The global landscape of data privacy regulation has expanded dramatically, with four major frameworks now governing how organizations collect, process, and share personal data: the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (collectively CCPA), Brazil's Lei Geral de Proteção de Dados (LGPD), and China's Personal Information Protection Law (PIPL). For organizations deploying AI systems internationally, understanding the similarities and critical differences between these frameworks is essential for building compliant data practices.
Scope and Applicability
GDPR
The GDPR applies to the processing of personal data of individuals in the EU by organizations established in the EU, or by organizations outside the EU that offer goods or services to EU individuals or monitor their behavior. Its extraterritorial scope means any organization processing EU residents' data must comply, regardless of physical presence in Europe. The regulation covers all personal data, defined broadly as any information relating to an identified or identifiable natural person.
CCPA/CPRA
The CCPA applies to for-profit businesses that collect California residents' personal information and meet at least one threshold: annual gross revenues exceeding $25 million, annually buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving 50 percent or more of annual revenues from selling or sharing consumers' personal information. Unlike GDPR, the CCPA is limited to for-profit entities and includes revenue and volume thresholds.
LGPD
Brazil's LGPD applies to any processing of personal data carried out in Brazil, where the data was collected in Brazil, or where the purpose of the processing is to offer goods or services to individuals in Brazil. Its scope closely mirrors GDPR's extraterritorial approach, making it applicable to international organizations serving the Brazilian market.
PIPL
China's PIPL applies to the processing of personal information of natural persons within China. It also has extraterritorial reach, applying to processing activities outside China that are for the purpose of providing products or services to individuals within China, analyzing or assessing the behavior of individuals within China, or otherwise specified by law. Organizations subject to PIPL's extraterritorial provisions must establish a dedicated entity or appoint a representative within China.
Legal Bases for Processing
The frameworks diverge significantly in how they structure the legal bases for data processing.
GDPR provides six legal bases: consent, contract performance, legal obligation, vital interests, public interest, and legitimate interests. Organizations may choose the most appropriate basis for each processing activity. For AI systems, legitimate interests and consent are the most commonly invoked bases.
CCPA takes a fundamentally different approach. Rather than requiring an affirmative legal basis for processing, the CCPA operates on a notice-and-opt-out model. Businesses may collect and use personal information for disclosed purposes without obtaining prior consent, but consumers have the right to opt out of the sale or sharing of their personal information. Sensitive personal information is subject to additional limitations on use.
LGPD closely follows the GDPR model, providing ten legal bases for processing including consent, legitimate interests, contract performance, and legal obligation. Like GDPR, the LGPD requires a specific legal basis for each processing activity.
PIPL requires consent as the default basis for processing and lists specific circumstances where consent is not required, including contract performance, legal obligations, public health emergencies, and public interest activities. Notably, PIPL does not include a legitimate interests basis comparable to GDPR's, making consent more central to its framework. Separate consent is required for processing sensitive personal information, transferring data cross-border, and disclosing data to third parties.
Individual Rights
All four frameworks grant individuals rights over their personal data, though the scope varies.
GDPR provides the most comprehensive set of rights: access, rectification, erasure, restriction of processing, data portability, objection to processing, and rights related to automated decision-making. The right to object to automated decision-making under Article 22, including the right to human intervention, is particularly relevant for AI systems.
CCPA grants the right to know what data is collected, the right to delete, the right to correct, the right to opt out of the sale or sharing of data, the right to limit use of sensitive information, and the right to non-discrimination for exercising rights. The CCPA does not include a specific right related to automated decision-making, though the CPRA amendments directed the California Privacy Protection Agency to issue regulations on this topic.
LGPD provides rights to confirmation of processing, access, correction, anonymization or deletion, data portability, information about sharing with third parties, information about the possibility of denying consent, and the right to request review of decisions made solely based on automated processing.
PIPL grants rights to know and decide on processing, restrict or refuse processing, access and copy data, portability, correction, deletion, and the right to request explanation of automated decision-making rules. Individuals also have the right to refuse decisions made solely through automated processing that have a significant impact on their rights.
Cross-Border Data Transfers
This is an area of significant divergence. GDPR permits transfers to countries with adequate data protection or through mechanisms such as Standard Contractual Clauses, Binding Corporate Rules, or the EU-U.S. Data Privacy Framework. CCPA does not impose specific restrictions on international data transfers, though it requires disclosure of sharing practices.
LGPD permits transfers to countries with adequate protection, pursuant to contractual clauses, or with the data subject's prior and specific consent. PIPL imposes the strictest transfer requirements. Critical information infrastructure operators and processors of large volumes of personal information must store data in China and pass a security assessment conducted by the Cyberspace Administration of China before any cross-border transfer. Other organizations may use security assessments, standard contracts, or certification to transfer data abroad.
Enforcement and Penalties
GDPR fines can reach 20 million euros or 4 percent of global annual turnover, whichever is higher, and the regulation has resulted in penalties exceeding one billion euros in individual cases. The CCPA provides for civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation, plus a private right of action for data breaches. LGPD penalties can reach 2 percent of the company's revenue in Brazil, capped at 50 million reais per violation. PIPL penalties can reach 50 million yuan or 5 percent of annual revenue for serious violations, and responsible individuals may be fined between 100,000 and 1 million yuan.
Implications for AI Systems
Organizations deploying AI systems globally must navigate these overlapping but distinct frameworks. Training data practices must comply with the lawful basis requirements of each applicable jurisdiction. Automated decision-making provisions under GDPR, LGPD, and PIPL require explainability and human oversight capabilities. Cross-border data transfers for AI training and deployment must satisfy each framework's transfer mechanisms, with PIPL imposing the most restrictive requirements.
Building a unified compliance program that satisfies all four frameworks requires identifying the strictest requirements in each area and engineering AI systems to meet those standards globally, while retaining the flexibility to implement jurisdiction-specific processes where the frameworks diverge.