AgentSkillsCN

privacy-data-protection

Use this skill when identifying the data privacy and protection laws that apply to your software product. Covers GDPR, CCPA/CPRA, LGPD, PIPL, PIPA, DPDPA, PIPEDA, and other global privacy regulations, with jurisdiction mapping, key obligations, and compliance triggers. Use for: GDPR, CCPA, CPRA, LGPD, PIPL, PIPA, DPDPA, PIPEDA, UK GDPR, data privacy compliance, data subject rights, consent management, cross-border data transfers, DPO requirements, breach notification. Do not use for: encryption implementation (use security/cryptography), data masking techniques (use security/data-protection), drafting specific DPAs (consult legal counsel).

SKILL.md
--- frontmatter
name: privacy-data-protection
description: |
    Use when identifying data privacy and protection laws that apply to your software product. Covers GDPR, CCPA/CPRA, LGPD, PIPL, PIPA, DPDPA, PIPEDA, and other global privacy regulations with jurisdiction mapping, key obligations, and compliance triggers.
    USE FOR: GDPR, CCPA, CPRA, LGPD, PIPL, PIPA, DPDPA, PIPEDA, UK GDPR, data privacy compliance, data subject rights, consent management, cross-border data transfers, DPO requirements, breach notification
    DO NOT USE FOR: encryption implementation (use security/cryptography), data masking techniques (use security/data-protection), specific DPA drafting (consult legal counsel)
license: MIT
metadata:
  displayName: "Privacy & Data Protection"
  author: "Tyler-R-Kendrick"
compatibility: claude, copilot, cursor

Privacy & Data Protection

Disclaimer: This skill provides general educational information about legal topics relevant to software development. It is not legal advice. Laws vary by jurisdiction and change frequently. Always consult a qualified attorney licensed in the relevant jurisdiction before making legal decisions for your organization.

Overview

Data privacy is the legal domain most likely to apply to any software company: nearly every country has enacted, or is drafting, data protection legislation. The obligations these laws impose, from establishing a lawful basis and obtaining valid consent, to honouring data subject rights within fixed deadlines, to reporting breaches within hours rather than weeks, shape software architecture, product design, and business operations. Knowing which laws apply and what each requires is the first step toward compliance.

Global Privacy Law Comparison

| Law | Jurisdiction | Effective | Scope | Key Rights | Penalties |
|---|---|---|---|---|---|
| GDPR | EU / EEA | 2018 | Any organisation processing personal data of individuals in the EU, regardless of where the organisation is established | Access, rectification, erasure, portability, objection | Up to 4% of global annual turnover or EUR 20M, whichever is higher |
| CCPA / CPRA | California, US | 2020 / 2023 | For-profit businesses meeting revenue, data-volume, or data-sale thresholds | Know, delete, correct, opt out of sale/sharing, limit use of sensitive PI | Up to $7,500 per intentional violation ($2,500 per unintentional), amounts adjusted for inflation |
| UK GDPR | UK | 2021 | Same scope as GDPR, retained in UK law after Brexit | Mirrors GDPR rights | Up to GBP 17.5M or 4% of global annual turnover, whichever is higher |
| LGPD | Brazil | 2020 | Similar to GDPR in scope | Access, correction, deletion, portability | Up to 2% of revenue in Brazil, capped at BRL 50M per infraction |
| PIPL | China | 2021 | Processing personal information of individuals in China, including from abroad when offering them goods or services or analysing their behaviour | Access, correction, deletion, portability | Up to RMB 50M or 5% of the previous year's revenue |
| PIPA | South Korea | 2011 (amended 2023) | Broad scope covering personal information | Access, correction, deletion | Up to 3% of revenue |
| DPDPA | India | 2023 (enacted; commencement phased) | Processing digital personal data in India, or outside India in connection with offering goods or services to individuals in India | Access, correction, erasure, nomination | Up to INR 250 crore (approx. USD 30M) |
| PIPEDA / Bill C-27 | Canada (federal) | 2000 / lapsed | Commercial activity involving personal information | Access, correction | Up to CAD 100K per offence under PIPEDA |
| APPI | Japan | 2022 (amended) | Handling personal information of individuals in Japan | Access, correction, deletion | Up to JPY 100M for organisations |
| Privacy Act | Australia | 1988 (amended) | Organisations meeting size or activity thresholds (generally annual turnover above AUD 3M, with exceptions) | Access, correction | Civil penalties up to the greater of AUD 50M, three times the benefit obtained, or 30% of adjusted turnover |

Bill C-27, which would have replaced PIPEDA's private-sector rules with the Consumer Privacy Protection Act, died on the Order Paper when Parliament was prorogued in January 2025; PIPEDA remains the governing federal statute.

Universal Obligations

Most privacy laws share a common set of core obligations. While specific requirements differ, preparing for these areas will provide a strong compliance foundation across jurisdictions:

  • Lawful basis for processing — You must identify a recognised legal basis (consent, contract, legitimate interest, legal obligation, etc.) before collecting or processing personal data, and document which basis applies to each purpose. Consent is only one of the options, and often not the best one: it can be withdrawn at any time.
  • Consent management — Where consent is the lawful basis, it must be freely given, specific, informed, and unambiguous (an affirmative act, not a pre-ticked box). Under GDPR, withdrawing consent must be as easy as giving it. You need mechanisms to obtain, record, and withdraw consent per purpose, and to prove later what a given person agreed to and when.
  • Data subject rights — Individuals have the right to access, correct, delete, and (in many laws) port their data. Your systems must be able to respond within the legally mandated timeframes, for example one month under GDPR (extendable by two months for complex requests) and 45 days under CCPA (extendable once by 45 days).
  • Breach notification — Most laws require notification to regulators and affected individuals within strict timelines. Under GDPR the supervisory authority must be notified within 72 hours of becoming aware of a breach, and affected individuals without undue delay where the breach is likely to result in a high risk to them. The clock starts at awareness, not at root-cause confirmation.
  • Cross-border data transfer restrictions — Transferring personal data across national borders often requires a specific legal mechanism (see below).
  • Records of processing — Organisations must maintain documented records of what personal data they process, why, on what lawful basis, where it is stored, who receives it, and how long it is retained (GDPR Art. 30 records of processing activities).
  • Data Protection Officer (DPO) or privacy officer — Many laws require or recommend appointing a dedicated privacy officer. GDPR requires a DPO for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special-category data.
  • Privacy impact assessments — High-risk processing requires a formal assessment of privacy risks and mitigations before the processing begins (a Data Protection Impact Assessment, DPIA, under GDPR Art. 35).
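The consent-management and records-of-processing bullets above describe a data structure more than a legal rule: an append-only record of who agreed to what, under which notice, and when they withdrew. The following is an added example, not code from this skill or its author, of such a ledger in Python. The class names, purpose strings ("marketing", "analytics"), notice versions and the subject "u-42" are constructed for the example; the point is that withdrawal is a new event rather than a deletion, that consent is checked per purpose and at a point in time, and that a grant collected under an outdated notice can be treated as stale.

```python
"""Append-only consent ledger with point-in-time validity checks (illustrative example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(iso: str) -> datetime:
    """Parse an ISO-8601 string as a UTC timestamp (helper for the constructed sample data)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    """One grant or withdrawal. A withdrawal is a new event; the original grant is never deleted."""
    subject_id: str
    purpose: str          # consent is purpose-specific: "marketing" does not cover "profiling"
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # timezone-aware timestamp of the event
    notice_version: str   # version of the privacy notice the subject actually saw
    evidence: str         # how it was captured, e.g. "checkbox:signup-form" (must be an affirmative act)


class ConsentLedger:
    """Records are only ever appended, so the ledger doubles as the audit trail a regulator asks for."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def is_consented(self, subject_id: str, purpose: str, at: Optional[datetime] = None,
                     current_notice_version: Optional[str] = None) -> bool:
        """True only if the most recent event for (subject, purpose) at or before `at` is a grant.

        If `current_notice_version` is given, a grant collected under a different notice version
        is treated as stale, so callers learn that re-consent is needed after a material change.
        """
        at = at or datetime.now(timezone.utc)
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= at:
                if latest is None or ev.at >= latest.at:   # same-instant tie: the later append wins
                    latest = ev
        if latest is None or not latest.granted:
            return False
        if current_notice_version is not None and latest.notice_version != current_notice_version:
            return False
        return True

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Every event for one subject, oldest first: the evidence for an access request or an audit."""
        return sorted((e for e in self._events if e.subject_id == subject_id), key=lambda e: e.at)


def demo_ledger() -> ConsentLedger:
    """Constructed sample: consent to two purposes at signup, marketing consent later withdrawn."""
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("u-42", "marketing", True, utc("2024-01-10T09:00:00"), "v3", "checkbox:signup-form"))
    ledger.record(ConsentEvent("u-42", "analytics", True, utc("2024-01-10T09:00:00"), "v3", "checkbox:signup-form"))
    ledger.record(ConsentEvent("u-42", "marketing", False, utc("2024-03-01T12:00:00"), "v3", "link:unsubscribe-footer"))
    return ledger


if __name__ == "__main__":
    led = demo_ledger()
    print(led.is_consented("u-42", "marketing", at=utc("2024-02-01T00:00:00")))  # True: before withdrawal
    print(led.is_consented("u-42", "marketing", at=utc("2024-04-01T00:00:00")))  # False: withdrawn on 2024-03-01
    print(led.is_consented("u-42", "profiling", at=utc("2024-04-01T00:00:00")))  # False: never asked for this purpose
```

In production the same shape would be backed by a write-once store (or at least a table the application role can only INSERT into), and the `evidence` field would point at the exact UI element and notice text shown, because "we had a checkbox" is not enough to demonstrate compliance after the fact.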

Cross-Border Data Transfers

Moving personal data across national borders is one of the most complex areas of privacy compliance. The following mechanisms are commonly used:

| Mechanism | Used By | Description |
|---|---|---|
| Adequacy decisions | EU | The European Commission determines that a non-EU country (or a sector or framework within it) provides an essentially equivalent level of data protection; personal data may then flow there without further authorisation. |
| Standard Contractual Clauses (SCCs) | EU | Commission-approved contract templates that impose GDPR-equivalent obligations on the data importer in a non-adequate country. Since the Schrems II judgment the exporter must also carry out a transfer impact assessment and add supplementary measures where the importer's local law undermines the clauses. |
| Binding Corporate Rules (BCRs) | EU | Internally binding data protection policies approved by EU supervisory authorities for intra-group international transfers. |
| Data Privacy Framework (DPF) | US-EU | A self-certification framework, adopted in July 2023, under which certified US organisations may receive EU personal data. It replaced the invalidated Privacy Shield and covers only importers on the DPF list; UK and Swiss extensions exist. |
| APEC Cross-Border Privacy Rules (CBPR) | Asia-Pacific | A voluntary accountability certification enabling transfers among participating APEC economies, now being carried forward by the Global CBPR Forum. |

The UK has parallel tools for UK GDPR transfers (the International Data Transfer Agreement, or the UK Addendum to the EU SCCs), so a flow that is covered for the EU may still need separate paperwork for UK-origin data.

Compliance Triggers

Understanding when privacy laws apply to your organization is critical. The following triggers commonly bring software companies into scope:

| Trigger | Example |
|---|---|
| Collecting personal data from users | Sign-up forms, analytics tracking, cookies, device identifiers (IP addresses and advertising IDs are personal data under GDPR) |
| Processing data of residents in a regulated jurisdiction | An app offered in the EU app store collects user data; GDPR applies regardless of where the company is based |
| Meeting revenue or data volume thresholds | CCPA/CPRA applies to for-profit businesses with annual gross revenue above USD 25M (inflation-adjusted), or that buy, sell or share personal information of 100,000 or more consumers or households, or that derive 50% or more of revenue from selling or sharing personal information |
| Processing sensitive or special category data | Health data, biometric data, racial/ethnic origin, political opinions, sexual orientation; under GDPR these need an Art. 9 condition (often explicit consent) and typically a DPIA |
| Sharing or selling personal data to third parties | Ad tech integrations, data broker partnerships, analytics providers (CPRA treats cross-context behavioural advertising as "sharing", with its own opt-out) |
| Automated decision-making or profiling | Credit scoring, content recommendation, hiring algorithms (GDPR Art. 22 restricts solely automated decisions with legal or similarly significant effects) |
| Processing children's data | Apps or services directed at or knowingly used by minors (COPPA, GDPR Art. 8, UK Age Appropriate Design Code) |
| Operating in a regulated industry | Healthcare (HIPAA), finance (GLBA), education (FERPA) add sector-specific obligations on top of general privacy laws |

Best Practices

  • Always consult qualified privacy counsel. This overview identifies applicable laws and common obligations, but a licensed attorney can interpret how they apply to your specific product, data flows, and jurisdictions.
  • Conduct a data mapping exercise. Before you can comply, you must understand what personal data you collect, where it flows, where it is stored, and who has access. Data mapping is the foundation of every privacy program.
  • Implement privacy by design and by default. Minimize data collection, pseudonymize where possible, enforce purpose limitation, and set privacy-protective defaults for all users.
  • Build data subject rights into your architecture. Design your systems so that you can efficiently respond to access, deletion, correction, and portability requests within the legally mandated timeframes. That means knowing every store that holds a given person's data (including backups, logs, and third-party processors) and verifying the requester's identity before disclosing or deleting anything: an access request fulfilled for an impersonator is itself a breach.
  • Establish a breach response plan. Document who is responsible for what, how breaches are assessed for risk to individuals, which deadlines apply in each jurisdiction you operate in, and how notifications to regulators and to affected people are drafted and sent. Practise with tabletop exercises so the team can meet a 72-hour clock that starts the moment someone becomes aware of the incident.
  • Use lawful transfer mechanisms for cross-border data flows. Identify every international data transfer and ensure each one is covered by an appropriate legal mechanism (SCCs, adequacy, BCRs, etc.).
  • Keep consent records and processing logs. Regulators expect you to demonstrate compliance, not just assert it. Maintain auditable records of consent, processing activities, and privacy impact assessments.
  • Review and update your privacy program regularly. Privacy laws evolve rapidly. Schedule periodic reviews of your data practices, privacy notices, and compliance posture to keep pace with legal changes.
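The transfer-mechanism table above and the "use lawful transfer mechanisms" bullet both come down to one check you can run over a data map: for every flow leaving the EEA, is there an adequacy decision, or a mechanism that is actually valid for that importer? The example below is added here and is not part of this skill; it is a Python version of that check. The flow records, the vendor names and the `ADEQUATE` set are constructed for the example, and the adequacy set is an illustrative subset that must be taken from the Commission's current list in practice. It encodes the caveats from the table: DPF only covers certified US importers, and SCCs or BCRs without a transfer impact assessment are flagged.

```python
"""Audit a constructed data-flow inventory for EEA exports lacking a lawful transfer mechanism (illustrative example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE", "IT",
    "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO",
}
# Assumption for the example only: an illustrative subset of destinations with an EU adequacy
# decision. The authoritative list is the European Commission's and it changes over time.
ADEQUATE = {"GB", "CH", "JP", "KR", "CA", "NZ", "IL", "AR", "UY"}


@dataclass(frozen=True)
class Flow:
    name: str
    exporter_country: str            # ISO 3166-1 alpha-2 of the exporting entity
    importer_country: str            # ISO 3166-1 alpha-2 of the receiving entity
    importer: str                    # vendor or group entity receiving the data
    mechanism: Optional[str] = None  # "SCC", "BCR", "DPF" or None
    tia_done: bool = False           # transfer impact assessment completed (required alongside SCCs/BCRs after Schrems II)
    dpf_certified: bool = False      # importer appears on the DPF list (DPF covers only certified US organisations)


def assess_flow(flow: Flow) -> list[str]:
    """Return findings for one flow; an empty list means the transfer is covered."""
    findings: list[str] = []
    if flow.exporter_country not in EEA or flow.importer_country in EEA:
        return findings                  # not an EEA export, or the data stays inside the EEA
    if flow.importer_country in ADEQUATE:
        return findings                  # adequacy decision: no additional transfer tool needed
    if flow.mechanism == "DPF":
        if flow.importer_country != "US":
            findings.append("DPF only covers US importers")
        elif not flow.dpf_certified:
            findings.append("importer is not DPF-certified")
    elif flow.mechanism in ("SCC", "BCR"):
        if not flow.tia_done:
            findings.append(f"{flow.mechanism} in place but no transfer impact assessment")
    elif flow.mechanism is None:
        findings.append("no transfer mechanism")
    else:
        findings.append(f"unrecognised mechanism {flow.mechanism!r}")
    return findings


def audit(flows: list[Flow]) -> dict[str, list[str]]:
    """Map flow name -> findings, listing only flows that have at least one finding."""
    report: dict[str, list[str]] = {}
    for flow in flows:
        findings = assess_flow(flow)
        if findings:
            report[flow.name] = findings
    return report


# Constructed inventory for the example; the vendors are placeholders, not real organisations.
SAMPLE_FLOWS = [
    Flow("crm-to-us-saas", "DE", "US", "example-crm", mechanism="DPF", dpf_certified=True),
    Flow("analytics-to-us-vendor", "FR", "US", "example-analytics", mechanism="SCC", tia_done=False),
    Flow("support-to-in-bpo", "IE", "IN", "example-bpo"),
    Flow("backup-to-uk", "NL", "GB", "example-backup"),
    Flow("logs-to-us-siem", "DE", "US", "example-siem", mechanism="DPF", dpf_certified=False),
    Flow("hr-intragroup-to-sg", "AT", "SG", "group-entity-sg", mechanism="BCR", tia_done=True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FLOWS).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run on the sample inventory, the check passes the DPF-certified CRM vendor, the UK backup (adequacy) and the intra-group BCR transfer, and flags three flows: the analytics vendor on SCCs with no impact assessment, the Indian support processor with no mechanism at all, and the SIEM vendor that claims DPF but is not on the list. Wiring this into the data-mapping exercise turns "ensure each transfer is covered" from a periodic spreadsheet review into something that fails a build when a new processor is added without paperwork.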