What are the International Privacy Laws and how to comply with them?

The question of how to deal with privacy matters in the age of the digital economy concerns many organizations these days. It is not possible to live in the 21st century and not have heard of privacy and personal data protection. In fact, privacy has become so valuable that countries are enacting data privacy laws to address the growing concern of privacy of individuals.  

Why does privacy matter? 

Privacy has become inevitably important since the increased use and reliance on the Internet and electronic commerce. It is often referred to as the “new oil” in the digital age. In order to regulate how businesses must collect, use and store personal data of individuals, countries have enacted data privacy laws. Since the nature of the Internet and all the things that come with it have no boundaries, it affects how privacy laws are drafted and passed into laws. Even though there is no international privacy law which applies regardless of the territory or region, there are laws which have got features of international privacy law in that they may apply extraterritorially.   

What are the international privacy laws?

There is no legal instrument dealing with the privacy of individuals on an international scale. Rather, there are territorial privacy laws which are applicable within certain countries or regions. These laws provide a legal framework on how to collect, use and store the personal data of natural persons.

The most prominent examples of privacy laws include the EU General Data Protection Regulation (GDPR), EU ePrivacy Directive, California Consumer Privacy Act (CCPA), California Online Privacy Protection Act (CalOPPA), and the Personal Information Protection and Electronic Documents Act of Canada (PIPEDA). 

These laws, as a general rule, are applicable within the boundaries where they are adopted. However, some data privacy laws also include special provisions which make it possible to apply the laws internationally (“extraterritoriality”). For example, in order for GDPR to apply, a data controller or processor does not only have to reside in the EU. If such a controller or processor offers goods or services or monitors the online behavior of individuals in the EU, then such an organization has to comply with the GDPR, despite being established outside the EU.  

How to comply with international privacy laws?

As mentioned above, there is no single legal instrument applicable internationally. However, it may well be the case that a company operating internationally could become bound by more than one privacy law. For example, an e-commerce store based in Canada, selling goods or services to consumers in the EU and Brazil will have to comply with the GDPR and LGPD since these laws set out extraterritorial applicability provisions. Since the organization is based in Canada, it will be bound by PIPEDA as well. Further, if the same e-commerce company offers services to California residents and, for example, handles personal data of more than 50,000 California residents it will have to consider compliance with the CCPA as well. 

As can be seen from the example above, companies doing business internationally will most likely have to comply with the world privacy laws applicable in certain territories where they do business.  

Which data privacy laws are the most important?

There is no such thing as the most important data privacy law. Nevertheless, some factors may render certain data privacy laws more important compared to others. Such factors could include level of technological advancement, total number of residents, popularity of electronic commerce, total number of Internet users, etc. These all contribute to the importance of one privacy law over the others. 

Due to the aforementioned factors, world privacy laws such as GDPR, ePrivacy, CCPA, PIPEDA, LGPD have become relatively more important in the age of digital economy. The list is likely to expand as other major economies adopt comprehensive data privacy laws. For example, China’s data privacy law is set to take effect from September 2021 which would have a huge impact on most organizations.

Who enforces world privacy laws?

There is no single authority that enforces privacy laws worldwide. In fact, each authority tasked with enforcing certain data privacy law in a certain territory is the main enforcing authority. This basically means that a supervisory authority in a particular territory will only be able to enforce the privacy law applicable only in that territory subject to certain limitations such as extraterritorial application of data privacy laws.

The supervisory authority enforcing data privacy law in a particular jurisdiction will have tools such as carrying out inspections, demanding organizations to demonstrate their compliance with a particular privacy law, imposing administrative fines and other penalties (Hotel GDPR Compliance: read about the GDPR Marriot fine.).

There may be mutual cooperation between supervisory authorities of some countries in order to render the protection of privacy of individuals more efficient. This kind of mutual cooperation would allow to bring to justice violations of privacy which take place internationally (i.e. where data subject is in one country and the organization holding his/her data which gets hacked as a result or poor security measures is in another country). 

What is GDPR?

General Data Protection Regulation (GDPR) is an EU-wide data privacy law which aims to strengthen individuals' fundamental rights in the digital age relating to the protection of their personal information and privacy. 

Even though GDPR is enacted and is effective in Europe, it has got broader implications. Its reach goes beyond the EU and companies offering goods or services to EU residents of monitoring their online behavior must also comply with it regardless of the place of establishment. 

GDPR accords data subjects certain rights such as right to access to data, right to erasure (also known as right to be forgotten), right to rectification of data, right not to be subject to automated decision-making, etc. These rights ensure that data subjects have more control over their personal data and how it is used by organizations. 

GDPR sets out hefty penalties for non-compliance. There is a 2-tier penalty system set forth with the regulation. Accordingly, for less severe violations the administrative fine is equal to 2 % of the global annual revenue or 10 million Euros, whichever is higher, or for more severe violations, 4 % of the global annual revenue or 20 million Euros, whichever is higher. 

In order to get a more detailed view of the GDPR you can refer to our article on the GDPR here.

What is CCPA?

The California Consumer Privacy Act, or CCPA is a state-wide legislative act in the USA which aims to regulate how businesses all over the world are allowed to handle the personal information of California residents. 

Unlike GDPR, CCPA only applies to for-profit organizations. If a business does business in California and collects personal information of at least one California resident provided that the following thresholds are met:

The business has (i) annual gross revenue of more than US$25 million, (ii) annually handles personal information regarding at least 50,000 California consumers, households or devices, or (iii) derives more than 50% of its annual revenue from selling personal information. 

In order to get a more detailed view of the CCPA you can refer to our article on the CCPA here.

Take a look at our Complete Guide to the New US Federal Data Privacy Bill (ADPPA).

What is LGPD? 

LGPD (Lei Geral de Protecao de Dados) is the general data protection law of Brazil. It is the most comprehensive data privacy law of Brazil in history and has been enacted in response to the GDPR. LGPD imposes several obligations on businesses as well as granting rights to internet users. 

LGPD applies to businesses and individuals processing personal data, where: (i)the personal data processing has been carried out in Brazil, (ii) the processing activity is carried out anywhere in the world for the purpose of offering or supplying goods or services or the processing of data of individuals located in Brazil, or (iii) the personal data has been collected in Brazil. 

The Brazilian law also sets forth serious administrative penalties for non-compliance. Accordingly, companies may receive an administrative fine of up to 2% of annual turnover, limited to 50 Million Brazilian Reals.

In order to find out more about the LGPD you can refer to our article written on this subject here.

Compliance Solutions with Secure Privacy

At Secure Privacy, we have developed tools for you to comply with data protection laws such as the GDPR, CCPA, and LGPD. Contact us if you'd like to learn more about how to comply with international data privacy laws and protect yourself while doing business online. We'll gladly point you in the right way with our wide range of solutions.