If you are doing business in your own country or across multiple countries, you should be aware of the data and privacy laws prevailing in those countries. Many countries are revising their digital policy to keep it in line with the current state of technology adoption and individuals' rights to digital privacy.
If you are a service provider, you are required to inform your audience about their privacy rights and how you are upholding their privacy. The business may be simple, perhaps only collecting a name and email address for a newsletter subscription, or using browser cookies to collect traffic information for further analysis. If you don't inform them, you may be liable to legal action from your customers, site visitors or the government of that country. The liability is not trivial: it comes with large fines, loss of trust and reputation, or in the worst case even imprisonment.
This article is a rundown of the data privacy laws implemented by various countries across the globe.
In the United States, data privacy laws are regulated at the federal level, and the federal government leaves it up to state governments to make the laws specific and define them for each industry. The Federal Trade Commission (FTC) regulates business privacy practices, and as a regulatory body it acts against any deceptive practices a business may engage in.
Some laws that cover the data privacy are as follows:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) deals with health-related information. It defines who is covered, which information must be secured, and what controls must be implemented to protect health information (PHI) in all forms, physical and electronic.
The California Consumer Privacy Act (CCPA) requires businesses to be more accountable for the collection of personal information. The law provides the following privacy rights to consumers in the state of California:
- Right to know
- Right to delete
- Right to opt-out
- Right to non-discrimination
In 2018, Argentina submitted a bill (Reference: MEN-2018-147-APN-PTE) aiming to replace the Personal Data Protection Act of 2000. If this bill is approved by the Argentine parliament, it will supersede the Personal Data Protection Act of 2000.
The Brazilian Internet Act, passed in 2014 and better known as the Brazilian Civil Rights Framework for the Internet, aims to establish the principles governing user rights and the liabilities of connection and application providers, and to regulate the government's use of the Internet. It emphasises the online collection, usage, storage and maintenance of personal data.
Internet service providers may store confidential connection logs for a period of 12 months, and application usage logs for no more than 6 months. In both scenarios, disclosure of the stored information can only be obtained through a court order. This will of course have to be done with the consent of the user, so any legal entity or individual is obligated to obtain the user's consent before collecting their personal data online.
Chile's Act on the Protection of Personal Data, passed in 1998, states that personal data can only be collected with the prior consent of the user. The legal entity must also disclose whether the information it collects is shared with any third parties. The act outlines the minimum information that can be requested from the user without authorisation. The act does permit using the data internally to provide services, or for statistical or pricing purposes.
The two fundamental personal data rights under Articles 15 and 20 of Title II of Colombia's constitution (Rights, Guarantees and Duties) recognise the right to privacy and the right to data rectification. Beyond these, two statutory laws, Law 1266 of 2008 and Law 1581 of 2012, regulate the processing of personal data.
Statutory Law 1266 focuses on the processing of financial data and credit records collected from the citizens of Colombia, while Statutory Law 1581 focuses on all personal data processing, including sensitive data and data collected from minors. The statutory laws require data controllers and data processors to implement the highest security controls to safeguard the personal data collected.
The Federal Law on the Protection of Personal Data emphasises how to deal with private data obtained from the user, who may be either an individual or a legal entity. The private individual or legal entity must provide consent for the collection, processing and storage of any personal data. Further, the rights of the user must be clearly communicated to the user from whom personal data is being collected.
The EU General Data Protection Regulation (EU GDPR), which came into effect on 25th May 2018, aims to protect the privacy of all EU citizens. It applies to all service providers and data processing agencies that hold personal data of people in the European Union, regardless of where they operate.
It applies to both data controllers and data processors, regardless of whether the processing takes place inside or outside the EU, so cloud environments are also covered under the GDPR. Businesses located outside the European Union that process data of EU citizens will need to appoint a representative in the EU.
Japan's Act on the Protection of Personal Information (APPI) aims to protect the rights of individuals over their personal data. Even if an individual's data is available in a public directory, it is still considered personal data under the act. The legal entity must obtain consent from the individual prior to collecting personal data. It must also explain the purpose of the data collection and state whether the data will be shared with any third party.
The Personal Data Protection Act (PDPA) 2010 of Malaysia focuses on securing the personal data of individuals. To keep the individual's consent valid, a notice must be given to the individual stating the purpose for which the personal data is collected, their right to rectify the data, which third parties will receive the data, whether they are required to share the data, and the consequences if they do not.
The Data Privacy Act of 2012, also known as Republic Act No. 10173, states that individuals have the right to know the identity of your business, what personal data is being collected, the purpose of collecting it, how it is processed, with whom it is shared (third parties), and their rights regarding their own data. Anyone who wishes to collect personal data must obtain consent from the user prior to collection.
Singapore's Personal Data Protection Act (PDPA) 2012 sets out various rules governing the collection, use, sharing and care of personal data. The act recognises the rights of individuals to protect their personal data, including rights of access and correction, alongside the need of businesses to collect, use or share personal data for legitimate and reasonable purposes. The PDPA emphasises three concepts: Consent, Purpose and Reasonableness.
There is also a National Do Not Call (DNC) registry, which allows individuals to register their Singapore telephone numbers to opt out of marketing phone calls and text messages (SMS).
Thailand's Personal Data Protection Act (PDPA) 2019 regulates the data privacy of Thai citizens. Under the law, an individual has the right to control how their data is collected, stored and deleted, and to protect their privacy from the organisation collecting the personal data. Prior consent is essential and is mandated by the law for companies intending to collect personal data. The PDPA has been in effect since 27th May 2020.
The Australian Privacy Principles (APP) are structured around 13 principles governing the handling and processing of personal information. The Office of the Australian Information Commissioner (OAIC) investigates any privacy complaint about misuse of private data, based on the complaint received.
When doing business with a global audience and handling the personal data of citizens of different countries, you need to be sure of the data privacy laws of each jurisdiction and of your compliance with them. It is highly recommended to consult a subject matter expert who can provide guidance on implementing and complying with the requirements of the various privacy laws of the countries in which you do business.