A high-level guide to writing Terms and Conditions for your website.
This primer overviews the numerous laws and decrees that govern data protection and privacy in different countries. There are links to prominent sources to know more about the country’s legislation.
The country’s data privacy statute applies to both domestic and foreign corporations. The legislation prohibits the transfer of personal data to firms or countries that do not fulfil the act’s data protection criteria.
Argentina’s Personal Data Protection Act of 2000 forbids collecting data without prior express authorization from the user. Companies must adequately tell individuals before collecting any data the following: why the data is gathered, what is being collected, the repercussions of denying disclosure, and the individual’s right to change the data collected. Violation of the law can result in fines ranging from $1,000 to $100,000 (in Argentina peso) and criminal proceedings.
Argentina introduced a new statute in line with the GDPR standards in 2019. Proposed amendments to the legislation include definitions for biometric data, an explanation of automated data processing, confirmation of permission ownership, and informed consent by minors.
The policy must be open and straightforward.
For public safety, Australian law can compel companies to grant access to information when asked. Agencies must reply within 30 days, while corporations must answer within a “reasonable” time. The Office of the Australian Information Commissioner (OIAC) investigates all complaints and imposes penalties for violations.
Brazil’s data protection legislation consists of different laws and frameworks.
Article 5 of Brazil’s Federal Constitution of 1988 contains general rules concerning the right to privacy. The Consumer Protection Code of 1990 governs personal data acquisition, storage, processing, and use. In addition, the Brazilian Internet Act 2014 oversees online privacy and personal data protection.
President Michel Temer signed the new General Data Privacy Law in August 2018. Following the EU’s footsteps, Brazil’s new law will have 65 provisions that resemble the GDPR.
Canada has a total of 28 legislations respecting data protection and privacy.
At the national level, Bill C-6 of the Personal Information Protection and Electronic Documents Act (PIPEDA) 2000 governs the private sector’s collection, use, and disclosure of personal information. In November 2018, PIPEDA was updated to include obligatory data breach notification and record-keeping rules. The Privacy Act of 1983 governs data privacy in the public sector, including federal ministries and Crown Corporations.
In November 2020, the Minister of Information, Science, and Economic Development introduced Bill C-11, the Digital Charter Implementation Act. Once approved, the Act’s amendments would include new consent standards, data probability, information deletion rights, and sanctions for violations.
Personal Information Protection Act (PIPA) 2004 rules in Alberta and British Columbia, while the Personal Health Information Protection Act 2004 is the governing law in Ontario.
Quebec presented Bill 64, “An Act to Modernize Legislative Provisions Regarding Personal Information Protection,” in June 2020. This would involve new enforcement tools and modifications to the province’s reporting, openness, and consent policies.
With one of the world’s most online and mobile users, China has recently enacted many laws regulating cyberspace to safeguard the acquisition and sharing of personal information. The Cybersecurity Law of 2017 mandates that users must give their consent before a website can collect, store, and use their data. The law defined the fundamental rules for data protection and the type of data that can be gathered.
The most recent Personal Information Security Specification regulation establishes criteria on how businesses can collect, divulge, inform, and exchange data.
The country’s Statutory Law No. 1581 of 2012 established a “constitutional right” to access and amend any personal data acquired by databases.
The Danish Act on Data Protection 2018 Act, previously known as the Danish Act on Processing of Personal Data Law, governs privacy regulations in Denmark.
The General Data Protection Regulation (2016/679) is supplemented and implemented by this new data protection statute. (FYI: EU nationals must amend or pass their own federal privacy statutes to align with GDPR regulations.)
The Danish Data Protection Act 2018 includes regulations on data gathering, disclosure of personal data, access rights, the appointment of a data protection officer, consent restrictions, bans on data transfers, administrative fines, and more.
The European Union’s General Data Protection Regulation (GDPR) of 2018 is the world’s most significant and comprehensive privacy regulation. The GDPR has influenced every country’s privacy regulation, with several countries passing new legislation to meet the GDPR’s stringent criteria.
The GDPR has tightened the standards for consent and provided the elements for an “acceptable consent.” A variety of increased data protection rights are granted to users. Privacy policies must now be stated in plain and understandable terms.
Understanding the GDPR is crucial since it has affected and will continue to influence privacy legislation worldwide.
The New Decree No. 2019-536 paved the way for the creation of the French Data Protection Act. The law adheres to GDPR requirements while strengthening the French Data Protection Authority.
In compliance with the GDPR, the legislation applies to gathering private and sensitive data, which has been expanded to include biometric data and sexual orientation. Parental consent is necessary for minors under 15. However, children beyond this age can assent without parental consent for medical research and surveys.
Companies should be aware of the new provisions in the legislation relating to individual rights. Subjects now have the right to regulate the disclosure and use of their personal data after death (“post-mortem right to privacy”).
The Data Protection Act 2018, which repealed the Personal Data Act, is Finland’s new governing law in data privacy.
The said law is more aligned with the GDPR than the previous act, easing the restraints where the GDPR gives discretion and tightening restrictions where necessary.
Other legislation, such as the Act on the Protection of Privacy in Working Life, rules data protection in the labor sector. Meanwhile, the Information Society Code covers domain names, message confidentiality, cookies, and telecommunications and applies to most industries.
Germany is a trailblazer in privacy protection, enacting laws that are more stringent than in many other nations.
The Federal Data Protection Act of 2017, which superseded the Federal Data Protection Act of 2001, works in accordance with the GDPR to define the broad duties of user information collectors and controllers.
The BDSG requirements apply to public and commercial entities that gather or process personal information (with exceptions). The BDSG’s main components are the designation score and credit check standards, provisions in criminal law, and restrictions on job-related data processing.
The BDSG also includes legislation governing subject rights, personal data transfers, informed consent, and other topics.
Greece’s laws were amended in 2019 to meet the GDPR and EU Commission deadlines. When residents’ sensitive data are processed, the laws safeguard their rights.
The Hellenic Data Protection Authority (HDPA) is the governing agency in Greece. It has the authority to levy monetary fines. Individuals can file claims for violations with local courts and judicial committees.
Under the law, children above 15 can consent without a parent’s approval. Procedures on how to amend or deny consent and the right to access data should be included in privacy policies.
When sensitive information is gathered, Hong Kong’s Personal Data Ordinance (PDPO) safeguards privacy rights. According to the ordinance’s requirements, data should be appropriately obtained, and people should be adequately informed.
The regulation requires data users and processors to encrypt gathered information and capture only “necessary” data. Individuals maintain the right to access and restrict data gathering.
Violations of the ordinance are punishable by penalties of up to HK$50,000 and a maximum of two years in jail.
Iceland’s data privacy law is extremely stringent and enforces high security and confidentiality requirements.
The Data Protection and the Processing of Personal Data, which superseded the Processing of Personal Data, is Iceland’s fundamental data security legislation. The law aims to hold privacy protection to the same levels as the GDPR.
The DPA defines several data privacy standards and laws, such as how to acquire informed permission, how and when to tell consumers their data has been handled, how to keep private details safe, and rules for moving data across borders.
The Information Technology Act and the Information Technology Rules of 2011 control privacy laws in India. The laws and guidelines compel any corporation or organization that gathers, maintains, shares, or utilizes “sensitive information” to employ “reasonable security methods” to secure the data. The legislation mandates the provision of a Private Policy outlining how the data is gathered, the identity of the organization collecting the data, and opt-in and opt-out choices.
In 2018, a new bill was suggested to broaden India’s privacy rules. The Personal Data Protection Bill will expand individuals’ data rights, provide cross-border regulations, and provide solutions for violations of the act.
The Electronic Information and Transactions (EIT) Law (Law No. 11 of 2008) and its Amendment (Law No. 19 of 2016), Regulation No. 82 of 2012 (Reg. 82), and Regulation No. 20 of 2016 comprise Indonesia’s data protection laws (the MOCI Regulation).
However, Indonesia is working hard to design the bill on the Protection of Private Personal Data, a data security law based on and inspired by EU law requirements. If enacted, it will be the country’s first detailed data privacy law.
The draft rules address written permission, data breach notifications, modification, digital selling, and other issues.
The Data Protection Act 1988 – 2018, which includes the GDPR requirements, the Data Protection Acts of 1988 and 2003, and additional legislation, governs Ireland’s privacy acts. The new statute establishes the Data Protection Commission to oversee privacy rules.
The revised Act Protection of Personal Information (APPI) in Japan protects personal details. It provides the restrictions that businesses must follow. Personal information is defined broadly under the legislation. It includes dates of birth, identifying numbers, socioeconomic standing, and creed.
The latest modification broadens the act’s authority to include firms outside Japan that gather personal information about Japanese residents.
Japan maintains a “white list” of nations and businesses that fulfill its data transfer criteria. It is critical to verify Japan’s list to determine if your country and firm are included.
Violations of the statute may result in hefty monetary penalties or imprisonment for up to two years.
In 2013, Malaysia’s first detailed data privacy regulation went into force. The Personal Data Protection Act of 2010 (Act 709) comprises seven essential components that work together to secure personal and sensitive data.
To be legal under Act 709, the subject must be given written notice of the objective of the data collection, along with information about his rights and who will have access to their records.
The PDPA does not require enterprises to designate a data protection officer, a notable distinction between Act 709 and the GDPR.
Following a year-long assessment, the Malaysian government held a public consultation on prospective PDPA changes. Changes to the Law might include data transfer, a broader scope, and reporting requirements for data breaches.
The Federal Law on the Protection of Personal Data Held by Private Properties governs the handling of private details for private entities.
The term “processing” is defined under the legislation to comprise a wide range of data activities, such as the collection, application, disclosure, storage, use, control, transfer, and deletion of private information.
The Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties 2011, the Privacy Notice Guidelines 2013, and the Parameters for Self-Regulation 2014 also apply to the private sector.
The Federal Institute for Access to Information and Data Protection (IFAI) of Mexico is charged with implementing the law and creating rules for its enforcement.
Data security in the country is governed by the Privacy Act 1993’s 12 Information Privacy Principles. These principles address the following topics: the aim of data collection, how information is recorded and accessed, and limitations on using and disseminating personal information.
The Credit Reporting Privacy Code 2004, the Health Information Privacy Code 1994, and the Telecommunications Information Privacy Code 2003 are all industry-specific legislations.
On the other hand, New Zealand aims to replace the 25-year-old Privacy Act with the Privacy Bill 2018. Fundamental changes include obligatory breach reporting, compliance notifications, and increased cross-border data movement.
The power of any user to lodge a complaint and initiate an inquiry into whether or not the data gathering methods are legitimate is a crucial component of the country’s new privacy law.
The 2012 Privacy Act has identical rules and restrictions to the GDPR, making it among the most stringent in Asia.
Personal data are regulated by many universal and sector-specific legislation, such as the Russian Labor Code 2001, the Russian Air Code 1997, and Articles 23-24 of the 1993 Russian Constitution.
Data protection rules apply to individuals who collect or process data and establish the purposes of the processing, data content, and associated operations.
The Spanish Data Protection Act 1999 (Organic Law 15/1999) is now in effect; however, it contradicts several of the GDPR standards (Spain is a member of the EU).
The Spanish government is working on a new law that will function together with the GDPR. Until this new Act takes effect, Spanish data privacy rules are comprised of the GDPR and a temporary executive order (“RDL 5”), which focuses primarily on procedural issues.
Information security and privacy regulations are included in the Law of Information Society Services and Electronic Commerce (Law No. 24/2002) and Law 9/2014 on Telecommunications.
While only some parts Protection of Personal Information Act of 2013 (POPIA) have been implemented, many businesses are already complying with the said law and the GDPR.
Data gathering is only permissible under POPIA if there is a justified purpose. The statute covers justifications such as conscious and voluntary consent or fulfillment of a contract.
The country’s primary privacy law is the Personal Information Protection Act (PIPA). The statute regulates the transfer and gathering of citizens’ private information. Companies are mandated under the act to acquire consent, explain how the data is shared, decline data collection, and fully notify consumers of their rights.
In conjunction with PIPA, South Korea recently approved the Network Act, which requires foreign corporations that gather data from Korean residents to have a representative in the country. South Korea is proposing PIPA adjustments concerning the GDPR to comply with the EU Commission.
Sweden has one of the strictest privacy rules in Europe and was among the first nations to punish a company following the implementation of the GDPR. The Personal Data Act protects all types of user information against mishandling or exploitation.
According to the statute, companies must get informed permission, and consumers must be informed appropriately before granting consent. Companies who violate it may face fines from the Swedish Data Protection Authority.
The Federal Act on Data Protection (FADP), which was first adopted in 1993 and was updated in 2007 to incorporate the Data Protection Ordinance (DPO), governs data privacy in the country.
These laws address general data privacy and security requirements, rules for data acquisition and cross-border transfers, accessibility, rules for data collection in “good faith,” and other topics.
The DPO was intended to clarify various aspects of the FADP, including additional information on cross-border data transfers.
The FADP was revised in September 2020 and became effective in 2022. While the revised version of the Act is comparable to the GDPR, it would enable companies to handle data without the subject’s approval, provided that it does not violate the individual’s personality. But unlike GDPR, breaches must be disclosed only if they present a “high risk,” with a deadline of “as soon as possible” rather than a mandatory 72 hours.
The Thai Cabinet is preparing and passing the country’s first detailed data privacy and protection legislation.
The Personal Data Protection Bill demands data subjects’ consent before use, levies fines for illegal procedures, and asks for the establishment of a commission to supervise compliance.
Meanwhile, Thailand’s data privacy legislation is a patchwork of rules from the Constitution, the Credit Bureau Act of 2002, the Child Protection Act of 2003, and the National Health Act of 2007.
Privacy rules in the United States are state and sectoral-created rather than national coverage. The Health Insurance Portability and Accountability Act (HIPAA), which protects citizens’ medical information, is one of the privacy laws enforced by the federal government.
The Federal Trade Commission (FTC) implements company privacy rules while protecting US consumers. The FTC does not mandate Privacy Policies, although incorporating one is strongly advised. The FTC also has stringent privacy standards in place for minors. The Children’s Online Privacy Protection Act (COPPA) governs websites and applications that collect information from children under thirteen.
Compliance with several state rules may perplex US and international businesses. However, there have been a few crucial ones you should be aware of.
California has the most comprehensive and toughest privacy regulations in the United States. The California Online Privacy Protection Act (CalOPPA) secures California residents’ personal data transfer and collecting. CalOPPA’s authority extends beyond California and any firm that gathers information from California citizens.
California just added the California Consumer Privacy Act to its roster of privacy laws (CCPA). The CCPA established new protections in data gathering for organizations. The opportunity to opt-out of data collection, a statement of the sources of the obtained information, and listings of data sold and released for commercial reasons in the last 12 months are all required under the revised policies.
The Shield Act of New York safeguards the private data of New York citizens gathered by the city government and international corporations. The New York statute allows businesses to protect personal data, but practices must adhere to the act’s criteria. The Shield Act covers biometric information, emails, and bank accounts.
The state of Washington has yet to enact the Privacy Legislation (WPA). If approved, the act would contain several restrictions comparable to California’s CCPA. The WPA mandates opt-out alternatives, disclosure of data collection categories, and extensive security standards.
There is no national regulation governing data privacy and protection in the country. Private data protection is controlled by an assembly of federal, sector-specific, and industry-specific legislation.
However, Article 28 of the 2009 Constitution of Venezuela provides that every business, person or otherwise, that collects or manages personal details must adhere to a set of criteria.
The Data Protection Act of 2018 guards personal information gathered by businesses, institutions, and the state. To comply with the legislation, you must adhere to the act’s rigorous “data protection principles.” These principles advocate openness, using data for specific goals, updating data, and implementing protections to preserve the data.
The Information Commissioner’s Office (ICO) is an independent body that safeguards and enforces privacy laws.