Restrictions on data
UNITED STATES
Since 2018
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
California Consumer Privacy Act of 2018
While the United States has no national law on data privacy, the state of California passed a privacy law in 2018 that will apply to all firms established in the state. California's Consumer Privacy Act of 2018 requires that firms give consumers the opportunity to learn the categories of personal information that they collect, sell, or disclose about them, and to whom information is sold or disclosed. The Act also gives consumers the right to prevent businesses from selling or disclosing their personal information. Individuals must therefore be informed that their information may be sold, and that they have a "right to opt out."
Coverage Horizontal
Sources
- https://oag.ca.gov/system/files/initiatives/pdfs/17-0039%20%28Consumer%20Privacy%20V2%29.pdf
- https://oag.ca.gov/system/files/initiatives/pdfs/Title%20and%20Summary%20%2817-0039%29_0.pdf
- https://www.theverge.com/2018/6/28/17509720/california-consumer-privacy-act-legislation-law-vote
- https://www.caprivacy.org/facts
Restrictions on data
UNITED STATES
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
There are few limits on the transfer of personal data outside the US. Several states have enacted laws that limit or discourage state agencies or state contractors from outsourcing data processing beyond US borders, but these laws are typically limited to state government agencies and private companies that contract to perform services for or provide goods to state agencies.
Coverage Horizontal
Restrictions on data
UNITED STATES
Since 1999
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Network Security Agreements
It is reported that foreign communications infrastructure providers have been asked to sign Network Security Agreements (NSAs) in order to operate in the US. These agreements ensure that U.S. government agencies have the ability to access communications data when legally requested.
The agreements reported range in date from 1999 to 2011 and involve a rotating group of government agencies including the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), Department of Justice (DoJ), Department of Defense (DoD) and sometimes the Department of the Treasury.
According to the Washington Post, the agreements require companies to maintain what amounts to an “internal corporate cell of American citizens with government clearances” ensuring that “when U.S. government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely.”
Moreover, the agreements impose local storage requirements for certain customer data as well as minimum periods of data retention for data such as billing records and access logs.
Coverage Telecommunication sector
Restrictions on data
TURKEY
Since November 2008
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Electronic Communications Act
The transfer of traffic and location data abroad is permitted with the data subjects' explicit consent.
Coverage Electronic communications sector
Restrictions on data
TURKEY
Since April 2016
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Data Protection Law No. 6698
The legislation stipulates that data cannot be processed or transferred abroad without the individual's explicit consent. Consent will not be required if the transfer is necessary to exercise a right or is required by law, and either:
- sufficient protection exists in the transferee country, or
- the data controller gives a written security undertaking and Turkey’s Data Protection Board grants permission.
Coverage Horizontal
Restrictions on data
TURKEY
Amended in March 2015
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Payment Services and Electronic Money Institutions Law No. 6493
Article 23 of Law No. 6493 requires that "the system operator, payment institution and electronic money institution shall be required to keep all the documents and records related to the matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner". The article also specifies that "the information systems and their substitutes, which are used by system operator to carry out its activities shall also be kept within the country".
Coverage E-money institutions and payment services providers
Sources
- http://www.tcmb.gov.tr/wps/wcm/connect/3deb8069-ce8d-4ba7-a31d-e075259aa60a/6493_eng.pdf?MOD=AJPERES&CACHEID=ROOTWORKSPACE3deb8069-ce8d-4ba7-a31d-e075259aa60a
- http://www.ey.com/GL/en/Services/Tax/International-Tax/Alert--Turkey-enacts-legislation-regarding-new-E-money-and-payment-services
- http://judiciary.house.gov/_cache/files/cf15ee9a-4576-4978-ab7f-b23b398cb597/11.03.15-atkinson-testimony.pdf
Restrictions on data
SOUTH AFRICA
Since April 2014
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Protection of Personal Information Act 4 of 2013
Consent is needed for the data transfer to third countries. Otherwise, the transfer can happen if:
- the third party is subject to a law, binding corporate rules or binding agreement that provide for an adequate level of protection;
- the transfer is necessary for the performance of a contract between the data subject and the responsible party, or
- the transfer is necessary for the implementation of pre-contractual measures taken in response to the data subject's request.
Coverage Horizontal
Restrictions on data
RUSSIA
Since January 2007
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Federal Law no. 152-FZ “On Personal Data” (OPD-Law) of July 2006
According to Federal Law no. 152-FZ “On Personal Data” (OPD-Law), the transfer of data outside Russia does not require additional consent from the data subject only if the jurisdiction that the personal data is transferred to ensures adequate protection of personal data. Those jurisdictions are the parties to Convention 108 and other countries approved by the Russian Federal Service for Supervision in the sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor). Roskomnadzor's official list of countries includes Australia, Argentina, Canada, Israel, Mexico and New Zealand.
Coverage Horizontal
Restrictions on data
RUSSIA
Since July 2016
Since July 2018
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Federal Law No. 374 on Amending the Federal Law "on Counterterrorism and Select Legislative Acts of the Russian Federation Concerning the Creation of Additional Measures Aimed at Countering Terrorism and Protecting Public Safety"
Federal Law No. 374-FZ, signed in July 2016, requires local storage of information confirming the fact of receipt, transmission, delivery and/or processing of voice data, text messages, pictures, sounds, video or other communications (i.e., metadata reflecting these communications). The storage period is three years (with respect to telecom providers) or one year (with respect to ISPs and message exchange services). In addition, local storage for a period of six months is required for the content of communications, including voice data, text messages, pictures, sounds, video or other communications. While the first requirement entered into force in July 2016, the second requirement came into force in July 2018.
Coverage Telecommunication sector, ISPs and message exchange services
Restrictions on data
RUSSIA
Since August 2014
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Government Decree №758 of 31 July 2014 and №801 from 12 August 2014
The Russian Government has given instructions to require public Wi-Fi user identification. The government decrees require that:
- ISPs should identify Internet users, by means of identity documents (such as passport);
- ISPs should identify terminal equipment by determining the unique hardware identifier of the data network;
- all legal entities in Russia are required to provide ISPs monthly with the list of the individuals that connected to the Internet using their network.
The data should be stored locally for a period of at least six months.
Later in 2015, the authorities proposed the following levels of fines for non-compliance:
- 5,000-50,000 rubles (approx. 60-140 USD) for individual entrepreneurs; and
- 100,000-200,000 rubles (approx. 1,400-2,600 USD) for legal entities.
The fines would be higher for repeat offenders.
Coverage ISPs providing public Wi-Fi
Sources
- http://www.themoscowtimes.com/news/article/russia-bans-anonymous-public-wi-fi/504855.html
- https://globalvoicesonline.org/2014/08/07/public-wifi-internet-id-passport-russia/
- http://cyberlaw.stanford.edu/page/wilmap-russia
- http://www.reuters.com/article/2014/08/08/us-russia-internet-idUSKBN0G81RV20140808
- http://www.minsvyaz.ru/ru/events/33687/
Restrictions on data
RUSSIA
From January 2015 until July 2017.
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
New provisions in the Federal law on information, information technologies and protection of information (often referred to as Blogger’s law)
Federal Law No. 276-FZ "On Amendments to the Federal Law "On Data, Information Technologies and Data Security"
The “Blogger’s law” was repealed in July 2017 by Federal Law No. 276-FZ. It required "organizers of information distribution in the Internet" (it is not clear which operators fall under this definition) to store on Russian territory information on facts of receiving, transfer, delivery and/or processing of voice information, texts, images, sounds and other electronic messages and information about users for six months from the end of these actions.
Blogs with more than 3,000 readers were required to register as "organizers of information distribution" and were therefore subject to this requirement. Platforms that did not comply with these requirements upon a second notice faced a fine of 500,000 rubles and could be blocked in Russia by Roskomnadzor. Russian services such as VKontakte, Yandex and Mail.Ru registered their activities.
Coverage "Organizers of information distribution in the Internet"
Restrictions on data
RUSSIA
Since June 2011, amended in October 2014
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Federal Law No. 161-FZ “On the National Payment System” dated June 2011 (the NPS Law) as amended in October 2014 by the Federal Law No. 319-FZ “On Amendments to the Federal Law on the National Payment System and Certain Legislative Acts of the Russian Federation”
The amendments to the National Payment System Law require international payment cards to be processed locally. The law requires international payment systems to transfer their processing capabilities with respect to Russian domestic operations to the local state-owned operator (National Payment Card System) by 31 March 2015.
The amendments are reported to be a response to the international political sanctions which prohibited certain international payment systems (e.g., Visa and MasterCard) from servicing payments on cards issued by sanctioned Russian banks.
Coverage International payment systems
Restrictions on data
RUSSIA
Since September 2015
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Federal Law no. 152-FZ “On Personal Data” (OPD-Law) as amended in July 2014 by Federal Law No. 242-FZ “On Amendments to Certain Legislative Acts of the Russian Federation for Clarification of Personal Data Processing in Information and Telecommunications Networks”
Russian data protection has been covered since 27 July 2006 by Federal Law no. 152-FZ, also known as the OPD-law (“On Personal Data”). In July 2014, the law was amended by the Federal Law No. 242-FZ to include a clear data localisation requirement. Article 18 §5 requires data operators to ensure that the recording, systematisation, accumulation, storage, update/amendment and retrieval of personal data of the citizens of the Russian Federation is made using databases located in the Russian Federation. This amendment entered into force on 1 September 2015.
It is not clear how restrictive the data localisation requirement is, but it appears that the OPD-Law does not prohibit accessing the servers from abroad and does not impose any special restriction on cross-border data transfers or duplication of personal data.
Websites that violate the prohibition could be placed on Roskomnadzor's blacklist of websites.
Coverage Horizontal
Sources
- http://www.linklaters.com/Insights/Publication1403Newsletter/TMT-News-8-December-2014/Pages/Russia-New-data-localisation-law.aspx#sthash.HzIuQIZq.dpuf
- http://privacylaw.proskauer.com/2015/08/articles/international/a-primer-on-russias-new-data-localization-law/
- http://us.practicallaw.com/2-502-2227#a445355
- Anupam Chander and Uyên P. Lê, 2015, Data Nationalism, Emory Law Review, 64, 677, p. 678-739. Available at http://law.emory.edu/elj/content/volume-64/issue-3/articles/data-nationalism.html
Restrictions on data
PAKISTAN
Since 2005
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Prohibition of data transfer
Although the transfer of data to third parties is not specifically regulated under the laws of Pakistan, data cannot be transferred to a country which is not recognized by Pakistan.
Currently, the list of countries not recognized by Pakistan includes: Israel, Taiwan, Kosovo, Somaliland, Nagorno-Karabakh, Transnistria, Abkhazia, Northern Cyprus, Sahrawi Arab Democratic Republic, South Ossetia and Armenia. This list may change from time to time.
Furthermore, data can only be transferred to India if such a transfer can be justified by the transferor.
Coverage Horizontal