Laws
Data sovereignty and privacy laws from jurisdictions worldwide, including access powers, localization requirements, and protection frameworks
AI Act
Regulation on Artificial Intelligence
The AI Act categorizes AI systems by risk level: prohibited practices (social scoring, emotion recognition in workplaces and schools, predictive policing based solely on profiling, untargeted scraping of facial images), high-risk systems (critical infrastructure, education, employment, law enforcement, essential services), and limited or minimal risk. High-risk AI must meet strict requirements for data quality, technical documentation, logging, transparency, human oversight, accuracy and robustness before being placed on the market.
APPI
Act on the Protection of Personal Information
APPI protects personal information handled by business operators. The 2015 amendments created the Personal Information Protection Commission (PPC) as the central regulator; the 2020 amendments (in force April 2022) expanded individual rights (deletion, suspension of use), introduced mandatory breach notification to the PPC, and strengthened cross-border transfer rules. Japan and the EU recognized each other's regimes as adequate in 2019, enabling data flows in both directions.
BDSG
Bundesdatenschutzgesetz (Federal Data Protection Act)
The BDSG supplements GDPR with German-specific rules where EU law allows national flexibility. It contains detailed provisions for employment data processing, public sector data handling, video surveillance, and data protection officers. German data protection authorities at federal and state levels supervise compliance.
CLOUD Act
Clarifying Lawful Overseas Use of Data Act
The CLOUD Act establishes that US jurisdiction follows the provider, not the data location. Providers subject to US jurisdiction must comply with warrants and orders for data in their possession, custody, or control even if it is stored in EU datacenters; a limited comity procedure lets a provider challenge an order that would violate the law of a 'qualifying foreign government' with a CLOUD Act agreement. This creates direct conflicts with GDPR (Article 48 recognizes third-country orders only through an MLAT or international agreement) and undermines the 'datacenter location' approach to data sovereignty.
CRA
Cyber Resilience Act
The CRA imposes security-by-design obligations on manufacturers of products with digital elements, covering both connected hardware and software. Products must meet essential cybersecurity requirements, receive vulnerability handling and security updates for a defined support period, and carry CE marking certifying compliance; manufacturers must also report actively exploited vulnerabilities and severe incidents to ENISA and the national CSIRT. 'Important' and 'critical' product categories face stricter conformity assessment, including mandatory third-party assessment for the higher classes.
Cybersecurity Law
Cybersecurity Law of the People's Republic of China
The Cybersecurity Law requires critical information infrastructure operators to store personal information and important data collected in China within China. Cross-border transfers require security assessments. Network operators must provide technical support and assistance to public security and state security organs; the 2015 Counter-Terrorism Law separately requires decryption assistance.
Data Act
Regulation on harmonised rules on fair access to and use of data
The Data Act creates new rights for users to access and share data generated by connected devices and related services. It establishes obligations for data holders, enables public sector access to private data in emergencies, and gives customers the right to switch cloud providers without lock-in.
Data Localization Law
Federal Law No. 242-FZ on Personal Data Localization
Federal Law 242-FZ mandates that databases containing Russian citizens' personal data must be physically located in Russia. Companies collecting such data must record, systematize, accumulate, and store it on Russian servers. Cross-border transfer is permitted only after initial localization.
Data Security Law
Data Security Law of the People's Republic of China
The Data Security Law creates a tiered data classification system (core, important, general) with corresponding protection requirements. Cross-border transfers of 'important data' face restrictions and assessments. The state can access data for national security purposes, and organizations must cooperate with public security requests.
DGA
Data Governance Act
The DGA establishes rules for data intermediation services and data altruism organizations. It creates conditions for re-using protected public sector data, sets registration requirements for data intermediaries acting as neutral brokers, and enables individuals and companies to donate data for the common good.
DMA
Digital Markets Act
The DMA targets large platforms that act as gatekeepers between businesses and consumers. Designated gatekeepers must allow interoperability, enable data portability, refrain from self-preferencing, and provide fair access terms to business users. Non-compliance can result in fines up to 10% of global turnover.
DORA
Digital Operational Resilience Act
DORA creates a comprehensive framework for digital operational resilience in financial services. It requires financial entities to implement robust ICT risk management, report major ICT incidents, test their digital resilience regularly, and manage risks from third-party ICT service providers including cloud platforms.
DPDP Act
Digital Personal Data Protection Act 2023
The DPDP Act grants data principals (individuals) rights including access, correction, erasure, and grievance redress. Data fiduciaries (controllers) may process personal data only on the basis of consent or for 'certain legitimate uses' enumerated in the Act. However, the government has broad powers to exempt its agencies and notified processing from the Act on grounds of sovereignty, security, and public order.
DSA
Digital Services Act
The DSA creates a tiered liability framework for online intermediaries based on their size and role. It requires notice-and-takedown mechanisms, transparency reporting, algorithmic accountability for very large platforms (VLOPs), and risk assessments for systemic risks to democracy, public health, and fundamental rights.
ECPA
Electronic Communications Privacy Act
ECPA sets rules for when the US government can access electronic communications. Passed in 1986, it has three titles: the Wiretap Act (real-time interception of content, requiring a warrant), the Stored Communications Act (stored content and records held by providers, with protection that historically dropped for content stored more than 180 days), and the Pen Register Act (dialing, routing, and addressing metadata, requiring only a court order on a relevance showing). The law has been criticized as outdated for the cloud computing era, where most data is stored long-term with third parties.
EEA Agreement
Agreement on the European Economic Area
The EEA Agreement integrates EFTA states (except Switzerland) into the EU single market. Relevant EU legislation, including GDPR and other data protection rules, is incorporated into the EEA legal framework, ensuring equivalent protection across EEA countries.
Ekomloven
Lov om elektronisk kommunikasjon (Electronic Communications Act)
Ekomloven governs electronic communications in Norway, covering network operators, service providers, and numbering resources. It includes provisions for lawful interception by authorities and security obligations for critical communications infrastructure.
EO 12333
Executive Order 12333 - United States Intelligence Activities
EO 12333 provides the primary legal framework for NSA signals intelligence collection overseas. Unlike FISA which covers collection inside the US, EO 12333 governs bulk collection of data transiting international cables and stored abroad. Non-US persons receive minimal protections under this framework.
ePrivacy Directive
Directive on privacy and electronic communications
The ePrivacy Directive protects confidentiality of electronic communications and regulates the use of cookies and similar tracking technologies. It requires consent for storing information on user devices, prohibits unsolicited marketing communications, and ensures the confidentiality of communications content and metadata.
EU-US DPF
EU-US Data Privacy Framework
The EU-US Data Privacy Framework is an adequacy decision allowing transfers to US companies that self-certify compliance with DPF principles. It addresses Schrems II concerns through Executive Order 14086, which limits US intelligence access and creates a Data Protection Review Court for EU citizens' complaints.
FADP
Federal Act on Data Protection (revised)
The revised FADP (in force 1 September 2023) modernizes Swiss data protection to maintain EU adequacy while reflecting Swiss legal specifics. It introduces privacy-by-design and privacy-by-default requirements, breach notification to the Federal Data Protection and Information Commissioner, and criminal fines of up to CHF 250,000 that are imposed on responsible individuals rather than on the company. Switzerland remains outside the EEA but benefits from EU adequacy decisions recognizing equivalent protection.
FISA Section 702
Foreign Intelligence Surveillance Act Section 702
FISA Section 702 allows the NSA and other agencies to collect communications of foreign targets without individual warrants. Communications providers must assist with collection. Non-US persons have minimal legal protections, and 'incidental collection' of US persons' communications raises ongoing civil liberties concerns.
GDPR
General Data Protection Regulation
The GDPR establishes strict requirements for processing personal data of individuals in the EU, and applies to any organization established in the EU as well as to non-EU organizations that offer goods or services to, or monitor, people in the EU. It requires a lawful basis for all processing, grants individuals rights to access, correct, delete and port their data, and imposes penalties of up to 4% of global annual turnover or EUR 20 million, whichever is higher.
Investigatory Powers Act
Investigatory Powers Act 2016 (Snoopers' Charter)
The IPA provides the legal framework for UK intelligence agencies to intercept communications, collect bulk data, and conduct equipment interference (hacking). It requires communications providers to retain connection records and assist with decryption. The law has been criticized as the most extensive surveillance legislation in Western democracies.
IT Act
Information Technology Act 2000
Section 69 grants the government power to direct any agency to intercept, monitor, or decrypt any information transmitted through any computer resource when necessary for national security, public order, or investigation of offenses. Intermediaries must assist with interception and content blocking.
LED
Law Enforcement Directive
The LED establishes data protection safeguards for law enforcement processing. It grants individuals rights when their data is processed by police, prosecutors, and courts, while providing appropriate flexibility for effective law enforcement. It complements the GDPR by covering the criminal justice domain.
National Intelligence Law
National Intelligence Law of the People's Republic of China
Article 7 states that organizations and citizens 'shall support, assist, and cooperate with state intelligence work in accordance with law' and shall keep that work secret. The provision contains no territorial limit and no public mechanism for refusing or disclosing a request, which raises the concern that any Chinese company, and any product or service it supplies, could be compelled to hand over data or provide access on demand.
National Security Act
National Security Act 2023
The National Security Act modernizes UK espionage laws for the digital age. It creates offenses for obtaining and disclosing protected information, foreign interference in UK politics, and sabotage of critical infrastructure. It also establishes a foreign influence registration scheme.
NIS2 Directive
Directive on measures for a high common level of cybersecurity across the Union
NIS2 significantly expands the scope of the original NIS Directive to cover more sectors and entity types, split into 'essential' and 'important' entities. It requires organizations to implement risk management measures, report significant incidents in stages (an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month), secure their supply chains, and ensure management bodies are trained and personally accountable for cybersecurity.
Patriot Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
The Patriot Act expanded FBI and NSA authorities for national security investigations. Section 215 allowed bulk collection of telephony metadata until reformed by the USA FREEDOM Act. The law lowered barriers for obtaining business records, enabled roving wiretaps, and expanded information sharing between intelligence and law enforcement.
Personopplysningsloven
Lov om behandling av personopplysninger (Personal Data Act)
Personopplysningsloven makes GDPR applicable in Norway through the EEA Agreement and adds national provisions where GDPR allows member state flexibility. Datatilsynet (the Norwegian Data Protection Authority) supervises compliance and handles complaints.
PIPA
Personal Information Protection Act
Korea's PIPA provides robust individual rights and imposes strict requirements on personal information handlers. The Personal Information Protection Commission (PIPC) enforces compliance with significant fines. Cross-border transfers require consent or another statutory basis, such as a recognized certification or a PIPC determination that the destination offers adequate protection. Korea has held EU adequacy status since December 2021.
PIPEDA
Personal Information Protection and Electronic Documents Act
PIPEDA governs how private sector organizations collect, use, and disclose personal information in commercial activities. Based on fair information principles, it requires consent, limits collection to necessary purposes, ensures accuracy, and provides access rights. The Privacy Commissioner investigates complaints but has limited enforcement powers.
PIPL
Personal Information Protection Law
PIPL grants individuals rights over their personal information including consent requirements, access, deletion, and portability. Cross-border transfers require separate consent plus one of three mechanisms: a CAC security assessment, certification by an approved body, or the CAC standard contract. However, PIPL coexists with laws requiring cooperation with state intelligence and security activities, so the protections it grants against private parties do not constrain state access.
Privacy Act 2020
Privacy Act 2020
New Zealand's Privacy Act 2020 replaced the Privacy Act 1993 to address digital-age challenges. It introduces mandatory notification of privacy breaches likely to cause serious harm, strengthens the Privacy Commissioner's compliance notices and enforcement powers, adds requirements for disclosing personal information to overseas recipients, and creates offences for misleading an agency in order to obtain access to someone else's personal information.
Schrems II
Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Case C-311/18)
The Court of Justice of the European Union ruled that US surveillance laws (particularly FISA 702 and EO 12333) provide insufficient protection for EU personal data. Privacy Shield was invalidated. Standard Contractual Clauses remain valid but require case-by-case assessment of destination country protections.
Sikkerhetsloven
Lov om nasjonal sikkerhet (National Security Act)
Sikkerhetsloven establishes Norway's framework for protecting national security interests. It covers security clearances, protection of classified information, security in government procurement, and safeguarding critical infrastructure from threats including foreign ownership and intelligence activities.
SORM
System for Operative Investigative Activities
SORM mandates that all telecommunications equipment in Russia include hardware and software enabling direct FSB access to communications. Providers must install and maintain surveillance equipment at their expense, with direct connections to FSB facilities for real-time monitoring.
TOLA Act
Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018
TOLA creates three types of notices: Technical Assistance Requests (voluntary), Technical Assistance Notices (mandatory, using existing capabilities), and Technical Capability Notices (requiring new capabilities to be built). Companies can be compelled to assist with decryption, modify systems, and build new interception capabilities, and secrecy provisions prohibit disclosing that a notice was received. The Act states that a notice may not require a 'systemic weakness or systemic vulnerability' to be built into a system, but the scope of that term remains contested.
UK GDPR
UK General Data Protection Regulation
UK GDPR incorporates EU GDPR into UK law following Brexit. It provides substantially similar protections including rights of access, erasure, and data portability. The ICO (Information Commissioner's Office) supervises compliance. The UK benefits from EU adequacy, enabling free data flows between UK and EU.
Yarovaya Law
Yarovaya Law (Federal Law No. 374-FZ)
The Yarovaya Law requires telecom providers and internet companies to retain communications content for up to 6 months and metadata for 3 years (1 year for 'organizers of information dissemination' such as messaging services). Companies must provide the FSB with the information needed to decode user messages, effectively requiring backdoor capabilities; Telegram's refusal to hand over such keys led to its attempted blocking in Russia in 2018.