Table of Contents
Australia
Privacy (Commonwealth):
- Privacy Act 1988 (Cth) (“Privacy Act”) (this contains the Australian Privacy Principles(“APPs”))
- [Spam Act 2003 (Cth) (“Spam Act”) (regulates sending of commercial electronic messages)
- Do Not Call Register Act 2006 (Cth) (“DNCR Act”) (regulates telemarketing activities)]
- Online Safety Bill
Privacy (State and Territory — public sector only):
- Information Privacy Act 2014 (ACT)
- Privacy and Personal Information Protection Act 1998 (NSW)
- Information Act 2002 (NT)
- Information Privacy Act 2009 (Qld)
- Personal Information and Protection Act 2004 (Tas)
- Privacy and Data Protection Act 2014 (Vic)
- South Australia (“SA”) and Western Australia (“WA”) have public sector privacy policies/guidelines (e.g., in SA, the PC012 Information Privacy Principles (IPPS). Instructions), although these do not have the force of law.
Health sector-specific (Commonwealth):
Health sector-specific (State / Territory):
- Health Records (Privacy and Access) Act 1997 (ACT)
- Health Records and Information Privacy Act 2002 (NSW)
- Health Records Act 2001 (Vic)
Telecommunications-specific:
- Telecommunications Act 1997 (Cth) (“Telecommunications Act”) (particularly, Part 14 — National Interest Matters and Part 15 – Industry Assistance)
- Telecommunications (Interception and Access) Act 1979 (Cth)
Surveillance (including workplace surveillance):
- Listening Devices Act 1992 (ACT)
- Workplace Privacy Act 2011 (ACT)
- Surveillance Devices Act 2007 (NSW)
- Workplace Surveillance Act 2005 (NSW)
- Surveillance Devices Act 2007 (NT)
- Invasion of Privacy Act 1971 (QLD)
- Surveillance Devices Act 2016 (SA)
- Listening Devices Act 1991 (Tas)
- Surveillance Devices Act 1999 (Vic)
- Surveillance Devices (Workplace Privacy) Act 2006 (Vic) (inserted Part 2A into main Surveillance Devices Act 1999)
- Surveillance Devices Act 1998 (WA)
Security:
- Security of Critical Infrastructure Act 2018 (Cth) (“SOCI Act”)
- Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (amends certain of the telecommunications and surveillance laws listed above and other legislation)
Various other laws deal with aspects of national security in Australia, which may have implications for data security, including:
- Australian Security Intelligence Organisation Act 1979 (Cth)
- Crimes Act 1914 (Cth) (e.g., section 3, “terrorism offences”)
- Criminal Code Act 1995 (Cth) (e.g., Divisions 91 and 92, espionage and foreign interference)
- Foreign Influence Transparency Scheme Act 2018 (Cth)
- Intelligence Services Act 2001 (Cth)
- Office of National Intelligence Act 2018 (Cth)
- National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 (Cth)
Freedom of information (FOI) laws:
- Freedom of Information Act 1982 (Cth)
- Freedom of Information Act 2016 (ACT)
- Government Information (Public Access) Act 2009 (NSW)
- Information Act 2002 (NT)
- Right to Information Act 2009 (QLD)
- Freedom of Information Act 1991 (SA)
- Right to Information Act 2009 (Tas)
- Freedom of Information Act 1982 (Vic)
- Freedom of Information Act 1992 (WA)]
Other:
China
- Personal Information Protection Law of the People’s Republic of China on August 20, 2021
- The Cybersecurity Law
- Civil Code of People’s Republic of China effective as of January 1st 2021
- The Criminal Code, last amended on November 4, 2017
- The Law on Protection of Rights and Interests of Consumers, last amended on March 15, 2014
- The Interpretations of the Supreme People’s Court and the Supreme Procuratorate on Several Issues Concerning Handling of Cases Involving Infringement Upon Personal Information of Citizens
- PRC Encryption Law, 2020
- Second draft of the Personal Information Per Act.
- The Law of the people’s republic of china on the protection of personal information.
- Data Security Law.
- Shenzhen Special Economic Zone Data Regulation
- Shanghai Data Regulations
India
- Data Protection Bill, 2021
- The Information Technology Act, 2000 (“IT Act”)
- The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Privacy Rules”)
- Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”).
- Digital Personal Data Protection Act, 2023.
Indonesia
- Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions (“EIT Law”)
- Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions (“GR 82”)
- Minister of Communication and Informatics (“MOCI”) Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (“MOCI Regulation 20”) (together, “Data Protection Regulations”)
- Law No. 23 of 2006, as amended by Law No. 24 of 2013 on Demographic Administration
Japan
- The Act on Protection of Personal Information, (APPI)
- Amended Act on the Protection of Personal Information
- Basic Policy for protecting Personal Information
- Enforcement Regulation of APPI
- Enforcement Order of APPI
- Guidelines on the Act on Protection of Personal Information
- Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision
- Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No. 27 of 2013, as amended)
Kyrgyzstan
New Zealand
Pakistan
- The Prevention of Electronic Crimes Act, 2016 criminalizes unauthorized: access to information systems or data, copying or transmission of data and use of identity information.
- Personal Data Protection Bill 2020 (‘the bill’)
Russia
- Federal Law of 27 July 2006 N 152-FZ On Personal Data
- Federal Law No. 149-FZ of 27 July 2006, on Information, Information Technology and Data Protection
- Federal Law of 24 April 2020 No. 123-FZ
- Code of Administrative Offences
- Federal Law of 30 December 2020 No 519-FZ on Personal Data as amended on 1 March 2021.
- Code of Administrative Offenses Amended on 24 February 2021- Federal Law of 24 February 2021 No. 19-FZ.
Tajikistan
- Personal Data Protection Law, No.1537 of 3 August 2018
- Protection Data Law, No.631 of 15 May 2002
- Informatization Law, No. 40 of 6 August 2001
- Information Law, No.609 of 10 May, 2002
- Regulation on Certification of Information Security Facilities, Attestation of Information Objects and the Procedure for
- Their State Registration, No.404 of 1 October 2004
- The List of Information Security Facilities Subject to State Certification, No.424 of 24 February 2008
Thailand
- Personal Data Protection Act 2019
- The Notification of the National Telecommunications Commission Re: Measures to Protect Telecommunications Users, Data Privacy, Privacy Rights and Freedom of Communications
- The Official Information Act B.E. 2540 (1997)
- The Credit Information Business Act B.E. 2545 (2002)
- The Child Protection Act B.E. 2546 (2003)
- The National Health Act B.E. 2550 (2007)
- The Payment System Act B.E. 2560 (2017)
Uzbekistan
- The Law on Personal Data No. ЗРУ-547 (The Law) (enacted on 2nd July, 2019) and further amended on 16 April 2021.
- Constitution of Uzbekistan
- Law No. 439-II ‘On Principles and Guarantees of Freedom of Information’
- Law No. 560-II ‘On Informatization’
- Law of the Republic of Uzbekistan, No. ORQ-764 of 04.15.2022 on Cybersecurity
- Law No. 530-II ‘On Bank Secrecy’ under which a bank is prohibited to disclose bank secrecy, and should guarantee its protection
- Law No. 822-I ‘On Telecommunications’ under which all operators and service providers are obliged to ensure the secrecy of communications
- Law No. 265-I ‘On Protection of Citizens’ Health’ under which the medical secrecy is protected
- Law No. 358-II ‘On Insurance Activities’ under which insurance companies should guarantee the confidentiality of information which became available in course of provision of insurance services.
- Law No. ZRU-385 of the Republic of Uzbekistan ‘On E-Commerce’ (new version)
Vietnam
- Law No. 91/2015/QH13, adopted by the National Assembly on 24 November 2015 (“Civil Code”)
- Law No. 67/2006/QH11, adopted by the National Assembly on 29 June 2006 (“ITLaw”)
- Law on Cyber Information Security No. 86/2015/QH13, adopted by the NationalAssembly on 19 November 2015 (“LOCIS”)
- Law No. 24/2018/QH14, adopted by the National Assembly on 12 June 2018 (“Law on Cybersecurity”)
- Law No. 59/2010/QH12, adopted by the National Assembly on 17 November 2010 (“Law on Consumer Protection”)
- Law No. 10/2016/QH13 dated 5 April 2016, effective from 1 June 2017 (“Law on Children”).
- Decree No. 72/2013/ND-CP, dated 15 July 2013, on the management, provision and use of internet services and online information, as amended and supplemented by Decree No. 27/2018/ND-CP (“Decree No. 72”)
- Decree No. 52/2013/ND-CP dated May 16, 2013 of the Government on e-commerce
- Draft Decree on Personal Data Protection
- Decree No. 174/2013/ND-CP, dated 13 November 2013, providing penalties for administrative violations pertaining to postal, telecommunication, information technology and radio frequency areas (“Decree No. 174”)
- Draft Decree on Personal Data Protection 2021.
*Disclaimer: This general information is provided for reference purpose only. It is informed that laws are subject to frequent updation and each jurisdiction may have additional civil laws and policies in place. Also link to laws provided for certain countries are of unofficial english translation therefore readers are advised to cross-check/ validate the information provided from official sources.
