Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

What’s happening in privacy worldwide?

Before the Pandemic I used to go to a local hairdressing salon to get my hair cut. I’d tried a few barbers, but it was the thought of a cup of coffee whilst being pampered that did it for me. Anyway, it was the last place I expected to be confronted with the GDPR. But sure enough, I was asked to consent to the processing of my personal data for hairdressing purposes. Leaving aside the question of whether that was the most appropriate lawful basis, it does illustrate the huge degree of awareness that the GDPR generated amongst the general population and in particular businesses, back in the run up to it becoming law in May 2018. Obviously in the UK we’ve had Brexit since then, which has further muddied the waters of privacy legislation, with the UK (so far) adopting the same rules with only minor tweaks to reflect changes to the institutions involved.

But if the GDPR is the young rock star of privacy legislation, it rather disguises the fact that there have been many less well-known bands treading the circuit for quite a few years beforehand. In this article we wanted to highlight a few of the more established players before providing a status update on the latest entrants to the privacy charts.

Privacy worldwide

Anyone with an interest in the history of data protection will be familiar with the precursors to the GDPR, going all the way back to the post-war European Convention on Human Rights and the 1995 Data Protection Directive. But in other parts of the world legislators have been turning their attention to privacy too, with mixed results. And let’s not forget that if you sell internationally then these laws may affect you too. Before we look at a few examples, it’s worth making a number of general points.

  • Just because there isn’t a specific law with a privacy-related term in its name doesn’t mean that privacy is not regulated in that country. There are plenty of cases where privacy is covered in more general statutes such as a constitution, or for specific industries such as health.
  • The laws vary significantly in scope and many are nowhere near as widely applicable as the GDPR, for example they only apply to organizations with a certain financial turnover. However most of them are “extra-territorial” which means they still apply to organizations outside the country that made them.
  • The law in every country is different and the text of the legislation doesn’t tell the whole story – case law and published guidelines can affect its interpretation significantly.
  • Privacy laws exist as part of a wider legal ecosystem – other laws may have a bearing on data protection issues in many circumstances.
  • Countries with a state, province or territory structure such as the USA, Canada and Australia often have laws at various levels of government so you’ll need to consider all of the applicable ones (and their relative priorities) as a package.

So if you have the impression by now that privacy worldwide is complicated, you’d be right.

A flavour of privacy laws in various countries

There are many countries we could choose, but here are a few that have existing data privacy laws, to give you an idea of the variety of legislation out there.

In Australia the Privacy Act became a federal law in 1988 and applies to organizations with an annual turnover exceeding AU$3 million. It is policed by the Privacy Commissioner and although a data protection officer is not required, it is recommended that one is appointed. Breach notification is mandatory and fines of up to AU$2.2 million can be levied on corporations. Many of the states and territories across Australia have their own privacy legislation too, mainly with an emphasis on government agencies.

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted back in 2000 and broadly applies to all organizations processing the personal data of Canadian citizens. You’ll need a data protection officer and breach notification is mandatory, with the option of damages being paid to those affected by a breach. Provinces such as Alberta and British Columbia have their own privacy legislation too.

If you’re trading in Japan, the Act on the Protection of Personal Information (APPI) of 2003 may apply. Governed by the Personal Information Protection Commission (PPC), the APPI requires you to tell them about any breaches (subject to criteria) and enforcement includes not only fines but the possibility of a year’s imprisonment for those held responsible. They take privacy seriously in Japan.

China chooses to spread its privacy regulation across three main laws, the Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL) and the Data Security Law (DSL). Each of these came into effect at different times, starting with the CSL in 2017. The consequences of breaking any of the laws vary widely, from fines of 5% of revenue, to criminal charges to your social credit score being affected.

In the Ukraine the Law of Ukraine No. 2297-VI ‘On Personal Data Protection’ (Data Protection Law) was enacted on 1 June 2010 and has many similarities to the EU Data Protection Directive which preceded the GDPR. The political desire for greater closeness to the European Union presumably comes into play here. The Ukrainian Parliament’s Commissioner for Human Rights oversees compliance with the legislation although there is no breach notification requirement at present.

The Russian Data Protection Act of 2006 was amended in 2015 to require that Russian personal data must be stored in Russia. Failure to do this will result in access to the offending website being blocked. However breaches don’t need to be reported and the maximum fine is currently 75,000 Rubles (less than US$ 1,000).

What’s happened recently?

Over the last few years a number of countries and states have stepped further into the privacy legislation arena.

In Brazil, they now have the LGPD (General Data Protection Law) which came into force in 2020. This is generally accepted to be similar in nature to the EU GDPR and is policed by the National Data Protection Authority (ANPD). With mandatory breach notification, fines of up to 2% of revenue may be levied.

In the USA, the state of California has enacted the California Consumer Privacy Act (CCPA) and followed it up with the California Consumer Privacy Rights Act (CPRA) which expands consumer rights further. Other states with recent privacy laws include Virginia and Colorado.

The South African Protection of Personal Information Act 2013 (POPIA) actually came into force mid 2021 and requires that you tell the Information Regulator about breaches. Possibly taking a lead from Japan, the consequences of such a breach could include up to ten years in jail.

What could be coming next?

There’s a lot of activity worldwide in the privacy space and the next few years could see a number of changes.

In Australia much bigger fines could be on their way under proposals currently being considered.

The Canadian PIPEDA legislation may be replaced with a law that is more similar to the GDPR and the Californian CCPA.

In Japan, amendments to the APPI come into force in April 2022.

A USA federal law that applies to all 50 states could finally be on its way, although the US political process still has some way to go before signatures are applied.

Final words

So it looks like being a busy old time in the world of privacy for some time to come. As technology advances develop (such as the Metaverse), corporate advertising interests evolve and privacy expectations change with upcoming generations, it’s hard to say where the balance will be struck. Perhaps in a world that is still shrinking due to globalisation some common ground will emerge across countries but whether that will look like a super-GDPR is anyone’s guess.


Privacy Toolkits

We have a variety of toolkits available depending on your privacy requirements. CertiKit’s award-winning toolkits are used in thousands of organisations globally, and they include all of the guides and template documents you’ll need for easy compliance.

Our privacy toolkits include:

We’ve helped more than 4000 businesses with their compliance


The structure is excellent, clear, precise and easy to digest. The content is professional and the guidance is extremely helpful. I cannot fault it!


View all Testimonials