Privacy law

Privacy law is a broad category of statutes, constitutional principles, and common law precedents related to an individual's right to privacy and reasonable expectation of privacy. While the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights assert that every person possesses the right to privacy, different countries have a wide range of approaches to regulating privacy, from the highly developed General Data Protection Regulation (GDPR) in the European Union to countries that have few or no explicitly-defined privacy laws.

International legal standards on privacy
Asia-Pacific Economic Cooperation
The Asia-Pacific Economic Cooperation (APEC) introduced a voluntary Privacy Framework in 2004, which all 21 member economies adopted. This framework aims to enhance general information privacy and facilitate the secure transfer of data across borders. It comprises nine Privacy Principles, serving as minimum standards for privacy protection, including measures to prevent harm, provide notice, limit data collection, ensure personal information is used appropriately, offer choice to individuals, maintain data integrity, implement security safeguards, allow access and correction of personal information, and enforce accountability. In 2011, APEC established the APEC Cross Border Privacy Rules System to balance the flow of information and data across borders, which is crucial for fostering trust and confidence in the online marketplace. This system builds upon the APEC Privacy Framework and incorporates four agreed-upon rules, which involve self-assessment, compliance review, recognition/acceptance, and dispute resolution and enforcement.

Council of Europe
Article 8 of the European Convention on Human Rights, established by the Council of Europe in 1950 and applicable across the European continent except for Belarus and Kosovo, safeguards the right to privacy. It asserts that "Everyone has the right to respect for his private and family life, his home and his correspondence." Through extensive case law from the European Court of Human Rights in Strasbourg, privacy has been clearly defined and universally recognized as a fundamental right. Furthermore, the Council of Europe took steps to protect individuals' privacy rights with specific measures. In 1981, it adopted the Convention for the protection of individuals with regard to automatic processing of personal data.
Additionally, in 1998, the Council addressed privacy concerns related to the internet by publishing "Draft Guidelines for the protection of individuals with regard to the collection and processing of personal data on the information highway," developed in collaboration with the European Commission. These guidelines were formally adopted in 1999.

European Union (EU)
The 1995 Data Protection Directive (officially Directive 95/46/EC) acknowledged the authority of national data protection authorities and mandated that all Member States adhere to standardized privacy protection guidelines. These guidelines stipulated that Member States must enact stringent privacy laws consistent with the framework provided by the Directive. Moreover, the Directive specified that non-EU countries must implement privacy legislation of equivalent rigor to exchange personal data with EU countries. Additionally, companies in non-EU countries wishing to conduct business with EU-based companies must adhere to privacy standards at least as strict as those outlined in the Directive. Consequently, the Directive has influenced the development of privacy legislation beyond European borders. The proposed ePrivacy Regulation, intended to replace the Privacy and Electronic Communications Directive 2002, further contributes to EU privacy regulations. On 25 May 2018, the General Data Protection Regulation superseded the Data Protection Directive of 1995. A significant aspect introduced by the General Data Protection Regulation is the recognition of the "right to be forgotten," which mandates that any organization collecting data on individuals must delete the relevant data upon the individual's request. The Regulation drew inspiration from the European Convention on Human Rights mentioned earlier.

Organization for Economic Co-operation and Development (OECD)
The OECD (Organisation for Economic Co-operation and Development) initiated privacy guidelines in 1980, setting international standards, and in 2007, proposed cross-border cooperation for privacy law enforcement. The UN's International Covenant on Civil and Political Rights, Article 17, protects privacy, echoed in the 2013 UN General Assembly resolution affirming privacy as a fundamental human right in the digital age. The Principles on Personal Data Protection and Privacy for the UN System were declared in 2018.

United Nations (UN)
Article 17 of the International Covenant on Civil and Political Rights of the United Nations in 1966 also protects privacy: "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks." On 18 December 2013, the United Nations General Assembly adopted resolution 68/167 on the right to privacy in the digital age. The resolution makes reference to the Universal Declaration of Human Rights and reaffirms the fundamental and protected human right of privacy. The Principles on Personal Data Protection and Privacy for the United Nations System were declared on 11 October 2018.

Privacy laws by country
Privacy laws vary widely across countries, reflecting legal traditions and policy priorities on how confidential data should be protected. Many of these laws also focus on the protection of individuals' personal and confidential data and on the transparency of data.

Australia
The current state of privacy law in Australia includes Federal and state information privacy legislation, some sector-specific privacy legislation at state level, regulation of the media and some criminal sanctions. The current position concerning civil causes of action for invasion of privacy is unclear: some courts have indicated that a tort of invasion of privacy may exist in Australia. However, this has not been upheld by the higher courts, which have been content to develop the equitable doctrine of Breach of Confidence to protect privacy, following the example set by the UK. The Privacy Act 1988 aims to protect and regulate an individual's private information. It manages and monitors how the Australian Government and organisations hold personal information.

Belize
Belize's official privacy act is the Data Protection Act (2021). This act regulates the usage and collection of personal data to protect individual privacy. This act establishes different data protection principles and data subjects. Additionally, the Freedom of Information Act currently protects the personal information of the citizens of Belize. The Freedom of Information Act became effective in 1967 and is a federal law that grants any individual the right to access records from federal government agencies. The FOIA grants public access to businesses and organizations to be able to access federal records, but does not provide access to federal records held from the United States.

Brazil
On 14 August 2018, Brazil enacted its General Personal Data Protection Law.
The General Personal Data Protection Law is also known as Brazil's Lei Geral de Proteção de Dados Pessoais. The bill has 65 articles and has many similarities to the GDPR. The first translation into English of the new data protection law was published by Ronaldo Lemos, a Brazilian lawyer specialized in technology, on that same date. There is a newer version.

Canada
In Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use, and disclosure of personal information in connection with commercial activities, as well as personal information about employees of federal works, undertakings and businesses. The PIPEDA brings Canada into compliance with EU data protection law, although civil society, regulators, and academics have more recently claimed that it does not address modern challenges of privacy law sufficiently, particularly in view of AI, calling for reform. PIPEDA does not apply to non-commercial organizations or provincial governments, which remain within the jurisdiction of provinces. Five Canadian provinces have enacted privacy laws that apply to their private sector. Personal information collected, used and disclosed by the federal government and crown corporations is governed by the Privacy Act. Many provinces have enacted provincial legislation similar to the Privacy Act, such as the Ontario Freedom of Information and Protection of Privacy Act which applies to public bodies in that province. There remains some debate whether there exists a common law tort for breach of privacy across Canada. There have been a number of cases identifying a common law right to privacy but the requirements have not always been articulated clearly. In Eastmond v. Canadian Pacific Railway & Privacy Commissioner of Canada, Canada's Supreme Court found that CP could collect Eastmond's personal information without his knowledge or consent because it benefited from the exemption in paragraph 7(1)(b) of PIPEDA, which provides that personal information can be collected without consent if "it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement".

Interaction with International Privacy Frameworks
Canadian privacy laws also interact with international frameworks, notably the European Union's General Data Protection Regulation (GDPR). Although PIPEDA shares many similarities with GDPR, there are nuanced differences, particularly in terms of consent and data subject rights. Canadian businesses dealing with international data need to comply with both PIPEDA and GDPR, making compliance a complex but critical task.

Privacy Rights and Obligations in Digital Platforms
The digital transformation has brought specific challenges and focus areas for privacy regulation in Canada. The Canadian Anti-Spam Legislation (CASL), for example, regulates how businesses can conduct digital marketing and communications, requiring explicit consent for sending commercial electronic messages. This legislation is part of Canada's efforts to protect consumers from spam and related threats while ensuring that businesses conduct their digital marketing responsibly. The rise of digital platforms has also prompted discussions about privacy rights concerning consumer data collected by large tech companies.
The Privacy Commissioner of Canada has been active in investigating and regulating how these companies comply with Canadian privacy laws, ensuring they provide transparency to users about data usage and uphold the rights of Canadian citizens.

Future Directions and Compliance Challenges
Canadian privacy laws are continually evolving to address new challenges posed by technological advancements and global data flows. Businesses operating in Canada must stay informed about these changes to ensure compliance and protect the personal information of their customers effectively. For detailed guidance and the latest updates on compliance with Canadian privacy laws, businesses and individuals can refer to resources provided by the Office of the Privacy Commissioner of Canada and stay informed about developments in Canadian privacy law through expert analyses and updates.

China
In 1995, the Computer Processed Personal Information Protection Act was enacted in order to protect personal information processed by computers. The general provision specified the purpose of the law, defined crucial terms, and prohibited individuals from waiving certain rights. The National Security Law and the Cybersecurity Law promulgated in 2015 give public security and security departments great powers to collect all kinds of information, forcing individuals to use network services to submit private information for monitoring, and forcing network operators to store user data. Within China, unrestricted "technical support" from the security department must be provided. Other laws and regulations related to privacy are as follows:

Privacy of the deceased
The Supreme People's Court's "Interpretation on Several Issues Concerning the Determination of Liability for Compensation for Mental Damage in Civil Torts" was adopted at the 116th meeting of the Judicial Committee of the Supreme People's Court on February 26, 2001.
Article 3. After the death of a natural person, if a close relative of a natural person suffers mental pain due to the following infringements, and the people’s court sues for compensation for mental damage, the people’s court shall accept the case: (2) Illegal disclosure or use of the privacy of the deceased, or infringement of the privacy of the deceased in other ways that violate social public interests or social ethics.

Law on the Protection of Minors
Article 39. No organization or individual may disclose the personal privacy of minors. No organization or individual may conceal or destroy letters, diaries, and e-mails of minors, except for the need to investigate crimes. Public security organs or people's procuratorates shall conduct inspections in accordance with the law, or letters, diaries, and e-mails of minors who are incapacitated. Diaries and e-mails shall be opened and read by their parents or other guardians, and no organization or individual shall open or read them.

Fiji
An archipelago located in the Pacific, the country of Fiji was founded on 10 October 1970. In its constitution, the people inhabiting the land are granted the right to privacy. The exact wording of the constitution is the following: "Every person has the right to personal privacy, which includes the right to — (a) confidentiality of their personal information; (b) confidentiality of their communications; and (c) respect for their private and family life". Billing information and call information are no exceptions. The only exception to this rule is for the purpose of bringing to light "fraud or bad debt". Under this law, even with the consent of the customer, the disclosure of information is not permitted. Other privacy laws that have been adopted by this country are those that are meant to protect the collected information, cookies and other privacy-related matters of tourists.
This is in regards to (but not limited to) information collected during bookings, the use of one technology or another that belongs to said company or through the use of a service of the company, or when making payments. Additionally, as a member of the United Nations, Fiji is bound by the Universal Declaration of Human Rights which states in article twelve, "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks".

France
France adopted a data privacy law in 1978. It applies to public and private organizations and forbids gathering sensitive data about physical persons (including sexuality, ethnicity, and political or religious opinions). The law is administered by the Commission nationale de l'informatique et des libertés (CNIL), a dedicated national administration. Like in Germany, data violations are considered criminal offenses (Art. 84 GDPR with Code Pénal, Section 1, Chapitre VI, Art. 226ff.).

Germany
Germany is known to be one of the first countries (in 1970) with the strictest and most detailed data privacy laws in the world. The citizens' right to protection is stated in the Constitution of Germany, in Art. 2 para. 1, and Art. 1 para. 1. The citizens' data of Germany is mainly protected from corporations under the Federal Data Protection Act (1977), which was most recently amended in 2009. This act specifically targets all businesses that collect information for its use. The major regulation protects the data within the private and personal sector, and as a member of the European Union (EU), Germany has additionally ratified its act, convention, and additional protocol with the EU according to the EU Data Protection Directive 95/46 EC. In Germany, there are two kinds of restrictions on a transfer of personal data.
Since Germany is part of the EU Member States, the transfer of personal data of its citizens to a nation outside the EEA is always subject to a decent level of data protection in the offshore country. Secondly, according to German data policy rules, any transfer of personal data outside the EEA symbolizes a connection to a third party which requires a reason. That reason may be for emergency reasons, and a provision must be met with consent by the receiver and the subject of the data. Keep in mind that in Germany, data transfers within a group of companies are subject to the same treatment as transfers to third parties if the location is outside the EEA. Specifically, the Federal Data Protection Commission is in charge of regulating the entirety of the enforcement of data privacy regulations for Germany. In addition, Germany is part of the Organisation for Economic Cooperation and Development (OECD). The Federal Data Protection Commission of Germany is a member of the International Conference of Data Protection and Privacy Commissioners, European Data Protection Authorities, the EU Article 29 Working Party, and the Global Privacy Enforcement Network. Like in France, data violations are considered offenses (Art. 84 GDPR with § 42 BDSG).

Greece
During the military dictatorship era the 57 AK law prohibited taking photos of people without their permission but the law has since been superseded. The 2472/1997 law protects personal data of citizens but consent for taking photos of people is not required as long as they aren't used commercially or are used only for personal archiving ("οικιακή χρήση" / "home use"), for publication in editorial, educational, cultural, scientific or news publications, and for fine art purposes (e.g. street photography which has been upheld as legal by the courts whether done by professional or amateur photographers). However, photographing people or collecting their personal data for commercial (advertising) purposes requires their consent.
The law gives photographers the right to commercially use photos of people who have not consented to the use of the images in which they appear if the depicted people have either been paid for the photo session as models (so there is no separation between editorial and commercial models in Greek law) or they have paid the photographer for obtaining the photo (this, for example, gives the right to wedding photographers to advertise their work using their photos of newly-wed couples they photographed in a professional capacity). In Greece the right to take photographs and publish them or sell licensing rights over them as fine art or editorial content is protected by the Constitution of Greece (Article 14 and other articles) and free speech laws as well as by case law and legal cases. Photographing the police or children and publishing the photographs in a non-commercial capacity is also legal.

Hong Kong
In Hong Kong, the law governing the protection of personal data is principally found in the Personal Data (Privacy) Ordinance (Cap. 486) which came into force on 20 December 1996. Various amendments were made to enhance the protection of personal data privacy of individuals through the Personal Data (Privacy) (Amendment) Ordinance 2012. Examples of personal data protected include names, phone numbers, addresses, identity card numbers, photos, medical records and employment records. As Hong Kong remains a common law jurisdiction, judicial cases are also a source of privacy law. The power of enforcement is vested with the Privacy Commissioner (the "Commissioner") for Personal Data. Non-compliance with data protection principles set out in the ordinances does not constitute a criminal offense directly. The Commissioner may serve an enforcement notice to direct the data user to remedy the contravention and/or instigate the prosecution action. Contravention of an enforcement notice may result in a fine and imprisonment.

India
India's data protection law is known as The Digital Personal Data Protection Act, 2023. The Right to Privacy is a fundamental right and an intrinsic part of Article 21 that protects life and liberty of the citizens and as a part of the freedoms guaranteed by Part III of the Constitution. In June 2011, India passed subordinate legislation that included various new rules that apply to companies and consumers. A key aspect of the new rules required that any organization that processes personal information must obtain written consent from the data subjects before undertaking certain activities. However, application and enforcement of the rules is still uncertain. The Aadhaar Card privacy issue became controversial when the case reached the Supreme Court. The hearing in the Aadhaar case went on for 38 days across 4 months, making it the second longest Supreme Court hearing after the landmark Kesavananda Bharati v. State of Kerala. On 24 August 2017, a nine-judge bench of the Supreme Court in Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors. unanimously held that the right to privacy is an intrinsic part of right to life and personal liberty under Article 21 of the Constitution. Previously, the Information Technology (Amendment) Act, 2008 made changes to the Information Technology Act, 2000 and added the following two sections relating to Privacy:
• Section 43A, which deals with implementation of reasonable security practices for sensitive personal data or information and provides for the compensation of the person affected by wrongful loss or wrongful gain.
• Section 72A, which provides for imprisonment for a period up to three years and/or a fine up to Rs. for a person who causes wrongful loss or wrongful gain by disclosing personal information of another person while providing services under the terms of lawful contract.
A constitutional bench of the Supreme Court declared 'Privacy' as a fundamental right on 24 August 2017.

Ireland
Ireland is under the Data Protection Act 1988 along with the EU General Data Protection Regulation, which regulates the utilization of personal data. The DPA protects data within the private and personal sector. The DPA ensures that when data is transported, the location must be safe and in acknowledgement of the legislation to maintain data privacy. When collecting and processing data, some of the requirements are listed below:
• the subject of personal data must have given consent
• the data is in the subject's interest
• the reason for the processing of data is for a contract
• the reason for the processing of data is the prevention of injury
Specifically, the Data Protection Commissioner oversees the entirety of the enforcement of data privacy regulations for Ireland. All persons that collect and process data must register with the Data Protection Commissioner unless they are exempt (non-profit organizations, journalistic, academic, literary expression etc.) and renew their registration annually.

Electronic Privacy Protection
Considering the protection of internet property and online data, the ePrivacy Regulations 2011 protect the communications and higher-advanced technical property and data such as social media and the telephone. In relation to international data privacy law that Ireland is involved in, the British–Irish Agreement Act 1999 Section 51 extensively states the relationship between data security between the United Kingdom and Ireland. In addition, Ireland is part of the Council of Europe and the Organisation for Economic Cooperation and Development.

Israel
Under Israel's privacy law, infringement of privacy is a civil wrong and many types of it constitute an offense punishable by up to 5 years of imprisonment. A considerable part of this law considers privacy of databases and their use for mailing.

Jamaica
The Jamaican constitution grants its people the right to "respect for and protection of private and family life, and privacy of the home". Although the government grants its citizens the right to privacy, the protection of this right is not strong. But in regards to other privacy laws that have been adopted in Jamaica, the closest one is the Private Security Regulation Authority Act. This act passed in the year 1992, establishing the Private Security Regulation Authority. This organization is tasked with the responsibility of regulating the private security business and ensuring that everyone working as a private security guard is trained and certified. The goal of this is to ensure a safer home, community, and businesses. One of the reasons why this law was passed is that, as trained workers, the guards could ensure maximum customer service, and with the education they received they would be equipped to deal with certain situations as well as avoid actions that could be considered violations, such as invasion of privacy.

The two latter acts (amended in 2016) contain provisions applicable to the protection of personal information by public sector entities.

Although Kenya grants its people the right to privacy, there seems to be no existing document that protects these specific privacy laws. Regarding privacy laws relating to data privacy, like many African countries as expressed by Alex Boniface Makulilo, Kenya's privacy laws are far from the European 'adequacy' standard. As of today, Kenya does have laws that focus on specific sectors. The following are the sectors: communication and information. The law pertaining to this is called the Kenya Information and Communication Act. This Act makes it illegal for any licensed telecommunication operators to disclose or intercept information accessed through the customer's use of the service.
This law also grants privacy protection in the course of making use of the service provided by said company.

The following common law torts are related to personal information privacy and continue to play a role in Malaysia's legal system: breach of confidence, defamation, malicious falsehood, and negligence. It outlines seven Personal Data Protection Principles that entities operating in Malaysia must adhere to: the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle, and the Access Principle. Personal data includes "information in respect of commercial transactions ... that relates directly or indirectly to a data subject" while sensitive personal data includes any "personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature." Although the Act does not apply to information processed outside the country, it does restrict cross-border transfers of data from Malaysia outwards. Additionally, the Act offers individuals the "right to access and correct the personal data held by data users", "the right to withdraw consent to the processing of personal data", and "the right to prevent data users from processing personal data for the purpose of direct marketing."

The key elements included were:
• Requirement of all private entities who gather personal data to publish their privacy policy in accordance with the law.
• Set fines for up to $16,000,000 MXN in case of violation of the law.
• Set prison penalties for serious violations.

Mauritius
Data protection legislation was enacted in 2017 and took effect in 2018. The objective of the legislation was to strengthen the control and personal autonomy of a person over their personal data, in line.

The law is generally invoked to settle disputes between neighbors regarding the installation and use of surveillance cameras. The law is not applicable for the exchange of personal data between government agencies. Complaints about privacy infringement are a lengthy process.

New Zealand
In New Zealand, the Privacy Act 1993 (replaced by Privacy Act 2020) sets out principles in relation to the collection, use, disclosure, security and access to personal information. The introduction into the New Zealand common law of a tort covering invasion of personal privacy at least by public disclosure of private facts was at issue in Hosking v Runting and was accepted by the Court of Appeal. In Rogers v TVNZ Ltd, the Supreme Court indicated it had some misgivings with how the tort was introduced, but chose not to interfere with it at that stage. Complaints about privacy are considered by the Privacy Commissioner.

Nigeria
The Federal Republic of Nigeria's constitution offers its constituents the right to privacy as well as privacy protection. The following can be found in the constitution pertaining to this: "The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected". Additionally, as a member of the United Nations, Nigeria is bound by the Universal Declaration of Human Rights which states in article twelve "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks".

This agency is tasked with the job of preventing cyberattacks and regulating the Nigerian information technology industry.

Not only does this country grant Filipinos the right to privacy, but it also protects its people's right to privacy by attaching consequences to its violation. In the year 2012, the Philippines passed the Republic Act No. 10173, also known as the "Data Privacy Act of 2012". This act extended privacy regulations and laws to apply to more than just individual industries. This act also offered protection of data belonging to the people regardless of where it is stored, be it in private spheres or not. In that very same year, the cybercrime prevention law was passed. This law was "intended to protect and safeguard the integrity of computer and communications systems" and prevent them from being misused. Not only does the Philippines have these laws, but it has also set aside agents that are tasked with regulating these privacy rules and ensuring the punishment of violators. Additionally, with the constitution, previous laws that have been passed but that are in violation of the laws above have been said to be void and nullified. Another way this country has shown its dedication to executing this law is by extending it to the government sphere as well. Additionally, as a member of the United Nations, the Philippines is bound by the Universal Declaration of Human Rights which states in article two "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks".

For example, privacy can be protected indirectly through various common law torts: defamation, trespass, nuisance, negligence, and breach of confidence. In February 2002, however, the Singaporean government decided that the common law approach was inadequate for their emerging globalized technological economy. In January 2013, Singapore's Personal Data Protection Act 2012 came into effect in three separate but related phases. The phases continued through July 2014 and dealt with the creation of the Personal Data Protection Commission, the national Do Not Call Registry, and general data protection rules.
The Act's general purpose "is to govern the collection, use and disclosure of personal data by organisations" while acknowledging the individual's right to control their personal data and the organizations' legal needs to collect this data. The Act prohibits transfer of personal data to countries with privacy protection standards that are lower than those outlined in the general data protection rules.

Sweden
The Data Act is the world's first national data protection law and was enacted in Sweden on 11 May 1973. The law was then superseded on 24 October 1998 by the Personal Data Act (Sw. Personuppgiftslagen) that implemented the 1995 EU Data Protection Directive.

Switzerland
The main legislation over personal data privacy for the personal and private sector in Switzerland is the Swiss Federal Protection Act, specifically the Data Protection Act, a specific section under the Swiss Federal Protection Act. The Data Protection Act was enacted in 1992 and is in charge of measuring consent to the sharing of personal data, along with other legislation like the Telecommunication Act and the Unfair Competition Act. The Act generally guides on how to collect, process, store, use, disclose, and destroy data. The Data Inspection Board is in charge of overseeing data breaches and privacy enforcement. Personal data must be protected against illegal use by "being processed in good faith and must be proportionate". However, the data protection regulations are sufficient to meet European Union (EU) regulations without being a member of the EU. In addition, Switzerland is part of the Council of Europe and the Organisation for Economic Cooperation and Development.

The Justices first made reference to privacy being a protected right in the 1992 "Interpretation of Council of Grand Justices No. 293 on Disputes Concerning Debtors' Rights," but it was not directly or explicitly declared to be a right.
It only protected personal information managed by government agencies and certain industries. A few other administrative laws also deal with communication-specific personal privacy protection:
• Telecommunications Act
• Communications Protection and Surveillance Act
Additionally, chapter 28 of the Criminal Code outlines punishments for privacy violations in article 315, sections 315-1 and 315-2. The sections primarily address issues of search and seizure and criminal punishment for wrongful invasion of privacy.

Thailand uses bureaucratic surveillance to maintain national security and public safety, which explains the 1991 Civil Registration Act that was passed to protect personal data in computerized record-keeping and data-processing done by the government. Two communication technology related laws, the Electronic Transactions Act 2001 and the Computer Crime Act 2007, provide some data privacy protection and enforcement mechanisms.

On 20 December 2012 legislation was substantially amended. Some general and sector-specific aspects of privacy are regulated by the following acts:
• The Constitution of Ukraine;
• The Civil Code of Ukraine;
• Law of Ukraine No. 2657-XII 'On Information' dated 2 October 1992;
• Law of Ukraine No. 1280-IV 'On Telecommunications' dated 18 November 2003;
• Law of Ukraine No. 80/94-BP 'On Protection of Information in the Information and Telecommunication Systems' dated 5 July 1994;
• Law of Ukraine No. 675-VIII 'On Electronic Commerce' dated 3 September 2015.

United Kingdom
As a party to the European Convention on Human Rights, the United Kingdom adheres to Article 8 of the European Convention on Human Rights, which guarantees a "right to respect for privacy and family life" from state parties, subject to restrictions as prescribed by law and necessary in a democratic society towards a legitimate aim. However, there is no independent tort law doctrine which recognises a right to privacy. This has been confirmed on a number of occasions.
Processing of personal information is regulated by the Data Protection Act 2018, supplementing the EU General Data Protection Regulation, which is still in force (in amended form) after the UK's exit from the EU as "retained EU legislation".
• Kaye v Robertson
• Wainwright v Home Office

Data Protection Act of 2018
The Data Protection Act of 2018 is the United Kingdom's main legislation protecting personal data and how it should be collected, processed, stored and shared. In accordance with this legislation, citizens have rights such as the right to access their personal data, and the right to request their data be deleted under certain circumstances, also known as the "right to be forgotten." The Act also sets out obligations for organizations that handle personal data, including requirements for transparency in data processing, the implementation of appropriate security measures to protect data, and the need for consent from individuals before processing their data.

Privacy and Electronic Communications Regulations
The Privacy and Electronic Communications Regulations, established in 2003, gave citizens control in consent and disclosure of information in specific electronic communications including:
• marketing calls, emails, texts and faxes
• cookies and tracking technologies
• secure communications
• customer privacy as regards traffic and location data, billing, phone line identification, and directory listings.
The goal of the Privacy and Electronic Communications Regulations is to protect individuals' privacy and control over their electronic communications while promoting responsible and transparent practices by organizations that engage in electronic marketing and in the use of tracking technologies.
United Kingdom General Data Protection Regulation
The United Kingdom General Data Protection Regulation is the domestic version of the European Union's General Data Protection Regulation (GDPR). It was implemented into UK law through the Data Protection Act 2018 and came into effect alongside the EU GDPR in May 2018. UK GDPR governs data protection and privacy within the UK, applying to the processing of personal data by organizations operating within the UK. It includes specific provisions tailored to the UK's legal framework and requirements. Key aspects of the UK GDPR include:
• Data Protection - Establishes principles for the processing of citizens' personal data in compliance with confidentiality, integrity and availability standards.
• Data Breach Notifications - Requires organizations operating within the UK to disclose any and all information regarding recent breaches to the authorities and notify all parties impacted by the breach.
• Rights of Data Accessibility - Citizens have the right to access, modify, restrict and delete personal data collected by organizations.
• Legal Basis for Data Processing - Organizations must comply with the legal obligations when processing personal data.
• Accountability and Compliance - Organizations are required to demonstrate compliance with data protection, including the implementation of security measures to protect data and the conduct of Data Protection Impact Assessments, while maintaining records of processing activities.
The UK GDPR aims to ensure that personal data is processed legally, fairly and with full transparency while individuals are given control over the handling of their personal data.
For detailed guidance and the latest updates on compliance with United Kingdom privacy laws, businesses and individuals can refer to resources provided by the Information Commissioner's Office (https://ico.org.uk/) and stay informed about developments in UK privacy law through expert analyses and updates.

To help rule on various privacy-related questions, court cases have applied the Fourth Amendment right to be free of unwarranted search or seizure, the First Amendment right to free assembly, and the Fourteenth Amendment due process right.

Torts
A tort expert and Dean of the College of Law at University of California, Berkeley, William Lloyd Prosser argued in 1960 that "privacy" was composed of four separate torts, the only unifying element of which was a (vague) "right to be left alone". The four torts were:
• Intrusion on seclusion or solitude of the plaintiff.
• Appropriating the plaintiff's identity for the defendant's benefit (see Personality rights § United States). Appropriation of one's likeness is considered the oldest of the main American privacy torts. It involves the right to control where one's appearance and other aspects of their "likeness," such as their voice and name, appear in areas like advertising and other media. As noted by the California Jury, successful cases built on the appropriation of a person's likeness must typically involve them being harmed in some way by this usage, which was non-consensual and contributed to some benefit, often financial, to the person or company using their image.
• A rising case for the appropriation tort in the United States appeared in the early 1900s due to companies using individuals' identities and appearances without their consent on packaging and advertisements. A particularly influential case was Roberson v. Rochester Folding Box Co., in which young woman Abigail Roberson had her image placed on a flour advertisement, causing embarrassment and emotional distress.
Her case against the company was rejected, leading to widespread public disapproval and the creation of New York Civil Rights Law § 50, forbidding the appropriation of individuals' images in advertisements without their consent, with an emphasis on the emotional impacts of such exploitation.
• The tort was also influenced by the later case of Loftus v. Greenwich Lithographing Co., where Gladys Loftus sought financial compensation for the usage of her image in a film advertisement distributed around New York City; this reflected a shift in the claims of appropriation cases from emotional damage to a lack of payment for the plaintiff's image being appropriated.
• Breach of confidence: publicly disclosing private facts about the plaintiff. Public Disclosure of Private Facts or Publicity Given to Private Life is a tort under privacy law that protects individuals from the unauthorized dissemination of private information that is not of public concern. This tort aims to safeguard an individual's right to privacy and prevent unwarranted intrusion into their personal lives. To establish a claim for public disclosure of private facts, the following elements generally need to be proven:
• Publication of Private Facts: The defendant must have publicized private information about the plaintiff. This publication can be through various means such as media outlets, social media, or any other public platform.

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) protects sensitive patient health information from being disclosed without the patient's consent or knowledge. HIPAA sets the standard for protecting sensitive patient data held by health care providers, insurance companies, and their business associates. The Federal Trade Commission plays a crucial role in enforcing federal privacy laws that protect consumer privacy and security, particularly in commercial practices.
It oversees the enforcement of laws such as the Fair Credit Reporting Act, which regulates the collection and use of consumer credit information. One of the central privacy policies concerning minors is the Children's Online Privacy Protection Act (COPPA), which requires children under the age of thirteen to gain parental consent before putting any personal information online. Additional federal laws related to privacy include:
• Communications Act of 1934
• Fair Debt Collection Practices Act (1977)
• Right to Financial Privacy Act of 1978
• Electronic Communications Privacy Act (1986)
• Computer Fraud and Abuse Act of 1986
• Video Privacy Protection Act (1988)
• Driver's Privacy Protection Act (1994)
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Information Technology Management Reform Act of 1996 (Clinger–Cohen Act)
• Financial Services Modernization Act (Gramm–Leach–Bliley Act, 1999)
• E-Government Act of 2002

State privacy laws
Individual states also enact their own privacy laws. The California Consumer Privacy Act is one of the most stringent privacy laws in the U.S. It provides California residents with the right to know about the personal data collected about them, the right to delete personal information held by businesses, and the right to opt out of the sale of their personal information. Businesses must disclose their data collection and sharing practices to consumers and allow consumers to access their data and opt out if they choose. The Act expanded existing consumer rights in the state in 2023, providing citizens the right to reduce the collection of data and correct false information.

Enforcement and impact
Enforcement of these laws is specific to the statutes and the authorities responsible. For instance, HIPAA violations can lead to substantial fines imposed by the Department of Health and Human Services, while the Federal Trade Commission handles penalties under consumer protection laws.
State laws are enforced by respective state attorneys general or designated state agencies. A handful of lists and databases help risk managers research U.S. state and federal laws that define liability. The Perkins Coie Security Breach Notification Chart is a set of articles (one per state) that define data breach notification requirements among U.S. states. The NCSL Security Breach Notification Laws is a list of U.S. state statutes that define data breach notification requirements.

Uzbekistan
Though the right to privacy exists in several regulations, the most effective privacy protections come in the form of constitutional articles of Uzbekistan. Varying aspects of the right to privacy are protected in different ways in different situations.

Vietnam
Vietnam, lacking a general data protection law, relies on Civil Code regulations relating to personal data protection. Specifically, the Code "protects information relating to the private life of a person." The 2006 Law on Information Technology protects personal information, such as name, profession, phone number, and email address, and declares that organizations may only use this information for a "proper purpose". The legislation, however, does not define what qualifies as proper. The 2010 Law on Protection of Consumers' Rights provides further protection for consumer information, but it does not define the scope of that information or create a data protection authority; additionally, it is only applicable in the private sector.
Countries without official data privacy laws
• Afghanistan • Algeria • Bahrain • Bangladesh • Belize • Bolivia • Botswana • Burundi • Cambodia • Cameroon • Central African Republic • Comoros • Cuba • Djibouti • Ecuador • Egypt • El Salvador • Equatorial Guinea • Eritrea • Ethiopia • Fiji • Gambia • Guatemala • Guinea • Haiti • Iran • Iraq • Jordan • Kiribati • Kuwait • Lebanon • Liberia • Libya • Malawi • Maldives • Mongolia • Mozambique • Myanmar • Namibia • Nauru • Oman • Pakistan • Palau • Palestine • Panama • Papua New Guinea • Rwanda • Samoa • Saudi Arabia • Sierra Leone • Somalia • Sudan • Syria • Tajikistan • Timor-Leste • Togo • Tonga • Turkmenistan • Tuvalu • United Arab Emirates • Uzbekistan • Vanuatu • Vatican (Holy See) • Venezuela • Zambia
Related concepts
Privacy laws focus on protecting individuals' rights to control their personal and sensitive information, while preventing unauthorized intrusion into their private lives. They encompass strict regulations governing data protection, confidentiality, surveillance, and the use of personal information by both government and corporate entities.

Trespass to land laws focus on breaches of privacy rights related to physical intrusion onto an individual's property or personal domain without consent. This involves illegal activities such as: entering an individual's residence without consent, conducting surveillance using physical methods (e.g., deploying hidden cameras), or any unauthorized entry onto the individual's property.

Negligence laws generally address situations where individuals or entities fail to exercise appropriate caution in protecting the privacy rights of others, often holding them accountable through severe penalties like heavy fines. This aims to ensure compliance and deter future violations, involving incidents such as any mishandling of sensitive data, poor security measures leading to data breaches, or any non-compliance with privacy policies and regulations.

Fiduciary laws regulate the relationships characterized by trust and confidence, where the fiduciary accepts and complies with the legal responsibility for duties of care, loyalty, good faith, confidentiality, and more when entrusted in serving the best interests of a beneficiary. In terms of privacy, fiduciary obligations may extend to professionals like lawyers, doctors, financial advisors, and others responsible for handling confidential information, as a result of a duty of confidentiality to their clients or patients.