Content Overview

Data protection and privacy regulations set forth rules relating to the protection of natural persons (individuals) with regard to the processing of personal data and rules relating to the free movement of personal data. They aim to make businesses more accountable for data privacy compliance and offer individuals greater rights and more control over their personal data.

Recent years have witnessed an unparalleled growth in data protection legislation, primarily as a knock-on effect from the sharp surge in mobile and consumer technologies. As a result, organizations have heightened burdens of compliance while handling large volumes of personal data.
 

On the EU front, a new data protection regime entered into force on 25 May 2018 under the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) replacing the existing Data Protection Directive 95/46/EC. GDPR extends the scope of the EU data protection law to all foreign companies processing data of EU residents and provides for harmonization of the data protection regulations throughout the EU. 

In the US, various omnibus data protection bills have been enacted on the state level in recent years; however, no agreement has been reached yet on an overarching privacy law on a federal level.

This content covers the principal national data protection and privacy laws and regulations, both proposed and enacted focussing on:

• Collection, storage and use of data
• Fair and lawful data processing
• Individual’s rights
• Sharing of data
• Data transfer to other countries
• Data classification and quality of data security measures
• Measures to ensure privacy in relation to connected products

In particular, the lawful processing of personal data is quickly becoming a priority for so-called “smart appliances”. Networked devices, capable of exchanging data, must be used in such a way as to protect users from the risk of privacy breaches. Accordingly, this content area also covers data protection implications for connected products.

Please note that we do not cover the following types of personal information: health information, financial/credit information, criminal records or data held by public entities. Our coverage also does not extend to regulations that apply to electronic communications service providers only (e.g. sources regarding data retention by communications providers). Sources on the use of biometric data by companies and related requirements fall under our coverage, whereas we do not cover sources on biometric data that establish rules only for government entities, financial institutions and/or healthcare institutions.

While we do not cover sources that relate to social media only, if sources are regarding “online privacy” in general, we cover them. We also cover children’s online privacy (obtaining parental consent, giving easily understandable privacy notices, etc.), however, we do not cover sources that relate to protecting children from harmful content such as nudity or sexual content.

Coverage Included

Our regulatory content in C2P is historically comprehensive with a robust QA process to ensure quality, consistency and accuracy. Below is a high level summary of our coverage for this topic:

• EU: Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, Regulation, (EU) 2016/679
• UK: Data Protection Act, 2018
• Norway: Personal Data Protection Act, No. 38, 2018
• Brazil: Protection of Personal Data, Law No. 13709/2018
• California (USA): Privacy of Personal Information, Assembly Bill 375, Enacted, 2018
• California (USA): Connected Devices, Privacy and Consumer Protection, Senate Bill 327 Enacted, 2018
• New Zealand: Privacy Act No. 31, 2020
• Canada: Personal Information Protection and Electronic Documents Act, 2000
• China: Personal Information Protection Law, 2021
• Kenya: Data Protection Act, No. 24, 2019
• India: Digital Personal Data Protection Act, 2023

We cover standards for our core products that are available from our partner Accuris. These are available through our Product Compliance Solution.

Connection with other regulatory content:

The Data Protection content captures regulations which focus on the processing of personal data. An overlap with the Cybersecurity content may occur for regulations dealing with the security and certification of connected devices. The Data Protection content may also sometimes overlap with the Labor/Employment content.