
Major Data Privacy Laws Around the World: A High-Level Overview


As the digital age continues to evolve, the need to protect personal information and data privacy has become increasingly important. Governments around the world have enacted various laws and regulations to address these concerns. This article provides a comprehensive overview of some of the most significant data privacy laws enacted globally, highlighting their key provisions and impact on businesses and individuals.

General Data Protection Regulation (GDPR) – European Union

The GDPR, which took effect in May 2018, is one of the most comprehensive data protection laws in the world. It applies to businesses operating within the EU, as well as those offering goods or services to EU citizens. Key provisions of the GDPR include:

  • Consent: Organizations must obtain explicit and informed consent from individuals before collecting and processing their personal data.
  • Right to be forgotten: Individuals have the right to request the deletion of their personal data under certain circumstances.
  • Data breach notification: Organizations must notify the relevant data protection authority within 72 hours of discovering a data breach.
  • Data protection officers: Certain organizations are required to appoint a Data Protection Officer (DPO) to ensure compliance with the GDPR.
  • Fines: Non-compliance can result in fines of up to €20 million or 4% of the company’s global annual revenue, whichever is higher.

Since its implementation in May 2018, the GDPR has led to several high-profile cases of severe violations resulting in significant fines. Here are a few examples:

  1. Google LLC: In January 2019, the French data protection authority, CNIL, fined Google €50 million for violating the GDPR. The violation stemmed from a lack of transparency, inadequate information, and a failure to obtain valid consent for ad personalization. This fine is significant because it was the first major penalty imposed under the GDPR and involved one of the world’s largest technology companies.
  2. British Airways: In October 2020, the UK’s Information Commissioner’s Office (ICO) issued a fine of £20 million against British Airways for a data breach that exposed the personal information of approximately 400,000 customers. The breach occurred due to poor security measures, and the ICO cited the airline’s failure to protect customer data adequately, resulting in one of the largest fines under the GDPR.
  3. Marriott International: In October 2020, the ICO fined Marriott International £18.4 million for a data breach that affected approximately 339 million customers worldwide. The breach resulted from a cyberattack on Starwood Hotels and Resorts Worldwide’s systems, which Marriott acquired in 2016. The ICO found that Marriott failed to implement appropriate security measures and did not conduct proper due diligence during the acquisition process.
  4. TIM (Telecom Italia): In January 2020, the Italian Data Protection Authority (Garante) imposed a fine of €27.8 million on Telecom Italia (TIM) for multiple GDPR violations. The violations included unlawful data processing, non-compliance with data retention limits, invalid consent for marketing purposes, and inadequate security measures. The case involved more than 2,000 complaints filed by individuals against the company.

These examples demonstrate that GDPR violations can result in substantial fines and reputational damage for companies. As such, it is essential for organizations to prioritize data privacy and security and ensure compliance with GDPR requirements.

California Consumer Privacy Act (CCPA) – United States

The CCPA, which came into effect in January 2020, is a significant data privacy law in the United States, specifically in California. Key provisions of the CCPA include:

  • Consumer rights: California residents have the right to access and delete their personal information and to opt out of its sale.
  • Transparency: Businesses must disclose the categories of personal information they collect, the purpose of collecting it, and with whom they share it.
  • Non-discrimination: Companies cannot discriminate against consumers who exercise their privacy rights under the CCPA.
  • Financial incentives: Businesses can offer financial incentives to consumers for the collection or sale of their personal information, provided they comply with specific requirements and obtain consent.
  • Penalties: Non-compliance can result in civil penalties of up to $7,500 per intentional violation and $2,500 per unintentional violation.

Although the California Consumer Privacy Act (CCPA) took effect in January 2020 and enforcement began in July 2020, there have been fewer high-profile cases than under the GDPR, and few publicly reported findings of severe violations or fines. However, several lawsuits and settlements related to the CCPA have emerged that could lead to future enforcement actions. Here are a few examples:

  • Zoom Video Communications: In March 2020, Zoom faced a class-action lawsuit for alleged CCPA violations. The plaintiff claimed that Zoom had failed to implement reasonable security measures to protect users’ personal information and did not properly disclose the sharing of users’ personal information with third parties, including Facebook. In February 2021, Zoom agreed to an $85 million settlement, which included improving its security measures and providing clearer privacy disclosures.
  • TikTok Inc.: In June 2020, TikTok faced a class-action lawsuit alleging that the company had violated the CCPA by collecting and sharing users’ personal data without obtaining proper consent. While the case has not yet reached a final resolution, it highlights the potential risks of non-compliance with the CCPA.
  • Walmart Inc.: In July 2020, Walmart faced a class-action lawsuit alleging that the company had failed to implement and maintain reasonable security measures, resulting in a data breach that affected customers’ personal information. The lawsuit claimed that Walmart violated the CCPA by not adequately protecting customer data, and while the case is still pending, it could lead to significant fines if the company is found to be in violation of the CCPA.

These examples show that the CCPA can lead to substantial legal actions, fines, and reputational damage for companies. As enforcement under the CCPA continues to develop, organizations must prioritize data privacy and security to ensure compliance with the law.

Personal Data Protection Act (PDPA) – Singapore

The PDPA, enacted in 2012, governs the collection, use, and disclosure of personal data by organizations in Singapore. Key provisions of the PDPA include:

  • Consent: Organizations must obtain the individual’s consent before collecting, using, or disclosing their personal data.
  • Notification: Individuals must be informed of the purpose of data collection, use, and disclosure.
  • Access and correction: Individuals have the right to access and correct their personal data held by an organization.
  • Data protection: Organizations must take reasonable measures to protect personal data from unauthorized access, disclosure, or destruction.
  • Do Not Call (DNC) Registry: The PDPA provides for the establishment of a DNC Registry, allowing individuals to opt out of receiving marketing messages.
  • Penalties: Non-compliance can result in fines of up to SGD 1 million.

Since its enactment in 2012, the Personal Data Protection Act (PDPA) in Singapore has seen several notable cases involving severe violations. Here are a few examples:

  1. IHiS and SingHealth: In January 2019, the Personal Data Protection Commission (PDPC) imposed fines on Integrated Health Information Systems (IHiS) and Singapore Health Services (SingHealth) amounting to SGD 750,000 and SGD 250,000, respectively. These fines were a result of a massive data breach in 2018 that affected 1.5 million SingHealth patients, including the then Prime Minister of Singapore. The PDPC found that both organizations had failed to implement adequate security measures to protect patient data.
  2. K Box Entertainment Group: In September 2014, the PDPC fined K Box Entertainment Group SGD 50,000 for a data breach that compromised the personal data of more than 300,000 customers. The breach occurred due to inadequate security measures, and the PDPC found that K Box had failed to put in place reasonable data protection policies and practices.
  3. Metro Pte Ltd: In February 2016, the PDPC fined Metro SGD 60,000 for a data breach involving the unauthorized access and disclosure of 223 customers’ personal data. Metro was found to have failed to implement proper security measures to protect its customers’ data from unauthorized access.
  4. Singapore Red Cross: In May 2019, the Singapore Red Cross suffered a data breach that exposed the personal information of over 4,200 blood donors. While no fine was imposed, the PDPC found that the organization had failed to put in place reasonable security arrangements to protect the personal data in its possession.

These cases highlight the importance of complying with the PDPA and implementing adequate security measures to protect personal data. Organizations operating in Singapore must ensure they have appropriate data protection policies and practices in place to avoid severe penalties and reputational damage.

Lei Geral de Proteção de Dados (LGPD) – Brazil

Brazil’s LGPD, which took effect in September 2020, is a comprehensive data protection law modeled after the GDPR. The LGPD applies to businesses operating in Brazil or processing the personal data of individuals located in Brazil. Key provisions of the LGPD include:

  • Consent: Organizations must obtain clear and informed consent from individuals before collecting and processing their personal data.
  • Data protection officer: Organizations must appoint a Data Protection Officer (DPO) to ensure compliance with the LGPD.
  • Data subjects’ rights: Individuals have the right to access, rectify, delete, and restrict the processing of their personal data, as well as the right to data portability and the right to object to processing.
  • Data breach notification: Organizations must notify the relevant data protection authority and affected individuals within a reasonable time after discovering a data breach.
  • Sanctions: Non-compliance can result in fines of up to 2% of the company’s revenue in Brazil or up to BRL 50 million per violation, as well as other penalties, such as the suspension or prohibition of data processing activities.

Because the Lei Geral de Proteção de Dados (LGPD) only came into effect in September 2020, there have been relatively few cases involving severe violations. However, some noteworthy cases have started to emerge:

  1. Hospital Albert Einstein: In October 2020, the Brazilian Health Regulatory Agency (ANVISA) fined the Hospital Albert Einstein BRL 1,500 for violating patient privacy rights. The case involved the disclosure of a patient’s COVID-19 test results to an employer without the patient’s consent. While the fine may not seem large, it is significant as one of the first enforcement actions under the LGPD.
  2. Vivo (Telefônica Brasil): In August 2021, the São Paulo Court of Justice ordered Vivo to pay BRL 5.5 million in compensation for a data leak involving the personal information of over 24 million customers. Although the ruling did not explicitly mention the LGPD, the decision was based on the constitutional right to privacy and data protection principles that align with the LGPD.
  3. Backer Brewery: In November 2020, Backer Brewery faced a lawsuit under the LGPD for a data breach that affected over 3,000 consumers. The breach exposed personal data, including customers’ names, ID numbers, and addresses. The case is still pending, but it illustrates how companies may be held liable for not adequately protecting personal data under the LGPD.

As enforcement of the LGPD continues to develop, more cases involving severe violations may emerge. It is essential for organizations operating in Brazil to prioritize data privacy and security to ensure compliance with the LGPD and avoid potential fines and legal actions.

Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada

PIPEDA, enacted in 2000, governs the collection, use, and disclosure of personal information by private-sector organizations in Canada. Key provisions of PIPEDA include:

  • Consent: Organizations must obtain informed consent from individuals before collecting, using, or disclosing their personal information.
  • Limiting collection: The collection of personal information must be limited to what is necessary for the identified purposes.
  • Access and correction: Individuals have the right to access their personal information held by an organization and request corrections if needed.
  • Security safeguards: Organizations must implement appropriate security measures to protect personal information.
  • Accountability: Organizations must designate a privacy officer responsible for ensuring compliance with PIPEDA and handling privacy-related inquiries.
  • Penalties: Non-compliance can result in complaints to the Office of the Privacy Commissioner of Canada (OPC), which can lead to investigations, recommendations, and potential legal action.

Since its enactment in 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada has seen several notable cases involving significant violations. Here are a few examples:

  1. Equifax: In 2017, Equifax, a credit reporting agency, suffered a massive data breach that affected approximately 19,000 Canadians and 143 million people worldwide. In April 2019, the Office of the Privacy Commissioner of Canada (OPC) concluded its investigation, finding that Equifax had violated PIPEDA by failing to implement adequate security measures to protect personal information. Although no fines were imposed, because PIPEDA had no financial penalty provisions at the time, the OPC required Equifax to enter into a compliance agreement to address its security shortcomings.
  2. Facebook: In April 2019, the OPC released a report detailing its investigation into Facebook’s handling of the Cambridge Analytica scandal. The OPC found that Facebook had violated PIPEDA by failing to obtain meaningful consent for the disclosure of personal information and not adequately protecting user data. While no fines were imposed, the OPC took the matter to the Federal Court of Canada to enforce its recommendations. However, Facebook later reached an agreement with the OPC in 2021 to resolve the privacy concerns.
  3. Ashley Madison: In August 2015, Ashley Madison, an online dating service for married individuals, experienced a significant data breach that exposed the personal information of millions of users worldwide. In December 2015, the OPC found that Ashley Madison had violated PIPEDA by failing to implement reasonable security measures to protect personal information. While no fines were imposed under PIPEDA, Ashley Madison reached a settlement with several countries, including Canada, agreeing to pay a total of USD 1.6 million in penalties.

These cases highlight the importance of complying with PIPEDA and implementing adequate security measures to protect personal information. As the enforcement of privacy regulations continues to evolve in Canada, organizations must prioritize data privacy and security to avoid potential penalties and reputational damage.

Data Protection Act 2018 (DPA 2018) – United Kingdom

The DPA 2018, which came into effect in May 2018 alongside the GDPR, serves as the UK’s primary data protection legislation. The DPA 2018 not only incorporates the provisions of the GDPR but also addresses specific data protection issues relevant to the UK. Key provisions of the DPA 2018 include:

  • Consent: Organizations must obtain clear and informed consent from individuals before collecting and processing their personal data.
  • Data subjects’ rights: Individuals have rights similar to those under the GDPR, including the right to access, rectify, delete, and restrict the processing of their personal data.
  • Data protection officer: Organizations may be required to appoint a Data Protection Officer (DPO) to ensure compliance with the DPA 2018.
  • Data breach notification: Organizations must notify the Information Commissioner’s Office (ICO) within 72 hours of discovering a data breach.
  • Fines: Non-compliance can result in fines of up to £17.5 million or 4% of the company’s global annual revenue, whichever is higher.

Several high-profile cases have involved severe violations under the DPA 2018:

  1. British Airways: As noted above, the UK’s Information Commissioner’s Office (ICO) issued a fine of £20 million against British Airways in October 2020 for a data breach that exposed the personal information of approximately 400,000 customers. The breach occurred due to poor security measures, and the ICO cited the airline’s failure to protect customer data adequately, resulting in one of the largest fines under the DPA 2018.
  2. Marriott International: As also noted above, the ICO fined Marriott International £18.4 million in October 2020 for a data breach that affected approximately 339 million customers worldwide. The breach resulted from a cyberattack on Starwood Hotels and Resorts Worldwide’s systems, which Marriott acquired in 2016. The ICO found that Marriott failed to implement appropriate security measures and did not conduct proper due diligence during the acquisition process.
  3. Ticketmaster UK: In November 2020, the ICO fined Ticketmaster UK £1.25 million for a data breach that affected millions of customers worldwide. The breach occurred due to a cyberattack on Ticketmaster’s chatbot software, which exposed personal data, including payment information. The ICO found that Ticketmaster failed to implement adequate security measures to protect customer data.
  4. DSG Retail Limited: In January 2020, the ICO imposed a fine of £500,000 on DSG Retail Limited, the parent company of Currys PC World and Dixons Travel, for a data breach that affected 14 million customers. The breach occurred due to poor security measures, and the ICO found that the company had failed to implement appropriate security measures to protect customer data.

These cases demonstrate that DPA 2018 violations can result in substantial fines and reputational damage for companies.

As this overview demonstrates, countries around the world have enacted various data privacy laws to protect individuals’ personal information and regulate the ways businesses collect, use, and disclose such data. While these laws share some similarities, they also have unique provisions tailored to each jurisdiction’s specific needs and concerns. As a result, businesses operating globally must be aware of the data protection laws in each country they operate in and ensure compliance with those laws. By understanding and adhering to these regulations, businesses can not only avoid fines and penalties but also foster trust and transparency with their customers and partners. As data privacy concerns continue to grow in the digital age, staying informed and up-to-date on these laws and their implications is essential for both businesses and individuals alike.
