.
Although privacy laws have existed in various countries since the 1970s, the General Data Protection Regulation (GDPR) of 2016 gave a significant boost to modern data protection legislation worldwide. A wave of similar laws followed, including state-level regulations in the US, such as the CCPA, as well as comprehensive data protection acts in India, China, Brazil, and other countries.
For companies operating globally, the tricky part is that data protection laws vary around the world. According to the UN Trade and Development (UNCTAD) organization, 137 countries have introduced legislation to protect data and privacy. A global company needs to comply with data protection laws of every country where it collects, processes, or stores personal data.
Based on data by the International Monetary Fund (IMF), below is the list of data protection laws in countries or regions that, combined, produce over 75% of the world’s GDP. If you’re a global company, you need to at least be aware of and comply with these laws.
Country or region | GDP (trillions USD) | % of global GDP | Data protection law |
---|---|---|---|
United States | 29.17 | 26.5% | California Consumer Privacy Act (CCPA) with amendments known as California Privacy Rights Act (CPRA), Health Insurance Portability and Accountability Act (HIPAA), etc. |
EU | 19.4 | 17.6% | General Data Protection Regulation (GDPR) |
China | 18.27 | 16.6% | Personal Information Protection Law (PIPL) |
Japan | 4.07 | 3.7% | Act on the Protection of Personal Information (APPI) |
India | 3.89 | 3.5% | Digital Personal Data Protection Act (DPDP) |
United Kingdom | 3.59 | 3.3% | UK GDPR, Data Protection Act 2018 |
Canada | 2.21 | 2.0% | Personal Information Protection and Electronic Documents Act (PIPEDA) |
Brazil | 2.19 | 2.0% | Brazilian Data Protection Law (LGPD) |
Totals | 82.79 | 75.2% | |
The most notable international and national privacy laws include the following:
- General Data Protection Regulation (GDPR). Applies to companies processing personal data of EU residents, requiring strict measures for data protection and privacy.
- California Consumer Privacy Act (CCPA) with amendments known as California Privacy Rights Act (CPRA). Enforces data protection rights for California residents, including transparency and security requirements.
- Personal Information Protection and Electronic Documents Act (PIPEDA). Canada’s law for safeguarding personal information.
- Data Protection Act (DPA). Defines a UK-specific implementation of GDPR principles.
- Health Insurance Portability and Accountability Act (HIPAA). In the U.S., protects sensitive health information.
- Personal Information Protection Law (PIPL) in China. Covers data collected from Chinese citizens, including data transferred overseas.
- General Personal Data Protection Law (LGPD) in Brazil. Broadly applies to companies processing personal data of Brazilian residents.
- The Digital Personal Data Protection Act (DPDP) in India.
In addition to privacy laws, there are also industry-specific regulations like the Payment Card Industry Data Security Standard (PCI DSS) that set data security standards for handling payment card information.
Some countries have stricter laws than others, but global companies must meet all applicable standards. As such, for the sake of simplicity, they often choose to default to implementing the most stringent set of requirements. Since GDPR is among the strictest privacy laws worldwide, GDPR standards are often adopted globally as a baseline.
GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that was adopted by the European Union in 2016 and came into force in 2018. It governs the collection, processing, storage, and sharing of personal data.
It grants individuals rights such as access to their data, consent for the usage of their data, and the right to be forgotten (RTBF).
Companies that do not comply with the GDPR face fines that are significant even for large international corporations but can be show-stopping for smaller businesses. Fines can be up to 20 million euros, or 4% of the offending company’s total worldwide annual turnover, whichever is higher.
Notably, the GDPR applies both to companies within the EU and those outside the EU that handle the personal data of EU residents.
Here’s a simplified rundown of GDPR’s seven main principles:
- Lawfulness and transparency. Obtain and process data legally, and inform individuals about their data use.
- Purpose limitation. Collect and use data only for defined purposes. Monitor its usage.
- Data minimization. Collect only essential data, with users’ consent for its usage.
- Accuracy. Maintain data accuracy, and allow users to correct inaccuracies.
- Storage limitation. Retain data only as needed; inform users about retention policies.
- Integrity and confidentiality. Keep data secure and accessible only when necessary. Enforce security measures.
- Accountability. Demonstrate compliance through appropriate measures and record-keeping.
These principles are in place to uphold data subject rights. These rights, which include the right to access, rectify, and erase personal data, empower individuals to have greater control and transparency over their own data. By ensuring we adhere to these principles, we not only stay compliant but also respect the digital rights of our customers.
Interestingly, the GDPR treats privacy as a fundamental human right. It emphasizes individual rights, requiring strict consent standards, data minimization, and accountability from organizations handling personal data. In contrast, the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), frame privacy as a consumer protection issue, emphasizing consumer control over personal information and preventing its misuse for profit.