Brazil
The collection and processing of personal data is regulated by the Brazilian General Data Protection Law – LGPD (n. 13.709/18). But it is also important to note that such law is embedded in a set of rules that address, at least in some respect, issues relating to privacy and protection of personal data, as the following:
- General Telecommunications Law (Federal Law n. 9,472 of 1997) Criminal Identification Law (Federal Law n. 12,037 of 2009) Freedom of Information Act (Federal Law n. 12,527 of 2011)
- Civil Rights Framework for the Internet (Federal Law n. 12,965 of 2014).
Russia
Most rules are found in specific legislation, particularly the Data Protection Act No. 152 FZ dated 27 July 2006 (DPA) and various regulatory acts adopted to implement the DPA as well as other laws, including the Information, Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006 establishing basic rules as to the information in general and its protection. In addition, the Russian Labour Code contains provisions on the protection of employees’ personal data (Part XIV). Other laws may also contain data protection provisions, which implement the data protection rules in relation to specific areas of state services or industries.
New amendments to the Federal Law No. 152-FZ were introduced by Federal Law No. 519-FZ of December 30, 2020. Federal Law No. 515-FZ of 30.12.2020 “On Amendments to Certain Legislative Acts of the Russian Federation to Ensure the Confidentiality of Information about Protected Persons and on the Implementation of Operational Search Activities” also introduced new rules regarding the protection of the personal data of “protected persons” (see question 8)
India
A draft Personal Data Protection Bill was released in 2018 and was introduced in the Parliament in December, 2019. While it is being discussed, the Information Technology (Amendment) Act, 2008, provides limited protection. In addition, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and the Aadhaar and Other Laws (Amendment) Act, 2019 address questions regarding personal data specifically in the context of Aadhaar, India’s unique ID. Sectoral directions and regulations, such as those issued by the Reserve Bank of India, also impact personal data. Further draft policies and laws that address aspects of data protection include the draft National e-Commerce Policy, 2019, and the DNA Technology (Use and Application) Regulation Bill, 2019.
China
On Aug. 20, 2021, the Standing Committee of the 13th National People’s Congress approved China’s first comprehensive Personal Information Protection Law (PIPL), which will come into force on Nov. 1, 2021. The right to protection of personal information is also guaranteed by the Civil Code of the People’s Republic of China, and several administrative measures, national standards and industry-specific regulations also define rules applicable to the collection and use of personal data, both on the public and private sectors, such as:
- People’s Republic of China Criminal Law (1997) Amendment V (2005), VII (2009), and IX (2015)
- Law of the People’s Republic of China on Resident Identity Cards (2003)
- Passport Law of the People’s Republic of China (2007)
- China’s National Health and Family Planning Commission’s Administrative Measures for Population Health Information (2014)
- Cybersecurity Law of the People’s Republic of China (2017)
- E-Commerce Law of the People’s Republic of China (2019)
- Implementing Measures of the People’s Bank of China for the Protection of Financial Consumers’ Rights and Interests (2020)
- Data Security Law of the People’s Republic of China (2021)
South Africa
The Electronic Communications and Transactions Act, 25 of 2002 (ECTA). The CyberCrimes Act, 19 of 2020. The Protection of Personal Information Act 4 of 2013 (POPIA). This Act has come into effect in June 2021 after a one year grace period.