4.2 How Privacy Laws Are Structured
Module 4: The Global Regulatory Landscape
Explains the common building blocks of privacy legislation, the omnibus vs. sectoral distinction, and a comparison of GDPR against the US patchwork approach.
Privacy laws vary enormously around the world, but most share a recognisable architecture. Understanding the building blocks helps you read any law — or any company's privacy policy — with greater confidence.
The common building blocks
Most modern privacy laws are constructed from a similar set of elements:
Scope defines who and what is covered. Does the law apply to organisations of all sizes, or only large ones? Does it cover paper records or only digital data? Does it apply to foreign companies processing data about local residents? Scope determines whether you are protected and whether an organisation is obligated.
Principles are the core rules governing how data may be processed. The OECD Privacy Guidelines (1980, updated 2013) — the closest thing to a global consensus framework — identify eight: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. Most national laws implement some version of these. GDPR distils them into six processing principles (Art. 5(1)): lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity/confidentiality, with accountability for demonstrating compliance with all six added as a seventh in Art. 5(2).
Rights for individuals give data subjects legal levers to exercise control. Common rights include access (seeing your data), rectification (correcting errors), erasure (in some circumstances), portability (receiving your data in a usable format), and objection (to certain processing). Not all laws grant all rights — the scope varies significantly.
Obligations for organisations mirror those rights: register with a supervisory authority, appoint a Data Protection Officer (if required), conduct Data Protection Impact Assessments for high-risk processing, notify authorities (and sometimes individuals) of data breaches, maintain records of processing activities, and implement technical and organisational security measures.
Enforcement mechanisms determine whether the law has teeth. These include administrative fines (GDPR: up to €20 million or 4% of global annual turnover, whichever is higher), civil litigation (the right to sue), supervisory authority powers (orders, audits, bans on processing), and criminal penalties in some jurisdictions.
Omnibus vs. sectoral laws
An omnibus law covers all sectors and all types of personal data within its jurisdiction. The GDPR is the clearest example: it applies to a hospital, a bank, a retailer, and a political party in the same way. This creates consistency and a single accountability standard, but can require complex carve-outs for sensitive sectors with specific needs.
A sectoral law covers only a specific industry or data type. The US model is the clearest example: HIPAA covers health data held by covered entities and their business associates; GLBA covers financial institutions; COPPA covers data collected online from children under 13. Each law has its own definitions, rights, and enforcement body. The result is commonly described as a 'patchwork', and the gaps between the sectors are what make that label significant: a data broker, for example, may fall under no sector-specific law despite holding extensive personal profiles.
GDPR vs. the US approach: a snapshot comparison
The GDPR requires a legal basis for every processing activity, grants eight individual rights, mandates notification of a personal data breach to the supervisory authority within 72 hours of the organisation becoming aware of it (and to affected individuals where the risk to them is high), and provides for fines up to €20 million or 4% of global annual turnover, whichever is higher. It applies to organisations established in the EU and, under Art. 3(2), to organisations anywhere in the world that offer goods or services to, or monitor the behaviour of, people in the EU.
By contrast, in the United States there is no equivalent federal law. The Federal Trade Commission (FTC) acts under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, to challenge misleading privacy claims, but it has no mandate to issue comprehensive privacy regulations. Multiple states (California, Virginia, Colorado, Texas, and others) have enacted their own omnibus laws — California's CCPA/CPRA being the most prominent — creating a patchwork within a patchwork.
Your takeaway
Once you know the architecture — scope, principles, rights, obligations, enforcement — you can map any privacy law onto this framework. This skill will serve you well in the detailed regulatory walkthroughs in Module 5 onwards.