Data privacy laws by country

Countries with the best privacy laws

In recent years, we’ve seen great strides in the implementation of data privacy laws around the world.

Any country in the European Union already has a leg up, thanks to its General Data Protection Regulation (GDPR), enacted in 2018 and governing the collection of personal information ranging from someone’s phone number and biometric data to IP address.

And earlier this year the California Consumer Privacy Act (CCPA), which bears similarities to GDPR, came into force—and state residents have just voted to strengthen it. This legislation represents a promising framework for other parts of the U.S., if not also for laws on the federal level.

Here’s a look at nine countries with strong data privacy laws.


Ireland

The island nation got an early start on legislating data privacy starting with the Data Protection Act in 1988 and built on that legal framework with the ePrivacy Regulations of 2011. Organizations in Ireland are legally required to issue a “privacy statement” on their websites that clearly states how they apply the country’s eight data protection principles to their collection of personal data. Failing to provide such a statement could lead to heavy penalties.


Denmark

Denmark protects the privacy of its citizens with a government agency called the Danish Data Protection Agency, which works off of the 2000 Act of Processing Personal Data. This law says that personal data can only be collected if the user gives explicit consent and can’t be disclosed to third parties for marketing purposes without consent.


Norway

The GDPR is part of Norwegian law thanks to its inclusion in the European Economic Area, but the country already had a strong history of data privacy protections. Its Personal Data Act is particularly robust: If you’re seeking to collect data from a Norwegian user you need to first inform the individual of your name and address, the purpose of the data collection, whether said data will be given to third parties, the fact that participating is voluntary, and what their rights are under the law.


Canada

The country’s primary protections come from the Personal Information Protection and Electronic Data Act, which requires privacy policies to detail the collection, handling, and use of personal information, and the policies must be easy to find and understand. PIPEDA is built on a list of 10 guiding principles surrounding personal information, and the government provides a Privacy Guide for Business to help corporations operating in the country comply.


Portugal

Portugal gets its privacy cred from its straightforward Act on the Protection of Personal Data, which dictates that personal data can only be collected after obtaining the “unambiguous consent” of the user. Transparency is a point of emphasis, as the user needs to be provided with the identity of who is processing their data, the purpose of said process, and any other recipients.

While the country uses a biometric ID card that stores fingerprint information, the system has been praised for the way it protects users’ privacy. A fingerprint is only stored on the card itself, not on any central database, which is prohibited by Portuguese law. To confirm someone’s identity, the system simply confirms whether an individual’s fingerprint matches the one stored on the card.


France

France has world-class standards in statutory protections, privacy enforcement and identity cards, and biometrics. Its primary legislation, the Data Protection Act, is powerful and broad in scope, applying to all entities located in France who collect data as well as those who merely carry out activities there. The DPA allowed the French government to fine Google 150,000 euros in 2014, an admittedly modest victory, but one that few other countries would be able to replicate.


Brazil

Brazil’s inclusion here is more about the country’s future than its track record. This August, the Lei Geral de Proteção de Dados, a law clearly inspired by the GDPR, came into effect. The law itself isn’t necessarily revolutionary, but the penalties for breaking it will give companies pause. Those found in breach of it could face fines of up to 2% of their total revenue in Brazil in the previous year or up to 50,000,000 reals (approximately 9.25 million USD), whichever is higher.


Switzerland

Switzerland is a hotbed for cloud storage as its laws and values mesh with the needs of corporations whose businesses center around data privacy. The country’s constitution guarantees individual privacy, with the Federal Data Protection Act requiring companies to tell users they’re collecting their personal data and why.


Iceland

Iceland is part of the European Economic Area, which means it’s GDPR compliant, but it has strong laws of its own. Its Data Privacy Act requires organizations to only collect personal data for legitimate purposes and with individuals’ consent, with penalties for violation reaching three years in prison.

But the country is also particularly known for its protections for investigative journalism and whistleblowers. In 2010, the Icelandic Modern Media Initiative was adopted with an aim to strongly position the country “legally with regard to the protection of freedoms of expression and information.” The idea was conceptualized with the involvement of WikiLeaks.

My passions are politics, sports, and how data helps us understand both. I’m kind of like a discount Nate Silver who hasn’t been famously wrong about anything—yet.