Consent

PIPL

China’s Personal Information Protection Law of 2021 is often compared to GDPR but operates in a fundamentally different legal context. PIPL provides individual rights: informed consent for processing, access to personal information, correction of errors, deletion rights, and data portability. Processing requires a lawful basis (consent, contract, legal obligation, public interest, etc.). Cross-border transfers need individual consent plus one of: government security assessment, standard contractual clauses, or certification. However, PIPL explicitly exempts state security and emergency response activities. The coexistence of PIPL’s individual protections with the National Intelligence Law’s access requirements creates an unusual framework: organizations must protect personal data while simultaneously being prepared to disclose it to state security when requested. For international data transfers involving China, this dual nature complicates compliance.

PIPEDA

PIPEDA applies to private sector organizations collecting, using, or disclosing personal information in commercial activities across Canada (except in provinces with substantially similar legislation: Quebec, BC, Alberta). It implements ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Organizations must obtain meaningful consent, which varies by sensitivity and context. Individuals have rights to access their information and challenge its accuracy. The Privacy Commissioner of Canada investigates complaints, makes recommendations, and can seek court orders for compliance. Recent amendments (Bill C-27) propose replacing PIPEDA with the Consumer Privacy Protection Act, adding stronger penalties and algorithmic transparency requirements. Canada has EU adequacy status for commercial data transfers.

PIPA

South Korea’s Personal Information Protection Act provides comprehensive data protection with strong enforcement. The law applies broadly to public and private sector personal information handling. Key requirements include: specific purpose limitation, consent for collection (with strict standards for sensitive data), security measures commensurate with risk, and individual rights to access, correct, delete, and suspend processing. The Personal Information Protection Commission (PIPC) supervises compliance and can impose administrative fines up to 3% of relevant revenue plus criminal penalties for severe violations. Data breach notification is mandatory within 24 hours. Cross-border transfers require consent plus one of: adequacy determination, binding corporate rules, or PIPC-recognized certifications. Korea achieved EU adequacy in 2021. The law is notably stricter than some GDPR requirements, particularly around consent standards and data minimization.

DPDP Act

India’s Digital Personal Data Protection Act 2023 creates the country’s first comprehensive data protection framework. It establishes rights for ‘data principals’ including informed consent, access to information, correction and erasure, and grievance redress. ‘Data fiduciaries’ (similar to controllers) must process personal data lawfully, implement security safeguards, and fulfill data principal requests. The Act creates a Data Protection Board to adjudicate complaints and impose penalties up to ₹250 crore (~$30M). However, Section 17 gives the central government sweeping exemption powers for state security, sovereignty, public order, and other specified purposes. This means the strong protections can be bypassed for government activities. Cross-border transfer is permitted to countries not blacklisted by the government. The interaction between DPDP and the IT Act’s surveillance powers creates a regime where individual protections coexist with extensive government access.