Worldwide Privacy Law Courses + Whiteboards
We are pleased to announce the Worldwide Privacy Law Project — a series of courses and whiteboards about countries around the world, all written and designed by Professor Daniel J. Solove.
Each whiteboard is a 1-page visual summary of a country’s main privacy law (or laws). For many countries, Professor Solove is also developing short courses of about 15-20 minutes each. Courses and whiteboards will be available for licensing for personal and organizational use. Some whiteboards are provided for free for personal use at particular times. Scroll down below to learn about each country and see which whiteboards are available. Please keep checking back as this project grows and develops. More whiteboards will be made available for download soon.
Argentina’s comprehensive privacy law is Law 25,326, the Personal Data Protection Law (PDPL) of 2000. The PDPL has an extraterritorial scope, provides heightened protection to sensitive data, and requires an adequate level of data protection for data transfers outside of Argentina. The PDPL contains many similar rights as the GDPR, with robust notice, access, and deletion rights (in the habeas data tradition), but it lacks a right to data portability. Generally, consent is required to process personal data, subject to a few exceptions. The PDPL has a registration requirement but doesn’t require data protection officers. The PDPL lacks a breach notification requirement. Fines for violations are rather low, mainly due to a drop in the value of the Argentine peso. Argentina was the first country in Latin America to be designated by the EU as providing an adequate level of data protection.
Brazil passed its comprehensive privacy law in 2018 – the Lei Geral de Proteção de Dados Pessoais (LGPD). Based on the GDPR, the LGPD has an extraterritorial scope, provides heightened protection to sensitive data, and requires an adequate level of data protection for data transfers outside of Brazil. The LGPD contains many similar rights as the GDPR. Consent must be free, informed, and unambiguous. The LGPD has 10 legal bases to process personal data (the GDPR has 6). The LGPD requires data protection officers and data protection impact assessments, and it has a breach notification requirement. Fines for violations are steep.
Colombia enacted Statutory Law 1581, the General Data Protection Law, in 2012. The law applies to entities established in Colombia, but the Data Protection Authority has begun making inquiries of entities outside of Colombia. The law provides heightened protection to sensitive data and requires an adequate level of data protection for cross-border data transfers. Generally, consent is required to process personal data, subject to a few exceptions. Inaction isn’t recognized as valid consent. The law provides for similar rights as the GDPR, but it lacks a right to data portability. Data protection officers are required (by Decree 1377). There is a database registration requirement and a breach notification requirement. Fines for violations are significant, and the law is actively enforced, though enforcement generally is more preventative than punitive.
Costa Rica enacted Law 8968, Protection of Individuals Against the Processing of Personal Data in 2011. The law applies to entities established in Costa Rica and doesn’t have extraterritorial reach. The law provides heightened protection to sensitive data. Cross-border transfers require an adequate level of data protection, data subject consent, and an agreement filed with Costa Rica’s data protection authority, PRODHAB. Express consent is required to process personal data, and the law is one of the most restrictive, with only three exceptions where data can be processed without consent. The law provides for similar rights as the GDPR, but it lacks a right to data portability. The law lacks a data protection officer requirement. Databases must be registered, and PRODHAB is given “super user access” to databases. There is a breach notification requirement. Fines for violations are low to moderate.
Mexico’s Federal Law on Protection of Personal Data Held by Private Parties went into effect in 2010. Akin to many US privacy laws, the Federal Law relies on providing privacy notices and assuming that data subjects consent if they don’t opt out. The law is not extraterritorial for controllers, but the law applies to processors outside Mexico that process data for controllers in Mexico. Implied consent is sufficient for most uses and types of data, but the law requires express consent for financial data and written express consent for sensitive data. The law provides for rights of access, rectification, cancellation, and opposition (the “ARCO rights”). A data protection officer must be designated. Affected individuals must be notified of data breaches, but there is no requirement to notify the data protection authority – the INAI. The law doesn’t have an adequacy requirement for cross-border data transfers. Fines for violations are quite steep.
In August 2021, China passed its first comprehensive privacy law, the Personal Information Protection Law (PIPL). The law has many similarities to the GDPR. The PIPL is extraterritorial. The law provides for a robust set of data subject rights. A lawful basis is required to process personal data, and unlike the GDPR, the PIPL does not recognize legitimate purpose as a lawful basis. The PIPL has strict data localization requirements. It is enforced by different regulators. Fines are significant.
Hong Kong has one of Asia’s longest standing general data privacy laws. In 1995, Hong Kong enacted the Personal Data (Privacy) Ordinance (PDPO). The PDPO applies to foreign organizations only when they have an office or operations in Hong Kong; it doesn’t have extraterritorial reach. Although the law doesn’t include a category of sensitive data, the Commissioner has released Codes of Practice with heightened protections for a few types of data. Processing personal data doesn’t require a lawful basis as in the GDPR; instead, data subjects must be notified of the purposes of the processing. This is closer to the US approach than the GDPR. The PDPO doesn’t have restrictions on cross-border transfers, but the Commissioner has released guidance about such transfers. Privacy officers aren’t required. There is no data breach notification requirement. Most fines are on the low side, but some can be steep. There can also be significant prison terms for certain violations.
In July 2023 the Parliament of India passed the Digital Personal Data Protection Act, or DPDPA for short. The Act took a long time to enact and went through many years of discussions and drafts. The journey to the DPDPA began in 2017, when the Supreme Court of India decided the landmark case of K.S. Puttaswamy v. Union of India. The Supreme Court held that the right to privacy was a fundamental right under the Constitution as an intrinsic part of the right to life and personal liberty. This decision created a need for legislation on the issue of data privacy. Various bills were introduced to Parliament, but none were enacted until the DPDPA of 2023.
Indonesia’s Personal Data Protection Bill (PDPB) is on the cusp of being enacted. The PDPB is extraterritorial, protects sensitive data, and provides a robust set of individual rights. As a general rule, personal data must be processed with consent, but there are exceptions that generally follow the legal bases of the GDPR. The PDPB restricts cross-border data transfers to recipients in countries with an adequate level of protection. There is a data breach notification requirement (72 hours). The PDPB has significant fines and criminal penalties.
Japan’s Act on the Protection of Personal Information (APPI) came into force in 2005. In January 2019, the EU and Japan announced that they were mutually recognizing each other’s privacy protection system as adequate. The APPI is extraterritorial. The law has a rather complicated definition of personal data, with three categories: personal information, personal data, and retained personal data. Principal rights attach to retained personal data. The law has heightened protections for “special-care-required personal information.” Processing PI doesn’t require a lawful basis as in the GDPR; instead, there must be a notice of privacy practices. Express consent is only required when processing special-care PI, processing for purposes beyond those originally stated, or sharing PI with third parties. Cross-border transfers require an adequate level of data protection or systems established by the recipient to ensure an adequate level. There is a breach notification requirement. Fines can only be issued after an enforcement order has been issued and violated, and fines are on the low side.
Kazakhstan’s Law on Personal Data and their Protection was passed in 2012. The law generally requires consent to process personal data, but there are several exceptions where data can be processed without consent. The law lacks heightened protection for sensitive data or a data breach notification requirement. There is a robust set of individual rights. Amendments in 2020 added a right to be forgotten as well as a data protection officer requirement. Kazakhstan’s law is likely not extraterritorial, though it is unclear on this point. The law restricts cross-border data transfers to recipients in countries with an adequate level of data protection. Although the 2012 law didn’t establish a data protection authority, the 2020 amendments created an enforcement body. There are fines for violations, though they are quite low. The law has criminal penalties with significant jail time.
Malaysia was one of the first countries in Southeast Asia to introduce a data privacy law when it enacted the Personal Data Protection Act (PDPA) of 2010. Influenced by the UK Data Protection Act of 1998, the PDPA was updated in 2016. The PDPA requires a lawful basis to process personal data, and the permitted bases are similar to those of the GDPR, except for the omission of legitimate interest. The law protects sensitive data and provides for many rights, though it lacks rights to data portability and erasure. There is no breach notification requirement. The law restricts cross-border data transfers to recipients in countries with an adequate level of data protection. The law has moderate to significant fines, as well as criminal penalties.
The Philippines enacted its comprehensive privacy law, the Data Privacy Act (DPA) in 2012. Like the GDPR, the DPA is extraterritorial. The law provides heightened protection for sensitive information, as well as privileged information, which is any information deemed to be privileged by the judiciary or legislature. The DPA requires a lawful basis to process personal data, and it recognizes similar lawful bases as the GDPR. The DPA provides for a robust set of rights, and it requires organizations to have a data privacy officer. The DPA has a registration requirement along with a requirement to conduct data protection impact assessments. There is a breach notification requirement (72 hours) and an adequacy requirement for cross-border data transfers. There are moderate fines for violations and potential imprisonment.
Singapore’s Personal Data Protection Act (PDPA) was enacted in 2012 and significantly updated in 2020. The law is extraterritorial. Although the PDPA lacks a set of special protections for sensitive data, the Personal Data Protection Commission (which enforces the law) will enforce more stringently for certain forms of data. As a general rule, personal data must be processed with consent, but there are exceptions that generally follow the legal bases of the GDPR. In contrast to the GDPR, the PDPA recognizes a form of implied consent called “deemed consent” when individuals provide their data to an organization. The law provides for nine general obligations for personal data processing as well as a robust set of individual rights. The PDPA requires data protection officers, training, policies and procedures, and other things. There is a breach notification requirement (72 hours) and an adequacy requirement for cross-border data transfers. Fines for violations can be hefty – up to 10% of annual turnover in Singapore.
South Korea enacted the Personal Information Protection Act (PIPA) in 2011. The PIPA is extraterritorial. The law protects sensitive data and requires a lawful basis in order to process all forms of personal data. These lawful bases are quite similar to those of the GDPR. The PIPA requires a data protection officer and provides for a robust set of individual rights. Data breaches must be reported without delay, and cross-border data transfers require an adequate level of protection. Fines can be steep, and the law is actively enforced. The law also provides for a special mediation committee to resolve disputes.
In 2019, Thailand enacted the Personal Data Protection Act (PDPA). The law is extraterritorial. The PDPA has heightened protections for certain types of data, but it doesn’t call them “sensitive data” or use another term. As a general rule, personal data must be processed with consent, but there are exceptions that have some similarities to the legal bases of the GDPR. The PDPA requires data protection officers in a number of circumstances, and it imposes many obligations for the processing of data, including a general rule (subject to some exceptions) that personal data must be collected directly from the data subjects rather than other sources. The PDPA provides for a robust set of individual rights and requires breach notification (72 hours). Cross-border data transfers require an adequate level of protection. Fines can be moderate to severe, and there is potential imprisonment for certain violations.
Uzbekistan enacted its Law on Personal Data in 2019. The law is unclear on whether it is extraterritorial. The Law on Personal Data provides heightened protection of special personal data, which is a category akin to sensitive data under the GDPR. The law requires a lawful basis for the processing of personal data, and it recognizes a few more lawful bases than the GDPR (such as publicly available data). The law provides for a number of individual rights and requires data protection officers. There is a registration requirement. The law lacks a breach notification requirement. Cross-border data transfers require an adequate level of protection. The law is enforced by the State Center for Personalization. Fines are quite low, but there are significant prison terms.
Vietnam lacks a comprehensive privacy law. Relevant laws include the Law on Protection of Consumers’ Rights, which applies to any organizations or individuals trading goods and services, and the Law on Cybersecurity, which applies to any organization providing services on telecom networks or the Internet. Many of these laws are extraterritorial. The general rule is that notice to, and the consent of, a personal information owner are required in order for a personal information controller to collect and use personal information in Vietnam. There is no specific requirement for the form of consent, nor is the law clear about whether consent must be explicit or may be implied from inaction. As a whole, Vietnamese laws provide for a number of individual rights. There are no restrictions on cross-border data transfers except for a data localization requirement for telecom and Internet service providers. A draft Decree on Personal Data Protection requires data protection officers, but it isn’t in force yet. Enforcement is carried out by different agencies, and fines are generally low. There are some significant prison terms.
Georgia’s Personal Data Protection Law (PDPL) was enacted in 2012. Unlike the GDPR, the PDPL isn’t extraterritorial. The law provides heightened protection of a large number of types of sensitive data, including many types of data not deemed to be sensitive under the GDPR (such as several types of data involved with the criminal justice system). The PDPL requires a lawful basis to process personal data. The law provides for a robust set of individual rights. There is no data protection officer requirement or a breach notification requirement. Cross-border data transfers require an adequate level of protection. Fines for violations are low, but the Personal Data Protection Inspector is an active enforcer.
Montenegro’s Personal Data Protection Law (PDPL) was enacted in 2012 and amended in 2017. It is based on the EU Data Protection Directive. The law is extraterritorial and protects categories of sensitive data akin to the GDPR (but also including criminal conviction data). There must be a lawful basis to process personal data, and the PDPL requires similar lawful bases as the GDPR. Data subjects have similar rights as in the GDPR with the exception of the right to data portability. The law has a data protection officer requirement but lacks a breach notification requirement. An adequate level of data protection is required for cross-border data transfers. Fines for violations are much lower than those of the GDPR.
The Russian Federation enacted the Federal Law on Personal Data in 2006 and amended it in 2015. The law doesn’t explicitly state whether it is extraterritorial, but it applies when organizations outside of Russia are actively soliciting business in Russia or directing services to Russian citizens. For special categories of personal data (akin to sensitive data under the GDPR), written consent is required for processing. The Federal Law requires a lawful basis to process personal data, but it recognizes 11 lawful bases rather than the 6 under the GDPR. The law provides for a robust set of individual rights and requires a data protection officer. There is a breach notification requirement, and adequacy is required for cross-border data transfers. A separate Data Localization Law requires operators that purposefully collect personal data of Russian citizens to process and store that data in Russia. The Roskomnadzor enforces the Federal Law. Fines are on the low side, except that there are steep fines for violating the Data Localization Law.
Turkey’s Law on the Protection of Personal Data (LPPD) was enacted in 2016. The law is extraterritorial. It provides heightened protection of sensitive data, but it includes types of sensitive data not included in the GDPR (criminal convictions) as well as types rarely included in any other law (clothing). The law has 8 lawful bases to process personal data (the GDPR has 6), a major difference being the inclusion of publicly available data. The law provides for a robust set of individual rights. The LPPD has a breach notification requirement (72 hours) but unlike the GDPR, lacks a data protection officer requirement. Cross-border data transfer requires an adequate level of data protection. The law is enforced by the Personal Data Protection Authority (called the KVKK). Fines are moderate, and much less than those of the GDPR.
In 2012, Ghana enacted the Data Protection Act (DPA), one of the earliest comprehensive privacy laws in Africa. The law is extraterritorial. The DPA provides heightened protection of special personal data (a category akin to sensitive data under the GDPR). Processing personal data under the DPA requires a lawful basis, and the recognized bases are very similar to those of the GDPR. A unique part of the DPA is that controllers or processors must comply with data protection legislation of the country of foreign data subjects. The DPA provides for a robust set of individual rights. The law has a breach notification requirement, but it lacks adequacy restrictions on cross-border data transfers. Fines for violations are on the lower side, but the DPA carries one of the longest potential prison terms – 10 years!
Israel enacted its Privacy Protection Law (PPL) in 1981. The 2017 Protection of Privacy Regulations (Security Regulations) significantly expanded the protection of privacy and security in Israel. Since 2011, Israel has been recognized by the European Commission as providing an adequate level of protection of personal data. The PPL is unclear about whether it has extraterritorial jurisdiction, but Israel’s Privacy Protection Authority interprets the law to apply to organizations outside of Israel. The PPL provides heightened protections to sensitive data. As a general rule, the PPL requires consent to process data, but there are exceptions. The law provides for several individual rights. The PPL requires database registration. There is a breach notification requirement (72 hours) and an adequacy requirement for cross-border data transfers. Fines are quite low, but there is a robust private right of action.
Privacy is part of the South African Bill of Rights of 1996. South Africa began drafting its comprehensive data privacy law in 2003, and the law eventually passed in 2013. The law is called the Protection of Personal Information Act (POPIA). The POPIA only has a limited extraterritorial reach – it applies to entities that are located outside of South Africa that use a means of information processing within South Africa. The POPIA provides more stringent protections to special personal information, which is a category akin to sensitive data under the GDPR. The law requires lawful bases in order to process personal data. The POPIA provides for a robust set of individual rights, and it requires information officers (akin to data protection officers). There is a breach notification requirement (as soon as reasonably possible) and conditions for the cross-border transfer of data. Enforcement begins with an enforcement notice, which requires violators to bring themselves into compliance. Failure to follow the notice can result in steep fines.
Australia’s Privacy Act was an early privacy law, passed in 1988. It was expanded to cover the private sector in 2000 and updated extensively in 2014 and 2020. The Privacy Act is extraterritorial. The Privacy Act exempts small businesses with less than $3 million of annual worldwide turnover. The GDPR doesn’t have this size threshold. The Act protects sensitive information. At the core of the Privacy Act are 13 principles, called the Australian Privacy Principles (APPs). The principles provide a robust regulatory framework for personal data. The Act also provides for a robust set of individual rights. On the weaker side, however, the law recognizes implied consent, where failing to opt out from a privacy notice can be deemed as valid consent, an approach similar to that of many US privacy laws. Explicit consent is required for sensitive data. DPOs are recommended but not required. There is a breach notification requirement. The Privacy Act lacks a requirement of adequacy for cross-border data transfer, but reasonable steps must be taken to ensure that recipients of data follow the APPs. Enforcement penalties can be substantial – up to 10% of annual turnover or three times the value of any benefit obtained through the violation.
New Zealand enacted its comprehensive privacy law, the Privacy Act, in 1993. Similar to the Australian Privacy Act 1988, New Zealand’s Act contains a set of Information Privacy Principles (IPPs). In 2020, New Zealand passed an updated law, the Privacy Act 2020, which expands upon and strengthens the protections of the 1993 Act. The Act is extraterritorial. It doesn’t recognize categories of sensitive data, but various types of personal data are regulated by separate laws. The main justification to process personal information is whether there is a legitimate business purpose, and there are many exceptions under which an agency (a data controller) can use the collected data for a secondary purpose. The 13 IPPs provide for robust protection of personal data, though the law only provides for a few individual rights. The Act requires DPOs and has a breach notification requirement. There is an adequacy requirement for cross-border data transfers. Enforcement fines are on the low side, but individuals can bring actions for damages.
Please Contact Us to Evaluate this Program or Others
We can provide you with a login so you can evaluate the programs.
About TeachPrivacy and Our Training Philosophy
TeachPrivacy was founded by Professor Daniel J. Solove, the leading expert on privacy and data security law. He is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.
According to Professor Solove: “Great training isn’t about slickness or tricks. It is about teaching. The goal is to make people understand, care, and remember. Great training is made with genuine passion – to make people love training, it must be made with love. Excellent substance is essential. The material must be explained clearly, understandably, and concretely. The content must be short and to the point – and it must be engaging. Slickness and gimmicks can’t compensate for lackluster substance.”
TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics.
Professor Solove is a law professor at George Washington University Law School. He has taught privacy law every year since 2000 and has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. His LinkedIn blog has more than 1 million followers.