International Data Privacy Laws and Policies
It is essential for companies to ensure that data has been permanently erased in order to avert the risk of leakage, and international laws and policies on data protection have been created to protect sensitive personal data. We have collected some laws and policies from the US, the European Union, Germany and India for your reference. First of all, we'd like to quote what sensitive personal data includes, from iclg.co.uk:
“Sensitive Personal Data”
The IT Rules define “sensitive personal data or information” as such personal information which consists of information relating to:
- passwords;
- financial information, such as bank account or credit card or debit card or other payment instrument details;
- physical, physiological and mental health conditions;
- sexual orientation;
- medical records and history;
- biometric information;
- any details relating to the above clauses as provided to a body corporate for provision of services; and
- any information received under the above clauses by a body corporate for processing, or which has been stored or processed under lawful contract or otherwise.
Provided that any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act (2005) or any other law currently in force, shall not be regarded as sensitive personal data or information for the purposes of these rules.
The proposed Privacy Bill provides a more specific definition of “sensitive data” as follows:
“Sensitive personal data” of an individual means personal data relating to:
- Unique Identifiers such as the Aadhar number or PAN (Personal Account Number);
- physical and mental health, including medical history;
- biometric or genetic information;
- criminal convictions;
- banking credit and financial data; and
- narco analysis and/or polygraph test data.
You can read more from this page:
http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2016/india
Data protection in the United States:
Compliance Requirement
26. What are the sanctions and remedies for non-compliance with data protection laws?
Penalties for violations of the GLB Act are determined by the authorising statute of the agency that brings the enforcement action. For example, an enforcement action brought by the FTC could include penalties of up to US$16,000 per offence. Individuals who obtain, attempt to obtain, cause to be disclosed or attempt to cause to be disclosed customer information of a financial institution relating to another person through a false, fictitious or fraudulent means, can be subject to fines and/or imprisoned for up to five years. In addition, there are criminal penalties for the perpetrator of up to ten years in prison and fines of up to US$500,000 (for an individual) and US$1 million (for a company) if such acts are committed or attempted while violating another US law or as part of a pattern of illegal activity involving more than US$100,000 in a year.
From: us.practicallaw.com/6-502-0467
Data protection in the European Union:
The General Data Protection Regulation
Data breaches
Under the GDPR, the independent Data Protection Officer (DPO) will be under a legal obligation to notify the Supervisory Authority without undue delay and this is also still subject to negotiations at present. The reporting of a data breach is not subject to any de minimis standard and it is likely that the GDPR will provide that such breaches must be reported to the Supervisory Authority as soon as they become aware of the data breach (Article 31). Individuals have to be notified if adverse impact is determined (Article 32).
Sanctions
The following sanctions can be imposed:
- a warning in writing in cases of first and non-intentional non-compliance
- regular periodic data protection audits
- a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 4)
- a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 5 & 6)
Wikipedia has the full explanation here:
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Data_breaches
Data protection in Germany:
The German Federal Data Protection Act
26. What are the sanctions and remedies for non-compliance with data protection laws?
A violation of the Federal Data Protection Act (BDSG) can result in fines of up to EUR300,000. The fine must exceed any financial benefit to the perpetrator derived from the unlawful data processing. If the financial benefit is higher than EUR300,000, the fine can also be higher.
If a violation is considered to be a criminal offence, it is punishable with up to two years in prison or a fine.
A violation of sector-specific telecoms secrecy obligations (which can be applicable to employers who allow or tolerate private use of business e-mail accounts) is punishable with up to five years in prison or a fine. The risk of such a violation often arises when an employer reviews the e-mail accounts of an employee without obtaining his prior consent.
The upcoming EU data protection regulation foresees administrative fines of up to EUR20 million or, in the case of an undertaking, 4% of its total worldwide annual turnover.
From: us.practicallaw.com/3-502-4080#a189243
Data protection in India:
The Information Technology Act, 2000
Penalty for damage to computer, computer system, etc.
43. If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network, (a) accesses or secures access to such computer, computer system or computer network; he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.
Read more from here: https://en.wikipedia.org/wiki/Information_Technology_Act,_2000
- Published in Wipe Hard Drive