

A Practical Guide to Data Privacy Laws by Country [2023]


Improve your knowledge of (and compliance with) data protection laws around the world with this introductory guide.

Privacy laws have never been as important as they are today, now that data travels the world through borderless networks. Over 120 jurisdictions now have data privacy laws, as of January 2023.

And while these protection laws are (sometimes) good news for those whose data is stored or transferred online, they are less welcome for those who have to navigate the challenges created by inconsistent regulation across jurisdictions.

Some countries have sectoral coverage, meaning different industries or trades in the country have their own data privacy laws. Other countries have omnibus coverage, with at least one national data protection law in addition to provincial or sectoral regulations.

This introductory guide provides an overview of the many laws, regulations, acts and decrees that regulate data protection and privacy in 30 countries around the world. Under each summary, there are links to top sources to learn more about the legislation in the country.



Argentina

Argentina’s Personal Data Protection Act 2000 (Law No. 25,326) applies to any person or entity in the country that deals with personal data.

The Act states that data can only be collected if the subject has given their informed consent. In addition, the subject has the right to access, correct and delete (or request the deletion of) data.

Argentina has been working on amendments to its data privacy law for a few years, but a change in administration has made the timeline and nature of these changes uncertain. New bills were presented in the Senate and the House at the end of 2020.

For more information:


Australia

Australia’s Privacy Act 1988 is the key privacy law that governs both the public and private sectors.

The Privacy Act is based on 13 APPs (Australian Privacy Principles) that cover transparency and anonymity; the collection, use and disclosure of data; maintaining the quality of data; and the data subject’s rights.

In addition to the Federal Privacy Act 1988, data protection is governed by statutory privacy laws (in the majority of Australian states) and sector-specific privacy laws (depending on the data at hand).

For example, organizations that collect, use or disclose health data are governed by separate Health Privacy Principles. Organizations in Queensland that deal with personal data will also be governed by the Information Privacy Act 2009.

In late 2020, the country held a public consultation to review the Privacy Act. In early 2021, the government released a paper based on the comments seeking more targeted feedback. The review included aspects such as the Act’s scope, effectiveness and enforcement.

In late 2022, the Australian Parliament passed the Privacy Legislation Amendment Bill 2022, focused on increasing fines for data breaches and bringing current privacy laws more in alignment with competition and consumer remedies under the EU’s GDPR laws.

For more information:


Brazil

Brazil's data protection legislation is a patchwork of several individual laws, codes and frameworks.

Article 5 of Brazil's Federal Constitution 1988 includes general provisions relating to a person's right to privacy. The Consumer Protection Code 1990 contains legislation regarding the collection, storage, processing and use of personal data. In addition, the Brazilian Internet Act 2014 regulates the protection of privacy and personal data online.

In August 2018, the Brazilian President, Michel Temer, signed off on the new General Data Privacy Law. Following in the EU’s steps, Brazil’s new legislation will have 65 articles and many similarities to the GDPR.

For more information:



Canada

Canada has 28 federal, provincial or territorial statutes governing data protection and privacy in the country.

At the national level, the collection, use and disclosure of personal information in the private sector is governed by Bill C-6 of the Personal Information Protection and Electronic Documents Act (PIPEDA) 2000. PIPEDA was most recently amended in November 2018 to include mandatory data breach notification and record-keeping laws. For the public sector, such as federal departments and Crown Corps., data privacy is governed by the Privacy Act 1983.

Provincially, Alberta is governed by the Personal Information Protection Act (PIPA) 2004. British Columbia is governed by an act under the same name, implemented a year earlier. Ontario has its own privacy act too, the Personal Health Information Protection Act 2004.

In June 2020, Quebec proposed Bill 64, "An Act to modernize legislative provisions as regards to the protection of personal information." This included new enforcement methods as well as changes to reporting, transparency and consent requirements in the province.

Bill 64 was passed on September 21, 2021. Phase one of the implementation began in September 2022, with the remaining requirements coming into effect in increments in September 2023 and September 2024.

For more information:


China

China's most recent privacy law took effect in May 2018. The Information Technology – Personal Information Security Specification (GB/T 35273-2017) apparently contains more stringent requirements than the GDPR. The law (referred to as 'The Standard') contains provisions related to transparency, individuals' rights over their data and consent.

Prior to this, China's data privacy framework was made up of several federal laws including the Civil Law of the People's Republic of China 2017, Cybersecurity Law 2017, Criminal Law 2015, the Decision on Strengthening Protection of Network Information 2012, National Standard of Information Security Technology 2013 and Consumer Protection Law 2014.

In 2020, the Chinese government released a draft Personal Information Protection Law for public consultation. The PIPL expands the legal bases for data processing beyond the subject’s consent, increases data subjects’ rights and more. It is now the country’s first comprehensive data protection law and took effect on November 1, 2021.

For more information:


Colombia

Data privacy rights and protection are governed by Law 1581/12, Decree 1377/13, Law 1266/08 and Law 1273/09.

Law 1581/12 awards every person the constitutional right to determine how their own data is collected, stored, used, processed or transferred. This law also regulates privacy rights relating to the collection and processing of personal data.

Decree 1377/13 regulates data owner consent, policies on the processing of personal data, data owner rights and cross-border transfers of data.

Law 1266/08 regulates data privacy rights related to commercial and financial data, whereas Law 1273/09 contains provisions relating to computer crime, making it a crime to steal, sell, buy, etc. personal data.

For more information:


Denmark

Privacy laws in Denmark are regulated under the Danish Data Protection Act 2018 (Act No. 502 of 23 May 2018), which replaced the Danish Act on Processing of Personal Data (Act No. 429 of 31 May 2000).

This new data protection act supplements and implements the General Data Protection Regulation (2016/679). (FYI: EU countries are required to update or enact their own national privacy acts to match provisions in the GDPR.)

The Danish Data Protection Act 2018 contains provisions relating to data processing, the disclosure of personal data, the right of access, the designation of a data protection officer, limits on consent, prohibitions on data transfers, administrative penalties and more.


Finland

Data privacy in Finland is governed by the Data Protection Act 2018 (HE 9/2018 VP), replacing the Personal Data Act (523/1999).

The new DPA 2018 in Finland aligns with the GDPR (2016/679) more closely than the previous act. It loosens the reins where the GDPR provides leeway and strengthens provisions where required.

However, there are other acts that focus specifically on sectors or industries such as the Act on the Protection of Privacy in Working Life (759/2004) which governs data protection within the labor force, and the Information Society Code (917/2014) which governs domain names, message confidentiality, cookies and telecommunications.

For more information:


France

France's Data Protection Act 2 (Law No. 2016-1321) replaces the Data Protection Act (Act No. 78-17) to better support the GDPR and its new provisions. The Data Protection Act 2016 sets expectations for data controllers, processors and recipients regarding personal data.

The act explains that all data processing must be done fairly, lawfully and for legitimate purposes, and that only the minimum amount of data necessary is collected.

The Data Protection Act 2 also outlines several rights of data subjects, including the right to know the identity of the data controller, the purpose of the processing and their rights to collect or transfer the data.

For more information:


Germany

Germany has been and continues to be a leader in privacy protection with robust laws that provide more protection than many other jurisdictions.

The country’s Federal Data Protection Act 2017 (Bundesdatenschutzgesetz, BDSG), which replaced the Federal Data Protection Act 2001, works alongside the GDPR (2016/679) to outline the general obligations of personal data collectors and processors.

The provisions in the BDSG apply to public and private bodies that collect or process personal information (with several exceptions). Main provisions in the BDSG include the designation of a data protection officer (DPO), rules for scoring and credit checks, criminal law provisions and rules for employment-related data processing.

The BDSG also contains laws regarding subject rights, transferring personal data, informed consent and more.

For more information:


Greece

Greece is in the process of drafting an updated law to govern alongside the GDPR. Until the new bill is finalized, Law 2472/1997 (Data Protection Law) and its amendments will govern the collection and use of personal data in Greece.

The Data Protection Law applies to both data controllers and processors. The main principles ensure that data controllers and processors must be lawful, fair, transparent, purposeful, specific, accurate and accountable in their use and collection of personal data.

Sectoral directives include Law 3471/2006 (E-Privacy Directive), which outlines additional obligations, and Law 3917/2011 (Data Retention Directive) which regulates the retention of personal data.

For more information:


Iceland

Iceland’s data privacy legislation is exceptionally strict and upholds very high standards for privacy and security.

The country’s primary data privacy legislation is the Act on Data Protection and the Processing of Personal Data (Act No. 90/2018), which replaced the Act on the Processing of Personal Data (Act No. 77/2000).

The purpose of the new law is to uphold data privacy to the same standards as the GDPR.

The DPA outlines numerous guidelines and rules for data privacy including how to obtain informed consent, when and how to notify the subject that their data has been processed, how to keep personal data secure and rules on transferring data across borders.

For more information:


India

India has no specific legislation on privacy and data protection. Instead, India’s data privacy legislation is made up of several different laws and acts.

At this time, both the Information Technology Act (No. 21 of 2000) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Privacy Rules 2011) contain specific provisions to protect personal data and other data privacy requirements.

There are also sectoral laws governing personal data collection in the banking and healthcare industries.

The Data Protection Bill was withdrawn from the Lok Sabha and the Parliament, as reported in the Bulletin - Part 1 No. 189 dated August 3, 2022. The withdrawal of the Data Protection Bill came with reports that a more comprehensive version of the Bill may be introduced.

For more information:


Indonesia

Indonesia’s data privacy legislation is pieced together from the Electronic Information and Transactions (EIT) Law (Law No. 11 of 2008) and its amendment (Law No. 19 of 2016), Regulation No. 82 of 2012 (Reg. 82) and Regulation No. 20 of 2016 (the MOCI Regulation).

However, Indonesia is currently making great strides to draft the Bill on the Protection of Private Personal Data, a data privacy law that’s based on and inspired by provisions from EU law. If passed, it'll be the first comprehensive law for data privacy in the country.

Regulations in the draft focus on written consent, data breach notifications, data deletion, direct marketing and more.

For more information:


Israel

Data privacy in Israel is governed by The Basic Law: Human Dignity and Liberty (5752-1992), as well as the Privacy Protection Law (5741-1981). The former sets out the fundamental rights of privacy whereas the latter focuses on the protection of personal data and information. In December 2020, the Ministry of Justice held a public consultation to gather ideas on how the law should be updated with new technologies in mind.

Similar to the comprehensive data privacy laws in other countries, the Basic Law and PPL focus on things such as transparency, the lawful basis for processing data, limiting data use, minimizing data and individual rights.

Despite not having one comprehensive piece of legislation, Israel is still recognized by the EU as providing an adequate level of data protection.

For more information:


Japan

In 2017, Japan’s reformed privacy law took effect, replacing the former Act on Protection of Personal Information (No. 57 of 2003). The new law ("the APPI Amendment 2017") outlines basic data protection policies.

Any business in Japan that holds personal data is required to abide by the APPI Amendment, with some minor exclusions. It includes provisions on third-party transfers, record-keeping, anonymity and breaches, and protects the rights of individuals in regard to their personal data.

The reformed law has helped to get Japan on the EU’s “white list” of countries with adequate data protection legislation.

For more information:


Malaysia

Malaysia’s first comprehensive data privacy legislation came into effect in 2013. The Personal Data Protection Act 2010 (Act 709) consists of seven key principles that work to protect personal and private data.

These are the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle and the Access Principle.

For consent to be valid under Act 709, the subject must receive written notice for the purpose of the data collection, information about their rights and details about who will access their data.

One noticeable difference between Act 709 and the GDPR is that there is no requirement in the PDPA for companies to appoint a data protection officer.

Following a year-long review, the Malaysian government conducted a public consultation on potential reforms to the PDPA. Changes to the Act could include data portability, an expanded scope and data breach notification requirements.

For more information:

Personal Data Protection Act 2010


Mexico

Mexico’s Federal Law on the Protection of Personal Data held by Private Parties 2010 regulates the processing of personal data by private entities.

The law defines “processing” to include many data activities, including the collection, use, disclosure, storage, access, management, transfer and disposal of personal data.

The private sector is also regulated by the Regulations to the Federal Law on the Protection of Personal Data held by Private Parties 2011, the Privacy Notice Guidelines 2013 and the Parameters for Self Regulation 2014.

Mexico’s Federal Institute for Access to Information and Data Protection (IFAI) is assigned with the duty of enforcing the law and issuing regulations.

For more information:


New Zealand

Currently, data privacy in New Zealand is regulated by the 12 Information Privacy Principles outlined in the Privacy Act 1993. These principles focus on the purpose of collecting data, how it is stored and accessed, and limits on the use and disclosure of personal data.

Sector-specific pieces of legislation include the Credit Reporting Privacy Code 2004, the Health Information Privacy Code 1994 and the Telecommunications Information Privacy Code 2003.

However, in 2018 New Zealand began the process to replace the 25-year-old Privacy Act with the Privacy Bill 2018. Key changes included mandatory reporting of breaches, compliance notices and strengthened controls on cross-border data flows.

One key piece of New Zealand’s new privacy legislation is the right of any individual to make a complaint and trigger an investigation into whether or not an organization's data collection practices are lawful.

The bill was passed by New Zealand’s parliament on June 30, 2020.

For more information:


Philippines

The Philippines is said to have one of the strictest privacy laws in the region.

As of 2016, the Republic Act No. 10173 (also called the Data Privacy Act 2012) is the primary legislation governing data privacy in the country.

Under this legislation, if you are collecting personal data about a person, that person has the right to know your identity, your purposes for collecting their data, how their data is being processed and which parties, if any, will have access to their personal data.

Data collectors must also declare the reason or purpose for collecting the personal data, and get specific and informed consent from the subject.

For more information:


Russia

The collection and processing of personal data are governed primarily by the Federal Law on Personal Data 2006 (No. 152-FZ) and the Information, Information Technologies and Information Protection Act 2006 (No. 149-FZ).

A number of general and sector-specific laws include provisions regulating personal data, including the Russian Labor Code 2001, the Russian Air Code 1997 and Articles 23-24 of the Russian Constitution of 1993.

Data protection laws apply to those who organize or process the data and those who determine the purposes of the processing, the content of the data and related operations.

For more information:


South Africa

Data privacy issues are regulated under the Protection of Personal Information (PoPI) Act 2013, several sector-specific laws and the common law. The PoPI Act, which replaced the Electronic Communications and Transactions Act (ECTA) 2002, is based on eight principles that discuss:

  • Rules for collecting, using and processing data
  • Ensuring the quality of the information
  • Upholding standards of transparency and openness
  • Efforts to safeguard against loss, damage or destruction of data

The Constitution of the Republic of South Africa 1996 regulates more general privacy provisions. Section 14, in particular, upholds the general right that all citizens have to privacy.

For more information:



Spain

The Spanish Data Protection Act 1999 (Organic Law 15/1999) is currently in place but, as Spain is an EU Member State, is inconsistent with many of the requirements of the GDPR.

The Spanish Government is in the process of developing a new Act that will work alongside the GDPR. Until this new Act is implemented, Spanish data privacy laws consist of the GDPR and a temporary executive order (“RDL 5”) that focuses mostly on procedural matters.

Both the Law of Information Society Services and Electronic Commerce (Law No. 24/2002) and the Law 9/2014 on Telecommunications have some data protection and privacy-related provisions.

For more information:


Sweden

Sweden's Personal Data Act (1998:204) was repealed in 2018 and replaced by the Swedish Data Protection Act (2018:218) and the Swedish Data Protection Regulation (2018:219) to govern alongside the EU's GDPR.

The data privacy legislation regulates data protection principles, the legal bases for processing personal data, rules around special category data and transparency requirements.

Sector- and industry-specific acts include the Debt Recovery Act 1988, the Credit Information Act 1973, the Patient Data Act (2008:355), the Criminal Data Act 2018 and the Electronic Communications Act 2003.

For more information:


Switzerland

Switzerland’s data privacy laws are governed by the Federal Act on Data Protection (FADP), which was originally implemented in 1993 and revised in 2007 to include the Data Protection Ordinance (DPO).

These laws cover general rules for data privacy and protection, rules for data processing, rules for cross-border transfers, transparency, rules for collecting data in “good faith” and more.

The DPO specifically was enacted to clarify a number of provisions in the FADP, including more details on cross-border transfers of data.

In September 2020, a revision of the FADP was passed, which will take effect in 2022. While the new version of the Act is similar to the GDPR in many ways, it will allow organizations to process data without the subject's consent as long as it does not violate "the personality of the individual." Also unlike the GDPR, breaches are only required to be reported if they pose a "high risk" with a deadline of "as soon as possible" rather than a strict 72 hours.

For more information:


Thailand

Up until 2022, Thailand’s data privacy law was pieced together from provisions of the Constitution, the Credit Bureau Act 2002, the Child Protection Act 2003, the National Health Act 2007 and more.

Effective June 1, 2022, Thailand's first ever consolidated law focused on data protection became fully enforceable. The Personal Data Protection Act was written to mirror the EU’s GDPR in various aspects, such as requiring controllers and processors of data to have valid legal reasons for doing so. Also, like the GDPR, the PDPA guarantees rights to data subjects, including the right to data erasure and portability and the right to be informed and to access, rectify and update data.

For more information:


United Kingdom

The U.K. is currently regulated by the Data Protection Act 2018 which incorporates the EU GDPR and supplements its provisions.

The Data Protection Act 2018 focuses significantly on data subject rights, “special category” personal data, data protection fees, data protection offenses, consent from children and enforcement.

The U.K. is no longer an EU member state as of January 31, 2020, and in July 2022 the House of Commons introduced the Data Protection and Digital Information Bill 2022-2023. The bill is focused on updating and simplifying the UK’s current data protection framework and reducing burdens on organizations while still maintaining a high level of data protection standards.

For more information:


United States

There is no single overarching data privacy legislation in the U.S. Instead, the country follows a sectoral approach to data privacy, relying on a patchwork of sector-specific laws and state laws.

In fact, the U.S. relies on a “combination of legislation, regulation and self-regulation" rather than government intervention alone. There are approximately 20 industry- or sector-specific federal laws, and more than 100 privacy laws at the state level (in fact, there are 25 privacy-related laws in California alone).

The California Consumer Privacy Act (CCPA) gives residents of California four rights that give them more power over their personal data: right to notice, right to access, right to opt in (or out) and right to equal services. Any organization that collects the personal data of California residents, not just businesses located in the state, must comply with CCPA. Read more about complying with the CCPA here.

On January 1, 2023, the Consumer Data Protection Act (CDPA) took effect in Virginia. Under the law, companies that conduct business in the state must get permission from users to process their data. It also gives consumers the rights to view, obtain, delete and correct their data. Unlike the CCPA, companies only have to allow residents to opt out if they will sell the data for financial gain. Read more about the CDPA here.

The most prominent national laws include the Privacy Act 1974, the Privacy Protection Act 1980, the Gramm-Leach-Bliley Act 1999, the Health Insurance Portability and Accountability Act 1996 and the Fair Credit Reporting Act 2018.

The U.S. also has special "Privacy Shield" agreements with both the EU and Switzerland.

For more information:



Uruguay

Data privacy in Uruguay is governed under the "Data Protection Act", which is made up of three parts: Law No. 18,331 on Personal Data Protection and Habeas Data Action 2008 (the primary piece of legislation), Decree No. 664/008 and Decree No. 414/009 (two clarifying decrees).

The Data Protection Act is extremely similar to the GDPR and outlines several principles for those collecting and processing personal data, including: the principle of legality, the principle of truthfulness and veracity, the purpose limitation principle, the principle of prior consent, the principle of data security, the principle of confidentiality and the principle of liability.

For more information:


Venezuela

There is no general legislation for data privacy and protection in Venezuela. Instead, personal and private data is governed by a patchwork of federal, sector-specific and industry-specific laws.

The primary piece of legislation is Article 28 of the Constitution of the Bolivarian Republic of Venezuela 2009. According to the Constitution, there are a set of principles that every entity, person or otherwise, must guarantee if they are to collect or manage personal information.

The principles, collectively called the 'Principles', are those of free will, legality, purpose and quality, temporality or conservation, accuracy and self-determination, security and confidentiality, and guardianship and responsibility.

For more information:


How Case IQ Can Help

If you’re still simply reacting to data breaches, you’re putting your organization, your customers/clients, and your reputation at risk.

With Case IQ’s powerful case management software, you can analyze historic case data so you can take preventive measures, reducing future incidents.

Case IQ is a flexible and configurable solution that can be integrated with your existing reporting systems and third-party hotlines, ensuring no reports slip through the cracks.

Learn more about how Case IQ can reduce resolution time and improve your organization’s investigations here.