Introduction
This page is intended to be a guide to the privacy and data protection regulation of countries around the world. For each country it covers the scope, requirements and other details which may be useful for people working with contracts and individuals from other countries.
General Data Protection Regulation (GDPR) - European Union
Overview
The GDPR's aim is to give consumers control over their own personal data by holding companies responsible for the way they handle and treat this information.
Scope
The GDPR applies to all companies processing the personal data of data subjects residing in the EU/EEA, regardless of the company’s location.
Categories of Sensitive Data
Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, sexual orientation, and health details of individuals in the EU falls under the GDPR's sensitive data (special categories) list.
Some Key Requirements
- Data subject consent with option to withdraw
- Data breach notification for subject
- In high impact situations, a personal information protection impact assessment
- Appointing Data Protection Officer
Does it exempt academic research?
For research, special categories of personal data may be processed. Provided that appropriate technical and organisational measures have been taken, certain rights of the data subject may be set aside where this is necessary for the research.
Learn more on the EU GDPR page
Personal Information Protection Law (PIPL) - China
Overview
The China Personal Information Protection Law (PIPL) is the new data privacy law in China, targeted at personal information protection and addressing the problems with personal data leakage.
Scope
The PIPL applies not only to organizations and individuals who process personally identifiable information (PII) in China, but also to those who process the PII of Chinese citizens outside of China.
Categories of Sensitive Data
Information that may lead to discrimination or harm if leaked or used illegally, such as personal identifying information, individual biometric features, medical and health data, financial accounts, location tracking, and other sensitive information.
Some Key Requirements
- Consent for transferring and processing
- Appropriate Privacy Notice
- In specific cases, a personal information protection impact assessment
- Appointing local representative in China
Does it exempt academic research?
If data will be de-identified/anonymized, PIPL is unlikely to apply. If data is identified, a research contract may include components of PIPL compliance.
Learn more on the China Privacy Law page
Lei Geral de Proteção de Dados (LGPD) - Brazil
Overview
The Brazilian General Data Protection Act (in Portuguese, LGPD, Lei Geral de Proteção de Dados) establishes rules on collecting, handling, storing and sharing of personal data managed by organizations.
Scope
The LGPD covers all companies that offer services or have operations involving data handling in Brazil.
Categories of Sensitive Data
Personal data on racial or ethnic origin, religious belief, political opinion, trade union or religious affiliation, or philosophical or political organisation membership, as well as data relating to health or sex life, or genetic or biometric data, when related to a natural person.
Some Key Requirements
- Data subject consent
- Appropriate Privacy Notice
- When directed by national authorities, a personal information protection impact assessment
- Appointment of a Data Protection Officer
Does it exempt academic research?
The LGPD does not apply in the case when the processing of personal data is performed solely for academic purposes.
Learn more on the Brazil Privacy Law page
Information Technology Act 2000 and SPDI Rules - India
Overview
According to the IT Act 2000 and the SPDI Rules, companies must implement and maintain reasonable security practices and procedures to prevent unauthorized access, use, disclosure, alteration, or destruction of sensitive personal data.
Scope
The SPDI Rules issued under the IT Act apply to offences that occur in India and outside India, if the offences involve electronic resources in India.
Categories of Sensitive Data
'Sensitive personal data or information' means passwords, financial information, physical, physiological, or mental health conditions, sexual orientation, medical records and history, and biometric information, except where such information is in the public domain.
Some Key Requirements
- Having a privacy policy available describing type of data collected and purpose.
- Getting consent from data subjects.
Does it exempt academic research?
No such exemption stated.
Learn more on the India Privacy Law page
Federal Act on Data Protection (FADP) - Switzerland
Overview
The data processing principles set out in the FADP provide for protection against infringements of personality rights (data privacy) through excessive use of personal data.
Scope
The FADP also applies to data processing carried out outside of Switzerland where it may adversely affect the privacy rights of individuals in Switzerland.
Categories of Sensitive Data
Data concerning religious, ideological, political, or trade union-related views or activities; health; social security measures; criminal proceedings or sanctions; genetic data; and biometric data.
Some Key Requirements
- Consent from data subjects
- Appropriate privacy notice required
- Appointing a local representative in Switzerland in high risk scenarios
- Appointment of a Data Protection Officer
Does it exempt academic research?
No such exemption stated.
Learn more on the Switzerland Privacy Law page
Ley Federal de Protección de Datos Personales en Posesión de los Particulares (The Federal Law on the Protection of Personal Data held by Private Parties) - Mexico
Overview
The law establishes the bases, principles, and procedures for guaranteeing the right to the protection of the personal data that is in possession of the mandated subjects.
Scope
The regulation applies to the processing of personal data carried out in or involving Mexico by a data controller or data processor, regardless of location.
Categories of Sensitive Data
Defined as data that may reveal personal aspects such as racial or ethnic origin, current or future state of health, genetic information, religious, philosophical or moral beliefs, labor union membership, political opinions, and the like.
Some Key Requirements
- Appropriate Privacy Notice required
- Explicit consent
- Appointing a Data Protection Officer
Does it exempt academic research?
No such exemption stated.