Major Privacy Laws

General Data Protection Regulation (GDPR) – EU & UK

Scope: The GDPR applies globally to any organization processing personal data of EU/UK residents, covering both online and offline data.

Key Features:

• Explicit consent required for data collection.
• Rights include access, rectification, erasure (“right to be forgotten”), and portability.
• Mandatory breach notification within 72 hours.
• Non-compliance can result in heavy fines, up to €20 million or 4% of global turnover.

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) – California, USA

Scope: These laws apply to for-profit businesses handling data of California residents, with thresholds based on revenue or number of consumers.

Key Features:

• Right to know what data is collected.
• Right to delete personal data.
• Right to opt-out of data sales.
• CPRA introduces correction rights and sensitive data protections.
• Penalties range from $2,500 to $7,500 per violation.

Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada

Scope: PIPEDA applies to private-sector organizations across Canada, with exceptions for provinces with their own equivalent laws.

Key Features:

• Requires informed or implied consent for data processing.
• Principles include accountability, limiting collection, and safeguarding data.
• Individuals have the right to access and challenge the accuracy of their data.

Brazilian General Data Protection Law (LGPD) – Brazil

Scope: LGPD applies to any entity processing personal data in Brazil, including both domestic and international companies.

Key Features:

• Consent-based processing with transparency obligations.
• Rights include access, correction, and deletion of personal data.
• Requires the appointment of a Data Protection Officer (DPO).
• Penalties can reach up to 2% of revenue, capped at 50 million BRL.

Personal Data Protection Act (PDPA) – Singapore

Scope: PDPA governs the collection, use, and disclosure of personal data in Singapore, applicable to both digital and physical records.

Key Features:

• Consent is required for the collection and use of personal data.
• Organizations have accountability obligations for data protection.
• Mandatory breach notification requirements.
• Penalties can go up to SGD 1 million for non-compliance.

Protection of Personal Information Act (POPIA) – South Africa

Scope: POPIA applies to all public and private bodies processing personal information in South Africa.

Key Features:

• Requires lawful processing of personal information.
• Individuals have rights to access, correct, and object to the processing of their data.
• Non-compliance can lead to severe penalties, including fines or imprisonment for up to 10 years.

Personal Information Protection Law (PIPL) – China

Scope: PIPL applies to the processing of personal data of individuals in China, with strict rules for cross-border data transfers.

Key Features:

• Consent-based processing of personal data.
• Strict restrictions on international data transfers.
• Penalties for violations can be as high as RMB 50 million or 5% of annual revenue.

Data Protection Bill (DPDP Act) – India

Scope: The DPDP Act applies to the processing of digital personal data in India and extends to data related to Indian citizens processed abroad.

Key Features:

• Consent-based processing of personal data.
• Rights provided include access, correction, erasure, and grievance redressal.
• Establishes the Data Protection Board of India for oversight and enforcement.

HIPAA (USA – Healthcare)

Scope

• Applies to healthcare providers, insurers, and business associates handling protected health information (PHI) in the United States.
• Covers electronic, paper, and oral health information.

Key Features

• Privacy Rule: limits use/disclosure of PHI, grants patients rights to access and amend records.
• Security Rule: requires safeguards for electronic PHI (encryption, access controls, audit trails).
• Breach Notification Rule: mandates notifying affected individuals and regulators of breaches.
• Enforcement Rule: civil and criminal penalties, fines up to $1.5M per year per violation category.

Big Picture

• GDPR, LGPD, PIPL, DPDP Act → broad, cross-sector, consent-driven frameworks.
• CCPA/CPRA, PIPEDA, PDPA, POPIA → regional laws with varying strength, often modeled after GDPR.
• HIPAA → sector-specific, focused entirely on healthcare data, with strict technical safeguards.

The post Major Privacy Laws first appeared on Vinod Sebastian - B.Tech, M.Com, PGCBM, PGCPM, PGDBIO.