Now that we have understood personal and sensitive personal data, data protection principles, and ways to approach data privacy, let’s look into some of the significant modern privacy laws. Most modern privacy laws have extraterritorial application. This means that they apply to organizations that process personal data belonging to the residents of the particular jurisdiction, whether or not the organization is situated in that jurisdiction.
Some of the significant regulations in the global privacy landscape are:
All modern privacy laws aim to protect the personal data of individuals. However, there are subtle differences between each of the privacy laws making each privacy law unique in itself. For example, there are differences between how each of the modern privacy laws allows personal data processing.
Consider the European Union’s GDPR that allows data processing only on one of the six lawful bases. The six lawful bases of data processing are (1) data subject’s consent, (2) performance of a contract, (3) compliance with a legal obligation, (4) protection of vital interests of the data subject, (5) public interest, and (6) legitimate interests of the data controller.
Consider the California’ CCPA. The CCPA allows organizations to process personal data however, they must inform data subjects about (1) the categories of personal data to be collected along with their purposes, (2) whether the personal data is sold or shared, and (3) the data storage periods. Moreover, organizations must provide the ability to opt-out of the sale of personal data.
Consider Brazil’s LGPD. It allows data processing only on one of the ten lawful bases. The ten lawful bases of data processing are (1) data subject’s consent, (2) performance of a contract, (3) compliance with a legal obligation, (4) public administration, (5) research by public study entities, (6) public task, (7) protection of life & safety, (8) protection of health, (9) protection to credit, and (10) legitimate interests of the data controller.
Consider Canada’s PIPEDA. Under the PIPEDA, organizations can collect, use, and disclose personal data only for the purposes that a reasonable person would consider appropriate in the circumstances.
Consider Australia’s Privacy Act. Under Australia’s Privacy Act, organizations must not collect personal data unless the data is reasonably necessary or directly related to one or more of the organization’s functions or activities.
These differences in privacy laws indicate that organizations must adapt their privacy practices and policies as per the exact law applicable to them.