Global privacy laws overview¶

Understanding global privacy regulations is foundational to operating a compliant organization. This guide covers the major privacy laws affecting businesses worldwide, their scope, key requirements, and enforcement mechanisms.

GDPR (General Data Protection Regulation)¶

Jurisdiction¶

Applies to all organizations processing personal data of EU residents, regardless of where the organization is located.

Scope¶

• Data Subjects: Any individual in the EU whose personal data is processed
• Data Controllers & Processors: Any entity determining purposes/means (controller) or processing on behalf (processor)
• Personal Data: Any information relating to an identified or identifiable natural person
• Geographic Reach: Extraterritorial—applies to non-EU companies processing EU resident data

Key features¶

• Lawful Basis: Data processing requires one of six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests)
• Privacy by Design: You must implement privacy safeguards throughout data lifecycle
• Data Protection Impact Assessments (DPIAs): Required for high-risk processing
• Data Protection Officer: Mandatory for public authorities; recommended for large-scale processing
• Accountability: You must demonstrate compliance through documentation and audit trails

Data subject rights¶

• Right to access personal data and processing information
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making and profiling

Fines and penalties¶

• Tier 1: Up to €10 million or 2% of global revenue (procedural violations)
• Tier 2: Up to €20 million or 4% of global revenue (substantive violations)
• Enforcement: By Data Protection Authorities in each member state

Organizational obligations¶

• Privacy notices at point of collection
• Data retention policies
• Vendor/processor agreements
• Breach notification within 72 hours
• Consent mechanisms (explicit, granular, withdrawable)

CCPA/CPRA (California Privacy Rights Act)¶

Jurisdiction¶

Applies to for-profit businesses collecting personal information of California residents, if they: - Have annual revenue exceeding $25 million, OR - Buy, sell, or share personal information of 100,000+ people/households, OR - Derive 50%+ of revenue from selling/sharing residents' personal information

Scope¶

• Data Subjects: California residents (individuals)
• Personal Information: Information that identifies, relates to, describes, or could be reasonably linked with an individual
• Consumers: Data subjects in California
• Businesses: For-profit entities collecting consumer data

Key features (CCPA)¶

• Sale and Sharing: Restrictions on selling or sharing personal information
• Privacy Notice: Clear, accessible privacy policies required
• Opt-Out Mechanisms: Consumers must be able to opt out of sale/sharing
• Non-Discrimination: No price or service differentiation for privacy choices
• Data Minimization: Collection limited to what's necessary for disclosed purposes

CPRA enhancements (Effective 2023)¶

• Explicit Opt-In: Required for sensitive personal information (SSN, health data, biometrics, precise location)
• Automated Decision-Making: Additional protections and opt-out rights
• Service Providers vs. Third Parties: Clearer distinctions affecting obligations
• California Privacy Protection Agency: New enforcement agency with broader authority
• Higher Penalties: Up to $10,000 per intentional violation

Data subject rights (Consumers)¶

• Right to know what personal information is collected
• Right to access collected personal information
• Right to delete personal information
• Right to opt-out of sale/sharing
• Right to correction of inaccurate information
• Right to limit use of sensitive information
• Right to non-discrimination for exercising rights

Fines and penalties¶

• CCPA: Up to \(7,500 per intentional violation; private right of action for data breaches (\)100-$750 per consumer per incident)
• CPRA: Up to $10,000 per violation; civil penalties of \(2,500-\)7,500 per violation

Organizational obligations¶

• Detailed privacy notices
• Respond to consumer rights requests within 45 days
• Honor opt-out requests within 45 days
• Limit employee access to personal information
• Annual verification of compliance
• Data breach notification

UK Data Protection Act (UK DPA)¶

Jurisdiction¶

Applies to organizations processing personal data of UK residents. Post-Brexit, operates alongside UK GDPR with specific national exemptions.

Scope¶

• Data Subjects: UK residents and individuals
• Personal Data: As defined in UK GDPR
• Data Controllers & Processors: Similar to GDPR

Key features¶

• UK GDPR Compliance: Substantially aligned with EU GDPR
• Adequacy Determinations: UK-specific rules for international transfers
• National Security: Additional derogations for national security purposes
• Exemptions: Broader exemptions than EU GDPR for certain processing (journalism, research, statistics)
• Information Commissioner's Office (ICO): Primary enforcement authority

Data subject rights¶

Substantially same as GDPR with some UK-specific modifications.

Fines and penalties¶

• Up to £20 million or 4% of global turnover (Type A violations)
• Up to £10 million or 2% of global turnover (Type B violations)
• Enforcement by ICO

Organizational obligations¶

• UK-based Data Protection Officer for certain organizations
• Privacy Impact Assessments for high-risk processing
• UK representative for non-UK established organizations
• Documented compliance records

PDPA (Personal Data Protection Act - Singapore)¶

Jurisdiction¶

Applies to organizations in or outside Singapore that collect, use, or disclose personal data of Singapore residents.

Scope¶

• Data Subjects: Singapore residents
• Personal Data: Information relating to an individual
• Organizations: Any entity collecting/processing personal data of Singapore residents

Key features¶

• Consent Requirement: Generally required for collection and disclosure, with specified exceptions
• Purpose Limitation: Data used only for disclosed purposes (with exceptions)
• Notification: You must provide privacy notices
• Access & Correction: Individuals can request access and correction
• Accuracy: You must take reasonable steps to ensure data accuracy
• Protection: Reasonable security measures required
• Retention: Data retained only as long as necessary

Data subject rights¶

• Right to be informed about personal data collection
• Right to access personal data
• Right to correct inaccurate personal data
• Right to withdraw consent
• Right to know about third-party disclosures
• Right to request not to receive marketing messages

Fines and penalties¶

• Up to SGD $1 million or fine not exceeding SGD $1 million (first offense)
• Up to SGD $1 million or imprisonment for 3 years (subsequent offense)
• Enforcement by Personal Data Protection Commission (PDPC)

Organizational obligations¶

• Privacy notices at point of collection
• Consent management systems
• Data access request procedures
• Security safeguards
• Data breach notification to PDPC and affected individuals

APPI (Act on Protection of Personal Information - Japan)¶

Jurisdiction¶

Applies to organizations in Japan and some overseas organizations processing personal data of Japanese residents.

Scope¶

• Data Subjects: Individuals (Japanese residents or visitors)
• Personal Information: Information identifying an individual
• Organizations: Businesses processing personal data (with employee exemption)

Key features¶

• Purpose Specification: Clear, limited purposes for data collection
• Appropriate Means: Collection through lawful and appropriate means
• Use Limitation: Use only for specified purposes
• Data Quality: Accuracy and freshness of personal data
• Security Measures: Technical and organizational safeguards
• Transparency: Privacy policies required
• Rights: Subject access, correction, deletion, opt-out of third-party disclosure

APPI reform (2022)¶

• Scope Expansion: Broader definition of personal information
• Sensitive Information: Enhanced protection for sensitive data (racial/ethnic origin, political beliefs, health, etc.)
• International Transfers: New restrictions and requirements
• Third-Party Disclosure: Enhanced consent and notification requirements
• Liability: Strengthened corporate responsibility provisions

Data subject rights¶

• Right to know if personal information is held
• Right to access personal information
• Right to correct inaccurate data
• Right to delete personal information
• Right to opt-out of third-party disclosure
• Right to object to automated decision-making

Fines and penalties¶

• Administrative monetary penalties (up to 100 million yen for serious violations)
• Civil liability for damages
• Enforcement by Personal Information Protection Commission (PPC)

Organizational obligations¶

• Privacy policies and notices
• Consent management
• Purpose limitation policies
• Data retention schedules
• Cross-border transfer mechanisms
• Data breach notification

LGPD (Lei Geral de Proteção de Dados - Brazil)¶

Jurisdiction¶

Applies to organizations in or outside Brazil processing personal data of Brazilian residents.

Scope¶

• Data Subjects: Brazilian residents and individuals
• Personal Data: Information relating to identified or identifiable individuals
• Processing: Any operation involving personal data (collection, use, disclosure, storage)
• Data Controllers & Processors: Entities determining processing purposes/means or processing on behalf

Key features¶

• Lawful Basis: Processing requires one of ten lawful bases (consent, legal obligation, public administration, research by a research body, contract execution, exercise of rights in judicial/administrative/arbitral proceedings, protection of life or physical safety, health protection, legitimate interests, credit protection)
• Transparency: Privacy notices and clear disclosure required
• Data Protection Officer: Required for public entities and large-scale data processors
• Consent: Explicit, informed consent required for most processing
• Subject Rights: Access, correction, deletion, portability, opt-out from processing
• Accountability: Documented compliance and audit trails

Data subject rights¶

• Right to confirmation of processing and access to personal data
• Right to correction of inaccurate data
• Right to deletion or anonymization
• Right to data portability
• Right to object to processing
• Right to revoke consent
• Rights related to automated decision-making
• Right to complaint to authority

Fines and penalties¶

• Up to 50 million Brazilian reals or 2% of company's revenue (up to 50 million reals maximum) per infraction
• Enforcement by National Data Protection Authority (ANPD)
• Private right of action for affected individuals

Organizational obligations¶

• Privacy notices and policies
• Consent mechanisms
• Data inventories and processing records
• Vendor/processor agreements
• Data breach notification
• International transfer mechanisms
• Regular compliance monitoring and audits

Comparison table¶

Key takeaways¶

What to read next¶

• Practical compliance guidance → — Step-by-step implementation strategies
• Compliance checklist → — Verification checklist for your program
• Privacy notice guide → — Creating jurisdiction-specific notices

Note: For jurisdiction-specific questions, consult with legal counsel qualified in that region. These materials provide overview guidance only.