International Privacy Laws

Introduction 

This page is intended to be a guide to the privacy and data protection regulation of countries around the world. For each country it covers the scope, requirements and other details which may be useful for people working with contracts and individuals from other countries.

Global map highlighting the regions discussed on this page.


General Data Protection Regulation (GDPR) - European Union 

Overview

The GDPR's aim is to give consumers control over their own personal data by holding companies responsible for the way they handle and treat this information.

Scope

The GDPR applies to all companies processing the personal data of data subjects residing in the EU/EEA, regardless of the company’s location.

Categories of Sensitive Data

Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, sexual orientation, and health details of individuals in the EU fall under the GDPR's list of special categories of (sensitive) data.

Some Key Requirements

  • Data subject consent with option to withdraw
  • Data breach notification for subject
  • In high impact situations, a personal information protection impact assessment
  • Appointing Data Protection Officer

Does it exempt academic research?

For research purposes, special categories of personal data may be processed. Provided that appropriate technical and organisational measures have been taken, certain rights of the data subject may be set aside if this is necessary for the research.

Learn more on the EU GDPR page



Personal Information Protection Law (PIPL) - China

Overview

China's Personal Information Protection Law (PIPL) is the country's data privacy law, aimed at protecting personal information and addressing the problem of personal data leakage.

Scope

The PIPL applies not only to organizations and individuals who process personally identifiable information (PII) within China, but also to those who process the PII of Chinese citizens outside China.

Categories of Sensitive Data

Sensitive personal information is information that may lead to discrimination or harm if leaked or used illegally, such as personal identifying information, individual biometric features, medical and health data, financial accounts, location tracking, and other sensitive information.

Some Key Requirements

  • Consent for transferring and processing
  • Appropriate Privacy Notice
  • In specific cases, a personal information protection impact assessment
  • Appointing local representative in China

Does it exempt academic research?

If data will be de-identified/anonymized, PIPL is unlikely to apply. If data is identified, a research contract may include components of PIPL compliance.

Learn more on the China Privacy Law page



Lei Geral de Proteção de Dados (LGPD) - Brazil

Overview

The Brazilian General Data Protection Act (in Portuguese, Lei Geral de Proteção de Dados, LGPD) establishes rules on the collection, handling, storage and sharing of personal data managed by organizations.

Scope

The LGPD covers all companies that offer services or have operations involving data handling in Brazil.

Categories of Sensitive Data

Personal data on racial or ethnic origin, religious belief, political opinion, trade union or religious affiliation, or philosophical or political organisation membership, as well as data relating to health or sex life, or genetic or biometric data, when related to a natural person.

Some Key Requirements

  • Data subject consent
  • Appropriate Privacy Notice
  • When directed by national authorities, a personal information protection impact assessment
  • Appointment of a Data Protection Officer

Does it exempt academic research?

The LGPD does not apply in the case when the processing of personal data is performed solely for academic purposes.

Learn more on the Brazil Privacy Law page



Information Technology Act 2000 and SPDI Rules - India

Overview

Under the IT Act 2000 and the SPDI Rules, companies must implement and maintain reasonable security practices and procedures to prevent unauthorized access, use, disclosure, alteration, or destruction of sensitive personal data.

Scope

The SPDI Rules issued under the IT Act apply to offences that occur in India and also to offences committed outside India, if they involve electronic resources located in India.

Categories of Sensitive Data

'Sensitive personal information or data' means passwords, financial information, physical, physiological or mental health conditions, sexual orientation, medical records and history, and biometric information, except where this information is already in the public domain.

Some Key Requirements

  • Having a privacy policy available describing type of data collected and purpose.
  • Getting consent from data subjects.

Does it exempt academic research?

No such exemption stated.

Learn more on the India Privacy Law page



Federal Act on Data Protection (FADP) - Switzerland

Overview

The data processing principles set out in the FADP protect against infringements of personality rights (data privacy) caused by excessive use of personal data.

Scope

The FADP also applies to data processing carried out outside Switzerland that may adversely affect the privacy rights of individuals in Switzerland.

Categories of Sensitive Data

Data concerning religious, ideological, political or trade union-related views, health, social security, criminal proceedings, and genetic or biometric data.

Some Key Requirements

  • Consent from data subjects
  • Appropriate privacy notice required
  • Appointing a local representative in Switzerland in high risk scenarios
  • Appointment of a Data Protection Officer

Does it exempt academic research?

No such exemption stated.

Learn more on the Switzerland Privacy Law page


Ley Federal de Protección de Datos Personales en Posesión de los Particulares (The Federal Law on the Protection of Personal Data held by Private Parties) - Mexico

Overview

The law establishes the bases, principles and procedures for guaranteeing the right to protection of personal data held by the parties subject to the law.

Scope

The regulation applies to the processing of personal data carried out in or involving Mexico by a data controller or data processor, regardless of location.

Categories of Sensitive Data

Sensitive data is defined as data that may reveal personal aspects such as racial or ethnic origin, current or future state of health, genetic information, religious, philosophical or moral beliefs, labor union membership, political opinions, and similar characteristics.

Some Key Requirements

  • Appropriate Privacy Notice required
  • Explicit consent
  • Appointing a Data Protection Officer

Does it exempt academic research?

No such exemption stated.