Home | Databases | WorldLII | Search | Feedback United Nations Special Rapporteur on the Right to Privacy Publications

UN Special Rapporteur on the Right of Privacy - Appendix 2 accompanying Annual Report; Thirty-seventh session of the UN Human Rights Council [2018] UNSRPPub 3 (28 February 2018)

Appendix 2

Professor Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales, Sydney, Australia; Founding Co-Director & Senior Researcher, Australasian Legal Information Institute (AustLII); Asia-Pacific Editor, Privacy Laws & Business International Report (PLBIR)

University of New South Wales Law Research Series

GLOBAL DATA PRIVACY LAWS 2017: 120 NATIONAL DATA PRIVACY LAWS, INCLUDING INDONESIA AND TURKEY^{[1], [2]}

Graham Greenleaf, Professor of Law & Information Systems, UNSW Australia

(2017) 145 Privacy Laws & Business International Report, 10 [2017] UNSWLRS 45

UNSW Law
UNSW Sydney NSW 2052 Australia

E: unswlrs@unsw.edu.au
W: http://www.law.unsw.edu.au/research/faculty-publications

AustLII: http://www.austlii.edu.au/au/journals/UNSWLRS/ SSRN: http://www.ssrn.com/link/UNSW-LEG.html

Published in (2017) 145 Privacy Laws & Business International Report, 10-13

1. 
* Valuable information and comments for this article have been received from Marie Georges, David Banisar, Andin Aditya Rahman, Alex Boniface Makulilo, Isabel Ornelas and Sebastião de Barros Vale, Pablo Palazzi, Blair Stewart, Thomas Brookes, Sophie Kwasny, Laura Linkomes and Jill Matthews. They are acknowledged with gratitude, but responsibility for all content remains with the author. Separate acknowledgments accompany the Tables. 
1 For the standards applied, Greenleaf, G ‘Global data privacy laws 2015: 109 countries, with European laws now in a minority’ (2015) 133 Privacy Laws and Business International Report, 14-17, February 2015. 
2 Greenleaf, G ‘Global Data Privacy Laws: Forty Years of Acceleration’ (2011) 112 Privacy Laws and Business International Report, 11-17, September 2011 < https://ssrn.com/abstract=1946700> 


In the past two years, the number of countries that have enacted data privacy laws has risen from 109 to 120, a 10% increase, with at least 30 more countries having official Bills for such laws in various stages of progress. These 120 jurisdictions have comprehensive data privacy laws for the private sector, public sector, or (in most cases) both, and the laws meet at least minimum formal standards based on international agreements.¹

The accompanying global Tables setting out the details of all these data privacy laws and bills, as at January 2017, (<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2992986>) are the 5th edition since 76 countries were identified as having such laws in the 2011 1st edition.2 The 4th edition identified 109 countries with data privacy laws, as at January 2015,3 and has been cited by the European Commission as the authoritative assessment of the global tally of such countries.4

Eleven new Laws

The new laws enacted in eleven jurisdictions that have been added to the Global Table of Data Privacy Laws are as follows, with brief comments on each:

2. Turkey (Data Protection Law 2016) – Turkey’s law is perhaps the most significant enacted in 2015-16, from the last OECD country and last Council of Europe country to do so. Turkey then ratified CoE Convention 108 and its Additional Protocol. By the end of 2016 all appointments to its Data Protection Board were completed.5 The extent of the Board’s independence from government, in practice, remains to be seen.
3. Qatar (Personal Information Privacy Protection Law 2016) – This significant law is the first data privacy law in a Middle-East country since Israel in 1981 to cover the whole private sector.6 Qatar is not one of the seven emirates of the UAE. The separate law in the Qatar Financial Center, with a separate regulator, will continue to apply.
4. Abu Dhabi Global Market (ADGM Data Protection Regulation 2016, made under Law 4/2013) – This special economic zone (SEZ) law is typical of previous laws for ‘financial free zones’ in UAE jurisdictions, being limited in scope to the physical location of Al Maryah Island and the ADGM jurisdiction which has its own courts and other regulations.7

• Antigua & Barbuda (Data Protection Act 2013) – Ten Caribbean laws now show the take-up of data privacy across these small jurisdictions (not included in 2015 Table). 

• Bermuda (Personal Information Protection Act 2016) – The most recent Caribbean law, it covers all sectors and requires a Privacy Commissioner. 

• Aruba (Afkondigingsblad van Aruba 2011 no. 37) – The law is an example of the Netherlands data privacy law being extended to all of its overseas territories (not included in 2015 Table). 

• Chad (Law 007/PR/2015 on the Protection of Personal Data) – This comprehensive law is complemented by Law 006/PR 2015 establishing the National Agency for Information Security and Electronic Certification as its DPA (not yet appointed). 

• Equatorial Guinea (Law 1/2016, in force 11/8/2016) – This Law covers all sectors and requires appointment of a DPA. The country’s 30-year dictatorship has one of the world’s worst human rights records. 

• São Tomé and Principe (Data Protection Law 2016) – The smallest Portuguese- speaking country now has an EU-style law covering all sectors and requiring appointment of a DPA. 

• Malawi (Electronic Transactions and Cyber Security Act, 2016) – Part VII of the Act establishes a data protection regime for both public and private sectors (not limited to e-commerce), supervised by the existing Malawi Communications Regulatory Authority. 

• Indonesia (Personal Data Protection in Electronic Systems Regulation 2016) – This regulation, in combination with the Electronic Information and Transactions Law 20088 under which it is made, means Indonesia satisfies the criteria for a data privacy law. These laws include the main data privacy principles (plus a right to be forgotten); their scope covers most of both the private and public sectors (omitting manual transactions); and there are enforcement measures by law (albeit rather weak ones).9 
With 38 new countries enacting laws in the first seven years of this decade (an average of 5.4 per year), the continuation of this growth would result in at least 54 new laws for the whole decade, a total of at least 134 by 2020. 
These totals are likely to under-estimate the number of data privacy laws to date. For example, a number of reports claim that the Comoros Islands have enacted a law, but verification has not yet been possible. It is also arguable that China’s new Cybersecurity Law meets the minimum criteria for a data privacy law10 but there are still doubts as to how it will be interpreted on two important points: the extent of its scope (particularly whether it covers most of the private sector, or only certain types of networks), and whether a right of access is implied by other rights such as a right of correction. These matters are likely to be clarified by further implementing laws,11 and it is therefore prudent to wait until that occurs, so China has not been included in the Table at this stage.

Some other countries not yet included in the Table passed major legislation during this period, but which fall short of constituting general data privacy laws. Significant examples include Brazil, where the Marco Civil does not cover all aspects of data privacy beyond the Internet and the data protection Bill has not yet been enacted, and Mozambique, where a new law has EU-like provisions but is limited to telecommunications e-commerce law.

The geographical distribution of the 120 laws by region is: EU (28); Other European (26); Africa (21);12 Asia (13); Caribbean (10); Latin America (10); Middle East (6); North America (2); Australasia (2); Central Asia (2); Pacific Islands (0). The Pacific Islands remain the only region without any Act or Bills in relation to data privacy, and the regional Pacific Islands Forum has not shown any active interest in the topic.13 European laws (54/120) are a decreasing minority of global laws (44%), compared with non-European laws (66/120). But the influence of European standards does not appear to have diminished.

A significant development in 2015-16, though not confined to any one region, is that Turkey and Indonesia, two of the world’s most populous, and most economically and politically significant Muslim-majority countries, have enacted data privacy laws. Along with Qatar (another new enactment), they join the 12 Muslim-majority countries14 which already have data privacy laws.15

Bills awaiting enactment

At least 30 countries16 have Bills with some reported government support which are awaiting enactment. These are predominantly from Africa (10), the Caribbean (8) and Latin America (7), but also a handful from Asia, the middle east, and Europe. Details of known progress is in the Table of Bills. Many jurisdictions which already have data privacy laws are also developing new Bills to strengthen those laws, including, in the EU, for implementation of the General Data Protection Regulation (GDPR) and the data protection Directive concerning Police. These have not been tabulated. The most significant example outside Europe is the draft data protection Act proposed by Argentina’s DPA, which is heavily based on the EU GDPR. It includes elements such as data breach notification, accountability, privacy by design and by default, data protection officer requirements, BCRs as the basis for transfers, and mandatory PIAs.17

Muslim-Majority Countries Comprising the Islamic World, CEW, University of Michigan 15 Albania, Azerbaijan, Burkina Faso, Chad, Kazakhstan, Kyrgz Republic, Malaysia, Mali, Morocco, Senegal, Tunisia, and Yemen.

Special economic zones are not included.

International agreements strengthen, memberships expand

2015-16 has been a period of very significant progress for international data privacy agreements, both in terms of their content, and the number of countries that have taken steps to become parties to them. The expansion of international agreements is usually something of a ‘snail race’, but in 2015-16 there has been an unusually high level of growth, as the following details show.

Strengthening content: A watershed period

The European Union’s finalisation of its move from a Directive to a Regulation (the GDPR, General Data Protection Regulation) is the most significant change in international data protection standards for more than two decades, creating a ‘third generation’ standard which will have global influence (as does its predecessor). Despite Brexit, even the UK says its data protection law will stay consistent with the GDPR. Once the GDPR was finalised, the Council of Europe was able to complete its ‘Modernisation’ of Convention 108, the standards of which can be summed up as ‘GDPR Lite’.18 These two updated European standards are likely to result in a ‘third generation’ global data protection standard, as aspects of them are also adopted by national laws, and regional agreements, outside Europe.

APEC is considering some updating of its Privacy Framework, but most likely to be along the lines of the mild 2013 changes to the OECD privacy Guidelines.

EU adequacy assessments

While not an ‘international agreement’ in the usual sense, assessments of the adequacy of a country’s data protection under the EU data protection Directive give countries a privileged position in relation to trade with the EU. The only new adequacy finding in 2015-16 concerns the USA’s ‘Safe Harbor #2’ (Privacy Shield), the legality of which has been challenged in the Court of Justice of the European Union by Digital Rights Ireland and other parties,19 and may end up being held illegal like its predecessor. The EU Commission has announced20 it will now prioritise adequacy discussions with South Korea and Japan (which have each strengthened their laws recently), with Mercosur countries,21 (presumably with an eye to Brazil’s data protection Bill), and with countries in ‘the European neighbourhood’.22 The announcement also reiterated the significance, in relation to adequacy assessments, that the EU now places on accession to Council of Europe Convention 108, and its Additional Protocoland, and on the EU completing its own membership of CoE 108.

CoE Convention 108: ratifications and accessions

In 2016, Turkey became the last Council of Europe member to ratify CoE data protection Convention 108, which is at present the only binding data protection treaty. Ratifications of

the Convention’s Additional Protocol by Slovakia brought total ratifications to 39. Mauritius and Senegal completed their accessions to the Convention and Additional Protocol, bringing the Convention’s current membership to 50.

The accessions by Morocco and Tunisia are still to be completed. Burkina Faso has requested to be invited to accede to both the Convention and its additional protocol, and this is likely to be considered by the Committee of Ministers in early 2017. The Convention Bureau is continuing discussions with various other interested countries, on both accession requests and observer status on the consultative committee. The ‘globalisation’ of Convention 108 is therefore occurring at a steady pace – given the slow rate at which treaties usually progress.

African Union Convention: 8 signatures, one ratification

The African Union Convention on Cyber Security and Protection of Personal Data (2014) has relatively high data protection standards, and a potential membership of 55 African countries.23 As at 31 January 2017, the AU’s status list (to July 2016) says 8 states had signed the Convention (Benin; Chad; Congo; Guinea-Bissau; Mauritania; Sierra Leone; Sao Tome & Principe; and Zambia), but none had ratified it. Of these eight, only three (Benin, Chad, and Sao Tome) as yet have data privacy laws. No Bills for new laws have been found for any of the other countries. However, Senegal (which does have a law) has since ratified the Convention, and is the first country to do so,24 but this is not yet listed on the AU’s status list. Since 21 African countries now have data privacy laws, ratifications could occur rapidly. The Convention needs 15 ratifications to come into force.25

Caribbean cooperation (OECS)

The Organisation of Eastern Caribbean States (OECS) is the inter-governmental organisation grouping ten countries and dependencies in the Eastern Caribbean.26 OECS aims at economic harmonisation and integration, protection of human and legal rights, and encouragement of good governance.27 One of its initiatives is a Data Protection Bill (4th draft, 2011), suitable for enactment by any OECS member. Its intended scope is ‘the processing of personal data in the context of commercial transactions’, which can include government bodies, and is broader than ‘e-commerce’. Only two OECS members have enacted data privacy laws as yet, but four have Bills for such laws (see Tables).

APEC CBPRs: 6 commitments, two operational

In 2016 Japan became a second full participant in APEC’s Cross-Border Privacy Rules system (CBPRs), joining the USA. Four of the other 19 APEC members, Mexico, Canada, Vietnam and (in 2017) Korea, have formally indicated their intention to participate, but have not yet appointed an Accountability Agent (AA).28 Canada has in 2017 called for applicants to be AAs.29

OECD’s ‘globalisation’: Zero adherences

Although the 2013 modifications to the OECD privacy Guidelines invited ‘adherence’ by non- OECD members, there are no known adherents, and none noted on the OECD website.

UN privacy commitments: Most have ratified

Renewed UN involvement in privacy has followed Edward Snowden’s mass surveillance revelations, and the appointment in 2015 of a Special Rapporteur on the Right of Privacy. Details of which countries have ratified the relevant UN agreements affecting privacy have therefore been added to the Table. Almost every country with a data privacy law that is a UN member state has ratified the International Covenant on Civil and Political Rights, 1966 (ICCPR), Article 17 of which requires parties to provide protection of law against interferences to ‘privacy, family, home and correspondence’. There are only five UN member countries that have data privacy laws, but have not ratified the ICCPR: Singapore, Malaysia and Qatar have never even signed the ICCPR, and St. Lucia and Sao Tome & Principe have each signed but have not ratified it (Sao Tome is actively considering doing so).30 China has also signed but not ratified.

The 1st Optional Protocol to the ICCPR allows individuals to make ‘communications’ (complaints) to the UN Human Rights Committee, including concerning state failures to implement ICCPR Article 17. The following 15 UN members with data privacy laws have not ratified the Protocol (in addition to the five above-mentioned): Bahamas; Gabon; India; Israel; Macedonia (FYROM); Moldova; Monaco; Morocco; Switzerland; Thailand; United Kingdom; United States; Vietnam; Yemen; and Zimbabwe.31 These countries are therefore not full participants in the international human rights system. However, by far the majority of countries with data privacy laws have also ratified both the ICCPR and the 1st Protocol. Alignment of these UN commitments with membership of other privacy agreements such, as those of the EU, AU and CoE, may become of greater importance in future years.

TPP: FTAs fail to diminish privacy (yet)

Following the Presidential election, the USA has pulled out of the Trans-Pacific Partnership (TPP) free trade agreement of eleven countries, and it cannot proceed without comprehensive re-negotiation (of which there is no sign). The TPP, if in operation, would have made it very difficult for member countries to enact laws requiring data export restrictions or data localisation.32 The texts relating to privacy of other proposed multilateral FTAs, such as the 16 country Regional Comprehensive Economic Partnership (RCEP), are not yet available, but may well pose significant future challenges for strong data privacy laws.

International Covenant on Civil and Political Rights (signatures and ratifications)

Conclusions

In the past two years, the 10% increase in countries with data privacy laws to 120, the 30 or more additional countries planning to enact such laws, and the bills to strengthen existing laws, all underline the continuing global expansion of data privacy laws. Indonesia and Turkey, countries of major significance, are now included, and it may soon be clarified that existing laws in China mean that it should also be counted. The expansion of Convention 108 beyond Europe is slowly making it apparent that it is the only viable global data privacy treaty, reinforced by developments in the EU and the African Union. These are very positive developments, but the uncertain international environment provides no guarantees that they will continue.

The next issues of this International Report will include the second part of this article, ‘Data privacy authorities (DPAs) 2017’ analysing growth of the networks in which DPAs are involved. The details of these networks are contained in the Tables located at <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2992986>.

4 European Commission Exchanging and Protecting Personal Data in a Globalised World (Communication from the Commission to the European Parliament and the Council), 10 January 2017, COM(2017) 7 final; see footnote 32.

5 Moroğlu Arseven ‘Turkey Completes Appointments to Data Protection Board’ MA | Gazette, 5 January 2017 <http://www.lexology.com/library/document.ashx?g=6906c905-a22f-4e69-9a39-9180fa7145e1> .

6 Emma Higham and Kellie Blyth ‘Qatar leads the way with new standalone data protection law‘ Clyde & Co, LLP 15 January 2017 (via Lexology)

7 ADGM website < https://www.adgm.com/>


8 For details of the 2008 Act, see Graham Greenleaf Asian Data Privacy Laws (OUP, 2014), pp. 374-388.

9 And in Aditya Rahman ‘Indonesia Enacts Right to be Forgotten and Comprehensive Personal Data Regulation’ (2017) 145 Privacy Laws & Business International Report, p.1.

10 Graham Greenleaf and Scott Livingston 'China’s Cybersecurity Law – also a data privacy law?' (2016) 144 Privacy Laws & Business International Report, 1-7

11 The right of access is in fact confirmed in the draft E-Commerce Law currently before the Standing Committee of the National Peoples Congress, but that has not yet been enacted.

12 Because there is now an African Union data protection Convention, the previous division between North Africa (grouped with Middle East) and (sub-Saharan) African has been dropped. The new division is between Africa and the Middle East.

13 Pacific Islands Forum Secretariat website <http://www.forumsec.org/> . There is a provision in a regional agreement on trade in services which contains an exception allowing State parties to enact legislation protecting the privacy of personal data: Art. 14(1)(c)(ii), Pacific Island Countries Trade Agreement (PICTA) Trade In Services Protocol, open for signature 2012 <http://www.forumsec.org/resources/uploads/attachments/documents/PICTA_TIS_Protocol_%2020Aug20131.pdf> .

14 <http://www.cew.umich.edu/muslim_majority>

16 In alphabetic order: Barbados, Belarus, Brazil, Brunei, Cayman Islands, Dominica, Ecuador, El Salvador, Ethiopia, Falkland Islands, Grenada, Guatemala, Honduras, Indonesia (further comprehensive law), Jamaica, Jordan, Kenya, Mauritania, Montserrat, Niger, Nigeria, Panama, Saint Helena, Ascension & Tristan de Cunha, Saint Kitts & Nevis, Saudi Arabia, Swaziland, Tanzania, Thailand (private sector), Uganda, Virgin Islands (Br) and Zimbabwe (private sector).

17 Pablo Palazzi and Andres Chomczyk ‘DPA of Argentina issues draft data protection BIll’ Data Privacy Laws Blog, 2 February 2017 <http://www.dataprivacylaws.com.ar/>

18 Greenleaf, G 'Renewing Convention 108: The CoE’s ‘GDPR Lite’ initiatives' (2016) 142 Privacy Laws & Business International Report, 14-17

Action brought on 16 September 2016 – Digital Rights Ireland v Commission (Case T-670/16) 20 European Commission Exchanging and Protecting Personal Data in a Globalised World, cited above.

19 <http://curia.europa.eu/juris/document/document.jsf?text= & docid=185146 & pageIndex=0 & doclang=EN & mode=lst & dir= & o cc=first & part=1 & cid=914048>

21 Mercosur, a South American customs union and trading bloc. has five member states: Argentina; Brazil; Paraguay; Uruguay and Venezuela (suspended since December, 2016). Bolivia is in the process of joining. There are no Mercosur agreements on data protection, although there is an old draft Model Bill, and the proposed EU-Mercosur FTA has not yet reached the point of drafting data protection clauses. Report of the XXVI negotiation round on the trade part of the EU-Mercosur Association Agreement, October 2016 <http://trade.ec.europa.eu/doclib/docs/2016/november/tradoc_155069.pdf> .

22 In previous editions of the Table, a number of European countries were marked “EU[I]”, on the assumption that adequacy findings were in practice irrelevant due to the country acceding to both Council of Europe Convention 108 and its Additional Protocol. These entries have now been deleted, in light of the Commission’s January 2017 ‘Communication’, and the more strict standards for adequacy implied by the Schrems decision, as discussed therein.

23 Morocco rejoined the African Union in January 2017: Ben Quinn ‘Morocco rejoins African Union after more than 30 years’ The Guardian, 1 February 2017.

24 Dr Papa Assange Touré, ‘A decisive step by Senegal towards accession to and ratification of the Budapest and Malabo Conventions’ (Observatoire-FIC.com, 2 May 2016) states that Senegal ratified the Convention in the July-November 2016 period after the Senegal council adopted bills authorising Presidential ratification of the AU Convention and the Budapest Convention on Cybercrime of 23 November 2001 (and 2013 additional protocol). <https://www.observatoire-fic.com/a- decisive-step-by-senegal-towards-accession-to-and-ratification-of-the-budapest-and-malabo-conventions/>.

25 Greenleaf, Graham and Georges, Marie, The African Union's Data Privacy Convention: A Major Step Toward Global Consistency? (October 8, 2014). (2014) 131 Privacy Laws & Business International Report, 18-21; <https://ssrn.com/abstract=2546652>.

26 OECS comprises the full Member States of Antigua and Barbuda, Commonwealth of Dominica, Grenada, Montserrat, St Kitts and Nevis, Saint Lucia and St Vincent and the Grenadines, with the British Virgin Islands, Anguilla and Martinique as associate members of the OECS

27 ‘About the OECS’, Organisation of Eastern Caribbean States website <http://www.oecs.org> Although it was started in 1981, the 2010 Revised Treaty of Basseterre created an economic union.

28 Tradeology (US International Trade Administration blog), 17 January 2017 <https://blog.trade.gov/2017/01/17/south- korea-submits-intent-to-participate-in-asia-pacific-data-transfer-agreement-the-apec-cross-border-privacy-rules-system/>

29 see Gazette <http://www.gazette.gc.ca/rp-pr/p1/2017/2017-01-21/pdf/g1-15103.pdf> at p. 242.

30
<https://treaties.un.org/Pages/ViewDetails.aspx?src=IND&mtdsg_no=IV-4&chapter=4&clang=_en > (as at 12 January 2017)

31 ICCPR 1st Protocol, ratifications

<https://treaties.un.org/Pages/ViewDetails.aspx?src=IND&mtdsg_no=IV- 5&chapter=4&clang=_en>

32 Greenleaf, Graham, The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy? in Dan Svantesson and Dariusz Kloza Transatlantic Data Privacy Relationships as a Challenge for Democracy (European Integration and Democracy series) (Intersentia, 2017); preprint at <https://ssrn.com/abstract=2732386>.

^[1] Professor Greenleaf advises there are five new countries with laws since the writing of this article in 2017: Niger; Mauritania; Comoros; Guinea (Conarky) and Cayman Islands.

^[2] Additional relevant articles include:

* Greenleaf, Graham, Global Tables of Data Privacy Laws and Bills (5th Ed 2017) (January 31, 2017). 145 Privacy Laws & Business International Report, 14-26. https://ssrn.com/abstract=2992986

* Greenleaf, Graham, ‘European’ Data Privacy Standards Implemented in Laws Outside Europe (September 3, 2017). 149 Privacy Laws & Business International Report 21-23; https://ssrn.com/abstract=3096314

* Greenleaf, Graham, Data Protection Convention 108 Accession Eligibility: 80 Parties Now Possible (August 31, 2017). 148 Privacy Laws & Business International Report, 12-16. https://ssrn.com/abstract=3062415

* Greenleaf, Graham, The UN Special Rapporteur: Advancing a Global Privacy Treaty? (August 1, 2015). 136 Privacy Laws & Business International Report, 7-9; https://ssrn.com/abstract=2672549