Although the volume of data that flows between the EU and the U.S. ensures that EU privacy law occupies most of the spotlight on the world stage, other countries have their own privacy laws worth noting as well.1
Different Types of Privacy Regimes
As a preliminary matter, it is important to keep in mind that most countries' privacy regimes can be grouped into two categories: sectoral and comprehensive. As mentioned in the previous post, privacy law in the U.S. is sectoral, meaning that different laws and regulations govern data from one industry to the next. For example, the Health Insurance Portability and Accountability Act (HIPAA) includes a Privacy Rule and a Security Rule meant to protect people's medical records; the Family Educational Rights and Privacy Act (FERPA) regulates the release of students' educational records; and the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act applies to the financial industry. Further complicating matters is the fact that both the state and the federal governments may enact privacy laws, which has led to varying privacy-related requirements across the country.
The U.S. is not the only country in the world that takes a sectoral approach. China, for example, also regulates privacy through multiple laws targeting different industries and types of data, and Canadian provinces may enact their own privacy laws that vary from one another to some degree. It can be particularly tricky to navigate the privacy laws of a foreign country that takes the sectoral approach, as there is always the risk of glossing over or missing a law or regulation governing a given set of data due to lack of familiarity with that country's legislative system. Therefore, it is especially important to consult a privacy lawyer and/or local counsel in those jurisdictions.
In contrast, the EU Directive, discussed in the first post in this series, is an example of a more comprehensive approach to privacy. It is designed to serve as a single law governing data protection across the board. In recent years, many jurisdictions have adopted a similar approach in crafting their own privacy laws, with countries such as Switzerland (which is not an EU Member State), Malaysia, and South Africa enacting comprehensive data protection laws. Although these laws may seem fairly straightforward, they often contain complicated (or confusing) exceptions or, as in the case of the EU Directive, allow certain jurisdictions...