Global Data Privacy Laws: Forty Years of Acceleration
University of New South Wales, Faculty of Law
October 10, 2011
Privacy Laws and Business International Report, No. 112, pp. 11-17, September 2011
UNSW Law Research Paper No. 2011-36
It is almost forty years since Sweden’s Data Act 1973 was the first comprehensive national data privacy law, and the first to implement what we can now recognize as a basic set of data protection principles. This article surveys the forty years since then of global development of data privacy laws to mid-2011. How many countries now have data privacy (‘data protection’) laws that at least cover most of their private sector and include privacy principles meeting or exceeding the minimum standards of international data protection and privacy agreements? As of mid-2011there are now seventy six such countries (or otherwise independent legal jurisdictions), as identified in this article for the first time. A Table lists all such countries and their main data privacy laws, when first enacted and most recent versions, and the international commitments of each country, or the international recognition their laws have received.
The picture that emerges is that data privacy laws are spreading globally, and their number and geographical diversity accelerating since 2000. There are some surprising inclusions, and some illuminating trends in the expansion of these laws. The total number of new data privacy laws globally, viewed by decade, shows that their growth is accelerating, not merely expanding linearly: 7 (1970s), 10 (1980s), 19 (1990s), 32 (2000s) and 8 (1.5 years of 2010s), giving the total of 76. In the first 18 months of this decade 8 new laws have been enacted (Faroe Islands, Malaysia, Mexico, India, Peru, Russia - more accurately, brought into force - Ukraine and Angola), making this the most intensive period of data protection developments in the last 40 years. Geographically, almost two thirds of data privacy laws are in European states (48/76), EU member states are little more than one third (27/76), even with the expansion of the EU into eastern Europe. There are data privacy laws in all 27 member states of the European Union, and a further 21 laws in other European countries or jurisdictions. There are now 27 data privacy laws outside Europe, which considered by region are as follows: Latin America (6); North America (1); Caribbean (1); Asia (7); Australasia (2); North Africa/Middle East (3); Sub-Saharan Africa (6); Central Asia (1); Pacific Islands (0).
For over two decades the rate of adoption of new data privacy laws per year has been steadily increasing, and the regions of the globe that have such laws has been steadily expanding. If the current rate of expansion is continued, at least 50 new laws will result in this decade. The most economically significant countries currently missing from the list are the USA, China and Brazil, now that India has adopted a data privacy law in 2011. The omission of Brazil is also expected to be remedied this year. Most other countries that do not yet have data privacy laws are of relatively low significance in international trade, though some countries with large populations are among them, particularly in sub-Saharan Africa (eg Nigeria), and in Asia (eg Indonesia).
The article and Table also summarize the international commitments to data privacy made by each of the countries included, covering the EU Directive, Council of Europe data protection Convention and Additional Protocol, OECD privacy Guidelines, APEC Privacy Framework, and ECOWAS data protection Act. Recognition of non-EU laws by the EU as ‘adequate’ is also noted.
This research presented in this article and its Tables has now been updated (to 1 June 2013) by the article available at: http://ssrn.com/abstract=2280877 and by the Tables available at: http://ssrn.com/abstract=2280875
Number of Pages in PDF File: 7
Date posted: October 20, 2011 ; Last revised: February 1, 2014