It is forty years since enactment of Sweden’s Data Act of 1973, the first comprehensive national data privacy law, and the first such national law to implement what we can now recognise as a basic set of data protection principles. This article answers the question, ‘How many countries now have data privacy laws?,’ starting by defining a ‘data privacy law’. The result is a global analysis of data privacy laws and the international agreements relevant to each, and of Data Protection Authorities and their interlocking associations.
The answer to the question — documented in the accompanying Table of global data privacy laws — is that, as of mid-2013, 99 countries have such laws, a number considerably higher than earlier commentators had assumed. By looking at the related questions of the date at which such laws were enacted, and the regions of the world in which they have arisen, we can see trends in development which indicate the future direction of global development of data privacy laws.
The article also analyses which international agreements or requirements concerning data privacy (OECD, EU, APEC, ECOWAS etc) affect which countries, and how many relevant parties have enacted laws in accordance with the various agreements or requirements. The extent to which data protection authorities (DPAs) are required as part of data privacy laws is analysed, and existing DPAs identified. The associations of DPAs in which each is involved are also identified, and the implications of their overlapping but incomplete memberships.
The conclusion reached is that, given the continuing accelerating growth in the number of such laws, it seems likely that, within a decade, data privacy laws will be ubiquitous in that they will be found in almost all economically more significant countries, and most others. This conclusion is supported by the number of official data
Original title
Sheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories, Graham Greenleaf
Author: Graham Greenleaf. Date (approved for print): 14 April 2014. DOI: 10.3778/JLIS.2014.23.Greenleaf.1
ISSN 0729-1485. Copyright © 2014 University of Tasmania. All rights reserved. Subject to the law of copyright no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise, without the permission of the owner of the copyright. All enquiries seeking permission to reproduce any part of this publication should be addressed in the first instance to: The Editor, Journal of Law, Information and Science, Private Bag 89, Hobart, Tasmania 7001, Australia. editor@jlisjournal.org
http://www.jlisjournal.org/
Sheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories
GRAHAM GREENLEAF *
Abstract
It is forty years since enactment of Sweden’s Data Act of 1973, the first comprehensive national data privacy law, and the first such national law to implement what we can now recognise as a basic set of data protection principles. This article answers the question, ‘How many countries now have data privacy laws?’, starting by defining a ‘data privacy law’. The result is a global analysis of data privacy laws and the international agreements relevant to each, and of Data Protection Authorities and their interlocking associations. The answer to the question, documented in the accompanying Table of global data privacy laws, is that, as of mid-2013, 99 countries have such laws, a number considerably higher than earlier commentators had assumed. By looking at the related questions of the date at which such laws were enacted, and the regions of the world in which they have arisen, we can see trends in development which indicate the future direction of global development of data privacy laws. The article also analyses which international agreements or requirements concerning data privacy (OECD, EU, APEC, ECOWAS etc) affect which countries, and how many relevant parties have enacted laws in accordance with the various agreements or requirements. The extent to which data protection authorities (DPAs) are required as part of data privacy laws is analysed, and existing DPAs identified. The associations of DPAs in which each is involved are also identified, and the implications of their overlapping but incomplete memberships. The conclusion reached is that, given the continuing accelerating growth in the number of such laws, it seems likely that, within a decade, data privacy laws will be ubiquitous in that they will be found in almost all economically more significant countries, and most others. This conclusion is supported by the number of official data privacy Bills currently before legislatures or under government consideration in at least 20 more countries. It is reinforced by the increasing importance of both international agreements and associations of DPAs. A Postscript reveals that there are now 101 laws, not 99, and Sheherezade can rest a while.

* Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales. The accompanying Tables are also available on SSRN/LSN (Legal Scholarship Network) at <http://ssrn.com/abstract=2280875>. The data in the Tables and article are as at 1 June 2013. Comments, additions and corrections are welcome to <graham@austlii.edu.au>. The assistance of Marie Georges, David Banisar, Charles Raab, Stewart Dresner, Laura Linkomies, Blair Stewart and Jill Matthews is gratefully acknowledged. Responsibility for all content remains with the author. Separate acknowledgments are provided in relation to the accompanying Tables. Substantial work on this article was completed while the author was a Japan Society for the Promotion of Science (JSPS) Visiting Fellow at Meiji University, Tokyo, from September to December 2012.

Introduction
Sheherezade told Sultan Shahryar yet another fabulous tale from a far-off land, but the Sultan was never satisfied, so each night Sheherezade brought him another tale (and thus saved her head), until one thousand nights had passed, and then one. 1 Like the thousand-and-one nights, the global history of data privacy laws is a tale that grows with each successive telling, and it may be that the steady growth of such laws in far-off lands will turn out to be the secret of the survival of privacy in a rather hostile world. The meme of data privacy, having escaped from the bottle over 40 years ago, is proving difficult to put back in. 2 It is not a history that can boast 1001 data privacy laws, but it does have 101, to which (dear reader) we shall now turn.
1 A Surprising Lacuna
It is forty years since Sweden’s Data Act 1973 was the first comprehensive national data privacy law, and the first such national law to implement what we can now recognise as a basic set of data protection principles. 3 ‘How many countries now have data protection laws?’ seemed like a fairly straightforward question when it was asked of me in June 2011. 4 The usual answer, including mine, was somewhat vague: ‘about sixty’, or perhaps a well-informed respondent might have said ‘more than sixty’. 5 No resources could be found to give a convenient and convincing answer, 6 leading to successive attempts to provide such an answer, of which this is the third over two years. The first 7 showed that at least 76 countries had enacted data privacy laws by mid-2011. Six months later, new laws and further investigation showed there were at least 89 countries with such laws. 8

The last 18 months have seen a moderate expansion in global data privacy laws. Since the previous analysis listing 89 countries, there have been new data privacy laws enacted covering the private sector in Ghana, Georgia, 9 Nicaragua, the Philippines, and Singapore (private sector only). To the list must also be added laws omitted previously from Kosovo and Greenland (a Danish territory which is still subject to Denmark’s old data protection law). That brings the total to 96. However, as discussed below, there are also at least three data privacy laws, 10 both new and pre-existing, concerning the public sector only (Yemen, Zimbabwe and Nepal), which need to be added, bringing the total to 99.

The Table of Data Privacy Laws at the conclusion of this article lists all countries (including otherwise independent legal jurisdictions) which have enacted data privacy laws; the principal law; when enacted; its sectoral coverage (only private sector; only public sector; or both sectors); the international data privacy commitments of the country, or the international recognition its laws have received; whether it has a data protection authority (named if so); and the international associations in which that DPA is involved.

1 Sir R Burton (trans), Tales from the Arabian Nights (Avenel Books, 1975). Sheherazade, Scheherazade, Šahrzād and Shahrzād are among many spellings of her name in different sources. The story goes that the Sultan would marry a new wife each day, but next morning would have her beheaded, from fury at his first wife’s unfaithfulness. Sheherezade, the daughter of his Vizier, offered to marry him, and on the first night told him a tale that had him enthralled, until dawn broke but the tale was unfinished, so he asked her to return the next night to finish it. And each night she would start a new tale, not finish it (thus saving her sisters), and keep returning for one thousand nights, and then one.
2 ‘The effectiveness of data privacy principles comes as much from their ideological effect and their global nature as from their enforcement (which is often lacking). Forty years of data privacy laws have created a language of data privacy, and a set of ethical standards to which most companies and governments feel obliged to at least give lip service. Attempts to break the power of this discourse by creation of alternative language/ethical standards, particularly the push for “accountability”, have failed as yet but are a continuing threat to the hegemony of conventional data privacy principles’: G Greenleaf, ‘Global data privacy in a networked world’ in I Brown (ed), Research Handbook on Governance of the Internet (Edward Elgar, 2013) <http://ssrn.com/abstract=1954296>.
3 In 1970 both the USA’s Fair Credit Reporting Act and a data protection law for the public sector in the Land of Hessen, Germany, had included sets of data protection principles, but did not have the scope required for laws considered here.
4 By James B Rule, author of Private Lives and Public Surveillance (Allen Lane, 1973), and many other distinguished works on privacy. That book was published the same year as the Swedish Data Act was enacted, and shortly before Michel Foucault published that other early classic of surveillance studies, Discipline and Punish: The Birth of the Prison, in 1975.
5 For example, Professor Lee Bygrave, very well informed in these matters, was sufficiently cautious to write in a 2010 global analysis of data privacy developments that ‘well over 40 countries’ have data privacy laws: L Bygrave, ‘Privacy and Data Protection in an International Perspective’ (2010) 56 Scandinavian Studies in Law 165, 166 <http://www.uio.no/studier/emner/jus/jus/JUR5630/v11/undervisningsmateriale/>.
6 One early such Table was by Christopher Millard, ‘European Data Protection Laws Chart’ (May 1997) Privacy Laws & Business Newsletter.
7 G Greenleaf, ‘Global data privacy laws: 40 years of acceleration’ (September 2011) (issue 112) Privacy Laws & Business International Report 11 <http://ssrn.com/abstract=1946700>.
8 G Greenleaf, ‘Global Data Privacy Laws: 89 Countries, and Accelerating’ (February 2012) (issue 115) Privacy Laws & Business International Report, Special Supplement <http://ssrn.com/abstract=2000034>.
9 The Georgian Law on Personal Data Protection was enacted on 28 December 2011 and entered into force on 1 May 2012.
10 Inclusion of a fourth public sector law, from Georgia, is unnecessary because it has now passed data protection legislation.
A separate Table of Official Bills lists known official Bills not yet enacted.

The picture that will emerge from the analysis of the growth of these laws over time is that data privacy laws are spreading globally, and their number and geographical diversity have been accelerating since 2000. Growth of data privacy laws is not yet flattening off.

The number, growth and geographical distribution of data protection laws is significant. As Bennett and Raab said in their leading text in 2006, ‘over the past thirty or more years, comprehensive and general data protection laws have been regarded as essential tools for regulating the use of personal data’. 11 By tracking their occurrence we can obtain insights into the global progress of protection of data privacy as a human right, into the extent to which certain practices are becoming entrenched in the world’s legal systems (and therefore increasingly difficult to remove), and into the likely future rate of occurrence of new data protection laws in other countries. These matters affect the global geo-politics of privacy protection. Such information is also significant for more academic enquiries, such as into the extent (and success) of data protection laws as a transplant into legal cultures in which they were not previously found.

2 What is a Data Privacy Law?
Before answering a simple question, it is sometimes necessary to answer some more complex questions first. In this case, before starting to count data privacy laws it is necessary to answer: ‘What is a country?’; ‘What is a law?’; ‘What scope must a law have?’; ‘What data privacy principles must a law include?’; and ‘How effective must a law be?’ The overall approach taken here is to attempt to define the minimum criteria that reasonable and impartial observers could agree constitute a ‘data privacy law’ or ‘data protection law’ when satisfied. These factors are used to determine which countries’ laws are included in the concluding Tables.

2.1 What is a country?
In this analysis, ‘countries’ is a slight exaggeration, and a more accurate term would be ‘separate legal jurisdictions’. The Table includes the two Special Administrative Regions (SARs) which have constitutionally different legal systems from the rest of China (Hong Kong and Macao, under the principle of ‘One Country, Two Systems’) and five British dependent territories which have their own legal systems (the Isle of Man, Jersey, Guernsey, Gibraltar and the Bahamas). By the same reasoning it includes the Qatar Financial Centre (QFC) and the Dubai International Finance Centre (DIFC), because these areas, somewhat similar to special economic zones, have data privacy laws which apply to all business carried out within the QFC and DIFC, and their own administrations, data protection authorities and courts to enforce such laws. Geographically, they may be like miniature versions of Hong Kong, but the size of a jurisdiction is little indication of how much personal data may be processed within it or transferred to or from it, so it seems best to include them for completeness. Whatever view one takes of Taiwan as a country, it is also included, as is Greenland (a Danish territory with a separate data privacy law).

However, sub-national jurisdictions which do not have their own separate legal systems, or are subject to the laws of a federation in relation to data privacy law, are not included. So states and provinces in Germany, Canada, Australia, Spain, Switzerland and elsewhere with data privacy laws are excluded even if they do sometimes provide some non-comprehensive coverage of the private sector as well as covering the public sector. 12 Certain provinces of the People’s Republic of China which have enacted local laws are excluded for similar reasons. State or provincial laws which only cover the local public sector are also excluded. Many of these sub-national laws are quite significant sources of data privacy legislation and case law, or were pioneers in data protection. Hesse in Germany, Quebec, Ontario and British Columbia in Canada, and Victoria and New South Wales in Australia are examples. It would be valuable to include such jurisdictions in a separate Table, but this has not been done in this article. The result of this conservative approach is that no country is included twice in the Table, but nor is any jurisdiction unreasonably excluded.

2.2 What is a law?
The approach taken here is that a ‘law’ is what the word implies, and this is not satisfied by a voluntary code of conduct or a trustmark scheme. A law must set out data privacy principles (which ones is discussed later) in a specific fashion, not only as a general constitutional protection for privacy, or a civil action (tort) for infringement of privacy. A law in this sense must make its data privacy principles enforceable, but whether this is by criminal offences, civil penalties, administrative orders for compensation, or a right of civil action before the courts, is left open, as it was (for example) in the original Council of Europe Convention. Most jurisdictions with data privacy laws also have a Data Protection Authority (DPA), a separate institution which has responsibility for the data privacy legislation, but this is not a necessary requirement and was left open in both the Organisation for Economic Co-operation and Development (OECD) Guidelines of 1980 and the Council of Europe Convention of 1981.

2.3 What scope must a law have?
Nearly ninety per cent of all data privacy laws in the Table (88/99) cover both the public sector and the private sector of a country, but there are two small groups of exceptions that only cover one or the other sector, and they are both included.

In relation to the private sector, to be included a law must cover most economically significant aspects of the operation of the private sector. This excludes countries which have only scattered sectoral privacy laws (eg credit reporting or medical records laws). The USA, which has numerous limited sectoral laws in the private sector, is included not because of its private sector laws, but only because of its federal public sector law. Many countries have some exceptions in their private sector coverage, such as various forms of small business exceptions (eg Japan and Australia), or exceptions for non-automated records, or exceptions for the media (many countries), or for employment records (Australia again). Such exceptions are not a basis for exclusion. A law with largely comprehensive private sector coverage is considered as covering that sector. There is a small but growing group of countries (six at present), particularly in Asia, with laws which only cover the private sector but provide no protection in relation to the public sector: Singapore, Malaysia, Vietnam, India, Qatar Financial Centre and Dubai International Finance Centre. However, most jurisdictions which have laws with private sector coverage also have data privacy laws which cover their national public sectors (88/94). Such protection is sometimes by different legislation from that covering the private sector.

11 C Bennett and C Raab, The Governance of Privacy: Policy Instruments in Global Perspective (MIT Press, 2006).
12 A separate table detailing such laws would be desirable but has not been done.
Where there is a different law for the public sector it will often have principles and enforcement mechanisms which differ significantly from those applying to the private sector. Some jurisdictions which now have private sector coverage initially only covered their public sectors, including the OECD members Australia, Japan, Canada and South Korea, with private sector coverage only introduced up to 15 years later. 13 At least six jurisdictions provide basic data privacy protection in relation to their public sector only (the United States, Thailand, Yemen, Zimbabwe, St Vincent & the Grenadines, and Nepal), but do not do so for their private sector according to the criteria used here. As a federation, the US Privacy Act 1974 only covers the federal public sector, but some states have equivalent laws. 14 As unitary countries, the other countries’ laws cover their whole public sectors.

Are there other countries in this category? There are 94 countries that have right to information (RTI) laws (also called freedom of information or FOI laws). 15 Of these 94 countries with RTI/FOI laws, 37 do not otherwise have data privacy laws. 16 While there are quite a few laws which go beyond only providing access rights, such as by providing rights of correction of personal information (eg the laws of Australia, China, the Cook Islands, Ethiopia, Jamaica and South Africa), and some provide rights of compensation for breaches of access rights, few go any further and provide other data privacy rights such as limits on collection, use and disclosure, data security requirements, or deletion/de-identification requirements. Of these 37 laws, an analysis of the 25 available in English shows that only four of them could also be considered to meet a minimum set of conditions to qualify as a data privacy law for the public sector: the laws of Yemen, Zimbabwe, Nepal and Thailand. The remaining 12 laws 17 (seven in Spanish, five in other languages) could contain additional public sector data privacy laws, and while this does not seem likely, it has not yet been conclusively assessed. 18 New RTI/FOI laws are being enacted every year, so it is necessary when assessing the global dissemination of data privacy laws to also keep these new RTI/FOI laws in mind. The Table does not include any countries which might have public sector privacy laws for some of their regional governments only (China might qualify if it did).

2.4 What data privacy principles must a law include?
Standard texts on data privacy do not often define the minimum set of principles which a law must contain to be considered a data privacy law, but some go close to so doing.

13 The year stated in the Table under ‘From’ is the year from which legislation was enacted which first provided the required coverage of either the private sector or the public sector. So, for example, the year shown for Australia is 1988, even though the Privacy Act 1988 operated for 13 years in relation to the public sector only, and for a lesser period in relation to the credit industry, before most of the private sector was added in 2001.
14 California, New York, Hawaii, Minnesota and Massachusetts have laws which may constitute data privacy laws as defined here, limited to their state public sectors. This has not been investigated fully. For details of such laws see P Swire and K Ahmad, US Private Sector Privacy: Law and Practice for Privacy Professionals (IAPP, 2012), or R E Smith, Compilation of State and Federal Privacy Laws (Privacy Journal, 2013).
15 The 94 countries with RTI/FOI laws are the 93 listed in the Global Right to Information Website (AccessInfo and Center for Law and Democracy) as at 28 September 2012 <http://www.rti-rating.org/pdf/index.php>, plus Rwanda whose law was enacted in 2013.
16 This can be established by comparing the lists of countries with RTI/FOI laws with the list of countries with data privacy laws set out in Greenleaf, above n 8. To the 89 listed there must be added Ghana, Georgia, Kosovo, Nicaragua, the Philippines, Singapore and Greenland (Danish territory but with a different data protection law). Thailand is already included in the list of 89 countries.
17 Countries with FOI/RTI laws that might contain public sector data privacy laws: Brazil, Dominican Republic, Ecuador, El Salvador, Guatemala, Honduras, Niger, Panama, Rwanda, Turkey, Uganda and Uzbekistan.
18 Based on brief advice received from local experts but not on a translation of the laws.
Bennett and Raab in 2006 refer to a ‘strong consensus’ that has emerged as to a set of twelve ‘fair information principles’ (FIPs), 19 which can be summarised as: accountability; purpose identification; collection with knowledge and consent; collection limited to what is necessary for the purpose (also called ‘minimal collection’); use limited to the identified purpose or with consent (‘finality’); disclosure likewise; retention only as long as necessary; data kept accurate, complete and up-to-date (often called ‘data quality’); security safeguards; openness on policies and practices; individual access; and individual correction. When they discuss data protection legislation, they at one point refer to the universal embodiment of these twelve FIPs in national and sub-national laws, in the European Union (EU) Directive, and then in legislation passed subsequent to that. 20 However, over the following pages they are more realistic and note that some FIPs, such as the ‘data quality’ and ‘finality’ principles, are only included in ‘most’ laws. 21

Bygrave in 2002 also comes close to providing a set of necessary requirements when he provides an overview of the basic principles applied by data processing laws to the processing of personal data. 22 He then discusses fair and lawful processing, minimality, purpose specification, information quality, data subject participation and control, disclosure limitation, information security and sensitivity. 23 Other than sensitivity, these categories are close to the FIPs of Bennett and Raab, but do not include all of them. Neither Bennett and Raab nor Bygrave attempts to state a minimum set of principles that should be included in a data privacy law, but both imply that most of the principles in their lists should be included.

Another approach is to start with the two earliest international instruments concerning data privacy, the OECD privacy Guidelines of 1980 and the Council of Europe (CoE) Data Protection Convention 108 of 1981 (Convention 108) (without its 2001 Additional Protocol). It is reasonable to regard them as providing the best guide to the minimum requirements of a data privacy law, given that they existed for more than twenty years prior to the analyses of both Bennett and Raab and Bygrave. That is the approach taken in this article.
19 Bennett and Raab, above n 11, 12-13. 20 Ibid 121. 21 Ibid 121-125. 22 L Bygrave, Data Protection Law: Approaching its Rationale, Logic and Limits (Kluwer, 2002) 57. 23 Ibid Ch 3 Core Principles of Data Protection Laws. Sheherezade and the 101 Data Privacy Laws EAP 9 The principles in those earliest two instruments can most simply be summarised as the following 10 principles: 1. Data quality relevant, accurate, & up-to-date. 2. Collection limited, lawful & fair; with consent or knowledge. 3. Purpose specification at time of collection. 4. [Notice of purpose and rights at time of collection (implied)]. 5. Uses & disclosures limited to purposes specified or compatible. 6. Security through reasonable safeguards. 7. Openness re personal data practices. 8. Access individual right of access. 9. Correction individual right of correction. 10. Accountable data controller with task of compliance. Principles concerning minimal collection, retention limits and sensitive information are not included, as they only became common requirements later, and the aim here is to identify a basic set of data privacy principles with some pedigree in international agreements and academic scholarship. However, the question still arises whether a data privacy law must include every aspect of the content principles of these two instruments? What may be expressed as a single principle in these instruments may compact two logically distinct principles, for example the use and disclosure limitation principles, and the data subjects rights of access and correction. The following Table breaks down the OECD and CoE content principles into 15 separate principles, and then states whether those principles can be found in the laws of the 10 countries in Asia which could be regarded as having data privacy laws (for Thailand a Bill only). 
These are a very diverse range of countries, with influences on data protection laws coming from many sources, and so would seem to provide a reasonable (and manageable) test set to assist a decision on the content of a data privacy law.

Jurisdictions 24                                                                HK  IN  JN     KR  MA  MY     PH  TW  SN  VN  TTL
Collection limits (not excessive)                                               O   O   O      O   O   O      O   O   O   X   9
Collection by lawful means                                                      O   X   O      O   O   X      O   O   O   O   7
Collection by fair means                                                        O   X   O      O   O   X      O   O   O   O   7
Purpose of collection specified by time of collection                           O   O   O      O   O   O      X   O   O   O   9
Collection with knowledge or consent, when from data subject                    O   O   ?      O   O   O      O   O   O   O   9
Data quality: relevant, accurate, complete & up-to-date                         O   X   O      O   O   O      O   O   O   O   9
Uses limited to purpose of collection, with consent or by law                   O   O   O      O   O   O      O   O   O   O   10
Disclosure limited to collection purpose, with consent or by law (or stricter)  O   O   O      O   O   O      O   O   O   O   10
Secondary uses and disclosures only allowed if compatible (or stricter)         O   O   O 25   O   O   X 26   O   O   O   O   9
Secondary purpose specified at change of use (or stricter)                      X   O   O      O   O   O      O   ?   O   X   7
Security safeguards reasonable 27                                               O   O   O      O   O   O      O   O   O   O   10
Openness re policies on personal data                                           O   X   O      O   O   X      X   O   O   X   6
Access to individual personal data                                              O   O   O      O   O   O      O   O   O   O   10
Correction of individual data                                                   O   O   O      O   O   O      O   O   O   O   10
Accountable data controller                                                     O   O   O      O   O   O      O   O   O   X   10
Total for OECD/CoE principles (/15)                                             14  11  14     15  15  11     13  15  15  11  Av 13.4

Table: OECD & CoE108 content principles, as found in laws of 10 Asian jurisdictions (O indicates element is found in the law, X indicates it is absent).
24 Jurisdictions: HK = Hong Kong SAR; IN = India; JN = Japan; KR = South Korea; MA = Macau SAR; MY = Malaysia; PH = the Philippines; TH = Thailand (Bill only); TW = Taiwan; SN = Singapore; VN = Vietnam.
Journal of Law, Information and Science Vol 23(1) 2014 EAP 10
25 Japan: All aspects of secondary use and disclosure under Japan's law depart from OECD principles because of its special principle concerning website notification and opt-out.
26 Malaysia: Secondary uses are not so limited, but secondary disclosures are so limited.
27 Safeguards must be against loss or unauthorised access, destruction, use, modification or disclosure.
While some countries do satisfy all 15 criteria (South Korea, Macau, Singapore and Taiwan), the average is 13.4 principles over the 10 countries. It would be too strict to require all 15. For example, there is no explicit openness principle in six of the 10 laws, and only five of the 15 are satisfied by all 10 countries (use and disclosure limitations, security requirements, and data subject access and correction rights). None fall below satisfying 11 of the 15. While the selection of countries is not geographically representative, and analysis of their laws should not determine any conclusions, the results found nevertheless seem congruent with an informed intuitive approach as to what a data privacy law should contain as a minimum. Therefore, the assumption on which the following analysis of global privacy laws is based is that a data privacy law must include as a minimum (i) access and correction rights (individual participation), (ii) some finality principles (limits on use and disclosure based on the purpose of collection), (iii) some security protections; and (iv) overall, at least 11 of the 15 OECD/CoE principles identified above. Any such analysis will necessarily include some subjective judgments at the margin of acceptability. In the above example, the inclusion of both India and Vietnam is based on generous interpretations of their laws (in the absence of any cases to negative such interpretations).
The Indian law is replete with ambiguities, including questions such as whether all or only some principles apply to protect data subjects when data is received from a third party rather than from the data subject. In relation to Vietnam, the principle of subject access is not explicit and must be implied from the right of correction in what are very short statements of sets of data privacy rights in two pieces of legislation. It is also necessary to conclude that two laws, one dealing with e-commerce and one with consumer rights, effectively cover the majority of private sector personal data. Many countries have laws covering parts of their private sector (eg credit reporting, e-commerce or medical records), or requiring their private sectors to comply with a particular data protection principle (eg aspects of data security), but these do not meet the criteria for this study and the Table. Recent examples are from Indonesia and Turkey (both concerning e-commerce). Other examples are the many sectoral privacy laws in the USA which deal with parts of the US private sector. 28 Nor do US private sector privacy laws meet the criteria even if aggregated, 29 and possibly they could not do so for constitutional reasons. 30
28 For details of such laws see Swire and Ahmad, above n 14; Smith, above n 14.
2.5 How effective must a law be?
This analysis only considers whether a data privacy law exists on paper (ie has been enacted) and is in force. The assessment of how effectively a law is enforced is half of the task of an EU adequacy assessment, and in each instance such an assessment takes many weeks of work. 31 Apart from being impossible for 98 countries, that is not the purpose of this analysis. Each reader may have their own list of countries which they would suspect as being very probably at the low end of enforcement effectiveness, depending on what we know about them. In fact, reliable information about enforcement of most data privacy laws is difficult to obtain, and evaluation of impact extremely difficult. 32 Also, the fact that such countries have data privacy laws in force leaves open the possibility that enforcement arrangements can change very quickly toward effectiveness. Laws are not ruled out, therefore, for lack of evidence of effectiveness. That is a different enquiry from this. Finally, for the purposes of this brief overview, it is important to note that growth or expansion of data privacy laws cannot be equated with improvement in privacy protection. Some privacy laws are simply not enforced. Surveillance activities in both the private and public sectors can also grow at the same time as laws are enacted and operational, and quite often do when data privacy laws are a trade-off for, or a belated response to, more intensive surveillance. Assessing the effectiveness or value of data privacy laws is a far more complex task than is undertaken in this relatively simple exercise.
2.6 The resulting global tabulation
To summarise the above discussion, in this article and the accompanying Table, a country (including any independent legal jurisdiction) is considered to have a data privacy law if it has one or more laws covering the most important parts of its private sector, or its national public sector, or both, and that law provides a set of basic data privacy principles, to a standard at least approximating the minimum provided for by the OECD Guidelines or Council of Europe Convention 108, plus some methods of officially-backed enforcement (ie not only self-regulation). To approximate the OECD/CoE standards, a law must provide individual participation, finality, security and at least 11 of the 15 principles overall.
29 For details see C Hoofnagle, Country Studies B.1 United States of America in D Korff (ed), Comparative study on different approaches to new privacy challenges, in particular in the light of technological developments (European Commission, 2010) 6, Data protection principles <http://ec.europa.eu/justice/policies/privacy/docs/studies/new_privacy_challenges/final_report_country_report_B1_usa.pdf>.
30 See G Greenleaf and N Waters, Obama's Privacy Framework: An Offer to be Left on the Table (October 2012) (issue 119) Privacy Laws & Business International Report 6-9, and references cited therein <http://ssrn.com/abstract=2187234>.
31 The author has been involved in the preparation of five expert reports for such assessments.
32 See Bennett and Raab, above n 11, Ch 9 for a discussion of the difficulties.
3 The Global Diffusion of Data Privacy Laws Over 40 Years
Using this definition of a country with a data privacy law, the annexed Table of Data Privacy Laws applies the definition to determine that 99 countries currently have such laws, and lists them alphabetically. What can analysis of this Table tell us about how these laws have developed globally over the last 40 years since Sweden was the sole national experiment in 1973? The most obvious questions are to ask at what rate this expansion has occurred, and where it has occurred.
Answers to these questions will enable some informed discussion of the likely rate and location of future global growth in data privacy laws, and its implications.
3.1 Countries without data privacy laws: Heading toward a minority
A tabulation of countries with data privacy laws requires the complement to be determined: how many countries have no such laws? There are at least 109 countries with no laws yet enacted, taking into account UN member states and a number of non-member states. 33 If the 20 current Bills known are taken into account (the Thai Bill is ignored because there is already a public sector Act), there are 89 countries 34 with no Acts or Bills. The global distribution of 208 countries is therefore: 89 with no Acts or Bills; 20 with Bills; 99 with Acts. It is clear from the list of countries with Bills that the numbers could change quite soon. Enactment of six more Bills will put the number of countries with data privacy laws in the majority. This is likely to occur in 2014. Of course, the number of countries with laws is not the only indicator of significance, and other measures based on the populations or economic significance of countries could be used.
33 The list in the following footnote includes UN observer states, a number of other states that are not UN members, and UK territories. There may be some other territories with separate legal systems not included.
34 Countries with no Acts or Bills: Afghanistan; Algeria; Bahrain; Bangladesh; Belarus; Belize; Bermuda***; Bhutan**; Bolivia; Botswana; British Virgin Islands***; Brunei Darussalam; Burundi; Cambodia; Cameroon; Central African Republic; Chad; China; Comoros; Congo, Republic; Congo, Democratic Republic; Cuba; Djibouti; Ecuador; Egypt; El Salvador; Equatorial Guinea; Eritrea; Ethiopia; Fiji; Gambia; Guatemala; Guinea; Guinea-Bissau; Guyana; Haiti; Honduras; Indonesia; Iran; Iraq; Jordan; Kazakhstan; Kiribati; Korea, North; Kuwait; Lao PDR; Lebanon; Lesotho; Liberia; Libya; Malawi; Maldives; Marshall Islands; Mauritania; Micronesia; Mongolia; Mozambique; Myanmar; Namibia; Nauru; Oman; Pakistan; Palau; Palestine*; Panama; Papua New Guinea; Rwanda; Samoa; Sao Tome and Principe; Saudi Arabia; Sierra Leone; Solomon Islands; Somalia; Sri Lanka; Sudan; Suriname; Swaziland; Syria; Tajikistan; Timor Leste; Togo; Tonga; Turkmenistan; Tuvalu; Uganda; United Arab Emirates; Uzbekistan; Vanuatu; Vatican (Holy See)*; Venezuela; Zambia (* = UN observer states; ** = Not UN member; *** = UK territory). This list is constructed by starting with all UN member states and observers, adding known independent jurisdictions, and then removing countries with Acts or Bills. It is possible that some territorial jurisdictions with independent legal systems are not yet included.
3.2 Growth by decade
The rate of expansion has averaged approximately 2.5 laws per year for 40 years, but it has not been linear growth. The number of new data privacy laws globally, viewed by decade, has grown as follows: 9 (1970s), +12 (1980s), +20 (1990s), +39 (2000s) and +19 (3.5 years of the 2010s), giving the total of 99. In the 1970s, data privacy laws were a western European phenomenon (Austria, Denmark, Greenland, Germany, France, Norway, Sweden, and Luxembourg), other than for the US public sector Act. The position was similar in the 1980s (Finland, Iceland, Ireland, the Netherlands, San Marino, the UK, and three territories related to the UK), with Israel as the first non-European state in 1981, and Australia, Canada and Japan providing public sector only legislation. Acceleration commenced in the 1990s, as most remaining western European countries (EU and EEA) enacted laws (Belgium, Italy, Greece, Monaco, Portugal, Spain, and Switzerland), with developments in Portugal and Spain in conjunction with democratisation. More significantly, with the collapse of the Soviet Union many former eastern bloc countries enacted data privacy laws as part of their protection of civil liberties (Albania, Czech Republic, Hungary, Poland, Slovakia, and Slovenia), and the first ex-Soviet republics (Azerbaijan and Lithuania) did likewise. The spread outside Europe also started, with the first laws in Latin America (Chile) and the first comprehensive laws in the Asia-Pacific (Hong Kong, New Zealand and (with limitations) Taiwan, plus Thailand and South Korea's public sector laws), also often related to increased democratisation. In the 2000s the acceleration continued, and increased in almost all regions of the world. Most striking was the expansion in the former eastern bloc and Soviet republic countries (Bosnia & Herzegovina, Bulgaria, Croatia, Estonia, Latvia, Macedonia (FYROM), Moldova, Romania, Serbia and Montenegro, plus Russia itself, though not in force until 2011), plus the addition of the remaining western European countries (Andorra, Cyprus, Gibraltar, Liechtenstein and Malta). Outside Europe, expansion accelerated in the Asia-Pacific (Macao SAR, and Nepal's public sector, and private sector extensions of existing laws in Australia, South Korea, and Japan), Latin America (Argentina, Colombia, Paraguay and Uruguay), and the Caribbean (Bahamas, St Vincent & Grenadines). Rapid development took place in Africa with new laws in Tunisia and Morocco (North Africa) and Benin, Burkina Faso, Cape Verde, Mauritius, Senegal, Seychelles, and Zimbabwe's public sector law (sub-Saharan Africa). The Kyrgyz Republic became the first country in Central Asia to legislate in 2008, and the Dubai and Qatar Financial Centres added the first laws in the Middle East. The noughties (2000-09) were the first decade in which non-European expansion of laws (23) exceeded that in Europe (16). In the first three and a half years of this decade 19 new laws have been enacted. All remaining European countries enacted laws (Faroe Islands, Georgia, Kosovo and Ukraine), with the exception of Turkey (also the only remaining OECD exception) and the two non-members of the Council of Europe (Belarus and the Vatican). The Russian law also finally came into force. Outside Europe, almost all regions have already shown continuing expansion. Expansion outside Europe (15) continues to outstrip that within Europe (3), and this will of necessity continue as the capacity for European expansion is now largely exhausted. Growth comes from all regions: India, the Philippines, Malaysia, Vietnam, and Singapore (the last three only private sector) (Asia); Costa Rica, Nicaragua, Mexico and Peru (Latin America); Angola, Gabon, and Ghana (Africa); St Lucia and Trinidad & Tobago (Caribbean); and Yemen (public sector) (Middle East). So far, the 2010s are the most intensive period of data protection development in the 40-year history of the field, averaging more than five new laws per year. There is also a continuing strengthening of existing law outside Europe in the 2010s, as has occurred in Hong Kong, South Korea, Australia, and Taiwan, to consider only the Asia-Pacific.
3.3 Geographical expansion
Geographically, 35 more than half (53 per cent) of data privacy laws are still in European countries (52/98), EU member states making up less than one third (28/98), even with the expansion of the EU into Eastern Europe. There are data privacy laws in all 28 member states of the European Union (counting Croatia as of 1 July 2013), and a further 24 laws in other European countries or jurisdictions (including the EEA states). Only a few European countries remain without such laws (Belarus, the Holy See/Vatican, and Turkey). There are nine laws in Latin America. In the Americas there are also the laws in Canada and the USA, and four laws in the Caribbean. In Asia there are now 12 of 27 countries with data privacy laws. Both Australia and New Zealand have data privacy laws, but no countries in the Pacific Islands do so (the only region with no such laws). In North Africa and the Middle East there are six such laws, and 10 in Sub-Saharan Africa. The French-speaking Association of Personal Data Protection Authorities (AFAPDP) and France's CNIL have both made efforts to encourage expansion of data privacy in African francophone countries. The Kyrgyz Republic law is the first in Central Asia, though Mongolia's laws also come close to qualifying. The geographical distribution of the 99 laws by region is therefore: EU (28); Other European (25); Asia (12); Latin America (9); (sub-Saharan) Africa (10); North Africa/Middle East (6); Caribbean (4); North America (2); Australasia (2); Central Asia (1); Pacific Islands (0). So there are 44 data privacy laws outside Europe, 47 per cent of the total. Because there is little room for expansion within Europe, the majority of the world's data privacy laws will soon be from outside Europe, probably by the middle of this decade.
35 A recent map is by D Banisar, National Comprehensive Data Protection/Privacy Laws and Bills 2013 Map (7 July 2013) <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1951416>.
3.4 Bills for new Acts
Where will expansion occur next? The annexed Global Table of Data Privacy Bills lists known official Bills for new Acts, both those which have been introduced into legislatures, and those which are under official consideration by governments. Information is included about the current known state of a Bill. Currently, there are 21 such Bills known, based on reliable sources. As shown in the Table they are primarily from the Caribbean (8) and Africa (8), 36 plus two from Latin America (Brazil and the Falkland Islands), and one each from the Middle East (Qatar, as distinct from the Qatar Financial Authority sub-region), Europe (Turkey) and Asia (Thai private sector). Further research may reveal more Bills under consideration but not yet listed. Some Bills are excluded because they have not been enacted for a decade after introduction, 37 and some are excluded because they appear to have been rejected by legislatures, not merely delayed. 38
The Table does not include Bills for revisions of existing Acts, although these are important in expanding the strength of data privacy laws globally, as exemplified by legislation in the past two years in South Korea, Taiwan and Hong Kong.
36 From Africa they are: Ivory Coast, Kenya, Madagascar, Mali, Niger, Nigeria, South Africa, Tanzania. From the Caribbean they are: Antigua & Barbuda; Barbados; Cayman Islands; Dominica; Dominican Republic; Grenada; Jamaica; Saint Kitts and Nevis.
37 This includes Venezuela's 2003 (or earlier) Bill for a Law on Data Protection and Habeas Data, which has been before the Science and Technology Committee of the National Assembly but has not been introduced to the National Assembly for formal discussion (information provided by John Tucker Barboza and Rob Kenigsberg).
38 This includes Ecuador's 2010 Bill for a Ley de Proteccion a la Intimidad y a los Datos Personales, which was rejected and set aside by a plenary meeting of the National Assembly on 4 October 2012 (information provided by Rob Kenigsberg).
3.5 Predicting growth and ubiquitous data privacy laws
For over two decades the rate of adoption of new data privacy laws per year has been steadily increasing, and the regions of the globe that have such laws have been steadily expanding. If the current rate of expansion for 2010-mid 2013 continues in a linear fashion, 50 new laws would result in this decade, bringing the total to 140. On the other hand, continued acceleration would make the total somewhere between 140 and 160 (ie 60 to 80 new laws this decade). Even on the conservative (and almost certainly unrealistic) assumption that the 2010s will see no more data privacy laws than the 2000s, there would be 130 countries with data privacy laws by the decade's end, with a large majority of the laws by then coming from outside Europe.
Figure 1: Growth of data protection laws by decade (to June 2013), with projections to 2020 (linear = 139; accelerating = 160)
Even allowing for a few more legally distinct territories to be added, the total number of jurisdictions globally is about 210. By the end of this decade, the number of countries with data privacy laws, all of which have a strong family resemblance, will be somewhere between 130 and 160 on the estimates above, more likely toward the higher end. In other words, between 62 per cent and 76 per cent of all jurisdictions globally will have data privacy laws in only seven years' time, and global growth can be expected to continue beyond 2020. Whatever country numbers and growth rates are used, it seems likely that at some year in the next decade the number of countries with data privacy laws will reach a tipping point at which it becomes in the interests of all jurisdictions wishing to participate in the global economy to have such laws. It is not unrealistic to talk of global ubiquity of data privacy laws within 50 years of the enactment of the first such national law in Sweden. Ubiquity in this context means that almost all countries will have data privacy laws, and most of their neighbours will have them, even if there are still a few exceptions remaining. There are other ways, potentially more useful, by which global expansion of data privacy laws could be measured, say by the populations of the countries concerned, or by their GNP, or GNP per head, or another measure of economic significance. These could show different trends, and would be valuable, but may not be necessary for the purposes of this research.
Inspection of the list of 119 countries in the two Tables which already have data privacy laws or have official Bills, in comparison with the above-noted list of 89 that do not, makes it obvious that data privacy laws are found in almost all the world's larger and more economically significant countries. If one adds Brazil, South Africa, Nigeria or Kenya from the list of countries with official Bills, the picture is even clearer. Two of the few economically highly significant countries in the list of countries with no laws or Bills are China and Indonesia. Indonesia has, in 2012, enacted a data privacy regulation for e-commerce and is reported to be drafting a comprehensive law. 39 China is enacting a mosaic of data privacy laws in economically significant sectors, but could move to a comprehensive data privacy law. 40 India has legislated, though poorly and idiosyncratically, and there is considerable internal and external pressure on India to enact more conventional comprehensive legislation. South Africa's legislation has almost completed its passage, and Brazil's may do so in 2013: another BRIC in the wall, we could say.
3.6 Enough on quantity! What quality do these laws have?
Although an OECD/CoE minimum standard has been used to define a data privacy law (and inclusion in the Table), this should not lead to the mistaken assumption that only such a minimum standard of data protection is what is achieved by the laws from countries outside Europe. 41 Analysis of 33/39 countries outside Europe with data protection laws as at December 2010 42 showed that in relation to 10 principles that were more strict than the OECD/CoE basic principles, the 33 non-European laws on average exhibited 7/10 of those principles. Some of these additional European principles occurred in more than 75 per cent of the 33 countries assessed, namely border-control data export restrictions (28/33); additional protection for sensitive data (28/33); deletion requirements (28/33); recourse to the courts (26/33); minimum collection (26/33); and specialist data protection agencies (25/33). The number of non-European laws has now expanded to 44, but the new laws seem to be at least as strong as those of previous decades. In addition, many existing laws are being strengthened to keep up with rising expectations of privacy protection, international agreements, and the examples set by other countries (see the Latest column in the Table). This is important, because the strength or quality of data privacy laws is rising globally, as well as their number.
39 G Greenleaf and S Rosadi, Indonesia's data protection Regulation 2012: A brief code with data breach notification (2013) (issue 122) Privacy Laws & Business International Report 24-27.
40 G Greenleaf and G Tian, China expands data protection through new 2013 guidelines (2013) (issue 122) Privacy Laws & Business International Report 1, 4-6; G Greenleaf, China's NPC Standing Committee privacy Decision: A small step, not a great leap forward (issue 121) Privacy Laws & Business International Report 1, 4-6, February 2013.
41 Laws in European countries can be assumed to exhibit generally higher standards, because of the requirements of the EU Directive, and the Additional Protocol to the CoE Convention.
42 G Greenleaf, The Influence of European Data Privacy Standards Outside Europe: Implications for Globalisation of Convention 108 (2012) 2(2) International Data Privacy Law <http://papers.ssrn.com/abstract_id=1960299>.
4 International Commitments and Recognition
International agreements concerning data protection have had a considerable influence on adoption of data privacy laws for 30 years since the drafting of both the OECD's privacy Guidelines and the Council of Europe Data Protection Convention at the outset of the 1980s.
Since then, developing in part out of the Council of Europe data protection Convention, the European Union's data protection Directive of 1995 has been the most influential international instrument; the Economic Community of West African States (ECOWAS) Supplementary Act on data protection has spurred data privacy laws in West Africa; and the Asia-Pacific Economic Cooperation's (APEC) Privacy Framework has created regular opportunities for discussion of privacy issues among some Asia-Pacific jurisdictions. To complete this global survey it is necessary to look at the penetration of both international instruments dealing with data privacy, and international associations of data protection authorities. Analysis of the substance and significance of these instruments and associations is largely beyond the scope of this article, which aims more at analysis of which countries are affected by them.
4.1 The EU and adequacy
All 28 member states of the European Union are required to have data privacy laws which implement the EU data protection Directives, and all do so (see the Table). Four additional countries have applied to join the EU, 43 and one of these (Turkey) does not yet have a data privacy law. The European Economic Area (EEA) includes the European Union member states plus Iceland, Norway and Liechtenstein, all of which have data privacy laws consistent with the Directive, resulting from the EEA Treaty. Steps to develop a Regulation to replace most aspects of the Directive, and increase the level of protection, are continuing.
43 Former Yugoslav Republic of Macedonia (FYROM); Iceland; Montenegro; Turkey. Croatia's membership dates from July 2013.
Countries or jurisdictions outside the EEA can obtain from the European Commission a decision that their laws provide an adequate level of protection of privacy, to enable free flow of personal data from EU member states to organisations in those countries. 44 As yet, the EC has only made such decisions in relation to twelve jurisdictions as a whole, a minority of which are of economic or political significance, 45 the most recent being Uruguay and New Zealand.
4.2 Council of Europe data protection Convention 108
With the recent new law in Georgia and ratification by Russia, forty-five of the forty-seven Council of Europe member states have now ratified the Council of Europe Convention 108, and have data privacy laws. Turkey has signed but not ratified the Convention and is now the only Council of Europe member state not to have enacted a data privacy law, following recent enactments by Armenia and Georgia. San Marino has not signed or ratified, but does have a law. Belarus is not a Council of Europe member because of human rights concerns, and the Vatican is not a member because it is not a democracy. The Additional Protocol (ETS 181) to the Convention also requires a commitment to data export restrictions and to an independent data protection authority, and brings the standards of the Convention up to approximately the same level as the Directive. Forty-three member states have signed the Additional Protocol (Georgia only in May 2013), and 33 have subsequently ratified it (plus Uruguay). Twelve countries that have ratified the Convention (plus three territories on whose behalf the UK acceded to the Convention) have not ratified the Additional Protocol.
Where a Council of Europe member has ratified both Convention 108 and the Additional Protocol, it is extremely unlikely as a matter of practice that data exports to that country from EU member states would be prevented, so obtaining an adequacy finding under the Directive appears to be largely irrelevant in practice. This is noted in the Table. Since 2008, the Council of Europe has made it clear that it wishes the Convention and Optional Protocol to become global agreements, and that it welcomes requests by states outside Europe with suitable data privacy laws to apply to accede to both. Uruguay was the first non-European state to be invited to do so, and in 2013 acceded to and ratified the Convention and the Additional Protocol. 46 The second globalisation invitation was also issued to Morocco. The Convention is now in a process of modernisation which, if successful, will incorporate both the existing Convention and the Optional Protocol. 47
44 See EU website for adequacy decisions <http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm>.
45 Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and Uruguay (and not Australia as a whole, despite the appearance to the contrary of the EC website).
46 G Greenleaf, Uruguay starts Convention 108's global journey with accession (2013) (issue 122) Privacy Laws & Business International Report 20-23.
An adequacy finding from the EU does not impose any reciprocal obligations on the recipient to allow free flow of personal data from it to EU countries. This obligation does arise when countries outside the EU (including other European countries) become members of the Council of Europe Convention 108. 4.3 The OECD and its Guidelines All of the 34 OECD member countries, 48 other than Turkey and the USA (in relation to the private sector), now have a data privacy law implementing the OECDs privacy Guidelines of 1981. The OECDs plans for enlargement 49
mean that more countries in future will be likely to be influenced by the OECD privacy Guidelines to adopt data privacy laws. The OECD is currently revising the Guidelines. 4.4 Regional agreements between countries The following regional groupings of countries are all relevant to the development of data privacy laws (with the exceptions of the South Asian Association for Regional Cooperation (SAARC) and the Common Market of the South (Mercado Comn del Sur) (MERCOSUR), and their memberships are therefore noted in the Tables. At present, the ECOWAS, APEC and the Association of Southeast Asian Nations (ASEAN) groupings are probably the most significant, but the development of regional data privacy agreements is likely to play a more significant role on all continents in future. Four fifths (17) of the 21 APEC member economies 50 do have data privacy laws in at least one of the two sectors (see the Table), but four do not (Brunei; Indonesia; China; and Papua New Guinea). Thailand and the USA have
47 G Greenleaf, 'Modernising Data Protection Convention 108: A Safe Basis for a Global Privacy Treaty?' (2013) 29(4) Computer Law & Security Review (forthcoming).
48 List of OECD Member Countries <http://www.oecd.org/general/listofoecdmembercountries-ratificationoftheconventionontheoecd.htm>.
49 In May 2007, OECD countries agreed to invite Chile, Estonia, Israel, Russia and Slovenia to open discussions for membership of the Organisation and offered enhanced engagement to Brazil, China, India, Indonesia and South Africa: See OECD, Members and partners (2013) <http://www.oecd.org/about/membersandpartners/>. Chile, Slovenia, Israel and Estonia have since become members.
50 See APEC Member Economies <http://www.apec.org/about-us/about-apec/member-economies.aspx>.

Journal of Law, Information and Science Vol 23(1) 2014 EAP 22

public sector only laws, and Malaysia and Vietnam have private sector only laws. Thailand has a Bill for a comprehensive law being re-drafted for its Cabinet. Expansion of APEC beyond 21 members is still possible, but unlike the EU, its membership currently seems frozen. Numerous countries have been trying to join for some time, without success. 51 APEC membership and the APEC Privacy Framework mean little more than voluntary participation in six-monthly discussions of APEC's data privacy sub-group (useful though that is). APEC's Cross-Border Privacy Rules (CBPR) does not yet have any members fully operational with an endorsed Accountability Agent, so involvement in it is not yet noted in the Table. Possibly more influential than APEC in encouraging new privacy laws is ASEAN, a 10-nation 52 treaty-based organisation which has a policy to improve its members' data protection by 2015. Singapore, the Philippines, Vietnam and Malaysia have recently enacted data protection laws, a Bill is before Cabinet in Thailand, and development of Bills is reported to be underway in ASEAN members Indonesia, Vietnam (for a stronger law), Laos and Brunei.

ASEAN countries had a decade ago made a commitment to adopt electronic commerce regulatory and legislative frameworks, including 'to take measures to promote personal data protection and consumer privacy'. 53

At the 21st ASEAN Summit on 18 November 2012, the ASEAN heads of state adopted the ASEAN Human Rights Declaration, 54 Article 21 of which states: 'Every person has the right to be free from arbitrary interference with his or her privacy, family, home or correspondence including personal data, or to attacks upon that person's honour and reputation. Every person has the right to the protection of the law against such interference or attacks.' Although based on the terminology of the Universal Declaration of Human Rights, the specific references to personal data and the right to legal protection increase the internal incentives to all ASEAN members, from both
51 In addition to India, Mongolia, Pakistan, Laos, Bangladesh, Costa Rica, Colombia, Panama and Ecuador are among a dozen countries that had sought membership in APEC by 2008: See <http://en.wikipedia.org/wiki/Asia-Pacific_Economic_Cooperation#Member_Economies>. In refusing India's application for membership, APEC decided not to admit more members until 2010, but this has not changed since.
52 ASEAN Member States: Brunei Darussalam, Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand, and Viet Nam. Timor Leste is a candidate member.
53 Clause 5(e) E-ASEAN Framework Agreement (24 November 2000) <http://www.asean.org/news/item/e-asean-framework-agreement>.
54 ASEAN Human Rights Declaration (18 December 2012) <http://www.asean.org/news/asean-statement-communiques/item/asean-human-rights-declaration>.

within ASEAN and within each country, to enact data privacy laws. However, the Declaration has come under savage criticism and outright rejection 55 from a coalition of fifty-five global and regional human rights organisations. 56 Among the criticisms are that '[i]n many of its articles, the enjoyment of rights is made subject to national laws, instead of requiring that the laws be consistent with the rights'; that it fails to include several key basic rights and fundamental freedoms, including the right to freedom of association and the right to be free from enforced disappearance; and that the rights it states are of a lower standard than those in equivalent declarations in Europe, Africa or the Americas. Consequently, the civil society organisations state that they will not invoke it in their work except to condemn it as an 'anti-human rights instrument'. The UN High Commissioner for Human Rights considered that the Declaration 'retains language that is not consistent with international standards'. 57 It is clear that both the Declaration, and the body which helped develop it, the ASEAN Intergovernmental Commission on Human Rights (AICHR) 58 established in 2009, have not yet established credibility.

Macao SAR, Nepal and India are the only Asian countries which are not APEC members but do have a data privacy law. The SAARC, of which both India and Nepal are members, does not have any policies concerning data protection laws or e-commerce harmonisation, and is not a significant influence in this area. In Africa, the strongest developments have been from the ECOWAS, a grouping of fifteen states 59 where French, Portuguese and English are variously spoken. Under the Revised Treaty of the ECOWAS they agreed in 2008 to adopt data privacy laws. A Supplementary Act on Personal Data Protection within ECOWAS to the ECOWAS Treaty, adopted by the ECOWAS member states, establishes the content required of a data privacy law in each ECOWAS member state, including the composition of a data protection authority. All requirements are influenced very strongly by the EU data
55 Human Rights Watch, 'Civil Society Denounces Adoption of Flawed ASEAN Human Rights Declaration' (19 November 2012) <http://www.hrw.org/print/news/2012/11/19/civil-society-denounces-adoption-flawed-asean-human-rights-declaration>.
56 Coordinated by Human Rights Watch and including among the international organisations the International Commission of Jurists and Article 19.
57 UN News Centre, 'UN official welcomes ASEAN commitment to human rights, but concerned over declaration wording' (19 November 2012) <http://www.un.org/apps/news/story.asp?NewsID=43536#.UgiIOVP9ogI>.
58 ASEAN Intergovernmental Commission on Human Rights website <http://aichr.org/>.
59 ECOWAS Member States: Benin, Burkina Faso, Cape Verde, the Ivory Coast, Gambia, Ghana, Guinea, Guinea Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone and Togo.

protection Directive. Five ECOWAS states have so far enacted laws (Benin, Burkina Faso, Cape Verde, Senegal and Ghana), and Bills are under elaboration or consideration in Nigeria, Niger, Ivory Coast and Mali, leaving only six yet to take any action. In some other ECOWAS member states the Supplementary Act, as an additional protocol to a treaty, may be legally binding in creating substantive rights in countries where treaties have direct effect and do not require local enactment. This appears to be the case in Niger, where a law is being developed to establish a DPA, to complement the ECOWAS treaty on data protection, which was published in the official journal in 2013. Less advanced as yet, the East African Community (EAC), a regional group of five East African countries (Kenya, Tanzania, Uganda, Rwanda and Burundi), 60 where English and French are variously spoken, has taken initiatives that encourage the member states to adopt data privacy legislation.

Such initiatives include the current discussion of a Draft Bill of Rights for the East African Community 61 which, unlike the African Charter on Human and Peoples' Rights, incorporates the right to privacy. It also includes a right of legal enforcement culminating in a right of appeal to the East African Court of Justice. Also, although not binding, the EAC adopted the EAC Framework for Cyberlaws Phases I and II in 2008 and 2011 respectively, addressing multiple cyber law issues including data protection. Kenya and Tanzania are currently considering draft bills on data protection. The Southern African Development Community (SADC) encompasses 15 countries 62 in southern and central Africa, and Indian Ocean states, four of which have data protection laws (Angola, Mauritius, Seychelles and Zimbabwe), and at least three of which have current Bills (South Africa, Tanzania and Madagascar). The South African Bill, which has already passed the lower house, can be expected to have a significant effect in prompting laws in at least the other SADC countries because of South Africa's role as the regional economic power. There has already been work done on SADC-wide data protection laws and policies, 63 as part of an EU and International Telecommunication Union (ITU) sponsored harmonisation project relevant to all regions in sub-Saharan Africa (ie SADC, EAC and ECOWAS) which has also produced a Model-law on
60 East African Community (2014) <http://www.eac.int/>; Tanzania is a member of both EAC and SADC.
61 Draft Bill of Rights for the East African Community, May 2009, Arusha, Tanzania.
62 SADC Member States: Angola, Botswana, Democratic Republic of Congo, Lesotho, Madagascar, Malawi, Mauritius, Mozambique, Namibia, Seychelles, South Africa, Swaziland, Tanzania, Zambia and Zimbabwe; See SADC website <http://www.sadc.int/>.
63 P Chetty, 'Presentation on Regional Assessment of Data Protection Law and Policy in SADC' (Workshop on the SADC Harmonized Legal Framework for Cyber Security, Gaborone, Botswana, 27 February to 3 March 2012).

data protection in 2012. 64 The African Union also prepared in 2011 a draft Cyber Convention, 65 which includes a division on data protection replicating most of the principles of the ECOWAS Supplementary Act. 66 If it proceeds it would be of great significance, because the African Union has 54 member states. In the Americas, the Organization of American States (OAS), with 35 member states (including from North and South America, and the Caribbean), has started work on data protection in recent years. The Inter-American Juridical Committee adopted several resolutions on this matter, all in an effort to address the regulation of data protection through potential international instruments as well as at the level of the legislation of some OAS member states, and of the processing of personal data by the private sector, and the General Assembly of the OAS instructed it 67 to prepare a document of principles of privacy and data protection in the Americas. 68 A set of Preliminary Principles were published by the Committee in 2011, 69 which, although brief, included cross-border transfer restrictions based on the same level of protection in the recipient jurisdiction, the recognition of habeas data principles, and the existence of an independent supervisory authority.

The OAS General Assembly has also resolved to urge member states (and its Secretariat) to participate in and support the work of the Latin American Network of Personal Data Protection (RIPD), to attend the meetings of the International Conference of data protection authorities, and to continue its work on data protection by developing a model law. 70 These resolutions are
64 J-M Van Gyseghem, Model Law on Data Protection, Support for Harmonization of ICT Policies in Sub-Sahara Africa (HIPSSA), International Telecommunications Union (ITU), 6 February 2012.
65 Economic Commission for Africa and African Union Commission, Draft African Union Convention on the Establishment of a Credible Legal Framework for Cyber Security in Africa (1 November 2011) <http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipssa/events/2011/WDOcs/CA_5/Draft%20Convention%20on%20Cyberlegislation%20in%20Africa%20Draft0.pdf>.
66 A B Makulilo, Protection of Personal Data in sub-Saharan Africa (Doctoral Dissertation, Bremen, 2012) Part 4.4.1.3: African Union Convention on Cyber Security 2011.
67 OAS General Assembly Resolution, Access to Public Information: Strengthening Democracy, AG/RES. 2514 (XXXIX-O/09) (4 June 2009).
68 OAS Department of International Law, Data Protection (2012) <http://www.oas.org/dil/data_protection_oas_work.htm>.
69 Permanent Council of the Organization of American States, Committee on Juridical and Political Affairs, Preliminary Principles and Recommendations on Personal Data, Document presented by the Department of International Law of the Secretariat for Legal Affairs, OEA/Ser.G CP/CAJP-2921/10 rev. 1 corr. 1 (17 October 2011) <http://www.oas.org/dil/CP-CAJP-2921-10_rev1_corr1_eng.pdf>.
70 OAS General Assembly Resolution, Access to Public Information and Protection of Personal Data, AG/RES. 2811 (XLIII-O/13) (6 June 2013) <http://www.oas.org/en/sla/dil/docs/AG-RES_2811_XLIII-O-13_eng.pdf>.

included within the more contentious context of development of laws for access to public sector information. 71

In the Caribbean, the Caribbean Community (CARICOM) of 15 states and five associate members 72 is developing an Economic Partnership Agreement (EPA) with the European Union as part of the 2008 Caribbean Forum of African, Caribbean and Pacific States (CARIFORUM 73)-EU EPA. Data protection is covered by the EPA and was one of the topics under discussion at EPA meetings in 2012. 74 Data protection is also part of the ITU's Caribbean Harmonization of ICT Policies (HIPCAR) capacity-building project. 75 Five countries with data protection Bills are CARICOM members or associates, and four already have data protection laws. In Latin America, the MERCOSUR common market, formed in 1991, involves 10 countries. It currently consists of Argentina, Brazil, Paraguay, Uruguay and Venezuela (since 2012). Bolivia is in the process of becoming a full member, and Chile, Colombia, Ecuador and Peru are associated states. A working group (SGT) was established in 2002 to discuss integration of e-commerce and data protection but seems to have had few results. Data protection is sometimes mentioned as a topic in ongoing negotiations for an EU-MERCOSUR Free Trade Agreement. In short, MERCOSUR has not yet proved to be significant in relation to data protection.

5 Data Protection Authorities and their Associations

Most data privacy laws include provision for a DPA, a separate institution which has some type of responsibility for the data privacy legislation,
71 See Freedom Info (FOIA advocates), 'OAS Assembly Defeats Attacks on Rapporteur' (14 June 2013) <http://www.freedominfo.org/2013/06/oas-assembly-defeats-attacks-on-special-rapporteur/>.
72 CARICOM members: Antigua and Barbuda, Bahamas, Barbados, Belize, Dominica, Dominican Republic, Grenada, Guyana, Haiti, Jamaica, St Lucia, St Vincent and the Grenadines, St Kitts and Nevis, Suriname, Trinidad and Tobago; Associate members: Anguilla; Bermuda; British Virgin Islands; Cayman Islands; Turks and Caicos Islands: See <http://www.caricom.org/jsp/community/member_states.jsp?menu=community>.
73 CARIFORUM stands for the Caribbean Forum of African, Caribbean and Pacific States, and covers the same 15 states as CARICOM.
74 CARICOM Press Release, 'CARIFORUM gears up for key EPA meeting' (24 September 2012) <http://www.caricom.org/jsp/pressreleases/press_releases_2012/pres252_12.jsp>.
75 R Wilson, 'Privacy and Personal Data Protection Bill Under Review', St Kitts & Nevis Observer (online), 30 April 2013 <http://www.thestkittsnevisobserver.com/2013/04/26/privacy-bill.html>. See also ITU, The HIPCAR Project <http://www.itu.int/net/itunews/issues/2011/07/56.aspx>.

involving some enforcement powers, and which is separate from the normal prosecutorial and judicial systems of the country.

5.1 The prevalence of DPAs

Of the 99 countries with data privacy laws, 85 have DPAs. Fourteen countries do not have a DPA, in 10 cases because their laws do not provide for any separate DPA, 76 and in four cases because no DPA has been appointed although one is provided for in law. 77 The position of the USA is complex, because its Federal Trade Commission acts in many respects as a DPA (including as a member of international associations of DPAs) even though the USA does not meet the criteria for a data privacy law in the private sector. 78 The Table includes the name of the DPA if there is one, or 'none' if the law concerned does not provide for one.

DPAs vary greatly in name (common names are Data Protection Authority, Privacy Commissioner, and Personal Data Protection Office, or combinations thereof), functions and degree of independence from other government authorities. Whether a particular DPA can be classed as independent is a complex question. 79

Various global and regional associations of DPAs or other data privacy enforcement bodies are of increasing significance. This analysis, and the Table, might not yet reflect fully the diversity of these associations, but does include most of them. Nor does it yet include the website addresses of the various DPAs, but there are other sources for those. 80 There are associations of DPAs globally (two of them), and from the EU, central and eastern Europe, Latin America, the Asia-Pacific, and the francophone countries, but none from Africa or the Caribbean as yet. The membership of most of them is incomplete from their potential pool of members, with considerable overlaps but surprising omissions, as the Table shows.
76 Countries without DPAs in their laws: Angola, Armenia, Chile, the Kyrgyz Republic, India, Japan, Paraguay, St Vincent & Grenadines, Taiwan, and Vietnam.
77 Countries that have failed to appoint DPAs: Azerbaijan, Seychelles, Cape Verde and Malaysia. The Philippines law is too recent to be included yet.
78 The Federal Trade Commission is accredited to the ICDPPC (international data protection authorities conference), and has enforcement powers for only some data privacy rules over only some parts of the US private sector, but not over the US federal public sector, where the USA has a federal data privacy law.
79 G Greenleaf, 'Independence of Data Privacy Authorities: International Standards and Asia-Pacific Experience' (2012) 28(1&2) Computer Law & Security Review.
80 For example, the dataprotection.eu site at <http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.DPAuthorities>.

5.2 Associations of DPAs - Global

The International Conference of Data Protection and Privacy Commissioners (ICDPPC) is the grouping of data protection authorities of broadest scope and greatest longevity, having held an annual conference for 35 years. As Raab points out, 'conference' is used not only to describe their annual meeting, but as a collective noun. 81 It has accreditation standards which govern which authorities can attend its closed meetings and vote on resolutions, originally quite strict but simplified and possibly weakened in 2010. 82 The ICDPPC members adopt joint policy resolutions, and their annual conference is open to all attendees (except for closed sessions) and has become the leading global data protection conference. Of the 85 countries which have data protection authorities appointed under their data privacy laws, only 59 national DPAs are accredited to ICDPPC (as shown in the Table). The ICDPPC therefore only has 70 per cent of national data protection authorities as its members.

After 35 years, this is far from global coverage. It is particularly weak in its lack of members from the Caribbean, but otherwise the gaps in membership are from all regions. However, the ICDPPC's membership also includes 33 sub-national (state, provincial etc) data protection authorities from Australia, Canada, Germany, Mexico, Spain and Switzerland, a high percentage of such authorities as exist. There are other sub-national DPAs, such as those in Mexico and Argentina. Some are also members of the Global Privacy Enforcement Network (GPEN), Asia Pacific Privacy Authorities (APPA) and other associations of DPAs. The ICDPPC therefore has a total membership of 92, plus the European Data Protection Supervisor. GPEN originated in a 2007 OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy 83 calling for the establishment of an informal network of privacy enforcement authorities. GPEN membership is open to any public privacy enforcement authority that: (1) is responsible for enforcing laws or regulations the enforcement of which has the effect of protecting personal data; and (2) has powers to conduct investigations or pursue enforcement proceedings. 84 GPEN has members from 26 jurisdictions,
81 For a history of ICDPPC, see C Raab, 'Networks for Regulation: Privacy Commissioners in a Changing World' (2011) 13(2) Journal of Comparative Policy Analysis: Research and Practice 195.
82 Greenleaf, above n 79, section 3.7.
83 OECD, Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy <http://www.oecd.org/document/60/0,3343,en_2649_34255_38771516_1_1_1_1,00.html>.
84 GPEN Action Plan (Action Plan for the Global Privacy Enforcement Network (GPEN)) adopted 15 June 2012; Part E amended 22 January 2013 at <https://www.privacyenforcement.net/public/activities>.

all of which have data privacy laws of one form or other, and most but not all of which are OECD members. There are four other members not included in the country Table: the European Data Protection Supervisor (a supra-national body), two Australian state DPAs (from Victoria and Queensland), and a German state DPA (Berlin). Competition may develop between these two global networks of DPAs, and they could develop diverging memberships, but the operation of GPEN is as yet too recent for these matters to be clear.

5.3 Associations of DPAs - Regional and sub-global

At the sub-global level, the European Union's Article 29 Working Party is the most influential organisation of DPAs, both because it has a formal role under the European data protection Directive and because of the quality and diversity of its Opinions on data privacy issues. Its membership is co-extensive with that of the EU, but is separately reflected in the Table. It may increasingly have a rival for influence in the Council of Europe data protection Convention 108 Consultative Committee (to be re-named 'Convention Committee'), as an outcome of the Convention's modernisation process. 85 However, this is technically not a committee of data protection authorities; it is one of representatives of the state parties to the Convention, although nearly half of the state representatives are DPAs. A larger and also influential body is the (Conference of) European Data Protection Authorities (EDPA) which holds a Spring Conference almost every year. Resolutions are usually passed, 86 and on Raab's analysis are significant to the development of data protection policies in Europe. 87

According to one of its member DPAs, '[o]ne of the most important tasks of the European Data Protection Authorities consists in advising the authorities involved in legislative matters on data protection issues, by pointing out the risks that legislative initiatives might entail and by proposing alternatives which would be more respectful of individuals' rights with regard to the processing of their personal data'. 88
85 Greenleaf, above n 47.
86 Resolutions since 2004 are listed on the European Data Protection Supervisor website, European Conference page <http://www.edps.europa.eu/EDPSWEB/edps/Cooperation/Eurconference>.
87 C Raab, 'Information Privacy: Networks of Regulation at the Subglobal Level' (October 2010) 1(3) Global Policy 291.
88 Office of the Information and Data Protection Commissioner, Malta, <http://idpc.gov.mt/article.aspx?art=163>.

EDPA has quite strict accreditation rules, requiring its members to operate under a law of a state implementing either Council of Europe Convention 108 or the EU data protection Directive, and having independence and appropriate functions and powers. 89 In 2013, for example, Kosovo's DPA was refused membership because Kosovo was not a member state of either the European Union or the Council of Europe, so it was made a permanent observer instead. 90 Andorra's DPA is also a permanent observer. Although in theory all member states of the Council of Europe which do have DPAs should be eligible to be accredited to the EDPA, four are not yet accredited. 91

Two Council of Europe member states have not been accredited because they do not have DPAs (Armenia and Azerbaijan). Turkey is excluded because it does not yet have a data protection law. San Marino has a law but has not signed Convention 108, nor joined any association of DPAs. Twelve sub-national DPAs in Europe from Germany, Spain and Switzerland are also accredited to EDPA, as are four supra-national authorities at EU level. EDPA therefore has a high level of coverage of European DPAs. The next largest DPA network in Europe is the Central and Eastern Europe Data Protection Authorities (CEEDPA) which has 18 members, most recently including Russia but not yet Georgia. The Baltic states and Slovenia are not members. Membership overlaps with the Article 29 Working Party, but many CEEDPA members are from countries which are not yet EU member states. It held its 15th annual meeting in 2012. It is active in mutual support activities and developing policy positions such as approval of reforms of European data protection instruments. 92 CEEDPA states have a common concern as ex-communist states dealing with historical surveillance files of personal data, and in some cases with uncertain democratic institutions. The Western European states have less need for a separate association of DPAs, because only a few of them are not EU member states. There is also an association of Nordic Data Protection Authorities (NDPA) (Sweden, Norway, Denmark and Finland) which meets every two years. It
89 Conference of European Data Protection Authorities, Report of the Accreditation Committee, Lisbon, 16-17 May 2013 <http://www.tietosuoja.fi/uploads/xpit2ond8o6_1.pdf>.
90 Ibid.
91 Portuguese National Data Protection Commission, 'Spring Conference - European authorities accredited as members', Lisbon 2013. DPAs not listed as accredited to EDPA are Georgia's DPA; Monaco's Supervisory Commission for Personal Information; Russia's Federal Service for Supervision of Communications, Information Technologies and Mass Media; and Ukraine's State Service on Personal Data Protection.
92 See CEEDPA, News and Events page <http://www.ceecprivacy.org/main.php?s=5>.

sometimes acts in concert, as it did in 2011, in sending 45 questions to Facebook concerning its practices. 93

The operation of other sub-global networks of data protection authorities is less well known, but has been well documented by Raab. 94 It is not accurate to call them regional networks, because some are based on language, some on geography, and some a mix between the two. The British, Irish and Islands Data Protection Authorities (BIIDPA), an Anglophone grouping within Europe, usually meets annually. As Raab describes it, '[l]ess formal connections exist in another, and apparently looser, network that links the DPAs for the United Kingdom, the Republic of Ireland, the Isle of Man (IOM), Jersey and Guernsey, with further connections to Malta, Cyprus and Gibraltar'. He considers that these meetings help the Crown Dependency authorities, who do not sit on WP29, to keep abreast of current issues discussed there. 95

The Association of Francophone Data Protection Authorities (AFAPDP) is an active organisation which is influential in francophone countries which have not yet adopted data protection laws. It classifies 41 of the 77 members and observers of the International Organisation of the Francophonie (OIF) as having a data protection law. Of those 41, only 18 are members of AFAPDP, including two Canadian provinces. 96 Only those member countries with DPAs are allowed to vote on issues or for election to positions. Some states intending to develop data protection laws are also members of the association but with no voting rights. In 2009, AFAPDP recommended an initiative for a binding global data protection instrument. AFAPDP aims to develop other policy positions and further agreements. 97 The summit of the Heads of States and governments of the francophone countries encouraged adoption of comprehensive data protection laws and DPAs in 2004 and 2006. The membership of La Red Iberoamericana de Protección de Datos, also called the Red Iberoamericana or Latin American Network (RIPD or RedIPD), 98 consists of all the Latin American countries, plus Spain and
93 Norwegian Data Inspectorate, 'What happens with personal information in Facebook?', July 2011.
94 Raab, above n 87; and Raab, above n 81.
95 Raab, above n 87, 296.
96 One reason is that many of the non-participating DPAs are from European countries which do not have staff speaking French, while all the eligible non-European countries with data privacy laws (and some with Bills) are members.
97 For example, there has been work, as yet incomplete, on a framework for international data transfers between French-speaking countries, using an approach related to Binding Corporate Rules (BCRs).
98 RedIPD website, list of members <http://www.redipd.org/la_red/Miembros/index-iden-idphp.php>.

Portugal. It does not include the other Spanish or Portuguese-speaking countries outside Latin America. It includes in its membership all countries within its community that wish to be a member, irrespective of whether they have yet adopted data privacy laws or have DPAs, so it does not have accreditation requirements equivalent to the ICDPPC or APPA. Its annual conferences pass resolutions concerning data protection, encouraging and assisting other Latin American countries that do not yet have data protection agreements to enact them, and to include independent DPAs. 99

APPA, a forum of national and sub-national DPAs, originally only allowed as members those authorities that have been accredited to the International Data Protection Commissioners Conference, 100 so the Macao DPA was only an observer at its meetings due to its incomplete legislative basis. APPA has now relaxed its standards somewhat. 101 It now has 16 members from Australia (federal and four states/territories), Canada (federal and British Columbia), Hong Kong SAR, South Korea (two authorities), Macau SAR, Mexico, Colombia, Peru, New Zealand and the USA. Neither Japan nor Taiwan is a member, due to (at least) lack of a DPA. Singapore will probably join soon, but it is questionable whether Malaysia will have a DPA to qualify, and the Philippines DPA has not been appointed yet. It meets twice per year and has had a primary function of sharing experiences, but has also developed valuable standards on reporting and citing privacy decisions. APPA is expanding its membership (particularly in Latin America) and functions and will probably be more significant in future. It has a considerable and increasing personnel overlap with the APEC data privacy Sub-group, though that is technically a grouping of countries ('economies' in APEC-speak) whereas APPA is a grouping of DPAs. There is also a framework for regional cooperation called the APEC Cross-border Privacy Enforcement Arrangement (CPEA) in which '[a]ny Privacy Enforcement Authority (PE Authority) in an APEC economy may participate in cross-border co-operation, enforcement and information sharing'. 102 It has as members data protection authorities from only six of the 17 APEC economies which have data privacy laws (Australia, NZ, USA, Canada, Hong Kong and Mexico), plus government departments from Korea (but not their independent DPAs) and Japan. The separate membership of 15 Japanese government agencies indicates the lack of much central coordination in their
99 Raab, above n 87, 297-8. 100 Ibid 296-7. 101 Members can be accredited to the International Conference of Data Protection and Privacy Commissioners (ICDPPC); or a participant in the APEC Cross-border Privacy Enforcement Arrangement (CPEA); or a member of the OECD Global Privacy Enforcement Network (GPEN): See APPA website <http://www.appaforum.org/about/>. 102 APEC CPEA website <http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx>.
law. APEC CPEA therefore has membership from relatively few APEC countries. Although three Caribbean countries now have data protection authorities, they do not have any regional organisation as yet, and nor are they members of ICDPPC or GPEN. There is also no pan-African association of DPAs, despite there now being eight DPAs in African countries, although only some are operating in practice. Active regional associations of DPAs seem to be an indicator of maturity of data protection regulation in a region, partly because of the mutual support they provide for each other.
6 The Future Global Trajectory of Data Privacy Laws
This article and the following Tables don't constitute 'big data', but at least they are more data about global trends in enactment of data privacy laws, and the interlocking memberships of associations of DPAs, than was previously available. Now that we have this more accurate picture, further research becomes possible. It has already made possible an assessment of the influence of European privacy standards on legislative developments outside Europe. 103
Further research is required on such questions as the implications of the increasingly interlocking data export restrictions in this legislation; 104 on the effectiveness of the enforcement regimes in various countries; on the extent of judicial interpretation of these laws; and on other comparative aspects of data privacy laws. All of this requires an accurate account of the incidence, growth and distribution of the world's data privacy laws. Some conclusions seem apparent from the data. The expansion of data privacy laws embodying at least a minimum set of OECD/CoE data protection principles continues to accelerate after 40 years. By the 50th
anniversary in 2023 of the first such Act in Sweden we can expect that there will be global saturation of data privacy laws, in the sense that about 70 per cent of all independent jurisdictions will have such laws, including almost all of the economically significant countries on the globe (with the USA probably the only significant exception). The majority of countries globally will have such laws within another year or two, and there will be more non-European countries than European countries with data privacy laws from that point onward. A large portion of these countries will have laws influenced strongly by European standards similar to those of the current EU privacy Directive, including its data export restrictions. The globalisation of Council of Europe Convention 108 is increasing its reach and influence, and is likely to compete with APEC's as-yet-inchoate CBPR process for influence outside Europe. These widely dispersed laws and expanding international agreements build up a considerable global legal inertia which it will be difficult to reverse or
103 Greenleaf, above n 42. 104 See for a recent analysis C Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press, May 2013).
(eventually) to ignore. Associations of data protection authorities are also likely to increase in importance as venues for contesting influence. These are geo-political facts of considerable significance. There may come a time when the development of technologies and business practices inimical to data privacy will be confronted by these embedded and expanding legal developments more directly than is currently the case.
6.1 Is there now a trajectory?
In 2006, Bennett and Raab, in what is still the most systematic global review of data privacy regulation, presented their main research question as whether there was a race to the bottom, a race to the top, or something else, in the global development of data privacy protection. 105 They correctly caution that the existence and formal strength of a data privacy law is only one factor by which we should measure data privacy protection in a country, and two other key dimensions are the effectiveness of enforcement and the extent of surveillance. Therefore, globally, there is more than one race to the top or bottom. They noted that, in relation to legislation, the main conditions proposed by globalisation theories of regulation for a race to the bottom (data mobility and wide national divergences in laws) were present in the case of data protection legislation. 106 Nevertheless, they found that there is clearly no race to the bottom, but nor did they find clear evidence of a race to the top, or global ratcheting up of privacy standards. In particular, they considered that the general suspicion that the APEC Privacy Principles are intended as an alternative, and a weaker, global standard than the EU (which suspicion was shared by the author) means that they may serve to slow and even reverse the otherwise halting and meandering walk to higher standards which the EU Directive had inspired. 107 They concluded that the most plausible future scenario (which I have described as the Bennett-Raab thesis 108 ) was an incoherent and fragmented patchwork, a more chaotic future of periodic and unpredictable victories for the privacy value. 109 So they found some upward global trajectory influenced significantly by the EU Directive, but sufficiently weak in the mid-2000s that the countervailing weakness of the APEC approach was enough to make the future quite unpredictable. The position in 2013 is very different. 
Their thesis may have been in part based on an under-estimate of the number of data privacy laws outside Europe before 2006 (18, not 12), but even if this is not so, events have overtaken it. Now there are almost as many laws outside Europe (44) as there
105 Bennett and Raab, above n 11, xv. 106 Ibid 276. 107 Ibid 283. 108 G Greenleaf, above n 2. 109 Bennett and Raab, above n 11, 295.
are within Europe (52), and the rate of increase outside Europe is still accelerating. At some point the growth curve of the number of laws may flatten, but there is no sign of that as yet. Bennett and Raab saw APEC as slowing the growth of EU-like privacy laws, but that has been shown not to be occurring, with laws outside Europe showing a very high correlation with European principles, and little sign of this diminishing in new laws. 110 They did not sufficiently recognise this aspect of consistency in global data privacy laws, which removes some of the incoherence they claimed exists, though this consistency was not as apparent back in 2006. Furthermore, the number of European-like data privacy laws outside and inside Europe (only half within the EU) is not only evidence of the momentum of these developments, but also that the sheer inertia provided by a hundred or more countries with data privacy laws is a global fact of life which it will be difficult for anyone to reverse, including the USA. It is possible that APEC's Cross-Border Privacy Rules (CBPR), although still not operative, might become an influence, but both a revised EU Directive (as a Regulation) and a revitalised Council of Europe Convention (through globalisation which has started, and modernisation which is well underway) are likely to prove to be attractive forces that APEC CBPR will find difficult to match. Seven years after Bennett and Raab wrote, there is now much clearer evidence of upward global trajectory than they found, provided we keep clear that we are only talking about the existence and formal strength of data privacy laws, not the other factors.
6.2 American exceptionalism and increasing isolation
The USA has many privacy laws in both its private and public sectors and some effective enforcement, but no comprehensive privacy law in the private sector, nor it seems much prospect of one despite the Obama Administration's Consumer Privacy Bill of Rights initiative. 111 Even though the US has many laws, they rarely meet the requirements set out in this article for a data privacy law, particularly the finality requirements limiting use and disclosure, and often not the requirements for limits on data collection. This is not surprising, because US corporations are the world's leading commercial exploiters of personal data. That's why the history and geography of data protection laws set out in this article is important. US corporations and the US government have been able to use their economic and political power to use personal data as they wish until now with very few adverse consequences. Developments such as cloud computing, social networking and big data analytics seem conducive to that continuing. But the international legal environment for their continuing to do so is slowly becoming more hostile and complex to navigate, as more and more countries
110 Greenleaf, above n 42. 111 Greenleaf and Waters, above n 30.
adopt or strengthen data privacy laws. Which approach will win remains to be seen, but the game is not over yet.
6.3 And what about that 101st law?
Dear reader, I hear you say that 99 is not 100, let alone 101, so you have been enticed to read to the end of a long and dreary article on a false promise, about which you have a mind to inform the Federal Trade Commission. But we know there are many data privacy Bills lingering around the world's legislatures waiting to be enacted, and there may be others of which we are unaware. There are still some public sector RTI/FOI laws in languages other than English where more detailed inspection could reveal a hidden data privacy law. Perhaps there is even another country or independent jurisdiction that has quietly passed a comprehensive law that no-one has noticed. Sheherezade needs to brush up her linguistic skills (often just a refresher course), and to ask the genie in the Internet to search for unknown laws from even further-away lands. Or perhaps she just needs to read tomorrow's news. But she promises to come back very soon to finish the story
Postscript 1 September 2013
A few weeks passed, and the genie in the Internet 112 did deliver the awaited news of the 100th law, and wouldn't you know it was from a very surprising place almost under Sheherezade's nose, the dismal dictatorship of Kazakhstan. 113 However, the law did meet all of the formal requirements of a data privacy law, and so had to be counted, 114 which goes to illustrate that a law on the books is not to be confused with effective privacy protection. The 101st law arrived soon thereafter, from a more expected and significant direction, when both houses of South Africa's Parliament passed its long-anticipated Protection of Personal Information Bill, which now awaits signature by President Zuma. 115
112 In this case, and the 101st, the genie in question was David Banisar of Article 19, to whom thanks. 113 Law on personal data and their protection, 21 May 2013, in effect from 26 November 2013. 114 G Greenleaf, 'Kazakhstan enacts Central Asia's second data privacy law' (August 2013) (issue 124) Privacy Laws & Business International Report 23-24. 115 Parliament of South Africa, Press Release 'Protection of Personal Information Bill Approved' 22 August 2013 <http://www.parliament.gov.za/live/content-mobi.php?C_Item_ID=3919&Item_ID=3534>.
Global Table of Countries with Data Privacy Laws (as known at 1 June 2013)
Jurisdiction Key Act From 1 Latest 2 Region 3 Sec 4 EU 5 CoE 6 Other Int. 7 DPA 8 DPAA 9
1 From column: Year = date original data privacy law enacted, for either private or public sector; might not be date of current law.
2 Latest column: Year = date of last significant amendment known; NYIF = not yet in force; NIFU = not in force until year stated, where bringing into force is delayed over one year.
3 Region column: Europe (EU) = current European Union member states; Europe (O) = other European states (including EEA); others are self-explanatory.
4 Sector column: Pri = covers private sector only; Pub = covers public sector only; blank = covers both sectors.
5 European Union column: M = country is an EU member state; AQ = country's protection of personal data has been held adequate by the EU; [A] = Favourable Article 29 Working Party opinion on adequacy, but no final decision announced; EEA = country is a member of the European Economic Area; [I] = Adequacy finding is in practice irrelevant due to country acceding to both Council of Europe Convention 108 and Additional Protocol.
6 Council of Europe column: (Member means Member State of the Council of Europe) RC = Member and has ratified the Convention; RC* = United Kingdom has ratified Convention on behalf of sub-jurisdiction; SC = Member and has signed but not ratified Convention; RP = has also ratified the optional protocol; SP = Member and has signed but not ratified Additional Protocol; NS = Member but has not signed Convention; [IA] = not a Member but has been invited to accede to the Convention; AC = not a Member but has acceded to the Convention.
7 Other international commitments column: APEC = economy is a member of APEC (Asia Pacific Economic Cooperation); OECD = country is a member of OECD; ASEAN = country is a member of Association of South East Asian Nations; ECOWAS = country is a member of Economic Community of West African States; EAC = country is a member of the East African Community; SADC = country is a member of the Southern African Development Community; CARICOM = country is a member of the Caribbean Community (add (Assoc) for Associate members).
8 DPA column: None = no specialised data protection authority (plus name of authority if enacted but not yet appointed one year after enactment).
9 DPAA column: (inclusion = DPA is a member of the named association of data protection authorities; except O = Observer status only): ICDPPC = International Conference of Data Protection and Privacy Commissioners; A29WP = EU Article 29 Working Party; GPEN = Global Privacy Enforcement Network; AFAPDP = Association of Francophone Data Protection Authorities; APPA = Asia-Pacific Privacy Authorities; RedIPD = Latin American Network; CEEDPA = Central and Eastern Europe Data Protection Authorities; NDPA = Nordic Data Protection Authorities; EDPA = European Data Protection Authorities; BIIDPA = British, Irish and Islands Data Protection Authorities; APEC CPEA = APEC Cross-border Privacy Enforcement Arrangement.
Albania Act on the Protection of Personal Data 1999 1999 Europe (O) Both [I] RC; RP Office for Personal Data Protection ICDPPC; EDPA; AFAPDP
Andorra Law on the protection of personal data 2003 2003 Europe (O) Both AQ RC; RP Data Protection Agency ICDPPC; EDPA (O); RedIPD; AFAPDP
Angola Lei da Protecção de Dados Pessoais 2011 2011 Africa Both SADC None (Agência da Protecção de Dados not yet established)
Argentina Personal Data Protection Act 2000 2000 Latin Am Both AQ National Direction for Personal Data Protection ICDPPC; RedIPD
Armenia Law on Personal Data 2002 Europe (O) Both [I] RC; RP None
Australia Privacy Act 1988 1988 2001 Australasia Both APEC; OECD Information Commissioner ICDPPC; APPA; GPEN; APEC CPEA
Austria Datenschutzgesetz 1978 2009 Europe (EU) Both M RC; RP OECD Data Protection Commissioner ICDPPC; EDPA; A29WP
Azerbaijan Law on personal data 2010 (replaces 1998 Act) 1998 2010 Europe (O) Both RC None (Ministry of Communications and Information Technologies administers Register)
Bahamas Data Protection (Privacy of Information) Act 2003 2003 Caribbean Both CARICOM Data Protection Commissioner
Belgium Law on Privacy Protection in relation to the Processing of Personal Data 1992 2011 Europe (EU) Both M RC; SP OECD Privacy Commission ICDPPC; EDPA; A29WP; GPEN; AFAPDP
Benin Loi Portant Protection des Données à Caractère Personnel 2009 2009 Africa Both ECOWAS Commission nationale de l'informatique et des libertés AFAPDP
Bosnia & Herzegovina Law on the protection of personal data 2001 2001 Europe (O) Both [I] RC; RP Personal Data Protection Agency ICDPPC; EDPA; CEEDPA
Bulgaria Law for Protection of Personal Data 2002 2007 Europe (EU) Both M RC; RP Commission for Personal Data Protection ICDPPC; EDPA; A29WP; CEEDPA; GPEN
Burkina Faso Loi Portant Protection des Données à Caractère Personnel 2004 2004 Africa Both ECOWAS Commission for Informatics and Liberties ICDPPC; AFAPDP
Canada Personal Information Protection and Electronic Documents Act 1983 (prior Act) 2002 North Am Both AQ APEC; OECD Privacy Commissioner ICDPPC; APPA; GPEN; APEC CPEA; AFAPDP
Cape Verde Regime Jurídico Geral de Protecção de Dados Pessoais a Pessoas Singulares 2001 2001 Africa Both ECOWAS None (Parliamentary Commission for the Monitoring of Personal Data not yet appointed)
Chile Privacy Law 1999 1999 Latin Am Both APEC; OECD None
Colombia Data Protection Law 2008 2012 Latin Am Both Superintendence of Industry and Commerce ICDPPC; RedIPD; APPA
Costa Rica Protección de la Persona frente al tratamiento de sus datos personales 2011 2011 Latin Am Both Agency for the Protection of Personal Data of Inhabitants ICDPPC; RedIPD
Croatia Act on Personal Data Protection 2003 2003 Europe (EU) Both M RC; RP Data Protection Agency ICDPPC; EDPA; A29WP; CEEDPA
Cyprus The Processing of Personal Data (Protection of the Individual) Law 2001 2003 Europe (EU) Both M RC; RP Personal Data Protection Commissioner ICDPPC; EDPA; A29WP; BIIDPA
Czech Republic Personal Data Protection Act 1992 2000 Europe (EU) Both M RC; RP OECD; GPEN Office for Personal Data ICDPPC; EDPA; A29WP; CEEDPA; AFAPDP
Denmark Act on Processing of Personal Data 1978 2000 Europe (EU) Both M RC; SP OECD Data Protection Agency ICDPPC; EDPA; A29WP; NDPA
Dubai IFC Data Protection Law (IFC = International Financial Centre) 2007 N.Af/M.East Pri Commissioner of Data Protection
Estonia Data Protection Act 2003 2003 Europe (EU) Both M RC; RP OECD Data Protection Inspectorate ICDPPC; EDPA; A29WP; GPEN
Faroe Islands Act on processing of personal data 2010 2010 Europe (O) Both AQ Data Protection Agency
Finland Personal Data Act 1987 2000 Europe (EU) Both M RC; RP OECD Data Protection Ombudsman ICDPPC; EDPA; A29WP; NDPA
France Law relating to the protection of individuals against the processing of personal data 1978 2004 Europe (EU) Both M RC; RP OECD National Commission for Informatics and Liberties ICDPPC; EDPA; A29WP; GPEN; AFAPDP
Gabon Law related to personal data 2011 2011 Africa Both Commissariat à la protection des données personnelles AFAPDP
Georgia Law on Personal Data Protection 2012 Europe (O) Both RC; SP Data Protection Commissioner
Germany Federal Data Protection Act 1977 2009 Europe (EU) Both M RC; RP OECD Federal Data Protection Commission ICDPPC; EDPA; A29WP; GPEN
Ghana Data Protection Act 2012 Africa Both ECOWAS Commission on Human Rights and Administrative Justice
Gibraltar Data Protection Act 2004 2004 Europe (O) Both Data Protection Commissioner BIIDPA
Greece Law on the Protection of individuals with regard to the processing of personal data 1997 1997 Europe (EU) Both M RC; SP OECD Data Protection Authority ICDPPC; EDPA; A29WP; AFAPDP
Greenland (Danish) Public and Private Registers Acts 1979 1979 Europe (O) Both [(Danish) Data Protection Agency (Registertilsynet)]
Guernsey Data Protection (Bailiwick of Guernsey) Law 1986 2001 Europe (O) Both AQ RC* GPEN Data Protection Commissioner BIIDPA; EDPA
Hong Kong SAR Personal Data (Privacy) Ordinance 1995 1995 Asia Both APEC Privacy Commissioner for Personal Data ICDPPC; APPA; APEC CPEA
Hungary Act on Informational Self-Determination and Freedom of Information 1992 1992 Europe (EU) Both M RC; RP OECD National Authority for Data Protection and Freedom of Information ICDPPC; EDPA; A29WP; CEEDPA
Iceland Law on the Protection and Processing of Personal Data 1989 2000 Europe (O) Both EEA RC; SP OECD Data Protection Agency ICDPPC; EDPA
India Rules under s43A (2008 Amendt), Information Technology Act 2000 2011 2011 Asia Pri None
Ireland Data Protection Act 1988 2003 Europe (EU) Both M RC; RP OECD Data Protection Commissioner ICDPPC; EDPA; A29WP; GPEN; BIIDPA
Isle of Man Data Protection Act 1986 2002 Europe (O) Both AQ RC* Data Protection Registrar BIIDPA; EDPA
Israel Privacy Protection Act 1981 1981 1981 N.Af/M.East Both AQ OECD Law, Information and Technology Authority ICDPPC; GPEN
Italy Consolidation Act regarding the Protection of Personal Data 1996 2003 Europe (EU) Both M RC; SP OECD Data Protection Authority ICDPPC; EDPA; A29WP; GPEN
Japan Act on the Protection of Personal Information 2003 2003 Asia Both APEC; OECD None
Jersey Data Protection (Jersey) Law 1987 2005 Europe (O) Both AQ RC* Data Protection Registrar ICDPPC; EDPA; BIIDPA
Kosovo Law on the Protection of Personal Data 2010 2010 Europe (O) Both National Agency for the Protection of Personal Data EDPA (O)
Kyrgyz Republic Law on Personal Data 2008 2008 Central Asia Both None
Latvia Law on Protection of Personal Data of Natural Persons 2000 2002 Europe (EU) Both M RC; RP State Data Protection Inspectorate ICDPPC; EDPA; A29WP; CEEDPA; GPEN
Liechtenstein Gesetz über die Abänderung des Datenschutzgesetzes (2002) 2002 2008 Europe (O) Both EEA RC; RP Data Protection Commissioner ICDPPC; EDPA
Lithuania Law on Legal Protection of Personal Data 1996 2003 Europe (EU) Both M RC; RP State Data Protection Inspectorate ICDPPC; EDPA; A29WP
Luxembourg Data Protection Law 1979 2002 Europe (EU) Both M RC; RP OECD National Data Protection Commission ICDPPC; EDPA; A29WP; AFAPDP
Macao SAR Personal Data Protection Act 2006 2006 Asia Both Office for Personal Data Protection APPA; GPEN
Macedonia (FYROM) Law on Personal Data Protection 2005 2005 Europe (O) Both [I] RC; RP Directorate of Personal Data Protection ICDPPC; EDPA; CEEDPA
Malaysia Personal Data Protection Act 2010 NIFU 2013 Asia Pri APEC; ASEAN None (Personal Data Protection Commissioner in Act not appointed)
Malta Data Protection Act 2001 2001 Europe (EU) Both M RC Data Protection Commissioner ICDPPC; EDPA; A29WP; BIIDPA
Mauritius Data Protection Act 2004 2004 Africa Both SADC Commissariat à la protection des données personnelles AFAPDP
Mexico Federal Law on the Protection of Personal Data Held by Private Parties 2010 2010 Latin Am Both APEC; OECD Federal Institute for Access to Information and Data Protection ICDPPC; APPA; GPEN; APEC CPEA; RedIPD
Moldova Law on Personal Data Protection 2007 2007 Europe (O) Both [I] RC; RP National Center for Personal Data Protection ICDPPC; EDPA; AFAPDP; CEEDPA
Monaco Act controlling personal data processing 1993 2001 Europe (O) Both [I] RC; RP Supervisory Commission for Personal Information AFAPDP
Montenegro Law on Personal Data Protection 2008 2008 Europe (O) Both [I] RC; RP Agencija za zaštitu ličnih podataka i slobodan pristup informacija EDPA; CEEDPA
Morocco Loi relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel 2009 2009 N.Af/M.East Both [IA] National Commission for the Control and the Protection of Personal Data AFAPDP
Nepal Right to Information Act 2007 2007 Asia Pub National Information Commission
Netherlands Personal Data Protection Act 1988 2000 Europe (EU) Both M RC; RP OECD Data Protection Authority ICDPPC; EDPA; A29WP; GPEN
New Zealand Privacy Act 1993 1993 2010 Australasia Both AQ APEC; OECD Privacy Commissioner ICDPPC; GPEN; APPA; APEC CPEA
Nicaragua Law on Protection of Personal Data 2012 Latin Am Directorate for the Protection of Personal Information RedIPD
Norway Personal Data Act 1978 2000 Europe (O) Both EEA RC; SP OECD Data Inspectorate ICDPPC; EDPA; GPEN; NDPA
Paraguay Law 1682 on Information of a Private Nature 2002 Latin Am Both None RedIPD (O)
Peru Law on Protection of Personal Data 2011 2011 Latin Am Both APEC; US FTA National Authority for Data Protection ICDPPC; RedIPD; APPA
Philippines Data Privacy Act 2012 Asia APEC; ASEAN National Privacy Commission
Poland Act on the Protection of Personal Data 1997 2004 Europe (EU) Both M RC; RP OECD Inspector General for Personal Data Protection ICDPPC; EDPA; A29WP; CEEDPA; GPEN
Portugal Lei da Protecção de Dados Pessoais 1991 1998 Europe (EU) Both M RC; RP OECD National Data Protection Commission ICDPPC; A29WP; EDPA; RedIPD
Qatar FC Data Protection Regulations (FC = Financial Centre) 2005 2005 N.Af/M.East Pri QFC Authority
Romania Law on the protection of individuals with regard to the processing of personal data etc 2001 2005 Europe (EU) Both M RC; RP National Supervisory Authority for Personal Data Protection ICDPPC; EDPA; A29WP; CEEDPA
Russia Federal Law Regarding Personal Data 2006 NIFU 2011 Europe (O) Both [I] RC; SP APEC Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor) CEEDPA
San Marino Law regulating the Computerized Collection of Personal Data 1983 1995 Europe (O) Both NS Guarantor for the Protection of Confidential and Personal Data
Senegal Loi sur la Protection des Données à Caractère Personnel 2008 2008 Africa Both ECOWAS Commission des données personnelles AFAPDP
Serbia Law on Personal Data Protection 2008 2008 Europe (O) Both [I] RC; RP Commissioner for Information of Public Importance and Personal Data Protection ICDPPC; EDPA; CEEDPA
Seychelles Data Protection Act 2003 NYIF 2003 Africa Both SADC None (DPA in Act not established)
Singapore Personal Data Protection Act 2012 Asia APEC; ASEAN Personal Data Protection Commission
Slovakia Act on the Protection of Personal Data 1992 2013 Europe (EU) Both M RC; RP OECD Inspection Unit for the Protection of Personal Data ICDPPC; EDPA; A29WP; CEEDPA
Slovenia Personal Data Protection Act 1990 2004 Europe (EU) Both M RC OECD Information Commissioner ICDPPC; EDPA; A29WP; GPEN
South Korea Data Protection Act 1994 2011 Asia Both APEC; OECD Personal Information Protection Commission & Korea Information Security Agency ICDPPC; APPA; GPEN; APEC CPEA
Spain Ley Orgánica de Protección de Datos de Carácter Personal 1992 1999 Europe (EU) Both M RC; RP OECD Data Protection Commissioner ICDPPC; EDPA; A29WP; GPEN; RedIPD
St Lucia Data Protection Act 2011 2011 NYIF Caribbean Both CARICOM Data Protection Commissioner
St Vincent & Grenadines Privacy Act 2003 NYIF Caribbean Pub CARICOM None
Sweden Personal Data Act 1973 1998 Europe (EU) Both M RC; RP OECD Data Inspection Board ICDPPC; EDPA; A29WP; NDPA
Switzerland Data Protection Act 1992 2006 Europe (O) Both AQ RC; RP OECD Federal Data Protection Commission ICDPPC; EDPA; GPEN; AFAPDP
Taiwan Personal Data Protection Act 1995 2010 Asia Both APEC None
Thailand Official Information Act 1997 1997 1997 Asia Pub APEC; ASEAN Official Information Commission
Trinidad & Tobago Data Protection Act 2011 2011 Caribbean Both CARICOM Data Protection Commissioner
Tunisia Loi portant sur la protection des données à caractère personnel 2004 2004 N.Af/M.East Both National Authority for the Protection of Personal Data AFAPDP
Ukraine Law on Personal Data Protection 2011 2012 Europe (O) Both [I] RC; RP The State Service on Personal Data Protection CEEDPA; GPEN
United Kingdom Data Protection Act 1998 1984 2000 Europe (EU) Both M RC; SP OECD Information Commissioner ICDPPC; EDPA; A29WP; GPEN; BIIDPA
United States Privacy Act of 1974 1974 North Am Pub OECD; APEC Federal Trade Commission ICDPPC; GPEN; APPA; APEC CPEA
Uruguay Law on the Protection of Personal Data 2008 2008 Latin Am Both AQ AC; RC; RP Regulatory and Control Unit of Personal Data ICDPPC; RedIPD
Vietnam Law on Protection of Consumers' Rights 2010 2010 Asia Pri APEC; ASEAN None
Yemen Law of the Right of Access to Information 2012 N.Af/M.East Pub Commissioner-General of the Information
Zimbabwe Access to Information and Protection of Privacy Act 2002 2002 Africa Pub SADC Media and Information Commission
* The data in the Tables and article are as at 1 June 2013. Note: since completion of the Tables, two more countries have enacted data privacy laws, Kazakhstan and South Africa. These are not included in the Table of laws, but are noted in the Postscript to the article (1 September 2013).
** These Tables have benefitted from information and advice received from David Banisar of Article 19 in relation to all countries; from Marie Georges (Planete Informatique et Liberties, Paris) in relation to French-speaking countries; from Magda Cocco, Isabel Ornelas and Inês Antas Barros (Vieira de Almeida & Associados, Lisbon) in relation to Portuguese-speaking countries; Dr Alex Boniface Makulilo in relation to African countries; Pablo Palazzi (Allende & Brea, Argentina) in relation to Latin American countries; Sophie Kwasny (Council of Europe) in relation to Council of Europe Convention 108; Rob Kenigsberg (Nymity) in relation to Latin America and the Caribbean; Hannah McCausland (UK Information Commissioner's Office) and Clara Guerra (Portugal's Data Protection Commission), in relation to European data protection authorities; Blair Stewart (Office of the New Zealand Privacy Commissioner) in relation to data protection authorities; and Stewart Dresner and Laura Linkomies (Privacy Laws & Business) in relation to all countries. All errors and omissions remain the responsibility of the author.
Global Table of Official Data Privacy Bills
Table of Bills (and official draft Bills) for new Acts (as known at 1 June 2013)
Jurisdiction Title of Bill/Draft From 10 Current? Region Sec CoE Other Int.
10 From: Date of latest known Bill before legislature or official draft Bill or announced government plans to draft Bill.
Antigua & Barbuda Data Protection Act 2013 Announced to be introduced to Parliament January 2013 Caribbean CARICOM
Barbados Data Protection Bill 2005 Draft law; no current progress known Caribbean Both CARICOM
Brazil Protection of Personal Data Bill 2011 Bill under review by the Ministry of Justice Latin Am Both
Cayman Islands Data Protection Bill 2012 Data Protection Working Group started official two month consultation 02/09/2012 Caribbean Both CARICOM (Assoc)
Dominica Privacy and Data Protection Bill 2007 Draft law; no current progress known Caribbean Both CARICOM
Dominican Republic Law on Protection of Personal Data 2013 Approved by Senate 29/04/13; awaits House approval Caribbean Both CARICOM
Falkland Islands Data Protection Ordinance 2012 Legislative Assembly resolved 2012 that new law was needed (to replace Data Protection Ordinance 1995, never brought into force); government agreed Latin Am
Grenada Privacy and Data Protection Bill 2012 Government statement of intent to legislate 2012, as part of ICT reforms Caribbean Both CARICOM (Assoc)
Ivory Coast No current progress known Africa Both ECOWAS
Jamaica Data Protection Bill 2012 Government announcement of intent August 2012 Caribbean Both CARICOM
Kenya Data Protection Bill 2012 Commission for Implementation of the Constitution (CIC) seeking submissions, January 2012; draft Bill forwarded to Attorney General for publication Africa Both EAC
Madagascar Data Protection Bill 2008 Draft under current review led by Justice Ministry Africa Both SADC
Mali Data Protection Bill 2011 Draft; no current progress known Africa Both ECOWAS
Niger Law to establish a DPA (to complement ECOWAS treaty on data protection) 2013 Draft law development led by Telecom Ministry Africa Both ECOWAS
Nigeria Data Protection Bill 2010 Bill tabled in Parliament 2010; no recent progress Africa Both ECOWAS
Qatar Personal Information Privacy Protection Law 2012 Supreme Council of ICT (ICT Qatar) was reviewing its draft law January 2012 ME/N.Af
Saint Kitts and Nevis Privacy and Data Protection Bill 2012 Government draft Bill under review by stakeholders, April 2013 Caribbean Both CARICOM
South Africa Protection of Personal Information Bill 2009 Bill passed by National Assembly; National Council of Provinces hearing Select Committee in 06/13 Africa Both SADC
Tanzania Data Protection Bill 2013 Draft law; undergoing internal review and stakeholder consultations, May 2013 Africa EAC; SADC
Thailand Personal Data Protection Bill 2011 Bill before Cabinet mid-2012; new private sector law to add to existing public sector law Asia Pri APEC; ASEAN
Turkey Law on the Protection of Personal Data 2003 Draft law; no current progress known Europe (O) Both SC OECD