Crossbow Labs

Data Privacy Across Boundaries

If you are doing business in your own country or across multiple countries, you should be aware of the data & privacy laws prevailing in those countries. Many countries are redoing their digital policy to be in-line with the current state of technology adoption and individual rights to digital privacy.

If you are a service provider – you are required to inform the audience about their privacy rights and how you are upholding their privacy. The business may be simple – only collecting name and email address for a newsletter subscription or using browser cookies to collect traffic information for further analysis. If you don’t inform, you may be liable for legal action from your customers / site visitors / government of that country. The liability is not easy – it comes with huge fines, loss of trust / reputation or in worst case even imprisonment.

This article is a run down on the data privacy laws implemented by various countries across the globe.

United States

In the United States, the data privacy laws are regulated at Federal level and the Federal government leaves it up to state government to make the laws specific and define it for the industry. The Federal Trade Commission (FTC) regulates business privacy laws and as a regulatory body they prevent any deceptive practices that a business may do.

Some laws that cover the data privacy are as follows:

  1. Health Information Portability and Accountability Act of 1996 (HIPAA) which deals with health related information. It defines who shall be covered, which information is to be secured, what controls to be implemented to ensure protection of health information (PHI) in all forms – physical and electronic.

  2. Children’s Online Privacy Protection Rule is applicable to those businesses that collects personal information of children under the age of 13 through the internet. The state of California has a state law – California Online Privacy Protection Act CalOPPA, effective from 2004, requiring commercial websites and online services to post a privacy policy.

    CalOPPA is applicable to any person or business whose website collects personally identifiable information of California consumers. As part of CalOPPA, the business website has to disclose privacy policy stating what information is collected, with whom it is being shared and comply with site’s privacy policy. Those businesses that fail to comply are liable to face legal actions under the state’s unfair Competition Law.

  3. California Consumer Privacy Act (CCPA) enforces to make businesses more responsible over the collection of personal information. The law provides the right to privacy for consumers in the state of California, which are:

    • Right to know
    • Right to delete
    • Right to opt-out
    • Right to non-discrimination


The Personal Information Protection and Electronic Data Act (PIPEDA) regulates businesses on how the data of online users are collected, stored and used. Businesses covered by PIPEDA must obtain consent from individuals when they collect personal data. Further, privacy policies of the businesses should be made public. The privacy policy should be easy to find, understand and should clearly define how personal data is being collected, stored and/or used.


The Personal Data Protection Act of 2000 applies to any individual or legal business entity within the jurisdiction of the Argentina dealing with personal data. Use of browser cookies is part of personal data, so if your business is tracking visitors or uses an ad network that uses cookies, then this act applies to you.

In 2018, Argentina submitted a bill (Reference: MEN-2018-147-APN-PTE) aiming to change the Personal Data Protection Act of 2000. If this bill gets approved in the Argentina parliament constituency, it will supersede the Personal Data Protection Act of 2000.


The Brazilian Internet Act passed in 2014, better known as the Brazilian Civil Rights Framework for the Internet – aims to establish the principles governing the user rights, liabilities of connection / application providers and regulate the government on the use of Internet. It emphasises on online collection, usage, storage & maintenance of personal data.

Internet service providers can store confidential connection logs for a tenure of 12 months, and for application usage, it should not be more than 6 months. In both the scenarios disclosure of stored information can only be obtained through a court order. This will of course have to be done with the consent of the user. So any legal entity / individual is obligated to get the user’s consent before collecting their personal data online.


Chile’s Act of the Protection of Personal Data, passed in 1998, states that personal data can only be collected with prior consent of the user. The legal entity must also disclose if the information they collected is shared with any third parties. The act outlines the minimum information which can be asked from the user without authorisation. Further, if you are using the data internally to provide services or for statistical or pricing purposes, it is allowed by the act.


The two fundamental personal data rights under Article 15 and 20 of Colombia’s constitution Title II – Rights, Guarantees and Duties, recognises the right to privacy and the right to data rectification. Besides them, another two statutory laws – Law 1266 of 2008 and Law 1581 of 2012 – regulates processing of personal data.

Statutory Law 1266 focuses on processing of financial data & credit records collected from the citizens of Columbia, while statutory law 1581 focus on all personal data processing that includes sensitive data and the data collected from minors. The statutory laws requires that data controllers and data processors implement the highest security controls to safeguard the personal data collected.


The Federal Law of Protection of Personal data pays emphasise on how to deal with privacy data obtained from the user – which could either be an individual or a legal entity. The private individual or legal entity should provide consent for collecting, processing and storing any personal data. Further, the rights of the user must be clearly informed to the user from whom personal data is being collected.

European Union

The EU General Data Protection Regulation law (EU GDPR), which came in effect from 25th May 2018, aims to protect the privacy of all EU citizens. It applies to all service providers and data processing agencies that hold personal data of people belonging to the European Union, regardless of the location of their operation.

It is applicable to both – data controllers and data processors, regardless of whether the processing takes place in the EU or outside the EU, thus cloud environments will be covered under GDPR Law. Business located outside the European Union processing data of EU citizens will need to appoint a representative in the EU.

United Kingdom

The Data Protection Act 2018 by the Information Commissioner’s Office mandates fair processing of the personal data by being transparent about why you are collecting the personal data and how will you be using it. For example, if your business website uses browser cookies, as part of the privacy policy it is required that the user be clearly informed about what type of cookie data is being collected, for what purpose it is used, why it is used and his consent over the usage of the cookie data.


The Personal Data Protection Bill (PDPB) 2019 (under review), the Information Technology Act 2000 (amended in 2008) and the Intermediary (amendment) rules 2018 guidelines are the data privacy regulations in the country. The Information Technology Act informs that legal entity must have privacy policy in place & published on the website irrespective of personal data collected from the user.

The Privacy policy mandates that consent from the user is required for the collection and processing of sensitive data. It should explain clearly what data you collect, it’s purpose, disclosure to any third party, security practices implemented to protect the data.


The Act on the Personal Information Protection (APPI) of Japan aims to protect the rights of individuals for their personal data. If any individual’s data is available in public directory, it is still considered as personal data as per the act. The legal entity should take consent for the individual prior to collecting personal data from the user. They should also explain the purpose of data collection and inform if the data will be shared with any third party.


The Personal Data Protection Act (PDPA) 2010 of Malaysia focuses on securing personal data of individuals. A notice must be shared with the individual stating the purpose of the personal data collected, their rights to rectify the data, which third party will have their data and whether they are required to share the data or not and the consequences if they don’t share the data, in order to keep the individual consent valid.


The Data Privacy Act of 2012 or also know as Republic Act No. 10173 states that individuals have the right to know your business identity, what personal data is being collected, purpose of the personal data collected, how it is processed, with whom it is being shared (third parties) and individual rights regarding their own data. Anyone who wishes to collect personal data should obtain the consent from the user prior to collection.


Singapore’s Personal Data Protection Act (PDPA) 2012, data protection law states various rules governing the collection, use, sharing, and care of personal data. The act recognises the rights of individuals to protect their personal data, right of access & correction, needs of business units to collect and use or share personal data for legitimate and reasonable purposes. The PDPA act emphasises on three concept – Consent, Purpose and Reasonableness.

There is a National Do Not Call (DNC) registry which allows individuals to register their Singapore call numbers to opt out of marketing phone calls and text messages (SMS).


The Personal Data Protection Act (PDPA) 2019 regulates the data privacy of citizen of Thailand. As per the law, individual person has right to control data is collected, stored, deleted and secure their privacy from the organisation collecting the personal data. Of course, the prior consent is very important and mandated by the law to the companies intending to collect personal data. The PDPA has been in effect since 27th May 2020.


Australia’s Privacy Principles (APP) is structured around 13 principles governing the handling and processing of personal information. The Office of the Australian Information Commissioner (OAIC) investigates any privacy compliant on misuse of the privacy data, based on the compliant received.

All service providers must implement a privacy policy & comply with the requirements stated in the APP. The privacy policy must explain why the personal data is collected, how it will be used, consequences of not providing personal information. It should clearly mention how individuals can access, rectify their own information, and how they can raise a complain when there is a breach of trust.

New Zealand

The Privacy Act of 1993 regulates data privacy in New Zealand. As per the act, the business entity must collect personal data directly (when not available publicly) from the individual. While getting their consent, the privacy policy must clearly state the name and address of the business, purpose of the data collection, list down the third party entities with whom the data is shared and the individual rights regarding their own data.

When doing business with the global audience and handling personal data of citizens of different countries, you need to be sure of the data privacy laws of the land and your compliance towards it. It is highly recommended to consult with a subject matter expert, who can provide guidance to implement and comply with the requirements of the various privacy laws of the different countries in which you are doing business.