Privacy Data Legislation

Note: The following chart was developed by the U.S. Department of Commerce in order to provide information on national data protection laws that have either been enacted or are currently under consideration around the world. The following does not address sectoral laws, local laws, criminal/civil code provisions, or constitutional provisions that may address data protection. The chart is intended for information only and is not an authoritative statement or summary of the actual laws in these countries. The chart also may not reflect all recent changes and legislative updates.


Each entry below gives the country, the law(s) / bill(s), their status, and key details.

Argentina
Law(s) / Bill(s): Law for the Protection of Personal Data
Status: Law enacted in November of 2000. Regulations for law enacted in December 2001.
Key details:
- Ensures notice, purpose limitation, data quality and security.
- Requires express consent for sensitive information.
- Data subjects have right to access, correct, block, or update data.
- Law enforced by the National Data Protection Commissioner.
- Complaints may be brought before judicial system.
- Provides "adequacy" standards for data flows outside of Argentina.
- The European Union has determined that Argentina's law meets the EU's "adequacy" standard.

Australia
Law(s) / Bill(s): Privacy Amendment (Private Sector) Act of 2000
Status: Law enacted in December 2000. Became effective in December 2001.
Key details:
- Establishes National Privacy Principles covering collection, use and disclosure, accuracy, security, management, access, anonymity, and identification of personal data.
- Establishes "co-regulatory" scheme which allows the use of business-generated codes of conduct that have been approved by the National Privacy Commissioner.
- Complaints may be brought to/by Privacy Commissioner.
- Law operates extra-territorially, covering organizations outside Australia in situations where data is moved overseas for use or processing.
- Australian authorities have sought "adequacy" from the European Union.

Austria
Law(s) / Bill(s): Data Protection Law (English language version)
Status: Law enacted in January 2000. Implements European Union Directive on Data Protection.
Key details:
- See "European Union" for information on principles established by Austrian law.
- Law enforced by the National Data Protection Commission.

Belgium
Law(s) / Bill(s): Processing of Personal Data Law (Dutch and French language versions)
Status: Revised law implemented in 2001. Implements European Union Directive on Data Protection.
Key details:
- See "European Union" for information on principles established by the Belgian law.
- Law enforced by the Data Privacy Commissioner.

Brazil
Law(s) / Bill(s): Bill #6891/02 proposed in Brazilian Congress by Deputy Orlando Fantazzini (Portuguese language version)
Status: Bill proposed by Deputy Fantazzini in June 2002. Legislative timeframe for passage of bill not known.
Key details:
- Bill proposed by Deputy Fantazzini would establish privacy principles for notice, consent, data integrity, security, access and enforcement.
- Handling of sensitive data would be prohibited in most circumstances.
- Bill would establish an "appropriateness" standard for data transfers outside of Brazil.

Bulgaria
Law(s) / Bill(s): Personal Data Protection Act
Status: Adopted in December 2001. Came into effect in January 2002.
Key details:
- Resembles EU Directive on Data Protection.
- Personal information is defined as data relating to natural persons, legal entities, and even government personnel and agencies.
- Opt-in consent required for sensitive data.
- Law creates a Commission on Protection of Personal Data to supervise compliance and implementation.

Canada
Law(s) / Bill(s): Personal Information Protection & Electronic Documents Act (English language version)
Status: Law passed in October 1999. Received "Royal Assent" in April 2000. Implementation of bill to occur in three stages (from 2001–2004).
Key details:
- Law establishes 10 privacy principles.
- Businesses must obtain minimum of opt-out consent from data subjects in order to collect, use or disclose personal information.
- Privacy Commissioner's Office has broad powers to ensure compliance.
- Law will apply to all inter-provincial and international transactions by January 2004.
- Law has received "adequacy" from European Union.

Chile
Law(s) / Bill(s): Law for the Protection of Private Life
Status: Entered into force in October 1999. Amended in 2002.
Key details:
- Establishes rules for the handling of data in the public and private sectors.
- Establishes rights to access, correction and judicial control of personal data.
- Addresses financial, commercial and banking data.
- Only databases in the country must be registered.
- Law does not establish a data protection enforcement body.
- Enforcement occurs via court system.

Colombia
Law(s) / Bill(s): Data Protection Bill (Spanish language version)
Status: Approved by Colombia's Senate in December 2002. To be discussed in Colombia's Chamber of Deputies in March 2003.
Key details: Details pending.

Czech Republic
Law(s) / Bill(s): Act on Personal Data Protection (English language version)
Status: Enacted in April 2000. Went into effect in June 2000.
Key details:
- Essentially implements EU Directive's requirements.
- Political parties, churches and some civic organizations exempted from law.
- Law implemented and enforced by Office for Personal Data Protection.

Denmark
Law(s) / Bill(s): Act on Processing of Personal Data (English language version)
Status: Entered into force in July 2000. Implements EU Directive on Data Protection.
Key details:
- See "European Union" for information on principles established by the Danish law.
- Law enforced by Danish Data Protection Agency.

Estonia
Law(s) / Bill(s): Law on the Protection of Personal Data (English language version)
Status: Enacted in June 1996. Supplemental "Databases Act" passed in April 1997. Several subsequent amendments to these acts.
Key details:
- Act divides personal data into non-sensitive and sensitive personal data. Processing of non-sensitive data permissible without consent of data subject if in accordance with law.
- Processors must register the processing of sensitive data.
- Sets out general principles for maintenance of databases and requirements for data processing.
- Laws enforced by the Data Protection Inspectorate.

European Union
Law(s) / Bill(s): European Union Directive on Data Protection - Directive 95/46/EC (Multiple language versions)
Status: Passed by EU Parliament in 1995. Directive effective or implementation begun in 1998. Supplemented by Directive for Protection of Privacy in Telecommunications Sector (1997); regulations for data processing (2000); and Directive on Privacy and Electronic Communications (2002). Implementation by 15 Member States at varying stages of progress.
Key details:
- Personal information is defined as information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
- The scope of the Directive is very broad. It applies to all processing of data, on-line and off-line, manual as well as automatic, and all organizations holding personal data. It excludes from its reach only data used "in the course of purely personal or household activity".
- Establishes requirements for notice, consent, accuracy, security and access.
- Establishes strict guidelines for the processing of personal information. "Processing" includes any operations involving personal information, except perhaps its mere transmission.
- "Sensitive" data, such as that pertaining to racial or ethnic origins, political or religious beliefs, or health or sex life, may not be processed at all unless such processing comes within limited exceptions, for example if the individual gives explicit consent.
- Mandates a government authority to oversee data processing activities. Each Member State must establish an independent public authority to supervise the protection of personal data.
- Requires that Member States enact laws prohibiting the transfer of personal data to countries outside the European Union that fail to ensure an "adequate level of [privacy] protection". Where the level of protection is deemed inadequate, Member States are required to take measures to prevent any transfer of data to the third country.

Finland
Law(s) / Bill(s): Personal Data Act (English language version)
Status: Went into effect in June 1999. Implements the EU Directive on Data Protection.
Key details:
- See "European Union" for information on principles established by the Finnish law.
- Law enforced by the Data Protection Ombudsman.

France
Law(s) / Bill(s): Data Protection Act; Draft Implementation Law - Pursuant to EU Data Protection Directive of July 2001 (French language version)
Status: Originally enacted in 1978. Implementing legislation (pursuant to EU Directive) before French Senate.
Key details:
- See "European Union" for information on principles established by the French law.
- Law enforced by the French Data Protection Authority (CNIL).

Germany
Law(s) / Bill(s): Federal Data Protection Act (English language version)
Status: Adopted in May 2001. Implements the EU Directive on Data Protection. All "Länder" (except Sachsen and Bremen) have adopted laws to implement the Directive. These acts apply to the public sector of the respective "Länder".
Key details:
- See "European Union" for information on principles established by the German law.
- Law enforced by the Federal Data Protection Commissioner and "Länder" data protection authorities.

Greece
Law(s) / Bill(s): Law on the Protection of Individuals with Regard to the Processing of Personal Data (English language version)
Status: Entered into force in 1997. Implements the EU Directive on Data Protection.
Key details:
- See "European Union" for information on principles established by the Greek law.
- Law enforced by the Hellenic Data Protection Authority.

Hong Kong
Law(s) / Bill(s): Personal Data (Privacy) Ordinance
Status: Enacted in 1995. Implemented in December 1996.
Key details:
- Establishes six principles to regulate the collection, use, accuracy and security of personal information.
- Data subjects provided right to access, correct or erase personal information.
- Establishes complaint procedures and allows compensation for damages suffered.
- Enforcement of ordinance occurs via the Privacy Commissioner's Office.

Hungary
Law(s) / Bill(s): Act on the Protection of Personal Data and Disclosure of Data of Public Interest (English language version)
Status: Enacted in 1992. Amended in 1999 in order to become compatible with EU Directive on Data Protection.
Key details:
- Resembles EU Directive on Data Protection.
- Applies to both the public and private sectors.
- The law expressly prohibits the use of all-purpose identification numbers or codes.
- Enforcement occurs via the Parliamentary Commissioner for Data Protection and Freedom of Information.
- Law has received "adequacy" from the EU.

Iceland
Law(s) / Bill(s): Act on the Protection of Individuals with regard to the Processing of Personal Data (English language version)
Status: Came into force in January 2000.
Key details:
- Consistent with EU Directive on Data Protection. Iceland is a member of the European Free Trade Association (EFTA).
- Law covers both automated and manual processing of personal information.
- Restricts use of national identification numbers and video surveillance technology.
- Enforcement occurs via the Privacy & Data Protection Authority.

Ireland
Law(s) / Bill(s): Data Protection Act; Data Protection Amendment Bill - pursuant to EU Data Protection Directive (Bill summary)
Status: Law originally passed in 1988. Certain regulations to implement EU Data Protection Directive passed in December 2001. Data Protection Amendment Bill passed by Irish Senate in 2001 and currently before House of Representatives.
Key details:
- See "European Union" for information on principles established by the Irish bill.
- Law enforced by the Data Protection Commissioner.

Israel
Law(s) / Bill(s): Protection of Privacy Law
Status: Enacted in February 1981. Amended in 1996.
Key details:
- Regulates data processing and computer databases.
- Imposes limitations on data controllers/processors concerning use of information (11 activities prohibited by law).
- Data subjects have right to inspect, correct and erase information.
- Databases with over 10,000 names must register with Ministry of Justice's Registrar of Databases.

Italy
Law(s) / Bill(s): Data Protection Act (English language version)
Status: Enacted in 1996. Implements the EU Directive on Data Protection.
Key details:
- See "European Union" for information on principles established by the Italian law.
- Enforcement occurs via the Italian Data Protection Commission.

Japan
Law(s) / Bill(s): Personal Data Protection Bill
Status: Currently before the Japanese legislature (Diet). Timeframe for Diet's consideration/passage of bill not known.
Key details:
- The original draft of the bill set forth five basic principles, including that personal information must be collected in an appropriate manner and that "appropriate involvement of an individual as data subject" should be sought in collecting personal information.
- However, a subsequent draft has eliminated the basic principles. Instead, the latest draft sets forth "basic philosophy" that calls for "respect for individual personality."
- News organizations, research institutions, religious groups, political organizations and "writers" would be exempt from the law.
- It is unclear how enforcement of the bill would be handled.

Latvia
Law(s) / Bill(s): Law on Personal Data Protection
Status: Enacted in March 2000. Entered into force in January 2001.
Key details:
- Similar to EU Directive on Data Protection.
- Law requires all databases (public and private sector) to be registered with Ministry of Justice, State Data Inspectorate.

Lithuania
Law(s) / Bill(s): Law on Legal Protection of Personal Data (English language version)
Status: Enacted in 1996. Amended in 1998, 2000, 2002.
Key details:
- Similar to EU Directive on Data Protection.
- Personal data can only be disclosed to a third party under an approved personal contract.
- Law enforced by the State Data Protection Inspectorate.

Luxembourg
Law(s) / Bill(s): Data Protection Law (French language version)
Status: Enacted in 2002. Implements the EU Directive on Data Protection.
Key details:
- See "European Union" for information on principles established by Luxembourg's law.
- Enforcement occurs via Commission nationale pour la protection des données.

Malaysia
Law(s) / Bill(s): Personal Data Protection Bill
Status: Various Ministries have drafted the bill and it is currently awaiting Parliament. Legislative timeframe not yet established.
Key details:
- Early drafts of the bill would have established nine principles for the collection and use of personal data.
- Early drafts of the bill had a trans-border provision that would require other regimes to be "substantially similar"; or "serve the same purpose"; or provide an "adequate" level of protection.
- Data Protection Commissioner would enforce the law.

Mexico
Law(s) / Bill(s): Federal Personal Data Protection Bill
Status: Bill introduced in Parliament by Senator Antonio Garcia Torres in February 2001. Passed by Mexican Senate and forwarded to House of Representatives in April 2002. Bill currently under review at the committee level in the House of Representatives. Further timeframe for review/passage of bill not known at this time.
Key details:
- Bill would establish requirements for notice, consent, access, data accuracy and security.
- Most recent (September 2002) draft of bill narrows the scope of the legislation to data involving natural persons.
- "[A]ll gathering and processing of data require the prior consent of each person involved."
- Defines "sensitive data" to include "all data that reveal the racial or ethnic origin; political opinions; religious, philosophical or moral beliefs; labor union membership; health or sex life of a person".
- Requires all data to be stored "so as to enable the right of access to be exercised by each interested person involved".
- Trans-border data provision imposes an "equivalency" standard for data protection regimes in other countries; would presumably prohibit transfers to nations that do not exactly match the requirements set forth by the draft bill.
- Sets forth broad registration and reporting requirements.
- Law would be enforced by the Federal Institute for the Protection of Personal Data.

Netherlands
Law(s) / Bill(s): Personal Data Protection Act (English language version)
Key details:
- See "European Union" for information on principles established by the Dutch law.
- Enforcement occurs via the Dutch Data Protection Authority.

New Zealand
Law(s) / Bill(s): Privacy Act
Status: Enacted in 1993. Subsequently amended.
Key details:
- Applies to both public and private sectors.
- Establishes 12 privacy principles roughly equivalent to those set forth in the EU Directive on Data Protection.
- Approved industry codes of conduct may be adhered to in lieu of legislation.
- Enforcement overseen by the Office of the Privacy Commissioner.

Norway
Law(s) / Bill(s): Personal Data Act of 2000 (English language version)
Status: Passed in 2000. Entered into force in January 2001.
Key details:
- Consistent with EU Directive on Data Protection. Norway is a member of the European Free Trade Association (EFTA).
- Applies to both public and private sectors.
- Trans-border provision prohibits transfer of personal data to another country without the permission of the Data Inspectorate, the agency that enforces the law.
- Personal data cannot be transferred to another country that has less protection than that provided by the EU Directive on Data Protection.

Paraguay
Law(s) / Bill(s): Regulation for Personal Data (Spanish language version)
Status: Passed in December 2000.
Key details: Details pending.

Poland
Law(s) / Bill(s): Law on the Protection of Personal Data (English language version)
Status: Passed by Parliament in October 1997. Entered into force in April 1998. Regulations passed in 1998. Law amended in August 2001.
Key details:
- Law is consistent with the EU Directive on Data Protection.
- Applies to both public and private sectors.
- Regulations establish standards for the security of information systems.
- Data subjects have substantial rights to access, amend, correct and/or delete data.
- Enforcement of law handled by the Inspector General for the Protection of Personal Data.

Portugal
Law(s) / Bill(s): Law on the Protection of Personal Data (English language version)
Status: Entered into force in 1998. Implements the EU Directive on Data Protection.
Key details:
- See "European Union" for information on principles established by Portugal's law.
- Enforcement occurs via the National Data Protection Commission.

Russian Federation
Law(s) / Bill(s): Law of the Russian Federation on Information, Informatization and Information Protection
Status: Passed by the Duma (Parliament) in 1995. Supplemental Act on the Information of Personal Character has been proposed.
Key details:
- Applies to both public and private sectors.
- Establishes requirements for the processing of personal information.
- Prohibits misuse of personal information; prohibits use of sensitive information.
- No agencies have been established to enforce the law.

Singapore
Law(s) / Bill(s): No data protection law. However, Singapore is considering the adoption of a "voluntary" code of conduct on data protection for the private sector. (English language version)
Status: The National Trust Council (NTC) launched a public consultation exercise on the Model Code in February 2002. The public consultation has since closed in May 2002. In December 2002, the NTC launched an enhanced version of the Model Data Protection Code. It is not clear exactly how (or at what point) the code would be officially endorsed/implemented.
Key details:
- Sets forth a set of data protection principles loosely based on the OECD's privacy guidelines.
- Draft provisions apply to "the processing of personal data wholly or partly by automatic means".
- Companies would be required to provide a list of organizations "to which it may have disclosed data about the individual".
- It is not clear how the code would be enforced.

Slovakia
Law(s) / Bill(s): Act on the Protection of Personal Data (Slovak language version)
Status: Entered into force in 1998.
Key details:
- Establishes requirements for notice, consent, access, accuracy, correction, security and confidentiality.
- Processing of certain sensitive information is prohibited.
- Imposes an "adequacy" standard for transfers of data to other countries.
- Enforcement of law handled by the Inspection Unit for the Protection of Personal Data.

Slovenia
Law(s) / Bill(s): Law on Personal Data Protection
Status: Entered into effect in August 1999. Amended in 2001.
Key details:
- Consistent with EU Directive on Data Protection.
- Enforcement occurs via Human Rights Ombudsman.

South Africa
Law(s) / Bill(s): South Africa has recently enacted an Electronic Communications and Transactions (ECT) Law that sets forth "voluntary" requirements for data protection.
Status: The bill was signed into law in 2002. Chapter VIII of the law addresses the Protection of Personal Information.
Key details:
- Sets forth a series of data protection requirements.
- Applies only to electronic data transmissions.
- A data controller may "voluntarily" subscribe to the principles by recording the principles in a written agreement.
- Requires opt-in consent from data subject prior to collecting/transferring any personal data.
- It is not clear how the requirements of the law are to be enforced.

South Korea
Law(s) / Bill(s): Act on Promotion of Information and Communications Network Utilization and Data Protection
Status: Entered into effect in 2000.
Key details:
- Establishes requirements for the collection, use and disclosure of personal data.
- Law applies to "providers of information and communications services" and certain offline services, namely travel services.
- In most cases, opt-out consent from data subject required. However, exceptions apply. Opt-in consent required for certain sensitive information.
- Enforcement is complaint-driven and occurs via judicial system and Personal Information Mediation Committee.

Spain
Law(s) / Bill(s): Data Protection Law (English language version)
Status: Passed in 1999. Entered into force in 2000. Implements the EU Directive on Data Protection.
Key details:
- See "European Union" for information on principles established by Spain's law.
- Enforcement occurs via the Data Protection Agency.

Sweden
Law(s) / Bill(s): Personal Data Act (English language version)
Status: Enacted in 1998. Implements the EU Directive on Data Protection.
Key details:
- See "European Union" for information on principles established by Sweden's law.
- Enforcement occurs via the Data Inspection Board.

Switzerland
Law(s) / Bill(s): Federal Act of Data Protection (English language version)
Status: Originally enacted in 1992. Subsequently amended.
Key details:
- Consistent with EU Directive on Data Protection. Switzerland is a member of the European Free Trade Association (EFTA).
- In 1999, the Swiss law received "adequacy" from the EU.
- Trans-border data provision requires data controllers to register transfers of data to other countries. Requires that other countries have equivalent laws.
- Law enforced by the Swiss Federal Data Protection Commissioner.

Taiwan
Law(s) / Bill(s): Computer Processed Data Protection Law (English language version)
Status: Originally enacted in 1995.
Key details:
- Applies to public sector and certain areas of the private sector.
- Regulates the "computerized processing of personal data".
- In order to collect or process personal information, a data controller must either obtain written consent from the data subject; have a contractual relationship with the data subject; determine that the data is already within the public domain; or determine that the data is for academic research.
- No central agency responsible for enforcement of the law. Enforcement is handled by relevant agency for the sector concerned.

Thailand
Law(s) / Bill(s): Data Protection Bill
Status: Thailand's National Information Technology Committee is currently drafting the bill. No timeframe for introduction of the bill; public comment; Parliamentary consideration/approval has been announced.
Key details: Details pending.

United Kingdom
Law(s) / Bill(s): Data Protection Act
Status: Passed by Parliament in 1998. Entered into force in 2000. Implements the EU Directive on Data Protection.
Key details:
- See "European Union" for information on principles established by the United Kingdom's law.
- Enforcement occurs via the Information Commissioner.
