International Laws

Although the focus of this chapter is on U.S. laws, there are laws and regulations from outside the United States that are worth mentioning. It would be impossible to cover every privacy or information security management regulation in the entire world; however, some regulations apply to such a broad range of nations that at least a basic description is important.

General Data Protection Regulation (GDPR)

The most important non-U.S. regulation is the General Data Protection Regulation (GDPR). This was passed in 2016 by the European Union (EU) and has sweeping regulations regarding data privacy. The full scope of GDPR would occupy an entire book (and in fact, several books have been written on it). A brief overview of critical points is provided here.

This law applies to any organization that collects data from EU residents, even if that organization is outside the EU. The primary goal of GDPR is to protect personal data. One of the bedrock principles of GDPR is informed consent. Any data collected or used must have been given with informed consent explicitly for the purposes for which the data is used. That consent can be withdrawn by the data owner/subject at any time. The process for opting out cannot be any more difficult than was the process to opt in. Importantly, a service provider may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service.

European Telecommunications Standards Institute (ETSI)

The European Telecommunications Standards Institute (ETSI) set up a cybersecurity committee in 2014 to develop cybersecurity standards for all of Europe. This committee has published a wide range of standards on topics ranging from consumer Internet of Things (IoT) security to Quantum-Safe Virtual Private Networks.[11]

Asia-Pacific Economic Framework (APEC)

In Asia, 21 member countries have adopted a voluntary privacy framework called the Asia-Pacific Economic Framework.[12] The APEC framework consists of nine privacy principles. It defines personal information as any information that can be used to identify an individual. The nine principles in the APEC privacy framework are preventing harm, notice, collection limitations, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability.