
International Data Privacy Laws: A Guide

The push for data privacy has exploded in recent years, with regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) leading the charge. This means consumers around the globe are gaining rights regarding how their data is collected, stored, processed and sold, as well as more ways to hold companies accountable when poor data security practices lead to data breaches involving personally identifiable information (PII).

With GDPR covering the EU and CCPA covering California, those who aren’t residents of those regions may wonder if any data privacy regulations protect them. The answer is, “It depends.” Not every U.S. state or country has data privacy regulations.

However, there’s a lot to be optimistic about. Gartner predicts that by 2024, modern privacy regulation will cover the majority of consumer data. However, the same report predicts that less than 10% of companies will have successfully leveraged privacy as a competitive advantage. Contrary to what many businesses assume, new privacy regulations are business enablers, not enemies. This is because they can help you optimize business processes, improve data management and achieve cost efficiencies.

As data flows become increasingly globalized, companies must gain a strong understanding of international data privacy laws. Otherwise, they may be slapped with steep fines and other penalties. They will also fail to provide consumers with the data protection they deserve, damaging their ability to attract and retain customers.

Read this guide to learn more about data privacy laws around the world, and how to meet their requirements to ensure compliance.

Data Privacy Challenges

Companies around the world are generating and gathering more information than ever before. According to Statista, the amount of information created, copied, captured and consumed worldwide will go from 120 zettabytes in 2023 to 181 zettabytes in 2025. (One zettabyte is one trillion gigabytes.)

As data continues to be stored and created in greater volumes, and as data sharing becomes increasingly globalized, it has become easier for nation states and criminal hackers to exploit companies’ cybersecurity vulnerabilities and gaps. If companies don’t take proper precautions, malicious actors can gain unauthorized access to their IT systems and view, share, edit and delete individuals’ information, leading to identity theft and unauthorized data sharing. This, in turn, can lead to expensive fines, lawsuits and reputation damage.

To address these data privacy challenges, companies must implement legal and technology frameworks to comply with relevant privacy laws. Depending on their users’ locations and jurisdictions, these laws may include U.S. state laws like the CPRA and CCPA, as well as regional laws like the GDPR.

The Common Logic of Data Privacy Laws

Organizations are often intimidated by the sheer number of data privacy laws they need to know to achieve compliance. However, despite the laws’ varying origins and specificities, they share similar objectives and fundamental principles.

Shared Objectives

Data privacy laws are designed to protect individuals’ personal information. They also aim to strike a balance between promoting innovation and protecting privacy rights.

Fundamental Principles

Besides sharing similar objectives, data privacy laws share several fundamental principles, including:

  • Consent — Obtaining informed consent from individuals before sharing or storing their information is a core principle across data privacy laws. Consent is meant to empower individuals and give them control over their personal data.
  • Purpose limitation — Data privacy laws restrict the use of personal data to specific, legitimate purposes. This helps prevent unauthorized data processing and ensures that what companies do with the data matches the data subjects’ reasonable expectations.
  • Data minimization — Organizations may collect and retain only necessary personal data. This helps reduce the risk of unauthorized access or breaches.
  • Individual rights — This principle requires companies to grant individuals rights over their personal data, including rights to access, rectification and erasure. These rights give individuals greater control over and transparency into their information.

Data Privacy Laws and Regulations

Now that you have a clear understanding of how data privacy laws generally work, here are summaries of the most important data privacy laws around the world.

European Union (EU): General Data Protection Regulation (GDPR)

The GDPR is the toughest privacy and security law in the world. It came into effect on May 25, 2018, and imposes obligations on any company in the world that collects or processes data related to residents of the EU.

The main principles, obligations and rights under the GDPR are as follows:

  • Data minimization — Companies should not collect more personal data than necessary from their users.
  • Integrity and confidentiality (security) — Companies must protect personal data against unlawful or unauthorized processing, as well as accidental damage, loss or destruction.
  • Accountability — Companies must document how personal data is handled, and limit data access to people who actually need to access that information.
  • Access to data — Companies must respond to data subjects’ requests for copies of their personal data within a month.
  • Right to edit information — Data subjects have the right to have a company edit their personal data if it is inaccurate.
  • Right to deletion — Data subjects also have the power to request the deletion of their personal data.
  • Limitations on automated processing — The GDPR gives data subjects the right not to be subject to automated decisions that can produce a significant effect on them.
  • Data portability — Data subjects have the right to switch easily to other service providers.

The fines for violating the GDPR are very high. Less severe infringements may result in a fine of up to 10 million euros or 2% of the company’s worldwide annual revenue from the preceding financial year, whichever is higher. More serious infringements may result in a fine of up to 20 million euros or 4% of the company’s worldwide annual revenue from the preceding financial year, whichever is higher.

United States: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

Unlike the EU, the United States does not have a comprehensive privacy law like the GDPR. However, various states, including California, have passed data privacy laws and regulations to protect residents’ personal information. These include the CCPA and its successor, the CPRA.

The CCPA was passed in 2018 and gives Californian consumers more control over the personal data that companies collect about them. Since January 1, 2023, it has been amended by the CPRA.

The CPRA applies to companies that meet the following requirements:

  • Have a gross annual revenue of over $25 million
  • Share, buy or sell the personal data of at least 100,000 California residents
  • Derive 50% or more of their annual revenue from selling or sharing personal data

Like the GDPR, the CPRA gives consumers the right to:

  • Know who is collecting their personal information, how it’s used and to whom it is disclosed or shared
  • Limit the use of their personal data
  • Delete or correct their personal data

Similarly, it requires businesses to:

  • Inform consumers how their personal data is collected and processed
  • Only collect personal data for legitimate disclosed purposes and to a relevant extent
  • Allow consumers to delete, obtain, correct and share their personal information

Companies that fail to follow the CPRA’s requirements may be fined up to $7,500 per willful offense and $2,500 per unintentional violation.

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

Canada’s federal privacy law, PIPEDA, was enacted in 2000. It applies to private-sector organizations in Canada that use, collect or disclose personal data during commercial activities.

  • PIPEDA defines a commercial activity as any transaction, conduct or act of a commercial character, including leasing, bartering or selling membership, donor or fundraising lists.
  • Under PIPEDA, personal information includes any subjective or factual information, recorded or not, about an identifiable person. This includes age, income, name, blood type, employee files, opinions and disciplinary actions.

Companies must follow the 10 fair information principles to comply with PIPEDA:

  • Accountability — Organizations must comply with all 10 fair information principles, appoint someone responsible for the company’s PIPEDA compliance, and develop and implement personal information practices and policies.
  • Identifying purposes — Companies must identify and document their purposes for collecting personal information, and tell customers why they need their personal information.
  • Consent — Companies must obtain each person’s consent before gathering their information.
  • Limitations on data collection — Organizations may collect only the information they need to fulfill a legitimate, identified purpose.
  • Limited use, disclosure and retention — Companies may use or disclose personal data only for the identified purposes for which it was gathered.
  • Accuracy — Companies must minimize the chance of using incorrect data when making a decision about a person or disclosing information to third parties.
  • Safeguards — Organizations must protect personal data according to its sensitivity, and protect all personal data against theft, loss, and unauthorized access, copying, disclosure, modification or use.
  • Openness — Companies must have detailed personal information management practices that are clear, easy to understand and readily available.
  • Individual access — Individuals have the right to access the personal data that a company has about them.
  • Right to challenge compliance — Individuals have the right to challenge a company’s compliance with fair information principles.

Organizations may be fined up to $100,000 Canadian for each violation.

Brazil: General Data Protection Law (LGPD)

Brazil’s LGPD is closely modeled after the EU’s GDPR and is the largest data privacy regulation in the world after GDPR and CCPA. Its primary goal is to unify 40 different regulations, often industry-specific, and resolve conflicts that occur due to the sheer number of different data privacy regulations in the country.

The regulation applies to organizations that process data in Brazil, process personal data collected in Brazil, or process personal data while providing goods or services in Brazil. As with the GDPR and CCPA, a company does not need to be headquartered in Brazil to be affected by the LGPD.

Under LGPD, the person to whom personal data applies is considered a holder, and holders gain many rights regarding their personal data. This includes, but is not limited to:

  • Access to one’s personal data
  • Correction of outdated or otherwise inaccurate personal data
  • Deletion or anonymization of personal data not in compliance with LGPD or processed without the consent of the holder
  • The ability to revoke one’s prior consent
  • Information about how one’s data is used and with whom that data is shared

Article 18 of LGPD covers all data holder rights under the regulation, and additional articles cover fines and other penalties for those found not in compliance.

Emerging Data Privacy Laws and Global Impact

Besides the laws above, you should also keep an eye on the following emerging data privacy laws.

India: Personal Data Protection Bill (PDPB)

This bill is still in draft form but it’s worth discussing as it’s also modeled after the GDPR, the current gold standard for data privacy regulation. If enacted, PDPB will apply to organizations processing personal data collected, disclosed or processed in India, so, like the GDPR, it has international impact.

What’s covered under PDPB resembles GDPR as well. Consumers gain rights to access, correct and delete their data, along with the right to be forgotten and data portability between organizations.

However, just because an organization is prepared for the GDPR doesn’t necessarily mean it’s ready for the PDPB. The two regulations have slight scope differences, and the PDPB hasn’t been finalized yet. The specifics of the regulation are bound to change, and any organization with ties to India should keep an eye on it.

Other Noteworthy Data Privacy Laws

Other data protection laws worth mentioning include:

Frameworks

There are also frameworks that can help organizations achieve compliance with data privacy legislation, including:

  • The National Institute of Standards and Technology’s (NIST) Privacy Framework is a voluntary tool to help companies spot and manage privacy risks.
  • The Asia-Pacific Economic Cooperation’s (APEC) Cross-Border Privacy Rules (CBPR) create a framework for regional cooperation in the enforcement of privacy laws.
  • ISO/IEC 27001 is the world’s best-known standard for an information security management system (ISMS).

How Netwrix Can Help You Comply With Data Privacy Laws

Compliance with applicable global data privacy laws is vital to avoiding expensive fines, reputation damage, lawsuits and other costs. One of the most cost-effective ways to achieve, maintain and prove compliance is to adopt the Netwrix Compliance Audit Solution. This reliable, powerful and intuitive solution minimizes the stress and time of audit preparation and empowers you to answer questions during compliance audits quickly. You can:

  • Find out where your regulated data is and lock down access to it.
  • Enforce strong password policies.
  • Detect threats in their early stages.
  • Establish and maintain secure system configurations.
  • Produce easy-to-read evidence for auditors.

Interested in learning more about how Netwrix’s Compliance Audit Solution can help your organization? Request your one-to-one demo today.

Frequently Asked Questions

How many countries have privacy laws?

According to the United Nations Conference on Trade and Development (UNCTAD), 137 out of 194 countries have implemented data privacy legislation. In total, 71% of countries have privacy regulations, 9% of countries have draft legislation, and 15% of countries have no legislation.

Because most countries have privacy laws and information flow is becoming increasingly globalized, companies must establish policies to ensure compliance with these laws. Otherwise, they may be slapped with expensive fines and suffer reputational loss.

Is there international law on data privacy?

Yes. The European Union’s General Data Protection Regulation (GDPR) is an international privacy law that affects any organization that processes or stores the information of any EU resident.

Other state, federal and regional data privacy laws with international applications include the California Consumer Privacy Act (CCPA), China’s Personal Information Protection Law (PIPL), and Australia’s Privacy Act 1988.

What are the major global data privacy laws?

Major world privacy laws include:

  • The European Union’s General Data Protection Regulation (GDPR)
  • Brazil’s General Data Protection Law
  • China’s Personal Information Protection Law (PIPL)
  • California Consumer Privacy Act (CCPA)
  • Australia’s Privacy Act 1988

How many global data privacy laws are there?

At least 17 countries and regions have existing or pending global data privacy laws similar to the GDPR. As such, you should start preparing your company for compliance with GDPR, PIPL and other global data privacy regulations.

What are the principles of privacy laws?

Despite their surface differences, every privacy law is based upon the same principles. These include:

  • Consent — Companies must obtain informed consent from individuals before storing or sharing their information. Consent gives individuals control over their personal data.
  • Purpose limitation — Organizations must limit the use of personal data to specific, legitimate purposes. This ensures that what you do with data subjects’ data matches what you told them.
  • Data minimization — Companies may gather and retain only necessary personal data. This reduces the impact of a breach.
  • Individual rights — Organizations must give data subjects rights over their personal data, including the rights to access, rectification and erasure.

Craig is an award-winning information security leader specializing in identity and access management. In his role as Field CISO NAM at Netwrix, he leverages his broad expertise in modernizing identity solutions, including experience with privileged access management, zero standing privilege and the Zero Trust security model. Prior to joining Netwrix, Craig held leadership roles at HP and Trend Micro. He holds both CISSP and Certified Ethical Hacker certifications.