Sheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories
(2014) 23(1) Journal of Law, Information & Science, Special Edition: Privacy in the Social Networking World.
29 Pages Posted: 20 Jun 2013 Last revised: 31 Jul 2014
Date Written: September 10, 2013
It is forty years since Sweden’s Data Act 1973 was the first comprehensive national data privacy law, and the first such national law to implement what we can now recognize as a basic set of data protection principles. The core of this paper is the question 'How many countries now have data privacy laws?'. First, a definition is provided of a 'data privacy law', based largely on the requirements of the earliest international data protection instruments, the OECD privacy guidelines, and Council of Europe data protection Convention 108. 'Countries' are considered to include separate legal jurisdictions.
The answer to the question – documented in the Global Table of data privacy laws at http://ssrn.com/abstract=2280875 - is that, as of mid-2013, 99 countries have such laws, a number considerably higher than earlier commentators had assumed. By looking at the related questions of the date at which such laws were enacted, and the regions of the world in which they have arisen, we can see trends in development which indicate the future direction of global development of data privacy laws. The conclusion reached is that, given the continuing accelerating growth in the number of such laws, it seems likely that, within a decade, data privacy laws will be ubiquitous in that they will be found in almost all economically more significant countries, and most others. This conclusion is supported by the number of official data privacy Bills currently before legislatures or under government consideration in at least 20 more countries.
The article also analyses which international agreements or requirements concerning data privacy (OECD, EU directive and 'adequacy', APEC, ECOWAS etc) affect which countries, and how many relevant parties have enacted laws in accordance with the various agreements or requirements. The extent to which data protection authorities (DPAs) are required as part of data privacy laws is analysed, and existing DPAs identified. The associations of DPAs in which each is involved are also identified, and some conclusions drawn concerning their overlapping but incomplete memberships.
In summary, this paper gives a global snapshot of data privacy laws and the international agreements relevant to each, and of Data Protection Authorities and their interlocking associations.
A Postscript (September 2013) adds that the 100th and 101st have now come from Kazakhstan and South Africa. Sheherezade's work is complete.
The Global Tables of Data Privacy Laws and Bills (3rd Ed, June 2013) analysed in this article are at http://ssrn.com/abstract=2280875
Keywords: privacy, data protection, international agreements, data protection authorities, DPA, Council of Europe, Convention 108, APEC, ECOWAS
Suggested Citation: Suggested Citation