22 June 2013

Data Protection Inventory

Apropos the preceding post SSRN now features 'Sheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories' [PDF] by Graham Greenleaf in (2012) Journal of Law & Information Science
It is forty years since Sweden’s Data Act 1973 was the first comprehensive national data privacy law, and the first such national law to implement what we can now recognize as a basic set of data protection principles. The core of this paper is the question 'How many countries now have data privacy laws?'. First, a definition is provided of a 'data privacy law', based largely on the requirements of the earliest international data protection instruments, the OECD privacy guidelines, and Council of Europe data protection Convention 108. 'Countries' are considered to include separate legal jurisdictions.
The answer to the question – documented in the Global Table of data privacy laws [PDF] is that, as of mid-2013, 99 countries have such laws, a number considerably higher than earlier commentators had assumed. By looking at the related questions of the date at which such laws were enacted, and the regions of the world in which they have arisen, we can see trends in development which indicate the future direction of global development of data privacy laws. The conclusion reached is that, given the continuing accelerating growth in the number of such laws, it seems likely that, within a decade, data privacy laws will be ubiquitous in that they will be found in almost all economically more significant countries, and most others. This conclusion is supported by the number of official data privacy Bills currently before legislatures or under government consideration in at least 20 more countries.
The article also analyses which international agreements or requirements concerning data privacy (OECD, EU directive and 'adequacy', APEC, ECOWAS etc) affect which countries, and how many relevant parties have enacted laws in accordance with the various agreements or requirements. The extent to which data protection authorities (DPAs) are required as part of data privacy laws is analysed, and existing DPAs identified. The associations of DPAs in which each is involved are also identified, and some conclusions drawn concerning their overlapping but incomplete memberships.
In summary, this paper gives a global snapshot of data privacy laws and the international agreements relevant to each, and of Data Protection Authorities and their interlocking associations.