A Complete Guide to International Data Privacy Law
Many businesses operate online, serving customers from different parts of the world. Trying to keep up with all regulations worldwide is both complicated and highly time-consuming.
That is why we have created this complete guide, with an in-depth article and infographic, to help you get an overview of the different international data privacy laws, how they may have consequences for you, and how your business can become compliant in the relevant markets.
Tracking users’ data
Tracking users’ data is crucial for business success in this data-driven world. If your operations are not data-driven, it may hinder your chances of getting the results your business needs.
However, your users’ data belongs to them. They have the right to proper data protection, which brings us to today’s data protection laws. These laws have existed in parts of the world for quite some time, and their importance has grown. Data protection laws are here to stay, and you have to comply with them if you want to do business ethically, build relationships based on trust, and avoid penalties.
What Are Data Privacy Laws and Who Do They Apply To?
When tracking technologies became available years ago, data collection was not yet regulated. Website owners could freely collect visitors’ data and use it for any purpose they wished.
That has changed. As the existing privacy laws were not sufficient for regulating data collection and use, governments began passing new laws or updating the existing ones. As technology changes, governments try to keep the privacy laws up to date with the new requirements.
When it comes to your duty to comply with these laws, it is important to remember that there is no single universal data protection law. Every government can pass laws that apply within its own jurisdiction, which means that its laws only apply in certain territories or to a certain group of people.
Wherever you are based, you have to know which local data privacy law applies to you. Wherever your visitors come from, your local privacy law and probably their local privacy law apply to the collection and use of their data.
Let’s imagine that you are a US citizen and your website has visitors from different parts of the world. You have to comply with the US federal laws, as well as the laws of your state and your industry. However, when a visitor from Canada lands on your website, the collection and use of their data have to be done in compliance with both the US and the Canadian laws. The same goes if the visitor is from an EU country; both the US and the EU laws apply to the relationship between you and your EU visitor. The US laws apply to you, while the Canadian and EU laws apply to your interactions with Canadian and EU visitors respectively.
Overview of the Current Data Protection Laws from Around the World
As tracking technologies change, so do data protection laws. New ones are being passed, or existing ones are being updated, on a regular basis.
To give you an idea of what you have to do to stay fully compliant no matter where you have visitors from, we created an overview of the most important data protection laws from around the world. It focuses on the requirements needed specifically around privacy policies and cookie banners.
When it comes to complying with the data protection laws in Europe, you have to be aware of the European Union (EU) laws and the laws of the EU member states.
The EU is a union of European states. Each one of them is a sovereign country with its own laws. When an EU institution passes a law (a regulation or a directive), it applies at EU level. It means that in each country, both EU laws and domestic laws apply. In case of conflict, the EU law prevails. That’s why EU member states regularly update domestic laws in line with EU laws.
That’s also the case with the General Data Protection Regulation (GDPR) of the EU. Although every member state has its own data protection law, you have to comply with the GDPR itself to make sure you do everything right.
If you collect data from EU residents, you need to comply with the EU privacy laws. There are two main laws you should take note of: the General Data Protection Regulation and the ePrivacy Directive.
GDPR, which came into effect on 25 May 2018, is the most extensive personal data protection law to date. As you’ll see from the rest of this article, the rest of the world doesn’t have as many requirements about using tools for data collection and processing.
Do I Have To Be GDPR Compliant?
If you are located in the EU or are collecting and processing personal data from EU residents, then the answer is yes.
How To Be GDPR Compliant?
- Inform your users that you collect and process their data, tell them how you do it and list the reasons why you collect and process their data.
- Get prior consent before collecting any data. Setting cookies on users’ computers and waiting for the consent afterward puts you in breach of the GDPR. If you collect data from a child under 16, you need to get explicit consent from the parents.
- Obtain consent for each purpose you collect data for, except for necessary functions. Let’s say that you collect data about users’ preferences, analytics, and marketing. You have to obtain an active opt-in for each one of them. This means that you have to provide a checkbox or similar for each function. If they don’t check any of the boxes, you are not allowed to collect their data for any purposes.
- Only use the data for the purposes you communicated and received valid consent for.
- Provide them with access to their data, as well as the possibility to correct it and to transfer it somewhere else.
- Provide a possibility for withdrawing consent that has already been given. Opting out should be as easy as opting in.
- Document each consent you receive from your users and keep it documented for as long as necessary or until they ask for removal.
- Delete users’ data upon request.
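The following is an added illustration of the checklist above (prior consent, one opt-in per purpose, withdrawal as easy as opt-in, a consent record, deletion on request) as a small per-purpose consent gate. It is hypothetical code written for this guide, not taken from any consent tool; a plain object stands in for the browser’s document.cookie so it runs outside a browser, and the purpose names and the sample cookies are constructed.

```javascript
// Added example: per-purpose consent gate with an audit log (hypothetical code).
// The cookieJar object stands in for document.cookie so this runs in Node.

const PURPOSES = ["necessary", "preferences", "analytics", "marketing"];

function createConsentManager(cookieJar, clock) {
  const decisions = {}; // purpose -> true (opted in) / false (refused)
  const log = [];       // every consent decision, with a timestamp

  function record(purpose, granted) {
    decisions[purpose] = granted;
    log.push({ purpose, granted, at: clock() });
  }

  // Necessary functions need no consent; everything else needs an active opt-in.
  function allowed(purpose) {
    return purpose === "necessary" || decisions[purpose] === true;
  }

  // The banner submits the boxes the user actually ticked. Unticked boxes are
  // recorded as refusals, so "no boxes ticked" means no tracking at all.
  function optIn(tickedPurposes) {
    for (const p of PURPOSES) {
      if (p !== "necessary") record(p, tickedPurposes.includes(p));
    }
  }

  // Withdrawal is one call and takes effect immediately, including removal of
  // cookies already set for that purpose (as easy as opting in).
  function withdraw(purpose) {
    record(purpose, false);
    for (const name of Object.keys(cookieJar)) {
      if (cookieJar[name].purpose === purpose) delete cookieJar[name];
    }
  }

  // The only way to set a cookie: refused until consent exists for its purpose,
  // so nothing is written to the user's computer before the opt-in.
  function setCookie(name, value, purpose) {
    if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
    if (!allowed(purpose)) return false;
    cookieJar[name] = { value, purpose };
    return true;
  }

  // Deletion on request: wipe the data and the consent records together.
  function eraseAll() {
    for (const name of Object.keys(cookieJar)) delete cookieJar[name];
    for (const p of Object.keys(decisions)) delete decisions[p];
    log.length = 0;
  }

  return { allowed, optIn, withdraw, setCookie, eraseAll, consentLog: () => log.slice() };
}

// Walk-through with a constructed cookie jar and a fixed clock.
function demo() {
  const jar = {};
  const cm = createConsentManager(jar, () => "2018-05-25T10:00:00Z");
  const beforeConsent = cm.setCookie("_ga", "GA1.2.1", "analytics"); // false: no opt-in yet
  cm.setCookie("session", "s1", "necessary");                         // true: needs no consent
  cm.optIn(["analytics"]);                                            // user ticked analytics only
  const afterConsent = cm.setCookie("_ga", "GA1.2.1", "analytics");  // true
  const marketing = cm.setCookie("_fbp", "fb.1", "marketing");        // false: box not ticked
  cm.withdraw("analytics");                                           // _ga is removed again
  return { beforeConsent, afterConsent, marketing,
           cookies: Object.keys(jar), entries: cm.consentLog().length };
}
```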
What are the Consequences for Non-Compliance?
If you don’t comply with any of these requirements, you risk huge penalties. In case you were wondering why the GDPR is important, this may be the answer. Penalties are capped at 4% of the annual global turnover or €20 million, whichever is higher. The authorities have discretion to decide about penalties on a case-by-case basis. However, don’t take this lightly; make sure you are GDPR compliant to avoid any trouble with the EU institutions.
Also, a violation of the GDPR will likely mean a violation of the national data privacy laws of the EU member state you collect data from. Even if the EU agencies do not act, that could bring problems with the national law enforcement agencies and fines under the national data protection laws.
Unlike the GDPR, the ePrivacy Directive does not require asking for consent for each and every purpose you collect data for. One general consent is enough.
However, since the application scope of the directive is the same as GDPR, compliance with the GDPR means compliance with the ePrivacy Directive as well.
Non-EU European Countries
Not all European countries are EU member states, which means that the GDPR doesn’t apply to them. However, most of these countries are part of the European Economic Area (EEA) or are preparing to become EU member states, so they are updating their national data protection laws in line with the GDPR. EEA member states such as Iceland and Norway have accepted the GDPR, while EU candidate states, such as Serbia and Macedonia, have fully harmonized their laws with the GDPR. Make sure you check the law of every non-EU country your business deals with, but keep in mind that they all lean toward the GDPR.
There is no single federal data privacy law in the United States. US privacy laws apply on a state level and on an industry sector level.
The industry laws requiring certain data privacy protections are not data privacy laws per se. They regulate entirely different matters but have provisions on data privacy as well. There is a plethora of them at the federal level and hundreds at the state level. These laws are very diverse, and it’s impossible to fit them all into one article. Just to give you an idea, here are a few examples:
FTC: Federal Trade Commission
Federal Trade Commission Rules (FTC Rules) prohibit unfair and deceptive practices on the market, including cases when companies fail to keep their promises listed in privacy policies.
COPPA: Children's Online Privacy Protection Act
The Children’s Online Privacy Protection Act of 1998 (COPPA) requires providing notice to parents about the collection of their children’s data, obtaining prior parental consent for websites that knowingly collect, use, or disclose children’s personal data, and providing reasonable means for parents to review the collected data, withdraw consent, and deny further use of that data.
HIPAA: Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) requires providing notice to people whose medical information you may collect or use.
Each one of them has some requirements, but none is as extensive as the GDPR or the national law of any other country.
CalOPPA (the California Online Privacy Protection Act) requires your privacy policy to state:
- What type of data you collect from the users
- What third parties you share data with
- The way users can review the data you have collected from them
- The way users can change their data
- How the website responds to Do Not Track signals
You have to be compliant with the CalOPPA in any of the following two scenarios:
- If your company or your website is based in California
- If you have collected personal data from at least one user from California, no matter if the person is a citizen or only a resident
In case you breach CalOPPA, you’ll get in trouble with the Federal Trade Commission or the California Attorney General’s Office. The penalty will depend on the circumstances of your particular case.
All other US states
There are the California privacy laws, and then there are the privacy laws of all the other US states. As of now, no other state follows the example of California. All of them have some kind of privacy law pertaining to personal data collected by businesses, but none of them is as extensive as CalOPPA.
Like the US, Canada has several privacy laws, at the federal, provincial, and industry sector levels.
There are two laws that regulate data collection and management at the federal level in Canada.
The first one is the Privacy Act, but it applies only to government institutions and what they do with citizens’ data, so it doesn’t affect you in any way.
The second one affects your business if you are based in Canada or collect data from Canadian visitors. This law is called the Personal Information Protection and Electronic Documents Act (PIPEDA). It doesn’t apply to nonprofits, political parties, and associations. It applies in all Canadian provinces; the exception is Quebec, Alberta, and British Columbia, where it does not apply to a business that operates entirely within the province. As soon as the first visitors from outside these provinces arrive at the company’s website, PIPEDA applies. Don’t let this confuse you, because the requirements of the local provincial laws are almost the same as those of the federal law.
To comply with PIPEDA, you have to:
- Appoint someone to be in charge of the data you collect and use
- Identify the purposes you will collect and use data for and limit your actions to those purposes only.
- Inform your users in an understandable way what data you collect, what you do with it, and for what purpose
- Get consent from each user before or at the time of collecting their data, as well as when you want to use their data for a purpose you haven’t got consent for already.
- Keep the data for a reasonable time and delete it as soon as you don’t need it for the purposes you have obtained consent for.
- Safeguard the data
- Upon request, grant your users access to their data and inform them about the data you have collected about them, how it has been used, to whom it has been disclosed, or anything else you have done with their data.
- What type of data you collect
- How you collect and hold it
- For what purpose you collect data
- How your users can access their collected data
- How users can complain for breach of their privacy rights
To comply with the law, you have to:
- Collect the personal information directly from the individual concerned
- Let the users know that you are collecting data
- Inform them about what data you collect and for what purpose
- Inform them of the name and address of the entity that collects and holds the information
Not all Asian countries have enacted data privacy laws, but those that have done so have clear requirements that you need to follow if you operate from there or interact with website visitors from those countries. Here is a short overview of what you should take note of when collecting and using data from them.
If you are doing business in China or collect and use Chinese visitors’ data, there are two laws to comply with: the Cybersecurity Law and the Information Security Technology - Personal Information Security Specification. The law came into force in 2016, while the Specification came into effect on 1 May 2017.
The Cybersecurity Law sets the data protection standard in broader terms, while the Specification makes it more concrete. To comply with both, make sure you:
- Tell users that you collect and use their data
- Inform them why and how you do it
- Obtain explicit consent before collecting and using their data for each purpose separately
- Store the data safely and keep it for the minimum period necessary
- Let them know how they can access, correct, and delete their data
- Inform them about the use of third-party data processors (Google Analytics, widgets, plugins, and others)
- Conduct a security assessment of the third-party data processors before letting them collect data for you
- Inform users that you collect data and why you collect it
- Use the data only for the purpose you have collected it for
- Get prior consent before collecting sensitive data (passwords, financial statements, credit card information, biometric data, etc.). Collecting any other data doesn’t require prior consent.
- Keep the data safely stored, but only for the minimum necessary period of time
At the time of writing, the Indian government is in the process of enacting the Data Privacy Bill 2018. The proposed draft has many similarities with the GDPR. You’ll find more details about that at the end of this article. We will keep you updated on any changes.
Other Asian countries
Not all Asian countries have personal data privacy laws in place. The ones that are more technologically advanced, however, have laws that you should bear in mind when doing business with their residents or operating from these countries.
Japan’s amended Act on the Protection of Personal Information doesn’t require prior consent from users, except when you want to use the data for a purpose other than the one you collected it for, or when you disclose personal data to third-party service providers.
The Malaysian Personal Data Protection Act 2010 requires getting explicit consent for the collection and use of personal data, on top of providing the usual information on why, how, and what you do with the information.
Indonesia doesn’t have a consolidated law on privacy. The government is still preparing a bill planned to be enacted in 2019. For now, there are many laws touching on the subject of personal data protection. Cookie-wise, the most important of them is the Law on Electronic Information and Transactions.
Unlike other privacy laws, this one applies to companies and persons who:
- Operate in Indonesia
- Collect personal data from Indonesian residents
- Operate outside of Indonesia, but their legal acts have legal consequences in the country
In Singapore, you also have to obtain prior consent from your users before placing tracking mechanisms on their computers. Check out the Personal Data Protection Act 2012.
As long as you provide information about what you collect, how, and for what purpose, you are compliant with the Hong Kong Personal Data Ordinance.
The Computer-Processed Personal Data Protection Law of Taiwan also doesn’t require prior consent. All you have to do is have a document informing users that you collect their data, how you do it, and for what purpose.
The collection of personal data by cookies is regulated by the Vietnamese Law on Cyber Information Security. It requires prior consent before placing them on someone’s computer.
According to the Philippine Data Privacy Act of 2012 and its Implementing Rules and Regulations, you have to ask for consent from your users before collecting their data.
Rest of the world
There are many other countries around the world that regulate the processing of personal data in their territory or of their residents. To keep it concise and simple, here are the most important of them.
Russia has many laws pertaining to personal data protection. The most important of them is the Data Protection Act. According to this law, you have to register as a data operator with the state agency Roskomnadzor. Then, you have to store the data you collect in Russia or from Russian residents on servers located in Russia.
Prior consent is necessary before sending out cookies.
According to the Data Protection Act, users can ask for erasure of their personal data only if the data is unlawfully obtained, incomplete, out of date, not necessary for the purposes it has been collected for, or inaccurate. A user cannot request data deletion without a reason, as is possible in other countries.
Turkish law also tends to harmonize with EU law. It doesn’t require explicit consent for each and every purpose you collect data for, but you’re prohibited from sending out cookies before getting the users’ consent.
The consent has to be given freely. It is valid only if you have informed the user about the reasons and the ways you collect and use data. Finally, you have to delete or anonymize the data upon a user’s request.
The Protection of Personal Information Act 4 of 2013 of South Africa obliges you to get voluntary consent from your users before collecting and processing their data.
If you tell your users that you collect their data, why and how you do it, and they give you voluntary consent for collection and use, you are in compliance with the Argentine Personal Data Protection Act of 2000.
Qatar was the first Gulf country to pass a data protection law, back in 2016. It requires getting prior consent before collecting data. Bahrain hasn’t passed a separate law yet, nor has the United Arab Emirates (where Dubai and Abu Dhabi are located). The Dubai International Financial Centre, however, has had a data protection law since 2007. It requires consent for the processing of users’ personal information.
What the future brings
From this overview, it is obvious that the common trend among all the recently enacted data protection laws is the requirement for prior consent before sending out cookies. None of them would allow you to place tracking tools or technologies on your users’ computers before getting their permission. Also, the right to be forgotten, i.e. the deletion of data, is gaining significant legal momentum.
Some of the countries listed above are in the process of drafting or passing new legislation on personal data protection. Here is what the future brings you:
In 2020, the California Consumer Privacy Act will come into force. It gives users more rights, such as the right to get information about the data that has been or is being collected about them. They can also ask for erasure of their data. Compared to CalOPPA, the most important changes are the right to be forgotten and the right to prohibit the sale of their data.
Only a year after introducing the GDPR, the EU plans to enact yet another data protection law. This time it is the ePrivacy Regulation 2019 which, among other things, is expected to simplify the cookie rules. Legislators will likely remove the need for prior consent for non-privacy-intrusive cookies aimed at improving the user experience.
Post-Brexit United Kingdom
As long as the UK is an EU member state, both the GDPR and the Data Protection Act 2018 apply. After leaving the Union, which is set for spring 2019, the GDPR may not apply anymore. It is going to depend on the choices the UK government makes in the process of leaving. However, the Data Protection Act 2018 is fully harmonized with the Regulation, so it doesn’t really make a difference.
Compared to the current law, the proposed Personal Data Protection Bill of India introduces several significant changes, including a prior consent requirement for the collection and processing of any data (not just sensitive data), as well as the right to access, correct, and move one’s data, and the right to be forgotten.
The current law only requires telling your users why and how you collect data and getting their consent. When it comes to cookies, the new law is expected to introduce the right to be forgotten and the rights to correct and move personal data.
There are many different laws all around the world and compliance with all of them may seem intimidating to you. But it is not as hard as it looks.
As you will have noticed from the article, the legal requirements often overlap. So, if you comply with one law, you are likely to comply with many others at the same time.
The GDPR is the one that stands out. It requires an obligatory active opt-in, which is not needed in many of the other countries. So, how do you stay compliant with the GDPR cookie-wise, without going that far with the consent request for each single data collection purpose?
You can choose to show the GDPR-style per-purpose consent banner only to visitors from the EU. For visitors from other countries, you can generate another cookie banner that complies with their respective laws.
That way, you’ll always show the right cookie banner to the right people.
Disclaimer: This website contains general information about legal matters. This article is for informational purposes only. The information is not advice, and should not be treated as such.