Appendix D: Legal Frameworks Reference -- Comparative Data Protection Law

This appendix provides a structured comparison of the world's major data protection laws and AI-specific regulations. It is designed as a reference for students, practitioners, and researchers who need to quickly identify how different jurisdictions approach key data governance questions.

Important disclaimer: Laws change. The information in this appendix reflects the state of legislation as of early 2026. Always consult current legal texts and qualified legal counsel for compliance decisions. This appendix is an educational reference, not legal advice.


D.1 Comparative Data Protection Laws

The following table compares nine major data protection laws across key dimensions. An expanded discussion of each dimension follows the table.

Summary Comparison Table

Year enacted
  • GDPR (EU): 2016/2018
  • CCPA/CPRA (California): 2018/2020
  • LGPD (Brazil): 2018/2020
  • PIPL (China): 2021
  • DPDP Act (India): 2023
  • POPIA (South Africa): 2013/2020
  • APPI (Japan): 2003/2022
  • PDPA (Singapore): 2012/2014
  • NDPR (Nigeria): 2019

Scope
  • GDPR (EU): Any processing of EU residents' data
  • CCPA/CPRA (California): Businesses meeting thresholds + CA residents
  • LGPD (Brazil): Processing of data of persons in Brazil
  • PIPL (China): Processing of natural persons' data in China
  • DPDP Act (India): Processing of digital personal data in India
  • POPIA (South Africa): Processing in SA or of SA residents
  • APPI (Japan): Business operators handling personal info in Japan
  • PDPA (Singapore): Organizations in Singapore
  • NDPR (Nigeria): Processing of Nigerian residents' data

Legal basis types
  • GDPR (EU): 6 bases (consent, contract, legal obligation, vital interests, public task, legitimate interest)
  • CCPA/CPRA (California): Disclosure + opt-out (sale/sharing); consent for sensitive data
  • LGPD (Brazil): 10 bases (similar to GDPR + credit protection, health, research)
  • PIPL (China): Consent primary; + contract, legal duty, public interest, etc.
  • DPDP Act (India): Consent + deemed consent + certain legitimate uses
  • POPIA (South Africa): 8 conditions (similar to GDPR)
  • APPI (Japan): Consent with exceptions; special provisions for pseudonymized data
  • PDPA (Singapore): Consent + exceptions (contractual necessity, vital interests, etc.)
  • NDPR (Nigeria): Consent + legitimate interest + public interest + vital interest

DPA/Regulator
  • GDPR (EU): National DPAs + EDPB
  • CCPA/CPRA (California): California Privacy Protection Agency (CPPA)
  • LGPD (Brazil): ANPD
  • PIPL (China): Cyberspace Administration of China (CAC)
  • DPDP Act (India): Data Protection Board of India
  • POPIA (South Africa): Information Regulator
  • APPI (Japan): Personal Information Protection Commission (PPC)
  • PDPA (Singapore): Personal Data Protection Commission (PDPC)
  • NDPR (Nigeria): NITDA

Max penalty
  • GDPR (EU): 4% global turnover or EUR 20M
  • CCPA/CPRA (California): $7,500 per intentional violation
  • LGPD (Brazil): 2% revenue, capped at BRL 50M
  • PIPL (China): 5% prior-year revenue or RMB 50M
  • DPDP Act (India): Up to INR 250 crore (~USD 30M)
  • POPIA (South Africa): Up to ZAR 10M or imprisonment
  • APPI (Japan): Up to JPY 100M (~USD 660K) for an entity
  • PDPA (Singapore): Up to SGD 1M
  • NDPR (Nigeria): Up to NGN 10M (~USD 22K) or 2% revenue

Breach notification
  • GDPR (EU): 72 hours to DPA; to subjects if high risk
  • CCPA/CPRA (California): Implied through AG enforcement; private right of action for breaches
  • LGPD (Brazil): "Reasonable time" to ANPD and subjects
  • PIPL (China): Immediate to CAC; to subjects if rights impacted
  • DPDP Act (India): As prescribed by rules
  • POPIA (South Africa): As soon as reasonably possible
  • APPI (Japan): Promptly to PPC
  • PDPA (Singapore): As soon as practicable to PDPC
  • NDPR (Nigeria): 72 hours to NITDA

Children's provisions
  • GDPR (EU): Under 16 (member states may lower to 13); parental consent required
  • CCPA/CPRA (California): Complements federal COPPA; additional "knows" standard
  • LGPD (Brazil): Under 18; specific parental consent
  • PIPL (China): Under 14; parental consent required
  • DPDP Act (India): As prescribed by rules; verifiable parental consent
  • POPIA (South Africa): Specific provisions for children
  • APPI (Japan): Under 15 for certain provisions
  • PDPA (Singapore): No specific age threshold; "reasonable" standard
  • NDPR (Nigeria): Under 18; consent of parent/guardian

D.2 Expanded Comparison by Dimension

D.2.1 Scope and Territorial Application

GDPR: Applies to any organization that processes personal data of individuals in the EU, regardless of where the organization is established (Article 3). This extraterritorial reach -- the "long arm" provision -- means that a US company with no EU offices can fall under the GDPR if it offers goods or services to EU residents or monitors their behavior. The GDPR's scope is the broadest of any data protection law and has created the "Brussels Effect" (Chapter 20).

CCPA/CPRA: Applies to for-profit businesses that do business in California and meet one of three thresholds: (a) annual gross revenue over $25 million, (b) buy, sell, or share the personal information of 100,000 or more consumers or households, or (c) derive 50% or more of annual revenue from selling or sharing personal information. This threshold-based approach exempts small businesses and nonprofit organizations.

PIPL: Applies to the processing of personal information of natural persons within China. Importantly, it also applies extraterritorially to processing conducted outside China if the purpose is providing products or services to, or analyzing the behavior of, individuals within China. The PIPL's extraterritorial reach parallels the GDPR's but is backed by China's ability to restrict market access as an enforcement mechanism.

DPDP Act: Applies to the processing of digital personal data within India and to processing outside India if it relates to offering goods or services to data principals in India. The Act's scope is limited to digital personal data, excluding paper records. The Act includes significant exemptions for government processing in the interests of sovereignty, security, and public order.

POPIA: Applies to the processing of personal information by responsible parties established in South Africa, or using processing means in South Africa (with limited exceptions). It is one of the first comprehensive data protection laws in Africa and serves as a model for the region.

D.2.2 Data Subject Rights

All major data protection laws grant individuals certain rights over their personal data, but the specific rights and their scope vary:

  • Right to know/access: GDPR Art. 15; CCPA/CPRA yes; LGPD yes; PIPL yes; DPDP Act yes
  • Right to rectification: GDPR Art. 16; CCPA/CPRA yes (CPRA); LGPD yes; PIPL yes; DPDP Act yes
  • Right to erasure/deletion: GDPR Art. 17; CCPA/CPRA yes; LGPD yes; PIPL yes; DPDP Act yes
  • Right to portability: GDPR Art. 20; CCPA/CPRA yes (CPRA); LGPD yes; PIPL yes; DPDP Act no (not explicit)
  • Right to restrict processing: GDPR Art. 18; CCPA/CPRA no; LGPD yes; PIPL yes; DPDP Act no
  • Right to object: GDPR Art. 21; CCPA/CPRA no; LGPD yes; PIPL yes; DPDP Act no
  • Right to opt out of sale/sharing: GDPR no (different model); CCPA/CPRA yes (core right); LGPD no; PIPL no; DPDP Act no
  • Right to non-discrimination: GDPR implied; CCPA/CPRA yes (explicit); LGPD yes; PIPL yes; DPDP Act no
  • Right to explanation of automated decisions: GDPR Art. 22; CCPA/CPRA no; LGPD yes; PIPL Art. 24; DPDP Act no

Notable differences: The CCPA/CPRA's right to opt out of the "sale" or "sharing" of personal information reflects the US regulatory focus on commercial data transactions. The GDPR's right to explanation of automated decision-making (Article 22) has no equivalent in US law. The DPDP Act grants a narrower set of rights than the GDPR, reflecting a different balance between individual rights and government interests.

D.2.3 Cross-Border Data Transfer Rules

Cross-border data transfer restrictions are among the most commercially significant provisions of data protection law. They determine whether and how personal data can move between jurisdictions.

GDPR (Chapter V): Transfers to countries outside the EU are permitted only if the destination country has received an "adequacy decision" from the European Commission (currently: Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the UK, the US under the EU-US Data Privacy Framework, and Uruguay). In the absence of adequacy, organizations may use Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or specific derogations.

PIPL: Requires a security assessment by the CAC for transfers by critical information infrastructure operators or transfers exceeding certain volume thresholds. Other transfers may use standard contracts filed with the CAC or certification by a recognized body. China's approach is the most restrictive major framework, reflecting its emphasis on data localization and digital sovereignty.

LGPD: Permits transfers to countries with adequate protection, under SCCs, BCRs, or with specific consent. The ANPD has not yet issued a comprehensive list of adequate countries.

DPDP Act: The Indian government may restrict transfers to specific countries by notification. Unlike the GDPR's default-restrict model, India's approach is default-permit with the possibility of government-imposed restrictions.

APPI: Japan operates under mutual adequacy with the EU, permitting data flows between the two jurisdictions. Transfers to other countries require consent or equivalent protective measures.

D.2.4 Enforcement Bodies and Mechanisms

The effectiveness of data protection law depends heavily on the independence, resources, and authority of enforcement bodies.

GDPR: Enforced by independent national Data Protection Authorities (DPAs) in each EU member state, coordinated by the European Data Protection Board (EDPB). Major cross-border cases are handled through the "one-stop-shop" mechanism, where the DPA of the data controller's main establishment takes the lead. Enforcement actions have included fines of EUR 1.2 billion (Meta, 2023), EUR 746 million (Amazon, 2021), and EUR 405 million (Meta/Instagram, 2022).

CCPA/CPRA: Originally enforced by the California Attorney General; the CPRA created a dedicated California Privacy Protection Agency (CPPA) with rulemaking and enforcement authority. Additionally, the CCPA provides a private right of action for data breaches involving unencrypted personal information, allowing individuals to sue for damages of $100-750 per incident.

PIPL: Enforced by the Cyberspace Administration of China (CAC) and relevant sectoral regulators. The CAC operates under the direction of the Chinese government and is not independent in the way that EU DPAs are required to be. Enforcement has included bans on major apps (Didi Chuxing) and significant fines.

DPDP Act: Enforced by the Data Protection Board of India. The Board's independence has been questioned because its members are appointed by the central government, and the Act's government exemptions are broad.

D.2.5 Consent Requirements

Consent is a legal basis for processing under all major frameworks, but its definition, requirements, and role in the broader legal framework differ significantly.

GDPR: Consent must be "freely given, specific, informed and unambiguous" and demonstrated by a "clear affirmative action" (Article 7). Pre-ticked boxes, silence, and inactivity do not constitute consent. Consent can be withdrawn at any time. Importantly, consent is only one of six legal bases; organizations can also process data under legitimate interest, contractual necessity, or other bases without consent.

CCPA/CPRA: Does not use consent as a prerequisite for data collection (reflecting the US approach). Instead, it requires disclosure of practices and gives consumers the right to opt out of sale/sharing. This is a fundamentally different model: the GDPR is opt-in by default; the CCPA is opt-out.

PIPL: Consent is the primary legal basis, and it must be informed, voluntary, and explicit. Separate consent is required for processing sensitive information, cross-border transfers, public disclosure, and provision to third parties. China's consent requirements are in some respects more stringent than the GDPR's.

DPDP Act: Consent must be "free, specific, informed, unconditional, and unambiguous" with a "clear affirmative action." However, the Act introduces "deemed consent" -- situations where consent is implied rather than explicitly given -- which has been criticized for undermining the consent requirement.


D.3 AI-Specific Regulation

D.3.1 EU AI Act (2024)

The EU AI Act is the world's first comprehensive regulatory framework specifically for artificial intelligence. Its key features include:

Risk-based classification:

  • Unacceptable risk (prohibited): Social scoring by public authorities; subliminal manipulation; exploitation of vulnerabilities; real-time remote biometric identification in public spaces (with limited law enforcement exceptions).
  • High risk: AI in critical infrastructure, education, employment, essential services, law enforcement, migration, and justice. Subject to: risk management systems, data governance requirements, technical documentation, record-keeping, transparency and information provision, human oversight, accuracy, robustness, and cybersecurity.
  • Limited risk: Transparency obligations (chatbots must disclose AI; deepfakes must be labeled; emotion recognition must be disclosed).
  • Minimal risk: No specific requirements.

General-purpose AI models: Providers of general-purpose AI models (including large language models) must: maintain technical documentation, provide information to downstream deployers, comply with copyright law, and publish training content summaries. Models posing "systemic risk" (based on computational power thresholds) face additional obligations including model evaluations, adversarial testing, incident reporting, and cybersecurity measures.

Penalties: Up to EUR 35 million or 7% of global turnover for prohibited AI practices; up to EUR 15 million or 3% for other violations.

Implementation timeline: Prohibitions take effect 6 months after entry into force; GPAI provisions after 12 months; high-risk requirements after 24-36 months.

D.3.2 United States: Sector-Specific and Executive Action

The United States has no comprehensive federal AI regulation. Instead, AI governance relies on:

  • Executive Order 14110 on Safe, Secure, and Trustworthy AI (2023): Directs federal agencies to develop AI governance standards, requires reporting on large model training runs, establishes red-teaming requirements, and directs NIST to develop AI safety standards. Executive orders can be rescinded by subsequent administrations.
  • NIST AI Risk Management Framework (2023): Voluntary framework for AI risk management (see Appendix C, Document 17).
  • Sector-specific guidance: FDA guidance on AI in medical devices; SEC guidance on AI in financial services; EEOC guidance on AI in employment decisions; FTC enforcement actions against deceptive AI practices.
  • State-level legislation: Colorado AI Act (2024); various state bills on AI in hiring, insurance, and healthcare.

D.3.3 China's AI Regulatory Framework

China has adopted a more targeted approach, with separate regulations for specific AI applications:

  • Algorithm Recommendation Regulations (2022): Require transparency in algorithmic recommendation systems, give users the right to opt out of personalized recommendations, prohibit algorithmic price discrimination, and require algorithm registration with the CAC.
  • Deep Synthesis Regulations (2023): Govern deepfakes and synthetic media, requiring watermarking, content labeling, and user identity verification.
  • Generative AI Measures (2023): Require generative AI services to uphold core socialist values, not generate content that undermines state power, and obtain approval before public deployment. Providers must conduct security assessments and register algorithms.
  • AI Safety Governance Framework (2024): Provides guidelines for AI development covering risk classification, safety assessment, and incident response.

D.3.4 Other Jurisdictions

  • Canada: Proposed Artificial Intelligence and Data Act (AIDA) as part of Bill C-27, which would regulate high-impact AI systems through a risk-based framework.
  • Brazil: AI regulatory framework under development; the Brazilian Senate approved a comprehensive bill in 2024 with risk-based classification similar to the EU AI Act.
  • Singapore: Model AI Governance Framework (voluntary, principles-based) and AI Verify (testing framework for AI systems).
  • Japan: AI governance principles (voluntary, industry-led) with sector-specific guidance.
  • United Kingdom: Pro-innovation approach to AI regulation, relying on existing sector regulators rather than creating a new AI regulator.

D.4 Sector-Specific Regulations

Certain sectors have data governance requirements that supplement general data protection laws:

Healthcare

  • US: HIPAA (1996). Scope: covered entities + business associates. Key requirements: PHI protection, minimum necessary standard, breach notification, de-identification standards.
  • EU: GDPR + national health laws. Scope: all health data processors. Key requirements: health data as a "special category"; explicit consent or another specific basis required.
  • UK: UK GDPR + Data Protection Act 2018 + NHS Code of Practice. Scope: health and social care. Key requirements: Caldicott Principles; national data opt-out.

Financial Services

  • US: GLBA (1999), FCRA (1970), ECOA (1974). Scope: financial institutions. Key requirements: privacy notices, opt-out of sharing, fair credit reporting, non-discrimination.
  • EU: GDPR + PSD2 + MiCA. Scope: financial service providers. Key requirements: open banking requirements, strong customer authentication, crypto-asset governance.

Education

  • US: FERPA (1974), COPPA (1998). Scope: educational institutions receiving federal funds; commercial operators. Key requirements: student record privacy, parental consent for children under 13.
  • EU: GDPR + national education laws. Scope: all educational data processors. Key requirements: student data treated as regular personal data; special provisions for minors.

D.5 Emerging Trends

As of early 2026, several trends are shaping the evolution of data protection and AI regulation globally:

  1. Convergence around core principles. Despite different legal traditions and implementation approaches, a global consensus is emerging around core data protection principles: purpose limitation, data minimization, transparency, accountability, and individual rights. The OECD's 1980 principles remain the shared ancestor.

  2. Risk-based AI regulation. The EU AI Act's risk-based classification system is influencing regulatory development worldwide. Even jurisdictions that have not yet enacted AI legislation are adopting risk-based thinking in their governance frameworks.

  3. Enforcement escalation. Penalties for data protection violations are increasing. GDPR fines have reached the billions of euros. The trend toward stronger enforcement is global.

  4. Tension between data flows and sovereignty. The conflict between the economic benefits of free data flows and the sovereign interest in data localization is intensifying. The Schrems I and Schrems II decisions invalidated successive EU-US data transfer mechanisms, and tensions around data localization requirements in China, India, and other jurisdictions continue to grow.

  5. Children's protection as a priority. Multiple jurisdictions are strengthening protections for children and teenagers: the UK's Age Appropriate Design Code, the EU's Digital Services Act provisions for minors, US state-level age verification laws, and proposed updates to COPPA. This area is evolving rapidly.

  6. AI-specific regulation emerging. The EU AI Act marks the beginning of AI-specific regulation, but most jurisdictions are still in the development phase. The next five years will see a significant expansion of AI-specific governance frameworks worldwide.

  7. Governance gaps persist. Despite the proliferation of laws and frameworks, significant governance gaps remain: AI systems trained on data from unregulated jurisdictions; processing by entities below regulatory thresholds; government exemptions from data protection requirements; and the challenge of regulating foundation models whose downstream uses cannot be fully anticipated.


D.6 Using This Reference

This appendix is designed as a starting point, not a comprehensive legal analysis. For each jurisdiction:

  • Read the primary text (links provided in Appendix C where available)
  • Consult the regulator's website for current guidance and enforcement decisions
  • Check for recent amendments -- data protection law is evolving rapidly
  • Seek qualified legal counsel for compliance decisions affecting real systems and real people

The field of comparative data protection law is rich and growing. For deeper engagement, the Further Reading section of each chapter provides specific academic and practitioner resources, and the Bibliography provides a comprehensive list of sources referenced throughout this textbook.