It wouldn’t be a stretch to say data has become a significant and vital asset in the 21st century.
In fact, it’s one of the primary reasons why some popular tech companies are happy to provide their services for free—doing so allows them to collect users’ data on an unprecedented scale. However, that may have changed in the past couple of years.
Thanks to various factors, nearly all nations currently have, or are in the process of legislating, data protection laws. These laws are designed to curate the way companies collect, store and employ user data, transfer data across borders, and sell/share this data.
For companies, compliance with these regulations is necessary—both to continue operations and to avoid hefty fines. (Also read: GDPR: Do You Know if Your Organization Needs to Comply?)
That said, some regulations are far stricter than others. Here are the 10 strictest data protection regulations every business should know about:
1. The EU
OK, so the European Union (EU) is technically not a single country. But considering that the General Data Protection Regulation (GDPR) is considered the gold standard when it comes to data protection laws, and considering how every country in the EU is subject to it, it’d be hard not to list it at the top of this list.
Owing to how elaborately the GDPR explains all data subject rights, and how it lays down the responsibilities of data handlers and processors, it is nearly impossible for any organization subject to the GDPR to claim to be uninformed of its obligations.
Under the GDPR, non-compliance and data breaches can result in fines as high as 20 million euros or 4% of the violating company’s annual global turnover—whichever is higher. (Also read: Data Breach Notification: The Legal and Regulatory Environment.)
Lastly, the GDPR applies to both for-profit and non-profit organizations; it is blanket legislation covering anyone collecting and/or processing user data for any reason whatsoever.
2. Nigeria
Nigeria’s Data Protection Regulation (NDPR) was issued in 2019 under the 2014 Malabo Convention. The NDPR affords all data subjects nearly the same rights as those guaranteed under the GDPR. However, the section on Administrative Sanctions in its Implementation Framework cemented its reputation as perhaps one of the strictest data protection regulations.
Unlike other regulations, no minimum or maximum sum that an offending party may be fined is mentioned. Instead, any fines will depend on the “nature, gravity and severity of the breach” in addition to a combination of other factors.
Hence, under the NDPR, it’s possible for millions of dollars to be levied on organizations that fail to sufficiently protect Nigerian residents’ data. (Also read: Massive Data Breaches: The Truth You Might Not Know About.)
3. Canada
Canada’s primary data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is often cited as an example of a regulation designed specifically for businesses and corporations rather than a blanket piece of legislation.
Furthermore, its scope covers any organization that collects, uses or discloses personal information of natural persons in the course of commercial activities—rather than specifying a particular nationality or a place of residence.
While PIPEDA is not overtly strict in dishing out penalties for non-compliance (the maximum fine allowed is only CA$100,000), its strictness comes in the form of its 10 Fair Information Principles. Organizations subject to PIPEDA need to adhere to these principles, as failing to do so may lead to a fine for each instance of non-compliance.
4. Australia
The Australian Federal Privacy Act, known as the Privacy Act 1988, is Australia’s primary legislation dealing with data protection.
The Privacy Act 1988 is considered one of the first laws enacted that dealt with users’ privacy. It is supplemented with 13 Australian Privacy Principles (APPs), which ensure the Privacy Act contains provisions dealing with the current digital environment.
What makes the Privacy Act one of the strictest data privacy laws in the world comes down, undoubtedly, to the Office of the Australian Information Commissioner (OAIC), which is responsible for enforcing it.
Unlike other regulatory authorities, the OAIC does not have to wait for official complaints to launch an investigation into a business or website it suspects of being non-compliant with the law in any way. (Also read: Encryption Just Isn’t Enough: Critical Truths About Data Security.)
5. Brazil
Brazil’s Lei Geral de Proteção de Dados (LGPD) was one of the first data protection laws that came into effect after the GDPR.
It was also modeled after the GDPR in almost every major way, including applicability, scope and provisions for data transfers outside Brazilian jurisdiction. However, the LGPD stipulates considerably less harsh penalties for businesses in non-compliance with the legislation; the maximum fine allowed is around 50 million Brazilian real ($10.6 million).
6. Japan
Japan’s Act on Protection of Personal Information, or 個人情報保護法, was amended in May 2017 to cover companies outside of Japan that cater to Japanese residents.
Furthermore, the EU and Japan recently reached a “reciprocal adequacy” decision with one another. This means companies and organizations based in the EU and subject to the GDPR can face legal action in both the EU and Japan if a privacy violation occurs in Japan while they are based in the EU, and vice versa. (Also read: 3 Defenses Against Cyberattack That No Longer Work.)
7. Thailand
Thailand’s Personal Data Protection Act (PDPA) was supposed to have come into effect by May 2020. However, a royal decree allowed for a year’s delay to ensure that all organizations expected to be subject to it would have ample time to prepare and be fully compliant.
This special care was extended because, while the administrative fines under the PDPA may be low, data subjects have the right to launch civil lawsuits against the offending parties if their rights are violated. In cases where the PDPA’s criminal penalties apply, the responsible officials can face prison sentences determined by the country’s courts.
8. Chile
As per an amendment introduced in 2018, Chile designated data privacy as a human right. Hence, any organization found to be insufficient in its data protection practices can be held liable for human rights abuse.
Chile introduced its data protection law in 1999, titled, “Law No. 19.628 Protection of Private Life 1999.” While Chile was the first Latin American country to have a data protection law, the lack of official regulatory authority in addition to low fines made it a relatively obsolete legislation. The 2018 amendment changed that.
Now, an organization found in breach of, or non-compliance with, the data protection law may not have to worry about heavy fines or sanctions, but it does face the prospect of being labeled a human rights abuser. Such a possibility can be catastrophic for any business’ public relations, which has led to much greater effort being devoted towards ensuring Chilean residents’ data privacy. (Also read: 10 Quotes About Tech Privacy That’ll Make You Think.)
9. China
What makes China’s data protection law, the Personal Information Protection Law (PIPL), so effective is the fact that a further two laws supplement it:
- The Cybersecurity Law.
- The Data Security Law (DSL).
Additionally, the Civil Code of the People’s Republic of China enshrined the rights to privacy and personal information protection within the country’s civil code.
But it doesn’t end there. Not only do organizations operating from China, or catering to Chinese residents, have to ensure compliance with all these laws, there are further regional regulations—such as the Shanghai Data Regulation and the Shenzhen Special Economic Zone Data Regulation.
The mechanisms involved in guaranteeing compliance with each of these regulations leave very little room for error on the part of the organizations when it comes to ensuring the rights of all data subjects are protected at every turn.
10. Egypt
Egypt’s Personal Data Protection Law (PDPL) follows nearly all the norms expected from most data protection regulations:
- It applies to all organizations inside or outside Egypt that are involved in processing or collecting data on Egyptian residents.
- There is a responsibility on all data processors and data handlers to report data breaches to the proper authorities within 72 hours of becoming aware of the breach.
The Egyptian PDPL’s non-compliance fines are comparatively less harsh than the GDPR’s, with the maximum fine allowed being only 1 million Egyptian pounds (around $54,000).
However, what sets the Egyptian PDPL apart as one of the strictest data regulations is that, if and when users’ privacy is violated, those responsible within the offending organization may face prison sentences as well as monetary fines.
Around the world, countries are taking steps to ensure their citizens’ privacy online—a realm which was previously largely unregulated.
As such, it’s important to remain cognizant of data privacy laws in any regions where your business operates so you can avoid fines and other penalties.