It is forty years since enactment of Sweden’s Data Act of 1973, the first comprehensive national data privacy law, and the first such national law to implement what we can now recognise as a basic set of data protection principles. This article answers the question, ‘How many countries now have data privacy laws?,’ starting by defining a ‘data privacy law’. The result is a global analysis of data privacy laws and the international agreements relevant to each, and of Data Protection Authorities and their interlocking associations.
The answer to the question — documented in the accompanying Table of global data privacy laws — is that, as of mid-2013, 99 countries have such laws, a number considerably higher than earlier commentators had assumed. By looking at the related questions of the date at which such laws were enacted, and the regions of the world in which they have arisen, we can see trends in development which indicate the future direction of global development of data privacy laws.
The article also analyses which international agreements or requirements concerning data privacy (OECD, EU, APEC, ECOWAS etc) affect which countries, and how many relevant parties have enacted laws in accordance with the various agreements or requirements. The extent to which data protection authorities (DPAs) are required as part of data privacy laws is analysed, and existing DPAs identified. The associations of DPAs in which each is involved are also identified, and the implications of their overlapping but incomplete memberships.
The conclusion reached is that, given the continuing accelerating growth in the number of such laws, it seems likely that, within a decade, data privacy laws will be ubiquitous in that they will be found in almost all economically more significant countries, and most others. This conclusion is supported by the number of official data privacy Bills currently before legislatures or under government consideration in at least 20 more countries. It is reinforced by the increasing importance of both international agreements and associations of DPAs.
A Postscript reveals that there are now 101 laws, not 99, and Sheherezade can rest a while.
Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales.
** The accompanying Tables are also available on SSRN/LSN (Legal Scholarship Network) at <http://ssrn.com/abstract=2280875>. The data in the Tables and article are as at 1 June 2013. Comments, additions and corrections are welcome to <firstname.lastname@example.org>. The assistance of Marie Georges, David Banisar, Charles Raab, Stewart Dresner, Laura Linkomies, Blair Stewart and Jill Matthews is gratefully acknowledged. Responsibility for all content, remains with the author. Separate acknowledgments are provided in relation to the accompanying Tables. Substantial work on this article was completed while the author was a Japan Society for the Promotion of Science (JSPS) Visiting Fellow at Meiji University, Tokyo, from September-December 2012.
© 2012 Journal of Law, Information & Science and Faculty of Law, University of Tasmania.