Data Privacy Regulations

Data Privacy Regulations on 4 Continents

What Are Data Privacy Regulations?

Data privacy relates to the regulation of sensitive or personally identifiable information (PII), including how it is stored and used. PII includes any data that can be directly tied to a user, including name, ID numbers, date of birth, address or location, and phone number. It may also refer to associated information, including social media posts, profile photos, or IP addresses.  

Data privacy regulations are laws for enforcing data privacy protections. These regulations vary by location, with some covering specific states and others collections of countries.

Data privacy regulations around the world include:

USA Data Privacy Laws

Despite several regulations being introduced, there is currently no federal law universally regulating data privacy in the US. There are, however, several acts that protect specific types or uses of data. These include:

  • Federal Trade Commission Act—prohibits deceptive practices related to privacy policies, failure to provide sufficient protections for privacy, and misleading advertising.
  • Children’s Online Privacy Protection Act—regulates the collection of data related to minors.
  • Health Insurance Portability and Accounting Act (HIPAA)—regulates the storage, privacy, and use of health information.
  • Gramm Leach Bliley Act—regulates personal information collected and stored by financial institutions and banks.
  • Fair Credit Reporting Act—regulates the collection, use, and accessibility of credit histories and information.

Additionally, the US Federal Trade Commission (FTC) oversees users' protection from deceptive or unfair trade practices, including data security and privacy. The FTC can define regulations, enforce laws, punish noncompliance, and investigate organizations suspected of fraud or violation.

USA State-Level Data Privacy Laws

In addition to federal guidelines, 25 states also have various laws regulating data. Depending on the law, regulations apply to government organizations, private organizations, or both.

The most notable example of state-level privacy laws is the California Consumer Privacy Act (CCPA). This act went into effect in January 2020 and provides numerous protections to California residents. These protections include the ability to access data, opt out of collection or sale, and request the deletion of data.

Canada Data Privacy Laws

Canada has 28 statues dedicated to data privacy, spread across a combination of territorial, provincial, and federal bodies. These statues vary widely in scope and guidelines, but all define broad coverage of actions related to the collection, use, or disclosure of personal data.

Canada’s most notable statutes include: 

  • Personal Information Protection and Identity Theft Prevention Act (PIPITPA)
  • Personal Information Protection Act (PIPA BC)
  • Personal Information Protection Act (PIPA Alberta)
  • Quebec Privacy Act
  • Personal Information Protection and Electronic Documents Act (PIPEDA)

Of these statues, PIPEDA is the broadest and applies to:

  • Organizations performing federal or business activities
  • Organizations operating in areas that do not have “substantially similar” legislation in place (i.e., PIPA BC, PIPA Alberta or the Quebec Privacy Act)
  • Organizations operating interprovincially or internationally

EU Data Privacy Laws

The most notable privacy law in the EU is the General Data Protection Regulation (GDPR). This regulation addresses the collection, use, storage, security, and transfer of data related to any resident of the EU. It applies to data handled by organizations regardless of location, including those operating outside the EU. Breaches of the guidelines can result in fines of up to 4% of global turnover or 20€ million. 

The primary goals of GDPR include:

  • Establishing privacy for personal data as a basic human right
  • Enforcing baseline requirements of privacy
  • Standardizing how privacy rules are applied

GDPR includes protections for the following data types:

  • Personally identifiable information (PII) including names, ID numbers, date of birth, and addresses
  • Web data including IP addresses, cookies, and location
  • Health information including diagnoses and health summaries
  • Biometric data including voice data, DNA, fingerprints, or gait information
  • Private communications
  • Photos and videos
  • Cultural, social, or economic data

Related content: learn more in our guide to GDPR Subject Access Requests

China Data Privacy Laws

China does not have a federal law relating to data privacy but does have a framework of regulations and laws that cover many cases. For example, the Tort Liability Law and the General Principles of Civil Law both have provisions which have been interpreted to cover privacy or reputation as protections that should be applied to data. 

In addition to general protections, there have also been multiple specific regulations and guidelines that have been implemented or proposed. These include: 

  • People’s Republic of China Cybersecurity Law
  • National Standard of Information Security Technology – Personal Information Security Specification
  • Guidelines on Internet Personal Information Security Protection
  • Draft National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment

Australia Data Privacy Laws

Australia has a variety of data protection and privacy laws at the territory, state, and federal levels. These include the Australian Privacy Principles (APPs) and the The Federal Privacy Act of 1988. These guidelines apply to all government organizations and private organizations with an annual turnover of AU$3 million.

In addition to the general guidelines, most Australian territories and states also have their own regulations. The exceptions are South and Western Australia. The acts that have been passed include: 

  • Information Privacy Act (Australian Capital Territory)
  • Information Act (Northern Territory)
  • Privacy and Data Protection Act (Victoria)
  • Personal Information Protection Act (Tasmania)
  • Privacy and Personal Information Protection Act (New South Wales)
  • Information Privacy Act (Queensland)

Singapore Data Privacy Laws

Singapore’s data privacy laws are covered under one act; the Personal Data Protection Act (PDPA). This act regulates the collection, care, use, and disclosure of personal information.

PDPA is a general law that establishes a baseline of protections that stack on sector or industry specific regulations. It aims to balance users' rights with the goals of organizations, provided those goals include reasonable and legitimate data use. Additionally, the PDPA includes the creation of a national do not call registry that enables users to opt out of marketing communications.

Data Privacy Regulations with NetApp Cloud Compliance

NetApp Cloud Compliance leverages cognitive technology to discover, identify and map personal and sensitive data. Use Cloud Compliance to maintain visibility into the privacy posture of your cloud data, generate crucial data privacy reports, and easily demonstrate compliance with data privacy regulations such as the GDPR and the CCPA.

Learn more about NetApp Cloud Compliance

Learn More About Data Privacy Regulations

Continue exploring in our series of articles about data privacy regulations and how to manage your data effectively for compliance.

California Consumer Privacy Act
As the availability and value of personal data increases, many consumers are expressing concern over how their data is collected and used. To ensure that consumers are protected and retain rights related to their data, governments like the State of California are creating regulations like CCPA.

This article explains what the CCPA is, what rights it grants, how compliance is enforced, how it compares to GDPR, and how you can ensure that your organization is compliant.

Read more: California Consumer Privacy Act

GDPR Subject Access Request
GDPR is one of several data privacy regulations that organizations need to be aware of and responsive to. As part of this regulation, organizations are responsible for responding to requests from consumers seeking to obtain their personal data from the organization. These requests are referred to as DSARs.

This article explains what DSARs are, how to handle requests, how to deny requests, and what responses need to contain.

Read more: GDPR Subject Access Request

New call-to-action

Senior Marketing and Strategy Manager

-