Asia

China passed the Personal Information Protection Law of the People's Republic of China on August 20, 2021, and it came into force on November 1, 2021. Roughly based on the US GDPR, it focuses primarily on consent, the rights to privacy, and transparency of data processing. Unlike the GDPR, this law requires consent for all types of data processing activity, especially when personal data is transferred abroad.

The Personal Information Protection Law of the People's Republic of China is divided into 8 chapters and 73 articles.[6]​.

1. • General principles.

2. • Rules for the management of personal information:

1. General provisions

2. Rules for the processing of sensitive personal information

3. Special regulation on the processing of personal information by the State.

3. • Rules for the cross-border provision of personal information.

4. • Rights of people in the processing of personal information.

5. • Obligations of personal information processors.

6. • Department that performs personal data protection responsibilities.

7. • Legal responsibility.

8. • Supplementary provisions.

Legislation process of the Personal Information Protection Law of the People's Republic of China[7]​.

• - On December 20, 2018, the personal data protection law of the People's Republic of China has been included in the legislative plan of the Standing Committee of the National Congress.

• - On October 20, 2019, the personal data protection law of the People's Republic of China has been included in the legislative plan of the Standing Committee of the 13th National People's Congress.

• - In November 2020, the draft personal data protection law of the People's Republic of China described that in case of serious illegal act it can reach a fine of fifty million yuan (CNY).

• - On April 26, 2021, the second draft stipulates that personal information processors that provide basic services on an internet platform that contains a large number of users with complex business types must establish an independent body composed mainly of external members, supervising personal information processing activities, and periodically publish social responsibility reports on personal data protection.

• - On August 20, 2021, the Personal Information Protection Law of the People's Republic of China was approved, and it came into force on November 1, 2021.

In the Philippines, the Data Privacy Law of 2012 mandated the creation of the National Privacy Commission, which would monitor and maintain policies involving personal data protection and information privacy in the country.

Modeled after the European Data Protection Directive") and the privacy framework of the Asia-Pacific Economic Cooperation Forum, the independent body that would ensure the country's compliance with established international standards for data protection.[8]​ The law requires the government and private organizations composed of at least 250 employees, or those that have access to the personal information of at least 1,000 people, to appoint a Data Protection Officer to manage control. of information in these entities.[9]​

In summary, the law identifies important points regarding the management of personal information as follows:.

1. • Personal information must be collected for reasons that are specific, legitimate and reasonable.

2. • Personal information must be managed appropriately. It must be kept accurate, relevant, used for its stated purposes, and retained only for as long as necessary. The law requires entities to be active in ensuring that unauthorized parties do not have access to customer information.

3. • Personal information must be eliminated so that third parties cannot access the discarded data.

The Law on Protection of Personal Information[10]​ of Japan (APPI) is a regulation on the protection of personal information, which was designed to regulate the handling of personal information, whether by individuals or organizations, including government agencies, companies and non-profit organizations. This regulation was implemented and is managed today by a central government organization overseeing privacy protection issues, this being the Personal Information Protection Commission,[11]​ also known as PPC (Personal Information Protection Commission).

The APPI requires organizations that wish to collect personal information to obtain consent from individuals before collecting, using or sharing such information, but only in specific cases, such as when the information is sensitive or will be transferred to a third party or outside of Japan. Currently, the APPI continues to be modified, so it is possible that there will be new minutes that cover specific cases.

• - In 2003, the original APPI was enacted, but it was amended and the amendments came into effect on May 30, 2017.

• - On June 5, 2020, a project was approved that meant further modifying the APPI. The Modified APPI came into effect on April 1, 2022.

The Personal Information Protection Law of Japan is organized into 8 chapters and 185 articles as follows:

1. • Chapter I General Provisions (Articles 1 to 3).

2. • Chapter II Responsibilities of National and Local Governments (Articles 4 to 6).

3. • Chapter III Measures to Protect Personal Information (Articles 7 to 15).

4. • Chapter IV Obligations of Companies that Handle Personal Information (Articles 16 to 59).

5. • Chapter V Obligations of Administrative Entities (Articles 60 to 129).

6. • Chapter VI The Commission for the Protection of Personal Information (Articles 130 to 170).

7. • Chapter VII Various Provisions (Articles 171 to 175).

8. • Chapter VIII Penal Provisions (Articles 176 to 185).

Europe

Information source: General Data Protection Regulation").

The right to data privacy is strongly regulated and actively enforced in Europe. Article 8 of the European Convention on Human Rights - Wikipedia, the free encyclopedia (ECHR) provides the right to respect for a person's “private and family life, home and correspondence”, subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence. According to the Court's law, the collection of information by State officials about an individual without their consent always falls within the scope of Article 8. Thus gathering information for the official census, recording fingerprints and photographs in a police register, collecting medical data or details about personal spending, and implementing a personal identification system has been judged to be a data privacy issue. What is also included in “privacy sensitive data” under the GDPR is information such as race or ethnicity ("Race (classification of human beings)"), political opinions, religion or philosophy, and information linked to a person's sex life or sexual orientation.[12]​.

Any state interference with a person's privacy is only acceptable to the Court if it meets the three conditions:

1. • The interference is in accordance with the law.

2. • The interference has a legitimate purpose.

3. • Interference is necessary for a democratic society.

The government is not the only entity that poses a threat to data privacy. Other citizens, and especially private companies, may also engage in threatening activities, especially since automatic data processing has become widespread. The Convention on the Protection of Individuals through Automatic Processing of Personal Data was concluded at the Council of Europe in 1981. This convention obliges signatories to represent legislation on the automatic processing of personal data.

All Member States of the European Union are also signatories to the European Convention on Human Rights and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data), the European Commission is concerned that divergent data protection legislation would emerge preventing the free flow of data within the EU area. The European Commission therefore decided to propose the harmonization of data protection law within the EU. The resulting Data Protection Directive was adopted by the European Parliament. and the ministers of the national government in 1995 and had to be transposed into national law at the end of 1998.

The directive contains a series of key principles with which Member States must comply. Anyone who processes personal data must comply with the eight applicable principles of good practice.[13]​ They indicate that the data must be:.

1. • Processed fairly and legally.

2. • Processed for limited purposes.

3. • Adequate, timely and not excessive.

4. • Precise.

5. • Do not keep more than necessary.

6. • Processed in accordance with the rights of the subject.

7. • Sure.

8. • It can only be transferred in countries with adequate protection.

Personal data covers facts and opinions about the individual.[13] This also includes information about the data controller's intentions towards the individual, although in some limited circumstances exemptions may apply. With processing, the definition is much broader than before. For example, it incorporates the concepts of “obtaining”, “possession” and “revelation”[14]​.

All EU states adopted legislation in accordance with this directive or adapted their existing laws. Each country also has its own supervisors to monitor the level of protection.[15]​.

Because of this, in theory the transfer of personal information from the EU to the US is prohibited when there is no equivalent privacy protection to that in the US. American companies that would work with EU data must comply with the safe harbor framework. The basic principles of protected data are limited collection, owner consensus, accuracy, integrity, security, the subject's right to review and delete. As a result, customers of international organizations such as Amazon and eBay in the EU have the ability to review and delete information while Americans do not.

In the United States, the equivalent guiding philosophy is the Fair Information Practices Code (FTC).

The difference in language here is important: in the United States the debate is about privacy while in the European Community the debate is about data protection. The move from the privacy debate to data protection is seen by some philosophers as a mechanism to advance the practical realm without requiring agreement on fundamental questions about the nature of privacy.

France adapted its existing law “nª 78-17 of January 6, 1978 on information technology, archives and civil liberties”[16]​.

In Germany, the federal government and the states both enacted laws.[17]​.

Switzerland is not a member of the European Union (EU) or the European Economic Area (EEA), it partially implemented the EU Directive on the protection of personal data in 2006 by consenting to STE 108 agreements of the Council of Europe and a corresponding amendment to the Federal Data Protection Act. However, Swiss law imposes fewer restrictions on data processing than the Directive in several respects.[18]​.

In Switzerland, the right to privacy is guaranteed in article 13 of the Swiss Federal Constitution. The Swiss Federal Data Protection Act (DPA)[19]​ and the Swiss Federal Data Protection Ordinance (DPO) entered into force on July 1, 1993. The latest amendments to the DPA and DPO entered into force on January 1, 2008.

The DPA applies to the processing of personal data by private persons and federal government agencies. Unlike the data protection legislation of many other countries, the DPA protects personal data belonging to natural and legal persons.[20]​.

The Swiss Federal Data Protection and Information Commissioner in particular supervises the compliance of federal government agencies with the DPA, provides advice to private persons on data protection, conducts investigations and makes recommendations on data protection practices.

Some data files must be registered with the Federal Commissioner for Data and Information Protection before they are created. In the event of a transfer of personal data outside of Switzerland, special requirements must be met and, depending on the circumstances, the Federal Commissioner for Data and Information Protection must be informed before the transfer is made.[20]​.

Most Swiss cantons have enacted their own data protection laws that regulate the processing of personal data by cantonal and municipal bodies.

In the UK, the Data Protection Act 1998" (c 29)(Information Commissioner) implemented the EU Directive on the protection of personal data. It replaced the Data Protection Act 1984" (c 35). Replaces the Data Protection Act 1984(c 35). The General Data Protection Regulation 2016 replaced the previous Data Protection Acts. The Data Protection Act 2018(c 12) updated data screening laws in the United Kingdom. It is a national law that complements the European Union's General Data Protection Regulation (GDPR).

North America

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force on January 1, 2001, applicable to private entities regulated by the federal government. All other organizations are included as of January 1, 2004.[21]​[22]​ PIDEDA brings Canada into compliance with EU data protection law.

PIPEDA") specifies the rules that guide the collection, use or disclosure of personal information in recognition of the right to privacy of individuals with respect to their personal information. In addition, it specifies the rules for organizations to collect, use and disclose personal information.

PIPEDA") apply to:.

Organizations collect, use or disclose for commercial use.

Organizations and organization employees collect, use, or disclose in guidance of the operation of a federal work, enterprise, or business.

PIPEDA") DOES NOT apply to:.

Government institutions to which the Privacy Law applies.

Individuals who collect, use or disclose personal information for personal purposes and uses.

Organizations that collect, use or disclose only for journalistic, artistic or literary purposes.

As specified in PIPEDA:

“Personal information” means information about an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organization.

“Organization” means an association, a society, a person and a union.

“Federal work, undertaking or business” means any work, undertaking or business which is within the legislative authority of Parliament. Including:.

1. • A job, enterprise or business that is operated or carried out for or in connection with navigation and transportation, whether land or sea, including the operation of ships and transportation by ship in any part of Canada.

2. • A railway, canal, telegraph or other work or company that connects a province with another province or extends beyond the limits of a province.

3. • A ship line that connects one province with another province or that extends beyond the limits of a province.

4. • A raft between one province and another province or between a province and a country other than Canada.

5. • Aerodrome, aircraft or an air transport line.

6. • A broadcasting station.

7. • A bank.

8. • A work which, although entirely situated within a province, before or after its execution declared by Parliament to be for the general benefit of Canada or for the benefit of two or more provinces.

9. • A work, company or business outside the exclusive legislature of the provinces.

10. • A job, enterprise or business to which federal laws apply, within the meaning of section 2 of the Oceans Act, applies within section 20 of that Act and any regulation made under paragraph 26(1)(k) of that Act.

PIPEDA grants individuals the right to:.

1. • Understand the reasons why organizations collect, use or disclose personal information.

2. • Have organizations collect, use or disclose personal information in a reasonable and appropriate manner.

3. • Understand who is responsible for protecting the personal information of individuals in the organization.

4. • Ensure that organizations protect personal information in a reasonable and secure manner.

5. • Ensure that personal information held by organizations is accurate, complete and up-to-date.

6. • Have access to your personal information and request any correction or have the right to submit complaints to organizations.

PIPEDA requires organizations to:.

1. • Obtain consent before collecting, using and disclosing any personal information.

2. • Collect personal information in a reasonable, appropriate and legal manner.

3. • Establish personal information policies that are clear, reasonable and available to protect people's personal information.

Main article: United States Privacy Law").

Data privacy is not widely legislated or regulated in the US[23]​ . In the United States, access to private data content, such as third-party credit reports, may be sought when seeking employment or health care, or when making purchases on credit terms. Although there are partial regulations, there is no comprehensive law regulating the acquisition, storage, or use of personal data in the U.S. Generally speaking, in the U.S., anyone who has the trouble of entering the data is considered to have the right to store and use the data, even if the data was collected without permission, except to the extent they are regulated by laws and rules, such as provisions of the Federal Communications Act and the implementing rules of the Federal Communications Commission, which regulate the use of customer-owned network information" (CPNI). For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Children's Online Privacy Protection Act of 1998 (COPPA), and the Fair and Accurate Credit Transactions Act of 2003 (FACTA) are examples of U.S. federal law provisions that tend to promote the efficiency of information flow.

The Supreme Court interpreted the Constitution to grant a right to privacy to individuals in Griswol v. Connecticut "Griswold (Connecticut)"). However, very few states recognize the right to privacy of individuals, especially California. The inalienable right to privacy is enshrined in Article 1, Section 1 of the California Constitution, and the California legislature has enacted several laws designed to protect this right. The California Online Privacy Protection Act (OPPA) of 2003 requires operators of commercial websites or online services that collect personal information from California residents through a website to conspicuously post a privacy policy on the website and to comply with its policy.

The International Safe Harbor Principles were developed by the United States Department of Commerce to provide a means for American companies to demonstrate compliance with European Commission Directives and thus simplify relations between them and European companies.[24]​.

Recently, lawmakers in several states have proposed laws to change the way online companies handle user information. Among those generating significant attention are several "Do Not Track" legislations and the Right to Know Law (California's Bill AB 1291). The California Right to Know Act, if passed, would require all companies that continue to store user information to provide their users with a copy of the stored information upon request.[25] The bill faced strong opposition from trade groups such as Google, Microsoft, and Facebook, and did not. It was approved.[26]​.

On June 28, 2018, the California legislature passed AB 375, the California Consumer Privacy Act of 2018, effective January 1, 2020.[27] If the law is not amended before it goes into effect, the California Consumer Privacy Act, AB. 375 - grants California residents a series of new rights, beginning with the right to be informed about what types of personal data will be collected by the company and why it is collected.[28]​.

The Health Insurance Portability and Accountability Act (HIPPA) was enacted by the US Congress in 1996 and is also known as the Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPPA- Public Law 104-191), effective August 21, 1996. The basic idea of HIPPA is that an individual who is a subject of identifiable health information individually must have:.

• - Established procedures for the exercise of individual health information privacy rights.

• - The use and disclosure of individual health information must be authorized or required.

A difficulty with HIPPA is that there must be an authentication mechanism for the patient who requests access to their data. As a result, medical mechanisms that make it easier to obtain Social Security Number requests from patients, possibly decreasing privacy by simplifying the process of correlating health records with other records. The issue of consent is problematic under HIPPA, because medical providers simply make care contingent on agreement with privacy standards in practice.

The Fair Credit Reporting Act applies the principles of the Code of Fair Reporting Practices to credit reporting agencies. FCRA allows individuals to opt out of receiving unwanted credit offers:

• - Equifax (888) 567-8688 Equifax Options, P.O. Box 74'123 Atlanta GA 20274-0123.

• - Experian(800) 353-0809 or (888) 5OPTOUT P.O. Box 919, Allen, TX 75013.

• - TransUnion(800) 680-7293 or (888) 5OPTOUT P.O. Box 97328, Jackson MS 39238.

Because of the Fair and Accurate Credit Transactions Act, everyone can get a free annual credit report.

The Fair Credit Reporting Act has been effective in preventing the proliferation of misleading private credit directories. Before 1970, private credit directories offered detailed, if unreliable, information about easily identifiable individuals.[29] Before the Fair Credit Reporting Act, unsubstantiated lewd material could be included, and in fact, gossip was widely included in credit reports. EPIC has an FCRA page. The Consumer Data Industry Association, which represents the consumer reporting industry, also has a website with FCRA information.

The Fair Credit Reporting Act provides consumers with the ability to view, correct, respond to, and limit reporting uses of credit reports. FCRA also protects the credit agency from the charge of negligent release in case of false statement by the applicant. Credit agencies should ask the applicant the purpose of the requested information disclosure, but should make no effort to verify the veracity of the applicant's statements. In fact, courts have ruled that, “The Act clearly does not provide a remedy for the unlawful or abusive use of consumer information” (Henry v Forbes, 1976). It is widely believed that to avoid FCRA, Equifax created ChoicePoint, at which point the parent company copied all of its records to its newly created subsidiary. ChoicePoint is not a credit reporting agency and therefore the FCRA does not apply.[30]​.

The Fair Debt Collection Practices Act similarly limits the dissemination of information about a consumer's financial transactions. It prevents creditors or their agents from disclosing the fact that an individual is indebted to a third party, although it allows creditors and their agents to attempt to obtain information about a debtor's location. It limits the actions of those seeking payment of a debt. For example, debt collection agencies are prohibited from harassing or contacting people in the The Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 (which actually eliminated consumer protections, for example, in bankruptcy as a result of medical costs) limited some of these controls on debtors.

The Electronic Communications Privacy Act (ECPA) establishes criminal penalties for the interception of electronic communications. However, the legislation has been criticized for lack of impact due to loopholes.

Some of the laws, regulations and directives related to the protection of information systems are summarized below:

• - 1970 US Fair Credit Reporting Act").

• - 1970 US Racketeer Influenced and Corrupt Organizations (RICO) Act").

• - 1974 Family Educational Rights and Privacy Act (FERPA)").

• - 1974 US Privacy Act").

• - 1980 Guidelines of the Organization for Economic Cooperation and Development (OECD)").

• - 1984 US Medical Computer Crimes Act.

• - 1984 US Federal Computer Crimes Act (reinforced in 1986 and 1994).

• - 1986 US Computer Fraud and Abuse Act") (amended in 1986, 1994, 1996 and 2001).

• - 1986 US Electronic Communications Privacy Act (ECPA).

• - 1987 U.S. Computer Security Act") (repealed by the Federal Information Security Management Act of 2002")).

• - 1988 US Video Privacy Protection Act").

• - 1990 UK Computer Misuse Act").

• - 1991 US Federal Sentencing Guidelines").

• - 1992 OECD Guidelines of 1992 to serve as a comprehensive security framework.

• - 1994 Law Enforcement Communications Assistance Act").

• - 1995 Data Protection Council Directive for the European Union (EU).

• - 1996 US Economic and Private Information Protection Act").

• - 1996 Health Insurance Portability and Accountability Act (HIPAA) (requirement added December 2000).

• - 1998 US Digital Millennium Copyright Act (DMCA).

• - 1999 US Uniform Computer Information Transactions Act (UCITA)").

• - 2000 US Congressional Electronic Signatures in Global National Commerce Act ("ESIGN").

• - 2001 Uniting and strengthening America by providing appropriate tools to restrict, intercept and obstruct terrorism (USA PATRIOT).

• - 2002 Homeland Security Act (HSA)").

• - 2002 Federal Information Security Management Act of 2002").

Several U.S. federal agencies have privacy statutes that cover their collection and use of private information. These include the Census Bureau, the Internal Revenue Service, and the National Center for Educational Statistics (under the Education Sciences Reform Act). Additionally, the CIPSEA statute protects the confidentiality of data collected by federal statistical agencies.

South America

The Brazilian General Law on Protection of Personal Data (LGPD) came into force on September 18, 2020. The main objective of the law is to unify 40 different Brazilian laws that regulate the processing of personal data. The bill has 65 articles and has many similarities with the GDPR.[31]​.

The safeguarding of personal information in Mexico constitutes a right enshrined in article 16, second paragraph, of the Political Constitution of the United Mexican States. This article guarantees every person the right to the protection of their personal data, as well as access, rectification and cancellation thereof. In the Mexican sphere, the protection of personal data is regulated by different regulations depending on the corresponding sector. In the private sphere, the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) stands out, while in the public sphere, the General Law on Protection of Personal Data Held by Obligated Subjects (LGPDPPSO) establishes the relevant guidelines.

The entry into force of this last regulation led to the laws of both sectors, public and private, incorporating a series of principles that regulate the rules and obligations that govern the handling of personal data by those responsible. In addition, each federal entity of Mexico is obliged to have legislation that regulates the processing of personal data in the public sphere, in accordance with its territorial jurisdiction. In accordance with the laws mentioned above, those who handle personal data must take into consideration the guidelines and documents issued by the National Institute of Transparency, Access to Information and Protection of Personal Data (“INAI”).

[32]​.

In Argentina, the current data protection framework has been in place for more than two decades. However, in the face of technological advances and the emerging challenges of the globalized digital economy, it has become imperative to adjust existing legislation. Consequently, the Executive Branch has proposed a new Personal Data Protection Bill with the purpose of strengthening state capacities in the regulation and management of public policies in this area. Below are some of the changes proposed by the new bill:.

• Precise and expanded definitions: The project incorporates new terms and definitions linked to the processing of personal data, such as consent, international data transfer, genetic and biometric data, among others.

• Extended territorial scope: Similar to the General Data Protection Regulation (GDPR), the project extends to organizations outside Argentina that provide goods or services to people in Argentina or monitor their behavior.

• Updated principles: The project introduces new principles for data processing, such as limiting data use and proactive and demonstrated responsibility.

• Expanded legal basis: Unlike the current Personal Data Protection Law (LPDP), which is based exclusively on consent as the legal basis for the processing of personal data, the Bill allows other legal bases, such as legitimate interest.

• Protection of sensitive data: The project establishes additional legal bases for the processing of sensitive personal data and defines criteria for enhanced responsibility in its processing.

• Protection of children's data: Special protection is contemplated for children's personal data and specific rules are established to safeguard their information when it is processed in society services.

[33]​.