Data Protection Laws Around The World - A Quick Guide

Most UK business owners and organisations are familiar with UK GDPR, but many won’t have had experience with personal data laws in other countries. Distance is no barrier in the business world, and international data transfers are happening more frequently.

It is predicted by Gartner that by the end of 2023, around 65% of the global population will be subject to existing data protection regulations regarding their personal data. Because of this, if you hold data on Data Subjects from other countries it is important to familiarise yourself with those privacy laws to ensure that you comply where necessary. 

In this article, we have outlined the current privacy laws for some of the most common jurisdictions across the world, and offer handy tips on how to best comply with the individual country's policies.

General global data protection issues to be aware of

Every country across the world has different levels of privacy laws. Some regions, including Europe and America, have very robust policies that protect the personal information of the individual, whilst others, such as Africa and certain parts of South America, have very limited data protection laws. Therefore, it is vitally important not to assume that all countries have the same laws as those you are used to. Our map below provides a helpful guide to demonstrate the different levels of data protection laws.

[Map: data protection laws around the world]

It is also worth bearing in mind that you do not have to be a resident of a country to be required to comply with its laws. If you process personal information within the organisations of that country, you will be required to comply with its data protection laws.

Nothing within the article should be construed as legal advice, and it should be noted that data protection laws change frequently. Therefore, it is always important to regularly review your data handling measures with a data protection or legal expert to ensure you are complying with the data protection laws of a given territory.

Data Protection Legislation in China

Chinese data protection laws strongly resemble the UK GDPR laws that we are familiar with. The Personal Information Protection Law (PIPL) came into effect in November 2021 and has four official goals:

  1. To protect the rights and interests of individuals
  2. To regulate personal information processing activities
  3. To safeguard the lawful and orderly flow of data
  4. To facilitate reasonable use of personal information

China has strict provisions in place for international data transfer, and we have some top tips to help you navigate its data protection laws:

  • Conduct a gap analysis to identify any additional requirements that need to be implemented to ensure compliance with PIPL. Make sure you compare GDPR and PIPL and fill in any gaps
  • Appoint a representative in China where you have no physical presence
  • Conduct a personal information protection impact assessment before you transfer personal information outside of China

Data Protection Legislation in the USA

Data protection laws have been present in the USA since the 1974 Privacy Act. Since then, the laws have changed to reflect an evolving world, with the Children’s Online Privacy Act being passed in 2000.

Data protection laws in the USA operate on a state-by-state basis. Whilst some states have similar laws, they are all different, so it is important that you check the specific laws of the state you are operating in. The IAPP has created a comprehensive guide showing the different privacy rights and obligations for each US state. It is a helpful tool and comes from the IAPP US State Privacy Legislation Tracker.

We suggest that before carrying out data processing either in the USA or of USA Data Subjects, you check that you:

  • Comply with the data protection laws of the relevant states
  • Ensure your privacy policy meets any additional requirements for those territories
  • Have a privacy notice that includes a “Do Not Track” section and that your websites, apps and analytics support this functionality. This means not tracking individuals across different websites, and can be helped by having an efficient cookie policy and effective cookie management
  • Provide individuals with the option to ‘opt out’ of the sale of their personal data

Data Protection Legislation in Canada

A lot of the elements of GDPR that we are familiar with here in the UK have come from Canadian privacy regulations. 

The current Consumer Privacy Protection Act does cover personal information but does not include sensitive information. In the digital era we live in now, it was realised that cyber security needs to be a part of any future policy and, because of this, the Digital Charter Implementation Act was re-introduced on 22nd June 2022. However, this law is still in the draft stages, so the Consumer Privacy Protection Act currently still stands.

Canada's policies include:

  • A much broader definition of personal details than the UK
  • The collection, use and sharing of personal information for commercial purposes
  • The collection, use and sharing of personal information about employees and job candidates

In order to comply with Canadian privacy laws, you must:

  • Ensure you have implemented appropriate physical, organisational and technical measures to protect personal information
  • Put measures in place to cover how you protect personal information, how you manage individual rights and complaints and what training you provide to your staff
  • Bear in mind that the current legislation is due to change
  • Remember that Canadian privacy laws are very similar to UK GDPR so you should be familiar with some elements of the policies

Data Protection Legislation in Singapore

The Personal Data Protection Act was put in place on 1st February 2021 and handles data by:

  • Regulating
  • Collecting
  • Using
  • Disclosing

As with many other countries, you do not have to be a resident of Singapore to be required to comply with its laws. If personal data is transferred to or from Singapore, regardless of residency, the law must be complied with.

Any individual can request information about how their personal data is handled. At a user’s request, Data Processors or Data Controllers must:

  • Inform the individual what data they have
  • Be able to explain how the individual's data has been used up to a year before the request was made
  • Rectify any errors

To ensure that you are complying with the Personal Data Protection Act in Singapore, you must:

  • Ensure your privacy policies are up to date
  • Check that any personal data transfer is to a country that has a comparable data protection regime
  • Make sure that you have measures in place to report any data breaches to PDPC (Personal Data Protection Commission) and users within 3 days and have a process to rectify them

Data Protection Legislation in Switzerland

The Federal Act on Data Protection will be put into place on 1st September 2023. It will replace the original Swiss Federal Data Protection Act and will reflect the digital world we now live in. It aims to give the individual more rights to information about their data, to ensure that it is protected and that mistakes are rectified.

Any individual who intentionally breaches the personal data law can be fined CHF 250,000. This helps to make sure that people’s data is handled safely and in the best interest of the individual, and the threat of a large fine also deters people from attempting to breach the law.

Individuals have the right to:

  • Access their personal data
  • Know the purpose of processing
  • Deletion
  • Data portability
  • Intervene when automated decision-making impacts data subjects 

Need Help With Your International Data Compliance?

Databasix can provide bespoke training, guidance and support to help with international data compliance. Contact us to find out about the services we offer.

The information and remarks provided in this article represent insight and guidance for best practice which is correct or valid or appropriate at time of publication.
