A Practical Guide to Data Privacy Laws by Country

Improve your knowledge of (and compliance with) data protection laws around the world with this introductory guide.

Posted by Katie Yahnke on November 5th, 2018

Privacy laws have never been as important as they are today, now that data travels the world through borderless networks. According to Deloitte, the number of privacy laws has grown from 20 to 100 in recent years.

And while these protection laws are (sometimes) good news for those who have data stored or transferred online, it’s not so good for those who have to navigate this mess of inconsistent regulation.

Some countries have sectoral coverage, meaning different industries or trades in the country have their own data privacy laws. Other countries have omnibus coverage, with at least one national data protection law in addition to provincial or sectoral regulations.

With so many rules, it’s hard to be sure you’re compliant. A detailed data security policy can keep things organized.

This introductory guide provides an overview of the many laws, regulations, acts and decrees that regulate data protection and privacy in 30 countries around the world. Under each summary, there are links to top sources to learn more about the legislation in the country.

Argentina

Argentina’s Personal Data Protection Act 2000 (Law No. 25,326) applies to any person or entity in the country that deals with personal data.

The Act states that data can only be collected if the subject has given their informed consent. In addition, the subject has the right to access, correct and delete (or request the deletion of) data.

Argentina’s executive branch is currently drafting a new data protection bill to replace the current regime. The new bill will align closely with the GDPR, building on current legislation with a more comprehensive approach, new concepts and stricter obligations.

Many countries are reforming their laws to match the GDPR, which has become the new gold standard for data protection.

Australia

Australia’s Privacy Act 1988 is the key privacy law that governs both the public and private sectors.

The Privacy Act is based on 13 APPs (Australian Privacy Principles) that cover transparency and anonymity; the collection, use and disclosure of data; maintaining the quality of data; and the data subject’s rights.

In addition to the Federal Privacy Act 1988, data protection is governed by statutory privacy laws (in the majority of Australian states) and sector-specific privacy laws (depending on the data at hand).

For example, organizations that collect, use or disclose health data are governed by separate Health Privacy Principles. Organizations in Queensland that deal with personal data will also be governed by the Information Privacy Act 2009.

Brazil

Brazil’s data protection legislation is a patchwork of several individual laws, codes and frameworks.

Article 5 of Brazil’s Federal Constitution 1988 includes general provisions relating to a person’s right to privacy. The Consumer Protection Code 1990 contains legislation regarding the collection, storage, processing and use of personal data. As well, the Brazilian Internet Act 2014 regulates the protection of privacy and personal data online.

In August 2018, the Brazilian President, Michel Temer, signed off on the new General Data Privacy Law. Following in the EU’s steps, Brazil’s new legislation will have 65 articles and many similarities to the GDPR.

Canada

Canada has 28 federal, provincial or territorial statutes governing data protection and privacy in the country.

At the national level, the collection, use and disclosure of personal information in the private sector is governed by Bill C-6 of the Personal Information Protection and Electronic Documents Act (PIPEDA) 2000. PIPEDA was most recently amended in November 2018 to include mandatory data breach notification and record-keeping requirements. For the public sector, such as federal departments and Crown corporations, data privacy is governed by the Privacy Act 1983.

Provincially, Alberta is governed by the Personal Information Protection Act (PIPA) 2004. British Columbia is governed by an act under the same name, implemented a year earlier. Ontario has its own privacy act too, the Personal Health Information Protection Act 2004.

China

The Standardization Administration of China unveiled the final version of a new privacy bill in January 2018 and by May 2018 the law was in effect.

The new data privacy law, Information Technology – Personal Information Security Specification (GB/T 35273-2017), apparently contains more stringent requirements than the GDPR. The law (referred to as ‘The Standard’) contains provisions related to transparency, personal rights over data and consent.

Prior to this, China’s data privacy framework was made up of several federal laws including the Civil Law of the People’s Republic of China 2017, Cybersecurity Law 2017, Criminal Law 2015, the Decision on Strengthening Protection of Network Information 2012, National Standard of Information Security Technology 2013 and Consumer Protection Law 2014.

Colombia

Data privacy rights and protection are governed by Law 1581/12, Decree 1377/13, Law 1266/08 and Law 1273/09.

Law 1581/12 awards every person the constitutional right to determine how their own data is collected, stored, used, processed or transferred. This law also regulates privacy rights relating to the collection and processing of personal data.

Decree 1377/13 regulates data owner consent, policies on processing treatment of personal data, data owner rights and cross-border transfers of data.

Law 1266/08 regulates data privacy rights related to commercial and financial data, whereas Law 1273/09 contains provisions relating to computer crime, making it a crime to steal, sell or buy personal data, among other offences.

Denmark

Privacy laws in Denmark are regulated under the Danish Act on Data Protection 2018 (Law No. 502 of 23 May 2018), formerly the Danish Act on Processing of Personal Data (Act No. 429 of 31 May 2000).

This new data protection act supplements and implements the General Data Protection Regulation (2016/679). (FYI: EU countries are required to update or enact their own federal privacy acts to match provisions in the GDPR).

The Danish Data Protection Act 2018 contains provisions relating to data processing, the disclosure of personal data, the right of access, the designation of a data protection officer, limits on consent, prohibitions on data transfers, administrative penalties and more.


Finland

Data privacy in Finland will soon be governed by the Data Protection Act 2018 (HE 9/2018 VP), which will repeal and replace the Personal Data Act (523/1999).

The new DPA 2018 in Finland will align with the GDPR (2016/679) more closely than the previous act, loosening the reins where the GDPR provides leeway and strengthening provisions where required too.

However, there are other acts that focus specifically on sectors or industries such as the Act on the Protection of Privacy in Working Life (759/2004) which governs data protection within the labor force, and the Information Society Code (917/2014) which governs domain names, message confidentiality, cookies and telecommunications.

France

France’s Data Protection Act 2 (Law No. 2016-1321) replaces the Data Protection Act (Act No. 78-17) to better support the GDPR and its new provisions. The Data Protection Act 2016 sets expectations for data controllers, processors and recipients regarding personal data.

The act explains that all data processing must be done fairly, lawfully and for legitimate purposes, and that only the minimum amount of data necessary is collected.

The Data Protection Act 2 also outlines several rights of data subjects, including the right to know the identity of the data controller, the purpose of the processing and their rights to collect or transfer the data.

Germany

Germany has been and continues to be a leader in privacy protection with robust laws that provide more protection than many other jurisdictions.

The country’s Federal Data Protection Act 2017 (Bundesdatenschutzgesetz – BDSG), which replaced the Federal Data Protection Act 2001, works alongside the GDPR (2016/679) to outline the general obligations of personal data collectors and processors.

The provisions in the BDSG apply to public and private bodies that collect or process personal information (with several exceptions). Main provisions in the BDSG include the designation of a data protection officer (DPO), rules for scoring and credit checks, criminal law provisions and rules for employment-related data processing.

The BDSG also contains laws regarding subject rights, transferring personal data, informed consent and more.

Greece

Greece is in the process of drafting an updated law to govern alongside the GDPR. Until the new bill is finalized, Law 2472/1997 (Data Protection Law) and its amendments will govern the collection and use of personal data in Greece.

The Data Protection Law applies to both data controllers and processors. Its main principles require data controllers and processors to be lawful, fair, transparent, purposeful, specific, accurate and accountable in their collection and use of personal data.

Sectoral directives include Law 3471/2006 (E-Privacy Directive), which outlines additional obligations, and Law 3917/2011 (Data Retention Directive) which regulates the retention of personal data.

Iceland

Iceland’s data privacy legislation is exceptionally strict and upholds very high standards for privacy and security.

The country’s primary data privacy legislation is the Data Protection and the Processing of Personal Data (Act No. 90/2018) which replaced the Processing of Personal Data (Act No. 77/2000).

The purpose of the new law is to uphold data privacy to the same standards as the GDPR.

The DPA outlines numerous guidelines and rules for data privacy including how to obtain informed consent, when and how to notify the subject that their data has been processed, how to keep personal data secure and rules on transferring data across borders.

India

India has no specific legislation on privacy and data protection. Instead, India’s data privacy legislation is made up of several different laws and acts.

At this time, both the Information Technology Act (No. 21 of 2000) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Privacy Rules 2011) contain specific provisions to protect personal data and other data privacy requirements.

There are also sectoral laws governing personal data collection in the banking and healthcare industries.

India is currently in the midst of drafting one single, comprehensive piece of legislation for data privacy, titled the Indian Personal Data Protection Bill 2018.

Indonesia

Indonesia’s data privacy legislation is pieced together from the Electronic Information and Transactions (EIT) Law (Law No. 11 of 2008) and its Amendment (Law No. 19 of 2016), Regulation No. 82 of 2012 (Reg. 82) and Regulation No. 20 of 2016 (the MOCI Regulation).

However, Indonesia is currently making great strides to draft the Bill on the Protection of Private Personal Data, a data privacy law that’s based on and inspired by provisions from EU law. If passed, it’ll be the first comprehensive law for data privacy in the country.

Regulations in the draft focus on written consent, data breach notifications, data deletion, direct marketing and more.

Israel

Data privacy in Israel is governed by The Basic Law: Human Dignity and Liberty (5752-1992), as well as the Privacy Protection Law (5741-1981). The former sets out the fundamental rights of privacy whereas the latter focuses on the protection of personal data and information.

Similar to the comprehensive data privacy laws in other countries, the Basic Law and PPL focus on things such as transparency, lawful basis for processing data, limiting data use, minimizing data and individual rights.

Despite not having one comprehensive piece of legislation, Israel is still recognized by the EU as providing an adequate level of data protection.

Japan

In 2017, Japan’s reformed privacy law took effect, replacing the former Act on Protection of Personal Information (No. 57 of 2003). The new law (“the APPI Amendment 2017”) outlines basic data protection policies.

Any business in Japan that holds personal data is required to abide by the APPI Amendment, with some minor exclusions. It includes provisions on third-party transfers, record-keeping, anonymity and breaches, and protects the rights of individuals in regard to their personal data.

The reformed law has helped to get Japan on the EU’s “white list” of countries with adequate data protection legislation.

Malaysia

Malaysia’s first comprehensive data privacy legislation came into effect in 2013. The Personal Data Protection Act 2010 (Act 709) consists of seven key points that work to protect personal and private data.

These are the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle and the Access Principle.

For consent to be valid under Act 709, the subject must receive written notice for the purpose of the data collection, information about their rights and details about who will access their data.

One noticeable difference between Act 709 and the GDPR is that the PDPA does not require companies to appoint a data protection officer.

Mexico

Mexico’s Federal Law on the Protection of Personal Data held by Private Parties 2010 regulates the processing of personal data by private entities.

The law defines “processing” to include many data activities, including the collection, use, disclosure, storage, access, management, transfer and disposal of personal data.

The private sector is also regulated by the Regulations to the Federal Law on the Protection of Personal Data held by Private Parties 2011, the Privacy Notice Guidelines 2013 and the Parameters for Self Regulation 2014.

Mexico’s Federal Institute for Access to Information and Data Protection (IFAI) is assigned with the duty of enforcing the law and issuing regulations.

New Zealand

Currently, data privacy in New Zealand is regulated by the 12 Information Privacy Principles outlined in the Privacy Act 1993. These principles focus on the purpose of collecting data, how it is stored and accessed, and limits on the use and disclosure of personal data.

Sector-specific pieces of legislation include the Credit Reporting Privacy Code 2004, the Health Information Privacy Code 1994 and the Telecommunications Information Privacy Code 2003.

However, New Zealand intends to replace the 25-year-old Privacy Act with the Privacy Bill 2018. Key changes include mandatory reporting of breaches, compliance notices and strengthening cross-border data flow.

One key piece of New Zealand’s new privacy legislation is the right of any individual to make a complaint and trigger an investigation into whether or not an organization’s data collection practices are lawful.

Philippines

The Philippines is said to have one of the strictest privacy laws in the region.

As of 2016, the Republic Act No. 10173 (also called the Data Privacy Act 2012) is the primary legislation governing data privacy in the country.

Under this legislation, if you are collecting personal data about a person, that person has the right to know your personal identity, your purposes for collecting their data, how their data is being processed and which parties, if any, will have access to their personal data.

Data collectors must also declare the reason or purpose for collecting the personal data, and get specific and informed consent from the subject.

Russia

The collection and processing of personal data are governed primarily by the Federal Law on Personal Data 2006 (Act No. 152 FZ) and the Information, Information Technologies and Information Protection Act 2006 (Act No. 149 FZ).

A number of general and sector-specific laws include provisions regulating personal data, including the Russian Labor Code 2001, the Russian Air Code 1997 and Articles 23-24 of the Russian Constitution of 1993.

Data protection laws apply to those who organize or process the data and those who determine the purposes of processing, the content of the data and related operations.

South Africa

Data privacy issues are regulated under the Protection of Personal Information (PoPI) Act 2013, several sector-specific laws and the common law. The PoPI Act, which replaced the Electronic Communications and Transactions Act (ECTA) 2002, is based on eight principles that discuss:

  • Rules for collecting, using and processing data
  • Ensuring the quality of the information
  • Upholding standards of transparency and openness
  • Efforts to safeguard against loss, damage or destruction of data

The Constitution of the Republic of South Africa 1996 regulates more general privacy provisions. Section 14, in particular, upholds the general right that all citizens have to privacy.

Spain

The Spanish Data Protection Act 1999 (Organic Law 15/1999) is currently in place but is inconsistent with many of the requirements of the GDPR, which applies to Spain as an EU Member State.

The Spanish Government is in the process of developing a new Act that will work alongside the GDPR. Until this new Act is implemented, Spanish data privacy laws consist of the GDPR and a temporary executive order (“RDL 5”) that focuses mostly on procedural matters.

Both the Law of Information Society Services and Electronic Commerce (Law No. 24/2002) and the Law 9/2014 on Telecommunications have some data protection and privacy-related provisions.

Sweden

Sweden’s Personal Data Act (1998:204) was repealed in 2018 and replaced by the Swedish Data Protection Act (2018:218) and the Swedish Data Protection Regulation (2018:219) to govern alongside the EU’s GDPR.

The data privacy legislation regulates data protection principles, the legal bases for processing personal data, rules around special category data and transparency requirements.

Sector- and industry-specific acts include the Debt Recovery Act 1988, the Credit Information Act 1973, the Patient Data Act (2008:355), the Criminal Data Act 2018 and the Electronic Communications Act 2003.

Switzerland

Switzerland’s data privacy laws are governed by the Federal Law on Data Protection (FLDP), which was originally implemented in 1993 and revised in 2007 to include the Data Protection Ordinance (DPO).

The Swiss data protection law is currently being revised again to align more closely with the GDPR and to ensure the EU continues to see Switzerland’s data protection laws as adequate.

These laws cover general rules for data privacy and protection, rules for data processing, rules for cross-border transfers, transparency, rules for collecting data in “good faith” and more.

The DPO specifically was enacted to clarify a number of provisions in the FLDP, including more details on cross-border transfers of data.

Thailand

The Thai Cabinet is in the midst of drafting and approving the country’s first comprehensive data privacy and protection law.

The Personal Data Protection Bill, as it may be called, requires consent from data subjects prior to collection, imposes penalties for improper practices and calls for instating a commission to regulate compliance.

In the meantime, Thailand’s data privacy law is pieced together with provisions from the Constitution, the Credit Bureau Act 2002, the Child Protection Act 2003, the National Health Act 2007 and more.

United Kingdom

The U.K. is currently regulated by the Data Protection Act 2018, which incorporates the EU GDPR and supplements its provisions.

The Data Protection Act 2018 focuses significantly on data subject rights, “special category” personal data, data protection fees, data protection offenses, consent from children and enforcement.

The U.K. will no longer be an EU member state as of March 29, 2019. However, there has been no word that the U.K. will change its existing data privacy laws.

United States

There is no single overarching data privacy legislation in the U.S. Instead, the country follows a sectoral approach to data privacy, relying on a patchwork of sector-specific laws and state laws.

In fact, the U.S. relies on a “combination of legislation, regulation and self-regulation” rather than governmental intervention alone. There are approximately 20 industry- or sector-specific federal laws, and more than 100 privacy laws at the state level (in fact, there are 25 privacy-related laws in California alone).

The most prominent national laws include the Privacy Act 1974, the Privacy Protection Act 1980, the Gramm-Leach-Bliley Act 1999, the Health Insurance Portability and Accountability Act 1996 and the Fair Credit Reporting Act 2018.

The U.S. also has special “privacy shield” agreements with both the EU and Switzerland.

Uruguay

Data privacy in Uruguay is governed under the “Data Protection Act”, which is made up of three parts: Law No. 18,331 on Personal Data Protection and Habeas Data Action 2008 (the primary piece of legislation), Decree No. 664/008 and Decree No. 414/009 (two clarifying decrees).

The Data Protection Act is very similar to the GDPR and outlines several principles for those collecting and processing personal data, including: the principle of legality, the principle of truthfulness and veracity, the purpose limitation principle, the principle of prior consent, the principle of data security, the principle of confidentiality and the principle of liability.

Venezuela

There is no general legislation for data privacy and protection in Venezuela. Instead, personal and private data is governed by a patchwork of federal, sector-specific and industry-specific laws.

The primary piece of legislation is Article 28 of the Constitution of the Bolivarian Republic of Venezuela 2009. According to the Constitution, there are a set of principles that every entity, person or otherwise, must guarantee if they are to collect or manage personal information.

The principles, collectively called the ‘Principles’, are the principle of free will, legality, purpose and quality, temporality or conservation, accuracy and self-determination, security and confidentiality, guardianship and responsibility.

Katie Yahnke

Marketing Writer

Katie is the marketing writer at i-Sight. She writes on topics that range from fraud, corporate security and workplace investigations to corporate culture, ethics and compliance.
