Privacy Ref Blog

What in the World??

With many of us so busily focused on compliance with the European Union’s General Data Protection Regulation (“GDPR”) – and probably soon to be focused on the new California Consumer Privacy Act – it is easy to neglect (albeit inadvertently) other areas of the world. If you are a company with international operations or are collecting the personal information of non-EU foreign residents, this could be a costly mistake.

To date, over 120 countries have some form of data protection laws. Just this year alone, a number of countries have passed their own GDPR versions of law. The most recent is the Brazilian Data Protection Law, enacted this month with an effective date in February 2020. The new Brazil law strongly mirrors the GDPR, including consent or other legal grounds for the processing of personal information (which term is broadly defined), cross-border data transfer restrictions, data subject rights, mandatory data breach reporting obligations, joint and several liability for data controllers and processors, and penalties and fines up to 2% of earnings or just under $13 million. Previously, Brazil only had sectoral laws in place, so this is a big change for many companies.

Brazil is not alone. Whether by accident or by design, there has been a flurry of activity this summer in the wake of the GDPR implementation. Other countries adopting new data protection laws and regulations this year include Algeria (in July) and St. Kitts and Nevis (in May). And, in June, Chile went so far as to make protection of personal information a Constitutional right! What these laws all have in common is the establishment of obligations with respect to the collection, retention, use, disclosure, and transfer of personal information, as well as setting data subject rights and breach response requirements. While not being as aggressive as its peers, China did adopt a non-binding “specification” in May on personal information security, which provides guidance on the collection, retention, use, sharing, and transfer of personal information, as well as breach notification best practices. And Kenya, India, Uzbekistan, and Iran are all positioned to follow the trend with their respective releases in July and August of draft comprehensive data protection legislation (of particular interest, the Kenya proposal includes a 5-year prison term for violations).

As a friendly reminder, Canada’s Digital Privacy Act, which amends the well-known PIPEDA (“Personal Information Protection and Electronic Documents Act”) to provide new breach reporting requirements, is set to become effective on November 1, 2018. Thus, it is incumbent upon companies operating outside the confines of the United States’ territorial limits to stay abreast of these world developments and adjust accordingly.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on August 27, 2018 by Kelly Cheary

« »

No Responses

Comments are closed.

« »

Subscribe to our mailing list

Please fill out the form below.


Want to find out more?

Simply go to the contact page, fill out the form, and someone from Privacy Ref will be in touch with you. You can also send an email to or call (888) 470-1528.


April 16, 2018

IAPP Training Classes
Privacy Ref is proud to announce that we are an official training partner of the IAPP. You now have the opportunity to learn from one of our knowledgeable privacy professionals using the most respected training content in the industry. The robust interactive training offered, aids in the understanding of critical privacy concepts. The contents of the courses are integral to obtaining your privacy certifications and to educate your new team. Learn more here.

Latest Blog Posts

March 15, 2019

Protecting kids online – are we doing our best?

I’m trying to work through some thoughts about how companies repeatedly take advantage of consumers’ privacy in the US.  The latest being TikTok, a video sharing app acquired from, which has agreed to pay $5.7 million to settle allegations that it collected personal information from children – a violation of COPPA or the Children’s Online Privacy Protection Act.  Of note, TikTok is a $75 billion – with a B – dollar startup.  In GDPR terms, the maximum fine for egregious behavior could be 4% of gross revenues or in TikTok’s case $3 billion – with a B – dollars, which is a far cry from the fine that the FTC assessed for their alleged COPPA violations (FTC’s largest ever COPPA fine).

Continue reading this post...

March 13, 2019

In da House (of Representatives)

Recently, the US Congress met to discuss privacy protections from the perspective of a federal regulation. One of the most discussed topics was GDPR and whether it works or not. A lot was said, and I was pretty disappointed with the overall lack of nuance with regards to understanding what privacy is about from sitting politicians. That said, I want to go over some of the arguments.

Continue reading this post...

Other Recent Posts