European Union

The General Data Protection Regulation (GDPR) has been in force and enforceable since May 2018, and requires organizations to undertake significant operational reform to meet the increased obligations of handling personal data.

The benchmark for other data privacy legislation globally, the GDPR requires the implementation of appropriate technical and organizational measures to ensure and demonstrate that processing is performed in accordance with the Regulation, and that those measures are reviewed and updated where necessary. It also requires processors of personal information to take responsibility for keeping records of their processing activities.

Penalties of up to 4% of a company’s global turnover can be levied on an organisation for data breaches and non-compliance, with reputational damage as a further consequence.

For updates on changes in legislation
Sign Up for Vox updates on GDPR

Follow the Legislative updates by clicking on the link to the EU GDPR updates website

California

The California Consumer Privacy Act (CCPA) has been an enforceable law since July 1st 2020, and is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.

The CCPA applies to any for-profit business in the world that sells the personal information of more than 50,000 California residents annually, has an annual gross revenue exceeding $25 million, or derives more than 50 percent of its annual revenue from selling the personal information of California residents.

The effective date of the CCPA is January 1, 2020. It is the first law of its kind in the United States, and regarded as the forerunner and template for upcoming data privacy legislation within the United States.

Fines of $7,500 per violation and civil damages of $750 per affected user can be levied on businesses for a failure to comply with the legislation.

For updates on changes in legislation
Sign Up for Vox updates on CCPA

Follow the Legislative updates by clicking on the link to the CCPA updates website

Brazil

The Lei Geral de Proteção de Dados Pessoais (LGPD) has been an enforceable law since August 15th, 2020, and is modelled after the European GDPR in creating a legal framework for how personal data is allowed to be handled in Brazil.

The legislation empowers data subjects with nine rights, defines what constitutes personal data, and creates ten legal bases for lawful processing. It also puts the responsibility on companies and organizations to appoint a Data Protection Officer (DPO).

The LGPD applies to all companies that handle the personal information of Brazilian residents, whether they are located in Brazil or not. Fines up to $12,300,000 or 2% of an organisation’s annual turnover within Brazil (whichever is greater) are enforced by a newly formed data protection authority (the ANPD) within the country.

For updates on changes in legislation
Sign Up for Vox updates on LGPD

Follow the Legislative updates by clicking on the link to the LGPD updates website

Australia

The Australian Government has announced plans to amend its existing Federal Privacy Act 1988 (Privacy Act) to bring the country more closely in line with privacy regimes around the world, such as that in Europe. The plans to revamp the law include increasing penalties to AUD$10 million; three times the value of “any benefit obtained through the misuse of information”; or 10 per cent of the breaching entity's annual Australian turnover.

For updates on changes in legislation
Sign Up for Vox updates on Australian Law

Follow the Legislative updates by clicking on the link to the Australian Law updates website

Thailand

The Personal Data Protection Act (PDPA) came into force on May 27th, 2020. Much like the GDPR, it gives individuals in Thailand the right to control how their personal data is collected, stored and disseminated. The act protects the privacy of individuals and governs the personal data collected by organisations and companies, and gives individuals the right to know which organisations hold their data and to give consent for their data to be used and shared.

The act also mirrors the GDPR's extraterritorial applicability, and applies to data controllers and data processors outside of Thailand if they process personal data of data subjects, offer goods and services to, or monitor behaviour of the data subjects within Thailand.

The maximum fine is approximately €149,000; depending on the offence, imprisonment of up to one year is also possible.

For updates on changes in legislation
Sign Up for Vox updates on PDPA

Follow the Legislative updates by clicking on the link to the PDPA updates website

China

China’s State Administration for Market Supervision and State Standardisation Administration has released the revised Information Security Technology: Personal Information Security Specification.

The new specification comprises recommended national standards for personal information security and aims to regulate the collection, storage, use, sharing, transfer, and disclosure of personal information. Although the specification does not have the force of law, it is considered by market participants to set out the best practice that Chinese regulators will likely expect of organisations handling personal information.

This new specification is scheduled to take effect on 1 October 2020.

For updates on changes in legislation
Sign Up for Vox updates on the Chinese Specifications

Follow the Legislative updates by clicking on the link to the Chinese Specifications updates website

Japan

Japan has looked to follow Europe’s example by updating its existing legislation, rather than passing an entirely new law, to bring its data privacy legislation in line with the EU’s standards. This is likely so that it can retain an adequacy decision allowing for easier data transfers between the two territories.

The Act on the Protection of Personal Information ("APPI") regulates privacy protection issues in Japan and the Personal Information Protection Commission (the "PPC"), a central agency, acts as a supervisory governmental organization on issues of privacy protection, much like the ICO in the UK.

The APPI was originally enacted in 2003 but was recently amended, and the amendments came into force on 30 May 2017.

Whilst the GDPR and the APPI have similar provisions, there are differences between them; however, if an organisation has prepared adequately for the GDPR, then complying with the APPI should not be hard.

For updates on changes in legislation
Sign Up for Vox updates on the Japanese Specifications

Follow the Legislative updates by clicking on the link to the Japanese Specifications updates website

India

To date, India has not enacted specific legislation on data privacy; personal data is mostly protected through indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence.

The Government of India has proposed a draft statute on data protection, the Personal Data Protection Bill 2019 (PDPB), that is still being debated within parliamentary circles.

The Bill covers mechanisms for the protection of personal data; proposes the setting up of a Data Protection Authority of India; requires technology companies to obtain explicit permission for most uses of personal data; gives citizens more ownership over their personal data; and proposes a maximum penalty of up to 4% of a company’s global revenue (as with the GDPR).

For updates on changes in legislation
Sign Up for Vox updates on the PDPB

Follow the Legislative updates by clicking on the link to the PDPB updates website

Canada

Canada is moving to update its national privacy law, with potential legislation coming before Parliament by the close of 2020.

At present, federally regulated businesses, works and undertakings in the Canadian private sector are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), including with respect to their collection, use and disclosure of employee personal information. If an organisation is found to be in breach of PIPEDA, it can be fined up to $100,000 for each violation.

In response to consultations across Canada and in recognition of the importance of Canada’s growing digital economy, the Government of Canada announced its Digital Charter, and launched its National Digital and Data consultations for amending PIPEDA.

The Digital Charter articulates a principled approach to digital and data transformation, setting out ten principles to guide amendments to PIPEDA that include:

  • Enhancing the control and transparency that individuals have over their personal information by requiring specific standardized plain language information on its use;
  • Providing data mobility opportunities to support greater individual control over data and promotion of consumer choice; and
  • Strengthening enforcement mechanisms, including enhanced penalties for non-compliance.

For updates on changes in legislation
Sign Up for Vox updates on the Canadian law

Follow the Legislative updates by clicking on the link to the Canadian law updates website

South Korea

On 9 January 2020, the Korean National Assembly passed amendments to three major data privacy laws with a view to aligning more closely with the GDPR in the EU:

  • The Personal Information Protection Act (‘PIPA’);
  • The Act on the Promotion of Information and Communications Network Utilization and Information Protection (‘Network Act’); and
  • The Act on the Use and Protection of Credit Information (‘Credit Information Act’).

It is hoped that South Korea will receive an adequacy decision from the European Commission; a positive ruling would mean that data could travel freely between the EU and South Korea, facilitating cross-border data transfers and enhancing business operations.

For updates on changes in legislation
Sign Up for Vox updates on South Korea

Follow the Legislative updates by clicking on the link to the South Korea updates website

South Africa

The Protection of Personal Information Act (POPIA), South Africa’s data protection law, commenced on 1st July 2020 and requires organisations to comply by 1st July 2021.

The law covers any natural or juristic person who processes personal information, including large corporate entities, SMEs and government, and governs the interactions between three parties (who can be natural or juristic persons):

  1. The person to whom the information relates (the data subject)
  2. The person who determines why and how to process personal information, for example profit companies, non-profit companies, governments, state agencies and individuals; called controllers in other jurisdictions (the responsible party)
  3. A person who processes personal information on behalf of the responsible party. For example, an IT vendor (the operator or processor).

The Protection of Personal Information Act places various obligations on the responsible party, which is the body ultimately responsible for the lawful processing of personal information. Fines for non-compliance will range from R1 million to R10 million, and compensation may also be payable to data subjects for the damage they have suffered. Although considered unlikely at this stage, imprisonment of between one and ten years is also an option available to the regulator.

For updates on changes in legislation
Sign Up for Vox updates on the POPIA

Follow the Legislative updates by clicking on the link to the POPIA updates website