9 Pages. Posted: 28 Jun 2017. Last revised: 13 Jul 2018

Date Written: January 30, 2017

Abstract

In the past two years, the number of countries that have enacted data privacy laws has risen from 109 to 120, a 10% increase, with at least 30 more countries having official Bills for such laws in various stages of progress. These 120 jurisdictions have comprehensive data privacy laws for the private sector, public sector, or (in most cases) both, and the laws meet at least minimum formal standards based on international agreements.

The Global Tables of Data Privacy Laws and Bills, 5th Edition, 2017, located at http://ssrn.com/abstract=2992986, sets out the details of these 120 Laws and 30 Bills, the international agreements relevant to them, and the data protection authorities (DPAs) administering them.

This article analyses the data in these Tables, in relation to the Acts, Bills and international agreements, since the 4th Edition of the Tables in 2015. The changes concerning DPAs, and their associations, are in the following article.

There are eleven additional countries with data privacy laws since the 109 countries included in the 2015 4th Edition. They are from Europe, the Middle East, the Caribbean, Latin America, Africa and Asia. A significant development, not confined to any one region, is the increase in the number and significance of Muslim-majority countries with data privacy laws.

Of the 30 or more countries which have Bills with some reported government support awaiting enactment, most are from Africa, the Caribbean and Latin America, but there are also a handful from Asia, the Middle East, and Europe.

2015-16 has been a period of very significant progress for international data privacy agreements, both in terms of their content, and the number of countries that have taken steps to become parties to them. The expansion of international agreements is usually something of a ‘snail race’, but in 2015-16 there has been an unusually high level of growth, as the following details show. This article details the increasing engagement of countries in EU ‘adequacy assessments’, accession to Council of Europe Convention 108, the African Union Convention on Cyber Security and Protection of Personal Data (2014), and the APEC Cross-border Privacy Rules system (CBPRs). The extent to which countries with data privacy laws have ratified the relevant UN agreements related to privacy (the ICCPR and 1st Optional Protocol) is analysed for the first time, and a high rate of compliance is found.

The article concludes that the 10% increase in countries with data privacy laws to 120, the 30 or more additional countries planning to enact such laws, and the bills to strengthen existing laws, all underline the continuing global expansion of data privacy laws. The expansion of Convention 108 beyond Europe is slowly making it apparent that it is the only viable global data privacy treaty, reinforced by developments in the EU and the African Union. These are very positive developments, but the uncertain international environment provides no guarantees that they will continue.