| COUNTRY | LAW(s)/BILL(s) | STATUS | KEY DETAILS |
|---|---|---|---|
| Argentina | Law for the Protection of Personal Data (English language version: http://www.privacyinternational.org/countries/argentina/argentine-dpa.html) | Law enacted in November of 2000. Regulations for law enacted in December 2001. | Ensures notice, purpose limitation, data quality and security. Requires express consent for sensitive information. Data subjects have right to access, correct, block, or update data. Law enforced by national data protection commissioner (http://www.jus.gov.ar/minjus/DPDP/). Complaints may be brought before judicial system. Provides "adequacy" standards for data flows outside of Argentina. The European Union has determined that Argentina’s law meets the EU’s "adequacy" standard. |
| Australia | Privacy Amendment (Private Sector) Act of 2000 (http://privacy.gov.au) | Law enacted in December 2000. Became effective in December 2001. | Establishes National Privacy Principles covering collection, use and disclosure, accuracy, security, management, access, anonymity, and identification of personal data. Establishes "co-regulatory" scheme which allows the use of business-generated codes of conduct that have been approved by national Privacy Commissioner (http://privacy.gov.au). Complaints may be brought to/by Privacy Commissioner. Law operates extra-territorially, covering organizations outside Australia in situations where data is moved overseas for use or processing. Australian authorities have sought "adequacy" from the European Union. |
| Austria | Data Protection Law (English language version: http://www.bka.gv.at/datenschutz/indexe.htm) | Law enacted in January 2000. Implements European Union Directive on Data Protection. | See "European Union" for information on principles established by Austrian law. Law enforced by National Data Protection Commission (http://www.bka.gv.at/datenschutz/indexe.htm). |
| Belgium | Processing of Personal Data Law (Dutch and French language version: http://www.privacy.fgov.be/) | Revised law implemented in 2001. Implements European Union Directive on Data Protection. | See "European Union" for information on principles established by the Belgian law. Law enforced by Data Privacy Commissioner (http://www.privacy.fgov.be/). |
| Brazil | Bill #6891/02 proposed in Brazilian Congress by Deputy Orlando Fantazzini (Portuguese language version: http://www.camara.gov.br/Internet/sileg/Prop_Detalhe.asp?id=56678) | Bill proposed by Deputy Fantazzini in June 2002. Legislative timeframe for passage of bill not known. | Bill proposed by Deputy Fantazzini would establish privacy principles for notice, consent, data integrity, security, access and enforcement. Handling of sensitive data would be prohibited in most circumstances. Bill would establish an "appropriateness" standard for data transfers outside of Brazil. |
| Bulgaria | Personal Data Protection Act | Adopted in December 2001. Came into effect in January 2002. | Resembles EU Directive on Data Protection. Personal information is defined as data relating to natural persons, legal entities, and even government personnel and agencies. Opt-in consent required for sensitive data. Law creates a Commission on Protection of Personal Data to supervise compliance and implementation. |
| Canada | Personal Information Protection & Electronic Documents Act (English language version: http://www.privcom.gc.ca/legislation/02_06_01_e.asp) | Law passed in October 1999. Received "Royal Assent" in April 2000. Implementation of bill to occur in three stages (from 2001 – 2004). | Law establishes 10 privacy principles. Businesses must obtain minimum of opt-out consent from data subjects in order to collect, use or disclose personal information. Privacy Commissioner’s Office (http://www.privcom.gc.ca) has broad powers to ensure compliance. Law will apply to all inter-provincial and international transactions by January 2004. Law has received "adequacy" from European Union. |
| Chile | Law for the Protection of Private Life | Entered into force in October 1999. Amended in 2002. | Establishes rules for the handling of data in the public and private sectors. Establishes rights to access, correction and judicial control of personal data. Addresses financial, commercial and banking data. Only databases in the country must be registered. Law does not establish a data protection enforcement body. Enforcement occurs via court system. |
| China | China’s State Council for Informatization Office has indicated that it plans to develop data privacy legislation for the private sector. Apparently, the bill would apply to online and offline data. However, few additional details are available. | Time frame for introduction of bill not clear. | No additional details available. |
| Colombia | Data Protection Bill (Spanish language version: http://ulpiano.com/colombia.pdf) | Approved by Colombia’s Senate in December 2002. To be discussed in Colombia’s Chamber of Deputies in March 2003. | Details pending. |
| Czech Republic | Act on Personal Data Protection (English language version: http://www.uoou.cz/eng/101_2000.php3) | Enacted in April 2000. Went into effect in June 2000. | Essentially implements EU Directive’s requirements. Political parties, churches and some civic organizations exempted from law. Law implemented and enforced by Office for Personal Data Protection (http://www.uoou.cz/eng/index.php3). |
| Denmark | Act on Processing of Personal Data (English language version: http://www.datatilsynet.dk/eng/index.html) | Entered into force in July 2000. Implements EU Directive on Data Protection. | See "European Union" for information on principles established by the Danish law. Law enforced by Danish Data Protection Agency (http://www.datatilsynet.dk/). |
| Estonia | Law on the Protection of Personal Data (English language version: http://www.dp.gov.ee/?lang=en) | Enacted in June 1996. Supplemental "Databases Act" passed in April 1997. Several subsequent amendments to these acts. | Act divides personal data into non-sensitive and sensitive personal data. Processing of non-sensitive data permissible without consent of data subject if in accordance with law. Processors must register the processing of sensitive data. Sets out general principles for maintenance of databases and requirements for data processing. Laws enforced by Data Protection Inspectorate (http://www.dp.gov.ee/?lang=en). |
| European Union | European Union Directive on Data Protection (Directive 95/46/EC) (Multiple language versions: http://europa.eu.int/comm/internal_market/en/dataprot/law/index.htm) | Passed by EU Parliament in 1995. Directive effective/implementation begun in 1998. Supplemented by Directive for Protection of Privacy in Telecommunications Sector (1997); regulations for data processing (2000); and Directive on Privacy and Electronic Communications (2002). Implementation by 15 Member States at varying stages of progress. | Personal information is defined as information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. The scope of the Directive is very broad. It applies to all processing of data, on-line and off-line, manual as well as automatic, and all organizations holding personal data. It excludes from its reach only data used "in the course of purely personal or household activity". Establishes requirements for notice, consent, accuracy, security and access. Establishes strict guidelines for the processing of personal information. "Processing" includes any operations involving personal information, except perhaps its mere transmission. "Sensitive" data, such as that pertaining to racial or ethnic origins, political or religious beliefs, or health or sex life, may not be processed at all unless such processing comes within limited exceptions, for example if the individual gives explicit consent. Mandates a government authority to oversee data processing activities. Each Member State must establish an independent public authority to supervise the protection of personal data. Requires that Member States enact laws prohibiting the transfer of personal data to countries outside the European Union that fail to ensure an "adequate level of [privacy] protection". Where the level of protection is deemed inadequate, Member States are required to take measures to prevent any transfer of data to the third country. |
| Finland | Personal Data Act (English language version: http://www.tietosuoja.fi/1560.htm) | Went into effect in June 1999. Implements the EU Directive on Data Protection. | See "European Union" for information on principles established by the Finnish law. Law enforced by the Data Protection Ombudsman (http://www.tietosuoja.fi/1560.htm). |
| France | Data Protection Act; Draft Implementation Law (pursuant to EU Data Protection Directive) of July 2001 (French language version: http://www.justice.gouv.fr/actua/loicnild.htm) | Originally enacted in 1978. Implementing legislation (pursuant to EU Directive) before French Senate. | See "European Union" for information on principles established by the French law. Law enforced by The French Data Protection Authority (CNIL) (http://www.cnil.fr/uk/index.htm). |
| Germany | Federal Data Protection Act (English language version: http://www.bfd.bund.de/information/bdsg_eng.pdf) | Adopted in May 2001. Implements the EU Directive on Data Protection. All "Länder" (except Sachsen and Bremen) have adopted laws to implement the Directive. These acts apply to the public sector of the respective "Länder". | See "European Union" for information on principles established by the German law. Law enforced by the Federal Data Protection Commissioner (http://www.bfd.bund.de/information/engl_corner.html) and "Länder" data protection authorities. |
| Greece | Law on the Protection of Individuals with Regard to the Processing of Personal Data (English language version: http://www.dpa.gr/legal_eng.htm) | Entered into force in 1997. Implements the EU Directive on Data Protection. | See "European Union" for information on principles established by the Greek law. Law enforced by the Hellenic Data Protection Authority (http://www.dpa.gr/home_eng.htm). |
| Hong Kong | Personal Data (Privacy) Ordinance (http://www.pco.org.hk/english/ordinance/ordfull.html) | Enacted in 1995. Implemented in December 1996. | Establishes six principles to regulate the collection, use, accuracy and security of personal information. Data subjects provided right to access, correct or erase personal information. Establishes complaint procedures and allows compensation for damages suffered. Enforcement of ordinance occurs via the Privacy Commissioner’s Office (http://www.pco.org.hk/#). |
| Hungary | Act on the Protection of Personal Data and Disclosure of Data of Public Interest (English language version: http://www.obh.hu/adatved/indexek/index.htm) | Enacted in 1992. Amended in 1999 in order to become compatible with EU Directive on Data Protection. | Resembles EU Directive on Data Protection. Applies to both the public and private sectors. The law expressly prohibits the use of all-purpose identification numbers or codes. Enforcement occurs via the Parliamentary Commissioner for Data Protection and Freedom of Information (http://www.obh.hu/adatved/indexek/index.htm). Law has received "adequacy" from the EU. |
| Iceland | Act on the Protection of Individuals with regard to the Processing of Personal Data (English language version: http://www.personuvernd.is/tolvunefnd.nsf/pages/english) | Came into force in January 2000. | Consistent with EU Directive on Data Protection. Iceland is a member of the European Free Trade Association (EFTA). Law covers both automated and manual processing of personal information. Restricts use of national identification numbers and video surveillance technology. Enforcement occurs via the Privacy & Data Protection Authority (http://www.personuvernd.is/tolvunefnd.nsf/pages/english). |
| Ireland | Data Protection Act; Data Protection Amendment Bill (pursuant to EU Data Protection Directive) (Bill summarized at http://www.dataprivacy.ie/3bii.htm) | Law originally passed in 1988. Certain regulations to implement EU Data Protection Directive passed in December 2001. Data Protection Amendment Bill passed by Irish Senate in 2001 and passed by House of Representatives in 2003. | See "European Union" for information on principles established by the Irish bill. Law enforced by the Data Protection Commissioner (http://www.dataprivacy.ie/). |
| Israel | Protection of Privacy Law | Enacted in February 1981. Amended in 1996. | Regulates data processing and computer databases. Imposes limitations on data controllers/processors concerning use of information (11 activities prohibited by law). Data subjects have right to inspect, correct and erase information. Databases with over 10,000 names must register with Ministry of Justice’s Registrar of Databases. |
| Italy | Data Protection Act (English language version: http://www.dataprotection.org/garante/prewiew/1,1724,448,00.html?sezione=120&LANG=2) | Enacted in 1996. Implements the EU Directive on Data Protection. | See "European Union" for information on principles established by the Italian law. Enforcement occurs via the Italian Data Protection Commission (http://astra.garanteprivacy.it/garante/frontdoor/1,1003,,00.html?LANG=2). |
| Japan | Law on the Protection of Personal Information | Passed May 30, 2003. Will go into effect May 2005. Ministries are in the process of drafting implementation guidelines. Voluntary guidelines protecting personal data collected by RFID technology have been published by METI. | Law sets forth "basic philosophy" that calls for "respect for individual personality." News organizations, research institutions, religious groups, political organizations and "writers" are exempt from the law. It is unclear how enforcement of the law will be handled; this may be clarified in the implementation guidelines. |
| Latvia | Law on Personal Data Protection | Enacted in March 2000. Entered into force in January 2001. | Similar to EU Directive on Data Protection. Law requires all databases (public and private sector) to be registered with Ministry of Justice, State Data Inspectorate. |
| Lithuania | Law on Legal Protection of Personal Data (English language version: http://www.ada.lt/en/legal.html) | Enacted in 1996. Amended in 1998, 2000, 2002. | Similar to EU Directive on Data Protection. Personal data can only be disclosed to a third party under an approved personal contract. Law enforced by the State Data Protection Inspectorate (http://www.ada.lt/en/). |
| Luxembourg | Data Protection Law (French language version: http://www.etat.lu/memorial/memorial/a/2002/a0911308.pdf) | Enacted in 2002. Implements the EU Directive on Data Protection. | See "European Union" for information on principles established by Luxembourg’s law. Enforcement occurs via Commission nationale pour la protection des données (http://www.cnpd.lu/). |
| Malaysia | Personal Data Protection Bill | Various Ministries have drafted the bill and it is currently awaiting Parliament. Legislative timeframe not yet established. | Early drafts of the bill would have established nine principles for the collection and use of personal data. Early drafts of the bill had a trans-border provision that would require other regimes to be "substantially similar"; or "serve the same purpose"; or provide an "adequate" level of protection. Data Protection Commissioner would enforce the law. |
| Mexico | Federal Personal Data Protection Bill | Bill introduced in Parliament by Senator Antonio Garcia Torres in February 2001. Passed by Mexican Senate and forwarded to House of Representatives in April 2002. Bill currently under review at the committee level in the House of Representatives. Further timeframe for review/passage of bill not known at this time. | Bill would establish requirements for notice, consent, access, data accuracy and security. Most recent (September 2002) draft of bill narrows the scope of the legislation to data involving natural persons. "[A]ll gathering and processing of data require the prior consent of each person involved." Defines "sensitive data" to include "all data that reveal the racial or ethnic origin; political opinions; religious, philosophical or moral beliefs; labor union membership; health or sex life of a person". Requires all data to be stored "so as to enable the right of access to be exercised by each interested person involved". Trans-border data provision imposes an "equivalency" standard for data protection regimes in other countries; would presumably prohibit transfers to nations that do not exactly match the requirements set forth by the draft bill. Sets forth broad registration and reporting requirements. Law would be enforced by the Federal Institute for the Protection of Personal Data. |
| Netherlands | Personal Data Protection Act (English language version: http://www.cbpweb.nl/) | Approved by Senate in June 2000. Entered into force in September 2001. Implements the EU Directive on Data Protection. | See "European Union" for information on principles established by the Dutch law. Enforcement occurs via the Dutch Data Protection Authority (http://www.cbpweb.nl/). |
| New Zealand | Privacy Act (http://www.privacy.org.nz/slegisf.html) | Enacted in 1993. Subsequently amended. | Applies to both public and private sectors. Establishes 12 privacy principles roughly equivalent to those set forth in the EU Directive on Data Protection. Approved industry codes of conduct may be adhered to in lieu of legislation. Enforcement overseen by the Office of the Privacy Commissioner (http://www.privacy.org.nz/top.html). |
| Norway | Personal Data Act of 2000 (English language version: http://www.datatilsynet.no/) | Passed in 2000. Entered into force in January 2001. | Consistent with EU Directive on Data Protection. Norway is a member of the European Free Trade Association (EFTA). Applies to both public and private sectors. Trans-border provision prohibits transfer of personal data to another country without the permission of The Data Inspectorate (http://www.datatilsynet.no/), the agency that enforces the law. Personal data cannot be transferred to another country that has less protection than that provided by the EU Directive on Data Protection. |
| Paraguay | Regulation for Personal Data (Spanish language version: http://www.ulpiano.com/habeasdaata_paraguay_Ley.htm) | Passed in December 2000. | Details pending. |
| Philippines | | | |
| Poland | Law on the Protection of Personal Data (English language version: http://www.giodo.gov.pl/English/english.htm) | Passed by Parliament in October 1997. Entered into force in April 1998. Regulations passed in 1998. Law amended in August 2001. | Law is consistent with the EU Directive on Data Protection. Applies to both public and private sectors. Regulations establish standards for the security of information systems. Data subjects have substantial rights to access, amend, correct and/or delete data. Enforcement of law handled by the Inspector General for the Protection of Personal Data (http://www.giodo.gov.pl/English/english.htm). |
| Portugal | Law on the Protection of Personal Data (English language version: http://www.cnpd.pt/Leis/lei_6798en.htm) | Entered into force in 1998. Implements the EU Directive on Data Protection. | See "European Union" for information on principles established by Portugal’s law. Enforcement occurs via the National Data Protection Commission (http://www.cnpd.pt/). |
| Russian Federation | Law of the Russian Federation on Information, Informatization and Information Protection | Passed by the Duma (Parliament) in 1995. Supplemental Act on the Information of Personal Character has been proposed. | Applies to both public and private sectors. Establishes requirements for the processing of personal information. Prohibits misuse of personal information; prohibits use of sensitive information. No agencies have been established to enforce the law. |
| Singapore | No data protection law. However, Singapore is considering the adoption of a "voluntary" code of conduct on data protection for the private sector. (English language version: http://www.trustsg.org.sg/mdpc.htm) | The National Trust Council (NTC) launched a public consultation exercise on the Model Code in February 2002. The public consultation closed in May 2002. In December 2002, the NTC launched an enhanced version of the Model Data Protection Code. It is not clear exactly how (or at what point) the code would be officially endorsed/implemented. | Sets forth a set of data protection principles loosely based on the OECD’s privacy guidelines. Draft provisions apply to "the processing of personal data wholly or partly by automatic means". Companies would be required to provide a list of organizations "to which it may have disclosed data about the individual". It is not clear how the code would be enforced. |
| Slovakia | Act on the Protection of Personal Data (Slovak language version: http://www.dataprotection.gov.sk/buxus/generate_page.php3?page_id=1) | Entered into force in 1998. | Establishes requirements for notice, consent, access, accuracy, correction, security and confidentiality. Processing of certain sensitive information is prohibited. Imposes an "adequacy" standard for transfers of data to other countries. Enforcement of law handled by the Inspection Unit for the Protection of Personal Data (http://www.dataprotection.gov.sk/buxus/generate_page.php3?page_id=1). |
| Slovenia | Law on Personal Data Protection | Entered into effect in August 1999. Amended in 2001. | Consistent with EU Directive on Data Protection. Enforcement occurs via Human Rights Ombudsman (http://www.varuh-rs.si/cgi/teksti-eng.cgi/Index?vsebina). |
| South Africa | South Africa has recently enacted an Electronic Communications and Transactions (ECT) Law that sets forth "voluntary" requirements for data protection. (Version of the bill at http://www.cellular.co.za/ect-bill.pdf) SA Law Commission currently investigating privacy and data protection legislation. Issue paper published for public comment, closing February 2004. (Issue paper at http://wwwserver.law.wits.ac.za/salc/issue/issue.html) | The bill was signed into law in 2002. Timing for draft legislation unknown. | Chapter VIII of the law addresses the Protection of Personal Information. Sets forth a series of data protection requirements. Applies only to electronic data transmissions. A data controller may "voluntarily" subscribe to the principles by recording the principles in a written agreement. Requires opt-in consent from data subject prior to collecting/transferring any personal data. It is not clear how the requirements of the law are to be enforced. Issue paper favors approach taken by EU Data Directive. The issue paper will be followed by a discussion paper containing draft legislation and a report with the Commission’s final recommendations and proposed legislative proposals. |
| South Korea | Act on Promotion of Information and Communications Network Utilization and Data Protection (PICNU); Amendments to PICNU | Entered into effect in 2000. Amendment passed Dec. 29, 2003, effective date unknown. | Establishes requirements for the collection, use and disclosure of personal data. Law applies to "providers of information and communications services" and certain offline services, namely travel services. In most cases, opt-out consent from data subject required. However, exceptions apply. Opt-in consent required for certain sensitive information. Enforcement is complaint-driven and occurs via judicial system and Personal Information Mediation Committee. Strengthens the protection of private information related to the use of Internet and tightens regulatory control with respect to unwanted electronic mail on a nationwide basis. Includes consumer consent requirement to transfer individual information overseas. |
| Spain | Data Protection Law (English language version: https://www.agenciaprotecciondatos.org/datd_inglish.htm) | Passed in 1999. Entered into force in 2000. Implements the EU Directive on Data Protection. | See "European Union" for information on principles established by Spain’s law. Enforcement occurs via the Data Protection Agency (http://agenciaprotecciondatos.org). |
| Sweden | Personal Data Act (English language version: http://www.datainspektionen.se/in_english/default.asp?content=/in_english/start/start.shtml) | Enacted in 1998. Implements the EU Directive on Data Protection. | See "European Union" for information on principles established by Sweden’s law. Enforcement occurs via the Data Inspection Board (http://www.datainspektionen.se/in_english/default.asp?content=/in_english/start/start.shtml). |
| Switzerland | Federal Act of Data Protection (English language version: http://www.edsb.ch/e/gesetz/schweiz/act.htm) | Originally enacted in 1992. Subsequently amended. | Consistent with EU Directive on Data Protection. Switzerland is a member of the European Free Trade Association (EFTA). In 1999, the Swiss law received "adequacy" from the EU. Trans-border data provision requires data controllers to register transfers of data to other countries. Requires that other countries have equivalent laws. Law enforced by the Swiss Federal Data Protection Commissioner (http://www.edsb.ch/e/aktuell/index.htm). |
| Taiwan | Computer Processed Data Protection Law (English language version: http://www.virtual-asia.com/taiwan/bizpack/legalcodes/cpdpl.htm) | Originally enacted in 1995. | Applies to public sector and certain areas of the private sector. Regulates the "computerized processing of personal data". In order to collect or process personal information, a data controller must either obtain written consent from the data subject; have a contractual relationship with the data subject; determine that the data is already within the public domain; or determine that the data is for academic research. No central agency responsible for enforcement of the law. Enforcement is handled by relevant agency for the sector concerned. |
| Thailand | Data Protection Bill | Thailand’s National Information Technology Committee is currently drafting the bill. No timeframe for introduction of the bill, public comment, or Parliamentary consideration/approval has been announced. | Details pending. |
| United Kingdom | Data Protection Act (http://www.dataprotection.gov.uk/) | Passed by Parliament in 1998. Entered into force in 2000. Implements the EU Directive on Data Protection. | See "European Union" for information on principles established by the United Kingdom’s law. Enforcement occurs via the Information Commissioner (http://www.dataprotection.gov.uk/). |