TOP 5: Countries from a Data Protection perspective, as you have never seen them before

In the past two decades, data protection and privacy has become a major focus globally, resulting in legislation being enacted in most countries that place the obligation on businesses to protect the privacy of personal data they handle. Data protection is the process of safeguarding important information from corruption, compromise, or loss. All countries share a clear, unified goal; regulate the processing of data.

As the amount of data created and stored continues to grow at an unprecedented rate, so does the importance to protect this data. Today, most countries have some form of data protection law in place. All companies and organisations are obliged to comply with the data privacy laws of all the jurisdictions in which data are processed, which is no easy task.

This article will dive into the current trends and legislation in different countries in relation to data protection and privacy law, as well as the challenges and risks brought about by the processing of data under the prevailing circumstances. We will focus on 5 countries: Brazil, China, the United Kingdom (UK), the United States of America (USA), and Switzerland (CH).

The definition of data differs from jurisdiction to jurisdiction. However, the common thread between each jurisdiction has been that data refers to information concerning an identifiable living, natural person. Most jurisdictions also recognize the concept of sensitive or special personal information, which you can find detailed information in the table below.

(1) The VCDPA requires controllers to obtain consumer consent before processing sensitive data or, with regards to known children, process such data in accordance with the federal Children’s Online Privacy Protection Act. Moreover, the VCDPA requires controllers to conduct and document a data protection assessment prior to processing sensitive data.
(2) The VCDPA and CPA require controllers to obtain consent to process sensitive data, their definitions of consent are not identical. Interestingly, the VCPDA and CPA do not specifically state that controllers must allow consumers to withdraw consent at any time (as does GDPR Article 7, for example). The CPA does address the withdrawal of consent in the context of the universal opt-out mechanism, but not in the context of processing of sensitive data.