What are international data protection laws and why do they matter?

Let’s review how international privacy laws are reshaping global data privacy, driving new compliance standards and redefining secure international data flows…

In 2018, the General Data Protection Regulation (GDPR) broke ground as the most forward-thinking and extensive legal provision for the protection of personal data and its ongoing security. 

This law is an international privacy law for data protection that impacted any organisation that processed any personal data (including biometrics) from any EU citizen.  It set the standard and has shaped the trends that dominate this sector today. Data protection ultimately focuses on protecting data and information from both internal and external threats. It mitigates the risks of fraud, compromise and corruption, and protects the individual.

What are the benefits of international privacy regulation?

As the amount of data being stored and created continues to increase exponentially, increased data protection has become critical, and indispensable. 

This has driven international data protection laws, and offers the following benefits:

• Valuable data is protected from leaks, loss and theft
• Companies can increase confidence from public, investors and customers
• Brand value is inherent and implicit in a robust policy and framework
• Good governance improves a company’s competitive advantage
• Improvements in automation, digitisation and innovation due to business process transformation
• Increased trust and credibility across multiple markets and customers
• Deeper understanding of the data, its value, and the benefits it offers
• Improved data management and control, resulting in improved innovation and transformation.

So where do the laws lie, and which ones are the most well-known?

Data protection laws vary by region. Europe enforces strict rules with heavy fines, while the U.S. lacks centralized regulations. GDPR’s enforcement sparked a global shift toward stricter privacy controls. 

Here are key regions with international data protection laws:

• Europe – The enforcement of GDPR triggered a global shift in data privacy, pushing organizations toward stricter compliance. Heavy fines and reputational risks have made data protection more challenging but essential. Today, companies must prioritize compliance to stay protected.
• The USA – while the country doesn’t have formal laws at the federal level, there is some federal legislation that protects data on a more general level. With the devolution of power to the state level, several US states have created their own data-related laws. California’s legislation is considered among the most forward thinking with the California Consumer Privacy Act (CCPA) providing robust privacy rights and consumer protection. The law allows for residents of the state to establish precisely how their personal data is being collected and what it is being used for. A comprehensive list of privacy laws across other US states and their status can be found here.
• Brazil’s Lei Geral de Proteção de Dados (LGPD), enforced in August 2021, streamlines over 40 existing data privacy laws. It clearly defines the concepts of personal data and public data, outlines liabilities, and applies to all sectors. Companies must adopt Data Protection Officers, have rigorous security protocols, and ensure compliance with strict regulations.
• South Africa's Protection of Personal Information Act (POPIA) has undergone several iterations and evolutions since it was first proposed in 2013. Fully effective from July 2021, it offers rigorous data protection aligned with global standards, similar to GDPR.
• Bahrain has the Data Protection Law that has the honour of being the first of its kind to be introduced in the Middle East and that provides individuals with rights concerning how their data is collected, processed and stored.
• The Philippines has the Data Privacy Act of 2012 that has many of the components that define the EU Data Protection Directive and that ensures the protection of personal information by organisations.
• Canada implemented the Personal Information Protection and Electronic Documents Act (PIPEDA) that is aligned with EU data protection law. The Act is very much in line with the five global privacy principles and offers consumers significant protection for their personal information. Future reforms, such as the proposed Digital Charter Implementation Act (DCIA), aim to strengthen privacy rights and impose stricter penalties for non-compliance.
• In the United Kingdom, the GDPR was implemented after Brexit. It mirrors the EU GDPR but is tailored for the UK context. The Data Protection Act 2018 supplements this regulation.
• India has enacted a data protection bill called the Personal Data Protection bill that embeds many of the tenets of GDPR within the country’s context. These include requirements for notice and prior consent for the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to the individual in question is collected. In 2017, a Supreme Court ruling restricted private firms from using Aadhaar data – a platform that was unveiled in 2009 and forms a massive part of the country’s biometric identification programme. Aadhaar can verify identities but cannot be used to collect personal details.

Other international privacy laws for data protection can be found here. 

The Schrems II ruling

Schrems II, a ruling that addressed the flow of information from the European Union to the United States, has had an immense impact on global international privacy regulations and approaches. This ruling is reshaping how global organisations that operate across multiple countries and legislations approach the protection of personal information. Schrems II is set to have long-lasting impact across the US and beyond, shifting how organisation and country approaches data protection within global commerce and underscoring the importance of investing into privacy toolkits, technology and professionals to ensure absolute compliance to the letter of any local law.  

International privacy regulation latest trends

In addition to the changes being introduced in Canada, Brazil, the UK and India, California voters passed a supplement to the CCPA in November 2020 known as the California Privacy Rights Act (CPRA). It has been in effect since January 2023 and the law is now enforceable as of February 2024. It provides California residents with even more control over their personal information and imposes additional control over businesses.  It is managed by the California Privacy Protection Agency (CCPA). 

In October 2020, the National People’s Congress in China released a draft of the Personal Information Protection Law (PIPL) and it has now been effective since 1 November 2021. This is an exciting shift in the country’s approach to developing a fully realised and comprehensive privacy and data governance platform. The law is set to change the privacy landscape in China. Global privacy regulations are rapidly evolving. While diverse rules may create gaps, experts expect tighter global alignment for stronger compliance.