AI Summarize

Share

Different countries can at times have wildly diverging privacy laws. But for large multinational companies or even small companies operating across borders, they may be subject to more than one privacy law at a time. Working out how to comply with these issues can be difficult, and fines or other penalties for breaches could be significant.

This article will cover some of the challenges of conflicting privacy laws, including consent models, data localisation requirements, and enforcement issues. Then we'll go through steps that you can take to ensure compliance.

Let's begin.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



Differences in Privacy Laws

One of the most comprehensive privacy laws in the world is the General Data Protection Regulation (GDPR) in Europe. But this is far from the only one: 79% of countries around the world have enacted privacy legislation of some kind. Many of these laws apply to businesses that are processing the data of their citizens, while others apply only to businesses that operate in that country.

This means if you have a website with international reach, or have a company with branches in multiple countries, you may need to comply with multiple different laws, depending on where your users come from, and where your business is based.

Even within the EU, businesses may be subject to several individual countries' implementations of the GDPR, as each country has to establish their own law to reflect the GDPR's requirements.

Some differences in privacy laws that you will need to consider include:

  • Jurisdiction
  • Enforcement
  • Consent model
  • Data localisation

Let's take a look at each of those now.

Jurisdiction

The GDPR applies to all EU citizens or residents, regardless of where the processing company is based, while laws like the California Consumer Privacy Act (CCPA) apply to businesses doing business in California.

Others like the Personal Information Protection and Electronic Documents Act (PIPEDA), apply primarily to private-sector organizations in Canada.

Some are narrow in other ways, such as the Lei Geral de Proteção de Dados (LGPD) in Brazil, which applies only to data processed within national borders. The Personal Information Protection Act (PIPA) in South Korea also takes the same approach as the LGPD.

More restrictive regimes, such as China's PIPL, apply to both domestic data processing and overseas processing of Chinese citizens' personal data "where the purpose is to provide products or services, or to analyze individuals' behavior." These laws effectively create jurisdictional overlaps that businesses must reconcile through careful data mapping and legal review.

You'll need to consider where your business is based, and where your users are based, to work out which laws apply to you.

Enforcement

Each law also has its own penalties and enforcement rules. The GDPR, for instance, includes fines of up to €20 million (EUR) or 4% of a company's annual global turnover.

Under the CCPA, however, fines range from only $2500-$7500 (USD) per violation. Under PIPEDA, fines can go up to around $100,000 (CAD) per violation. In this case you can see that the GDPR's penalties are significantly higher than other privacy laws.

While the CCPA/CPRA has lower statutory fines ($2,500–$7,500 per violation), enforcement activity has increased since the California Privacy Protection Agency became operational. Additionally, businesses in the U.S. face mounting class action risks under biometric and consumer protection laws: notably, Illinois' BIPA, which includes statutory damages of $1,000 to $5,000 per violation.

Depending on the privacy law, you may need to take significantly more compliance measures and steps to reduce the risks of large fines.

GDPR compliance is particularly important, as fines are high and enforcement is carried out frequently. For example, Ireland has currently handed down the top amount of fines for GDPR violations (for a total of €4,037,913,400 (EUR)), while Spain has handed down the top number of fines, at 983.

Other countries like China also take significant enforcement steps, and are increasing their pursuit of violations. The China's Cyberspace Administration (CAC) and other regulators are increasingly active in enforcing the PIPL, with fines reaching hundreds of millions of yuan. China's regulatory framework also includes administrative shutdowns and blacklisting for non-compliant foreign entities.

One important factor to consider is the consent model that is used by different laws you may be dealing with. This is because in some countries you may be able to collect data, and rely on individuals to opt-out of certain types of processing. On the other hand, other jurisdictions require you to obtain consent before you even collect data in the first place.

The GDPR is an opt-in model, which means people have to consent for you to collect and process their data. Under the GDPR, consent must be freely given, active, unambiguous, and informed. Other countries like Brazil, South Africa, and China have also chosen an opt-in model.

Many US state laws use opt-out approaches, such as the CCPA's rules that customers have a right to opt-out of allowing a business to sell their personal information. Other countries like Japan, South Korea, and Singapore use an opt-out model.

PIPEDA, on the other hand, allows both opt-in and opt-out consent processes. Opt-in is required for the collection of sensitive information or information where harm could be caused. Opt-out can be used when the purpose for data collection is clear, users are informed, and opting out is easy.

Getting this correct, and asking for the appropriate consent, is vitally important. Make sure that your website uses the correct geographical settings to present the appropriate consent to people, depending on where they are coming from.

Or, use opt-in processes as a default, to meet the highest standard of what is required under the strictest laws.

Data Localisation

Each privacy law has rules about where and how businesses can store data, and how they need to notify data subjects about transfers of data overseas. Rules around where businesses can store data are called data localisation rules.

Don't assume that each country has the same rules, as some are very restricted in where data can be transferred and stored.

Some countries like China, under their Cybersecurity Law, Data Security Law, and Personal Information Protection Law (PIPL), require most data to only be stored within the country. Transfers are limited and need to be approved to be carried out. Other countries like Vietnam also require data to stay within the country's borders, and are very strict.

Other places like the EU do not require data to be kept within EU borders. However, data must be protected, regardless of where it is stored. If data is transferred to another country, that country has to have an adequacy decision (which states that the country's data protection rules are sufficiently as good as the EU).

On the other hand, the US has no federal data localisation law. There are also no specific state requirements. However, in 2024 the Department of Justice set out to develop a new regulatory programme that would prevent US sensitive data being transferred to "countries of concern", which includes China (including Hong Kong and Macao), Russia, Iran, North Korea, Venezuela and Cuba. This could later develop into data localisation rules.

How to Handle Data Privacy Law Conflicts

As you can see, data privacy laws around the world handle privacy rules quite differently. Some have broad rules around application, while others have strict data localisation requirements or heavy penalties. In particular, consent processes differ, and can lead to serious violations if you get it wrong.

If you're dealing with data coming from multiple jurisdictions, or have a business that operates globally, you'll need to take steps to make sure you can comply with conflicting legal obligations across borders.

Some of the steps you can take include:

  1. Map out your data flows
  2. Identify applicable laws and regulations
  3. Create a global privacy policy
  4. Use cross-border transfer clauses and policies, like SCCs and BCRs
  5. Use compliance software
  6. Use PETs

Let's go through each of those.

Map Out Your Data Flows

First, you need to understand where your data is coming from, where it is stored, and where it is transferred. Without this information, you can't figure out what data privacy laws may apply.

Consider each of your systems that generate, collect, process, or otherwise interact with personal data. Think about which third parties you work with, share data with, or other jurisdictions where you store data in or transfer data to.

Identify Applicable Laws and Regulations

Once you've mapped out your data flows, you need to look at which countries' laws apply to this data. This means you need to consider the residency or citizenship of data subjects whose data you collect, the jurisdictions that your business is based in, jurisdictions you transfer data to, and the location of companies you store data with (including in the cloud).

Then, you'll need to look at whether any applicable laws or regulations have conflicting obligations, such as opt-out approaches in one jurisdiction, and opt-in in another. Look at whether any jurisdictions have data localisation requirements that prevent you from transferring data out of the country.

For example, if you are collecting or processing the data of EU citizens, you'll need to consider if the transfer destination country has an adequacy decision.

For this step, you will most likely need to obtain legal advice to look at all the nuances of the different privacy laws, and consider how they interact. You may need different Privacy Policies for each jurisdiction, and you may need to store data from some parts of your business separately, for example.

Make sure you stay up to date on the laws in the jurisdictions you work in, in case privacy laws are updated or added to.

Create a Global Privacy Policy

If your business is operating in a number of different places, or you collect data from all over the world, a global Privacy Policy can help you to cover many of your obligations.

A global Privacy Policy should cover many of the same sections that a normal Privacy Policy would cover. This includes, among other things:

  • Applicable laws
  • What data is collected and how
  • What persona data is used for
  • Data sharing with other parties
  • Data subject rights
  • Data transfers to other jurisdictions
  • Country-specific terms

Let's take a look at some examples of those clauses.

Applicable Laws

In some global Privacy Policies, a statement of applicable laws is explicitly set out. In this example from Sonova, you can see the different laws that it is complying with:

Sonova Privacy Policy: Compliance with different laws

You can see that the list includes the GDPR, the Swiss Federal Act on Data Protection, the CCPA, the Health Insurance Portability and Accountability Act (HIPAA), and several different Chinese data privacy laws and standards.

You don't need to set out the laws and regulations separately in your policy, but it can help to make your users aware of what different rules and jurisdictions may apply.

What Data is Collected and How

Your global Privacy Policy should also outline what data you collect, and how you collect it. This is common for all Privacy Policies and remains relevant even if your policy is covering multiple jurisdictions.

You can see from Sonova's global Privacy Policy below, that types of personal data collected are outlined in a list:

Sonova Privacy Policy: Personal data collected

In an additional example below from 3M, you can also see a list of data that is collected by the company.

In both examples you can see the list is divided into categories of data, such as identity data, contact information, financial data or transaction data, and more. This helps your users to understand the policy more easily.

3M Privacy Policy: What personal data 3M collects

Your global Privacy Policy should be clear and readable, and break sections down into bullet points like these examples to make it easy to read.

What Personal Data is Used For

You'll also need a section covering what you use personal data for. This should also be presented in a list or bullet-point section, like in this example from Fujitsu:

Fujitsu Privacy Policy: Use of Personal information

You can also see in the following example from Mastercard, that the list of uses is clear and readable.

Mastercard Privacy Policy: We may use your personal information

In both examples you can see data uses like processing payments, marketing, personalising services, support and account management, and more.

Data Sharing With Other Parties

Your global Privacy Policy will need to cover any situations in which you share data with other parties.

In the example from Fujitsu below, you can see this includes sharing with other members of the Fujitsu group of companies, service providers, business partners, and disclosures required by law, among other cases.

Fujitsu Privacy Policy: We may disclose personal information

Mastercard provides a similar section, also noting that data will be shared with other entities within the Mastercard group of companies, service providers, payment ecosystem participants, third parties for fraud monitoring, and more.

Mastercard Privacy Policy: We may disclose Personal information

Think carefully about which third parties you share data with, and make sure to disclose this in your global Privacy Policy.

Data Subject Rights

Many data privacy laws around the world set out data subject rights that need to be reflected in your Privacy Policy. If you have a global Privacy Policy, you'll need to make sure you cover the relevant rights from multiple different jurisdictions.

In this example from 3M, you can see that a number of different rights are set out, such as the right to restrict the sale of data, the right to object to processing of data, and the right to restrict the use or disclosure of sensitive personal data. In the section you can see that both the CCPA and GDPR are mentioned.

3M Privacy Policy: User Rights to Object or Restrict

You can also see in this example from Mastercard that a number of rights are set out that correspond to the rights contained in both the GDPR and the CCPA.

Mastercard Privacy Policy: User rights

Note in the above example that the policy uses language like "depending on your country", and "if you reside in the United States", to specify that different laws from different countries may apply.

Data Transfers to Other Jurisdictions

Your policy should also outline how you handle data transfers to other jurisdictions. When you are operating globally, it's highly likely that storage or processing will occur elsewhere than where the data was collected.

In the section from 3M below, you can see that personal data may be transferred across borders to other 3M affiliates, support companies, or other entities. The section notes that many transfers may be to the United States, Costa Rica, Philippines and Poland.

3M Privacy Policy: Cross-border transfers

In the example from Mastercard below, the policy also explains that personal data may be transferred to the US for processing.

Mastercard Privacy Policy: Data transfers

You can also see that the section notes that if you are located in the EEA, UK, or Switzerland, data will be transferred in accordance with adequacy decisions, binding corporate rules, or standard contractual clauses. Countries with adequacy decisions are then listed for the customer's information.

Country-specific Terms

Like the "Applicable laws" section discussed above, you can also include country-specific sections in your global Privacy Policy that outline specific rights or information for individual jurisdictions.

In this example you can see a section from Webflow, which outlines California privacy rights specifically. It notes that it applies only to California residents.

Webflow Privacy Policy: California Privacy Rights

In the example from Fujitsu below, a number of different country-specific terms are set out, with links to individual terms and policies that apply to users located in those countries.

Fujitsu Privacy Policy: Country specific terms

Policies like this can help to ensure you meet relevant responsibilities and compliant obligations for the various different jurisdictions that apply to you.

Use Cross-Border Transfer Clauses and Policies

When you are transferring data between jurisdictions, make sure you also use tools and mechanisms like Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). These are contractual mechanisms that are approved by the European Commission, and help to make sure that transfers are legally compliant for GDPR purposes.

However, the Schrems II ruling (CJEU, Case C-311/18) held that SCCs must be supplemented by Transfer Impact Assessments (TIAs) and technical safeguards (e.g., encryption, pseudonymization) to ensure "essential equivalence" in protection. This means SCCs alone are insufficient if local surveillance laws or government access threaten data subject rights.

You should also make sure the country you want to transfer data to has an adequacy decision for the purposes of the GDPR. In other countries, you may need permission from government departments or privacy regulatory bodies.

Your business should also have internal policies that explain to your employees how you transfer and store personal data safely across borders.

Use Compliance Software

Another helpful approach is to use compliance software to help you keep track of overlapping privacy obligations.

Privacy compliance software enables businesses to automate and operationalize key aspects of their programs, including:

  • Mapping global data flows and storage locations
  • Managing consent preferences across legal regimes
  • Responding to DSARs (Data Subject Access Requests)
  • Tracking regulatory changes and risk alerts
  • Monitoring and documenting compliance audits

Use PETs

Finally, for all types of data collection and processing, make sure you protect data with Privacy-Enhancing Technologies (PETs). PETs include approaches like encryption, anonymization, and pseudonymization.

These help to protect data during transfers and during storage, and can help you to comply with many different privacy laws around the world. For example, the European Data Protection Board (EDPB) recommends all of these PETs when transferring data from the EU to the US (also described as "supplementary measures").

Summary

In an increasingly-global working environment, clashes between privacy laws will become commonplace. If your business is working in multiple jurisdictions or processing the data of people from many places, you'll need to make sure you manage your legal obligations well.

By mapping out your data flows carefully, identifying relevant laws, and creating a global privacy policy, you'll be in a good position to comply.

Make sure you use appropriate cross-border transfer clauses, compliance software, and PETs, to protect data during transfer and storage, and to meet your legal obligations.

Privacy Policy Generator
The first step to compliance: A Privacy Policy.

Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.

Generate Privacy Policy