Data Governance Outside The US

What can you do with your user data - and where?
31 January 2023

Can you know everything? Can you use all the user data you have? Check before you incur a huge fine.

Data governance is the organized collection, storage, access, and use of data. Outside the USA, the authority on data governance varies depending on the country or region. Each area may have its own laws and regulations governing data privacy, security, and usage. For example, the European Union has the General Data Protection Regulation (GDPR), which provides guidelines for how data should be collected, shared, and used. In India, the Personal Data Protection Bill 2020 sets out the framework for data privacy, security, and usage. Canada has the Personal Information Protection and Electronic Documents ACT (PIPEDA), which establishes rules for how organizations must handle personal information there.

The laws and regulations governing data governance vary, and organizations strive to ensure they understand and comply with the applicable laws in the countries or regions in which they operate.

There are currently over 120 countries that have internal privacy laws for data protection in place, ensuring their citizens, along with their personal data, is protected.

International privacy laws regarding data protection have evolved — and will continue to do so. Eventually, all situations and circumstances that could impede the privacy of data will be tackled and protected via international privacy laws.

Data governance in Europe

The fundamental view regarding privacy throughout Europe is that a person’s dignity should be protected. Therefore, unauthorized use of private information, known as a “right to one’s own image” should be protected.

Of course, the desire to keep personal information and space private is something that is shared worldwide. Therefore, the need for privacy is not something that is expected in just one culture. That being said, various cultural and historical aspects can have an effect on how societies view privacy around the world.

Let’s take a look at Europe as an example. Here, citizens are required to register their residence at local police stations, something that baffles many Americans, as many believe this is none of the government’s business. That’s not to say that Europeans are all that enamored with the invasion of their personal space and privacy by their governments, either. Nonetheless, we must consider the key distinction between personal privacy and data protection.

The General Data Protection Regulation (GDPR) was adopted by the EU in 2016. Organizations must comply with this regulation, as well as other data protection laws, if they operate within the EU.

Data governance in Europe is a set of policies, processes, and tools for ensuring that data is managed in a secure, responsible, and efficient manner. It involves setting data standards, monitoring data usage and access, and protecting data privacy. It also helps organizations ensure that they use data responsibly and ethically. Data governance is essential in helping organizations streamline their data management processes, maximize data value, and improve data security. Data governance also facilitates data sharing and collaboration among organizations, allowing them to better leverage data for their mutual benefit.

The GDPR has been and continues to be important in the protection of personal data against both monetization and dishonest corporate advertising. However, the GDPR does not protect an individual’s privacy from the government. Like its predecessor, the Data Protection Directive of 1995, the GDPR expressly excludes law enforcement and national security from its purview.

In addition to the GDPR, the EU has also created the ePrivacy regulation, a new directive designed to give users greater control over how their personal data is used or viewed by organizations. This regulation means that websites now need to ask for consent in order to collect a user’s personal data.

Outside the EU, the standards and guidelines set out by the GDPR legislation have been adopted by other countries, including Canada, Australia, South Korea, and Japan.

Data governance worldwide

As we’ve said, the personal data protection varies from region to region or country to country. Europe imposes heavy fines on corporations that do not abide by the stringent controls embedded throughout the region. Other countries, such as the USA, continue to tackle the challenges raised by centralized and formal laws that provide cohesive data protection.

The introduction of the GDPR and its enforcement resulted in a significant change in how governments viewed data privacy. That in turn led to a dramatic shift in how countries worldwide approached data governance.

Countries that currently have privacy laws for data protection include:

  • United States
  • Canada
  • Brazil
  • South Africa
  • India
  • Australia
  • Denmark
  • Finland
  • British Virgin Islands
  • Israel
  • Nigeria

A comprehensive list of internal privacy laws can be found here.


In alignment with EU data protection Law, Canada introduced various amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2018. These included a breach notification obligation and a new consent standard as part of the Digital Privacy Act.

This Act falls in line with five of the global privacy principles:

  1. Notice – To advise readers, visitors, and users of the privacy policies that are in place to protect data.
  2. Choice and Consent – To provide individuals with choices regarding the storage, use, collection, and management of their personal information.
  3. Access and Participation – To ensure any information that is accessed is used only by those with the appropriate security procedures.
  4. Integrity and Security – To ensure all data is properly secured, with no unauthorized access.
  5. Enforcement – To ensure everything (site, service, platform, and solution) is consistent with regulations that make compliance mandatory.

In 2022, the Digital Charter Implementation Act (DCIA) was implemented by the Canadian House of Commons. The aim of this was to introduce changes to the country’s privacy legislation, including substantial fines and a private right to action. As well as this, three new acts are being drafted:

  • The Consumer Privacy Protection Act
  • The Artificial Intelligence and Data Act
  • The Personal Information and Data Protection Tribunal Act


The General Data Protection Law entered into force on September 18, 2020 in Brazil. It supplements and supports over 40 laws concerning data privacy that have been implemented in previous years. Some of these laws were found to contradict one another, hence the emergence of this new legislation to iron out any existing conflicts. Utilized in all sectors of the country, the General Data protection Law specifies and differentiates the terms “personal data” and “public data,” and establishes explicit liability.

Companies are required to employ Data Protection Officers, upgrade security measures, and ensure thorough security guidelines are in place to guarantee compliance. In 2020, the Lei Geral de Proteção de Dados (LGPD) came into effect, creating legal guidelines pertaining to the personal data of individuals in Brazil.

South Africa

South Africa has also introduced strict personal data protection laws through the Protection of Personal Information Act (POPIA). First proposed as far back as 2013, the Act has gone through numerous alterations, but it has become more stable in recent years. This data privacy law empowers South African citizens with rights over their personal information. Like the GDPR, this Act requires companies, websites, and organizations to adhere to the minimum conditions it sets out.


The Personal Data Protection bill is the Indian equivalent to Europe’s GDPR and even integrates several of the GDPR’s principles within the context of the nation. Examples include the requirements for prior consent and notice to use an individual’s data and limitations on why the data may be processed by organizations and companies.

In 2017, it was ruled that the use of Aadhaar data, a substantial component of the national biometric identification programme, was unconstitutional. Each Indian resident has a 12-digit Aadhaar number. Today, this numerical value is a universal identity number that can be used by any registered entity in order to authenticate an Indian citizen. This Aadhaar number can be used to verify residents throughout the country, but it also prevents private companies from gathering a person’s information.

United Kingdom

The GDPR applied to the UK until 31 July 2021. Thereafter, different regulations have applied, due to Brexit. However, the EU’s GDPR was implemented into British law in 2021, as set out by the Data Protection Act 2018, the UK’s own data protection framework.

The aim has remained the same in the UK; to ensure there is a secure, reliable and consistent flow of data between the UK and the EU. Meanwhile, the UK government has been working to ensure the country’s data protection and data sharing laws are fully compatible with the EU’s GDPR and ePrivacy regulations. The UK and the EU are still in the process of negotiating a data adequacy agreement to ensure that the UK’s data flow with the EU complies with the GDPR.

The DPA 2018 was altered by the Data Protection, Privacy, and Electronic Communications (DPPEC) Regulations of 2019 to form a data protection platform that was more specific to the UK, now known as the “UK GDPR.”

Every individual who is responsible for using personal data must follow stringent rules imposed by data protection laws. Data governance ensures that information is used lawfully, fairly, and transparently, whatever the country.