In a world where data is the new oil, navigating the evolving landscape of global data privacy regulations is akin to fortifying a digital castle.


Welcome to our latest thought leadership piece, which covers compliance with privacy regulations across the globe and explores how leaders and legal advisors of organizations manage compliance with data privacy regulations in the jurisdictions of their operations. The complexities of such compliance are accentuated by the varying levels and evolving nature of privacy regulations in specific jurisdictions, especially when organizations find themselves subject to multiple data privacy regulations across different jurisdictions.


Do current privacy laws offer the necessary means to counter the rising tide of surveillance capitalism? Are we likely to witness the convergence of forces that facilitate the progress towards a definitive point where individuals will be able to dictate the terms of what data can be shared and with whom? These are some burning questions before us today.


Notwithstanding the foregoing, staying abreast of current and emerging data privacy requirements is imperative to achieve compliance in substance and form. In the ensuing section, we explore the complexities, commonalities and contrasts among key data privacy regulations worldwide.



| Feature / Regulation | Australia: The Privacy Act 1988 | Brazil: Lei Geral de Proteção de Dados ('LGPD') | Canada: Personal Information Protection and Electronic Documents Act ('PIPEDA') | China: Personal Information Protection Law ('PIPL') |
|---|---|---|---|---|
| Focus | Protects personal information and regulates data processing within Australia | Protects personal data, ensures rights of data subjects, and establishes obligations for data processing entities | Protects personal information in the course of commercial activities and regulates data processing activities within Canada to ensure transparent and secure data practices | Protects personal information, safeguards the rights and interests of individuals, and regulates data processing activities within China |
| Applicability | Organizations operating in Australia and those overseas dealing with Australian residents' data | Data processing by individuals, companies, and public entities within Brazil, and international entities processing data of Brazilian citizens | Organizations engaged in commercial activities across Canada, and federally regulated organizations, with some provincial variations (e.g., Alberta, British Columbia, and Quebec have their own privacy laws) | Organizations and individuals processing personal information within China, as well as those processing data of Chinese residents outside of China if certain conditions are met, such as the purpose of providing products or services to Chinese residents |
| Data subject rights | Access, correction, deletion, objection to processing | Access, rectification, deletion, anonymization, data portability, information on data processing, and the right to revoke consent | Access, correction, and the right to challenge the accuracy and completeness of personal data, with rights to withdraw consent and be informed about data use | Access, rectification, erasure, restriction of processing, data portability, and the right to object to certain data processing activities, including automated decision-making and profiling |
| Consent | "Express consent" implies the individual actively agrees through a written statement or clear action | Must be freely given, informed, unambiguous, and explicit. Special requirements for consent from children and for sensitive data. The LGPD emphasizes the concept of clear and affirmative action for consent | Must be freely given, specific, informed, and unambiguous. Implied consent can be acceptable in limited circumstances, but explicit consent is generally required and is the preferred method, especially for sensitive personal data | Must be freely given, specific, informed, and unambiguous. Explicit and separate consent required for processing sensitive personal information, with the right to withdraw consent at any time |
| Lawful basis for processing | Includes consent, legitimate interests, and other grounds | Consent, legal obligation, contract performance, legitimate interest, protection of life and health, and other specified legal bases | Primarily based on the need for consent, with some exceptions for specific circumstances such as legal, medical, and journalistic purposes | Consent, necessity for contract performance, compliance with legal obligations, protection of vital interests, public interest, legitimate interests, and other specified legal bases |
| Data transfer | Less restrictive, but organizations must take reasonable steps to protect data | Permitted to countries with adequate data protection levels, with consent, or with adequate safeguards such as standard contractual clauses or binding corporate rules | Must ensure data transfers to foreign countries have adequate levels of data protection, and obtain consent from data subjects for such transfers, or use appropriate safeguards | Must ensure data transfers to foreign countries have adequate levels of data protection, obtain consent from data subjects, undergo security assessments, and receive government approvals as necessary |
| Enforcement | Potential fines by the Office of the Australian Information Commissioner ('OAIC') and class action lawsuits | Enforced by the National Data Protection Authority ('ANPD'), which can impose fines, warnings, and other sanctions for non-compliance | Enforced by the Office of the Privacy Commissioner of Canada ('OPC'), with penalties including fines and corrective actions for non-compliance | Enforced by the Cyberspace Administration of China ('CAC') and other relevant authorities, with penalties including fines, corrective actions, and potential criminal liability for non-compliance |
| Data breach notification | Mandatory notification to the OAIC and affected individuals if a risk of serious harm exists | Notify the ANPD and affected data subjects within a reasonable time frame, including details of the breach and measures taken to address it | Notify the OPC and affected individuals in the event of a data breach that poses a real risk of significant harm, including details of the breach and mitigation measures | Notify the CAC and affected individuals without undue delay in the event of a data breach that poses a risk to their rights and interests, including details of the breach and measures taken to mitigate it |



| Feature / Regulation | European Union: General Data Protection Regulation ('GDPR') | India: Digital Personal Data Protection Act | Japan: Act on the Protection of Personal Information | Kenya: Data Protection Act 2019 |
|---|---|---|---|---|
| Focus | Focuses on individual control over personal data, with comprehensive data subject rights and robust enforcement mechanisms | Focuses on data localization and protection of personal data of Indian residents, with potential restrictions on cross-border data transfers | Protects personal information, focusing on transparency and accountability for data processing activities, so that individuals are informed about how their data is used and organizations are held responsible for data security | Focuses on data protection principles similar to the GDPR, promoting transparency and accountability for data processing activities within Kenya |
| Applicability | Organizations processing data of EU residents (regardless of location) | Organizations processing data in connection with offering goods/services in India | Organizations operating in Japan or targeting Japanese residents, including entities handling personal information of 5,000 or more individuals within the past six months | Organizations operating within Kenya or processing personal data of Kenyan residents, including data controllers and data processors, both local and international |
| Data subject rights | Access, rectification, erasure, restriction of processing, data portability | Similar to the GDPR, with some variations | Access, correction, deletion, and the right to suspend the use of personal data, as well as the right to be informed about the purpose of data usage | Access, rectification, erasure, restriction of processing, and the right to object to certain data processing activities, including automated decision-making and profiling |
| Consent | Clear and affirmative consent required | Consent or "legitimate use" for processing | Must be freely given, specific, informed, and unambiguous. Explicit consent required for processing sensitive personal information | Must be freely given, specific, informed, and unambiguous. Explicit consent required for processing sensitive personal data, with provisions for withdrawal at any time |
| Lawful basis for processing | Broad range, including consent, contract, legitimate interests | Consent or a "legitimate use" (narrower than the GDPR) | Consent, necessity for contract performance, compliance with legal obligations, and legitimate interests | Consent, necessity for contract performance, compliance with legal obligations, legitimate interests, public interest, and other specified legal bases |
| Data transfer | Strict safeguards for international transfers | Unclear at this stage and likely to be clarified in the rules | Ensure data transfers to foreign countries have adequate levels of data protection, and obtain consent from data subjects for such transfers | Ensure data transfers to foreign countries have adequate levels of data protection, and obtain consent from data subjects for such transfers, or use appropriate safeguards like Standard Contractual Clauses and Binding Corporate Rules |
| Enforcement | Data Protection Authority with significant fines | Data Protection Board with power to levy fines | Enforced by the Personal Information Protection Commission ('PPC'), with penalties including fines and corrective actions for non-compliance | Enforced by the Office of the Data Protection Commissioner, with penalties including fines and corrective actions for non-compliance, and provision for appeals |
| Data breach notification | Mandatory notification requirements | Regulations under development | Notify the PPC and affected individuals in the event of a data breach, including details of the breach and mitigation measures | Notify the Office of the Data Protection Commissioner and affected individuals without undue delay in the event of a data breach that poses a risk to their rights and freedoms, including details of the breach and mitigation measures |



| Feature / Regulation | Mexico: Federal Law on the Protection of Personal Data Held by Private Parties ('LFPDPPP') | Saudi Arabia: Personal Data Protection Law | South Africa: Protection of Personal Information Act | Singapore: Personal Data Protection Act |
|---|---|---|---|---|
| Focus | Protects personal data held by private parties and regulates data processing activities within Mexico | Provides data protection principles and data subject rights | Protects personal information | Protects personal data |
| Applicability | Private entities and individuals processing personal data for commercial purposes within Mexico | Organizations processing personal data in Saudi Arabia | Organizations operating in South Africa or those processing the data of South African residents | Organizations collecting, using or disclosing personal data in Singapore |
| Data subject rights | Access, rectification, cancellation, and opposition (ARCO rights) | Access, rectification, erasure, restriction of processing, portability | Access, correction, deletion, objection to processing | Access, correction, deletion, restriction of processing, portability (limited) |
| Consent | Valid consent required for processing personal data, subject to specific conditions under which consent is considered valid | Emphasis on consent, with evolving regulations | Required, with some exceptions for specific purposes | Required, with some exceptions for "deemed consent" |
| Lawful basis for processing | Consent, necessity for contract performance, legal obligations, and legitimate interest | Consent, contract, and limited "legitimate interests" | Consent, legitimate interests complying with a public interest law, other prescribed grounds | Limited grounds (consent, performance of a contract) |
| Data transfer | Transfers outside Mexico require adequate levels of data protection in the recipient country; this may involve data transfer agreements or approved mechanisms like Standard Data Protection Clauses | Stricter requirements for transfers outside Saudi Arabia. Organizations may need to obtain prior authorization from the regulator or fulfil more stringent requirements compared to other jurisdictions | Requires permission from the Information Regulator if the transfer does not meet adequacy requirements; where the level of protection is insufficient, approval from the Information Regulator must be obtained before transferring data | Stricter requirements, requiring a comparable level of protection in the receiving country. This may involve data transfer agreements, relying on approved mechanisms, or meeting specific conditions set by the Personal Data Protection Commission ('PDPC') |
| Enforcement | Enforced by the National Institute for Transparency, Access to Information and Personal Data Protection, with penalties and sanctions for non-compliance | Saudi Data Protection Authority with power to impose sanctions | Fines by the Information Regulator and potential civil lawsuits | High potential fines by the Personal Data Protection Commission |
| Data breach notification | Notify relevant authorities and affected data subjects in the event of a data breach, with prescribed timelines and content of the notification | Mandatory notification requirements | Mandatory notification to the Information Regulator and affected individuals if likely to cause harm | Mandatory notification to the PDPC and affected individuals |

In the ensuing section we examine the intricacies of the United States, where the absence of a unified federal law necessitates maneuvering through a patchwork of state-level data privacy statutes.


| Feature / Regulation | California: Privacy Rights Act | Colorado: Privacy Act | Utah: Consumer Privacy Act | Virginia: Consumer Data Protection Act |
|---|---|---|---|---|
| Focus | Enhances consumer privacy rights, regulates data processing activities within California, and promotes transparent data practices | Protects consumer privacy rights, regulates data processing activities within Colorado, and promotes transparent data practices | Enhances consumer privacy rights, regulates data processing activities within Utah, and promotes transparent data practices | Enhances consumer privacy rights, regulates data processing activities within Virginia, and promotes transparent data practices |
| Applicability | Organizations operating in California or targeting California residents, meeting certain thresholds (e.g., gross annual revenues over $25 million, buying/selling/sharing personal information of 100,000+ consumers or households, or deriving 50% or more annual revenue from selling/sharing consumers' personal information) | Organizations operating in Colorado or targeting Colorado residents, meeting certain thresholds (e.g., processing data of 100,000+ consumers annually or deriving revenue from the sale of personal data of 25,000+ consumers) | Organizations operating in Utah or targeting Utah residents, meeting certain thresholds (e.g., annual revenue of $25 million or more, processing data of 100,000+ consumers or deriving 50% or more annual revenue from selling personal data) | Organizations operating in Virginia or targeting Virginia residents, meeting certain thresholds (e.g., controlling or processing data of 100,000+ consumers or deriving 50% or more annual revenue from the sale of personal data) |
| Data subject rights | Access, correction, deletion, data portability, the right to opt out of the sale or sharing of personal information, and the right to limit the use of sensitive personal information | Access, correction, deletion, data portability, and the right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects | Access, deletion, data portability, and the right to opt out of the sale of personal data and targeted advertising | Access, correction, deletion, data portability, and the right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects |
| Consent | Must be freely given, specific, informed, and unambiguous. Explicit consent required for processing sensitive personal information of children under 16 | Must be freely given, specific, informed, and unambiguous. Explicit consent required for processing sensitive data | Must be freely given, specific, informed, and unambiguous. Explicit consent required for processing sensitive data and for data of children under 13 | Must be freely given, specific, informed, and unambiguous. Explicit consent required for processing sensitive data and for data of children under 13 |
| Lawful basis for processing | Consent, necessity for contract performance, compliance with legal obligations, legitimate interests, public interest, and other specified legal bases | Consent, necessity for contract performance, compliance with legal obligations, legitimate interests, public interest, and other specified legal bases | Consent, necessity for contract performance, compliance with legal obligations, legitimate interests, public interest, and other specified legal bases | Consent, necessity for contract performance, compliance with legal obligations, legitimate interests, public interest, and other specified legal bases |
| Data transfer | Ensure data transfers comply with other applicable state and federal laws and implement adequate safeguards for international data transfers | Ensure data transfers comply with other applicable state and federal laws and implement adequate safeguards for international data transfers | Ensure data transfers comply with other applicable state and federal laws and implement adequate safeguards for international data transfers | Ensure data transfers comply with other applicable state and federal laws and implement adequate safeguards for international data transfers |
| Enforcement | Enforced by the California Privacy Protection Agency and the California Attorney General, with penalties including fines and corrective actions for non-compliance | Enforced by the Colorado Attorney General, with penalties including fines and corrective actions for non-compliance | Enforced by the Utah Attorney General, with penalties including fines and corrective actions for non-compliance | Enforced by the Virginia Attorney General, with penalties including fines and corrective actions for non-compliance |
| Data breach notification | Notify affected consumers and the California Attorney General within a reasonable time frame, including details of the breach and measures taken to mitigate it | Notify affected consumers and the Colorado Attorney General within a reasonable time frame, including details of the breach and measures taken to mitigate it | Notify affected consumers and the Utah Attorney General within a reasonable time frame, including details of the breach and measures taken to mitigate it | Notify affected consumers and the Virginia Attorney General within a reasonable time frame, including details of the breach and measures taken to mitigate it |

What measures should organizations with operations in several data privacy jurisdictions take?

Implementing comprehensive data privacy frameworks is inherently complex, given the rapid pace of technological advancements, varied cultural norms and the risk of unintended negative consequences.


Organizations should undertake comprehensive compliance risk assessments to identify potential cross-border compliance issues unique to their organization and the jurisdictions they operate in. These assessments should take into account regulatory differences, cultural factors and enforcement practices to pinpoint areas of potential non-compliance. Organizations should essentially develop a robust global privacy compliance program.


Regular monitoring of regulatory changes concerning data privacy and staying abreast of legislative developments in the jurisdictions of operation are essential for effective management of cross-border compliance challenges. It is also essential to establish a process for tracking regulatory updates (which can also be done with the aid of specific tools) and assessing their impact on the organization's compliance program, to ensure that the compliance framework is adapted to the evolving legal landscape. Furthermore, companies might choose to engage with local legal counsel and compliance specialists knowledgeable about the laws and regulations of each jurisdiction. Utilizing their expertise can enable an effective understanding of complex regulatory landscapes and establish best practices that meet the specific compliance demands of the relevant regulations.

In summary

Just as a castle must withstand sieges to safeguard its inhabitants, organizations must ensure compliance across jurisdictions to avoid severe penalties and maintain their fortress of trust and reputation. Utilizing a comprehensive privacy compliance framework designed to align with international standards and accommodate local variations, companies can achieve legal compliance and build trust and loyalty with their international clientele.


Our seasoned professionals, adept in global privacy legislation, are prepared to guide your organization through these intricacies. Let us tackle the challenge of data privacy together, making it a fundamental aspect of your business strategy, to secure enduring prosperity and bolster your brand's standing in the digital age.


Please do not hesitate to write to contactus@mgcglobal.co.in for any queries or if we can be of assistance.


Best regards

Markets team

MGC Global Risk Advisory

About MGC Global Risk Advisory 

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 &, 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For' in 2020, amongst the 'Top 25 Customer Centric Companies' in 2020, 'The Consultant of the year' in 2021 (in the category of risk advisory services), 'Top Exceptional Leaders in Risk Advisory Services' in 2023 and 'Best place to work' in 2024; MGC Global is an independent member firm of Allinial Global.


MGC Global provides services in the areas of enterprise-wide risk management, forensics, internal audits, control assessments (SOC, IFCR & SOX), process re-engineering, governance frameworks, privacy & data protection (including GDPR & DPDP), IT risk advisory, VAPT, ISO readiness, cyber security, vCISO, accounting advisory, ESG & CSR services.


Our firm has the capabilities to service its clients through its offices in Bengaluru, Mumbai, NCR; and has service arrangements with associate firms in all major cities in India.


About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association. With collective revenues to the tune of approximately US$ 5 billion, Allinial Global has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It currently has member firms in over 105 countries, who have over 28,000 professional staff and over 6,000 partners operating from nearly 700 offices across the globe.


Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning & development, human resources, international outreach, technical support, knowledge-sharing through its specialized communities of practice, information technology and practice management. 
