
What You Need to Know About the New Data Protection Laws


Data protection laws are rules and regulations that aim to protect the privacy and security of personal data collected, processed, and stored by various entities, such as websites, apps, companies, and governments. Personal data can include your name, email, phone number, location, health records, financial information, and more.

Different countries and regions have different data protection laws, but some of the most influential and comprehensive ones are:

  1. The General Data Protection Regulation (GDPR)
  2. The California Consumer Privacy Act (CCPA)
  3. The Brazilian General Data Protection Law (LGPD)
  4. The Personal Information Protection and Electronic Documents Act (PIPEDA)
  5. The Protection of Personal Information Act (POPIA)
  6. The Data Protection Act 2018 (DPA)

1. The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) applies to the European Union (EU) and the European Economic Area (EEA), as well as to any organization that offers goods or services to, or monitors the behavior of, EU data subjects. The GDPR came into effect on May 25, 2018, and grants data subjects the right to access, rectify, erase, restrict, port, and object to the processing of their personal data, as well as the right to be informed and to withdraw consent. The GDPR also requires data controllers and processors to implement appropriate technical and organizational measures to ensure data protection, and to appoint a data protection officer (DPO) in some cases. The GDPR imposes strict penalties for non-compliance, which can reach up to 20 million euros or 4% of the annual global turnover, whichever is higher.

2. The California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) applies to California residents and to any business that collects, sells, or shares their personal information and meets certain criteria, such as having annual gross revenues of over $25 million, or buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices. The CCPA came into effect on January 1, 2020, and grants consumers the right to know, access, delete, and opt out of the sale of their personal information, as well as the right to non-discrimination. The CCPA also requires businesses to provide notice, transparency, and accountability regarding their data practices, and to implement reasonable security measures to protect personal information. The CCPA allows consumers to sue businesses for data breaches, and authorizes the California Attorney General to enforce the law and impose civil penalties of up to $7,500 per violation.

3. The Brazilian General Data Protection Law (LGPD)

The Brazilian General Data Protection Law (LGPD) applies to Brazil and to any organization that processes personal data of individuals located in Brazil, regardless of where the organization is based. The LGPD came into effect on September 18, 2020, and grants data subjects the right to access, correct, delete, anonymize, block, or transfer their personal data, as well as the right to be informed, to give consent, and to revoke consent. The LGPD also requires data controllers and processors to comply with the principles of purpose, adequacy, necessity, transparency, security, prevention, non-discrimination, and accountability, and to appoint a DPO in some cases. The LGPD establishes the National Data Protection Authority (ANPD) as the supervisory body, and sets forth administrative sanctions for non-compliance, which can range from warnings to fines of up to 2% of the annual revenue in Brazil, limited to 50 million reais per violation.

4. The Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to Canada and to any organization that collects, uses, or discloses personal information in the course of commercial activities in Canada, or transfers personal information across provincial or national borders. The PIPEDA came into effect on January 1, 2004, and grants individuals the right to access, correct, and challenge the accuracy of their personal information, as well as the right to give consent and to withdraw consent. The PIPEDA also requires organizations to comply with the principles of accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance, and to designate a privacy officer in some cases. The PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC), and sets forth administrative and civil remedies for non-compliance, which can range from recommendations to damages of up to $100,000.

5. The Protection of Personal Information Act (POPIA)

The Protection of Personal Information Act (POPIA) applies to South Africa and to any organization that processes personal information of individuals in South Africa, regardless of where the organization is based. The POPIA came into effect on July 1, 2020, and grants individuals the right to access, correct, delete, and object to the processing of their personal information, as well as the right to data portability and to lodge a complaint. The POPIA also requires organizations to comply with the principles of accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation, and to appoint an information officer in some cases. The POPIA establishes the Information Regulator as the supervisory body, and sets forth administrative and criminal sanctions for non-compliance, which can range from fines to imprisonment.

6. The Data Protection Act 2018 (DPA)

The Data Protection Act 2018 (DPA) applies to the United Kingdom and to any organization that processes personal data of individuals in the United Kingdom, regardless of where the organization is based. The DPA came into effect on May 25, 2018, and grants individuals the right to access, rectify, erase, restrict, port, and object to the processing of their personal data, as well as the right to be informed and to withdraw consent. The DPA also requires organizations to comply with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability, and to appoint a data protection officer (DPO) in some cases. The DPA incorporates the EU General Data Protection Regulation (GDPR) and the EU Data Protection Law Enforcement Directive, and sets forth additional rules for specific sectors and situations, such as national security, immigration, journalism, and research. The DPA is enforced by the Information Commissioner’s Office (ICO), and imposes strict penalties for non-compliance, which can reach up to £17.5 million or 4% of the annual global turnover, whichever is higher.

These are some of the most important data protection laws that you need to know about in 2024, but there are many others that may apply to you depending on where you live, work, or visit. I hope this helps you learn more about data protection laws and why they matter.
