
Title: Sheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories
Author: Graham Greenleaf
EAP Date (approved for print): 14 April 2014
DOI: 10.3778/JLIS.2014.23.Greenleaf.1



Note to users: Articles in the Epubs ahead of print (EAP) section are peer
reviewed accepted articles to be published in this journal. Please be aware
that although EAPs do not have all bibliographic details available yet, they
can be cited using the year of online publication and the Digital Object
Identifier (DOI) as follows: Author(s), Article Title, Journal (Year), DOI, EAP
(page #).
The EAP page number will be retained in the bottom margin of the printed
version of this article when it is collated in a print issue. Collated print
versions of the article will contain an additional volumetric page number.
Both page citations will be relevant, but any EAP reference must continue to
be preceded by the letters EAP.

ISSN-0729-1485
Copyright © 2014 University of Tasmania
All rights reserved. Subject to the law of copyright no part of this publication
may be reproduced, stored in a retrieval system or transmitted in any form or
by any means electronic, mechanical, photocopying, recording or otherwise,
without the permission of the owner of the copyright. All enquiries seeking
permission to reproduce any part of this publication should be addressed in
the first instance to:
The Editor, Journal of Law, Information and Science, Private Bag 89, Hobart,
Tasmania 7001, Australia.
editor@jlisjournal.org


http://www.jlisjournal.org/

Sheherezade and the 101 Data Privacy Laws:
Origins, Significance and Global Trajectories
GRAHAM GREENLEAF*

Abstract
It is forty years since enactment of Sweden's Data Act of 1973, the first
comprehensive national data privacy law, and the first such national law to
implement what we can now recognise as a basic set of data protection principles.
This article answers the question, 'How many countries now have data privacy
laws?', starting by defining a 'data privacy law'. The result is a global analysis of
data privacy laws and the international agreements relevant to each, and of Data
Protection Authorities and their interlocking associations.
The answer to the question documented in the accompanying Table of global data
privacy laws is that, as of mid-2013, 99 countries have such laws, a number
considerably higher than earlier commentators had assumed. By looking at the related
questions of the date at which such laws were enacted, and the regions of the world in
which they have arisen, we can see trends in development which indicate the future
direction of global development of data privacy laws.
The article also analyses which international agreements or requirements concerning
data privacy (OECD, EU, APEC, ECOWAS etc) affect which countries, and how
many relevant parties have enacted laws in accordance with the various agreements
or requirements. The extent to which data protection authorities (DPAs) are required
as part of data privacy laws is analysed, and existing DPAs identified. The
associations of DPAs in which each is involved are also identified, and the
implications of their overlapping but incomplete memberships.
The conclusion reached is that, given the continuing accelerating growth in the
number of such laws, it seems likely that, within a decade, data privacy laws will be
ubiquitous in that they will be found in almost all economically more significant
countries, and most others. This conclusion is supported by the number of official data
privacy Bills currently before legislatures or under government consideration in at
least 20 more countries. It is reinforced by the increasing importance of both
international agreements and associations of DPAs.
A Postscript reveals that there are now 101 laws, not 99, and Sheherezade can rest a
while.

* Graham Greenleaf, Professor of Law & Information Systems, University of New
South Wales.
The accompanying Tables are also available on SSRN/LSN (Legal Scholarship
Network) at <http://ssrn.com/abstract=2280875>. The data in the Tables and
article are as at 1 June 2013. Comments, additions and corrections are welcome to
<graham@austlii.edu.au>. The assistance of Marie Georges, David Banisar, Charles
Raab, Stewart Dresner, Laura Linkomies, Blair Stewart and Jill Matthews is
gratefully acknowledged. Responsibility for all content remains with the author.
Separate acknowledgments are provided in relation to the accompanying Tables.
Substantial work on this article was completed while the author was a Japan
Society for the Promotion of Science (JSPS) Visiting Fellow at Meiji University,
Tokyo, from September-December 2012.

Journal of Law, Information and Science Vol 23(1) 2014
Introduction
Sheherezade told Sultan Shahryar yet another fabulous tale from a far-off
land, but the Sultan was never satisfied, so each night Sheherezade brought
him another tale (and thus saved her head), until one thousand nights had
passed, and then one.[1] Like the thousand-and-one nights, the global history of
data privacy laws is a tale that grows with each successive telling, and it may
be that the steady growth of such laws in far-off lands will turn out to be the
secret of the survival of privacy in a rather hostile world. The meme of data
privacy, having escaped from the bottle over 40 years ago, is proving difficult
to put back in.[2] It is not a history that can boast 1001 data privacy laws, but it
does have 101, to which (dear reader) we shall now turn.
1 A Surprising Lacuna
It is forty years since Sweden's Data Act 1973 was the first comprehensive
national data privacy law, and the first such national law to implement what
we can now recognise as a basic set of data protection principles.[3] 'How many
countries now have data protection laws?' seemed like a fairly
straightforward question when it was asked of me in June 2011.[4] The usual
answer, including mine, was somewhat vague: 'about sixty' or perhaps a
well-informed respondent might have said 'more than sixty'.[5]

[1] Sir R Burton, (trans) Tales from the Arabian Nights (Avenel Books, 1975).
Sheherazade, Scheherazade, Šahrzād and Shahrzād are among many
spellings of her name in different sources. The story goes that the Sultan would
marry a new wife each day, but next morning would have her beheaded, from fury
at his first wife's unfaithfulness. Sheherezade, the daughter of his Vizier, offered to
marry him, and on the first night told him a tale that had him enthralled, until
dawn broke but the tale was unfinished, so he asked her to return the next night to
finish it. And each night she would start a new tale, not finish it (thus saving her
sisters), and keep returning for one thousand nights, and then one.
[2] 'The effectiveness of data privacy principles comes as much from their ideological
effect and their global nature as from their enforcement (which is often lacking).
Forty years of data privacy laws have created a language of data privacy, and a set
of ethical standards to which most companies and governments feel obliged to at
least give lip service. Attempts to break the power of this discourse by creation of
alternative language/ethical standards, particularly the push for
'accountability' have failed as yet but are a continuing threat to the hegemony
of conventional data privacy principles.': G Greenleaf, 'Global data privacy in a
networked world' in I Brown (ed), Research Handbook on Governance of the Internet
(Edward Elgar, 2013) <http://ssrn.com/abstract=1954296>.
[3] In 1970 both the USA's Fair Credit Reporting Act and a data protection law for
public sector in the Lander of Hessen, Germany, had included sets of data
protection principles, but did not have the scope required for laws considered here.

No resources could be found to give a convenient and convincing answer,[6]
leading to successive attempts to provide such an answer, of which this is the
third over two years. The first[7] showed that at least 76 countries had enacted
data privacy laws by mid-2011. Six months later, new laws and further
investigation showed there were at least 89 countries with such laws.[8] The last
18 months have seen a moderate expansion in global data privacy laws. Since
the previous analysis listing 89 countries, there have been new data privacy
laws enacted covering the private sector in Ghana, Georgia[9], Nicaragua, the
Philippines, and Singapore (private sector only). To the list must also be
added laws omitted previously from Kosovo and Greenland (a Danish
territory which is still subject to Denmark's old data protection law). That
brings the total to 96. However, as discussed below, there are also at least
three data privacy laws,[10] both new and pre-existing, concerning the public
sector only (Yemen, Zimbabwe and Nepal), which need to be added, bringing
the total to 99.
The Table of Data Privacy Laws at the conclusion of this article lists all
countries (including otherwise independent legal jurisdictions) which have
enacted data privacy laws; the principal law; when enacted; its sectoral
coverage (only private sector; only public sector; or both sectors); the
international data privacy commitments of the country, or the international
recognition its laws have received; whether it has a data protection authority
(named if so); and the international associations in which that DPA is
involved. A separate Table of Official Bills lists known official Bills not yet
enacted. The picture that will emerge from the analysis of the growth of these
laws over time is that data privacy laws are spreading globally, and their
number and geographical diversity accelerating since 2000. Growth of data
privacy laws is not yet flattening off.

[4] By James B Rule, author of Private Lives and Public Surveillance (Allen Lane, 1973),
and many other distinguished works on privacy. That book was published the
same year as the Swedish Data Act was enacted, and shortly before Michel Foucault
published that other early classic of surveillance studies, Discipline and Punish: The
Birth of the Prison in 1975.
[5] For example, Professor Lee Bygrave, very well informed in these matters, was
sufficiently cautious to write in a 2010 global analysis of data privacy
developments that 'well over 40 countries' have data privacy laws: L Bygrave,
'Privacy and Data Protection in an International Perspective' (2010) 56 Scandinavian
Studies in Law 165, 166
<http://www.uio.no/studier/emner/jus/jus/JUR5630/v11/undervisningsmateriale/>.
[6] One early such Table was by Christopher Millard, 'European Data Protection Laws
Chart' (May 1997) Privacy Laws & Business Newsletter.
[7] G Greenleaf, 'Global data privacy laws: 40 years of acceleration' (September 2011)
(issue 112) Privacy Laws & Business International Report 11
<http://ssrn.com/abstract=1946700>.
[8] G Greenleaf, 'Global Data Privacy Laws: 89 Countries, and Accelerating' (February
2012) (issue 115) Privacy Laws & Business International Report, Special Supplement
<http://ssrn.com/abstract=2000034>.
[9] The Georgian Law on Personal Data Protection was enacted on 28 December 2011
and entered into force on 1 May 2012.
[10] Inclusion of a fourth public sector law, from Georgia, is unnecessary because it has
now passed data protection legislation.

The number, growth and geographical distribution of data protection laws are
significant. As Bennett and Raab said in their leading text in 2006, 'over the
past thirty or more years, comprehensive and general data protection laws
have been regarded as essential tools for regulating the use of personal
data'.[11] By tracking their occurrence we can obtain insights into the global
progress of protection of data privacy as a human right, into the extent to
which certain practices are becoming entrenched in the world's legal systems
(and therefore increasingly difficult to remove), and into the likely future rate
of occurrence of new data protection laws in other countries. These matters
affect the global geo-politics of privacy protection. Such information is also
significant for more academic enquiries, such as into the extent (and success)
of data protection laws as a transplant into legal cultures in which they were not
previously found.
2 What is a Data Privacy Law?
Before answering a simple question, it is sometimes necessary to answer some
more complex questions first. In this case, before starting to count data
privacy laws it is necessary to answer: 'What is a country?'; 'What is a law?';
'What scope must a law have?'; 'What data privacy principles must a law
include?'; and 'How effective must a law be?' The overall approach taken here is
to attempt to define what are the minimum criteria that reasonable and
impartial observers could agree constitute a 'data privacy law' or 'data
protection law' when satisfied. The factors are used to determine which
countries' laws are included in the concluding Tables.
2.1 What is a country?
In this analysis, 'countries' is a slight exaggeration, and a more accurate term
would be 'separate legal jurisdictions'. The Table includes the two Special
Administrative Regions (SARs) which have constitutionally different legal
systems from the rest of China (Hong Kong and Macao, under the principle of
'One Country, Two Systems') and five British dependent territories which
have their own legal systems (the Isle of Man, Jersey, Guernsey, Gibraltar and
the Bahamas). By the same reasoning it includes the Qatar Financial Centre
(QFC) and the Dubai International Finance Centre (DIFC), because these
areas, somewhat similar to special economic zones, have data privacy laws
which apply to all business carried out within the QFC and DIFC, and their
own administrations, data protection authorities and courts to enforce such
laws. Geographically, they may be like miniature versions of Hong Kong, but
the size of a jurisdiction is little indication of how much personal data may be
processed within it or transferred to or from it, so it seems best to include
them for completeness. Whatever view one takes of Taiwan as a country, it is
also included, as is Greenland (a Danish territory with a separate data privacy
law).

[11] C Bennett and C Raab, The Governance of Privacy: Policy Instruments in Global
Perspective (MIT Press, 2006).

However, sub-national jurisdictions which do not have their own separate
legal systems, or are subject to the laws of a federation in relation to data
privacy law, are not included. So states and provinces in Germany, Canada,
Australia, Spain, Switzerland and elsewhere with data privacy laws are
excluded even if they do sometimes provide some non-comprehensive
coverage of the private sector as well as covering the public sector.[12] Certain
provinces of the People's Republic of China which have enacted local laws
are excluded for similar reasons. State or provincial laws which only cover the
local public sector, are also excluded. Many of these sub-national laws are
quite significant sources of data privacy legislation and case law, or were
pioneers in data protection. Hesse in Germany, Quebec, Ontario and British
Columbia in Canada, and Victoria and New South Wales in Australia are
examples. It would be valuable to include such jurisdictions in a separate
Table, but this has not been done in this article. The result of this conservative
approach is that no country is included twice in the Table, but nor is any
jurisdiction unreasonably excluded.
2.2 What is a law?
The approach taken here is that a 'law' is what the word implies, and this is
not satisfied by a voluntary code of conduct or a trustmark scheme. A law
must set out data privacy principles (which ones are discussed later) in a
specific fashion, not only as a general constitutional protection for privacy, or
a civil action (tort) for infringement of privacy.
A law in this sense must make its data privacy principles enforceable, but
whether this is by criminal offences, civil penalties, administrative orders for
compensation, or a right of civil actions before the courts, is left open, as it
was (for example) in the original Council of Europe Convention. Most
jurisdictions with data privacy laws also have a Data Protection Authority
(DPA), a separate institution which has responsibility for the data privacy
legislation, but this is not a necessary requirement and was left open in the
Organisation for Economic Co-operation and Development (OECD) and
Council of Europe in 1981.

[12] A separate table detailing such laws would be desirable but has not been done.

2.3 What scope must a law have?
Nearly ninety per cent of all data privacy laws in the Table (88/99) cover both
the public sector and the private sector of a country, but there are two small
groups of exceptions that only cover one or the other sector, and they are both
included.
In relation to the private sector, to be included a law must cover most
economically significant aspects of the operation of the private sector. This
excludes countries which have only scattered sectoral privacy laws (eg credit
reporting or medical records laws). The USA, which has numerous limited
sectoral laws in the private sector is included not because of its private sector
laws, but only because of its federal public sector law. Many countries have
some exceptions in their private sector coverage, such as various forms of
small business exceptions (eg Japan and Australia), or exceptions for non-
automated records, or exceptions for the media (many countries), or for
employment records (Australia again). Such exceptions are not a basis for
exclusion. A law with largely comprehensive private sector coverage is
considered as covering that sector.
There is a small but growing group of countries (six at present), particularly
in Asia, with laws which only cover the private sector but provide no
protection in relation to the public sector: Singapore, Malaysia, Vietnam,
India, Qatar Financial Centre and Dubai International Finance Centre.
However, most jurisdictions which have laws with private sector coverage,
also have data privacy laws which cover their national public sectors (88/94).
Such protection is sometimes by different legislation from that covering the
private sector. Where there is a different law for the public sector it will often
have principles and enforcement mechanisms which differ significantly from
those applying to the private sector. Some jurisdictions which now have
private sector coverage initially only covered their public sectors, including
the OECD members, Australia, Japan, Canada and South Korea, with private
sector coverage only introduced up to 15 years later.[13] At least six jurisdictions
provide basic data privacy protection in relation to their public sector only
(the United States, Thailand, Yemen, Zimbabwe, St Vincent & the Grenadines,
and Nepal), but do not do so for their private sector according to the criteria
used here. As a federation, the US Privacy Act 1974 only covers the federal
public sector, but some states have equivalent laws.[14] As unitary countries, the
laws in the other countries cover their whole public sectors.

[13] The year stated in the Table under 'From' is the year from which legislation was
enacted which first provided the required coverage of either the private sector or
the public sector. So, for example, the year shown for Australia is 1988, even
though the Privacy Act 1988 operated for 13 years in relation to the public sector
only, and for a lesser period in relation to the credit industry, before most of the
private sector was added in 2001.

Are there other countries in this category? There are 94 countries that have
right to information (RTI) laws (also called freedom of information or FOI
laws).[15] Of these 94 countries with RTI/FOI laws, 37 do not otherwise have
data privacy laws.[16] While there are quite a few laws which go beyond only
providing access rights, such as by providing rights of correction of personal
information (eg the laws of Australia, China, the Cook Islands, Ethiopia,
Jamaica and South Africa), and some provide rights of compensation for
breaches of access rights, few go any further and provide other data privacy
rights such as limits on collection, use and disclosure, data security
requirements, or deletion/de-identification requirements. Of these 37 laws, an
analysis of the 25 available in English shows that only four of them could also
be considered to meet a minimum set of conditions to qualify as a data
privacy law for the public sector: the laws of Yemen, Zimbabwe, Nepal and
Thailand. The remaining 12 laws[17] (seven in Spanish, five in other languages)
could contain additional public sector data privacy laws, and while this does
not seem likely, it has not yet been conclusively assessed.[18] New RTI/FOI
laws are being enacted every year, so it is necessary when assessing the global
dissemination of data privacy laws to also keep these new RTI/FOI laws in
mind. The Table does not include any countries which might have public
sector privacy laws for some of their regional governments only (China might
qualify if it did).

[14] California, New York, Hawaii, Minnesota and Massachusetts have laws which
may constitute data privacy laws as defined here, limited to their state public
sectors. This has not been investigated fully. For details of such laws see P Swire
and K Ahmad, US Private Sector Privacy: Law and Practice for Privacy Professionals
(IAPP, 2012), or R E Smith, Compilation of State and Federal Privacy Laws (Privacy
Journal, 2013).
[15] The 94 countries with RTI/FOI laws are the 93 listed in the Global Right to
Information Website (AccessInfo and Center for Law and Democracy) as at 28
September 2012 <http://www.rti-rating.org/pdf/index.php>, plus Rwanda
whose law was enacted in 2013.
[16] This can be established by comparing the lists of countries with RTI/FOI laws with
the list of countries with data privacy laws set out in Greenleaf, above n 8. To the
89 listed there must be added Ghana, Georgia, Kosovo, Nicaragua, the Philippines,
Singapore and Greenland (Danish territory but with a different data protection
law). Thailand is already included in the list of 89 countries.
[17] Countries with FOI/RTI laws that might contain public sector data privacy laws:
Brazil, Dominican Republic, Ecuador, El Salvador, Guatemala, Honduras, Niger,
Panama, Rwanda, Turkey, Uganda and Uzbekistan.
[18] Based on brief advice received from local experts but not on a translation of the
laws.

2.4 What data privacy principles must a law include?
Standard texts on data privacy do not often define the minimum set of
principles which a law must contain to be considered a data privacy law, but
some go close to so doing. Bennett and Raab in 2006 refer to a strong
consensus that has emerged as to what are a set of twelve fair information
principles (FIPs),[19] which can be summarised as: accountability; purpose
identification; collection with knowledge and consent; limited collection to
where necessary for purpose (also called minimal collection); use limited to
identified purpose or with consent (finality); disclosure likewise; retention
only as long as necessary; data kept accurate, complete and up-to-date (often
called data quality); security safeguards; openness on policies and practices;
individual access; individual correction. When they discuss data protection
legislation, they at one point refer to the universal embodiment of these
twelve FIPs in national and sub-national laws, in the European Union (EU)
Directive, and then in legislation passed subsequent to that.[20] However, over
the following pages they are more realistic and note that some FIPs, such as
the data quality principles and finality principles, are only included in most
laws.[21]
Bygrave in 2003 also comes close to providing a set of necessary requirements
when he provides an overview of the basic principles applied by data
processing laws to the processing of personal data.[22] He then discusses fair
and lawful processing, minimality, purpose specification, information
quality, data subject participation and control, disclosure limitation,
information security and sensitivity.[23] Other than sensitivity these
categories are close to the FIPs of Bennett and Raab, but do not include all of
them. Neither Bennett and Raab nor Bygrave attempts to state a minimum set
of principles that should be included in a data privacy law, but both imply that
most of the principles in their lists should be included.
Another approach is to start with the two earliest international instruments
concerning data privacy, the OECD privacy Guidelines of 1981 and the
Council of Europe (CoE) Data Protection Convention 108 of 1981 (Convention
108) (without its 2001 Additional Protocol). It is reasonable to regard them as
providing the best guide to the minimum requirements of a data privacy law,
given that they existed for more than twenty years prior to the analysis of
both Bennett and Raab and Bygrave. That is the approach taken in this article.

[19] Bennett and Raab, above n 11, 12-13.
[20] Ibid 121.
[21] Ibid 121-125.
[22] L Bygrave, Data Protection Law: Approaching its Rationale, Logic and Limits (Kluwer,
2002) 57.
[23] Ibid Ch 3 'Core Principles of Data Protection Laws'.

The principles in those earliest two instruments can most simply be
summarised as the following 10 principles:
1. Data quality - relevant, accurate, & up-to-date.
2. Collection - limited, lawful & fair; with consent or knowledge.
3. Purpose specification at time of collection.
4. [Notice of purpose and rights at time of collection (implied)].
5. Uses & disclosures limited to purposes specified or compatible.
6. Security through reasonable safeguards.
7. Openness re personal data practices.
8. Access - individual right of access.
9. Correction - individual right of correction.
10. Accountable data controller with task of compliance.
Principles concerning minimal collection, retention limits and sensitive
information are not included, as they only became common requirements
later, and the aim here is to identify a basic set of data privacy principles with
some pedigree in international agreements and academic scholarship.
However, the question still arises whether a data privacy law must include
every aspect of the content principles of these two instruments? What may be
expressed as a single principle in these instruments may compact two
logically distinct principles, for example the use and disclosure limitation
principles, and the data subject's rights of access and correction. The
following Table breaks down the OECD and CoE content principles into 15
separate principles, and then states whether those principles can be found in
the laws of the 10 countries in Asia which could be regarded as having data
privacy laws (for Thailand a Bill only). These are a very diverse range of
countries, with influences on data protection laws coming from many sources,
and so would seem to provide a reasonable (and manageable) test set to assist
a decision on the content of a data privacy law.
| Jurisdictions[24] | HK | IN | JN | KR | MA | MY | PH | TW | SN | VN | TTL |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Collection limits (not excessive) | O | O | O | O | O | O | O | O | O | X | 9 |
| Collection by lawful means | O | X | O | O | O | X | O | O | O | O | 7 |
| Collection by fair means | O | X | O | O | O | X | O | O | O | O | 7 |
| Purpose of collection specified by time of collection | O | O | O | O | O | O | X | O | O | O | 9 |
| Collection with knowledge or consent, when from data subject | O | O | ? | O | O | O | O | O | O | O | 9 |
| Data quality - relevant, accurate, complete & up-to-date | O | X | O | O | O | O | O | O | O | O | 9 |
| Uses limited to purpose of collection, with consent or by law | O | O | O | O | O | O | O | O | O | O | 10 |
| Disclosure limited to collection purpose, with consent or by law (or stricter) | O | O | O | O | O | O | O | O | O | O | 10 |
| Secondary uses and disclosures only allowed if compatible (or stricter) | O | O | O[25] | O | O | X[26] | O | O | O | O | 9 |
| Secondary purpose specified at change of use (or stricter) | X | O | O | O | O | O | O | ? | O | X | 7 |
| Security safeguards[27] reasonable | O | O | O | O | O | O | O | O | O | O | 10 |
| Openness re policies on personal data | O | X | O | O | O | X | X | O | O | X | 6 |
| Access to individual personal data | O | O | O | O | O | O | O | O | O | O | 10 |
| Correction of individual data | O | O | O | O | O | O | O | O | O | O | 10 |
| Accountable data controller | O | O | O | O | O | O | O | O | O | X | 10 |
| Total for OECD/CoE principles /15 | 14 | 11 | 14 | 15 | 15 | 11 | 13 | 15 | 15 | 11 | Av 13.4 |

Table: OECD & CoE108 content principles, as found in laws of 10 Asian
jurisdictions ('O' indicates element is found in the law, 'X' indicates it is absent).

[24] Jurisdictions: HK = Hong Kong SAR; IN = India; JN = Japan; KR = South Korea;
MA = Macau SAR; MY = Malaysia; PH = the Philippines; TH = Thailand (Bill
only); TW = Taiwan; SN = Singapore; VN = Vietnam.
[25] Japan - All aspects of secondary use and disclosure under Japan's law depart from
OECD principles because of its special principle concerning website notification
and opt-out.
[26] Malaysia - Secondary uses are not so limited, but secondary disclosures are so
limited.
[27] Safeguards must be against loss or unauthorised access, destruction, use,
modification or disclosure.

While some countries do satisfy all 15 criteria (South Korea, Macau, Singapore
and Taiwan), the average is 13.4 principles over the 10 countries. It would be
too strict to require all 15. For example, there is no explicit openness
principle in six of the 10 laws, and only five of the 15 are satisfied by all 10
countries (use and disclosure limitations, security requirements, and data
subject access and correction rights). None fall below satisfying 11 of the 15.
While the selection of countries is not geographically representative, and
analysis of their laws should not determine any conclusions, the results found
nevertheless seem congruent with an informed intuitive approach as to what
a data privacy law should contain as a minimum.
Therefore, the assumption on which the following analysis of global privacy
laws is based is that a data privacy law must include as a minimum (i) access
and correction rights (individual participation), (ii) some finality principles
(limits on use and disclosure based on the purpose of collection), (iii) some
security protections; and (iv) overall, at least 11 of the 15 OECD/CoE
principles identified above.
Any such analysis will necessarily include some subjective judgments at the
margin of acceptability. In the above example, the inclusion of both India and
Vietnam is based on generous interpretations of their laws (in the absence of
any cases to negative such interpretations). The Indian law is replete with
ambiguities, including questions such as whether all or only some principles
apply to protect data subjects when data is received from a third party rather
than from the data subject. In relation to Vietnam, the principle of subject
access is not explicit and must be implied from the right of correction in what
are very short statements of sets of data privacy rights in two pieces of
legislation. It is also necessary to conclude that two laws, one dealing with e-
commerce and one with consumer rights, effectively cover the majority of
private sector personal data.
Many countries have laws covering parts of their private sector (eg credit
reporting, e-commerce or medical records), or requiring their private sectors
to comply with a particular data protection principle (eg aspects of data
security), but these do not meet the criteria for this study and the Table.
Recent examples are from Indonesia and Turkey (both concerning
e-commerce). Other examples are the many sectoral privacy laws in the USA
which deal with parts of the US private sector.[28] Nor do US private sector
privacy laws meet the criteria even if aggregated,[29] and possibly they could
not do so for constitutional reasons.[30]

[28] For details of such laws see Swire and Ahmad, above n 14; Smith, above n 14.

2.5 How effective must a law be?
This analysis only considers whether a data privacy law exists on paper (ie
has been enacted) and is in force. The assessment of how effectively a law is
enforced is half of the task of an EU adequacy assessment, and in each
instance such an assessment takes many weeks of work.[31] Apart from being
impossible for 98 countries, that is not the purpose of this analysis. While each
reader may have their own list of countries which they would suspect as
being very probably at the low end of enforcement effectiveness, depending
on what we know about them, in fact reliable information about enforcement
of most data privacy laws is difficult to obtain, and evaluation of impact
extremely difficult.[32] Also, the fact that such countries have data privacy laws
in force leaves open the possibility that enforcement arrangements can change
very quickly toward effectiveness. Laws are not ruled out, therefore, for lack
of evidence of effectiveness. That is a different enquiry from this.
Finally, for the purposes of this brief overview, it is important to note that
growth or expansion of data privacy laws cannot be equated with
improvement in privacy protection. Some privacy laws are simply not
enforced. Surveillance activities in both the private and public sectors can also
grow at the same time as laws are enacted and operational, and quite often do
when data privacy laws are a trade-off for, or a belated response to, more
intensive surveillance. Assessing the effectiveness or value of data privacy
laws is a far more complex task than is undertaken in this relatively simple
exercise.
2.6 The resulting global tabulation
To summarise the above discussion, in this article and the accompanying
Table, a country (including any independent legal jurisdiction) is considered
to have a data privacy law if it has one or more laws covering the most
important parts of its private sector, or its national public sector, or both, and
that law provides a set of basic data privacy principles, to a standard at least
approximating the minimum provided for by the OECD Guidelines or
Council of Europe Convention 108, plus some methods of officially-backed
enforcement (ie not only self-regulation). To approximate the OECD/CoE
standards, a law must provide individual participation, finality, security and
at least 11 of the 15 principles overall.

[29] For details see C Hoofnagle, Country Studies B.1 United States of America in D
Koff, (ed), Comparative study on different Approaches to new privacy challenges, in
particular in the light of technological developments (European Commission, 2010) 6.
Data protection principles
<http://ec.europa.eu/justice/policies/privacy/docs/studies/new_privacy_challenges/final_report_country_report_B1_usa.pdf>.
[30] See G Greenleaf and N Waters, Obama's Privacy Framework: An Offer to be Left
on the Table (October 2012) (issue 119) Privacy Laws & Business International Report
6-9, and references cited therein <http://ssrn.com/abstract=2187234>.
[31] The author has been involved in the preparation of five expert reports for such
assessments.
[32] See Bennett and Raab, above n 11, Ch 9 for a discussion of the difficulties.

3 The Global Diffusion of Data Privacy Laws Over 40 Years
Using this definition of a country with a data privacy law, the annexed Table
of Data Privacy Laws applies the definition to determine that 99 countries
currently have such laws, and lists them alphabetically. What can analysis of
this Table tell us about how these laws have developed globally over the last
40 years since Sweden was the sole national experiment in 1973? The most
obvious questions to ask are at what rate this expansion has occurred, and
where it has occurred. Answers to these questions will enable some informed
discussion of the likely rate and location of future global growth in data
privacy laws, and its implications.
3.1 Countries without data privacy laws: Heading toward a minority
A tabulation of countries with data privacy laws requires the complement to
be determined: how many countries have no such laws? There are at least 109
countries with no laws yet enacted, taking into account UN member states
and a number of non-member states.[33] If the 20 current Bills known are taken
into account (the Thai Bill is ignored because there is already a public sector
Act), there are 89 countries[34] with no Acts or Bills. The global distribution of
208 countries is therefore: 89 with no Acts or Bills; 20 with Bills; 99 with Acts.
It is clear from the list of countries with Bills that the numbers could change
quite soon. Enactment of six more Bills will put the number of countries with
data privacy laws in the majority. This is likely to occur in 2014. Of course,
the number of countries with laws is not the only indicator of significance, and
other measures based on the populations or economic significance of
countries could be used.

[33] The list in the following footnote includes UN observer states, a number of other
states that are not UN members, and UK territories. There may be some other
territories with separate legal systems not included.
[34] Countries with no Acts or Bills: Afghanistan; Algeria; Bahrain; Bangladesh;
Belarus; Belize; Bermuda***; Bhutan**; Bolivia; Botswana; British Virgin Islands***;
Brunei Darussalam; Burundi; Cambodia; Cameroon; Central African Republic;
Chad; China; Comoros; Congo, Republic; Congo, Democratic Republic; Cuba;
Djibouti; Ecuador; Egypt; El Salvador; Equatorial Guinea; Eritrea; Ethiopia; Fiji;
Gambia; Guatemala; Guinea; Guinea-Bissau; Guyana; Haiti; Honduras; Indonesia;
Iran; Iraq; Jordan; Kazakhstan; Kiribati; Korea, North; Kuwait; Lao PDR; Lebanon;
Lesotho; Liberia; Libya; Malawi; Maldives; Marshall Islands; Mauritania;
Micronesia; Mongolia; Mozambique; Myanmar; Namibia; Nauru; Oman; Pakistan;
Palau; Palestine*; Panama; Papua New Guinea; Rwanda; Samoa; Sao Tome and
Principe; Saudi Arabia; Sierra Leone; Solomon Islands; Somalia; Sri Lanka; Sudan;
Suriname; Swaziland; Syria; Tajikistan; Timor Leste; Togo; Tonga; Turkmenistan;
Tuvalu; Uganda; United Arab Emirates; Uzbekistan; Vanuatu; Vatican (Holy See)*;
Venezuela; Zambia (* = UN observer states; ** = Not UN member; *** = UK
territory). This list is constructed by starting with all UN member states and
observers, adding known independent jurisdictions, and then removing countries
with Acts or Bills. It is possible that some territorial jurisdictions with independent
legal systems are not yet included.

3.2 Growth by decade
The rate of expansion has averaged approximately 2.5 laws per year for 40
years, but it has not been a linear growth. The number of new data privacy
laws globally, viewed by decade, has grown as follows: 9 (1970s), +12 (1980s),
+20 (1990s), +39 (2000s) and +19 (3.5 years of the 2010s), giving the total of 99.
In the 1970s, data privacy laws were a western European phenomenon
(Austria, Denmark, Greenland, Germany, France, Norway, Sweden, and
Luxembourg), other than for the US public sector Act. The position was
similar in the 1980s (Finland, Iceland, Ireland, the Netherlands, San Marino,
the UK, and three territories related to the UK), with Israel as the first
non-European state in 1981, and Australia, Canada and Japan providing public
sector only legislation. Acceleration commenced in the 1990s, as most
remaining western European countries (EU and EEA) enacted laws (Belgium,
Italy, Greece, Monaco, Portugal, Spain, and Switzerland), with developments
in Portugal and Spain in conjunction with democratisation. More
significantly, with the collapse of the Soviet Union many former eastern bloc
countries enacted data privacy laws as part of their protection of civil liberties
(Albania, Czech Republic, Hungary, Poland, Slovakia, and Slovenia), and the
first ex-Soviet-republics (Azerbaijan and Lithuania) did likewise. The spread
outside Europe also started, with the first laws in Latin America (Chile) and
the first comprehensive laws in the Asia-Pacific (Hong Kong, New Zealand
and (with limitations) Taiwan, plus Thailand and South Korea's public sector
laws), also often related to increased democratisation.
In the 2000s the acceleration continued, and increased in almost all regions of
the world. Most striking was the expansion in the former eastern bloc and
Soviet republic countries (Bosnia & Herzegovina, Bulgaria, Croatia,
Estonia, Latvia, Macedonia (FYROM), Moldova, Romania, Serbia and
Montenegro, plus Russia itself, though not in force until 2011), plus the
addition of the remaining western European countries (Andorra, Cyprus,
Gibraltar, Liechtenstein and Malta). Outside Europe, expansion accelerated in
the Asia-Pacific (Macao SAR, and Nepal's public sector, and private sector
extensions of existing laws in Australia, South Korea, and Japan), Latin
America (Argentina, Colombia, Paraguay and Uruguay), and the Caribbean
(Bahamas, St Vincent & Grenadines). Rapid development took place in Africa
with new laws in Tunisia and Morocco (North Africa) and Benin, Burkina
Faso, Cape Verde, Mauritius, Senegal, Seychelles, and Zimbabwe's public
sector law (sub-Saharan Africa). The Kyrgyz Republic became the first
country in Central Asia to legislate in 2008, and the Dubai and Qatar Financial
Centres added the first laws in the Middle East. The noughties (2000-09) was
the first decade in which non-European expansion of laws (23) exceeded that
in Europe (16).
In the first three and a half years of this decade 19 new laws have been
enacted. All remaining European countries enacted laws (Faroe Islands,
Georgia, Kosovo and Ukraine), with the exception of Turkey (also the only
remaining OECD exception) and the two non-members of the Council of
Europe (Belarus and the Vatican). The Russian law also finally came into
force. Outside Europe, almost all regions have already shown continuing
expansion. Expansion outside Europe (15) continues to outstrip that within
Europe (3), and this will of necessity continue as the capacity for European
expansion is now largely exhausted. Growth comes from all regions: India,
the Philippines, Malaysia, Vietnam, and Singapore (the last three only private
sector) (Asia); Costa Rica, Nicaragua, Mexico and Peru (Latin America);
Angola, Gabon, and Ghana (Africa); St Lucia and Trinidad & Tobago
(Caribbean); and Yemen (public sector) (Middle East). So far, the 2010s are the
most intensive period of data protection development in the 40-year history
of the field, averaging more than five new laws per year.
There is also a continuing strengthening of existing law outside Europe in the
2010s, as has occurred in Hong Kong, South Korea, Australia, and Taiwan, to
consider only the Asia-Pacific.
3.3 Geographical expansion
Geographically,[35] more than half (53 per cent) of data privacy laws are still in
European countries (52/98), EU member states making up less than one third
(28/98), even with the expansion of the EU into Eastern Europe. There are
data privacy laws in all 28 member states of the European Union (counting
Croatia as of 1 July 2013), and a further 24 laws in other European countries
or jurisdictions (including the EEA states). Only a few European countries
remain without such laws (Belarus, the Holy See/Vatican, and Turkey).
There are nine laws in Latin America. In the Americas, there are also the laws in
Canada and the USA, and four laws in the Caribbean. In Asia there are now
12 of 27 countries with data privacy laws. Both Australia and New Zealand
have data privacy laws, but no countries in the Pacific Islands do so (the only
region with no such laws). In North Africa and the Middle East, there are six
such laws, and 10 in Sub-Saharan Africa. The French-speaking Association of
Personal Data Protection Authorities (AFAPDP), and France's CNIL have
both made efforts to encourage expansion of data privacy in African
francophone countries. The Kyrgyz Republic law is the first in Central Asia,
though Mongolia's laws also come close to qualifying.

[35] A recent map is by D Banisar, National Comprehensive Data Protection/Privacy
Laws and Bills 2013 Map (7 July 2013)
<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1951416>.

The geographical distribution of the 99 laws by region is therefore: EU (28);
Other European (25); Asia (12); Latin America (9); (sub-Saharan) Africa (10);
North Africa/Middle East (6); Caribbean (4); North America (2); Australasia
(2); Central Asia (1); Pacific Islands (0). So there are 44 data privacy laws
outside Europe, 47 per cent of the total. Because there is little room for
expansion within Europe, the majority of the world's data privacy laws will
soon be from outside Europe, probably by the middle of this decade.
3.4 Bills for new Acts: Where will expansion occur next?
The annexed Global Table of Data Privacy Bills lists known official Bills for new
Acts, both those which have been introduced into legislatures, and those
which are under official consideration by governments. Information is
included about the current known state of a Bill. Currently, there are 21 such
Bills known, based on reliable sources. As shown in the Table they are
primarily from the Caribbean (8) and Africa (8),[36] plus two from Latin
America (Brazil and the Falkland Islands), and one each from the Middle East
(Qatar, as distinct from the Qatar Financial Authority sub-region), Europe
(Turkey) and Asia (Thai private sector). Further research may reveal more
Bills under consideration but not yet listed. Some Bills are excluded because
they have not been enacted for a decade after introduction,[37] and some are
excluded because they appear to have been rejected by legislatures, not
merely delayed.[38]
The Table does not include Bills for revisions of existing Acts although these
are important in expanding the strength of data privacy laws globally, as
exemplified by legislation in the past two years in South Korea, Taiwan and
Hong Kong.

[36] From Africa they are: Ivory Coast, Kenya, Madagascar, Mali, Niger, Nigeria, South
Africa, Tanzania. From the Caribbean they are: Antigua & Barbuda; Barbados;
Cayman Islands; Dominica; Dominican Republic; Grenada; Jamaica; Saint Kitts and
Nevis.
[37] This includes Venezuela's 2003 (or earlier) Bill for a Law on Data Protection and
Habeas Data, which has been before the Science and Technology Committee of the
National Assembly but has not been introduced to the National Assembly for
formal discussion (information provided by John Tucker Barboza and Rob
Kenigsberg).
[38] This includes Ecuador's 2010 Bill for a Ley de Proteccion a la Intimidad y a los
Datos Personales, which was rejected and set aside by a plenary meeting of the
National Assembly on 4 October 2012 (information provided by Rob Kenigsberg).

3.5 Predicting growth and ubiquitous data privacy laws
For over two decades the rate of adoption of new data privacy laws per year
has been steadily increasing, and the regions of the globe that have such laws
have been steadily expanding. If the current rate of expansion for 2010-mid
2013 continues in a linear fashion, 50 new laws would result in this decade,
bringing the total to 140. On the other hand, continued acceleration would
make the total somewhere between 140 and 160 (ie 60 to 80 new laws this
decade). Even on the conservative (and almost certainly unrealistic)
assumption that the 2010s will see no more data privacy laws than the 2000s,
there would be 130 countries with data privacy laws by the decade's end,
with a large majority of the laws by then coming from outside Europe.

Figure 1: Growth of data protection laws by decade (to June 2013), with projections to
2020 (linear = 139; accelerating 160)
Even allowing for a few more legally distinct territories to be added, the total
number of jurisdictions globally is about 210. By the end of this decade, the
number of countries with data privacy laws, all of which have a strong
family resemblance, will be somewhere between 130 and 160 on the estimates
above, more likely toward the higher end. In other words, between 62 per
cent and 76 per cent of all jurisdictions globally will have data privacy laws in
only seven years' time, and global growth can be expected to continue beyond
2020. Whatever country numbers and growth rates are used, it seems likely
that at some year in the next decade the number of countries with data
privacy laws will reach a tipping point at which it becomes in the interests of
all jurisdictions wishing to participate in the global economy to have such
laws. It is not unrealistic to talk of global ubiquity of data privacy laws
within 50 years of the enactment of the first such national law in Sweden.
Ubiquity in this context means that almost all countries will have data
privacy laws, and most of their neighbours will have them, even if there are
still a few exceptions remaining.
There are other ways, potentially more useful, by which global expansion of
data privacy laws could be measured, say by the populations of the countries
concerned, or by their GNP, or GNP per head, or other measure of economic
significance. These could show different trends, and would be valuable, but
may not be necessary for the purposes of this research. Inspection of the list of
119 countries in the two Tables which already have data privacy laws or have
official Bills, in comparison with the above-noted list of 89 that do not, makes
it obvious that data privacy laws are found in almost all the world's larger
and more economically significant countries. If one adds Brazil, South Africa,
Nigeria or Kenya from the list of countries with official Bills, the picture is
even more clear. Two of the few economically highly significant countries in
the list of countries with no laws or Bills are China and Indonesia. Indonesia
has, in 2012, enacted a data privacy regulation for e-commerce and is reported
to be drafting a comprehensive law.[39] China is enacting a mosaic of data
privacy laws in economically significant sectors, but could move to a
comprehensive data privacy law.[40] India has legislated, though poorly and
idiosyncratically, and there is considerable internal and external pressure on
India to enact more conventional comprehensive legislation. South Africa's
legislation has almost completed its passage, and Brazil's may do so in 2013:
another BRIC in the wall, we could say.
3.6 Enough on quantity! What quality do these laws have?
Although an OECD/CoE minimum standard has been used to define a data
privacy law (and inclusion in the Table), this should not lead to the mistaken
assumption that only such a minimum standard of data protection is what is
achieved by the laws from countries outside Europe.[41] Analysis of 33/39
countries outside Europe with data protection laws as at December 2010,[42]
showed that in relation to 10 principles that were more strict than the
OECD/CoE basic principles, the 33 non-European laws on average exhibited
7/10 of those principles. Some of these additional European principles
occurred in more than 75 per cent of the 33 countries assessed, namely
border-control data export restrictions (28/33); additional protection for
sensitive data (28/33); deletion requirements (28/33); recourse to the courts
(26/33); minimum collection (26/33); and specialist data protection agencies
(25/33). The number of non-European laws has now expanded to 44, but the
new laws seem to be at least as strong as in previous decades. In addition,
many existing laws are being strengthened to keep up with rising
expectations of privacy protection, international agreements, and the
examples set by other countries (see the Latest column in the Table). This is
important, because the strength or quality of data privacy laws is rising
globally, as well as their number.

[39] G Greenleaf and S Rosadi, Indonesia's data protection Regulation 2012: A brief
code with data breach notification (2013) (issue 122) Privacy Laws & Business
International Report 24-27.
[40] G Greenleaf and G Tian, China expands data protection through new 2013
guidelines (2013) (issue 122) Privacy Laws & Business International Report 1, 4-6; G
Greenleaf, China's NPC Standing Committee privacy Decision: A small step, not a
great leap forward (issue 121) Privacy Laws & Business International Report 1, 4-6,
February 2013.
[41] Laws in European countries can be assumed to exhibit generally higher standards,
because of the requirements of the EU Directive, and the Additional Protocol to the
CoE Convention.
[42] G Greenleaf, The Influence of European Data Privacy Standards Outside Europe:
Implications for Globalisation of Convention 108 (2012) 2(2) International Data
Privacy Law, <http://papers.ssrn.com/abstract_id=1960299>.

4 International Commitments and Recognition
International agreements concerning data protection have had a considerable
influence on adoption of data privacy laws for 30 years since the drafting of
both the OECD's privacy Guidelines and the Council of Europe Data
Protection Convention at the outset of the 1980s. Since then, developing in
part out of the Council of Europe data protection Convention, the European
Union's data protection Directive of 1995 has been the most influential
international instrument, the Economic Community of West African States
(ECOWAS) Supplementary Act on data protection has spurred data privacy
laws in West Africa, and the Asia-Pacific Economic Cooperation's (APEC)
Privacy Framework has created regular opportunities for discussion of
privacy issues among some Asia-Pacific jurisdictions.
To complete this global survey it is necessary to look at penetration of both
international instruments dealing with data privacy, and international
associations of data protection authorities. Analysis of the substance and
significance of these instruments and associations is largely beyond the scope
of this article, which aims more at analysis of which countries are affected by
them.
4.1 The EU and adequacy
All 28 member states of the European Union are required to have data
privacy laws which implement the EU data protection Directives, and all do
so (see the Table). Four additional countries have applied to join the EU,[43] and
one of these (Turkey) does not yet have a data privacy law. The European
Economic Area (EEA) includes the European Union member states plus
Iceland, Norway and Liechtenstein, all of which have data privacy laws
consistent with the Directive, resulting from the EEA Treaty. Steps to develop
a Regulation to replace most aspects of the Directive, and increase the level of
protection, are continuing.
Countries or jurisdictions outside the EEA can obtain from the European
Commission a decision that their laws provide an adequate level of
protection of privacy, to enable free flow of personal data from EU member
states to organisations in those countries.[44] As yet, the EC has only made such
decisions in relation to twelve jurisdictions as a whole, a minority of which
are of economic or political significance,[45] the most recent being Uruguay and
New Zealand.

[43] Former Yugoslav Republic of Macedonia (FYROM); Iceland; Montenegro; Turkey.
Croatia's membership dates from July 2013.

4.2 Council of Europe data protection Convention 108
With the recent new law in Georgia and ratification by Russia, forty-five of
the forty-seven Council of Europe member states have now ratified the
Council of Europe Convention 108, and have data privacy laws. Turkey has
signed but not ratified the Convention and is now the only Council of Europe
member state not to have enacted a data privacy law, following recent
enactments by Armenia and Georgia. San Marino has not signed or ratified,
but does have a law. Belarus is not a Council of Europe member because of
human rights concerns, and the Vatican is not a member because it is not a
democracy.
The Additional Protocol (ETS 181) to the Convention also requires a
commitment to data export restrictions and to an independent data protection
authority, and brings the standards of the Convention up to approximately the
same level as the Directive. Forty-three member states have signed the
Additional Protocol (Georgia only in May 2013), and 33 have subsequently
ratified it (plus Uruguay). Twelve countries that have ratified the Convention
(plus three territories on whose behalf the UK acceded to the Convention) have
not ratified the Additional Protocol. Where a Council of Europe member has
ratified both Convention 108 and the Additional Protocol, it is extremely
unlikely as a matter of practice that data exports to that country from EU
member states would be prevented, so obtaining an adequacy finding under
the Directive appears to be largely irrelevant in practice. This is noted in the
Table.
Since 2008, the Council of Europe has made it clear that it wishes the
Convention and Optional Protocol to become global agreements, and that it
welcomes requests by states outside Europe with suitable data privacy laws
to apply to accede to both. Uruguay was the first non-European state to be
invited to do so, and in 2013 acceded to and ratified the Convention and the
Additional Protocol.[46] The second globalisation invitation was also issued to
Morocco. The Convention is now in a process of modernisation which if
successful will incorporate both the existing Convention and the Optional
Protocol.[47]
An adequacy finding from the EU does not impose any reciprocal obligations
on the recipient to allow free flow of personal data from it to EU countries.
This obligation does arise when countries outside the EU (including other
European countries) become members of the Council of Europe Convention
108.

[44] See EU website for adequacy decisions
<http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm>.
[45] Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of
Man, Jersey, New Zealand and Uruguay (and not Australia as a whole, despite the
appearance to the contrary of the EC website).
[46] G Greenleaf, Uruguay starts Convention 108's global journey with accession
(2013) (issue 122) Privacy Laws & Business International Report 20-23.

4.3 The OECD and its Guidelines
All of the 34 OECD member countries,[48] other than Turkey and the USA (in
relation to the private sector), now have a data privacy law implementing the
OECD's privacy Guidelines of 1981. The OECD's plans for enlargement[49]
mean that more countries in future will be likely to be influenced by the
OECD privacy Guidelines to adopt data privacy laws. The OECD is currently
revising the Guidelines.
4.4 Regional agreements between countries
The following regional groupings of countries are all relevant to the
development of data privacy laws (with the exceptions of the South Asian
Association for Regional Cooperation (SAARC) and the Common Market of
the South (Mercado Común del Sur) (MERCOSUR)), and their memberships are
therefore noted in the Tables. At present, the ECOWAS, APEC and the
Association of Southeast Asian Nations (ASEAN) groupings are probably the
most significant, but the development of regional data privacy agreements is
likely to play a more significant role on all continents in future.
Four fifths (17) of the 21 APEC member economies[50] do have data privacy
laws in at least one of the two sectors (see the Table), but four do not (Brunei;
Indonesia; China; and Papua New Guinea). Thailand and the USA have
public sector only laws, and Malaysia and Vietnam have private sector only
laws. Thailand has a Bill for a comprehensive law being re-drafted for its
Cabinet. It is still possible that APEC will expand beyond 21 members, but
unlike the EU, its membership currently seems frozen. Numerous countries
have been trying to join for some time, without success.[51] APEC membership
and the APEC Privacy Framework mean little more than voluntary
participation in six-monthly discussions of APEC's data privacy sub-group
(useful though that is). APEC's Cross-Border Privacy Rules (CBPR) does not
yet have any members fully operational with an endorsed Accountability
Agent, so involvement in it is not yet noted in the Table.

[47] G Greenleaf, Modernising Data Protection Convention 108: A Safe Basis for a
Global Privacy Treaty? (2013) 29(4) Computer Law & Security Review (forthcoming).
[48] List of OECD Member Countries
<http://www.oecd.org/general/listofoecdmembercountries-ratificationoftheconventionontheoecd.htm>.
[49] In May 2007, OECD countries agreed to invite Chile, Estonia, Israel, Russia and
Slovenia to open discussions for membership of the Organisation and offered
enhanced engagement to Brazil, China, India, Indonesia and South Africa: See
OECD, Members and partners (2013)
<http://www.oecd.org/about/membersandpartners/>. Chile, Slovenia, Israel
and Estonia have since become members.
[50] See APEC Member Economies
<http://www.apec.org/about-us/about-apec/member-economies.aspx>.

Possibly more influential than APEC in encouraging new privacy laws is
ASEAN, a 10 nation[52] treaty-based organisation which has a policy to improve
its members' data protection by 2015. Singapore, the Philippines, Vietnam
and Malaysia have recently enacted data protection laws, a Bill is before
Cabinet in Thailand and development of Bills is reported to be underway in
ASEAN members Indonesia, Vietnam (for a stronger law), Laos and Brunei.
ASEAN countries had a decade ago made a commitment to adopt electronic
commerce regulatory and legislative frameworks, including to take
measures to promote personal data protection and consumer privacy.[53]
At the 21st ASEAN Summit on 18 November 2012, the ASEAN heads of state
adopted the ASEAN Human Rights Declaration,[54] Article 21 of which states:
    Every person has the right to be free from arbitrary interference
    with his or her privacy, family, home or correspondence
    including personal data, or to attacks upon that person's honour
    and reputation. Every person has the right to the protection of
    the law against such interference or attacks.
Although based on the terminology of the Universal Declaration of Human
Rights, the specific references to personal data and the right to legal
protection increase the internal incentives to all ASEAN members, from both
within ASEAN and within each country, to enact data privacy laws.
However, the Declaration has come under savage criticism and outright
rejection[55] from a coalition of fifty-five global and regional human rights
organisations.[56] Among the criticisms are that [i]n many of its articles, the
enjoyment of rights is made subject to national laws, instead of requiring that
the laws be consistent with the rights; it fails to include several key basic
rights and fundamental freedoms, including the right to freedom of
association and the right to be free from enforced disappearance; and that the
rights it states are of a lower standard than those in equivalent declarations in
Europe, Africa or the Americas. Consequently, the civil society organisations
state that they will not invoke it in their work except to condemn it as an
anti-human rights instrument. The UN High Commissioner for Human Rights
considered that the Declaration retains language that is not consistent with
international standards.[57] It is clear that both the Declaration, and the body
which helped develop it, the ASEAN Intergovernmental Commission on
Human Rights (AICHR)[58] established in 2009, have not yet established
credibility.

[51] In addition to India, Mongolia, Pakistan, Laos, Bangladesh, Costa Rica, Colombia,
Panama and Ecuador are among a dozen countries seeking membership in APEC
by 2008: See
<http://en.wikipedia.org/wiki/Asia-Pacific_Economic_Cooperation#Member_Economies>.
In refusing India's application for membership, APEC decided not to admit more
members until 2010, but this has not changed since.
[52] ASEAN Member States: Brunei Darussalam, Cambodia, Indonesia, Lao PDR,
Malaysia, Myanmar, the Philippines, Singapore, Thailand, and Viet Nam. Timor
Leste is a candidate member.
[53] Clause 5(e) E-ASEAN Framework Agreement, (24 November 2000)
<http://www.asean.org/news/item/e-asean-framework-agreement>.
[54] ASEAN Human Rights Declaration, (18 December 2012)
<http://www.asean.org/news/asean-statement-communiques/item/asean-human-rights-declaration>.

Macao SAR, Nepal and India are the only Asian countries which are not
APEC members but do have a data privacy law. The SAARC, of which both
India and Nepal are members, does not have any policies concerning data
protection laws or e-commerce harmonisation, and is not a significant
influence in this area.
In Africa, the strongest developments have been from the ECOWAS, a
grouping of fifteen states[59] where French, Portuguese and English are
variously spoken. Under the Revised Treaty of the ECOWAS they agreed in
2008 to adopt data privacy laws. A Supplementary Act on Personal Data
Protection within ECOWAS to the ECOWAS Treaty, adopted by the ECOWAS
member states, establishes the content required of a data privacy law in each
ECOWAS member state, including the composition of a data protection
authority. All requirements are influenced very strongly by the EU data

[55] Human Rights Watch, Civil Society Denounces Adoption of Flawed ASEAN
Human Rights Declaration (19 November 2012)
<http://www.hrw.org/print/news/2012/11/19/civil-society-denounces-adoption-flawed-asean-human-rights-declaration>.
[56] Coordinated by Human Rights Watch and including among the international
organisations the International Commission of Jurists and Article 19.
[57] UN News Centre, UN official welcomes ASEAN commitment to human rights,
but concerned over declaration wording (19 November 2012)
<http://www.un.org/apps/news/story.asp?NewsID=43536#.UgiIOVP9ogI>.
[58] ASEAN Intergovernmental Commission on Human Rights website
<http://aichr.org/>.
[59] ECOWAS Member States: Benin, Burkina Faso, Cape Verde, the Ivory Coast,
Gambia, Ghana, Guinea, Guinea Bissau, Liberia, Mali, Niger, Nigeria, Senegal,
Sierra Leone and Togo.

protection Directive. Five ECOWAS states have so enacted laws (Benin,
Burkina Faso, Cape Verde, Senegal and Ghana), and Bills are under
elaboration or consideration in Nigeria, Niger, Ivory Coast and Mali, leaving
only six yet to take any action. In some other ECOWAS member states the
Supplementary Act, as an additional protocol to a treaty, may be legally
binding in creating substantive rights in countries where treaties have direct
effect and do not require local enactment. This appears to be the case in Niger,
where law is being developed to establish a DPA, to complement the
ECOWAS treaty on data protection, which was published in the official
journal in 2013.
Less advanced as yet, the East African Community (EAC), a regional group of
five East African countries (Kenya, Tanzania, Uganda, Rwanda and
Burundi),[60] where English and French are variously spoken, has taken
initiatives that encourage the member states to adopt data privacy legislation.
Such initiatives include the current discussion of a Draft Bill of Rights for the
East African Community[61] which, unlike the African Charter on Human and
Peoples' Rights, incorporates the right to privacy. It also includes a right of
legal enforcement culminating in a right of appeal to the East African Court of
Justice. Also, although not binding, the EAC has adopted the EAC Framework
for Cyberlaws Phases I and II in 2008 and 2011 respectively, addressing
multiple cyber law issues including data protection. Kenya and Tanzania are
currently considering draft bills on data protection.
The Southern African Development Community (SADC) encompasses 15
countries[62] in southern and central Africa, and Indian Ocean states, four of
which have data protection laws (Angola, Mauritius, Seychelles and
Zimbabwe), and at least three of which have current Bills (South Africa,
Tanzania and Madagascar). The South African Bill, which has already passed
the lower house, can be expected to have a significant effect on prompting
laws in at least the other SADC countries because of South Africa's role as the
regional economic power.
There has already been work done on SADC-wide data protection laws and
policies,[63] as part of an EU and International Telecommunication Union (ITU)
sponsored harmonisation project relevant to all regions in sub-Saharan Africa
(ie SADC, EAC and ECOWAS) which has also produced a Model-law on

[60] East African Community (2014) <http://www.eac.int/>; Tanzania is a member of
both EAC and SADC.
[61] Draft Bill of Rights for the East African Community, May 2009, Arusha, Tanzania.
[62] SADC Member States: Angola, Botswana, Democratic Republic of Congo, Lesotho,
Madagascar, Malawi, Mauritius, Mozambique, Namibia, Seychelles, South Africa,
Swaziland, Tanzania, Zambia and Zimbabwe; See SADC website
<http://www.sadc.int/>.
[63] P Chetty, Presentation on Regional Assessment of Data Protection Law and Policy
in SADC (Workshop on the SADC Harmonized Legal Framework for Cyber
Security, Gaborone Botswana 27 February-3 March 2012).

data protection in 2012.[64] The African Union has also prepared in 2011 a draft
Cyber Convention,[65] which includes a division on data protection replicating
most of the principles of the ECOWAS Supplementary Act.[66] If it proceeds it
would be of great significance, because the African Union has 54 member
states.
In the Americas, the Organization of American States (OAS), with 35 member
states (including from North and South America, and the Caribbean), has
started work on data protection in recent years. The Inter-American Juridical
Committee adopted several resolutions on this matter, all in an effort to
address the regulation of data protection through potential international
instruments as well as at the level of the legislation of some OAS member
states, and of the processing of personal data by the private sector, and the
General Assembly of the OAS instructed it[67] to prepare a document of
principles of privacy and data protection in the Americas.[68] A set of
Preliminary Principles were published by the Committee in 2011,[69] which,
although brief, included cross-border transfer restrictions based on the same
level of protection in the recipient jurisdiction, the recognition of habeas data
principles, and the existence of an independent supervisory authority. The
OAS General Assembly has also resolved to urge member states (and its
Secretariat) to participate in and support the work of the Latin American
Network of Personal Data Protection (RIPD), to attend the meetings of the
International Conference of data protection authorities, and to continue its
work on data protection by developing a model law.[70] These resolutions are

[64] J-M Van Gyseghem, Model Law on Data Protection, Support for Harmonization of
ICT Policies in Sub-Sahara Africa (HIPSSA), International Telecommunications
Union (ITU), 6 February 2012.
[65] Economic Commission for Africa and African Union Commission, Draft African
Union Convention on the Establishment of a Credible Legal Framework for Cyber Security
in Africa (1 November 2011)
<http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipssa/events/2011/WDOcs/CA_5/Draft%20Convention%20on%20Cyberlegislation%20in%20Africa%20Draft0.pdf>.
[66] A B Makulilo, Protection of Personal Data in sub-Saharan Africa (Doctoral
Dissertation, Bremen, 2012) Part 4.4.1.3: African Union Convention on Cyber
Security 2011.
[67] OAS General Assembly Resolution, Access to Public Information: Strengthening
Democracy, AG/RES. 2514 (XXXIX-O/09) (4 June 2009).
[68] OAS Department of International Law, Data Protection (2012)
<http://www.oas.org/dil/data_protection_oas_work.htm>.
[69] Permanent Council of the Organization of American States, Committee on Juridical
and Political Affairs, Preliminary Principles and Recommendations on Personal Data,
Document presented by the Department of International Law of the Secretariat for
Legal Affairs, OEA/Ser.G CP/CAJP-2921/10 rev. 1 corr. 1 (17 October 2011)
<http://www.oas.org/dil/CP-CAJP-2921-10_rev1_corr1_eng.pdf>.
[70] OAS General Assembly Resolution, Access to Public Information and Protection of
Personal Data, AG/RES. 2811 (XLIII-O/13), (6 June 2013)
<http://www.oas.org/en/sla/dil/docs/AG-RES_2811_XLIII-O-13_eng.pdf>.

included within the more contentious context of development of laws for
access to public sector information.[71]

In the Caribbean, the Caribbean Community (CARICOM) of 15 states and five
associate members[72] is developing an Economic Partnership Agreement (EPA)
with the European Union as part of the 2008 Caribbean Forum of African,
Caribbean and Pacific States (CARIFORUM[73])-EU EPA. Data protection is
covered by the EPA and was one of the topics under discussion at EPA
meetings in 2012.[74] Data protection is also part of the ITU's Caribbean
Harmonization of ICT Policies (HIPCAR) capacity-building project.[75] Five
countries with data protection Bills are CARICOM members or associates,
and four already have data protection laws.
In Latin America, the MERCOSUR common market, formed in 1991, involves
10 countries. It currently consists of Argentina, Brazil, Paraguay, Uruguay
and Venezuela (since 2012). Bolivia is in the process of becoming a full
member, and Chile, Colombia, Ecuador and Peru are associated states. A
working group (SGT) was established in 2002 to discuss integration of
e-commerce and data protection but seems to have had few results. Data
protection is sometimes mentioned as a topic in ongoing negotiations for an
EU-MERCOSUR Free Trade Agreement. In short, MERCOSUR has not yet
proved to be significant in relation to data protection.
5 Data Protection Authorities and their Associations
Most data privacy laws include provision for a DPA, a separate institution
which has some type of responsibility for the data privacy legislation,

[71] See Freedom Info (FOIA advocates), OAS Assembly Defeats Attacks on Rapporteur (14
June 2013)
<http://www.freedominfo.org/2013/06/oas-assembly-defeats-attacks-on-special-rapporteur/>.
[72] CARICOM members: Antigua and Barbuda, Bahamas, Barbados, Belize, Dominica,
Dominican Republic, Grenada, Guyana, Haiti, Jamaica, St Lucia, St Vincent and the
Grenadines, St Kitts and Nevis, Suriname, Trinidad and Tobago; Associate
members: Anguilla; Bermuda; British Virgin Islands; Cayman Islands; Turks and
Caicos Islands: See
<http://www.caricom.org/jsp/community/member_states.jsp?menu=community>.
[73] CARIFORUM stands for the Caribbean Forum of African, Caribbean and Pacific
States, and covers the same 15 states as CARICOM.
[74] CARICOM Press Release, CARIFORUM gears up for key EPA meeting (24
September 2012)
<http://www.caricom.org/jsp/pressreleases/press_releases_2012/pres252_12.jsp>.
[75] R Wilson, Privacy and Personal Data Protection Bill Under Review St Kitts &
Nevis Observer (online), 30 April 2013
<http://www.thestkittsnevisobserver.com/2013/04/26/privacy-bill.html>. See
also ITU, The HIPCAR Project
<http://www.itu.int/net/itunews/issues/2011/07/56.aspx>.

involving some enforcement powers, and which are separate from the normal
prosecutorial and judicial systems of the country.
5.1 The prevalence of DPAs
Of the 99 countries with data privacy laws, 85 have DPAs. Fourteen countries
do not have a DPA, in 10 cases because their laws do not provide for any
separate DPA,[76] and in four cases because no DPA has been appointed
although provided for in law.[77] The position of the USA is complex, because
its Federal Trade Commission acts in many respects as a DPA (including as a
member of international associations of DPAs) even though the USA does not
meet the criteria for a data privacy law in the private sector.[78] The Table
includes the name of the DPA if there is one, or 'none' if the law concerned
does not provide for one.
DPAs vary greatly in name (common names are Data Protection Authority,
Privacy Commissioner, and Personal Data Protection Office, or
combinations thereof), functions and degree of independence from other
government authorities. Whether a particular DPA can be classed as
independent is a complex question.[79]

Various global and regional associations of DPAs or other data privacy
enforcement bodies are of increasing significance. This analysis, and the
Table, might not yet reflect fully the diversity of these associations, but does
include most of them. Nor does it yet include the website addresses of the
various DPAs, but there are other sources for those.[80] There are associations of
DPAs globally (two of them), and from the EU, central and eastern Europe,
Latin America, the Asia-Pacific, and the francophone countries, but none from
Africa or the Caribbean as yet. The membership of most of them is incomplete
from their potential pool of members, with considerable overlaps but
surprising omissions, as the Table shows.

[76] Countries without DPAs in their laws: Angola, Armenia, Chile, the Kyrgyz
Republic, India, Japan, Paraguay, St Vincent & Grenadines, Taiwan, and Vietnam.
[77] Countries that have failed to appoint DPAs: Azerbaijan, Seychelles, Cape Verde
and Malaysia. The Philippines law is too recent to be included yet.
[78] The Federal Trade Commission is accredited to the ICDPPC (international data
protection authorities conference), and has enforcement powers for only some data
privacy rules over only some parts of the US private sector, but not over the US
federal public sector, where the USA has a federal data privacy law.
[79] G Greenleaf, Independence of Data Privacy Authorities: International Standards
and Asia-Pacific Experience (2012) 28(1&2) Computer Law & Security Review.
[80] For example, the dataprotection.eu site at
<http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.DPAuthorities>.

5.2 Associations of DPAs - Global
The International Conference of Data Protection and Privacy Commissioners
(ICDPPC) is the grouping of data protection authorities of broadest scope and
greatest longevity, having held an annual conference for 35 years. As Raab
points out, 'conference' is used not only to describe their annual meeting, but
as a collective noun.[81] It has accreditation standards which govern which
authorities can attend its closed meetings and vote on resolutions, originally
quite strict but simplified and possibly weakened in 2010.[82] The ICDPPC
members adopt joint policy resolutions, and their annual conference is open
to all attendees (except for closed sessions) and has become the leading global
data protection conference.
Of the 85 countries which have data protection authorities appointed under
their data privacy laws, only 59 national DPAs are accredited to ICDPPC (as
shown in the Table). The ICDPPC therefore only has 70 per cent of national
data protection authorities as its members. After 35 years, this is far from
global coverage. It is particularly weak in its lack of members from the
Caribbean, but otherwise the gaps in membership are from all regions.
However, the ICDPPC's membership also includes 33 sub-national (state,
provincial etc) data protection authorities from Australia, Canada, Germany,
Mexico, Spain and Switzerland, a high percentage of such authorities as exist.
There are other sub-national DPAs, such as those in Mexico and Argentina.
Some are also members of the Global Privacy Enforcement Network (GPEN),
Asia Pacific Privacy Authorities (APPA) and other associations of DPAs. The
ICDPPC therefore has a total membership of 92, plus the European Data
Protection Supervisor.
GPEN originated in a 2007 OECD Recommendation on Cross-border Cooperation
in the Enforcement of Laws Protecting Privacy[83] calling for the establishment of
an informal network of privacy enforcement authorities. GPEN membership
is open to any public privacy enforcement authority that: (1) is responsible
for enforcing laws or regulations the enforcement of which has the effect of
protecting personal data; and (2) has powers to conduct investigations or
pursue enforcement proceedings.[84] GPEN has members from 26 jurisdictions,

[81] For a history of ICDPPC, see C Raab, Networks for Regulation: Privacy
Commissioners in a Changing World (2011) 13(2) Journal of Comparative Policy
Analysis: Research and Practice 195.
[82] Greenleaf, above n 79, section 3.7.
[83] OECD, Recommendation on Cross-border Co-operation in the Enforcement of
Laws Protecting Privacy
<http://www.oecd.org/document/60/0,3343,en_2649_34255_38771516_1_1_1_1,00.html>.
[84] GPEN Action Plan (Action Plan for the Global Privacy Enforcement Network
(GPEN)) adopted 15 June 2012; Part E amended 22 January 2013 at
<https://www.privacyenforcement.net/public/activities>.

all of which have data privacy laws of one form or other, and most but not all
of which are OECD members. There are four other members not included in
the country Table, the European Data Protection Supervisor (a supra-national
body), two Australian state DPAs (from Victoria and Queensland), and a
German state DPA (Berlin).
Competition may develop between these two global networks of DPAs, and
they could develop diverging memberships, but the operation of GPEN is as
yet too recent for these matters to be clear.
5.3 Associations of DPAs - Regional and sub-global
At the sub-global level, the European Union's Article 29 Working Party is the
most influential organisation of DPAs, both because it has a formal role under
the European data protection Directive and because of the quality and
diversity of its Opinions on data privacy issues. Its membership is
co-extensive with that of the EU, but is separately reflected in the Table. It may
increasingly have a rival for influence in the Council of Europe data
protection Convention 108, Consultative Committee (to be re-named
Convention Committee), as an outcome of the Convention's modernisation
process.[85] However, this is technically not a committee of data protection
authorities, it is one of the representatives of state parties to the Convention,
although nearly half of the state representatives are DPAs.
A larger and also influential body is the (Conference of) European Data
Protection Authorities (EDPA) which holds a Spring Conference almost
every year. Resolutions are usually passed,[86] and on Raab's analysis are
significant to the development of data protection policies in Europe.[87]
According to one of its member DPAs,

[o]ne of the most important tasks of the European Data
Protection Authorities consists in advising the authorities
involved in legislative matters on data protection issues, by
pointing out the risks that legislative initiatives might entail and
by proposing alternatives which would be more respectful of
individuals' rights with regard to the processing of their personal
data.[88]


[85] Greenleaf, above n 47.
[86] Resolutions since 2004 are listed on the European Data Protection Supervisor
website, European Conference page
<http://www.edps.europa.eu/EDPSWEB/edps/Cooperation/Eurconference>.
[87] C Raab, Information Privacy: Networks of Regulation at the Subglobal Level
(October 2010) 1(3) Global Policy 291.
[88] Office of the Information and Data Protection Commissioner, Malta,
<http://idpc.gov.mt/article.aspx?art=163>.

EDPA has quite strict accreditation rules, requiring its members to operate
under a law of a state implementing either Council of Europe Convention 108
or the EU data protection Directive, and having independence and
appropriate functions and powers.[89] In 2013, for example, Kosovo's DPA was
refused membership because Kosovo was not a member state of either the
European Union or the Council of Europe, so it was made a permanent
observer instead.[90] Andorra's DPA is also a permanent observer. Although in
theory all member states of the Council of Europe which do have DPAs
should be eligible to be accredited to the EDPA, four are not yet accredited.[91]
Two Council of Europe member states have not been accredited because they
do not have DPAs (Armenia and Azerbaijan). Turkey is excluded because it
does not yet have a data protection law. San Marino has a law but has not
signed Convention 108, nor joined any association of DPAs. Twelve
sub-national DPAs in Europe from Germany, Spain and Switzerland are also
accredited to EDPA, as are four supra-national authorities at EU level. EDPA
therefore has a high level of coverage of European DPAs.
The next largest DPA network in Europe is the Central and Eastern Europe
Data Protection Authorities (CEEDPA) which has 18 members, most recently
including Russia but not yet Georgia. The Baltic states and Slovenia are not
members. Membership overlaps with the Article 29 Working Party, but many
CEEDPA members are from countries which are not yet EU member states. It
held its 15th annual meeting in 2012. It is active in mutual support activities
and developing policy positions such as approval of reforms of European
data protection instruments.[92] CEEDPA states have a common concern as
ex-communist states dealing with historical surveillance files of personal data,
and in some cases with uncertain democratic institutions. The Western
European states have less need for a separate association of DPAs, because
only a few of them are not EU member states.
There is also an association of Nordic Data Protection Authorities (NDPA)
(Sweden, Norway, Denmark and Finland) which meets every two years. It

[89] Conference of European Data Protection Authorities, Report of the Accreditation
Committee, Lisbon, 16-17 May 2013
<http://www.tietosuoja.fi/uploads/xpit2ond8o6_1.pdf>.
[90] Ibid.
[91] Portuguese National Data Protection Commission, Spring Conference - European
authorities accredited as members Lisbon 2013. DPAs not listed as accredited to
EDPA are Georgia's DPA; Monaco's Supervisory Commission for Personal
Information; Russia's Federal Service for Supervision of Communications,
Information Technologies and Mass Media; and Ukraine's State Service on
Personal Data Protection.
[92] See CEEDPA, News and Events page
<http://www.ceecprivacy.org/main.php?s=5>.

sometimes acts in concert, as it did in 2011, in sending 45 questions to
Facebook concerning its practices.[93]

The operation of other sub-global networks of data protection authorities is
less well known, but has been well-documented by Raab.[94] It is not accurate to
call them regional networks, because some are based on language, some on
geography, and some a mix between the two.
The British, Irish and Islands Data Protection Authorities (BIIDPA), an
Anglophone grouping within Europe, usually meets annually. As Raab
describes it, '[l]ess formal connections exist in another, and apparently looser,
network that links the DPAs for the United Kingdom, the Republic of Ireland,
the Isle of Man (IOM), Jersey and Guernsey, with further connections to
Malta, Cyprus and Gibraltar.' He considers that these meetings help the
Crown Dependency authorities, who do not sit on WP29, to keep abreast of
current issues discussed there.[95]

The Association of Francophone Data Protection Authorities (AFAPDP) is an
active organisation which is influential in francophone countries which have
not yet adopted data protection laws. It classifies 41 of the 77 members and
observers of the International Organisation of the Francophonie (OIF) as
having a data protection law. Of those 41, only 18 are members of AFAPDP,
including two Canadian provinces.[96] Only those member countries with
DPAs are allowed to vote on issues or for election of positions. Some states
intending to develop data protection laws are also members of the association
but with no voting rights. In 2009, AFAPDP recommended an initiative for a
binding global data protection instrument. AFAPDP aims to develop other
policy positions and further agreements.[97] The summit of the Heads of States
and governments of the francophone countries has encouraged adoption of
comprehensive data protection laws and DPAs in 2004 and 2006.
The membership of La Red Iberoamericana de Protección de Datos, also
called the Red Iberoamericana or Latin American Network (RIPD or
RedIPD),[98] consists of all the Latin American countries, plus Spain and

[93] Norwegian Data Inspectorate, What happens with personal information in
Facebook?, July 2011.
[94] Raab, above n 87; and Raab, above n 81.
[95] Raab, above n 87, 296.
[96] One reason is that many of the non-participating DPAs are from European
countries which do not have staff speaking French, while all the eligible
non-European countries with data privacy laws (and some with Bills) are members.
[97] For example, there has been work as yet incomplete on a framework for
international data transfers between French-speaking countries, using an approach
related to Binding Corporate Rules (BCRs).
[98] RedIPD website, list of members
<http://www.redipd.org/la_red/Miembros/index-iden-idphp.php>.

Portugal. It does not include the other Spanish or Portuguese-speaking
countries outside Latin America. It includes in its membership all countries
within its community that wish to be a member, irrespective of whether they
have yet adopted data privacy laws or have DPAs, so it does not have
accreditation requirements equivalent to the ICDPPC or APPA. Its annual
conferences pass resolutions concerning data protection, encouraging and
assisting other Latin American countries that do not yet have data protection
agreements to enact them, and to include independent DPAs.[99]

APPA, a forum of national and sub-national DPAs, originally only allowed
as members those authorities that have been accredited to the International
Data Protection Commissioners Conference,[100] so the Macao DPA was only
an observer at its meetings due to its incomplete legislative basis. APPA has
now relaxed its standards somewhat.[101] It now has 16 members from
Australia (federal and four states/territories), Canada (federal and British
Columbia), Hong Kong SAR, South Korea (two authorities), Macau SAR,
Mexico, Colombia, Peru, New Zealand and the USA. Neither Japan nor
Taiwan are members due to (at least) lack of a DPA. Singapore will probably
join soon, but it is questionable whether Malaysia will have a DPA to qualify,
and the Philippines DPA has not been appointed yet. It meets twice per year
and has had a primary function of sharing experiences, but has also
developed valuable standards on reporting and citing privacy decisions.
APPA is expanding its membership (particularly in Latin America) and
functions and will probably be more significant in future. It has a
considerable and increasing personnel overlap with the APEC data privacy
Sub-group, though that is technically a grouping of countries ('economies' in
APEC-speak) whereas APPA is a grouping of DPAs.
There is also a framework for regional cooperation called the APEC
Cross-border Privacy Enforcement Arrangement (CPEA) in which '[a]ny Privacy
Enforcement Authority (PE Authority) in an APEC economy may participate
in cross-border co-operation, enforcement and information sharing.'[102] It has
as members data protection authorities from only six of the 17 APEC
economies which have data privacy laws (Australia, NZ, USA, Canada, Hong
Kong and Mexico), plus government departments from Korea (but not their
independent DPAs) and Japan. The separate membership of 15 Japanese
government agencies indicates the lack of much central coordination in their
[99] Raab, above n 87, 297-8.
[100] Ibid 296-7.
[101] Members can be accredited to the International Conference of Data Protection and
Privacy Commissioners (ICDPPC); or a participant in the APEC Cross-border
Privacy Enforcement Arrangement (CPEA); or a member of the OECD Global
Privacy Enforcement Network (GPEN): See APPA website
<http://www.appaforum.org/about/>.
[102] APEC CPEA website
<http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx>.

law. APEC CPEA therefore has membership from relatively few APEC
countries.
Although three Caribbean countries now have data protection authorities,
they do not have any regional organisation as yet, and nor are they members
of ICDPPC or GPEN. There is also no pan-African association of DPAs,
despite there now being eight DPAs in African countries, although only some
operating in practice. Active regional associations of DPAs seem to be an
indicator of maturity of data protection regulation in a region, partly because
of the mutual support they provide for each other.
6 The Future Global Trajectory of Data Privacy Laws
This article and the following Tables don't constitute 'big data', but at least
they are more data about global trends in enactment of data privacy laws, and
the interlocking memberships of associations of DPAs, than was previously
available. Now that we have this more accurate picture, further research
becomes possible. It has already made possible an assessment of the influence
of European privacy standards on legislative developments outside Europe.[103]
Further research is required on such questions as the implications of the
increasingly interlocking data export restrictions in this legislation;[104] on the
effectiveness of the enforcement regimes in various countries; on the extent of
judicial interpretation of these laws, and on other comparative aspects of data
privacy laws. All of this requires an accurate account of the incidence, growth
and distribution of the world's data privacy laws.
Some conclusions seem apparent from the data. The expansion of data
privacy laws embodying at least a minimum set of OECD/CoE data
protection principles continues to accelerate after 40 years. By the 50th
anniversary in 2023 of the first such Act in Sweden we can expect that there
will be global saturation of data privacy laws, in the sense that about 70 per
cent of all independent jurisdictions will have such laws, including almost all
of the economically significant countries on the globe (with the USA probably
the only significant exception). The majority of countries globally will have
such laws within another year or two, and there will be more non-European
countries than European countries with data privacy laws from that point
onward. A large portion of these countries will have laws influenced strongly
by European standards similar to those of the current EU privacy Directive,
including its data export restrictions. The globalisation of Council of Europe
Convention 108 is increasing its reach and influence, and is likely to compete
with APEC's as-yet-inchoate CBPR process for influence outside Europe.
These widely dispersed laws and expanding international agreements build
up a considerable global legal inertia which it will be difficult to reverse or

[103] Greenleaf, above n 42.
[104] See for a recent analysis C Kuner, Transborder Data Flows and Data Privacy Law,
(Oxford University Press, May 2013).

(eventually) to ignore. Associations of data protection authorities are also
likely to increase in importance as venues for contesting influence. These are
geo-political facts of considerable significance. There may come a time when
the development of technologies and business practices inimical to data
privacy will be confronted by these embedded and expanding legal
developments more directly than is currently the case.
6.1 Is there now a trajectory?

In 2006, Bennett and Raab, in what is still the most systematic global review of
data privacy regulation, presented their main research question as whether
there was a race to the bottom, a race to the top, or something else, in the
global development of data privacy protection.[105] They correctly caution that
the existence and formal strength of a data privacy law is only one factor by
which we should measure data privacy protection in a country, and two other
key dimensions are the effectiveness of enforcement and the extent of
surveillance. Therefore, globally, there is more than one race to the top or
bottom. They noted that, in relation to legislation, the main conditions
proposed by globalisation theories of regulation for a race to the bottom
(data mobility and wide national divergences in laws) were present in the
case of data protection legislation.[106] Nevertheless, they found that there is
clearly no race to the bottom, but nor did they find clear evidence of a race to
the top, or global ratcheting up of privacy standards. In particular, they
considered that the general suspicion that the APEC Privacy Principles are
intended as an alternative, and a weaker, global standard than the EU (which
suspicion was shared by the author) means that they may serve to slow and
even reverse the otherwise halting and meandering walk to higher
standards which the EU Directive had inspired.[107] They concluded that the
most plausible future scenario (which I have described as the Bennett-Raab
thesis[108]) was an incoherent and fragmented patchwork, a more chaotic
future of periodic and unpredictable victories for the privacy value.[109] So they
found some upward global trajectory influenced significantly by the EU
Directive, but sufficiently weak in the mid-2000s that the countervailing
weakness of the APEC approach was enough to make the future quite
unpredictable.
The position in 2013 is very different. Their thesis may have been in part
based on an under-estimate of the number of data privacy laws outside
Europe before 2006 (18, not 12), but even if this is not so, events have
overtaken it. Now there are almost as many laws outside Europe (44) as there
are within Europe (52), and the rate of increase outside Europe is still
accelerating. At some point the growth curve of the number of laws may
flatten, but there is no sign of that as yet. Bennett and Raab saw APEC as
slowing the growth of EU-like privacy laws, but that has been shown not to
be occurring, with laws outside Europe showing a very high correlation with
European principles, and little sign of this diminishing in new laws.[110] They
did not sufficiently recognise this aspect of consistency in global data privacy
laws, which removes some of the incoherence they claimed exists, though
this consistency was not as apparent back in 2006.

[105] Bennett and Raab, above n 11, xv.
[106] Ibid 276.
[107] Ibid 283.
[108] G Greenleaf, above n 2.
[109] Bennett and Raab, above n 11, 295.

Furthermore, the number of European-like data privacy laws outside and
inside Europe (only half within the EU) is not only evidence of the
momentum of these developments, but also that the sheer inertia provided by
a hundred or more countries with data privacy laws is a global fact of life
which it will be difficult for anyone to reverse, including the USA. It is
possible that APEC's Cross-Border Privacy Rules (CBPR), although still not
operative, might become an influence, but both a revised EU Directive (as a
Regulation) and a revitalised Council of Europe Convention (through
globalisation which has started, and modernisation which is well
underway) are likely to prove to be attractive forces that APEC CBPR will
find difficult to match. Seven years after Bennett and Raab wrote, there is now
much clearer evidence of upward global trajectory than they found,
provided we keep clear that we are only talking about the existence and
formal strength of data privacy laws, not the other factors.
6.2 American exceptionalism and increasing isolation
The USA has many privacy laws in both its private and public sectors and
some effective enforcement, but no comprehensive privacy law in the private
sector, nor it seems much prospect of one despite the Obama
Administration's Consumer Privacy Bill of Rights initiative.[111] Even though
the US has many laws, they rarely meet the requirements set out in this article
for a data privacy law, particularly the finality requirements limiting use
and disclosure, and often not the requirements for limits on data collection.
This is not surprising, because US corporations are the world's leading
commercial exploiters of personal data. That's why the history and geography
of data protection laws set out in this article is important. US corporations and
the US government have been able to use their economic and political power
to use personal data as they wish until now with very few adverse
consequences. Developments such as cloud computing, social networking
and big data analytics seem conducive to that continuing. But the
international legal environment for their continuing to do so is slowly
becoming more hostile and complex to navigate, as more and more countries
adopt or strengthen data privacy laws. Which approach will win remains to
be seen, but the game is not over yet.

[110] Greenleaf, above n 42.
[111] Greenleaf and Waters, above n 30.

6.3 And what about that 101st law?
Dear reader, I hear you say that 99 is not 100, let alone 101, so you have been
enticed to read to the end of a long and dreary article on a false promise,
about which you have a mind to inform the Federal Trade Commission. But
we know there are many data privacy Bills lingering around the world's
legislatures waiting to be enacted, and there may be others of which we are
unaware. There are still some public sector RTI/FOI laws in languages other
than English where more detailed inspection could reveal a hidden data
privacy law. Perhaps there is even another country or independent
jurisdiction that has quietly passed a comprehensive law that no-one has
noticed. Sheherezade needs to brush up her linguistic skills (often just a
refresher course), and to ask the genie in the Internet to search for unknown
laws from even further-away lands. Or perhaps she just needs to read
tomorrow's news. But she promises to come back very soon to finish the story

Postscript
1 September 2013
A few weeks passed, and the genie in the Internet[112] did deliver the awaited
news of the 100th law, and wouldn't you know it was from a very
surprising place almost under Sheherezade's nose, the dismal dictatorship of
Kazakhstan.[113] However, the law did meet all of the formal requirements of a
data privacy law, and so had to be counted,[114] which goes to illustrate that a
law on the books is not to be confused with effective privacy protection.
The 101st law arrived soon thereafter, from a more expected and significant
direction, when both houses of South Africa's Parliament passed its
long-anticipated Protection of Personal Information Bill, which now awaits signature
by President Zuma.[115]

[112] In this case, and the 101st, the genie in question was David Banisar of Article 19, to
whom thanks.
[113] Law on personal data and their protection, 21 May 2013, in effect from 26
November 2013.
[114] G Greenleaf, Kazakhstan enacts Central Asia's second data privacy law (August
2013) (issue 124) Privacy Laws & Business International Report 23-24.
[115] Parliament of South Africa, Press Release Protection of Personal Information Bill
Approved 22 August 2013 <http://www.parliament.gov.za/live/content-mobi.php?C_Item_ID=3919&Item_ID=3534>.

Global Table of Countries with Data Privacy Laws
(as known at 1 June 2013)

Jurisdiction | Key Act | From [1] | Latest [2] | Region [3] | Sec [4] | EU [5] | CoE [6] | Other Int. [7] | DPA [8] | DPAA [9]
Albania | Act on the Protection of Personal Data | 1999 | 1999 | Europe (O) | Both | [I] | RC; RP | | Office for Personal Data Protection | ICDPPC; EDPA; AFAPDP
Andorra | Law on the protection of personal data | 2003 | 2003 | Europe (O) | Both | A | RC; RP | | Data Protection Agency | ICDPPC; EDPA (O); RedIPD; AFAPDP
Angola | Lei da Protecção de Dados Pessoais | 2011 | 2011 | Africa | Both | | | SADC | None (Agência da Protecção de Dados not yet established) |
Argentina | Personal Data Protection Act | 2000 | 2000 | Latin Am | Both | A | | | National Direction for Personal Data Protection | ICDPPC; RedIPD
Armenia | Law on Personal Data | 2002 | | Europe (O) | Both | [I] | RC; RP | | None |

[1] From column: Year = date original data privacy law enacted, for either private or public sector; might not be date of
current law.
[2] Latest column: Year = date of last significant amendment known; NYIF = not yet in force; NIFU = not in force until
year stated, where bringing into force is delayed over one year.
[3] Region column: Europe (EU) = current European Union member states; Europe (O) = other European states
(including EEA); others are self-explanatory.
[4] Sector column: Pri = covers private sector only; Pub = covers public sector only; blank = covers both sectors.
[5] European Union column: M = country is an EU member state; AQ = country's protection of personal data has been
held adequate by the EU; [A] = Favourable Article 29 Working Party opinion on adequacy, but no final decision
announced; EEA = country is a member of the European Economic Area; [I] = Adequacy finding is in practice
irrelevant due to country acceding to both Council of Europe Convention 108 and Additional Protocol.
[6] Council of Europe column: (Member means Member State of the Council of Europe) RC = Member and has ratified
the Convention; RC* = United Kingdom has ratified Convention on behalf of sub-jurisdiction; SC = Member and has
signed but not ratified Convention; RP = has also ratified the optional protocol; SP = Member and has signed but not
ratified Additional Protocol; NS = Member but has not signed Convention; [IA] = not a Member but has been invited
to accede to the Convention; AC = not a Member but has acceded to the Convention.
[7] Other international commitments column: APEC = economy is a member of APEC (Asia Pacific Economic
Cooperation); OECD = country is a member of OECD; ASEAN = country is a member of Association of South East
Asian Nations; ECOWAS = country is a member of Economic Community of West African States; EAC = country is a
member of the East African Community; SADC = country is a member of the Southern African Development
Community; CARICOM = country is a member of the Caribbean Community (add (Assoc) for Associate members).
[8] DPA column: None = no specialised data protection authority (plus name of authority if enacted but not yet
appointed one year after enactment).
[9] DPAA column: (inclusion = DPA is a member of the named association of data protection authorities; except O =
Observer status only): ICDPPC = International Conference of Data Protection and Privacy Commissioners; A29WP =
EU Article 29 Working Party; GPEN = Global Privacy Enforcement Network; AFAPDP = Association of Francophone
Data Protection Authorities; APPA = Asia-Pacific Privacy Authorities; RedIPD = Latin American Network; CEEDPA
= Central and Eastern Europe Data Protection Authorities; NDPA = Nordic Data Protection Authorities; EDPA =
European Data Protection Authorities; BIIDPA = British, Irish and Islands Data Protection Authorities; APEC CPEA
= APEC Cross-border Privacy Enforcement Arrangement.

Australia | Privacy Act 1988 | 1988 | 2001 | Australasia | Both | | | APEC; OECD | Information Commissioner | ICDPPC; APPA; GPEN; APEC CPEA
Austria | Datenschutzgesetz | 1978 | 2009 | Europe (EU) | Both | M | RC; RP | OECD | Data Protection Commissioner | ICDPPC; EDPA; A29WP
Azerbaijan | Law on personal data 2010 (replaces 1998 Act) | 1998 | 2010 | Europe (O) | Both | | RC | | None (Ministry of Communications and Information Technologies administers Register) |
Bahamas | Data Protection (Privacy of Information) Act | 2003 | 2003 | Caribbean | Both | | | CARICOM | Data Protection Commissioner |
Belgium | Law on Privacy Protection in relation to the Processing of Personal Data | 1992 | 2011 | Europe (EU) | Both | M | RC; SP | OECD | Privacy Commission | ICDPPC; EDPA; A29WP; GPEN; AFAPDP
Benin | Loi Portant Protection des données à Caractère Personnel | 2009 | 2009 | Africa | Both | | | ECOWAS | Commission nationale de l'informatique et des libertés | AFAPDP
Bosnia & Herzegovina | Law on the protection of personal data | 2001 | 2001 | Europe (O) | Both | [I] | RC; RP | | Personal Data Protection Agency | ICDPPC; EDPA; CEEDPA
Bulgaria | Law for Protection of Personal Data | 2002 | 2007 | Europe (EU) | Both | M | RC; RP | | Commission for Personal Data Protection | ICDPPC; EDPA; A29WP; CEEDPA; GPEN
Burkina Faso | Loi Portant Protection des Données à Caractère Personnel | 2004 | 2004 | Africa | Both | | | ECOWAS | Commission for Informatics and Liberties | ICDPPC; AFAPDP
Canada | Personal Information Protection and Electronic Documents Act | 1983 (prior Act) | 2002 | North Am | Both | AQ | | APEC; OECD | Privacy Commissioner | ICDPPC; APPA; GPEN; APEC CPEA; AFAPDP
Cape Verde | Regime Jurídico Geral de Protecção de Dados Pessoais a Pessoas Singulares | 2001 | 2001 | Africa | Both | | | ECOWAS | None (Parliamentary Commission for the Monitoring of Personal Data not yet appointed) |
Chile | Privacy Law | 1999 | 1999 | Latin Am | Both | | | APEC; OECD | None |
Colombia | Data Protection Law | 2008 | 2012 | Latin Am | Both | | | | Superintendence of Industry and Commerce | ICDPPC; RedIPD; APPA
Costa Rica | Protección de la Persona frente al tratamiento de sus datos personales | 2011 | 2011 | Latin Am | Both | | | | Agency for the Protection of Personal Data of Inhabitants | ICDPPC; RedIPD
Croatia | Act on Personal Data Protection | 2003 | 2003 | Europe (EU) | Both | M | RC; RP | | Data Protection Agency | ICDPPC; EDPA; A29WP; CEEDPA
Cyprus | The Processing of Personal Data (Protection of the Individual) Law | 2001 | 2003 | Europe (EU) | Both | M | RC; RP | | Personal Data Protection Commissioner | ICDPPC; EDPA; A29WP; BIIDPA
Czech Republic | Personal Data Protection Act | 1992 | 2000 | Europe (EU) | Both | M | RC; RP | OECD; GPEN | Office for Personal Data | ICDPPC; EDPA; A29WP; CEEDPA; AFAPDP
Denmark | Act on Processing of Personal Data | 1978 | 2000 | Europe (EU) | Both | M | RC; SP | OECD | Data Protection Agency | ICDPPC; EDPA; A29WP; NDPA
Dubai IFC | Data Protection Law (IFC = International Financial Centre) | 2007 | | N.Af/M.East | Pri | | | | Commissioner of Data Protection |
Estonia | Data Protection Act | 2003 | 2003 | Europe (EU) | Both | M | RC; RP | OECD | Data Protection Inspectorate | ICDPPC; EDPA; A29WP; GPEN
Faroe Islands | Act on processing of personal data | 2010 | 2010 | Europe (O) | Both | A | | | Data Protection Agency |
Finland | Personal Data Act | 1987 | 2000 | Europe (EU) | Both | M | RC; RP | OECD | Data Protection Ombudsman | ICDPPC; EDPA; A29WP; NDPA
France | Law relating to the protection of individuals against the processing of personal data | 1978 | 2004 | Europe (EU) | Both | M | RC; RP | OECD | National Commission for Informatics and Liberties | ICDPPC; EDPA; A29WP; GPEN; AFAPDP
Gabon | Law related to personal data | 2011 | 2011 | Africa | Both | | | | Commissariat à la protection des données personnelles | AFAPDP
Georgia | Law on Personal Data Protection | 2012 | | Europe (O) | Both | | RC; SP | | Data Protection Commissioner |
Germany | Federal Data Protection Act | 1977 | 2009 | Europe (EU) | Both | M | RC; RP | OECD | Federal Data Protection Commission | ICDPPC; EDPA; A29WP; GPEN
Ghana | Data Protection Act | 2012 | | Africa | Both | | | ECOWAS | Commission on Human Rights and Administrative Justice |
Gibraltar | Data Protection Act | 2004 | 2004 | Europe (O) | Both | | | | Data Protection Commissioner | BIIDPA
Greece | Law on the Protection of individuals with regard to the processing of personal data | 1997 | 1997 | Europe (EU) | Both | M | RC; SP | OECD | Data Protection Authority | ICDPPC; EDPA; A29WP; AFAPDP
Greenland | (Danish) Public and Private Registers Acts | 1979 | 1979 | Europe (O) | Both | | | | [(Danish) Data Protection Agency (Registertilsynet)] |
Guernsey | Data Protection (Bailiwick of Guernsey) Law | 1986 | 2001 | Europe (O) | Both | AQ | RC* | GPEN | Data Protection Commissioner | BIIDPA; EDPA
Hong Kong SAR | Personal Data (Privacy) Ordinance | 1995 | 1995 | Asia | Both | | | APEC | Privacy Commissioner for Personal Data | ICDPPC; APPA; APEC CPEA
Hungary | Act on Informational Self-Determination and Freedom of Information | 1992 | 1992 | Europe (EU) | Both | M | RC; RP | OECD | National Authority for Data Protection and Freedom of Information | ICDPPC; EDPA; A29WP; CEEDPA
Iceland | Law on the Protection and Processing of Personal Data | 1989 | 2000 | Europe (O) | Both | EEA | RC; SP | OECD | Data Protection Agency | ICDPPC; EDPA
India | Rules under s43A (2008 Amendt), Information Technology Act 2000 | 2011 | 2011 | Asia | Pri | | | | None |
Ireland | Data Protection Act | 1988 | 2003 | Europe (EU) | Both | M | RC; RP | OECD | Data Protection Commissioner | ICDPPC; EDPA; A29WP; GPEN; BIIDPA
Isle of Man | Data Protection Act | 1986 | 2002 | Europe (O) | Both | AQ | RC* | | Data Protection Registrar | BIIDPA; EDPA
Israel | Privacy Protection Act 1981 | 1981 | 1981 | N.Af/M.East | Both | AQ | | OECD | Law, Information and Technology Authority | ICDPPC; GPEN
Italy | Consolidation Act regarding the Protection of Personal Data | 1996 | 2003 | Europe (EU) | Both | M | RC; SP | OECD | Data Protection Authority | ICDPPC; EDPA; A29WP; GPEN
Japan | Act on the Protection of Personal Information | 2003 | 2003 | Asia | Both | | | APEC; OECD | None |
Jersey | Data Protection (Jersey) Law | 1987 | 2005 | Europe (O) | Both | AQ | RC* | | Data Protection Registrar | ICDPPC; EDPA; BIIDPA
Kosovo | Law on the Protection of Personal Data | 2010 | 2010 | Europe (O) | Both | | | | National Agency for the Protection of Personal Data | EDPA (O)
Kyrgyz Republic | Law on Personal Data | 2008 | 2008 | Central Asia | Both | | | | None |
Latvia | Law on Protection of Personal Data of Natural Persons | 2000 | 2002 | Europe (EU) | Both | M | RC; RP | | State Data Protection Inspectorate | ICDPPC; EDPA; A29WP; CEEDPA; GPEN
Liechtenstein | Gesetz über die Abänderung des Datenschutzgesetzes (2002) | 2002 | 2008 | Europe (O) | Both | EEA | RC; RP | | Data Protection Commissioner | ICDPPC; EDPA
Lithuania | Law on Legal Protection of Personal Data | 1996 | 2003 | Europe (EU) | Both | M | RC; RP | | State Data Protection Inspectorate | ICDPPC; EDPA; A29WP
Luxembourg | Data Protection Law | 1979 | 2002 | Europe (EU) | Both | M | RC; RP | OECD | National Data Protection Commission | ICDPPC; EDPA; A29WP; AFAPDP
Macao SAR | Personal Data Protection Act | 2006 | 2006 | Asia | Both | | | | Office for Personal Data Protection | APPA; GPEN
Macedonia (FYROM) | Law on Personal Data Protection | 2005 | 2005 | Europe (O) | Both | [I] | RC; RP | | Directorate of Personal Data Protection | ICDPPC; EDPA; CEEDPA
Malaysia | Personal Data Protection Act | 2010 | NIFU 2013 | Asia | Pri | | | APEC; ASEAN | None (Personal Data Protection Commissioner in Act not appointed) |
Malta | Data Protection Act | 2001 | 2001 | Europe (EU) | Both | M | RC | | Data Protection Commissioner | ICDPPC; EDPA; A29WP; BIIDPA
Mauritius | Data Protection Act | 2004 | 2004 | Africa | Both | | | SADC | Commissariat à la protection des données personnelles | AFAPDP
Mexico | Federal Law on the Protection of Personal Data Held by Private Parties | 2010 | 2010 | Latin Am | Both | | | APEC; OECD | Federal Institute for Access to Information and Data Protection | ICDPPC; APPA; GPEN; APEC CPEA; RedIPD
Moldova | Law on Personal Data Protection | 2007 | 2007 | Europe (O) | Both | [I] | RC; RP | | National Center for Personal Data Protection | ICDPPC; EDPA; AFAPDP; CEEDPA
Monaco | Act controlling personal data processing | 1993 | 2001 | Europe (O) | Both | [I] | RC; RP | | Supervisory Commission for Personal Information | AFAPDP
Montenegro | Law on Personal Data Protection | 2008 | 2008 | Europe (O) | Both | [I] | RC; RP | | Agencija za zaštitu ličnih podataka i slobodan pristup informacija | EDPA; CEEDPA
Morocco | Loi relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel | 2009 | 2009 | N.Af/M.East | Both | | (IA) | | National Commission for the Control and the Protection of Personal Data | AFAPDP
Nepal | Right to Information Act | 2007 | 2007 | Asia | Pub | | | | National Information Commission |
Netherlands | Personal Data Protection Act | 1988 | 2000 | Europe (EU) | Both | M | RC; RP | OECD | Data Protection Authority | ICDPPC; EDPA; A29WP; GPEN
New Zealand | Privacy Act 1993 | 1993 | 2010 | Australasia | Both | AQ | | APEC; OECD | Privacy Commissioner | ICDPPC; GPEN; APPA; APEC CPEA
Nicaragua | Law on Protection of Personal Data | 2012 | | Latin Am. | | | | | Directorate for the Protection of Personal Information | RedIPD
Norway | Personal Data Act | 1978 | 2000 | Europe (O) | Both | EEA | RC; SP | OECD | Data Inspectorate | ICDPPC; EDPA; GPEN; NPDA
Paraguay | Law 1682 on Information of a Private Nature | 2002 | | Latin Am | Both | | | | None | RedIPD (o)
Peru | Law on Protection of Personal Data | 2011 | 2011 | Latin Am | Both | | | APEC; US FTA | National Authority for Data Protection | ICDPPC; RedIPD; APPA
Philippines | Data Privacy Act | 2012 | | Asia | | | | APEC; ASEAN | National Privacy Commission |
Poland | Act on the Protection of Personal Data | 1997 | 2004 | Europe (EU) | Both | M | RC; RP | OECD | Inspector General for Personal Data Protection | ICDPPC; EDPA; A29WP; CEEDPA; GPEN
Portugal | Lei da proteção de dados pessoais | 1991 | 1998 | Europe (EU) | Both | M | RC; RP | OECD | National Data Protection Commission | ICDPPC; A29WP; EDPA; RedIPD
Qatar FC | Data Protection Regulations (FC = Financial Centre) | 2005 | 2005 | N.Af/M.East | Pri | | | | QFC Authority |
Romania | Law on the protection of individuals with regard to the processing of personal data etc | 2001 | 2005 | Europe (EU) | Both | M | RC; RP | | National Supervisory Authority for Personal Data Protection | ICDPPC; EDPA; A29WP; CEEDPA
Russia | Federal Law Regarding Personal Data | 2006 | NIFU 2011 | Europe (O) | Both | [I] | RC; SP | APEC | Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor) | CEEDPA
San Marino | Law regulating the Computerized Collection of Personal Data | 1983 | 1995 | Europe (O) | Both | | NS | | Guarantor for the Protection of Confidential and Personal Data |
Senegal | Loi sur la Protection des données à Caractère Personnel | 2008 | 2008 | Africa | Both | | | ECOWAS | Commission des données personnelles | AFAPDP
Serbia | Law on Personal Data Protection | 2008 | 2008 | Europe (O) | Both | [I] | RC; RP | | Commissioner for Information of Public Importance and Personal Data Protection | ICDPPC; EDPA; CEEDPA
Seychelles | Data Protection Act | 2003 NYIF | 2003 | Africa | Both | | | SADC | None (DPA in Act not established) |
Singapore | Personal Data Protection Act | 2012 | | Asia | | | | APEC; ASEAN | Personal Data Protection Commission |
Slovakia | Act on the Protection of Personal Data | 1992 | 2013 | Europe (EU) | Both | M | RC; RP | OECD | Inspection Unit for the Protection of Personal Data | ICDPPC; EDPA; A29WP; CEEDPA
Slovenia | Personal Data Protection Act | 1990 | 2004 | Europe (EU) | Both | M | RC | OECD | Information Commissioner | ICDPPC; EDPA; A29WP; GPEN
South Korea | Data Protection Act | 1994 | 2011 | Asia | Both | | | APEC; OECD | Personal Information Protection Commission & Korea Information Security Agency | ICDPPC; APPA; GPEN; APEC CPEA
Spain | Ley Orgánica de Protección de Datos de Carácter Personal | 1992 | 1999 | Europe (EU) | Both | M | RC; RP | OECD | Data Protection Commissioner | ICDPPC; EDPA; A29WP; GPEN; RedIPD
St Lucia | Data Protection Act 2011 | 2011 | NYIF | Caribbean | Both | | | CARICOM | Data Protection Commissioner |
St Vincent & Grenadines | Privacy Act | 2003 | NYIF | Caribbean | Pub | | | CARICOM | None |
Sweden | Personal Data Act | 1973 | 1998 | Europe (EU) | Both | M | RC; RP | OECD | Data Inspection Board | ICDPPC; EDPA; A29WP; NDPA
Switzerland | Data Protection Act | 1992 | 2006 | Europe (O) | Both | AQ | RC; RP | OECD | Federal Data Protection Commission | ICDPPC; EDPA; GPEN; AFAPDP
Taiwan | Personal Data Protection Act | 1995 | 2010 | Asia | Both | | | APEC | None |
Thailand | Official Information Act 1997 | 1997 | 1997 | Asia | Pub | | | APEC; ASEAN | Official Information Commission |
Trinidad & Tobago | Data Protection Act | 2011 | 2011 | Caribbean | Both | | | CARICOM | Data Protection Commissioner |
Tunisia | Loi portant sur la protection des données à caractère personnel. | 2004 | 2004 | N.Af/M.East | Both | | | | National Authority for the Protection of Personal Data | AFAPDP
Ukraine | Law on Personal Data Protection | 2011 | 2012 | Europe (O) | Both | [I] | RC; RP | | The State Service on Personal Data Protection | CEEDPA; GPEN
United Kingdom | Data Protection Act 1998 | 1984 | 2000 | Europe (EU) | Both | M | RC; SP | OECD | Information Commissioner | ICDPPC; EDPA; A29WP; GPEN; BIIDPA
United States | Privacy Act of 1974 | 1974 | | North Am | Pub | | | OECD; APEC | Federal Trade Commission | ICDPPC; GPEN; APPA; APEC CPEA

* The data in the Tables and article are as at 1 June 2013. Note: Since completion of the
Tables, two more countries have enacted data privacy laws, Kazakhstan and South Africa.
These are not included in the Table of laws, but are noted in the Postscript to the article (1
September 2013).
** These Tables have benefitted from information and advice received from David
Banisar of Article 19 in relation to all countries; from Marie Georges (Planete
Informatique et Liberties, Paris) in relation to French-speaking countries; from
Magda Cocco, Isabel Ornelas and Inês Antas Barros (Vieira de Almeida &
Associados, Lisbon) in relation to Portuguese-speaking countries; Dr Alex Boniface
Makulilo in relation to African countries; Pablo Palazzi (Allende & Brea,
Argentina) in relation to Latin American countries; Sophie Kwasny (Council of
Europe) in relation to Council of Europe Convention 108; Rob Kenigsberg
(Nymity) in relation to Latin America and the Caribbean; Hannah McCausland
(UK Information Commissioner's Office) and Clara Guerra (Portugal's Data
Protection Commission), in relation to European data protection authorities; Blair
Stewart (Office of the New Zealand Privacy Commissioner) in relation to data
protection authorities; and Stewart Dresner and Laura Linkomies (Privacy Laws &
Business) in relation to all countries. All errors and omissions remain the
responsibility of the author.





Uruguay | Law on the Protection of Personal Data | 2008 | 2008 | Latin Am | Both | AQ | AC; RC; RP | | Regulatory and Control Unit of Personal Data | ICDPPC; RedIPD
Vietnam | Law on Protection of Consumers' Rights | 2010 | 2010 | Asia | Pri | | | APEC; ASEAN | None |
Yemen | Law of the Right of Access to Information | 2012 | | N.Af/M.East | Pub | | | | Commissioner-General of the Information |
Zimbabwe | Access to Information and Protection of Privacy Act | 2002 | 2002 | Africa | Pub | | | SADC | Media and Information Commission |




Global Table of Official Data Privacy Bills
Table of Bills (and official draft Bills) for new Acts (as known at 1 June 2013)
Jurisdiction | Title of Bill/Draft | From [10] | Current? | Region | Sec | CoE | Other Int.
Antigua & Barbuda | Data Protection Act | 2013 | Announced to be introduced to Parliament January 2013 | Caribbean | | | CARICOM
Barbados | Data Protection Bill | 2005 | Draft law; No current progress known | Caribbean | Both | | CARICOM
Brazil | Protection of Personal Data Bill | 2011 | Bill under review by the Ministry of Justice | Latin Am. | Both | |
Cayman Island | Data Protection Bill | 2012 | Data Protection Working Group started official two month consultation 02/09/2012 | Caribbean | Both | | CARICOM (Assoc)
Dominica | Privacy and Data Protection Bill | 2007 | Draft law; No current progress known | Caribbean | Both | | CARICOM
Dominican Republic | Law on Protection of Personal Data | 2013 | Approved by Senate 29/04/13; awaits House approval | Caribbean | Both | | CARICOM
Falkland Islands | Data Protection Ordinance | 2012 | Legislative Assembly resolved 2012 that new law was needed (to replace Data Protection Ordinance 1995 never brought into force); government agreed. | Latin Am | | |
Grenada | Privacy and Data Protection Bill | 2012 | Government statement of intent to legislate 2012, as part of ICT reforms | Caribbean | Both | | CARICOM (Assoc)
Ivory Coast | | | No current progress known | Africa | Both | | ECOWAS
Jamaica | Data Protection Bill | 2012 | Government announcement of intent August 2012 | Caribbean | Both | | CARICOM
Kenya | Data Protection Bill | 2012 | Commission for Implementation of the Constitution (CIC) seeking submissions, January 2012; draft Bill forwarded to Attorney General for publication | Africa | Both | | EAC
Madagascar | Data Protection Bill | 2008 | Draft under current review led by Justice Ministry | Africa | Both | | SADC
Mali | Data Protection Bill | 2011 | Draft; No current progress known | Africa | Both | | ECOWAS
Niger | Law to establish a DPA (to complement ECOWAS treaty on data protection) | 2013 | Draft law development led by Telecom Ministry | Africa | Both | | ECOWAS
Nigeria | Data Protection Bill | 2010 | Bill tabled in Parliament 2010; no recent progress | Africa | Both | | ECOWAS

[10] From: Date of latest known Bill before legislature or official draft Bill or announced government plans to draft Bill.

Qatar | Personal Information Privacy Protection Law | 2012 | Supreme Council of ICT (ICT Qatar) was reviewing its draft law January 2012 | ME/N. Af | | |
Saint Kitts and Nevis | Privacy and Data Protection Bill | 2012 | Government draft Bill under review by stakeholders, April 2013 | Caribbean | Both | | CARICOM
South Africa | Protection of Personal Information Bill | 2009 | Bill passed by National Assembly; National Council of Provinces hearing Select Committee in 06/13 | Africa | Both | | SADC
Tanzania | Data Protection Bill | 2013 | Draft law; undergoing internal review and stakeholder consultations, May 2013 | Africa | | | EAC; SADC
Thailand | Personal Data Protection Bill | 2011 | Bill before Cabinet mid-2012; new private sector law to add to existing public sector law | Asia | Pri | | APEC; ASEAN
Turkey | Law on the Protection of Personal Data | 2003 | Draft law; No current progress known | Europe (O) | Both | SC | OECD
