Data Privacy Briefing Series
Free executive briefings on existing and impending domestic and international data privacy regulations. Because compliance doesn’t need to be complicated.
The RBA Data Privacy Briefing Series
Because Compliance Doesn’t Need to be Complicated
In today’s rapidly evolving digital landscape, protecting your customers’ data is more important than ever. With new domestic and international data privacy regulations constantly emerging, staying compliant can feel overwhelming. That’s where the RBA Data Privacy Briefing Series comes in.
Our series of free executive briefings is designed to help you easily navigate the complexities of data privacy compliance. Our team of experts stays up-to-date with the latest legislation, providing you with the knowledge and tools you need to safeguard your customers’ data and mitigate risk.
United States: Data Privacy Laws
The United States has a patchwork of federal and state data privacy laws that offer varying levels of protection for consumers’ personal information. At the federal level, there are sector-specific laws like HIPAA for health data, COPPA for children’s online privacy, and the Gramm-Leach-Bliley Act for financial data. However, as of 2024, no comprehensive federal data privacy law exists. In the absence of such a law, many states have passed their own comprehensive data privacy legislation. The scope and specifics of these laws vary by state, but they generally aim to give consumers more control over their personal information and hold businesses accountable for protecting that data.
Canada: Data Privacy Laws
In Canada, data privacy is regulated by a combination of federal and provincial laws. The primary federal law is the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs private-sector organizations’ collection, use, and disclosure of personal information. However, some provinces, such as Alberta, British Columbia, and Quebec, have “substantially similar” privacy legislation that takes precedence over PIPEDA within those provinces. Quebec recently enacted significant changes to its privacy law (Law 25), bringing it more in line with the EU’s GDPR. Additionally, Canada has sector-specific privacy laws, such as those covering health information, and privacy rights are also protected under the Canadian Charter of Rights and Freedoms. The federal government is considering updates to PIPEDA through Bill C-27 to further strengthen privacy protections for Canadians.
European Union: Data Privacy Laws
The European Union has some of the world’s most comprehensive and stringent data privacy laws, centered around the General Data Protection Regulation (GDPR). The GDPR, which went into effect in May 2018, sets strict requirements for how companies collect, process, store, and transfer the personal data of EU citizens. It gives individuals enhanced rights over their data, requires companies to obtain explicit consent, and imposes hefty fines for non-compliance. In addition to the GDPR, the EU has the Law Enforcement Directive governing the use of personal data by law enforcement, the ePrivacy Directive regulating electronic communications, and a new Trans-Atlantic Data Privacy Framework enabling data transfers between the EU and the US. Overall, the EU prioritizes the fundamental right of data protection and has established itself as a global leader in this area.
United Kingdom: Data Privacy Laws
Before Brexit, the UK was subject to the EU’s General Data Protection Regulation (GDPR), which governs how personal data of individuals in the EU may be processed and transferred. To ensure adequate data protection and allow the free flow of data between the UK and EU post-Brexit, the UK incorporated the GDPR into domestic law as the UK GDPR, alongside the Data Protection Act 2018. The EU has since granted the UK an adequacy decision, finding the UK’s data protection laws essentially equivalent to the EU’s, allowing personal data to continue flowing freely between the two until at least June 2025.
Switzerland: Data Privacy Laws
Switzerland’s data privacy landscape is governed by the revised Federal Act on Data Protection (FADP), enacted on September 1, 2023. The updated law aims to strengthen data protection, align with the EU’s General Data Protection Regulation (GDPR), and adapt to technological and social developments. Fundamental changes include expanded user consent requirements, increased severity of sanctions, mandatory data protection impact assessments for high-risk processing, and the introduction of “privacy by design and default” principles. The FADP applies to businesses operating in Switzerland and those outside Switzerland that process the personal data of Swiss residents. While the FADP shares many similarities with the GDPR, there are some notable differences in areas such as the designation of data protection officers, data breach notification timelines, and the scope of sanctions.
Brazil: Data Privacy Laws
Brazil’s primary data privacy law is the Lei Geral de Proteção de Dados (LGPD), enacted in September 2020 to protect the fundamental rights of freedom, privacy, and free development of individuals. The LGPD applies to any processing of personal data in Brazil—regardless of where the entity is based—and requires entities to obtain consent and allow users to withdraw it, and grants users rights such as data portability and deletion. Entities must appoint a data protection officer, and the law is enforced by the Autoridade Nacional de Proteção de Dados (ANPD), which can issue warnings and fines for violations. The LGPD aligns broadly with the EU’s GDPR and replaces and consolidates various previous sector-specific data privacy regulations in Brazil.
China: Data Privacy Laws
China has implemented a comprehensive data protection legal framework through the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL). These laws regulate data collection, use, storage, and cross-border transfer, focusing on protecting personal information and safeguarding national security. The PIPL, similar to the EU’s GDPR, gives Chinese data subjects new rights and applies extraterritorially to offshore data processors delivering goods or services or analyzing individuals in China. The DSL classifies data by importance and restricts cross-border transfers, requiring official approval to provide data to foreign judicial or enforcement authorities. Companies must assess compliance with these stringent laws, which carry severe penalties for violations.
India: Data Privacy Laws
In August 2023, India passed the Digital Personal Data Protection (DPDP) Act, a comprehensive data privacy law that governs how entities process users’ personal data. The DPDP Act requires express user consent before processing personal data with some exceptions, prohibits behavioral monitoring and targeted advertising directed at minors, and establishes the Data Protection Board of India to investigate data breaches and handle consumer inquiries. The law applies extraterritorially to processing personal data outside India if it relates to providing goods or services to Indian residents. Entities responsible for collecting, storing, and processing digital personal data, known as data fiduciaries, have defined obligations under the Act.
Data Privacy Briefing Series
Sign up to receive new RBA Data Privacy Briefing Series installments and take the first step towards a more secure, compliant future. Because when it comes to protecting your customers’ data, compliance doesn’t need to be complicated.
Key Dates & Compliance Deadlines
Comprehensive Data Privacy Regulations
California Consumer Privacy Act (CCPA)
Passed: June 2018
Enforced: January 1, 2020
Virginia Consumer Data Protection Act (VCDPA)
Passed: March 2021
Enforced: January 1, 2023
Colorado Privacy Act (CPA)
Passed: July 2021
Enforced: July 1, 2023
Connecticut Data Privacy Act (CTDPA)
Passed: May 2022
Enforced: July 1, 2023
Utah Consumer Privacy Act (UCPA)
Passed: March 2022
Enforced: December 31, 2023
California Privacy Rights Act (CPRA)
Passed: November 2020
Enforced: February 9, 2024
Oregon Consumer Privacy Act (OCPA)
Passed: June 2023
Enforced: July 1, 2024
Texas Data Privacy and Security Act (TDPSA)
Passed: June 2023
Enforced: July 1, 2024
Montana Consumer Data Protection Act (MTCDPA)
Passed: May 2023
Enforced: October 1, 2024
Delaware Personal Data Privacy Act (DPDPA)
Passed: September 2023
Enforced: January 1, 2025
Iowa Consumer Data Protection Act (ICDPA)
Passed: March 2023
Enforced: January 1, 2025
Nebraska Data Privacy Act (NDPA)
Passed: April 2024
Enforced: January 1, 2025
New Hampshire Senate Bill 255
Passed: March 2024
Enforced: January 1, 2025
New Jersey Senate Bill 332
Passed: January 2024
Enforced: January 15, 2025
Tennessee Information Protection Act (TIPA)
Passed: May 2023
Enforced: July 1, 2025
Minnesota Consumer Data Privacy Act (MCDPA)
Passed: May 2024
Enforced: July 31, 2025
Maryland Online Data Privacy Act (MODPA)
Passed: May 2024
Enforced: October 1, 2025
Indiana Consumer Data Protection Act (INCDPA)
Passed: May 2023
Enforced: January 1, 2026
Kentucky Consumer Data Protection Act (KCDPA)
Passed: April 2024
Enforced: January 1, 2026
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Passed: June 2024
Enforced: January 1, 2026
Expertise You Can Trust
At RBA, we understand that every business is unique. That’s why we offer customized solutions tailored to your specific needs, whether you’re a small startup or a global enterprise. Our comprehensive support covers everything from initial assessments to implementation and ongoing compliance advice.
Simplify Your Compliance Journey
We work directly with your legal, compliance, regulatory, and security teams to make the compliance process more manageable and help minimize your risk. With RBA as your data privacy compliance partner, you can focus on what matters most: growing your business and serving your customers.
Data Privacy Services
- Data Privacy Programs
- AI Governance & Risk Management
- Consent Management Platforms (CMPs)
- Data Privacy Audits
- IT Security Audits
- Data Inventories
- Website Compliance
Compliance Doesn't Need to be Complicated
Is your team prepared to meet the challenges of protecting your customers' data in an ever-changing privacy & security landscape? The cost of non-compliance is growing with each new law passed. RBA can help you navigate these complexities and equip your organization with the knowledge and tools you need to be successful.
- Expertise: We stay up-to-date with the latest in domestic and international data privacy legislation
- Customized Solutions: Tailored approaches for businesses of all sizes, including those with a global footprint
- Comprehensive Support: From assessment to implementation and ongoing compliance advice
- Risk Mitigation: We'll work directly with your legal, compliance, regulatory, and security teams to help minimize your risk
Disclaimer
The information provided on this website is for general informational purposes only. While we strive to keep the content accurate and up-to-date, RBA, Inc., makes no representations or warranties of any kind, express or implied, about the completeness, reliability, or suitability of the information contained on this website.
Please note that RBA, Inc., is not a law firm, and its consultants are not attorneys or legal professionals. Any advice or opinions provided are offered in good faith and should not be construed as legal advice. We strongly recommend consulting your legal, regulatory, compliance, and/or security teams before making decisions with legal implications.
RBA, Inc., disclaims any liability for any loss or damage arising out of the use of this website or reliance on its content.