A Guide to Privacy Laws by Country

As the digital world grows every day, creating Privacy Policies, Terms and Conditions, and Cookies Policies are more important than ever to protect your company.

While growing your business across state and country lines can benefit your profits, it can also be a minefield when trying to comply with each and every privacy law out there. Most privacy laws apply to personal or private information that identifies individuals. This can be as simple as email addresses or as sensitive as a Social Security Number.

Many countries have implemented privacy laws in the last 20 years. However, with the enactment of the European Union's General Data Protection Regulation (GDPR) in 2018, countries all over the world are updating and amending their own privacy laws to comply with the EU's new strict requirements.

The below countries have some of the most important and far-reaching privacy laws out there. With many countries updating their laws, paying attention to each law is even more important now when it comes to compliantly operating your business and creating your legal agreements.

Privacy Laws in Argentina

Argentina's Personal Data Protection Act of 2000 protects the personal data of Argentinian residents that are collected by private and public companies. "Personal data" is any information that refers to a person, such as a name or address. The act further protects the collection of "sensitive data," which includes things such as race or labor union membership.

The act applies to Argentinian companies and foreign companies. The act does not allow the transmission of personal data to companies or countries that do not meet its protection standards.

Argentina's law prohibits the collection of data without prior express consent. Before collecting any data, companies must fully inform individuals why the data is collected, what is being collected, the consequences of refusing disclosure, and the individual's rights to adjust the data collection. Failure to follow the law can result in fines from $1,000 to $100,000 pesos or possible criminal charges.

As of the summer of 2019, Argentina has presented a new bill that aligns with the regulations of the GDPR. Proposed additions to the law include adding definitions for biometric data, an explanation of automated data processing, requiring "effective identity validation mechanisms" to prove ownership of consent, and informed consent by minors.

Privacy Laws in Australia

Australia's Privacy Act of 1988 and 13 Privacy Principles (APPs) control the privacy regulations in Australia. The act and principles require companies to have an informed, transparent relationship with individuals.

To do this, companies must create a Privacy Policy that discloses the type of data collected, purposes for collection, how a person can access the information, how a person can complain about a breach of the policy, and information on the disclosure of data. The policy must be free and easily accessible.

Australian law requires APP entities to provide access to information when requested, except for certain instances such as public safety. Agencies have only 30 days to respond and organizations must respond within a "reasonable period" of time.

The Office of the Australian Information Commissioner (OIAC) handles all complaints and imposes restrictions on any breaches. To avoid facing penalties or legal issues, providing a robust and clear Privacy Policy is the best choice of action.

Privacy Laws in Brazil

In 2018, Brazil enacted a new privacy law to comply with the EU's GDPR. The General Data Privacy Law (LGPD in Portuguese) protects the individual rights of data collected by online companies that are either located in Brazil or internationally.

The LGPD calls for express consent before collecting data in most cases, and gives users more access and control of what data is collected. It requires a 15 day response time to a request for access to information whereas the GDPR says no more than a month. Brazil's law also includes a broader definition of private information than the GDPR does.

Any breaches of the LGPD are addressed by the newly created National Data Protection Authority and have similar fines to those of the GDPR.

Privacy Laws in Canada

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private companies that collect, use, or disclose personal information for commercial uses. "Commercial Activity" is a transaction or conduct done for commercial reasons, including selling or bartering.

Personal Information under PIPEDA includes any information that can identify an individual. Types of information included are income information, age, opinions, and credit records.

To comply with PIPEDA your Privacy Policy should comply with the law's 10 Fair Information Principles that dictate the collection, disclosure, and use of the information. The Office of the Privacy Commissioner of Canada lays out how to fully comply with each of the Principles.

Privacy Laws in China

With one of the highest number of online and mobile users in the world, China has recently been enacting a large number of cyber standards protecting the collection and disclosure of private information. The Cybersecurity Law of 2016 requires consent before information can be collected and disclosed. The law established the basic requirements of safeguarding data and what can be collected.

The more recent Personal Information Security Specification rule lays out guidelines for how companies can collect, disclose, inform, and share information.

Privacy Laws in Colombia

Colombia's Statutory Law No. 1581 of 2012 was enacted to create a "constitutional right" to access information and update any personal data that is collected by databases.

Colombia's Decree 1377 of 2013 is an additional law requiring explicit and informed consent before collecting information. Decree 1377 requires a Privacy Policy or Privacy Notice that discloses how data is collected, the use of third parties, and an individual's privacy rights to data. If your company does business in Colombia, it's also recommended your Privacy Policy is in both English and Spanish to avoid any confusion.

Privacy Laws in Denmark

Denmark passed the Data Protection Act in 2018, replacing the Personal Data Processing Act in response to the enactment of the GDPR. The act includes additional provisions than the GDPR. Public authorities can be fined if they violate the act or unlawfully process sensitive information. A main divergent between the GDPR and the DPA is Denmark's law allows an exception to the right to access information if a private interest is present.

Before collecting any information, companies must inform individuals of the purpose of collecting data, the safeguards in place to protect data, and when information is disclosed to third parties.

The Danish Data Protection Agency can impose penalties on lesser violations while larger breaches of the act can be brought before Denmark courts.

Privacy Laws in European Union

The most influential and extensive privacy law in the world is the European Union's General Data Protection Regulation (GDPR) of 2018. The GDPR has affected every country's privacy laws with many countries enacting updated laws to comply with the GDPR's strict requirements.

The GDPR has increased consent requirements and what constitutes acceptable consent. Users are given a number of enhanced data protection rights. Privacy Policies now must be written in clear and transparent language.

The GDPR is worth getting familiar with since it has influenced and will continue to influence privacy laws around the world.

Privacy Laws in France

France's French Data Protection Act was enabled by France's New Decree No. 2019-536. The law follows GDPR guidelines with additional specific regulations of reinforcing the French Data Protection Authority.

The act applies to the collection of private and sensitive data, which has been broadened to include biometric data and sexual orientation to comply with the GDPR. Parental consent for children under the age of 15 is required, but any children above 15 can give consent without a parent's consent for medical research and surveys.

Companies should pay attention to the new provisions in the act that relate to the rights of individuals. Individuals now have the right to determine the disclosure and use of their personal data after death ("post-mortem right to privacy") extending a controller's obligation to protect the data.

Privacy Laws in Greece

Greece's privacy laws were updated in the summer of 2019 to comply with the deadline laid out by the GDPR and the EU Commission. The laws protect the rights of Greek residents when their personal data is processed.

The Hellenic Data Protection Authority (HDPA) is the authoritative body in Greece and can impose monetary penalties. Individuals can bring claims of a breach before local courts and judiciary committees.

Under Greek law, children over 15 can give consent without a parent's further consent. Privacy Policies should include information on how to adjust or decline consent and the right to access information.

Privacy Laws in Hong Kong

Hong Kong's Personal Data (Privacy) Ordinance (PDPO) protects privacy rights when personal information is collected. The ordinance's regulations state information should be collected fairly and individuals should be fully informed.

Under the ordinance, data users and processors must secure the collected information and collect only the "necessary" data that is needed. Individuals retain their right to access and control the collection of the data.

The openness principle of the ordinance is one of the most important of the PDPO. Companies must take "reasonable steps" to inform individuals about data collection, which can be done through providing a Privacy Policy.

Violation of the ordinance can result in fines up to HK$50,000 and 2 years in prison.

Privacy Laws in Iceland

Considered a "safe haven" for privacy laws, Iceland hasn't missed the post-GDPR bandwagon and has updated its privacy laws. The Act on Data Protection and the Processing of Personal Data No. 90/2018 protects an individual's rights in the collection and movement of personal data. The act applies to the automated and manual collection of data and extends to filing systems.

The Icelandic Data Protection Authority determines any fines or violations brought by individuals or public authorities. The Authority's decision can not be repealed through the court systems if there is a disagreement.

Privacy Laws in India

Privacy laws in India are currently led by the Information Technology Act and the Information Technology Rules of 2011. The act and rules require any company or body that collects, stores, shares, and uses "sensitive information" must use "reasonable security practices" to protect the information. The law requires a Private Policy to be provided that includes how the data is collected, the name of the agency collecting the data, and opt-in and opt-out options.

As of 2018, a new law has been proposed that would expand India's privacy laws. The Personal Data Protection Bill would extend the rights of individuals in their data, cross-border regulations, and solutions for breach of the act.

Privacy Laws in Ireland

Ireland's privacy laws are controlled by the Data Protection Act 1988 - 2018 that combines the GDPR regulations, the Data Protection Act of 1988 and 2003, and new legislation. The new act creates a Data Protection Commission to regulate privacy laws.

A Privacy Policy, or data protection policy, should include the extent of the collection of data, accessibility of personal data, and the amount of time the data is stored. Companies must reasonably safeguard data when using automated collection systems and using third parties. The data collector must maintain a written report of all the data collected and why.

Privacy Laws in Japan

Japan's updated Act on the Protection of Personal Information protects the privacy of personal information and includes the regulations companies must follow. The act's definition of personal information is very broad and includes things such as date of birth, identification codes, social status, and creed.

The new update extends the act's jurisdiction to companies outside of Japan that collect the private information of Japanese citizens.

Japan has a "white list" of countries and companies that meet its requirements for data transfer. It's important to check Japan's list to see if your country and company are on the list.

Violators of the act may either receive harsh monetary fines or be imprisoned for up to 2 years.

Privacy Laws in Malaysia

Malaysia's Personal Data Protection Act of 2010 protects the processing of personal data for commercial use. Before collecting private information, consent must be given. Consent can only be given after written notice that explains how the data is collected, what data is collected, and why. Failure to comply with the act can result in fines up to MR$300,000 or 2 years in prison.

Malaysia is in the process of updating its privacy laws to comply with the GDPR. A major point to pay attention to is that current Malaysian privacy laws do not apply to outside companies. However, if a new act is passed to level up with GDPR requirements, foreign companies that collect the personal data of Malaysian residents will have to comply.

Privacy Laws in the Philippines

The Data Privacy Act of 2012 out of the Philippines is a broad and strict act meant to protect the "fundamental human right of privacy" to information that is collected electronically and stored in filing systems. The act requires that companies have a Privacy Policy or agreement providing safeguards to protect the data. The act's scope covers both domestic and foreign companies.

The Privacy Act of 2012 shares similar requirements and regulations with the GDPR, making it one of the toughest in Asia.

Privacy Laws in South Africa

South Africa's Protection of Personal Information Act of 2013 (POPIA) is expected to be enacted in the near future. While only some of the act's regulations have come into force, many South African companies are already taking steps to comply with POPI Act and the GDPR.

Under POPIA, data collection is only permitted when there is a "recognized justification." Justifications covered by the act would be informed and voluntary consent or in the performance of a contract.

Companies must show "due diligence" in complying with the act by including a Privacy Policy that divulges why the data is collected, protection of the data, and rights of individuals to delete or change access to data.

Privacy Laws in South Korea

The Personal Information Protection Act (PIPA) is the main privacy law of South Korea. The act protects the transmission and collection of private information of Korean citizens. Under the act, companies are required to obtain consent along with disclosing how the data is disclosed, how to opt-out of the collection, and fully inform individuals of their rights.

In addition to PIPA, South Korea recently passed the Network Act requiring foreign companies that collect data from Korean citizens to have a representative in Korea. In response to the GDPR, South Korea is also proposing amendments to PIPA to comply with the EU Commission.

Privacy Laws in Sweden

Sweden has one of the toughest privacy laws in Europe and was one of the first countries post-GDPR to hand down a fine on a company. Sweden's Personal Data Act is a broad law protecting all forms of direct or indirect identifiable data from being mishandled or misused.

The act requires companies to obtain informed consent and individuals must be fully informed before giving consent. Companies can face fines handed down by the Swedish Data Protection Authority for violating it.

Privacy Laws in Switzerland

The Swiss Federal Data Protection Act is the main privacy law in Switzerland that requires transparency between companies and individuals along with express consent. Individuals must be clearly notified before data is collected of the purpose, what is collected, and if there are any third parties involved. If your company uses cookies, individuals must be able to decline the use of cookies through an opt-out page or link.

At the time of writing, the Swiss government is debating revising the act to comply with the GDPR as well.

Privacy Laws in United States

In the US, privacy laws are left to each state and industry, not the federal government. This is why the Health Insurance Portability and Accountability Act (HIPAA) that protects the medical information of US citizens is one of the only federal privacy laws out there.

The Federal Trade Commission (FTC) applies to business privacy laws and protects US consumers. The FTC doesn't require Privacy Policies but including one is highly recommended. The FTC also has strict privacy laws relating to children. The Children's Online Privacy Protection (COPPA) applies to websites or apps that collect information from children under 13.

It can be confusing for US and foreign companies to comply with so many state laws. However, there are a few important ones you should pay close attention to.

California has the largest and most robust privacy laws of any state in the US. The California Online Privacy Protection Act (CalOPPA) protects the transmission and collection of the personal data of California residents. CalOPPA's jurisdiction extends outside of California to the US and any company that collects data from California residents.

Along with requiring a Privacy Policy, CalOPPA also requires:

• What data is collected
• Why the data is collected
• How to update and change preferences in the privacy policy
• How companies handle Do Not Track Signals

California recently added to its list of privacy laws by enacting the California Consumer Privacy Act (CCPA). The CCPA created new consumer rights in the collection of data by for-profit businesses. Required updates to Privacy Policies include the option to opt-out of data collection, a disclosure of the sources of the collected information, and lists of data sold and data disclosed for business purposes in the last 12 months.

New York's Shield Act protects the private data of New York residents that are collected by New York and foreign companies. The New York act gives companies leeway on how to safeguard personal data, but policies must comply with the act's standards. The Shield Act extends to biometric data, emails, and financial accounts.

Washington's Privacy Act (WPA) has yet to be passed by the state, but if approved the act would have some similar requirements to California's CCPA. The WPA requires opt-out options, notification of categories of data collected, and large security practices.

The Delaware Online Privacy and Protection Act (DOPPA) protects Delaware residents' privacy rights in their personal information. Like CalOPPA, DOPPA requires posting a Privacy Policy and protection to children. DOPPA's reach extends to online companies, apps, and ebooks.

Privacy Laws in United Kingdom

The United Kingdom's Data Protection Act of 2018 protects the personal information that is collected by companies, organizations, and the government. To comply with the law, you must follow the strict "data protection principles" of the act. These principles require transparency, data is used for explicit purposes, data is updated, and safeguards are in place to protect the data.

The Information Commissioner's Office (ICO) is the UK's independent authority on protecting and imposing fines on any privacy law violations.

Summary

With the growing exchange of personal information across borders, creating a Privacy Policy is extremely important. The enactment of the GDPR has completely changed the privacy law landscape. Countries are creating stricter and broader privacy laws to comply and protect their citizens' rights.

To stay with the times and keep your company out of the hot seat with a country's law or regulation, updating and maintaining your Privacy Policy is an absolute must for most current and certainly future privacy laws around the world.