Database

China's Telecommunications Regulations require all data collected inside China to be stored on Chinese servers. The US International Trade Commission reports that as a result of this regulation, Hewlett Packard, Qualcomm, and Uber were required to divest more than 50 percent of their businesses in China to Chinese companies, to avoid fines.

China instituted a licensing system for online taxi companies which requires them to host user data on Chinese servers.

Online maps are required to set up their server inside of the country and must acquire an official certificate.

China has data residency laws that declare companies can store the data they collect only on servers in country.

China instituted a licensing system for online taxi companies which requires them to host user data on Chinese servers.

The transfer abroad of data containing state secrets is prohibited.

Population health information needs to be stored and processed within China. In addition, storage is not allowed overseas.

The "Notice to Urge Banking Financial Institutions to Protect Personal Financial Information" states that the processing of personal information collected by commercial banks must be stored, handled and analysed within the territory of China and such personal information is not allowed to be transferred overseas.

The Marco Civil da Internet introduced specific penalties on internet connection and application providers for data privacy violation. Any or all of the following penalties can be applied, regardless of further penalties: warning; fine of up to 10% of the gross revenues of the economic group in Brazil; temporary suspension of activities; permanent suspension of activities.

The Personal Data Protection Law introduces fines up to 2% of gross annual turnover of the company or 50 million Reais (approx. 11 million Euros). The violation of privacy rules can also result in a suspension of business activities. The Law is now pending the final signature by the Brazilian President and will enter into force 18 months after the official publication in the Federal Official Gazette.

In May 2018, a case involving a Brazilian prosecutor suing Google and Yahoo for the de-indexation of search results associated with his name set a legal precedent for the right to be forgotten in Brazil.

Additionally, Brazil's Personal Data Protection Law (PLC 53/2018) formally introduced the right to be forgotten as one of the data subjects rights. The Law is now pending the final signature by the Brazilian President and will enter into force 18 months after the official publication in the Federal Official Gazette.

According to the Marco Civil da Internet, internet applications access logs should be retained for a minimum period of 6 months by the internet application provider, while connection records of ISPs should be retained for a minimum period of 12 months.

On request from the Police Authorities, administrative authorities or the Ministry of Public Prosecution, the six month and one year terms can be extended.

Similarly to the privacy regime in the EU, the Personal Data Protection Law allows the international transfer of personal data only in certain circumstances. The main conditions for such a transfer are that the recipient jurisdiction has an adequate level of data protection; the controller adduces adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given his/her consent explicitly; or the transfer is necessary for the performance of a contract between the data subject and the controller. Similarly to the European rules, the law applies extra-territorially to all companies that target Brazilian consumers even when the company is not established in the Brazilian market. The Law is now pending the final signature by the Brazilian President and will enter into force 18 months after the official publication in the Federal Official Gazette.

Brazil's Ministry of Planning, Development and Management issued guidelines which could force data localisation as a requirement for public procurement contracts involving cloud-computing services.

Brazil's central bank has proposed a regulation which would prohibit financial institutions and other institutions regulated by the Brazilian Central Bank from using cloud computing services from providers that store or process information outside Brazil.

Tthe General Data Protection Regulation (GDPR), which entered into force in May 2018, introduces burdensome administrative fines that can be imposed by the supervisory bodies. The upper limits for these fines are:
- EUR 10,000,000, or 2% of the infringing organization's total worldwide annual turnover of the preceding financial year, whichever is higher for infringement of the GDPR's obligations on data controllers, data processors, certification bodies, and monitoring bodies.
- EUR 20,000,000, or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher for infringement of the GDPR's principles on data processing (including conditions for consent), data subject's rights, data transfer to third countries and international organizations, and non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows.