Data Protection Laws of the World

Data Privacy: The Current Legal Landscape

This publication attempts to cover the ongoing evolution of the legal landscape for data-based products, so that organizations can continue to succeed in their development of data-based products.

Download the report

Data Protection 2017

Data Protection covers relevant legislation and competent authorities, key principles, individual rights, registration formalities and prior approval, appointment of a data protection officer, marketing and cookies – in 35 jurisdictions.

Covers Law in 36 Jurisdictions & 1 General Chapter
Published: 15/05/2017

Download the Report

A Structured Approach to GDPR Compliance and Accountability: Getting Started Manual for GDPR

The accountability principle in Article 5(2) of the GDPR requires organisations to demonstrate compliance with the principles of the GDPR. Article 24 sets out how organisations can do this by requiring the implementation of appropriate technical and organisational measures to ensure that organisations can demonstrate the processing of personal data is performed in accordance with the GDPR. What appropriate means is largely dependent on the specifics of the individual company. There is no silver bullet. What works for one company does not necessarily work for another, but the obligation to demonstrate compliance exists in all instances and a structured approach to GDPR compliance works for all organisations.

Expectations from regulators have shown the obligation to demonstrate compliance is more than a one-off inventory or snapshot of your operations at a certain moment in time. It is not a tick-box exercise or a one-time gap analysis. Demonstrating compliance requires ongoing awareness and understanding of your personal data processing operations and embedding privacy management throughout your organisation.

This Manual leverages a culmination of these experiences and is adapted to address GDPR compliance. This manual also integrates the Nymity GDPR Accountability Handbook.

The manual supports a structured approach to privacy management ensuring you:

  • do not have to be a privacy expert
  • quickly gain privacy management expertise
  • can identify and leverage your organisation’s existing privacy management program
  • scale your privacy management program based on resources available
  • focus on the highest risk areas
  • communicate and report effectively on the status of ongoing GDPR compliance

Prepare to Comply: A General Data Protection Regulation (GDPR) Guidebook

Data security law continues to evolve. Enactment of the General Data Protection Regulation (GDPR), which takes effect May 25, 2018, will impose formal, new data security requirements on organizations with business operations in the European Union or handling data of EU citizens. Organizations should be especially aware that the GDPR and other recent legal developments amplify the negative repercussions of a data security breach, meaning organizations have increased incentives to improve their security as well as assessment and reporting capabilities. This whitepaper provides recommendations and a checklist for technical compliance and for avoiding a painful data security breach.

Download this whitepaper that provides education on:

  • What, exactly, the GDPR is and which sections are specifically applicable to information security technology;
  • The ramifications of implementing the GDPR in Europe and beyond;
  • How to compile a track record for compliance.

Download Whitepaper

Source: A SANS Whitepaper written by Benjamin Wright, Attorney, February 2017. Sponsored by Skybox Security.

Hunton Privacy Team Publishes Several Chapters in International Comparative Legal Guide to Data Protection

Recently, the fourth edition of the book, The International Comparative Legal Guide to: Data Protection 2017, was published by the Global Legal Group. Hunton & Williams.

The guide provides corporate counsel and international practitioners with a comprehensive worldwide legal analysis of the laws and regulations relating to data protection. Aaron Simpson, managing partner of the firm’s London office, and Anita Bapat, senior associate in London, served as the contributing editors of the guide.

View the relevant chapters.

DLA Piper Data Protection Laws of the World

More than ever it is crucial that organizations manage and safeguard personal information and address their risks and legal responsibilities in relation to processing personal data, to ensure consistency with the growing thicket of applicable data protection legislation.

A well-constructed and comprehensive compliance program can solve these competing interests and is an important risk-management tool.

This handbook sets out an overview of the key privacy and data protection laws and regulations across 72 different jurisdictions, and offers a primer to businesses as they consider this complex area of compliance.

DLA Piper’s global data protection and privacy team has the deep experience and international reach to help global businesses develop and implement achievable compliance solutions to the myriad data protection laws that apply to global businesses.
Should you require further guidance, please do not hesitate to contact us at

Go to the Handbook

2016 Global Data Protection Enforcement Report

Nearly every company in the world is struggling to effectively manage the broad range of legal and operational risks associated with data. Data is everywhere, and everyone is working to avoid wrongful disclosures, theft of informational assets, and the losses related to the costly legal fallout. This is the result, in large part, of the heightened regulatory scrutiny and marketplace expectations facing multinationals linked electronically across country borders, and increasingly dependent on service providers for their core business functions.

Against this backdrop, Baker & McKenzie’s Global Data Protection Enforcement Report provides legal and compliance risk managers an understanding of the data enforcement laws in place around the world with the hopes of better equipping them to make informed decisions about how to manage risks associated with data.

Read full report

Privacy and Data Protection in Latin America

Latin America is a region comprising a multiplicity of languages and cultures, and it is as diverse in its privacy regimes as it is in its geographies. Given the absence of any omnibus regional law or EU-like set of directives, companies must assess their business models and data monetization strategies in the context of each country’s framework. This report provides an overview of some of the key privacy themes and differences across the region for enterprises considering their involvement in these developing markets.

It is important for companies to be aware of the data privacy quirks that exist in Latin America, but that are not widespread elsewhere, such as Costa Rica’s “super user” database access for the government, the “right to be forgotten” in Nicaragua, and Mexico’s detailed privacy notice rules, but lack of a registration requirement.

In light of Chile, Mexico and Peru becoming APEC members, global commerce and trade, and international adequacy/interoperability opportunities, more Latin American governments are likely to consider modernizing their data privacy laws. Businesses that operate in the region must have an exemplary grasp not just of the local rules, but also of their global data flows.

Read Truste’s Client Advisory Note July 2016

The EU US Privacy Shield: A How-To Guide

EU data protection law generally prohibits the transfer of personal data outside of the EU unless the transfer (1) is to a jurisdiction that is deemed by the EC to provide an “adequate” level of protection for EU personal data, (2) falls within one of the few exceptions, or (3) is made in accordance with one of a small number of legal data transfer mechanisms. There are few “adequate” jurisdictions globally and the U.S. is not one of them. The exceptions, which include consent of the relevant individual, are ill-suited to routine and systematic business transfers. With respect to legal mechanisms for transferring EU personal data, the Privacy Shield is one of the few methods available, along with standard contractual clauses and binding corporate rules, by which personal data can be legally transferred from the EU to the U.S. Unlike standard contractual clauses and binding corporate rules, the Privacy Shield is available only to companies in the U.S. and applies only to data transfers from the EU to the U.S.

Read Hunton’s How-To Guide

Future-Proofing Privacy: A guide to preparing for the EU Data Protection Regulation

The Regulation will have a significant impact on service providers/vendors (i.e. data “processors”) and organisations that engage them because:

  • The Regulation imposes a number of detailed obligations and restrictions directly on processors, unlike the current Directive that only applies to data controllers
  • A processor will be fully liable for the actions of any sub-processor that it uses to provide its services and will be required to flow down its obligations under the Regulation to the sub-processor
  • There are significant penalties which can be imposed on processors for failure to comply with their increased responsibilities and individuals have enhanced rights to seek compensation directly from service providers
  • The new law is much more prescriptive about the contractual arrangements that must be in place between controllers and processors than under the current Directive
  • The processor is established in the EU (even if the actual processing takes place outside the EU)
  • Where the processor offers goods or services or monitors the behaviour of EU-based individuals (even if the processor is not established in the EU). In such circumstances the non-EU based processor must designate an EU representative, unless the data processing is occasional, does not involve sensitive data processing or is not high risk to the individual
  • If an organisation is established in the EU, whether as a controller or processor, the Regulation will definitely apply.
  • Non-EU controllers or processors that offer goods or services to, or monitor the behaviour of individuals who are in the EU will also be caught by the Regulation.
  • For the law to apply there is no longer a focus on the use of equipment located on the territory of an EU Member State; instead, the focus is on the targeting of individuals in the EU.

Read Hogan Lovells’ full guide

International Privacy Law Library

The International Privacy Law Library aims to make searchable from one location all of the databases specialising in Privacy law available on any of the Legal Information Institutes (LIIs) that are part of WorldLII.

The databases include:
– Case Law
– Law Journals, Commentary and Resources
– Law Reform Publications
– Legislation
– Treaties and International Agreements

Read More

Privacy and Data Protection Laws of Bali Process Member States

The public policy benefits of exchanging personal information must be balanced against the individual’s right to privacy. The significance of this balancing exercise is reflected in the Regional Cooperation Framework of the Bali Process. Under the Regional Cooperation Framework, member States are encouraged to enter into practical arrangements to “support and promote increased information exchange, while respecting confidentiality and upholding the privacy of affected persons.” Member States are encouraged to not only consider the privacy protections available within their own jurisdiction, but also consider the level of privacy protection available within the laws of partnering jurisdictions if they are to cooperate with each other through exchanging personal information.

This framework may assist member States in developing information exchange frameworks and arrangements which include privacy safeguards that are consistent with international privacy standards and principles and with domestic laws. This research can also be useful for any context in which information is exchanged between governments, assisting both member States and individuals in understanding how personal information is and can be protected, both domestically and during cross-border transfers of personal information. It may act as a useful guide for understanding the overall landscape of privacy protection in the Asia-Pacific region, and in particular which privacy laws apply to government agencies. It highlights the key emerging trends that can assist States in developing their own laws that are harmonized and consistent with regional and international standards.

Read full report

Overview of the EU General Data Protection Regulation

The EU’s legislative bodies have reached a political agreement on an updated and more harmonised data protection law (the “Regulation”). The Regulation will significantly change EU data protection law, strengthening individuals’ rights, expanding the territorial scope, increasing compliance obligations and expanding regulator enforcement powers. The formal adoption is expected in Spring 2016, with the Regulation applying from Spring 2018. Organisations will have two years to implement changes to their data protection compliance programmes, business processes, and IT infrastructure to reflect the Regulation’s new requirements.

Download the Overview

Privacy Laws Around the World

Links to privacy laws in Europe (EU and National Law), United States (Federal and state laws), Canada (Federal and Province laws), South America, Asia, Australia and Africa.

Read overview

Bloomberg Law’s Privacy Laws Around the World

Download Privacy Laws Around the World to access common and disparate elements of the privacy laws from 61 countries. Crafted by Cynthia Rich of Morrison & Foerster LLP, the report includes expert analysis on privacy laws in Europe and Eurasia (non-EEA); East, Central and South Asia and the Pacific; the Western Hemisphere (Latin America, Caribbean and Canada); as well as Africa and the Near East.


The report contains:

  • Side-by-side charts comparing four key compliance areas including registration requirements, cross-border data transfer limitations, data breach notification requirements and data protection officer requirements
  • A country-by-country review of the special characteristics of framework privacy laws
  • An overview of privacy legislation in development around the world

Click here to Download Your Copy