General Data Protection Regulation (GDPR)
Primary jurisdiction: European Union
Data covered: Any data that could potentially identify an E.U. citizen
Website: https://gdpr-info.eu/
Notes: GDPR is one of the most stringent data protection regimes in the world. Companies must allow users to opt out of data collection, and they can only capture PII for essential business purposes. Organizations face severe restrictions on transporting PII out of Europe, even when using a third-party service. The E.U. has successfully fined a number of American firms for GDPR breaches, including Google [5].
Bundesdatenschutzgesetz (BDSG)
Primary jurisdiction: Germany
Data covered: Any data that could potentially identify a German citizen
Website: https://www.gesetze-im-internet.de/englisch_bdsg/index.html
Notes: E.U. member states can introduce their own laws to supplement GDPR. Germany is the only state to have done so to date, with the BDSG law that imposes stricter controls and steeper fines. German citizens can claim for non-monetary damages such as stress and suffering under BDSG.
Health Insurance Portability and Accountability Act (HIPAA)
Primary jurisdiction: United States
Data covered: Protected Health Information of Americans
Website: https://www.hhs.gov/hipaa/
Notes: HIPAA refers specifically to health information about an individual, which includes medical records and biometric information. Under HIPAA, data handlers must ensure confidentiality, integrity and availability of all relevant information. They must also take steps to prevent breaches and unauthorized access.
California Consumer Privacy Act (CCPA)
Primary jurisdiction: California
Data covered: Personally Identifiable Information (PII) of Californian consumers
Website: https://oag.ca.gov/privacy/ccpa
Notes: CCPA grants consumers more power over their PII, including the right to know what’s on file, the right to request deletion and the right to opt out of the sale of PII. In the event of a compliance breach, consumers can directly sue the company. This law is currently unique in the U.S., but it is the template for forthcoming legislation in other states [6].
Australian Privacy Act of 1988
Primary jurisdiction: Australia
Data covered: PII of Australian citizens
Website: https://www.ag.gov.au/rights-and-protections/privacy
Notes: Australia amended its 1988 Privacy Act in 2017 to cover digital communications. The act takes a principles-based approach to compliance, so companies have some freedom as long as they follow the spirit of the principles. Since 2018, companies have been obliged under the Privacy Act to notify Australian authorities of data breaches that may cause harm to an individual.
Lei Geral de Proteção de Dados (LGPD)
Primary jurisdiction: Brazil
Data covered: Any data that could potentially identify a Brazilian citizen
Website: http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm
Notes: Brazil’s LGPD is one of the first international laws to model itself on the E.U.’s GDPR. As with European law, the LGPD covers a wide range of personal information and has an extra-territorial effect on foreign companies. However, LGPD is generally less punitive in terms of fines and enforcement.