
A privacy policy is a part of your website that declares how the site visitors’ data is collected and used. As a legal document, it is a binding statement of how your company protects the data of those who visited, logged in, subscribed, paid, or made a transaction within your website.

In many countries, a Privacy Policy is a legally required document that should be accessible from every page of your website. Providing clear and transparent detail about the data your site collects and how it is processed helps you maintain the trust of your visitors.

This article outlines the different privacy laws in different countries around the world, including links for further reading.


Argentina

The country’s data privacy statute applies to both domestic and foreign corporations. The legislation prohibits the transfer of personal data to firms or countries that do not fulfill the act’s data protection criteria.

Argentina’s Personal Data Protection Act of 2000 forbids collecting data without the user’s prior express authorization. Before collecting any data, companies must adequately inform individuals of the following: why the data is gathered, what is being collected, the repercussions of refusing disclosure, and the individual’s right to change the data collected. Violation of the law can result in fines ranging from $1,000 to $100,000 (in Argentine pesos) and criminal proceedings.

Argentina introduced a new statute in line with the GDPR standards in 2019. Proposed amendments to the legislation include definitions for biometric data, an explanation of automated data processing, confirmation of permission ownership, and informed consent by minors.

Recent Privacy Updates

On June 30, 2023, the Argentinian data protection authority (“AAIP”) announced that the Argentine Executive Branch had submitted the newly proposed Personal Data Protection Bill to the National Congress for consideration. The Bill was drafted by the AAIP. In particular, the AAIP noted that the bill is the result of a participatory, open, and transparent debate carried out within its process for the participatory elaboration of norms, through which a total of 173 opinions, contributions, and comments from 123 stakeholders were received. The bill aims to amend and update Law No. 25,326 on the Protection of Personal Data in order to expand data subjects’ rights and create a framework that reconciles technological innovation, economic development, and the human right to the protection of personal data.

Notably, the bill would introduce key provisions, including on:

  • A newly established principle of extraterritoriality;
  • The principles of lawfulness, fairness, and transparency;
  • the principles of purpose specification, data minimization, accuracy, and accountability;
  • Consent and its characteristics;
  • The processing of data in the public sector;
  • The special protection of the personal data of children and adolescents;
  • International data transfers, as the bill would establish mechanisms to allow the cross-border flow of personal data;
  • Data subject rights, including the right to be informed, of access, rectification, restriction, and deletion; and
  • Several obligations for data controllers, including those relating to privacy impact assessments.

Australia

The Privacy Act of 1988 and the 13 Australian Privacy Principles (“APPs”) govern Australia’s data privacy rules. These statutes compel businesses to communicate transparently with consumers.

Under the law, businesses must develop a data privacy policy that specifies:

  • the type of data stored,
  • its purpose,
  • how a person may access the information,
  • complaint procedure for policy violation,
  • and information on data disclosure.

The policy must be open and straightforward.

For public safety, Australian law can compel companies to grant access to information when asked. Agencies must reply within 30 days, while corporations must answer within a “reasonable” time. The Office of the Australian Information Commissioner (OAIC) investigates all complaints and imposes penalties for violations.

Recent Privacy Updates

Over the last five years, a major reform to the Australian Privacy Act of 1988 has been in the works. Last December, amendments were quickly approved after Australia experienced a wave of harmful data breaches. Increased fines are now available and can be greater than $50 million AUD (which is about $33 USD), three times the value of the benefit derived from a breach, or 30 percent of adjusted turnover. The Office of the Australian Information Commissioner also now has expanded enforcement powers to tackle breaches more expediently and efficiently.

In February 2023, more progress was made after the Attorney General’s office completed a long-awaited review of the law and offered 116 new proposals. Overall, the goal is to keep the law intact but greatly expand consumer protections to be closer to the GDPR. Proposals include adding a right to be forgotten, availability of private actions for certain breaches, more regulation over targeted advertising, public transparency requirements, strengthening the definition of personal information, and security enhancements for international data transfers.

The public comment period on these proposals closed at the end of March, so more movement on this front is expected at some point this year.

Brazil

Brazil’s data protection legislation consists of different laws and frameworks.

Article 5 of Brazil’s Federal Constitution of 1988 contains general rules concerning the right to privacy. The Consumer Protection Code of 1990 governs personal data acquisition, storage, processing, and use. In addition, the Brazilian Internet Act 2014 oversees online privacy and personal data protection.

President Michel Temer signed the new General Data Privacy Law in August 2018. Following the EU’s footsteps, Brazil’s new law will have 65 provisions that resemble the GDPR.

Recent Privacy Updates

Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) went into effect in August 2020, but the criteria for issuing sanctions were not released until earlier this year. The LGPD applies when an organization processes personal data that is in Brazil or was collected in Brazil. The LGPD has expanded consumer rights, including the ability to access information about anyone who has been given their personal data and the right to ask whether an organization stores certain data.

The Brazilian Data Protection Authority has received a large number of violation complaints and data breach notices, finding the presence of inadequate safeguards in eight matters as of March 2023. Enforcement is expected to pick up now that there is clarity around sanctions. Warnings, partial or total bans on data processing activities in Brazil, and financial penalties are available. Fines can be up to two percent of an organization’s revenue with a cap of 50 million Brazilian reals (which is just below one million USD) for each breach under the law.

The Brazilian Data Protection Authority has indicated that it will start with warnings and small fines before issuing severe penalties. Regulators will also take various factors into account when calculating fines, including how serious the violation was, what type of data is at issue, whether the party made good-faith efforts to protect the data appropriately, and how quickly the party corrects infringements. This illustrates that the regulators understand compliance will take time as the landscape evolves: they will work with organizations to bring their compliance programs up to par, and more leniency will be afforded where there is evidence of good-faith efforts to protect personal data.

Canada

Canada has a total of 28 pieces of legislation concerning data protection and privacy.

At the national level, Bill C-6 of the Personal Information Protection and Electronic Documents Act 2000 (“PIPEDA”) governs the private sector’s collection, use, and disclosure of personal information. In November 2018, PIPEDA was updated to include obligatory data breach notification and record-keeping rules. The Privacy Act of 1983 governs data privacy in the public sector, including federal ministries and Crown Corporations.

In November 2020, the Minister of Innovation, Science and Economic Development introduced Bill C-11, the Digital Charter Implementation Act. Once approved, the Act’s amendments would include new consent standards, data portability, information deletion rights, and sanctions for violations.

The Personal Information Protection Act (“PIPA”) 2004 applies in Alberta and British Columbia, while the Personal Health Information Protection Act 2004 is the governing law in Ontario.

Quebec presented Bill 64, “An Act to Modernize Legislative Provisions Regarding Personal Information Protection,” in June 2020. This would involve new enforcement tools and modifications to the province’s reporting, openness, and consent policies.

Recent Privacy Updates

In Canada, there are different federal, provincial, and territorial privacy laws, the application of which depends upon a variety of different factors (i.e., type of organization, jurisdiction of organization, type of information, cross-border transfer of information, etc.).

There are two federal privacy laws:

  1. The Privacy Act, which covers how the federal government handles personal information (“PI”); and
  2. The Personal Information Protection and Electronic Documents Act (“PIPEDA”), which covers how businesses handle PI.

The PIPEDA applies to:

  • (i) private-sector entities across Canada that collect, use, or disclose PI in the course of commercial activity;
  • (ii) PI of employees of federally regulated businesses, including banks, airlines, and telecommunications companies; and
  • (iii) PI that is transferred, in the course of commercial activities, across the provincial, territorial, and national borders of Canada.

Alberta, British Columbia, and Quebec have their own private-sector privacy laws which have been deemed substantially similar to the PIPEDA:

  • Alberta: Personal Information Protection Act, SA 2003, c P-6.5 (“Alberta PIPA”).
  • British Columbia: Personal Information Protection Act, SBC 2003, c 63 (“BC PIPA”).
  • Quebec: Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 (“Quebec Act”).

Organizations that collect, use, or disclose PI from within these provinces are generally exempt from the PIPEDA. However, the PIPEDA is applicable to organizations that transfer PI outside of these provinces (including to other provinces).

The Quebec Act has been significantly amended by the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, 2021, c 25 (“Law 25”), which introduces new and amended requirements for private-sector organizations in Quebec (i.e., confidentiality incident reporting, data protection officer requirements, increased penalties and fines, etc.). The amendments are entering into force in phases, on: September 22, 2022; September 23, 2023; and September 22, 2024.

The PIPEDA, Alberta PIPA, BC PIPA, and the Quebec Act will collectively be referred to as “principal legislation”.

Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador have legislation substantially similar to the PIPEDA regarding the collection, use, and disclosure of personal health information.

Organizations should be aware of the proposed private-sector federal legislation, Bill C-27 (Digital Charter Implementation Act, 2022), which introduces new consumer protection legislation to repeal parts of the PIPEDA and replace them with a new legislative regime governing the collection, use, and disclosure of PI for commercial activity in Canada. This bill also introduces new rules to mitigate biased outputs and the potential risks and harms of high-impact artificial intelligence systems.

China

With one of the world’s largest populations of internet and mobile users, China has recently enacted many laws regulating cyberspace to safeguard the acquisition and sharing of personal information. China promulgated and implemented the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) in 2021, which join the Cybersecurity Law implemented in 2017. These three laws comprise the legal framework for managing data in the country. The Cybersecurity Law and the Data Security Law focus on protecting public interests and national security, whereas the PIPL safeguards individuals’ rights and interests in the processing of personal information.

The Data Security Law (DSL) of 2021 was enacted for the purpose of regulating data processing, ensuring data security, promoting the development and utilization of data, protecting the lawful rights and interests of individuals and organizations, and safeguarding the sovereignty, security, and development interests of the state of China.

The Personal Information Protection Law (PIPL) of 2021 was enacted for the purposes of protecting the rights and interests of personal information, regulating personal information processing activities, and promoting the reasonable use of personal information.

The Cybersecurity Law of 2017 mandates that users must give their consent before a website can collect, store, and use their data. The law defined the fundamental rules for data protection and the type of data that can be gathered.

Recent Privacy Updates

The CAC published the final version of the “Measures for the Standard Contract for Cross-border Transfer of Personal Information” (the Measures) and the “Standard Contractual Clauses for Cross-border Transfer of Personal Information” specified in the Personal Information Protection Law (PIPL SCCs) on February 22, 2023. Both the Measures and the PIPL SCCs take effect on June 1, 2023. The PIPL SCCs allow personal data to be transferred outside China without undergoing a security assessment under the PIPL.

China’s six-month grace period that gave businesses time to comply with the security assessment standards stated in the PIPL and the Measures expired on March 1, 2023. Only two businesses have officially gotten approval from the CAC to send data across borders. One was for a collaborative research project between a Chinese hospital and a Dutch medical facility, while the other was from a Chinese state-owned airline. International business applications have not received approval yet.

The State Council of China revealed plans on March 7, 2023, to merge the country’s privacy functions into a single National Data Bureau to resolve the anomalies in managing China’s data and security regulations.

Colombia

The country’s Statutory Law No. 1581 of 2012 established a “constitutional right” to access and amend any personal data acquired by databases.

Decree 1377 of 2013 is another regulation requiring express and informed permission before data collection. It mandates a Privacy Policy or Privacy Notice that explains how data is collected, how they are used by third parties, and an individual’s data privacy rights. If you have a business in Colombia, your Privacy Policy should be written in English and Spanish to minimize misunderstanding.

Decree 886 of 2014 and Decree 090 of 2018, issued by the Ministry of Commerce, Industry and Tourism, regulate the National Register of Data Bases and set deadlines for the registration of existing databases in Colombia.

Recent Privacy Updates

Title V of the Sole Circular issued by the Superintendence of Industry and Commerce provides additional guidelines regarding the following matters: (i) the processing of financial data, credit records, and commercial information; (ii) the National Register of Data Bases and (iii) International Data Transfers.

Denmark

The Danish Act on Data Protection 2018, previously known as the Danish Act on Processing of Personal Data, governs privacy regulation in Denmark.

The General Data Protection Regulation (2016/679) is supplemented and implemented by this new data protection statute. (Note: EU member states must amend or pass their own national privacy statutes to align with the GDPR.)

The Danish Data Protection Act 2018 includes regulations on data gathering, disclosure of personal data, access rights, the appointment of a data protection officer, consent restrictions, bans on data transfers, administrative fines, and more.

Recent Privacy Updates

The Schrems II judgment (Case C-311/18) of 16 July 2020, which requires additional safeguards for data transfers to the US and some other non-EU countries, is still very much on the agenda.

Furthermore, the Danish Data Protection Agency (an independent authority that supervises compliance with the rules on the protection of personal data) has recently established a working group consisting of experts to identify possible and practical solutions to use cloud services within the GDPR and national regulation of personal data.

European Union Countries

The European Union’s General Data Protection Regulation (GDPR) of 2018 is the world’s most significant and comprehensive privacy regulation. The GDPR has influenced every country’s privacy regulation, with several countries passing new legislation to meet the GDPR’s stringent criteria.

The GDPR has tightened the standards for consent and provided the elements for “acceptable consent.” A variety of increased data protection rights are granted to users. Privacy policies must now be stated in plain and understandable terms.

Understanding the GDPR is crucial since it has affected and will continue to influence privacy legislation worldwide.

Recent Privacy Updates

On July 19, 2023, the European Data Protection Board (“EDPB”) issued an Information Note regarding data transfers to the U.S. following the adoption of an adequacy decision on the EU-U.S. Data Privacy Framework (the “Data Privacy Framework”) on July 10, 2023 (the “Information Note”).

In the Information Note, the EDPB confirms that from July 10, data transfers from the EU to organizations that are self-certified to the Data Privacy Framework and are included on the Data Privacy Framework List, which is maintained by the U.S. Department of Commerce, may proceed on the basis of the adequacy decision. Companies making such transfers do not need to rely on one of the alternative transfer mechanisms set forth under Article 46 of the EU General Data Protection Regulation (“GDPR”), nor do they need to implement supplementary measures.

Importantly, the Information Note clarifies the impact of the adequacy decision for companies that are not certified under the Data Privacy Framework. According to the EDPB, organizations that rely on one of the alternative transfer mechanisms set forth under Article 46 of the GDPR to transfer data from the EU to the U.S. (such as Standard Contractual Clauses or Binding Corporate Rules) should take into account the assessment conducted by the European Commission in the context of the adequacy decision when drafting their transfer risk assessments.

As a result of the Schrems II judgment, controllers relying on a transfer mechanism under Article 46 of the GDPR to transfer personal data outside the European Economic Area (“EEA”) must verify, on a case-by-case basis and in collaboration with the data importers, as appropriate, whether the law of the importer’s country ensures a level of protection for the personal data that is essentially equivalent to the EEA’s protections (i.e., conduct transfer risk assessments). If not, supplementary measures must be implemented to help ensure that the requisite level of protection is in place. The task of conducting and documenting transfer risk assessments may therefore be simplified for data exporters transferring personal data to the U.S.

The Information Note also clarifies the procedures for data subjects to submit complaints and make use of the new redress mechanism.

France

The New Decree No. 2019-536 paved the way for the creation of the French Data Protection Act. The law adheres to GDPR requirements while strengthening the French Data Protection Authority.

In compliance with the GDPR, the legislation applies to the gathering of private and sensitive data, a category that has been expanded to include biometric data and sexual orientation. Parental consent is necessary for minors under 15. However, children beyond this age can consent without parental approval to medical research and surveys.

Companies should be aware of the new provisions in the legislation relating to individual rights. Subjects now have the right to regulate the disclosure and use of their personal data after death (“post-mortem right to privacy”).

Recent Privacy Updates

Mobile apps, artificial intelligence, and cybersecurity will be the main focus areas of France’s data protection authority, the Commission Nationale de l’informatique et des libertés (CNIL), in the coming years. During the IAPP Data Protection Intensive: France this week in Paris, CNIL Secretary General Louis Dutheillet de Lamothe laid out the regulator’s focus areas, as well as the projects it has or will soon launch in those key areas. According to Dutheillet de Lamothe, the EU General Data Protection Regulation brought a revolution for accountability and, though it led to progress, it still needs to be solidified in practice.

The DPA still faces some operational challenges, which have incentivized it to change how it accompanies organizations through compliance. Among others, the CNIL is adjusting its sandbox process. Launched in early 2022, this process started thematically, first addressing data protection and privacy questions raised on health data and then advertising technology. It received positive feedback about the sandbox, including that it is a useful tool and has attracted a lot of candidates, but it is also resource-intensive for the CNIL.

Currently, the CNIL is moving to a nonthematic approach and will select projects based on several criteria, primarily ones that could impact personal data protection, convey innovative ideas raising questions of legal certainty, and benefit from the regulator’s help. The CNIL will test the system in 2023. Dutheillet de Lamothe reassured DPI delegates and said the CNIL is implementing walls between its legal support and control teams, to give participating organizations confidence that they do not need to be concerned by the CNIL’s control arm if they implement the sandbox team’s recommendations.

The CNIL also introduced a simplified, nonpublic procedure that will be faster than a standard procedure. In this context, the CNIL can launch “dry procedures” to notify a compliance breach to an organization. When it is “sufficiently certain” there is a problem, the CNIL can issue a nonpublic formal notice, without an enforcement nature, to incentivize the organization to bring its practices into compliance. In this system, the formal notice will be reserved for a limited number of specific cases.

As a prolific regulator, the CNIL also faces a communication challenge in ensuring that the privacy community and the wider public are aware of, and can access, its positions and decisions, so as to better grasp the full extent of its doctrine. To that end, it has embarked on a major project to catalog all its decisions, positions, and relevant jurisprudence, and aims to publish the guide in French towards the end of the year.

Finland

The Data Protection Act 2018, which repealed the Personal Data Act, is Finland’s new governing law in data privacy.

The said law is more aligned with the GDPR than the previous act, easing the restraints where the GDPR gives discretion and tightening restrictions where necessary.

Other legislation, such as the Act on the Protection of Privacy in Working Life, governs data protection in the labor sector. Meanwhile, the Information Society Code covers domain names, message confidentiality, cookies, and telecommunications, and applies to most industries.

Recent Privacy Updates

Other key Finnish laws concerning data privacy and protection are:

  • The Act on Electronic Communication Services 917/2014 (Laki sähköisen viestinnän palveluista) of January 1, 2015, which aims to, inter alia, ensure the confidentiality of electronic communication and the protection of privacy;
  • The Act on the Protection of Privacy in Working Life 759/2004 (‘Working Life Act’) (Laki yksityisyyden suojasta työelämässä), which aims to promote the protection of privacy and other rights safeguarding privacy in working life; and
  • The Act on the Processing of Personal Data in Criminal Cases and in connection with Maintaining National Security 1054/2018 (Laki henkilötietojen käsittelystä rikosasioissa ja kansallisen turvallisuuden ylläpitämisen yhteydessä), which entered into force on January 1, 2019 along with the Data Protection Act.

The Working Life Act includes specific provisions on privacy issues relating to employment and work environments, such as the right to monitor employees’ email communication. The protection of employees’ privacy has traditionally been strict in Finland; the country uses the national leeway provided in the GDPR with regard to processing personal data in the context of employment and maintains a specific law on privacy in working life.

Germany

Germany is a trailblazer in privacy protection, enacting laws that are more stringent than in many other nations.

The Federal Data Protection Act of 2017 (“BDSG”), which superseded the Federal Data Protection Act of 2001, works in accordance with the GDPR to define the broad duties of user information collectors and controllers.

The BDSG requirements apply to public and commercial entities that gather or process personal information (with exceptions). The BDSG’s main components are the designation score and credit check standards, provisions in criminal law, and restrictions on job-related data processing.

The BDSG also includes legislation governing subject rights, personal data transfers, informed consent, and other topics.

Recent Privacy Updates

A rise in enforcement activity by the data protection authorities is expected, e.g., in the context of the use of cookies. In addition, it is likely that data protection authorities will perform more random audits to monitor compliance with data protection law, particularly if triggered by individual complaints or prompted by personal data breaches. Finally, the outlines of a rise in damage claims for non-material damages can be observed.

In Germany, a regulation on consent management services under the Telecommunications Telemedia Data Protection Act (TTDSG) has been initiated. This draft is based on Section 26 (2) of the TTDSG but has not yet been adopted by the Federal Government.

Other essential laws include two EU legislative acts, the Data Act and the regulation of artificial intelligence, both currently in draft form. The Data Act is reaching the final stages of negotiation and has attracted criticism, e.g., over unresolved questions regarding its relationship to the GDPR. Finally, the European Data Governance Regulation was adopted in May 2022.

In it, the European Commission laid the foundations for improved data use, in particular to ensure the continued use of public-sector data in compliance with the applicable legal provisions. To date, however, the German legislature has not yet implemented the Data Governance Regulation. It has until 24 September 2023 to do so.

Greece

Greece’s laws were amended in 2019 to meet the GDPR and EU Commission deadlines. When residents’ sensitive data are processed, the laws safeguard their rights.

The Hellenic Data Protection Authority (“HDPA”) is the governing agency in Greece. It has the authority to levy monetary fines. Individuals can file claims for violations with local courts and judicial committees.

Under the law, children above 15 can consent without a parent’s approval. Procedures on how to amend or deny consent and the right to access data should be included in privacy policies.

Recent Privacy Updates

This year the HDPA has addressed data protection issues arising from data processing for the purpose of political communication, issuing Guidelines 1/2023 on the lawfulness of processing and the principle of accountability, and Decision 1/2023 on the right to be forgotten in a related complaint against Google LLC. Privacy and data processing issues are expected to arise from the ChatGPT application, the best-known conversational AI software, which can simulate and process human conversations. The HDPA’s position on this issue is expected in the near future.

Hong Kong

When sensitive information is gathered, Hong Kong’s Personal Data Ordinance (“PDPO”) safeguards privacy rights. According to the ordinance’s requirements, data should be appropriately obtained, and people should be adequately informed.

The regulation requires data users and processors to encrypt gathered information and capture only “necessary” data. Individuals maintain the right to access and restrict data gathering.

One of the most significant principles of the PDPO is transparency. Companies are required to take “reasonable steps” to educate individuals about information gathering, which may be accomplished by establishing a Privacy Policy.

Violations of the ordinance are punishable by penalties of up to HK$50,000 and a maximum of two years in jail.

Recent Privacy Updates

In a report on its work in 2022 to the Legislative Council, the Office of the Privacy Commissioner for Personal Data (“PCPD”) said that it is working closely with the Hong Kong SAR administration to review the PDPO in some specific areas. These include setting up a mandatory data breach notification mechanism, requiring a data retention policy, empowering the Privacy Commissioner to impose administrative fines, and introducing direct regulation of data processors. The PCPD is aiming to publish more substantive plans in the coming months.

Technology expert Jennifer Wu of Pinsent Masons said: “With cybersecurity being a priority in Hong Kong SAR, it is not surprising that mandatory data breach notification is on the cards for amendments. This time around, companies should make sure their internal data policies and group data policies are in order before these changes occur. 2023 is the time to get cyber-ready.”

Apart from amending the current PDPO, data security and cybersecurity issues will be another strategic focus of the PCPD in 2023. As a recap of the PCPD’s work in this area, the PCPD published a guidance note on data security measures for information and communications technology in August 2022. This guidance note set out the PCPD’s recommended data security measures to ensure compliance with the PDPO and offered useful pointers for data users (known as data controllers) on how to formulate and strengthen their data security systems.

The PCPD has also been keen on collaborating with the wider privacy protection community, both regionally and internationally. In 2022 the PCPD signed a renewed Memorandum of Understanding (MOU) with the Personal Data Protection Commission of Singapore to strengthen liaison and collaboration between the two regulatory authorities. This is done by facilitating the exchange and sharing of best practices in data protection policies and enforcement actions, coordinating mutual assistance in joint investigations into cross-border personal data incidents, and cooperating in education and training.

Iceland

Iceland’s data privacy law is extremely stringent and enforces high security and confidentiality requirements.

The Act on Data Protection and the Processing of Personal Data of 2018, which superseded the Act on the Processing of Personal Data, is Iceland’s fundamental data security legislation. The law aims to hold privacy protection to the same levels as the GDPR.

The DPA defines several data privacy standards and laws, such as how to acquire informed permission, how and when to tell consumers their data has been handled, how to keep private details safe, and rules for moving data across borders.

India

The Information Technology Act and the Information Technology Rules of 2011 control privacy laws in India. The laws and guidelines compel any corporation or organization that gathers, maintains, shares, or utilizes “sensitive information” to employ “reasonable security methods” to secure the data. The legislation mandates the provision of a Privacy Policy outlining how the data is gathered, the identity of the organization collecting the data, and opt-in and opt-out choices.

In 2018, a new bill was suggested to broaden India’s privacy rules. The Personal Data Protection Bill will expand individuals’ data rights, provide cross-border regulations, and provide solutions for violations of the act.

Recent Privacy Updates

On 18 November 2022, the Ministry of Electronics and Information Technology, Government of India introduced a draft of the Digital Personal Data Protection Bill, 2022 (“DPDP Bill”) for public comments. The DPDP Bill has been built on the principles of (a) fair and lawful use, (b) purpose limitation, (c) data minimization, (d) accuracy, (e) storage limitation, (f) reasonable safeguards, and (g) accountability. The DPDP Bill comes after its predecessor, the Personal Data Protection Bill, 2019, which was withdrawn by the government in August 2022, following pushback from stakeholders and multiple changes recommended by a joint parliamentary committee set up to review this bill.

The DPDP Bill provides for the manner in which personal data must be collected, stored, processed, and transferred. It introduces concepts such as data fiduciary (similar to a data controller), data principal (similar to a data subject), and data processor. It also sets out the rights of data principals and the obligations of data fiduciaries and processors while collecting and processing data. The DPDP Bill also provides certain restrictions on the transfer of personal data outside India. It also proposes to introduce significant monetary penalties for material contraventions.

While there is no definitive timeline for the DPDP Bill to come into effect, we expect the DPDP Bill to come into effect by 2023.

Indonesia

The Indonesian government has enacted the Personal Data Protection Bill into law (the “PDP Law”). The PDP Law took effect on 17 October 2022 with a two-year transitional period from the date of its enactment (i.e., until 17 October 2024), within which all parties that conduct personal data processing must carry out adjustments to be in conformity with the PDP Law.

The PDP Law is intended to provide more certainty and clarity on personal data protection in Indonesia, with the aim of providing better protection to data subjects. On the flip side, the PDP Law will affect how businesses can and should process personal data.

The PDP Law will not apply to personal data processing by individuals on private or household matters. There is no further guidance on this yet, and we will need to see how the authorities will interpret and implement this in practice.

Recent Privacy Updates

An assumption is that the two-year transitional period applies to most of the provisions of the PDP Law. There is still no news on whether any part or provision of the PDP Law will be immediately enforced by the government given the transitional period.

During the two-year transitional period, the government aims to establish the data protection authority and draft and issue the mandated implementing regulations.

Based on the PDP Law, we expect implementing regulations covering the following issues to be issued by the government within the next 24 months:

  1. Automatic processing of personal data
  2. Data subjects’ rights to seek damages for any violations of data processing requirements
  3. Data subjects’ rights to use and transmit personal data to other data controllers
  4. Technical implementation of data processing
  5. Data privacy impact assessment
  6. Data storage, transfer, and deletion issues when a data controller is dissolved as a company
  7. Data protection officer
  8. Personal data transfer
  9. Procedures for imposing administrative sanctions by the data protection authority
  10. The scope of authority and functions of the data protection authority

In addition to the above, there is also a government regulation that is currently in the works (spearheaded by the Ministry of Communications and Informatics (MOCI)) that will cover the assessment and calculation of administrative sanctions under MOCI-related matters and regulations (including data privacy).

Ireland

The Data Protection Act 1988 – 2018, which includes the GDPR requirements, the Data Protection Acts of 1988 and 2003, and additional legislation, governs Ireland’s privacy acts. The new statute establishes the Data Protection Commission (“DPC”) to oversee privacy rules.

A Privacy Policy, often known as a data protection policy, should specify the scope of data collection, the accessibility of personal data, and the length of time the data is held. Companies must use reasonable safeguards when employing automated collection technologies and third-party vendors. The data collector must keep a documented record of all data obtained and why it was collected.

Recent Privacy Updates

On 28 June 2023, the Irish Parliament approved amendments to the Courts and Civil Law (Miscellaneous Provisions) Bill 2022, which allow the Irish Data Protection Commission (“DPC”) to declare almost all its procedures ‘confidential’ and make most reporting about DPC procedures or decisions a crime. These provisions significantly reduce the public accountability of the DPC, a supervisory authority already under heavy criticism for failing to enforce the General Data Protection Regulation (“GDPR”).

Japan

The revised Act on the Protection of Personal Information (“APPI”) in Japan protects personal details. It provides the restrictions that businesses must follow. Personal information is defined broadly under the legislation. It includes dates of birth, identifying numbers, socioeconomic standing, and creed.

The latest modification broadens the act’s authority to include firms outside Japan that gather personal information about Japanese residents.

Japan maintains a “white list” of nations and businesses that fulfill its data transfer criteria. It is critical to verify Japan’s list to determine if your country and firm are included.

Violations of the statute may result in hefty monetary penalties or imprisonment for up to two years.

The Amendment Act to the current APPI (Act on the Protection of Personal Information) was approved on June 5th, 2020. While provisions in relation to penalties came into force on December 12th, 2020, additional requirements were scheduled to become effective on April 1st, 2022.

The Personal Information Protection Commission (“PPC”), which oversees and enforces the APPI, has released many revised guidelines in anticipation of the entry into effect, to assist organizations in complying with the amended APPI.

With the amendments to the APPI including increased data breach reporting obligations, stricter data transfer requirements, increased access rights for data subjects, and more, businesses will need to re-examine their existing programs. This includes improving processes around international data transfers, consent requests from data subjects for the use and/or transfer of personal data, and improved reporting templates.

Recent Privacy Updates

In addition to the amendment of the APPI in April 2022, additional requirements under the Telecommunications Business Act became applicable to many web or application services in June 2023. These legislative amendments are designed to protect users’ information in light of increased and new risks linked to growing digitalization. Since the amended Telecommunications Business Act became applicable to many web or application services, the providers of such services must address the new requirements.

Malaysia

In 2013, Malaysia’s first detailed data privacy regulation went into force. The Personal Data Protection Act of 2010 (Act 709) comprises seven essential components that work together to secure personal and sensitive data.

To be legal under Act 709, the data subject must be given written notice of the objective of the data collection, along with information about their rights and who will have access to their records.

The PDPA does not require enterprises to designate a data protection officer, a notable distinction between Act 709 and the GDPR.

Following a year-long assessment, the Malaysian government held a public consultation on prospective PDPA changes. Changes to the Law might include data transfer, a broader scope, and reporting requirements for data breaches.

Recent Privacy Updates

On 2 December 2022, Fahmi Fadzil became the new Minister of Communications and Digital (“Minister”), with oversight of the JPDP. There have been substantial developments in this space since then:

  • Introduction of the General Code of Practice of Personal Data Protection (“General CoP”)

The General CoP was issued by the Personal Data Protection Commissioner (“Commissioner”) and took effect on 15 December 2022. The General CoP (which appears to apply to selected classes of data users) introduces new legal requirements to be complied with, including additional mandatory information for inclusion in personal data protection notices, and further seeks to provide best practice recommendations with respect to the implementation of principles under the PDPA and its subsidiary legislation.

  • Proposed Upgrades to the JPDP and New Cybersecurity Commission

The Minister had announced his plans of turning the JPDP into a statutory department to ensure that it has sufficient resources to tackle, among other things, personal data leaks and execute its functions more effectively. At present, the JPDP is merely a government department under the Ministry of Communications and Digital (“Ministry”).

There are also plans to establish a Malaysian Cyber Security Commission as a move to strengthen cyber security, with the Ministry working together with related agencies such as CyberSecurity Malaysia to set up such a commission. This proposal is currently still in the preliminary stages but may be tabled with the Malaysian Parliament in June 2023.

Mexico

The Federal Law on the Protection of Personal Data Held by Private Parties governs the handling of private details by private entities.

The term “processing” is defined under the legislation to comprise a wide range of data activities, such as the collection, application, disclosure, storage, use, control, transfer, and deletion of private information.

The Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties 2011, the Privacy Notice Guidelines 2013, and the Parameters for Self-Regulation 2014 also apply to the private sector.

The Federal Institute for Access to Information and Data Protection (IFAI) of Mexico is charged with implementing the law and creating rules for its enforcement.

New Zealand

Data security in the country is governed by the Privacy Act 1993’s 12 Information Privacy Principles. These principles address the following topics: the aim of data collection, how information is recorded and accessed, and limitations on using and disseminating personal information.

The Credit Reporting Privacy Code 2004, the Health Information Privacy Code 1994, and the Telecommunications Information Privacy Code 2003 are all industry-specific legislations.

Meanwhile, New Zealand aims to replace the 25-year-old Privacy Act with the Privacy Bill 2018. Fundamental changes include obligatory breach reporting, compliance notifications, and increased cross-border data movement.

The power of any user to lodge a complaint and initiate an inquiry into whether or not the data-gathering methods are legitimate is a crucial component of the country’s new privacy law.

Philippines

The Philippines’ Data Privacy Act of 2012 is an exhaustive and stringent law protecting the basic human right to privacy of information that is acquired electronically and held in file systems. The statute requires businesses to have a Privacy Policy or an agreement in place that provides protections to secure data. The scope of the law encompasses both domestic and international corporations.

The 2012 Privacy Act has identical rules and restrictions to the GDPR, making it among the most stringent in Asia.

Recent Privacy Updates

In 2022, two bills (House Bill No. 892 and House Bill No. 898) were filed in the House of Representatives of the Philippines, seeking to amend the DPA. The proposed amendments under House Bill No. 892 broadly include:

  • Increasing the penalties (both the period of imprisonment and monetary fines) for violations of the DPA; and
  • Providing for perpetual absolute disqualification as a penalty for a public official or employee who violates provisions of the DPA.

On the other hand, the proposed amendments under House Bill No. 898 broadly include:

  • Defining biometric and genetic data.
  • Expanding the exclusions on the applicability of the DPA.
  • Redefining “sensitive personal information” to include biometric and genetic data, and labor affiliation.
  • Clarifying the extraterritorial application of the DPA by specifying clear instances when the processing of personal data of Philippine citizens and/or residents is concerned.
  • Defining the digital age of consent to process personal information as more than fifteen (15) years, applicable where information society services are provided and offered directly to a child.
  • Including the performance of a contract as a new criterion of the lawful basis for processing of sensitive personal information.
  • Allowing Personal Information Controllers (“PIC”) outside of the Philippines to authorize Personal Information Processors (“PIP”) or any other third party in the country, in writing, to report data breaches to the National Privacy Commission (“NPC”) on behalf of the PIC.
  • Modifying criminal penalties under the DPA, giving the proper courts the option to impose either imprisonment or a fine upon their sound judgment.

The said bill remains pending before the Philippine House of Representatives.

A further bill was filed in 2022 and is pending before the Philippine Senate (Senate No. 1367) likewise seeking to amend the DPA. Specifically, the bill seeks to exclude the applicability of the DPA to personal information and sensitive personal information that are necessary to address a health crisis during a period of a declared national emergency or pandemic.

Given the rigorous process of passing a law in the Philippines, there are no indications that any of these pending bills will be passed into law within the next 12 months.

Russia

Personal data gathering and management are controlled mainly by the Federal Law on Personal Data 2006 and the Information, Information Technologies, and Information Protection Act 2006.

Personal data are also regulated by many general and sector-specific pieces of legislation, such as the Russian Labor Code 2001, the Russian Air Code 1997, and Articles 23-24 of the 1993 Russian Constitution.

Data protection rules apply to individuals who collect or process data and establish the purposes of the processing, data content, and associated operations.

Recent Privacy Updates

The Russian State Duma passed Russian Federal Law No. 152-FZ in July 2006. It was one of the few data protection laws in place before the General Data Protection Regulation (“GDPR”) came into effect.

Since the Federal Law on Personal Data 2006 and the Information, Information Technologies, and Information Protection Act 2006 were passed, several amendments have been introduced to ensure that the law is well-equipped to deal with current technological and data privacy challenges.

One of the amendments is regarding the data localization requirement that requires storing and retaining data belonging to Russian citizens in databases within Russia. This still allows data to be transferred across borders if cross-border transfer conditions are met.

As per the recent amendment 266-FZ, which came into effect on 1 September 2022, the processing of personal data via contractual arrangements between the data subject and the operator is possible only if the contract does not contain any conditions restricting the rights and freedoms of data subjects.

Spain

The Spanish Data Protection Act 1999 (Organic Law 15/1999) is now in effect; however, it contradicts several of the GDPR standards (Spain is a member of the EU).

The Spanish government is working on a new law that will function together with the GDPR. Until this new Act takes effect, Spanish data privacy rules are comprised of the GDPR and a temporary executive order (“RDL 5”), which focuses primarily on procedural issues.

Information security and privacy regulations are included in the Law of Information Society Services and Electronic Commerce (Law No. 24/2002) and Law 9/2014 on Telecommunications.

Recent Privacy Updates

Law 11/2023 of 8 May 2023 on the transposition of European Union Directives on the accessibility of certain products and services, migration of highly qualified persons, taxation, and digitalization of notarial and registry actions was published in the Official State Gazette (“BOE”).

The Law provides, amongst other amendments, for the modification of certain aspects contained in Constitutional Law 3/2018, of 5 December 2018, on the Protection of Personal Data and the guarantee of digital rights (“LOPDgdd”) and in Law 34/2002, of 11 July 2002, on information society services and electronic commerce (“LSSI”).

As part of the sanctions and corrective measures available under the LOPDgdd, the Spanish Data Protection Agency (“AEPD”) contemplated the possibility of sanctioning controllers or processors of personal data with a “reprimand” in the event of a breach of the European General Data Protection Regulation (“GDPR”).

This warning process has been amended to become a measure of a non-punitive nature, subject to a more agile processing procedure that allows for a quicker response to complaints from the public.

South Africa

While only some parts of the Protection of Personal Information Act of 2013 (“POPIA”) have been implemented, many businesses are already complying with the said law and the GDPR.

Data gathering is only permissible under POPIA if there is a justified purpose. The statute covers justifications such as conscious and voluntary consent or fulfillment of a contract.

Companies must demonstrate “due care” in compliance with the act by publishing a Privacy Policy. The policy must explain why data is gathered, how it is protected, and people’s rights to remove or modify access to information.

Recent Privacy Updates

POPIA came into force on 1 July 2020 but was subject to a 12-month grace period, which ended on 30 June 2021. POPIA is now accordingly in force in its entirety with the provisions regarding prior authorization having come into effect on 1 February 2022. This means that all responsible parties (i.e. data controllers) that conduct processing activities that are subject to prior authorization now need to submit an application for prior authorization and will need to cease such processing activities until such time as prior authorization is obtained.

A number of other developments occurred in 2022 including:

  • The issuance of codes of conduct for the banking and credit reporting sectors by the Information Regulator in October 2022;
  • The establishment by the Information Regulator of an Enforcement Committee and the initiation of investigations by the Information Regulator into various possible violations of POPIA;
  • The issuance of Guidelines on notifications of security compromises to the Information Regulator; and
  • Greater scrutiny by the Information Regulator into security compromises including the establishment of a security compromise register.

South Korea

The country’s primary privacy law is the Personal Information Protection Act (“PIPA”). The statute regulates the transfer and gathering of citizens’ private information. Companies are mandated under the act to acquire consent, explain how the data is shared, allow consumers to decline data collection, and fully notify consumers of their rights.

In conjunction with PIPA, South Korea recently approved the Network Act, which requires foreign corporations that gather data from Korean residents to have a representative in the country. South Korea is proposing PIPA adjustments concerning the GDPR to comply with the EU Commission.

Recent Privacy Updates

The Personal Information Protection Commission (“PIPC”) in South Korea has released a draft decree for public consultation, proposing changes to the Personal Information Protection Act (PIPA). The draft decree aims to enhance citizens’ rights to control the processing of their personal data. It emphasizes the importance of obtaining freely given consent from data subjects and ensuring clear communication about their right to consent. The draft decree also seeks to establish a “technology-neutral” approach, unifying online and offline personal data processing regulations to align with the digital society.

Furthermore, the draft decree introduces criteria for assessing the severity of Personal Information Protection Act (PIPA) violations, including the nature and degree of the violation, the type of personal data affected, and the impact on the data subject. It also requires timely notification of data breaches to the PIPC and affected data subjects within 72 hours, regardless of the breach’s scale.

Regarding cross-border data transfers, the PIPC will have the authority to issue stop orders to prevent or halt non-compliant transfers. The draft decree also imposes stricter data protection standards on the public sector, including personal data file registrations, impact assessments, and implementing safety measures.

Businesses processing personal data in South Korea will be affected by these proposed amendments and need to ensure compliance before the updated law takes effect. The public can provide comments and feedback on the draft decree until 28 June 2023.

Sweden

The General Data Protection Regulation (“GDPR”) is a European Union law that entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

In addition to the GDPR, the Data Protection Act and the Data Protection Ordinance apply. The Data Protection Act regulates general aspects of data protection where the GDPR allows, e.g. processing of personal identity numbers and processing of data relating to criminal convictions and offenses. The Data Protection Act entered into force on 25 May 2018. In addition to the Data Protection Act and the Data Protection Ordinance, there are sector and processing-specific regulations.

Switzerland

The Federal Act on Data Protection (“FADP”), which was first adopted in 1993 and was updated in 2007 to incorporate the Data Protection Ordinance (“DPO”), governs data privacy in the country.

These laws address general data privacy and security requirements, rules for data acquisition and cross-border transfers, accessibility, rules for data collection in “good faith,” and other topics.

The DPO was intended to clarify various aspects of the FADP, including additional information on cross-border data transfers.

The FADP was revised in September 2020 and became effective in 2022. On 31 August 2022, the Swiss Federal Council adopted the revised Data Protection Ordinance (“revDPO”) and announced that the revised Federal Act on Data Protection (“revFADP”) and the revDPO will enter into force on 1 September 2023.

The revFADP introduces significant changes compared to the current FADP and is a “GDPR-like” legislation. The changes mainly concern governance obligations and new, higher fines. However, certain “Swiss finishes” remain.

Thailand

Following postponements by the Thai Government due to the COVID-19 pandemic, Thailand’s Personal Data Protection Act B.E. 2562 of 2019 (“PDPA”) finally came into effect on 1 June 2022. The PDPA provides a set of comprehensive obligations regarding the collection, use, disclosure, and cross-border transfer of personal data, as well as the rights of data subjects.

After the effective date of the PDPA, certain sub-regulations were issued by Thailand’s competent authority, the Personal Data Protection Committee (“PDPC”), which was established on 18 January 2022, and announced in the Royal Gazette. There are a number of sub-regulations that are still under consideration. Once all sub-regulations are issued, this should give more clarity on compliance with the PDPA and will aid organizations in effectively protecting the personal data they hold.

Recent Privacy Updates

To date, the PDPC continues to publish various infographics via its official resources to educate the public and create awareness regarding specific topics under the PDPA. In addition, the PDPC is open to the public for discussion and consultation on compliance with the PDPA and its sub-regulations. Since the effective date of the PDPA, there have been several data breach incidents in a number of industries, and the corresponding breach notifications have been issued to the PDPC and data subjects.

Now that the Thai PDPA has come into effect and many sub-regulations have been issued, it is imperative that any organization operating in Thailand, or overseas-based organization targeting Thai data subjects regulated under the PDPA, that has yet to implement the measures set out in the PDPA and its sub-regulations does so promptly. Such organizations should also raise awareness among their personnel so that they can competently deal with any data protection issues that may arise in future.

United States

Privacy rules in the United States are created at the state and sectoral level rather than through comprehensive national coverage. The Health Insurance Portability and Accountability Act (“HIPAA”), which protects citizens’ medical information, is one of the privacy laws enforced by the federal government.

The Federal Trade Commission (“FTC”) implements company privacy rules while protecting US consumers. The FTC does not mandate Privacy Policies, although incorporating one is strongly advised. The FTC also has stringent privacy standards in place for minors. The Children’s Online Privacy Protection Act (“COPPA”) governs websites and applications that collect information from children under thirteen.

Compliance with several state rules may perplex US and international businesses. However, there are a few crucial ones you should be aware of.

California has the most comprehensive and toughest privacy regulations in the United States. The California Online Privacy Protection Act (“CalOPPA”) secures California residents’ personal data transfer and collection. CalOPPA’s authority extends beyond California to any firm that gathers information from California residents.

CalOPPA mandates that a Privacy Policy disclose the following:

  • What information is gathered;
  • Why the data is collected;
  • How users can modify their preferences described in the privacy policy; and
  • What the firm does with Do Not Track signals.

California recently added the California Consumer Privacy Act (“CCPA”) to its roster of privacy laws. The CCPA established new protections in data gathering for organizations. The opportunity to opt out of data collection, a statement of the sources of the obtained information, and listings of data sold and released for commercial reasons in the last 12 months are all required under the revised policies.

The Shield Act of New York safeguards the private data of New York citizens gathered by the city government and international corporations. The New York statute allows businesses to protect personal data, but practices must adhere to the act’s criteria. The Shield Act covers biometric information, emails, and bank accounts.

The state of Washington has yet to enact the Washington Privacy Act (“WPA”). If approved, the act would contain several restrictions comparable to California’s CCPA. The WPA mandates opt-out alternatives, disclosure of data collection categories, and extensive security standards.

The Delaware Online Privacy and Protection Act (“DOPPA”) safeguards Delaware individuals’ personal information privacy rights. DOPPA, like CalOPPA, demands the publication of a Privacy Policy and the protection of children. DOPPA’s reach includes internet businesses, applications, and ebooks.

Recent Privacy Updates

Significant changes to the US privacy law landscape are expected to continue in 2023, with the California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCDPA”) both effective from 1 January 2023. On 1 July 2023, the Colorado Privacy Act (“CPA”) and the Connecticut Data Privacy Act (“CTDPA”) become effective, and the Utah Consumer Privacy Act (“UCPA”) becomes effective on 31 December 2023. The CPRA, which amends and strengthens the California Consumer Privacy Act (“CCPA”), is the most far-reaching of the new laws, as it includes business-to-business and human resources data. We are also seeing interest at the state level in biometrics laws, similar to the Illinois Biometric Information Privacy Act, and renewed interest at the federal level in a comprehensive federal privacy law, after the American Data Privacy and Protection Act gained traction in 2022.

There is also a focus on US-Europe data transfers. On 13 December 2022, the European Commission (EC) announced a draft decision on the adequacy of the US data protection regime to protect the personal data of European Union (EU) residents, the EU-US Data Privacy Framework (“DPF”). We expect that the DPF will be finalized in 2023 and that US companies will quickly move toward certifying compliance with the DPF. Although we expect that certification to the DPF will be similar to its predecessor, the Privacy Shield, the specifics have not been finalized.

Venezuela

There is no national regulation governing data privacy and protection in the country. Private data protection is controlled by an assembly of federal, sector-specific, and industry-specific legislation.

However, Article 28 of the 2009 Constitution of Venezuela provides that every business, person or otherwise, that collects or manages personal details must adhere to a set of criteria.

United Kingdom

The Data Protection Act of 2018 guards personal information gathered by businesses, institutions, and the state. To comply with the legislation, you must adhere to the act’s rigorous “data protection principles.” These principles advocate openness, using data for specific goals, updating data, and implementing protections to preserve the data.

The Information Commissioner’s Office (ICO) is an independent body that safeguards and enforces privacy laws.

Recent Privacy Updates

The UK government introduced the Data Protection & Digital Information (No.2) Bill (the “Bill”) on 8 March 2023, withdrawing the Data Protection & Digital Information Bill that was introduced in June 2022 but then paused.

Post-Brexit, the Bill is intended to make the EU General Data Protection Regulation (“GDPR”) more practicable and less burdensome in lower-risk situations, while maintaining high data protection standards. It contains many clarifications and brings several GDPR recitals into the operative text. All being well, the legislative process will culminate in a new Act sometime in the next 12 months.

Summary

Adopting a Privacy Policy is critical given the increasing volume of personal data exchanged across borders. The GDPR’s implementation has dramatically altered the landscape of data protection. Countries are enacting stronger and broader privacy regulations to align with it and defend the rights of all people.

Creating and updating your privacy policy is a must to stay updated and avoid conflict with a country’s legislation or regulation. GetTerms makes it easy to create your own tailored Privacy Policy today in less than 5 minutes.
