When we say the words “data protection”, for most of us, The European Union’s General Data Protection Regulation, GDPR comes to mind. However, there are many different data protection laws from around the world, which I shall attempt to briefly showcase in this post.
First of all, I must point out that data protection has historically always had a huge presence in the continent of Europe, so the fact that the EU now has strict legislation in place to protect privacy is no surprise. The first ever data protection law was Sweden’s Data Act, which was passed in 1973, and came into effect the following year. In 1981, the Council of Europe adopted the Data Protection Convention, rendering the right to privacy a legal imperative. It is important to note that privacy and data protection are not the same, but they are closely intertwined, especially when we talk about the effectiveness of protecting personal data. There were many preparatory documents and various milestones in the EU before GDPR came into effect. Surprisingly though, this is not where the right to privacy first emerged. In fact, that place would be the United States and the year 1890, when two US lawyers, Samuel D. Warren and Louis Brandeis, wrote The Right to Privacy, an article that argued the “right to be left alone”, using the phrase as a definition of privacy. From then on, this right made it into international agreements, and slowly gained popularity, culminating in becoming a crucial aspect of our lives. With the technological advances of AI and other technologies relying on data, privacy has become something precious and fragile. How good of a job does the EU do in protecting it? What about the US?
Currently, when ranking countries by privacy focusing on Internet users’ rights and the Internet privacy laws each country has in place, Estonia, Island and Costa Rica sit at the top, followed by Canada, Georgia and Armenia. Unsurprisingly, China came last in the ranking of 70 different countries: but even China has privacy laws in place. The Personal Information Protection Law (‘PIPL’) entered into effect on 1 November 2021 and is China’s first comprehensive data protection, governing personal information processing activities carried out by entities or individuals within China. Together with this law, the Cybersecurity Law and the Data Security Law were introduced. The PIPL is partly modeled after the GDPR, containing principles of personal information processing, consent and non-consent grounds for processing, but there is no single specific authority in China that has responsibility for the supervision of compliance with personal data related laws.
Similarly modeled after the GDPR is the Privacy Amendment (Notifiable Data Breaches) to Australia’s Privacy Act, Brazil’s Lei Geral de Proteçao de Dados (LGPD), Egypt’s Law on the Protection of Personal Data, and India’s Personal Data Protection Bill. Despite the close resemblance, there are clear differences: for example in India, more discretion is given to India’s Central Government to decide how it is enforced and when exceptions can be made. In Egypt, the fines for non-compliance are significantly lower than GDPR with a minimum of 100,000 LE (approx. 5,560 EUR) and a maximum of 1 million LE (approx. 55,600 EUR), but data breaches could also result in prison time.
New amendments to New Zealand’s 1993 Privacy Act came into effect on December 1, 2020, and similarly to GDPR, there is a requirement to notify authorities and affected parties of data breaches and the introduction of new restrictions to offshore data transfer. However, the fines for non-compliance are significantly lower than with GDPR (the maximum fine is just 10,000 NZD, however there is a mechanism in place for class action suits), and the “right to be forgotten” is not included in the Privacy Act.
These are some of the data protection laws in place which have significant similarities to the GDPR, but seeing that no EU country except for Estonia made it into the ranking of the best countries by Internet users’ privacy, it is worth asking whether GDPR is actually the best regulation out there.
While researching this topic, I have found that 137 out of 194 countries had put in place legislation to secure the protection of data and privacy. The continents of Africa and Asia are at 61 and 57 percent of countries having adopted such legislations. Naturally, some form of legislation is better than no safeguards in relation to privacy, but I think that the most important aspect of any law is not the written word, but how it is enforced in practice. Personally, I believe that the true effect of GDPR does not come from the specific text alone, but rather how it has shaped the way other countries relate to data protection, and how significant the case law has become since data breaches were taken seriously. The laws I briefly mentioned have ever-expanding requirements, new legislation is put in place in several countries (such as Canada’s New Data Privacy Law (CPPA)). The law on data protection might be completely different within a country, like in the case of the US, where while there are no formal laws at the federal level, there is some federal legislation that protects data on a more general level. Knowing that it might restrict competitiveness for businesses, the US typically does not have strict laws in place. Several US states have created their own laws, with California’s California Consumer Privacy Act (CCPA) providing privacy rights and consumer protection, which allows for residents of the state to establish precisely how their personal data is being collected and what it is being used for. The New York Privacy Act obligates companies to acquire consumer’s consent, disclose their de-identification processes, and install controls and safeguards to protect personal information. There are laws in place in Colorado, Connecticut and Virginia, with bills introduced in Utah, Indiana, Iowa, Montana, Oregon, Tennessee and Texas. While there had been a EU-US Privacy Shield framework in place to make GDPR compliance more understandable for organizations operating on both sides of the Atlantic, the agreement was struck down by the European Court of Justice, as they were of the opinion that that the rights of EU data subjects were not adequately protected from US surveillance.
Data protection is a national security issue, so it is understandable that different nations might feel apprehensive about data flow. But we must understand that we are living in a world that is so interconnected that simply creating data protection laws will never be enough to actually make sure there is no misuse or data breaches. But is cooperation possible on an international level in such a sensitive matter? Experts have previously made a case for a global privacy standard, which would be easier on data protection officers and authorities, stating that “while the European Data Protection Board has provided guidance about adequacy thresholds, each company’s risk assessment necessarily will be subjective and result in inconsistent application of the GDPR’s data privacy scheme.”. There is a data privacy international treaty in place, which is wholly ineffective: this leads me back to my point about the importance of implementation when it comes to any regulation. As long as different nations have diverging interests – which will always be the case – an international data protection treaty seems far away. For the purpose of business many countries attempt to comply with the GDPR, which forced its way into the consciousness of the international committee, but is still often ignored by those companies which are powerful enough to pay a fine and not change their lucrative practice of selling personal data.
So what is the solution? Can we find any common ground in relation to privacy laws from around the world, especially with the emergence of newer technologies and AI legislation also taking precedence worldwide? Or will we just keep trying to comply with differing regulations until one day we find that privacy has vanished altogether – if it hasn’t already?
Only time will tell what this possibility means for the future of data protection, but one thing is for sure: privacy laws became more significant in the eyes of world leaders through legislative effort from the EU, and are here to stay. Let’s hope that something similar will happen with regard to Artificial Intelligence, so that we may have an imperfect, but slightly safer future.
Mónika Mercz, JD, is specialized in English legal translation, Junior Researcher at the Public Law Center of Mathias Corvinus Collegium Foundation in Budapest while completing a PhD in Law and Political Sciences at the Károli Gáspár University of the Reformed Church in Budapest, Hungary. Mónika’s past and present research focuses on constitutional identity in EU Member States, with specific focus on essential state functions, data protection aspects of DNA testing, environment protection, children’s rights and Artificial Intelligence.