1. General Data Protection Regulation (GDPR):
  • Jurisdiction: European Union (EU) and European Economic Area (EEA) countries. It also applies extraterritorially to organizations outside the EU/EEA that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA.
  • Key Provisions: GDPR establishes rules for the collection, processing, and storage of personal data, including lawful-basis and consent requirements, data subject rights (e.g., right of access, right to erasure), breach notification to the supervisory authority within 72 hours of becoming aware of a breach, and data protection impact assessments (DPIAs) for high-risk processing.
  • Penalties: GDPR violations can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher.
2. California Consumer Privacy Act (CCPA):
  • Jurisdiction: California, United States (as amended by the California Privacy Rights Act, CPRA)
  • Key Provisions: CCPA grants California residents rights over their personal information, including the right to know, the right to opt out of the sale or sharing of personal information, and the right to delete personal information. It requires businesses to disclose their data practices, provide opt-out mechanisms, and implement reasonable security measures.
  • Penalties: CCPA violations can result in civil penalties of up to $7,500 per intentional violation and $2,500 per unintentional violation.
3. Health Insurance Portability and Accountability Act (HIPAA):
  • Jurisdiction: United States (applies to covered entities, i.e., healthcare providers, health plans, and healthcare clearinghouses, and to their business associates)
  • Key Provisions: HIPAA sets standards for the protection of protected health information (PHI), including the Security Rule (administrative, physical, and technical safeguards for electronic PHI), the Privacy Rule (privacy notices and patient rights), and the Breach Notification Rule.
  • Penalties: HIPAA violations can result in civil penalties ranging from $100 to $50,000 per violation (base statutory amounts, adjusted annually for inflation), with a maximum penalty of $1.5 million per year for violations of the same provision.
4. Personal Data Protection Act (PDPA):
  • Jurisdiction: Singapore
  • Key Provisions: PDPA regulates the collection, use, and disclosure of personal data by organizations in Singapore. It includes requirements for consent, purpose limitation, data accuracy, appointment of a data protection officer (DPO), and mandatory data breach notification to the Personal Data Protection Commission (PDPC).
  • Penalties: PDPA violations can result in fines of up to S$1 million for organizations (since the 2022 amendments took effect, up to 10% of an organization's annual turnover in Singapore where that exceeds S$1 million) and up to S$10,000 for individuals per offence.
5. Personal Information Protection Law (PIPL):
  • Jurisdiction: China (it also applies extraterritorially to processing of personal information of individuals in China for the purpose of providing them products or services or analysing their behaviour)
  • Key Provisions: PIPL establishes rules for the processing of personal information, including requirements for consent, purpose limitation, data localization for certain operators, data subject rights, and security assessments or other approved mechanisms for cross-border data transfers.
  • Penalties: PIPL violations can result in fines of up to 5% of the previous year's annual revenue or 50 million yuan (roughly $7 million), as well as suspension of business operations and revocation of business licenses.
6. Data Protection Act 2018 (DPA 2018):
  • Jurisdiction: United Kingdom
  • Key Provisions: DPA 2018 supplements the UK GDPR (the retained version of GDPR after the UK left the EU) and governs the processing of personal data in the UK. It includes provisions for law enforcement data processing, intelligence services data processing, and exemptions for specific purposes (e.g., journalism, research).
  • Penalties: Violations of the UK GDPR and DPA 2018 can result in fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.