International privacy rules are the network of national and supranational laws that regulate the processing of personal data. At Musch Legal, we see that companies operating internationally must deal with multiple regimes simultaneously: GDPR in the EU, UK GDPR in the UK, CCPA in California, PIPL in China, LGPD in Brazil. A structured compliance approach prevents fines amounting to several percent of global turnover.
What is the legal issue? (Which privacy rules apply simultaneously?)
For international activities, multiple privacy regimes apply simultaneously. GDPR applies worldwide to the processing of EU data subjects under Article 3 (extraterritorial effect). UK GDPR for UK data subjects. CCPA for Californian consumers. PIPL for Chinese data subjects. Differences between regimes: legal basis, data subject rights, data transfer rules, enforcement. Without a structured approach, compliance gaps and fines arise.
What does the law say? (Which frameworks are relevant?)
GDPR (Regulation (EU) 2016/679) governs the processing of personal data in the EU with extraterritorial effect under Article 3. UK GDPR under the Data Protection Act 2018. California Consumer Privacy Act (CCPA, 2018) and California Privacy Rights Act (CPRA, 2020). China Personal Information Protection Law (PIPL, 2021). Brazil Lei Geral de Proteção de Dados (LGPD, 2018). For data transfers outside EU SCCs under Implementing Decision (EU) 2021/914.
ePrivacy Directive (2002/58/EC) governs cookies and direct marketing in the EU.
Regime
Scope
Maximum fine
GDPR (EU)
EU data subjects worldwide
4% of global turnover
UK GDPR
UK data subjects
4% of global turnover
CCPA/CPRA
Californian consumers
7,500 USD per violation
PIPL (China)
Chinese data subjects + processors in China
5% turnover
LGPD (Brazil)
Brazilian data subjects
2% Brazilian turnover, max 50M BRL
Regime
Scope
Maximum fine
GDPR (EU)
EU data subjects worldwide
4% global turnover
UK GDPR
UK data subjects
4% global turnover
CCPA/CPRA
Californian consumers
7,500 USD per violation
PIPL (China)
Chinese data subjects + processors in China
5% turnover
LGPD (Brazil)
Brazilian data subjects
2% Brazilian turnover, max 50M BRL
What risks do companies face? (What threatens non-compliance?)
GDPR fines have amounted to millions of euros on multiple occasions. CPRA enforcement by the California Privacy Protection Agency. PIPL fines by the Cyberspace Administration of China can completely exclude enterprises from the Chinese market. LGPD enforcement by the ANPD. Reputational damage from a data breach affects customers and shareholders. Directors' liability due to inadequate oversight. Loss of insurance coverage for cyber incidents.
Practical example from our practice (How did we coordinate multi-jurisdiction privacy?)
Musch Legal advised a Dutch SaaS company with customers in the EU, UK, US, and China. We implemented a layered privacy framework: GDPR-compliant basis with additional UK GDPR provisions, CCPA rights for Californian customers, and PIPL-compliant data localization for Chinese users. SCCs under Implementing Decree 2021/914 for EU data outside the EEA, TIAs per recipient. Total compliance investment €75,000 versus estimated €500,000 in the event of subsequent corrections or fines.
What can you do? (Which privacy framework are you building?)
Inventory personal data processing by jurisdiction. Build the GDPR as a basis with additional modules for UK GDPR, CCPA, PIPL, LGPD. Implement DPAs with SCCs for data transfer under Implementing Decision 2021/914. Appoint a Data Protection Officer under Article 37 GDPR. Conduct Transfer Impact Assessments for non-EEA. Train employees periodically. Engage Musch Legal for an international privacy package.
GDPR and international data transfer