Data privacy protection has emerged as a crucial consideration for individuals and businesses in the digital era. With technological progress, there is a corresponding evolution in the legal frameworks and regulations aimed at safeguarding personal information. While new laws are emerging in different regions and individual countries, the relevance of old legal acts persists. This guide delves into the evolution of global and regional data privacy regulations, providing insights into the most influential laws shaping the digital world.
Table of Contents
Global Evolution of Personal Data Regulations in the World
In the internet’s early days, companies adapted to combat fraud as users adopted passwords and email. Big tech reshaped the landscape using user data to improve search and advertising. Despite self-regulation efforts, like prompts and opt-out tools, ad trackers could still monitor user behavior extensively, prompting the emergence of laws and regulations on data governance.
Let’s take a look at crucial dates of significant developments around privacy protection:
1980
The OECD issued data protection guidelines reflecting the growing utilization of computers in business transactions.
1981
The Data Protection Convention (Treaty 108) was adopted by the Council of Europe, establishing the right to privacy as a legal imperative.
1983
The Federal Constitutional Court of Germany made a pivotal decision on the census judgment, marking a significant milestone in data protection.
1984
The 1984 Data Protection Act adopted by the United Kingdom’s Parliament grants individuals new legal rights when computers store their personal information.
1995
The European Data Protection Directive established itself by incorporating technological advancements and introducing new terms such as processing, sensitive personal data, and consent.
2000
Policymakers introduced the Safe Harbor Arrangement as a set of principles to address the disparities in data privacy laws between the United States and the European Union. The primary goal was to enhance the smooth flow of information between these two regions.
2002
The EU embraces the Directive on Privacy and Electronic Communications.
2006
The EU puts into effect the Directive on retaining data generated or processed in association with the making of publicly available electronic communications services or public communications networks. However, a Court of Justice ruling in 2014 declared it invalid for violating fundamental rights.
2009
The EU Electronic Communications Regulations evolved in response to email addresses and mobile numbers becoming essential in marketing and sales campaigns.
2013
The European Commission adopted Regulation 611/2013 concerning the measures relevant to the notification of personal data breaches under Directive 2002/58/EC.
2014
A ruling by the Court of Justice of the EU establishes that European law grants individuals the right to request search engines to delete results for queries containing their name, leading to the concept known as “the right to be forgotten.”
2015
Due to U.S. laws granting unrestricted access to EU citizens’ data by U.S. intelligence agencies, the European Court of Justice invalidated the Safe Harbor Arrangement.
2016
After four years of discussions, the EU parliament approved the General Data Protection Regulation (GDPR).
2018
GDPR comes into enforcement, replacing the Data Protection Act.
2019
In 2019, the California Consumer Privacy Act became the first modern privacy legislation in the United States, focusing on providing people with insight and some control over how companies use personal data.
2020
Since 2020, several US states have initiated the exploration of privacy legislation. Colorado, Connecticut, Virginia, and Utah have all enacted legislation similar to CCPA, and some other states are considering privacy bills.
10 Most Influential Data Regulation Laws Worldwide
Global laws, like the GDPR in the EU and emerging regulations in the US, China, India, and beyond, significantly affect advertising markets. We explore frameworks shaping data privacy and address the complexities of electronic communications, online content, and personal information. This provides a glimpse into the continuous endeavors of nations as they grapple with the challenges and opportunities presented by the digital age.
General Data Protection Regulation
The GDPR, established by the European Union in 2018, stands as one of the most renowned frameworks for ensuring data privacy. This regulation extends its jurisdiction to any entity processing EU citizens’ confidential data, regardless of geographical location. Imposing stringent standards for acquiring, using, and safeguarding personal information, the GDPR mandates that individuals provide explicit consent and affirms the right to delete their data. Furthermore, it grants individuals the right to access, rectify, and erase their personal data and data portability.
ePrivacy Directive
The ePrivacy Directive, a cornerstone of the European Union’s legislative framework, is dedicated to safeguarding privacy and confidentiality within electronic communications. Enacted in 2002 and subsequently refined through multiple amendments, this directive plays a crucial role in harmonizing with the General Data Protection Regulation (GDPR). Its primary focus is addressing nuanced concerns inherent in electronic communications, spanning topics such as the regulation of cookies and the management of direct marketing practices. The directive works with the GDPR to ensure a comprehensive and robust framework for protecting individuals’ digital privacy.
Digital Services Act
The recently enacted regulation aims to tackle illegal and harmful content by imposing obligations on platforms like Google and Facebook to eliminate content that fails to meet specified standards. The underlying principle is ensuring that activities deemed illegal offline are also unlawful online, as the Council of the EU emphasizes. The Digital Services Act (DSA) officially commenced on November 16, 2022, with various law provisions slated to take effect at different intervals. The law will fully operate by February 17, 2024.
California Consumer Privacy Act
A noteworthy data privacy framework originating from the United States is the CCPA, enacted in California in 2018 and enacted in 2020. Applicable to businesses gathering and selling California residents’ personal data, the CCPA establishes guidelines for transparency and consumer rights. These rights encompass the ability to opt out of personal data sales and the entitlement to request access to the collected personal data.
California Privacy Rights Act
The California Privacy Rights Act stands as the most complete state data privacy legislation to date. Enacted through a ballot initiative in November 2020, the CPRA amended California’s prior privacy law, the California Privacy Protection Act, and officially came into force on January 1, 2023, applying to personal data gathered on or after the 1st of January 2022.
This cross-sector legislation introduces crucial definitions and expansive individual consumer rights while imposing significant obligations on entities collecting personal information from or about California residents. These responsibilities encompass notifying data subjects about the collection methods and timing, providing options to opt out of data collection, facilitating access to, correction, and deletion of such information, and setting limitations on how businesses can transfer personal information to other entities.
Children’s Online Privacy Protection Act
The Children’s Online Privacy Protection Act is a U.S. law designed to safeguard children’s online data, regulating how websites and services manage such information. Enacted in 1998, the COPPA rule, implemented in 2000, outlines the specific guidelines for compliance with the act. It mandates that operators of websites and online services targeting children under the age of 13 must receive parental consent before collecting, using, or disclosing any information from users.
The EU-U.S. Data Privacy Framework
As of July 10, 2023, the newly implemented EU-U.S. Data Privacy Framework has come into effect. This framework introduces enhanced security measures, establishes a refund mechanism for EU and U.S. citizens who believe someone has infringed upon their rights, and amplifies protections for the data of foreign citizens transferred to the U.S. Notably, it mandates intelligence agencies to update surveillance-related policies and procedures, subject to review by the Privacy and Civil Liberties Oversight Board.
While an improvement over the Privacy Shield, this framework has imperfections. Anticipated criticisms from European privacy advocacy groups may arise. Nonetheless, if the framework endures, it could be the preferred method for businesses to transfer data between the EU and the U.S.
APEC Privacy Framework
Ministers of the APEC region officially finalized the APEC Privacy Framework in December 2005, recognizing its significance in establishing robust privacy protections that prevent hindrances to information flows, thereby ensuring ongoing trade and economic growth in the APEC region. This framework champions a flexible approach to information privacy protection across member economies, committed to avoiding unnecessary barriers. Formulated as a set of voluntary data privacy principles, the APEC Privacy Framework strives to promote data privacy, facilitate cross-border trade, and contribute to economic growth in the APEC region.
China’s Personal Information Protection Law
Amid various unresolved aspects, China successfully enacted the Personal Information Protection Law (PIPL) on November 1, 2021. While preceding legislation, such as the Data Security Law (DSL) and Cybersecurity Law (CSL), was already in effect, PIPL stands out as China’s inaugural comprehensive law designed to oversee and safeguard personal information. The introduction of DSL and PIPL signifies a notable convergence of China’s data security and personal information regulations with international standards, particularly evident in PIPL’s striking similarities to the General Data Protection Regulation (GDPR).
Indian Personal Data Protection Bill
In December 2019, India presented the Personal Data Protection Bill (PDPB) to parliament, which received approval in 2023. Drawing inspiration from the GDPR, the PDPB shares commonalities, but some policies lack clarity. Notably, the PDPB grants a degree of discretion to India’s Central Government in determining enforcement mechanisms and specifying instances for exceptions. The legislation echoes GDPR in crucial aspects, including the necessity of obtaining consent from data subjects (termed “data principals” in the PDPB), mandating breach notifications, establishing a “right to be forgotten,” and imposing substantial fines for non-compliance, potentially reaching up to 4% of global annual turnover.
Brazilian General Data Protection Law
Brazilian General Data Protection Law, or LGPD, closely mirrors the GDPR in scope and applicability, albeit featuring comparatively milder financial penalties for non-compliance. To engage in business with the largest economy in Latin America, companies must adhere to LGPD regulations, facing potential fines reaching up to 11.8 million EUR if they fail to comply. Initially slated for implementation in February 2020, LGPD encountered some legislative deliberations, ultimately taking effect in September 2020 after a period of adjustments.
Other Regional Laws Worldwide
The upcoming chapter examines varied data protection laws, showcasing distinct regulatory structures in different regions. These tailored laws significantly influence regional markets, reflecting personalized approaches to safeguard personal data in the digital era. They underscore a global commitment to responsible data practices, and we’ll explore their nuances to understand their contributions to international data protection regulations.
Japanese Act on the Protection of Personal Information
The Act on the Protection of Personal Information was initially passed in 2005 and updated in both 2015 and 2020. It strictly regulates the handling of personal data for Japanese residents. Recent amendments require mandatory reporting of data breaches, with companies submitting reports to Japan’s Personal Information Protection Commission (PPC). APPI aligns with global privacy laws, emphasizing user consent before collecting information, especially for third-party sharing. Notably, it extends jurisdiction to foreign entities, allowing PPC to notify authorities in the offender’s location, showcasing Japan’s commitment to adapting to modern digital tendencies.
Canada’s Consumer Privacy Protection Act
Introduced on June 16, 2022, the Canadian federal government’s Digital Charter Implementation Act 2022 is a highly anticipated legislative move. This proposed law maintains PIPEDA’s definition of personal information under the Consumer Privacy Protection Act (CPPA). If passed, it will establish CPPA as the primary privacy law, replacing PIPEDA, introduce the Personal Information and Data Protection Tribunal Act, create a new tribunal, and enact the Artificial Intelligence and Data Act. CPPA requirements extend to organizations involved in collecting, using, and sharing personal information for commercial purposes and collecting, using, and sharing personal information about employees and job candidates.
Australian Privacy Act
Australia’s Privacy Act 1988 is the primary privacy law governing both public and private sectors. In addition to this act, various statutory privacy laws in Australian states and sector-specific privacy laws apply. For instance, the Health Privacy Principles regulate organizations handling health data, and the Information Privacy Act 2009 applies to personal data in Queensland. In late 2020, Australia conducted a public consultation to review the Privacy Act. In early 2021, the government published a document soliciting specific input on elements such as the Act’s scope, efficacy, and enforcement. By late 2022, the Australian Parliament successfully enacted the Privacy Legislation Amendment Bill 2022, emphasizing heightened penalties for data breaches and aligning existing privacy laws more closely with the European Union’s GDPR.
The Republic of Turkey’s Law on Personal Data Protection
The Republic of Turkey’s Law on Personal Data Protection, enacted in 2016, draws heavy influence from EU Directive 95/46/EC. Through multiple amendments, it is evolving to resemble GDPR, covering aspects like data retention, deletion, and anonymization, registering data controllers, organizing the Kişisel Verileri Koruma Kurumu (KVKK), and specifying the processing of special categories of personal data. Recent proposals from the KVKK aim to clarify definitions and justify the uses of health-related data and specify countries with adequate data protection laws for international data transfers. Initially, a list of such countries was not published, requiring individual permission from the KVKK for international data transfers. Individual violations of the LPDP fines on range from 325 EUR to 65,000 EUR, with the KVKK having the authority to ban certain processing activities. Despite having extra-territorial applicability like GDPR, LPDP imposes lower fines.
United Kingdom’s Data Protection Act
The Data Protection Act 2018 actively molds the regulatory landscape in the United Kingdom by incorporating and complementing the provisions of the European Union’s General Data Protection Regulation (GDPR). Emphasizing data subject rights, handling “special category” personal data, managing data protection fees, addressing data protection offenses, obtaining consent from children, and enforcing regulations are key aspects of this legislation.
The U.K. has further shaped its data protection policies since it departed from the European Union on January 31, 2020. In July 2022, the House of Commons presented the Data Protection and Digital Information Bill for 2022-2023. This bill is geared towards modernizing and streamlining the existing data protection framework in the U.K., aiming to alleviate organizational burdens while upholding robust data protection standards.
German Telecommunications and Telemedia Data Protection Act
The Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) in Germany consolidates previously scattered data protection regulations in telecommunications and telemedia, streamlining various laws. It got full power on December 1, 2021. This legislation, among its provisions, governs confidentiality and privacy protection for internet-ready terminal infrastructure like websites, messenger services, and smart home devices. Additionally, it alters the legal framework concerning cookies and similar technologies, aligning with the ePrivacy directive and operating alongside GDPR.
TTDSG, in accordance with the ePrivacy directive, covers both personal and non-personal data. When processing non-personal data exclusively, TTDSG alone applies, while processing both personal and non-personal data invokes the applicability of both TTDSG and GDPR. Non-compliance with TTDSG can result in fines of up to €300,000.00, varying based on the severity of the violation. However, in cases where GDPR provisions are relevant, fines can escalate significantly higher.
Thailand’s Personal Data Protection Act 2019
Thailand’s data privacy regulations, up to 2022, are comprised of various sources such as the Constitution, the Child Protection Act 2003, the Credit Bureau Act 2002, and the National Health Act 2007. However, as of June 1, 2022, Thailand’s inaugural consolidated law dedicated to data protection came into full effect. The implementation of the Personal Data Protection Act (PDPA) aimed to align with GDPR in several aspects, such as mandating that controllers and data processors must have valid legal reasons for their actions. The PDPA, akin to the GDPR, upholds the rights of data subjects, including but not limited to the right to data erasure and portability. It also ensures rights such as being informed, accessing, rectifying, and updating their data.
Singapore’s Personal Data Protection Act
Singapore’s Personal Data Protection Act (PDPA), enacted in 2014 and amended in 2021, is one of Southeast Asia’s strictest data protection laws. The recent amendments, effective from February 1, 2021, strengthened the consent framework and clarified rules for offshore data transfers.
The PDPA in Singapore regulates the collection, utilization, and disclosure of personal data, requiring website owners, companies, and organizations to be accountable for establishing lawful procedures for data collection. With an extra-territorial effect, the law applies to any company handling data of Singaporean residents. While the PDPA covers private organizations, exceptions include individuals using data for personal purposes, employees during their employment, and public and government agencies, which have their own privacy rules.
New Zealand Privacy Act 2020
New Zealand’s Privacy Act 1993 underwent amendments in June 2020, becoming effective on December 1, 2020. While these changes share some similarities with GDPR, such as mandatory data breach notifications and restrictions on offshore data transfer akin to Australia’s 2018 Privacy Amendment, they lack key GDPR provisions.
Notably, non-compliance fines are considerably lower, capped at 10,000 NZD with the provision for class action suits. New Zealand’s Privacy Act does not incorporate the “right to be forgotten” or the right to data portability. Moreover, restrictions on offshore data transfer generally exclude cloud servers, a significant distinction given that major cloud servers are often located outside New Zealand.
Mexico’s Federal Law on the Protection of Personal Data
The Federal Law governs Mexico’s data protection on the Protection of Personal Data held by Private Properties 2010, which oversees private entities’ processing of personal data. This comprehensive law encompasses various data activities: collection, management, use, disclosure, storage, access, transfer, and disposal.
In addition to this legislation, the private sector follows the Regulations to the Federal Law on the Protection of Personal Data held by Private Parties 2011, the Privacy Notice Guidelines 2013, and the Parameters for Self-Regulation 2014. The enforcement and regulation of these measures fall under the responsibility of Mexico’s Federal Institute for Access to Information and Data Protection (IFAI). This framework ensures a holistic approach to safeguarding personal data within private entities while empowering regulatory oversight.
States Privacy Regulations
In the absence of a federal law in the United States, individual states have taken it upon themselves to address this issue, with approximately two dozen states already implementing such laws. California’s legislation stands out prominently, given its significance as the headquarters for major tech giants like Apple, Facebook, Oracle, EA, Google, and others. However, exploring the notable laws introduced in various other states is worthwhile.
Virginia’s Consumer Data Protection Act
Enacted on March 2, 2021, Virginia’s Consumer Data Protection Act (CDPA) positions the state as the second, following California, to adopt a comprehensive data privacy law. CDPA, effective January 1, 2023, grants Virginia residents more control over their data, operating as an “opt-out law,” requiring consumers to object to data collection actively.
The law applies to businesses operating in Virginia that offer products or services to residents and meet specific criteria: controlling or processing personal data of at least 100,000 consumers annually or at least 25,000 with a minimum of 50% of gross revenue from personal data sales. Large businesses not meeting these criteria are exempt. CDPA excludes specific data, such as employee data, de-identified data, and publicly available information. Notably, the law doesn’t empower consumers to bring private actions. Fines, imposed by the attorney general, come with a 30-day cure period. Organizations in breach after this period may face fines of up to $7,500 per violation.
Colorado Privacy Act
On July 7, 2021, Colorado joined California and Virginia to pass extensive consumer privacy legislation, known as the CPA (effective date since 1 July 2023). Like other state laws and drawing inspiration from the EU’s GDPR, the CPA grants Colorado residents control over their data and imposes obligations on data controllers and processors. The law applies to entities conducting business intentionally targeting Colorado residents and either processing the personal data of at least 100,000 consumers per year or deriving revenue from the sale of personal data and processing the data of at least 25,000 consumers, with no revenue thresholds.
Exemptions include state and local governments, state institutions of higher education, personal data governed by specified laws, listed activities, and employment records. The CPA doesn’t set a fixed amount per violation; however, non-compliance may be considered a deceptive trade practice under the Colorado Consumer Protection Act, potentially resulting in a $20,000 fine per violation.
Utah Consumer Privacy Act
The Utah Consumer Privacy Act (UCPA), the fourth state-level privacy law in the United States, was signed into law on March 24, 2022. Effective December 31, 2023, the UCPA protects the privacy rights of Utah residents and outlines data privacy obligations for companies processing their data. The law considered more business-friendly than other state-level regulations, applies to data controllers or processors conducting business in Utah with annual revenue of $25 million or more.
To be subject to the UCPA, a business must meet specific criteria, such as controlling or processing personal data of 100,000 or more consumers, withdrawing over 50% of its gross revenue from selling personal data and preventing or processing personal data of 25,000 or more consumers. Exclusions apply to personal data collected in an employment or business-to-business context. In case of a violation, the Utah Attorney General provides written notice and a 30-day cure period. Failure to address the violation may result in fines for actual damages and up to $7,500 per violation.
Connecticut’s Data Privacy Law
The Connecticut Data Privacy Act (CTDPA), enacted on May 10, 2022, positions Connecticut as the fifth U.S. state to adopt comprehensive privacy legislation. Amended on June 12, 2023, by the Act Concerning Online Privacy, Data, and Safety Protections, the CTDPA now includes provisions for protecting minors and health information.
Entered into force on July 1, 2023, the act applies to entities conducting business in the state or targeting Connecticut residents, meeting specific criteria such as controlling or processing personal data of 100,000 or more consumers (excluding data processed solely for completing a payment transaction) or controlling or processing personal data of at least 25,000 consumers, with more than 25% of gross revenue derived from the sale of personal data. There is no revenue threshold for organizations subject to the law. The Connecticut Attorney General can enforce violations, imposing fines of up to $5,000 per violation. The Attorney General may also issue orders to prevent further violations, mandate restitution to victims, and compel the surrender of profits derived from illegal conduct.
New York SHIELD Act
In July 2019, New York enacted the SHIELD Act. This legislation amends the existing data breach notification law and introduces more stringent data security requirements for companies handling information about New York residents. Since March 2020, the law has been fully enforceable. The SHIELD Act significantly broadens the scope of consumer privacy and enhances protection for New York residents against potential breaches of their personal information. It mandates employers holding private information of New York residents to “develop, implement, and maintain reasonable safeguards” to guarantee the security, confidentiality, and integrity of such information.
In 2022, the state Attorney General reached a settlement with an organization, levying a $600,000 fine for failing to meet minimum standards, which led to a security breach and the exposure of personal information. Despite no recent updates, the law remains actively enforced, as evidenced by this settlement.
Our tech staff and AdOps are formed by the best AdTech and MarTech industry specialists with 10+ years of proven track record!
To Sum Up
The landscape of data privacy regulations has evolved significantly on both global and regional fronts. The rise of digital technology and growing concerns about personal data protection have spurred the enactment of many laws worldwide. Notable regulations like GDPR, CCPA, and CPRA have set standards for transparent data practices, individual rights, and stringent safeguards. The overall trend emphasizes a commitment to responsible data practices, empowering individuals, and holding entities accountable for secure and ethical data handling. As technology advances, these regulations will likely evolve to address emerging challenges, reinforcing the ongoing effort to balance innovation and privacy protection.
This Article's Ad Tech terms