International Regulations


    International Privacy Regulations

    This section provides an overview of international developments on information privacy. It reviews initiatives by the Organisation for Economic Co-operation and Development (OECD) and by the European Union (EU). It also reviews specific initiatives by Australia, Canada, New Zealand, and the United Kingdom.

    Organisation for Economic Co-operation and Development

    The Organisation for Economic Co-operation and Development (OECD) brings together 30 countries sharing the principles of the market economy, pluralist democracy, and respect for human rights. The original 20 members of the OECD included the western countries of Europe and North America. They were followed by Japan, Australia, New Zealand, and Finland. More recently Mexico, the Czech Republic, Hungary, Poland, Korea, and the Slovak Republic have joined.

    In September 1980 the OECD developed, for its member states, a set of guidelines for the protection of personal information. The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data represent an international consensus on how best to balance effective privacy protection with the free flow of personal data. "Personal data" is defined as "any information relating to an identified or an identifiable individual (data subject)." Learn more about the OECD by visiting the links below.

    OECD Privacy Policy Statement Generator
    OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

    Australia

    Australia's Privacy Act of 1988 establishes information privacy principles that apply to the activities of most federal government agencies. In April 2000, the Australian government introduced legislation to extend privacy protection to the private sector. The Privacy Amendment (Private Sector) Act of 2000 received royal assent in December 2000. For many organizations, including health services, the new private sector provisions went into effect December 2001. For small business, the new provisions will commence in December 2002.

    The new Act requires organizations to respect the privacy of the personal information they collect and use. It contains 10 National Privacy Principles that cover collection, use and disclosure, data quality, data security, openness, access and correction, identifiers, anonymity, transborder data flows, and sensitive information. It confers on the Office of the Privacy Commissioner a wide range of functions, including handling complaints, auditing compliance, promoting awareness, and advising on privacy matters.

    Visit the Office of the Federal Privacy Commissioner of Australia website for additional information.

    Canada

    Since January 1, 2004, Canadians' personal information has been protected by a new law—the Personal Information Protection and Electronic Documents Act (PIPEDA)—which lays down ground rules for the collection, use, and disclosure of personal information in the course of commercial activities. It balances an individual's right to privacy with an organization's need for personal information for legitimate business purposes.

    PIPEDA has come into effect in stages. Beginning on January 1, 2001, the Act applied to personal information about customers and employees in the federally regulated sector in the course of commercial activities—organizations and sectors such as airlines, banking, broadcasting, telecommunications, and transportation. It has also applied to information sold across provincial and territorial boundaries.

    Visit the AICPA's Canadian International Regulations page for additional information.

    European Union

    In October 1995, the European Union (EU) issued the EU Privacy Directive, and it went into effect on October 25, 1998. The Safe Harbor Provisions between the United States and the EU were issued on July 21, 2000.

    The EU is the result of a process of cooperation and integration that began in 1951 between six countries (Belgium, Germany, France, Italy, Luxembourg, and the Netherlands). After nearly 50 years, with four waves of accessions (1973: Denmark, Ireland, and the United Kingdom; 1981: Greece; 1986: Spain and Portugal; 1995: Austria, Finland, and Sweden), the EU today has 15 member states and is preparing for its fifth enlargement, this time towards Eastern and Southern Europe.

    View more information on Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

    New Zealand

    New Zealand's 1993 Privacy Act is based on the 1980 OECD guidelines and the information privacy principles in Australia's 1988 Privacy Act. The Act regulates the collection, use, and dissemination of personal information in both the public and private sectors. It applies to "personal information" about an identifiable individual, whether automatically or manually processed, and grants individuals the right of access to their personal information held by any agency. An agency can include a person or body of people; consequently, companies, government departments, incorporated societies, and boards of trustees are all agencies.

    New Zealand's Privacy Act contains 12 Privacy Principles, which are: (1) purpose of collection of personal information; (2) source of personal information; (3) collection of information from the subject; (4) manner of collection of personal information; (5) storage and security of personal information; (6) access to personal information; (7) correction of personal information; (8) accuracy of personal information to be checked before use; (9) limit that the agency keep personal information no longer than necessary; (10) limits on use of personal information; (11) limits on disclosure of personal information; and (12) unique identifiers.

    In addition, it provides guidelines with respect to information matching programs run by government agencies and makes special provisions for the sharing of law enforcement information among specialized agencies.

    Visit the official Office of the Privacy Commissioner of New Zealand website for additional information.

    United Kingdom

    Approved in July 1998, the United Kingdom's Data Protection Act came into force on March 1, 2000. It applies to personal data, which includes both facts and opinions about an individual, as well as information regarding the intentions of the data controller toward the individual.

    Government agencies and private entities processing personal data must comply with the principles of good practice. The Act sets out eight Data Protection Principles. They require that personal data be processed fairly and lawfully, obtained only for one or more specified and lawful purposes, and not be further processed in any manner incompatible with those purposes. They also require that personal data be adequate, relevant, not excessive in relation to the purposes for which they are processed, accurate, kept up-to-date, and retained only as long as necessary for the stated purposes.

    In addition, personal data must be processed in accordance with the rights of data subjects under the Act, and appropriate technical and organizational measures must be taken against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Furthermore, personal data may not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

    United Kingdom's Information Commissioner's Office
    Privacy and Electronic Communications Regulations 2003 (Amended 2011)
    Freedom of Information Act 2000

    Copyright © 2006-2015 American Institute of CPAs.