Data Protection Laws and Regulations: What Businesses Must Know Today


From essential laws and principles to guidance on compliance and consent, data protection regulations cover all of it.

Our increased online sharing of personal details has come at a high cost. Given the sheer number of recent data breaches, people are rightly questioning the credibility of third-party services and platforms and their claims to protect them. The personal information of millions of individuals is being exposed, whether through an intentionally targeted attack on a network or simply a business with careless security procedures. As a result, data privacy has evolved from a specialized area into an essential worldwide concern.

Governments have responded swiftly. Almost every country is enacting strict legislation to guarantee the security of its citizens’ personal information. For companies, this signifies the end of the “wait and see” period.

A summary of privacy laws

When talking about data privacy, the General Data Protection Regulation (GDPR) is frequently the first thing that springs to mind. This European Union (EU) rule, which has been in effect since 2018, has influenced international privacy norms and encouraged nations to enact their own privacy legislation.

This was not the first statute of its kind, however. In 1973, Sweden enacted the first national data privacy law in history, known as Datalagen. More than 170 nations currently have data privacy laws in place, and new data protection legislation is passed annually. For the processing of personal data by its Governorate, the Vatican City State even passed its own data protection law in 2024.

As companies continue to serve more and more foreign markets, they must have a thorough awareness of their global data protection responsibilities in order to prevent legal violations, which can lead to fines, operational disruption, and reputational harm.

Data privacy regulations aim to control how companies gather, use, store, and transfer personal information through strict guidelines. These rules aim to give people more control over their personal data and to hold businesses accountable for protecting it.

While basic principles such as ensuring transparency and limiting data use to what is required are universally accepted, specific rights and obligations vary from country to country. Some regimes prioritize user access rights or data security, while others focus more on consent. Together, they influence how companies manage personal data globally.

General Data Protection Regulation (GDPR)


When the General Data Protection Regulation (GDPR) came into force on May 25, 2018, it fundamentally shifted the entire landscape of privacy. Companies must protect personal data if they sell products or services to individuals in the EU or EEA, or if they monitor their online activity. No exceptions.

One feature that sets the GDPR apart is its legal form. It is a regulation rather than a directive, which would wait for each nation to enact its own local legislation. This means it is immediately and automatically applicable in every member state.

Its reach is enormous. The location of your company’s actual headquarters is irrelevant. Even if no money changes hands, you are responsible if you process personal information about anyone in that region.

Flying under the radar is no longer possible: from non-profit organizations to multinational corporations, GDPR applies to all organizations equally.

Some basic principles to follow while processing personal data are:

  • Lawfulness, fairness, and transparency: Handling personal data requires a strong legal basis. Additionally, an organization must be completely honest with its customers about how their information is actually used.
  • Purpose limitation: Stick to the original arrangement. Personal information should only be used for the purpose for which it was originally gathered; it cannot be repurposed at a later time.
  • Data minimization: Businesses should only collect the precise information required to complete the task at hand.
  • Accuracy: Maintain specific and reliable records. It is your duty to correct any mistakes or out-of-date information that you come across.
  • Storage limitation: Data shouldn’t sit on your servers forever. This causes clutter and harms efficiency. Once it has served the purpose you collected it for, you need to delete it.
  • Integrity and confidentiality: To protect personal data from unauthorized access or data breaches, organizations must implement effective security measures.
  • Accountability: Organizations must be able to demonstrate that they have complied with the regulation.

Consent is one of the legal bases for storing and handling personal data, and the GDPR places strict guidelines on what constitutes valid consent from the user. As the law states, it should be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes.”

Digital Markets Act (DMA)


The Digital Markets Act (DMA) officially came into force on November 1, 2022. It was designed specifically to target the massive online platforms that the European Commission designates as ‘gatekeepers.’ The goal is clear: by imposing specific requirements on these dominant entities, the legislation aims to drive better competition while simultaneously tightening consumer protection and privacy.

It is worth noting that the DMA has a significant influence on how personal data is stored and used. While the GDPR already holds every business accountable for how it gathers and handles data, the DMA treats these “gatekeepers” as a league of their own. Because of their sheer market power, they face additional restrictions and obligations. These extra obligations go a step beyond the standard GDPR requirements, creating an additional layer of privacy protection for users and helping to keep the digital playing field fair.

Seven companies are currently designated as gatekeepers under the DMA: Alphabet, Amazon, Apple, Booking.com, ByteDance, Meta, and Microsoft.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) mandates federal regulations that prevent the disclosure of protected health information (PHI) without the patient’s consent.

It applies to “covered entities” and their business associates, such as:

  • Healthcare providers, for example hospitals, physicians, dentists, and pharmacies.
  • Health plans, such as Medicare, Medicaid, employer-sponsored insurance, and private insurers.
  • Healthcare clearinghouses that perform administrative functions or process medical data.
  • Business associates who use PHI on behalf of covered entities for services including billing, data storage, or legal advice.
  • Consultants offering guidance or analysis on matters pertaining to health information, or on activities that require handling PHI.
  • Contractors or subcontractors providing services such as PHI data analysis or claims processing.

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

Passed in 2018, the California Consumer Privacy Act (CCPA) became operative on January 1, 2020. On January 1, 2023, the California Privacy Rights Act (CPRA) amended and expanded it. In February 2024, the CPRA was put into effect after a legal battle. The CCPA/CPRA is the collective term for these two pieces of legislation.

The CCPA/CPRA protects the personal information of the almost 40 million people who live in California, with residents defined as:

  • Anyone in California for other than a temporary purpose
  • Anyone with a California residence who is temporarily outside of the state

For-profit companies operating in California that collect personal data from residents of the state and satisfy any of these requirements are subject to the law:

  • They had more than USD 26,625,000 in gross revenue in the previous calendar year.
  • The total number of consumers or households whose personal information the company buys, sells, or shares exceeds the 100,000 threshold.
  • More than 50% of their annual revenue comes from selling their users’ personal information.

Like European data privacy regulations, the CCPA has extraterritorial reach. Any business that meets the thresholds set by the act must comply with the obligations the CCPA places upon it. If the organization does business with residents of California, it can be held liable irrespective of where it is based.

Digital Personal Data Protection Bill (DPDP)

India’s Digital Personal Data Protection Act, 2023 applies to digital personal data, whether it is collected online or collected offline and then digitized. It also applies to processing outside the country if the company offers products or services in India. Under the Act, the Indian government will designate Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of the personal data they process. Data fiduciaries will be required to ensure data security and accuracy, and to erase data once its purpose has been fulfilled. The DPDP Act gives Indian citizens the right to request information about how their personal data is handled, as well as rights to correction, erasure, and grievance redressal.
