Skip to main content

Other Privacy Laws

Updated Jan 30, 2024 ·

GDPR (EU)

The European Union (EU)'s General Data Protection Regulation (GDPR) applies to all organizations processing the personal data of individuals residing in the EU, regardless of the organization's location.

  • Grants rights like access, correction, and deletion of data
  • Companies must protect data and report breaches quickly
  • Penalties can reach €20 million or 4% of global revenue
info

Under GDPR, the data protection officer (DPO) ensures that the company understands its privacy responsibilities and serving as the primary liaison to the supervising authority.

The chief information security officer (CISO) focuses on information security and risk management within the company but does not primarily serve as the liaison for GDPR compliance.

GDPR Key Principles

  1. Lawfulness, Fairness, and Transparency

    • Personal data must be processed legally and fairly
    • Organizations must clearly inform individuals about how their data is used

  2. Purpose Limitation

    • Data must be collected for specific, legitimate purposes
    • Cannot be used for unrelated or incompatible purposes

  3. Data Minimization

    • Only collect data necessary for the intended purpose
    • Avoid excessive or irrelevant data collection

  4. Accuracy

    • Keep personal data accurate and up to date
    • Correct or delete inaccurate data without delay

  5. Storage Limitation

    • Retain data only as long as necessary for its purpose
    • Safely delete or anonymize data when no longer needed

  6. Integrity and Confidentiality

    • Protect data against unauthorized access, loss, or damage
    • Implement appropriate technical and organizational safeguards

  7. Accountability

    • Organizations must comply with GDPR requirements
    • Implement policies to show responsibility for data protection

Cross-Border Information Sharing

Under GDPR, transferring personal data outside the EU requires compliance. Organizations have two main options:

  • Standard Contractual Clauses (SCCs)

    • Pre-approved clauses ensuring EU data protection
    • For transfers to third-party organizations outside the EU
    • Legally binding for both sender and recipient

  • Binding Corporate Rules (BCRs)

    • Internal policies for multinational companies
    • Approved by EU data protection authorities
    • Enable intra-group transfers while maintaining GDPR compliance

PIPEDA (Canada)

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information in commercial activities.

Covers personal information such as:

  • Race, nationality, or ethnic origin
  • Religion
  • Age and marital status
  • Medical, education, or employment history
  • Financial information and identifiers (e.g., DNS, ID numbers)
  • Employee performance records

Excludes information that does not qualify as personal information under the law

  • Anonymized or de-identified data
  • Business contact information used solely for work purposes
  • Publicly available information or records required by law

PIPL (China)

The Personal Information Protection Law (PIPL) is China's comprehensive data protection law that regulates the processing of personal information.

  • Applies to any organization handling personal data of individuals in China
  • Covers both China-based and foreign organizations
  • Requires consent for data collection and processing
  • Sets rules for cross-border data transfers and security measures

Key aspects:

  • Consent and Legitimate Purpose

    • Personal data must be collected with clear consent
    • Data must be used only for legitimate and specified purposes

  • Minimum Necessary Data Collection

    • Similar to GDPR's minimization principle
    • Collect only the data necessary for the intended purpose
    • Avoid excessive or irrelevant data

  • Cross-Border Data Transfers

    • Require security assessments for transfers abroad
    • Ensure foreign recipients maintain adequate data protection

  • Data Subject Rights

    • Individuals can access, correct, or delete their data
    • Right to withdraw consent at any time

  • Heavy Penalties

    • Non-compliance can result in severe consequences
    • May include fines, business suspension, or license revocation

POPIA (South Africa)

The Protection of Personal Information Act (POPIA) is South Africa's data protection law that regulates the processing of personal information.

Key provisions:

  • Lawful Processing

    • Personal data must be processed lawfully and fairly
    • Governed by eight conditions for lawful processing

  • Consent

    • Must obtain consent before collecting personal information
    • Individuals can withdraw consent at any time

  • Special Personal Information

    • Extra protection for sensitive data
    • Includes health or biometric information
    • Requires higher safeguards and lawful justification

  • Processing of Personal Information of Children

    • Requires parental or guardian consent for minors
    • Limit collection to what is necessary
    • Provide clear notice to children and guardians

  • Cross-Border Information Transfers

    • Transfers allowed only if the recipient provides adequate protection
    • Must comply with POPIA conditions for international transfers

  • Enforcement and Penalties

    • Regulated by the Information Regulator of South Africa
    • Violations can result in fines or imprisonment