International Privacy Laws
Privacy and data protection regulations world-wide address both regional and global challenges to individual privacy rights.
Both the proliferation of technological advances in collecting, processing, and sharing personal data and increased data flows across national borders have produced a surge of new global privacy regulations. As more national and regional privacy laws, coalition agreements, and guidance on compliance with these regulations develop, the work of tracking and understanding international privacy laws grows more complex.
As part of EPIC’s International Program, EPIC tracks major international developments and trends in privacy and data protection law. In addition to reviewing proposed legislation and submitting feedback on new regulations, amendments, and guidance, EPIC also provides analysis on the strengths and weaknesses of individual laws and proposals, the efficacy of regulatory interoperability, and enforcement actions under each law. Below, we summarize some of the most substantial recent international privacy law developments, noting that privacy regulations continue to evolve and new laws are constantly introduced. For information on International Privacy beyond regulatory developments, please visit our International Privacy page.
General Data Protection Regulation (GDPR)
The European Union’s General Data Protection Regulation (GDPR) substantially updated Europe’s privacy and data protection law and served as an impetus for several other regulations and policy changes globally. The GDPR was finalized in April 2016 and went into effect on May 25, 2018. Key elements of the GDPR include providing new data protection rights for individuals, strengthening mandated data protection requirements, and imposing significant legal responsibilities on entities handling personal data.
The scope of the GDPR is significant: it applies to any entity that processes the personal data of individuals in the EU, whether or not that entity is established in Europe, so long as it offers goods or services to those individuals or monitors their behavior. The framework simplifies and consolidates legal obligations for affected entities, addressing both the public and private sectors (though certain public sector practices may fall under limited exemptions from the GDPR’s requirements). Individuals benefit from several new data protection rights, including the right to object to processing, the right to access and correct personal data, and a right to erasure, among others. The GDPR also provides enforcement powers to supervisory authorities, establishes the European Data Protection Board to ensure consistent implementation and enforcement of the GDPR across member states, mandates that entities have a lawful basis for processing personal data, requires that personal data breaches be reported to the supervisory authority within 72 hours of the entity becoming aware of them (where feasible), and allows administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher.
The GDPR builds on previous regulation, replacing the Data Protection Directive of 1995 (Directive 95/46/EC) and bolstering the fundamental right to privacy enshrined in Article 7 and the right to data protection in Article 8 of the Charter of Fundamental Rights of the European Union. While each EU member state may build additional privacy and data protection obligations into its national-level law, the GDPR provides harmonized baseline protections.
While the GDPR stands out as a major development in international data protection regulations, multiple other nations and regions have similarly developed and passed significant privacy regulations, several of which build and expand on protections put forth in the GDPR.
Brazil passed the Lei Geral de Proteção de Dados Pessoais (LGPD) on August 14, 2018. The law was rolled out in stages: a dedicated enforcement entity, the Brazilian National Data Protection Authority (ANPD), was created in December 2018; the provisions on data subject rights and entity obligations took effect in September 2020; and administrative sanctions became available on August 1, 2021. The LGPD shares significant similarities with the GDPR, including its extraterritorial scope (it applies to processing carried out in Brazil, to personal data collected in Brazil, and to processing aimed at offering goods or services to individuals in Brazil, regardless of where the processing entity is located), distinct requirements for sensitive data categories, individual data protection rights, and mandatory breach notification.
South Africa’s Protection of Personal Information Act (POPIA) was signed into law on November 26, 2013, took effect on July 1, 2020, and required full compliance by July 1, 2021. POPIA’s scope is defined by the location of data processing: entities domiciled in South Africa, or not domiciled there but processing personal information within South Africa, must comply with the Act. However, POPIA also applies, in some circumstances, to information collected about legal entities (juristic persons), rather than solely to individuals’ personal data. Similar to the GDPR, POPIA creates several privacy rights for individuals and sets requirements on personal data collection, use, sharing, storage, and breach notification. POPIA expands on certain requirements, mandating that all applicable entities appoint an Information Officer (similar to a Data Protection Officer) and requiring prior authorization from South Africa’s Information Regulator before processing certain categories of information or transferring special personal information or children’s personal information to a third country that does not provide adequate protection. POPIA also makes certain violations criminal offences, punishable by fines or imprisonment.
In addition to these, China passed the Personal Information Protection Law of the People’s Republic of China (PIPL) on August 20, 2021, effective November 1, 2021. The law applies to personal information processing by both private entities and state organs, with a separate, lighter set of provisions governing processing by state organs. It shares some similarities with the GDPR as well, including consent requirements, protections for cross-border data transfers, and heavy penalties for violations. Expanding beyond the GDPR, PIPL also includes rules on the use of facial recognition and image collection equipment in public places, and it is accompanied by separate proposals to address the use of recommendation algorithms.
Several other privacy regulations have been proposed globally and EPIC is watching these developments. Beyond overall privacy regulations, we also engage with developing international regulations in sectors affecting privacy, such as artificial intelligence or surveillance. Please visit those topic areas for more information on our work.
Recent Documents on International Privacy Laws
The Impact of the GDPR on Content Providers
Alessandro Acquisti et al. | 2020
The Council of Europe’s Modernized Convention on Personal Data Protection: Why Canada Should Consider Accession
Colin Bennett | 2020
Privacy Laws and Privacy Levers: Online Surveillance versus Economic Development in the People’s Republic of China
Ann Bartow | 2013
EU Law in Populist Times: Crises and Prospects
Francesca Bignami | 2018
Domesticating the “Foreign” in Making Transatlantic Data Privacy La
Bilyana Petkova | 2017