Data Protection Laws Around the World
Most UK business owners and organisations are familiar with UK GDPR but many won’t have had experience with personal data laws in other countries. We know that the business world holds no limits when it comes to distance and that international data transfers are happening more frequently.
Gartner predicts that by the end of 2023, around 65% of the global population will be subject to existing data protection regulations regarding their personal data. Because of this, if you hold data on Data Subjects from other countries, it is important to familiarise yourself with those privacy laws to ensure that you comply where necessary.
In this article, we have outlined the current privacy laws for some of the most common jurisdictions across the world, and offer handy tips on how to best comply with the individual country's policies.
- Video: “Data Protection Around the World”
- General global data protection issues to be aware of
- Data protection legislation in China
- Data protection legislation in the USA
- Data protection legislation in Canada
- Data protection legislation in Singapore
- Data protection legislation in Switzerland
Every country across the world has different levels of privacy laws. Some, including Europe and America, have very robust policies that protect the personal information of the individual, whilst other countries, such as Africa and certain parts of South America, have very limited data protection laws. Therefore, it is vitally important not to assume that all countries have the same laws as those you are used to. Our map below provides a helpful guide to demonstrate the different levels of data protection laws.
It is also worth bearing in mind that you do not have to be a resident of a country to be required to comply with its laws. If you process personal information within the organisations of that country, you will be required to comply with its data protection laws.
Nothing within the article should be construed as legal advice and it should be noted that data protection laws change frequently. Therefore, it is always important to regularly review your data handling measures with a data protection or legal expert to ensure you are complying with the data protection laws of a given territory.
Chinese data protection laws strongly resemble the UK GDPR laws that we are familiar with. The Personal Information Protection Law (PIPL) came into effect in November 2021 and has four official goals:
- To protect the rights and interests of individuals
- To regulate personal information processing activities
- To safeguard the lawful and orderly flow of data
- To facilitate reasonable use of personal information
China has strict provisions in place for international data transfer and we have some top tips to help you navigate their data protection laws:
- Conduct a gap analysis to identify any additional requirements that need to be implemented to ensure compliance with PIPL. Make sure you compare GDPR and PIPL and fill in any gaps
- Appoint a representative in China where you have no physical presence
- Conduct a personal information protection impact assessment before you transfer personal information outside of China
Data protection laws have been present in the USA since the 1974 Privacy Act. Since then, the laws have changed to reflect an evolving world, with the Children’s Online Privacy Act being passed in 2000.
Data protection laws in the USA operate on a state-by-state basis and, whilst some states have similar laws, they are all different, so it is important that you check the specific laws of the state you are operating in. The IAPP has created a comprehensive guide showing the different privacy rights and obligations for each US state. It is a helpful tool and comes from the IAPP US State Privacy Legislation Tracker.
We suggest that before carrying out data processing either in the USA or of USA Data Subjects, you check that you:
- Comply with the data protection laws of the relevant states
- Provide individuals with the option to ‘opt out’ of the sale of their personal data
A lot of the elements of GDPR that we are familiar with here in the UK have come from Canadian privacy regulations.
The current Consumer Privacy Protection Act does cover personal information but does not include sensitive information. In the digital era we live in now, it was realised that cyber security needs to be a part of any future policy and, because of this, the Digital Charter Implementation Act was re-introduced on 22nd June 2022. However, this law is still in the draft stages, so the Consumer Privacy Protection Act currently still stands.
Canadian policies include:
- A much broader definition of personal details than the UK
- The collection, use and sharing of personal information for commercial purposes
- The collection, use and sharing of personal information about employees and job candidates
In order to comply with Canadian privacy laws you must:
- Ensure you have implemented appropriate physical, organisational and technical measures to protect personal information
- Put measures in place to cover how you protect personal information, how you manage individual rights and complaints and what training you provide to your staff
- Bear in mind that the current legislation is due to change
- Remember that Canadian privacy laws are very similar to UK GDPR so you should be familiar with some elements of the policies
The Personal Data Protection Act was put in place on 1st February 2021 and handles data by:
As with many other countries, you do not have to be a resident of Singapore to comply with the laws. If personal data is transferred to or from Singapore, regardless of residency, the law must be complied with.
Any individual can request information about how their personal data is handled. At a user’s request, Data Processors or Data Controllers must:
- Inform the individual what data they have
- Be able to explain how their data has been used up to a year before the request was made
- Rectify any errors
To ensure that you are complying with the Personal Data Protection Act in Singapore, you must:
- Ensure your privacy policies are up to date
- Check that any personal data transfer is to a country that has a comparable data protection regime
- Make sure that you have measures in place to report any data breaches to PDPC (Personal Data Protection Commission) and users within 3 days and have a process to rectify them
The Federal Act on Data Protection will be put into place on 1st September 2023 and will replace the original Swiss Federal Data Protection Act; it will reflect the digital world we now live in. It aims to give the individual more rights to information about their data, to ensure that it is protected and that mistakes are rectified.
Any individual who intentionally breaches the personal data law can be fined CHF 250,000. This helps to make sure not only that people’s data is handled safely and in the best interest of the individual, but also that people are deterred from attempting to breach the law by the threat of a large fine.
Individuals have the right to:
- Access their personal data
- Know the purpose of processing
- Data portability
- Intervene when automated decision-making impacts data subjects
Need Help With Your International Data Compliance?
Databasix can provide bespoke training, guidance and support to help with international data compliance. Contact us to find out about the services we offer.