Comparitech has assessed privacy protection and the state of surveillance in 47 countries to see where governments are failing to protect privacy and/or are creating surveillance states.

To do this we looked at a number of categories, from the use of biometrics and CCTV to data sharing and retention laws.

What did we find?

Not one country is consistent in protecting the privacy of its citizens, most are actively surveilling their citizens, and only five could be deemed to have “adequate safeguards.”

Are things improving or getting worse?

In the EU, the General Data Protection Regulation (GDPR) is helping improve privacy laws, on the whole. However, it doesn’t prevent some countries from entering into agreements that encroach on residents’ privacy through data sharing with other countries, e.g. the Treaty of Prüm. It doesn’t stop some countries from increasing their use of biometric surveillance, either.

Outside of the EU, several countries are creating what can only be described as surveillance states, with privacy rights seemingly taking a serious back seat. Perhaps unsurprisingly, China and Russia are the biggest culprits.

How do countries like the UK and US fare?

We’ll find out below.

Key findings

Here are some notable findings from the study:

China’s government not only fails to protect citizens’ privacy, but actively invades it

Collection and retention of biometric data—fingerprints and faces—is ramping up worldwide

EU countries tend to share a large amount of their citizens’ data with fellow member states

Immigrants are often most impacted by government surveillance, particularly when they enter or leave a country

Only five countries have adequate privacy safeguards according to our scoring system, and all of them are in Europe. The GDPR plays a large role in this, but does not account for everything

No countries earned a perfect score, or even a near-perfect score

Enforcement varies widely even among those countries with good privacy laws

Scoring system (for each category and overall)

4.1-5.0 = Upholding privacy standards on a consistent basis

3.6-4.0 = Significant safeguards and protections

3.1-3.5 = Adequate safeguards against abuse

2.6-3.0 = Some safeguards but weakened protections

2.1-2.5 = Systemic failure to maintain safeguards

1.6-2.0 = Extensive surveillance

1.1-1.5 = Endemic surveillance

EU and non-EU privacy ranking

EU

| Country | Total | Score Card | Constitutional Protection | Statutory Protection | Privacy Enforcement | Identity Cards and Biometrics | Data-sharing | Visual Surveillance | Communication Interception | Workplace Monitoring | Government Access to Data | Communication Data Retention | Surveillance of Medical, Financial and Movement | Border and Trans-Border Issues | Leadership | Democratic Safeguards |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Ireland | 3.2 | Adequate Safeguards | 3.3 | 3.2 | 3.1 | 3.3 | 3.7 | 3.0 | 2.9 | 3.2 | 3.1 | 3.1 | 2.6 | 3.2 | 3.5 | 3.2 |
| France | 3.1 | Adequate Safeguards | 2.9 | 3.4 | 3.4 | 3.4 | 2.7 | 3.1 | 3.1 | 3.3 | 3.1 | 2.8 | 3.2 | 3.1 | 2.7 | 3.1 |
| Portugal | 3.1 | Adequate Safeguards | 3.1 | 2.8 | 3.4 | 3.6 | 3.3 | 3.2 | 2.8 | 3.3 | 3.1 | 2.9 | 2.8 | 3.1 | 2.7 | 2.9 |
| Denmark | 3.1 | Adequate Safeguards | 2.9 | 3.3 | 3.0 | 2.9 | 3.4 | 3.2 | 3.2 | 3.1 | 3.1 | 2.6 | 2.7 | 3.1 | 3.3 | 3.1 |
| Malta | 3.0 | Some Safeguards/Weakened Protection | 3.1 | 3.5 | 3.8 | 2.9 | 2.8 | 3.2 | 2.7 | 3.3 | 3.1 | 3.4 | 2.7 | 2.9 | 2.8 | 2.2 |
| Lithuania | 3.0 | Some Safeguards/Weakened Protection | 3.3 | 3.1 | 3.3 | 2.6 | 2.9 | 3.3 | 3.1 | 3.2 | 3.0 | 3.2 | 2.7 | 2.8 | 2.9 | 3.0 |
| Cyprus | 3.0 | Some Safeguards/Weakened Protection | 3.1 | 3.1 | 3.2 | 2.3 | 3.1 | 3.6 | 3.1 | 3.1 | 3.0 | 2.9 | 3.2 | 2.7 | 2.8 | 3.1 |
| UK | 3.0 | Some Safeguards/Weakened Protection | 2.9 | 3.4 | 3.4 | 3.2 | 2.9 | 3.1 | 3.1 | 2.8 | 3.1 | 2.8 | 2.7 | 3.2 | 2.7 | 2.6 |
| Netherlands | 3.0 | Some Safeguards/Weakened Protection | 2.7 | 3.3 | 3.8 | 2.6 | 2.9 | 3.1 | 2.9 | 3.1 | 3.2 | 2.9 | 2.6 | 2.7 | 2.7 | 3.3 |
| Greece | 3.0 | Some Safeguards/Weakened Protection | 3.2 | 2.5 | 3.3 | 2.8 | 2.8 | 2.9 | 2.9 | 3.8 | 2.9 | 3.4 | 2.5 | 3.0 | 2.8 | 2.9 |
| Czech Republic | 3.0 | Some Safeguards/Weakened Protection | 3.1 | 3.2 | 2.9 | 3.0 | 3.1 | 3.1 | 3.1 | 3.4 | 2.8 | 2.8 | 2.9 | 2.6 | 2.8 | 2.6 |
| Bulgaria | 3.0 | Some Safeguards/Weakened Protection | 3.3 | 3.2 | 3.3 | 2.8 | 3.0 | 3.1 | 3.2 | 3.4 | 2.8 | 2.6 | 2.8 | 2.8 | 2.8 | 2.2 |
| Poland | 2.9 | Some Safeguards/Weakened Protection | 3.1 | 3.2 | 3.4 | 3.1 | 2.7 | 2.8 | 3.1 | 3.2 | 2.3 | 2.6 | 3.3 | 2.9 | 2.7 | 2.6 |
| Slovakia | 2.9 | Some Safeguards/Weakened Protection | 3.1 | 3.3 | 2.6 | 2.9 | 2.7 | 3.1 | 2.6 | 3.2 | 3.2 | 2.9 | 3.1 | 3.2 | 2.9 | 2.1 |
| Latvia | 2.9 | Some Safeguards/Weakened Protection | 3.1 | 3.2 | 3.3 | 2.9 | 2.7 | 2.9 | 2.8 | 3.2 | 2.9 | 2.7 | 2.7 | 2.8 | 2.7 | 2.8 |
| Sweden | 2.9 | Some Safeguards/Weakened Protection | 2.6 | 3.1 | 2.8 | 2.7 | 3.0 | 2.7 | 3.4 | 3.1 | 3.1 | 2.8 | 2.3 | 3.1 | 2.2 | 3.7 |
| Estonia | 2.9 | Some Safeguards/Weakened Protection | 2.9 | 2.7 | 3.1 | 2.4 | 2.7 | 3.2 | 2.8 | 2.9 | 2.8 | 2.2 | 3.6 | 2.9 | 3.1 | 3.3 |
| Romania | 2.9 | Some Safeguards/Weakened Protection | 3.4 | 3.1 | 2.8 | 2.9 | 2.8 | 3.2 | 3.3 | 2.8 | 2.5 | 3.1 | 3.0 | 2.6 | 2.2 | 2.7 |
| Austria | 2.9 | Some Safeguards/Weakened Protection | 2.9 | 3.3 | 3.3 | 2.8 | 2.7 | 3.3 | 3.1 | 3.2 | 2.9 | 2.6 | 3.1 | 2.9 | 2.2 | 2.1 |
| Luxembourg | 2.9 | Some Safeguards/Weakened Protection | 2.7 | 3.1 | 3.1 | 3.2 | 2.5 | 2.9 | 2.6 | 3.0 | 2.4 | 3.1 | 3.1 | 2.9 | 2.7 | 2.9 |
| Finland | 2.9 | Some Safeguards/Weakened Protection | 2.9 | 2.6 | 2.8 | 2.7 | 2.7 | 2.7 | 2.4 | 3.6 | 2.1 | 2.9 | 2.9 | 2.7 | 3.1 | 4.1 |
| Belgium | 2.9 | Some Safeguards/Weakened Protection | 3.2 | 3.1 | 3.3 | 2.6 | 2.6 | 2.9 | 2.7 | 3.0 | 3.1 | 2.6 | 2.8 | 2.7 | 2.6 | 2.9 |
| Spain | 2.9 | Some Safeguards/Weakened Protection | 3.4 | 3.2 | 3.1 | 2.7 | 2.6 | 3.2 | 2.9 | 3.4 | 2.7 | 2.6 | 2.7 | 2.6 | 2.6 | 2.4 |
| Germany | 2.8 | Some Safeguards/Weakened Protection | 3.3 | 3.4 | 3.8 | 2.3 | 2.7 | 2.4 | 2.6 | 3.1 | 2.8 | 2.4 | 3.0 | 2.3 | 2.8 | 2.8 |
| Slovenia | 2.7 | Some Safeguards/Weakened Protection | 2.4 | 2.6 | 2.6 | 2.8 | 2.6 | 2.8 | 2.7 | 3.4 | 2.9 | 2.5 | 2.9 | 2.4 | 2.2 | 3.0 |
| Hungary | 2.7 | Some Safeguards/Weakened Protection | 2.7 | 2.8 | 3.3 | 2.3 | 2.2 | 2.7 | 2.4 | 2.8 | 2.7 | 2.6 | 2.9 | 2.8 | 2.6 | 2.9 |
| Italy | 2.7 | Some Safeguards/Weakened Protection | 2.7 | 3.1 | 3.3 | 2.4 | 2.7 | 2.6 | 2.7 | 3.4 | 2.8 | 1.7 | 2.9 | 2.7 | 2.3 | 2.4 |

Non-EU

| Country | Total | Score Card | Constitutional Protection | Statutory Protection | Privacy Enforcement | Identity Cards and Biometrics | Data-sharing | Visual Surveillance | Communication Interception | Workplace Monitoring | Government Access to Data | Communication Data Retention | Surveillance of Medical, Financial and Movement | Border and Trans-Border Issues | Leadership | Democratic Safeguards |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Norway | 3.1 | Adequate Safeguards | 3.1 | 3.3 | 3.2 | 2.9 | 2.9 | 3.1 | 3.2 | 3.2 | 2.9 | 3.2 | 2.8 | 2.8 | 2.8 | 4.1 |
| South Africa | 3.0 | Some Safeguards/Weakened Protection | 3.6 | 3.3 | 3.1 | 2.9 | 3.1 | 3.0 | 3.3 | 3.0 | 3.1 | 2.8 | 2.9 | 2.7 | 2.9 | 2.9 |
| Switzerland | 3.0 | Some Safeguards/Weakened Protection | 3.1 | 3.2 | 3.3 | 3.1 | 2.9 | 3.2 | 2.7 | 2.9 | 3.1 | 3.1 | 3.0 | 2.7 | 2.7 | 3.3 |
| Argentina | 3.0 | Some Safeguards/Weakened Protection | 3.1 | 3.1 | 3.1 | 2.7 | 2.9 | 3.2 | 3.1 | 3.2 | 3.0 | 2.6 | 2.7 | 3.3 | 3.0 | 2.8 |
| Canada | 3.0 | Some Safeguards/Weakened Protection | 3.2 | 3.2 | 2.8 | 2.9 | 2.6 | 3.1 | 3.0 | 3.3 | 2.7 | 3.1 | 2.8 | 2.6 | 3.3 | 2.9 |
| Iceland | 3.0 | Some Safeguards/Weakened Protection | 3.2 | 3.1 | 2.7 | 3.0 | 2.9 | 3.1 | 3.0 | 3.1 | 2.7 | 3.3 | 2.8 | 2.7 | 2.8 | 3.1 |
| New Zealand | 2.9 | Some Safeguards/Weakened Protection | 3.0 | 3.1 | 3.2 | 3.0 | 2.8 | 2.8 | 2.9 | 3.0 | 2.9 | 3.1 | 2.7 | 2.6 | 2.5 | 3.2 |
| Israel | 2.9 | Some Safeguards/Weakened Protection | 2.8 | 3.1 | 3.3 | 2.7 | 3.1 | 2.8 | 2.7 | 3.4 | 2.7 | 2.6 | 2.9 | 2.6 | 3.0 | 2.2 |
| Taiwan | 2.8 | Some Safeguards/Weakened Protection | 3.2 | 3.1 | 2.9 | 3.1 | 2.8 | 2.7 | 2.9 | 2.4 | 2.9 | 2.4 | 2.8 | 2.9 | 2.8 | 2.7 |
| Australia | 2.8 | Some Safeguards/Weakened Protection | 2.4 | 3.3 | 3.3 | 3.4 | 3.0 | 2.8 | 2.3 | 2.6 | 2.7 | 2.6 | 2.7 | 2.8 | 2.5 | 3.1 |
| Japan | 2.8 | Some Safeguards/Weakened Protection | 3.2 | 3.2 | 2.7 | 2.3 | 2.7 | 2.7 | 3.3 | 2.9 | 2.8 | 2.9 | 2.9 | 2.6 | 2.7 | 2.6 |
| Philippines | 2.8 | Some Safeguards/Weakened Protection | 2.9 | 3.2 | 3.1 | 2.7 | 2.8 | 2.0 | 3.1 | 2.7 | 2.8 | 3.1 | 2.8 | 2.9 | 3.1 | 2.2 |
| Brazil | 2.8 | Some Safeguards/Weakened Protection | 3.1 | 2.9 | 2.4 | 2.6 | 3.1 | 2.2 | 3.1 | 3.2 | 2.9 | 2.7 | 3.1 | 2.8 | 3.2 | 2.0 |
| USA | 2.7 | Some Safeguards/Weakened Protection | 3.1 | 2.9 | 3.2 | 2.7 | 2.7 | 2.9 | 3.1 | 2.6 | 2.9 | 2.3 | 2.2 | 2.8 | 2.5 | 2.5 |
| Singapore | 2.7 | Some Safeguards/Weakened Protection | 2.6 | 3.2 | 3.2 | 2.7 | 2.8 | 2.8 | 2.3 | 2.6 | 2.5 | 2.8 | 2.6 | 2.7 | 2.7 | 2.3 |
| Malaysia | 2.6 | Some Safeguards/Weakened Protection | 2.7 | 2.7 | 2.9 | 2.4 | 2.6 | 2.4 | 2.7 | 2.8 | 2.7 | 2.9 | 2.5 | 2.6 | 2.8 | 2.3 |
| Thailand | 2.6 | Some Safeguards/Weakened Protection | 2.7 | 3.2 | 2.3 | 2.6 | 2.8 | 2.5 | 2.2 | 2.6 | 2.3 | 2.8 | 2.8 | 2.6 | 2.7 | 1.7 |
| India | 2.4 | Systemic Failure to Maintain Safeguards | 3.4 | 2.7 | 2.3 | 1.6 | 2.4 | 2.3 | 1.8 | 2.3 | 2.4 | 2.6 | 2.7 | 2.8 | 2.4 | 2.1 |
| Russia | 2.1 | Systemic Failure to Maintain Safeguards | 2.7 | 2.9 | 2.6 | 2.9 | 1.3 | 1.9 | 1.4 | 2.8 | 1.4 | 1.4 | 2.6 | 2.2 | 1.6 | 1.7 |
| China | 1.8 | Extensive Surveillance | 2.5 | 2.3 | 2.7 | 1.1 | 2.1 | 1.3 | 1.2 | 2.1 | 1.7 | 1.2 | 2.6 | 1.4 | 1.2 | 1.3 |

Bottom 5 non-EU countries

China – 1.8 – Extensive surveillance

Russia – 2.1 – Systemic failure to maintain safeguards

India – 2.4 – Systemic failure to maintain safeguards

Thailand – 2.6 – Some safeguards but weakened protections

Malaysia – 2.6 – Some safeguards but weakened protections

China

China’s ranking isn’t much of a surprise but where does its extensive surveillance arise from?

Privacy laws lack clear guidelines, which makes them difficult to enforce

ID cards are mandatory in China for anyone over the age of 16

China is heavily reliant on biometrics and artificial intelligence (AI). For example, facial recognition cameras are now catching jaywalkers, triggering a text message, and sending their image to large screens to publicly shame them. China also uses these types of cameras to track and monitor Uighurs, the country’s Muslim minority

Data is frequently shared among agencies and state intelligence has a green light to request data from any organization or citizen

Surveillance cameras with facial recognition are now the “norm” in China and there are few limitations in place on CCTV as a whole

Intelligence services and law enforcement can intercept communications without a court order – and how they perform these interceptions is still largely unknown

Employees aren’t protected when it comes to their communications, despite the data subject needing to give their consent for data collection. Courts have been known to rule in favor of the employer (where an employee didn’t give their consent for email monitoring) and employees’ brainwaves have even been monitored to “aid productivity”

There are no time limits on data retention but there are specific requirements on what data needs retaining. For example, text message service providers have to store various information for a minimum of five months

Medical data is frequently used for research or as “public interest records”

All financial transactions over a certain amount have to be reported to a government agency

Extreme surveillance is being implemented at China’s borders with apps being installed on people’s phones (without consent) to scan for “inappropriate content”

China is a member of Interpol but many countries are wary of sharing data with China due to how it may use it

The government controls most media sources

It is difficult to draw any positives from China’s privacy rights. Even if they are mentioned in law, the reality is often very different.

Russia

Closely following China is Russia, with its poor score coming from:

Its regulatory body, the Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor), is incredibly active but often in cases of censorship rather than privacy

It is in the process of creating an eGovernment framework which will allow for inter-agency data sharing but will also grant the general public access to government-held information

Companies are often required to hand over data to the government with the most recent example being Tinder. If they fail to comply, they are blocked

Started to build its own “sovereign internet” with fears that this will remove its need for the world wide web and will create a highly-censored internet that’s used for surveillance

Facial recognition is already being used in cameras to track down debtors

Despite clear safeguards to protect against communication interception (i.e. a court order is required in most cases), there were 540,000 approved interceptions in 2012, showing little limitation on what is and isn’t granted

Intercept capability need not be offered by service providers as the System of Operative-Search Measures (SORM) enables the Federal Security Service (FSB) to eavesdrop on communications via a direct line from internet service providers. In most cases, operators and ISPs aren’t even aware this is happening

Telecom service providers have to store call and message records for a minimum of six months

All transactions over the value of 600,000 roubles have to be reported to the relevant agency

AI technology is being implemented at Russia’s borders to collect data

Member of Interpol and various tax agreements that involve the sharing of data

Laws against “fake news” were recently passed but many believe this is just a bid to aid censorship. Furthermore, independent media outlets are being squeezed out or “brought under control” and TV channels are known for showing propaganda, highlighting some of the reasons why Russia is ranked 149th in the world in the World Press Freedom Index

Again, it’s hard to find anything constructive within Russia’s “privacy policies.” On the same day that the European Court of Human Rights (ECHR) ruled against Russia, Russia introduced a new law that allows it to overrule decisions made by the ECHR. And although Russia has fined Facebook because it failed to comply with its local data privacy law (which requires all foreign and domestic companies that are processing, storing, or accumulating data of Russian citizens to store this data on a server within Russia), it is questionable as to how much this relates to privacy and how much this relates to control over data.

We have marked Russia relatively well for workplace monitoring because there are safeguards in place and Russia should, in theory, apply the case of Barbulescu v. Romania (employees should always be notified of monitoring) because it’s a member of the ECHR. However, as noted above, there are no guarantees this will happen.

India

A number of concerning aspects of India’s laws and regulations threaten citizens’ privacy, including:

Its Data Protection Bill is yet to take effect and there isn’t a data protection authority in place, meaning privacy protections are weak at present

The Aadhaar Identification Scheme gives citizens a unique ID number and is also home to the largest biometric database, which contains 1.23 billion people

This database also contains information such as purchases, bank accounts, and insurance

Trying to get WhatsApp to make messages traceable by adding a digital fingerprint to every message sent

CCTV isn’t regulated and any privacy laws relating to it are very vague and open to interpretation

10 government agencies have recently been given the authorization to decrypt, monitor, and intercept data on any computer (but this must be approved by the Home Secretary)

Should service providers fail to offer intercept capabilities, they could face prison for up to seven years

Looking to install hi-tech border surveillance at certain borders

Frequently shares information with the US and has multiple Mutual Legal Assistance Treaties with different countries

Ranks 140th in the world for the Press Freedom Index with 6 journalists (at least) being killed in 2018

What is clear is that the laws and courts of India are starting to protect data privacy. For example, the courts changed the law so private companies did not have the right to request ID numbers, and government agencies’ access to the Aadhaar database has been recently withdrawn. Covert surveillance will also be banned when the new data protection law comes into power. However, with surveillance tactics and biometrics already going incredibly far, it’s questionable as to how much a law will change things.

Thailand

National ID card with fingerprints

Biometrics are heavily used and are a requirement for many day-to-day things. For example, a biometric check must be performed to buy a SIM card

CCTV is widely used and accepted in Thailand. But a new law does require a data owner to be informed that they’re being monitored

Although the Special Case Investigation Act states a chief judge must grant permission for communication interception to occur, a military coup in 2014 enabled the military to intercept any messages under Martial Law

The Computer Crimes Act allows officers of the Ministry of Digital Economy and Society (MDES) to request documents and computer data from service providers. This is all done without a warrant. With a warrant, they are able to request much more information

Thai police have a technology that can gain access to chat room messages, emails, and text messages – but this should be conducted under a court order

Fingerprints are collected when people enter the country

Part of numerous international data-sharing agreements

New laws and the Junta do impose restrictions on the freedom of speech in Thailand, with many believing that the new cybersecurity law will be used by the government to silence critics

Thailand recently implemented the Personal Data Protection Act (PDPA) on May 28 2019. It is hoped this will create Thailand’s very first consolidated data protection act but people are being given a one-year grace period to adjust to these new laws. Workplace monitoring and data retention policies should improve. A recent development (which happened post-study) also means Thai cafes are being forced to create a log of customers’ browsing data for 90 days – at least. The government has suggested that this is to help identify users who are violating Thai law and are creating “fake news.”

Malaysia

Calls for a more in-depth privacy law that covers all matters. At present, there is only the Personal Data Protection Act 2010 (PDPA) which protects the personal data of a data subject

However, the courts have been quite proactive in enforcing this law, and the data protection agency frequently inspects businesses and offers recommendations on their data practices

A national ID card (MyKad) is compulsory from the age of 12 and contains biometrics (thumbprints). It also stores bank details, certain health information, can be used to make purchases, and stores data for up to 20 years (the card’s only valid for 10, though)

For children up to the age of 12, MyKid carries parents’ religion details, birth data, health information, and education data

Face recognition technology is also on the rise with Grab Malaysia teaming up with the Ministry of Transport to improve driver safety and provide safeguards against crimes

Few laws surrounding the use of face recognition technology

Data sharing does require written consent in most cases, but the government does have a platform (MyGDX) which facilitates intergovernmental agency data sharing

CCTV is prevalent in Malaysia and there are few safeguards in place. However, a “CCTV Guide” that is yet to come into law will enforce a few more protections, e.g. notifying people of CCTV monitoring

Several large data breaches involve financial and medical details

Founder of the ASEAN Treaty on Mutual Legal Assistance in Criminal Matters

The introduction of the data protection law in 2010 did make some improvements to Malaysia’s data privacy – but, as technology advances and times change, these need updating to better protect all types of data, including biometrics.

Bottom 5 EU countries

Italy – 2.7 – Some Safeguards/Weakened Protection

Hungary – 2.7 – Some Safeguards/Weakened Protection

Slovenia – 2.7 – Some Safeguards/Weakened Protection

Germany – 2.8 – Some Safeguards/Weakened Protection

Spain – 2.9 – Some Safeguards/Weakened Protection

Italy

Italy fails to uphold privacy protections in a number of areas. This includes:

An ID card that contains biometrics

Extensive use of biometrics, including facial recognition in airports, is causing concern among citizens

Data-sharing agreements as part of the Treaty of Prüm and Schengen Agreement

Extensive CCTV use (including with facial recognition)

Lengthy data retention periods (six years for internet and telephone traffic data)

It lacks freedom of the press

The Italian regulatory body in charge of enforcing the GDPR, Garante, hasn’t been very active. This could be due to there being a lack of data breaches or it may indicate a lack of implementation. However, Italy has made efforts to prohibit workplace monitoring.

Hungary

Hasn’t always protected its people’s right to privacy, even ruling that police officers were not entitled to their right to privacy because their roles as agents of public power outweighed it

ID card contains owner’s fingerprint

Employers are also allowed to use biometrics in certain situations, i.e. to prevent unauthorized access to information

Building a facial recognition database from the identification photos of its citizens and tourists

Government agencies are able to take data from telecommunication companies without a warrant

Part of the Treaty of Prüm and the Schengen Agreement

GDPR is helping to make some improvements in Hungary, for example, helping enforce people’s rights when it comes to CCTV footage and protecting data as a whole through fines given by The Hungarian National Authority for Data Protection and Freedom of Information.

Slovenia

With the highest record of human rights violations per capita in Europe, Slovenia is constantly being monitored to see if and how it is improving the protection of its citizens. We’ve found:

Although Slovenia is part of the EU and the GDPR law applies, it hasn’t implemented it through its own legislation, which leaves large question marks over its data protection policies

This also removes some of the integrity and strength of its regulatory body, the Information Commissioner (IC)

It relies on biometrics in its passports

It’s part of the Treaty of Prüm and Schengen Agreement

Although the GDPR should, in theory, improve things in Slovenia, there are reports to suggest that it isn’t being properly implemented in many EU countries. And with Slovenia’s lack of laws, this is likely the case. Equally, the draft bill proposed by Slovenia has been criticized by many as “overstepping” the boundaries put in place by GDPR.

Germany

Despite privacy enforcement in a number of areas (sensitive data and the implementation of the data protection law, Bundesdatenschutzgesetz) and the active role of its Data Protection Conference, Germany is failing its citizens in a number of areas. These include:

Its extensive use of biometrics, including in a national ID card

Being a founding member of the Treaty of Prüm and Schengen Agreement

Its allowance of CCTV cameras with facial recognition

Controversial data retention directives

Lack of privacy protection for journalists

Heavy censorship of social media posts through “hate speech” laws

Spain

Again, Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), has been effective in implementing the GDPR laws, fining La Liga €250,000 for privacy violations. However, the privacy rights of its citizens are significantly reduced due to:

Its increasing use of biometrics (and the general overall acceptance of this)

ID card that contains biometrics

It being a founding member of the Treaty of Prüm, the Schengen Agreement, and tax data-sharing agreements

Its communication data retention policies have been met with a lot of criticism (12 months after the communication but this can be extended to 2 years)

A gag law on journalists

Top 5 non-EU countries

Norway – 3.1 – Adequate Safeguards

South Africa – 3.0 – Some Safeguards/Weakened Protection

Switzerland – 3.0 – Some Safeguards/Weakened Protection

Argentina – 3.0 – Some Safeguards/Weakened Protection

Canada – 3.0 – Some Safeguards/Weakened Protection

Norway

As the only non-EU country to be found to have “adequate safeguards,” Norway is succeeding at:

Implementing GDPR laws

Fining companies who are not protecting data (the municipality of Bergen was fined €170,000 for violating GDPR laws by leaving 35k usernames and passwords of primary school students and employees openly accessible)

Protecting freedom of speech (it’s ranked number one in the World Press Freedom Index and has been for the last three years)

Offering extra privacy protection for certain jobs, e.g. lawyers and medical practitioners

Biometrics do let Norway down. It is looking to introduce them into ID cards in 2020 and law enforcement does have access to biometric data. Norway is also a member of the Schengen Agreement and parts of the Treaty of Prüm.

South Africa

Privacy rights are protected through the constitutional court

Landmark case in which bulk interception by the National Communications Centre was declared unlawful by the High Court (amaBhungane Centre v Minister of Justice)

Limits on data sharing, even between agencies within the same sector

Not part of any invasive international treaties (but it is involved in tax-sharing agreements)

South Africa is in the process of introducing an Information Regulator and the Protection of Personal Information Act (POPIA) which will help to further enforce privacy rights. But as these aren’t yet fully in place, it does create some gray areas. Biometrics are also on the rise and the newly introduced South African ID card contains fingerprints.

Switzerland

Actively enforcing privacy rights with its Federal Act on Data Protection (due to be updated in 2020)

Its data protection agency, the Federal Data Protection and Information Commissioner (FDPIC), is rumored to be the regulator Facebook wants to manage its cryptocurrency, Libra

No mandatory ID card with biometrics

Freedom of speech and the media

Despite Switzerland being a “tax haven” for many years, it is now clamping down on this by sharing tax details with other countries. It is also part of the Schengen Agreement and has signed an agreement with member states of the Prüm Decision so they can share data. Switzerland also allows workplace monitoring without permission, so long as an employee is informed.

Argentina

Actively trying to improve data privacy and keep up with other laws (i.e. the GDPR) and technological advancements

Adequate safeguards for areas of surveillance and workplace monitoring

Warrants are required for communications to be intercepted

Argentina’s mandatory ID card does contain biometrics. Biometrics are widely implemented and accepted on the whole. The Data Protection Act is in need of an update, particularly when it comes to data retention laws (there are no clear guidelines as such, leaving it very open to interpretation). Argentina also actively shares personal information with other countries.

Canada

28 different statutes protecting data privacy in the private, public, and health sectors

Adequate safeguards for areas of surveillance and workplace monitoring

Very similar data retention laws to the GDPR

Canada’s regulatory body, the Office of the Privacy Commissioner of Canada, is criticized as being lackluster in its authority but there are talks to improve its powers so it can levy fines. Biometrics are on the rise with fingerprints now being a requirement for people applying for certain kinds of visas. Data sharing is also an issue due to the agreements Canada has with other nations (approximately 17). And Canada recently ruled against a journalist, requiring him to disclose a source.

Top 5 EU countries

Due to the recent implementation of the GDPR laws, there isn’t much difference in the scores of EU countries. What tends to differentiate them is their data-sharing agreements with other countries, their freedom of speech, their use of biometrics, and other country-specific rules and regulations.

Ireland – 3.2 – Adequate Safeguards

France – 3.1 – Adequate Safeguards

Portugal – 3.1 – Adequate Safeguards

Denmark – 3.1 – Adequate Safeguards

Malta – 3.0 – Some Safeguards/Weakened Protection

Ireland

Ireland tops the list when it comes to privacy and surveillance protection due to:

The active role the Data Protection Commission of Ireland is playing in protecting privacy (18 ongoing investigations into US technology companies, for example)

Its resistance toward biometrics on ID cards, despite it being an EU regulation

It not being part of invasive data-sharing agreements, i.e. the Treaty of Prüm or the Schengen Agreement

An active role in overturning the EU’s data retention directive due to its breach of privacy and human rights

Its opt-out clause for EU laws

The categories that let Ireland down were its weakened protections for sensitive data (i.e. several data breaches in the medical industry), the subsidization of CCTV, and a threat to press freedom due to the concentrated ownership of media outlets.

France

Just behind Ireland is France, which scored reasonably well because of:

Its data regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), successfully enforcing GDPR laws by fining Google €50 million because it didn’t get proper consent from users for its ad personalization (it used pre-ticked boxes)

The CNIL being proactive before the implementation of GDPR, fining Uber €400,000 for its data breach

No biometrics required for the mandatory French ID card

The CNIL actively debating and preventing the use of biometrics in other areas, e.g. in the workplace

The requirement for a Data Protection Impact Assessment (DPIA) before surveillance is installed for large-scale public monitoring

However, France is a member of the Treaty of Prüm and the Schengen Agreement. There is active data sharing occurring within France, too. For example, suspicious transactions must be reported as part of anti-money laundering laws. Communication data is retained for one year.

Portugal

Portugal also makes the top three due to:

Its regulator, the Comissão Nacional de Protecção de Dados (CNPD), actively enforcing the GDPR

Its recent €400,000 fine of a hospital for various data breaches – one of the largest GDPR fines to date

Biometric databases being forbidden

Its restriction and regulation of CCTV use

Has a history of protecting employees’ privacy through domestic legislation

Portugal was one of the last European countries to implement the GDPR law (one year and three months after it was enforced). It is also a member of the Treaty of Prüm but, due to its lacking DNA database (less than 0.1% of its citizens are on it), it doesn’t share much information and only shares data with select countries. That said, it is also a member of the Schengen Agreement and data is regularly shared internally, too, i.e. for anti-money laundering laws.

Denmark

Denmark receives its score of “adequate safeguards” because of:

The active role of the Danish data protection agency, the Datatilsynet (DPA), since the implementation of the GDPR

Its general success at implementing GDPR across a range of categories

The Danish ID card not containing biometrics

Its opt-out agreement with EU laws

The protection of freedom of expression

Yet, there is a worrying acceptance of both biometrics and CCTV cameras within Denmark which may allow privacy controls to slip. The sharing of data, both within Denmark and with other countries (part of the Schengen Agreement) also lowers the score, as do the queries over data retention (location data from mobile phones).

Malta

Although Malta does make the top 5, it does also fall into a lower category than the other four EU countries. It received a “some safeguards but weakened protections” score due to:

Courts ruled in favor of privacy when it comes to short data retention periods (the case of Maltapost PLC Vs Kummissarju Ghall-Informazzjoni u l-Protezzjoni tad-Data)

Its data protection authority, the Information and Data Protection Commissioner (IDPC), works proactively to enforce the GDPR and fines

The Maltese ID card does not contain biometrics

The IDPC requires notification before CCTV is installed

Malta is, however, a member of the Treaty of Prüm and the Schengen Agreement and does have weakened protections when it comes to communication interception and sensitive data. It also has a systemic failure to uphold safeguards when it comes to democratic issues like freedom of the press (the majority of media sources are owned by politicians).

Where do the US and UK rank?

United States

The US is seventh from bottom in our non-EU rankings. This is due to:

Biometrics growing in use with the Biometric Exit Program predicted to be in place within four years, processing 97% of people who leave the US

Courts rule in different ways when it comes to biometrics. There are several debates over topics like whether the police could ask you to unlock your phone with your fingerprint

Building a database of biometric information containing digital facial images and the 10 fingerprints of over 200 million people who have tried to enter, have entered, or have exited the US

Private companies are able to set their own guidelines when it comes to processing personal data

There are no federal laws regarding the use of CCTV, meaning usage varies drastically on a state-by-state basis. For example, some states include a safeguard that prohibits CCTV use in areas where people expect privacy, e.g. changing rooms, but some do not

Only two states require companies to inform their employees of workplace monitoring

Numerous data breaches across all sectors

Part of numerous international data-sharing agreements

Recently created the Clarifying Lawful Overseas Use of Data (CLOUD) Act which allows law enforcement of cooperating countries to request data directly from service providers rather than having to go through the government

Data protection in the US is governed by multiple sectoral laws and laws also differ by state. This can cause some confusion and inconsistency, and it can leave some huge gaps in certain areas/states. Nevertheless, some of the governing bodies actively pursue data privacy. For example, the Federal Trade Commission (FTC) recently fined Facebook $5 billion for privacy violations.

United Kingdom

At present, the UK is governed by GDPR laws but has also implemented its own Data Protection Act, which will remain in place post-Brexit.

The governing body, the Information Commissioner’s Office (ICO), has already issued a number of fines, including one of £183 million to British Airways for breaching customer data and one of £99 million to hotel chain Marriott for exposing 399 million guest records

The UK is not part of the Prüm Decision (but has requested to be and is involved in parts of it – see below) or the Schengen Agreement

Certain safeguards are in place for CCTV usage (i.e. businesses must inform the ICO why they are using CCTV and must tell people they are being recorded), communication interception (warrants are required), and government access to data (again, warrants are often required)

Does have opt-out agreements with EU laws

Despite some of these safeguards, the UK is moving toward more biometrics, more CCTV, and could involve itself in further international treaties post-Brexit. It has recently joined the Prüm DNA framework, which allows law enforcement agencies to share DNA profiles and fingerprints, giving member states access to the UK’s database of over 5 million people. Workplace monitoring is also accepted (if employers can justify their reasons for doing so) and there have been cases of employees being fired for things they have said on social media.

How things look overall

If we merged the rankings of both the EU and non-EU countries, the leaderboard wouldn’t look much different to the EU one. All that would change is Norway taking second place, pushing Malta out of the top five.

What is interesting about these top five (the only ones to receive an “adequate” score) is that they are all governed by the GDPR laws. So, while there is still huge room for improvement in all countries, the GDPR laws do seem to be encouraging them to move in the right direction.

Constitutional Protection: Slovenia, Australia, China, Sweden, Singapore, Netherlands, Luxembourg, Hungary, Italy, Malaysia

Statutory Protection: China, Greece, Slovenia, Finland, Malaysia, Estonia, India, Hungary, Portugal, Russia

Privacy Enforcement: India, Thailand, Brazil, Slovenia, Russia, Slovakia, China, Iceland, Japan, Finland

Identity Cards and Biometrics: China, India, Japan, Cyprus, Hungary, Germany, Malaysia, Estonia, Italy, Thailand

Data-sharing: Russia, China, Hungary, India, Luxembourg, Malaysia, Belgium, Spain, Slovenia, Canada

Visual Surveillance: China, Russia, Philippines, Brazil, India, Malaysia, Germany, Thailand, Italy, Hungary

Communication Interception: China, Russia, India, Thailand, Singapore, Australia, Hungary, Finland, Germany, Luxembourg

Workplace Monitoring: China, India, Taiwan, Thailand, Singapore, Australia, US, Philippines, Russia, Hungary

Government Access to Data: Russia, China, Finland, Thailand, Poland, India, Luxembourg, Singapore, Romania, Australia

Communication Data Retention: China, Russia, Italy, Estonia, US, Germany, Taiwan, Slovenia, Poland, India

Surveillance of Medical, Financial and Movement: US, Sweden, Malaysia, Greece, China, Russia, Singapore, Netherlands, Ireland, India

Border and Trans-Border Issues: China, Russia, Germany, Slovenia, Malaysia, Spain, New Zealand, Thailand, Canada, Israel

Leadership: China, Russia, Slovenia, Romania, Austria, Sweden, Italy, India, New Zealand, US

Democratic Safeguards: China, Russia, Thailand, Brazil, Austria, India, Slovakia, Bulgaria, Malta, Israel

Methodology

Each country was given a score per category based on a number of criteria (listed below). Then, to gain an overall score, we added up the total of these scores before dividing by 14 (the number of categories in total).

Constitutional Protection

Does a constitution exist and does it protect privacy?

Does the constitutional court have a ruling over privacy protection? If so, does it have a history of providing these protections?

Is the country a member of the EU (the GDPR plays a key role)?

Statutory Protection

Are there laws in place that protect people’s privacy against companies and governments?

Are there sectoral laws? E.g., anti-money laundering laws or medical laws.

Do these laws succeed in protecting privacy?

Privacy Enforcement

Is there a regulatory body, e.g. a Data Protection Authority, that has the power to investigate privacy cases?

Are they proactive at doing this? Are there any cases that have been taken through the courts/legal systems?

Identity Cards and Biometrics

Does the country have a national ID card? Does this have biometrics?

Are biometrics common? Are they used to aid privacy or are they used for surveillance?

Is there a privacy debate in the country about this use of biometrics? Or are most happy with the technology?

Data Sharing

Are there laws to prevent the secondary use of data?

Does the government share personal data between its agencies?

Do companies have to hand over personal data to the government?

Visual Surveillance

How prevalent is CCTV in the public and private sector?

Are CCTV cameras regulated?

Is there any debate surrounding the use of CCTV?

Communication Interception

Are there laws that prevent abuse?

When can law enforcement intercept communications, i.e. with a warrant, if they have reasonable doubt, etc.?

What types of investigations can result in communication interceptions?

Who authorizes their access, if anyone?

Are telecommunication providers expected to allow interception capabilities?

Workplace Monitoring

Are there laws that prevent abuse?

Are there legal avenues/cases?

Are companies given adequate guidelines to follow?

Government Access to Data

What are the warrant regimes? For example, can they enter a property without a warrant?

How does law enforcement gain access to private sector databases?

What powers do various agencies have to access data?

Communications Data Retention

Do telecommunication providers have to retain data for a specific period of time? If so, how long?

Are there considerations for different types of data and how the retention periods may differ?

Surveillance of Movement, Finances, and Medical Data

Although this data is sensitive, is it adequately protected?

Are there laws which allow for the monitoring of these types of data? E.g. anti-money laundering laws.

Have there been data breaches involving this type of data?

Border Issues

Does the country have biometrics at its borders?

Is the country cooperating with other countries when it comes to law enforcement and surveillance?

Leadership

Is the government part of any anti-privacy treaties? E.g., Five Eyes or the Treaty of Prüm?

What data is the government sharing with other countries?

Democratic Safeguards

Is there freedom of speech in the country?

Are there protections in place for journalists?

Sources

For each country’s report, sources, and scores, please see this spreadsheet: https://docs.google.com/spreadsheets/d/1uPCfyzwT2b47oX0kcYg3kn3V4H6IWUikp4jMOVUWmJA/edit?usp=sharing