Users of online services have an expectation of how their personal data will be used. Still, with the internet linking users with services around the world, the reality is that the rules and regulations depend on where in the world you are. A US citizen accessing a service based in the European Union can expect significantly different personal data protection than if they accessed a similar service located in China. This article will look at how data privacy varies worldwide and provides our own assessment of which countries offer the best protection and which, in our opinion, the worst.
Contents
Privacy as a concept in the US was defined as the right to be left alone. It became a fundamental human right in the 1940s. With the growth of the internet, technology has been developed to collect personal information by tracking and monitoring users' actions as they use online services and browse websites. This led to the need for data privacy.
Data privacy is basically how an individual's personal information is collected, handled, shared, and stored. In some countries, robust legislation and regulations provide individuals with safeguards for their personal data. These rules cover how individuals, organizations, and the government themselves can deal with an individual's personal data. There are other countries where robust legislation and regulations do not exist, and individuals need to actively protect their personal data from misuse. Then there are those countries where the government and its state-controlled bodies deny individuals the fundamental privacy rights that most of us would expect.
Those countries with data protection regulations have done so to give individuals rights over how and why their personal data is used. It also gives rights over who can use it. More importantly, they also give individuals the right to prevent their personal data from being used unless there is a good reason. For example, law enforcement bodies acting on a court-issued warrant needing access to information.
At a fundamental level, it is merely information that relates to a living and identifiable individual. This can cover identifying information such as names, addresses, email addresses, phone numbers, IP addresses, and social security numbers. It may also include personal information about that individual, such as gender, race, political affiliations, and medical conditions. The exact legal definition of what is covered by the term personal data will vary from country to country due to the differences in each country's data privacy regulations. Where countries have no data privacy regulations, there will be no legal definition of personal data.
In practice, even in countries with robust data privacy regulations, the definition of personal data is not straightforward. For example, a list of names and addresses will meet the criteria for personal data. Suppose the names are replaced with numeric identifiers to break the link between the address information and an identified individual. Under the EU's General Data Protection Regulation (GDPR), this still counts as personal data. The pseudo-anonymization process is not sufficient to prevent the address information from being linked back to an individual. If the data set is genuinely anonymized, only then does it cease to be defined as personal data under GDPR.
Data privacy is having robust data protection regulations and the measures to ensure personal data is managed in compliance with those regulations. The problem is that the internet is a global service, but each country has its own data privacy approach. Data privacy can be encapsulated as a set of core principles. These are:
Undemocratic countries with oppressive state control typically fail the first two core principles, making having regulations in place irrelevant to data privacy for individuals. Democratic nations that abide by the first two core principles but have no formal rules in place provide no mechanisms for individuals to control who collects and processes their personal information. Similarly, having regulations in place but no means or appetite for enforcement with meaningful penalties for non-compliance offer individuals little protection. The lack of governmental enforcement may, worst case, leave individuals having to use the courts to seek redress for misuse of personal data. This can result in a two-tier state where only those with the resources to take legal action are afforded data privacy protection.
Every time you go online to use a service or purchase a product, you hand over personal information. This may be information you knowingly share, like your name and address, to arrange delivery. Or it may be information like your computer's IP address and browsing history that you do not know has been collected. Without rules to govern what can and cannot be collected, with and without consent, individuals may have no idea what information they have shared and where it will end up.
Where an individual provides their personal data, then the following rights should be afforded to individuals. These rights form the basis for the more robust data protection regulations, though not all countries with such laws afford all these rights.
The collection of biometric data and the use of technologies such as facial recognition is increasing across the world, both for law enforcement and state monitoring purposes. Many countries seek to balance individual privacy with national security needs. However, some countries actively use technology to remove the right to privacy and enact state-wide control of their population through behavioral monitoring and analysis techniques.
Personal data is precious for commercial organizations seeking to gain a competitive advantage. Targeted advertising is significantly more effective than more general advertising techniques. Adverts destined to be shown on television channels are tuned to appeal to the typical audience's demographics for the television programs being broadcast when the advert is scheduled to be transmitted. Online collection and processing of personal data on a mass scale using multiple diverse sources allow advertising companies to build up detailed knowledge on a vast section of the population's lifestyle and purchasing habits. They can do this with a granularity that allows adverts to be directed at individuals rather than a specific demographic. While this may sound great in theory, receiving adverts for products you are likely to be interested in does have its downsides.
The internet is awash with criminal elements, be that an opportunist individual or organized crime syndicate. Personal data has value for activities such as identity theft or fraud. Impersonating any individual will allow a criminal to either steal from them or use their identity to trick a person or business into performing some action to the criminals' benefit. Stolen personal data is collected and aggregated until there is sufficient information to commit a crime. Stolen personal data is also made available for sale on the dark web. The chances are that once an individual has been targeted once, they can expect multiple follow-on attacks.
The assessment of how much protection an individual is afforded in any one country depends on the different threat actors seeking to exploit personal information. These can be the country's own government agencies looking to monitor and control its citizens, be that for national security and law enforcement purposes to implementing behavioral monitoring, racial profiling, and oppressive control. These can be commercial companies looking to gain a marketplace advantage with target advertising. The final group is criminals looking to steal personal data for use in the execution of a crime.
The countries with the best data privacy ratings will be those that exercise reasonable and proportional government. They offer individuals control over how commercial companies their personal data and provide the laws to minimize data theft risks.
There are many sources of data available that rank countries for data privacy, data protection, and personal freedoms. Each has different rankings for the top and bottom countries that reflect how the data is biased towards a particular aim. Here, we look at whether the country has robust data privacy legislation. Does it enforce that legislation? Does that legislation afford protection from the government itself and controls over commercial use and security against criminal misuse?
While there are currently 194 countries globally, the UN report that only 128 have any form of data privacy legislation or regulations. This leaves 66 countries that offer their citizens no legal data privacy protection. These include some of the larger countries where internet use is rapidly expanding and established centers for commerce. The list includes:
Based on the ranking criteria we have set out, the results of our qualitative assessment have identified the following top five countries
OK, so the European Union isn't a country. Still, its member states all have data privacy regulations that encompass GDPR with minor tailoring to the rules in areas such as national security. As such, rankings of data privacy protections would be dominated by a list of EU member states. This is why we've grouped them all together. It's also worth mentioning that although the UK is no longer an EU member state, its data privacy regulations have not changed since it was a member. They continue to incorporate the GDPR principles with no immediate plans for change.
The European Union is arguably home to the countries with the best data privacy with the introduction of the GDPR into all member states' data protection legislation. It defines strict limits to what anyone who manages personal data can and cannot do. It enshrines individuals' rights into laws backed up with financial and criminal penalties for wrongdoing. The main feature of GDPR beyond previous privacy laws was all EU citizens' personal data was protected. This protection is irrespective of where that personal data is collected, processed, or stored. This had enormous implications for US companies with European customers. They were required to comply with regulations outside of their own legal jurisdiction. This prompted many companies to move the processing and storage of European customers' data into European located facilities. It even results in some US companies ceasing to deal with customers in the European Union.
Iceland has a long history of data privacy regulations. Although it is not part of the European Union, its legislation was updated to incorporate all the requirements of GDPR, so it provided its citizens with the same levels of protection. However, the regulations are backed with financial and criminal penalties for non-compliance, with the potential for a three-year jail sentence for the most severe violations. This has gained it a reputation for being one of the world's best countries for data privacy.
Norway has implemented robust data privacy regulations. Although it is not part of the European Union, its legislation addresses the requirements of GDPR. It is designated by the EU as having equivalence. The regulations are focused on protecting individuals' data privacy and freedoms of speech. They include provisions for additional safeguards for personal data related to legal and medical information. Monitoring of protection compliance is the responsibility of the Norwegian Data Protection Authority. As an independent public authority, it can impose financial penalties for non-compliance.
Japan has strong data privacy laws comparable with GDPR, to the extent that there is an agreement on reciprocal adequacy between Japan and the EU for specifically identified companies within these countries. Japan's data privacy protection extends to commercial companies operating outside of the country that process Japanese citizens' personal information. It also protects any personal information of non-residents when processed in Japan.
Switzerland has guaranteed its citizens the right to privacy under its constitution and enacted regulations. The Swiss Federal Data Protection Act (DPA) prohibits personal data processing without the individual's consent the data relates to. While these regulations are comparable with GDPR and have been assessed as adequate by the EU, there are significant differences. Individuals have fewer rights to how data is handled once consent has been given. Some rights regarding correction and deletion of personal data are covered outside of the data privacy regulations through Swiss civil law. Also, the penalties for violation of the data privacy regulations are less severe than for GDPR.
Based on the ranking criteria we have set out, our qualitative assessment of the countries with privacy protection has identified the following bottom five countries. Those countries without any privacy protection legislation are not listed. Indeed, countries that do not allow citizens' privacy rights, such as North Korea, are also not included here.
With its development as a regional center for a wide range of business sectors, Malaysia offers its citizens' data privacy protections through the Personal Data Protection Act (PDPA). This is comparable with the EU's GDPR for personal data that is processed within Malaysia. However, through its national identity card scheme, the Malaysian government collects personal and biometric information on all citizens with little control over how that data is used and shared. The shared information includes sensitive medical and financial information. This is aggregated in a single location all the information a malicious person would need to commit identity theft, fraud, embezzlement, and coercion. Security controls are also lacking in some Malaysian organizations, with recent major data breaches of patient records and customer information in the telecommunications and air travel sectors.
India has no single comprehensive data privacy regulations. Instead, various aspects that fall under data privacy protection are distributed amongst other legislation that does not have a data privacy focus. This includes specific rules covering the banking and healthcare sectors. There is also no particular authority is responsible for enforcing data privacy regulations. India has a prominent position in the off-shore data processing market. However, its data protection regulations have been assessed by the EU as not providing an adequate level of protection. Privacy is also compromised by linking the national Aadhaar based biometric identity card with personal information, including financial details. This has raised concerns that the government would have complete access to each citizen's online activities, including purchases, travel booking, and financial transactions. Also, reported breaches of information from government systems have demonstrated controls to protect this enormous aggregation of personal data collected from the citizens are inadequate.
Thailand could join the countries with adequate data privacy protection thanks to the Personal Data Protection Act (PDPA). This would bring in controls equivalent to GDPR, backed with financial and criminal penalties. However, although this act has been approved by the National Legislative Assembly, a royal decree has delayed its introduction. This highlights the limitations of regulatory controls in the country and their ability to be bypassed. The Thai government has also enacted some of the strictest censorship laws that severely restrict freedom of expression. Custodial sentences are routinely applied to those arrested and prosecuted for publishing views that violate the government rules. These include criticizing a member of the Thai monarchy. They also include simply agreeing with such sentiments. The Thai government also routinely monitors online activity on a mass scale.
Russia undertakes widespread monitoring of the online activity of internet users. It has some of the strictest laws on where commercial organizations operating within Russia can store personal data to maximize state monitoring capabilities. There are moves towards creating a state-controlled internet service where only approved services are permitted, and content can be more easily censored. The Russian Federal Law on Personal Data provides citizens with data privacy protection from commercial organizations. These include rights to access their personal data and limited controls on how the data may be used. However, where personal data has been lawfully collected, individuals have very little control over how it may be used. Rules are mainly restricted to processing related to direct marketing.
China has strict access controls and undertakes widespread monitoring of internet users' online activity, offering little to no privacy from state agencies. This includes restrictions on where commercial organizations operating within Chinese territories can store personal data to maximize state monitoring. Of most significant concern is that data interception, collection, processing, and sharing by state agencies has no judicial oversight, court orders are not required. However, China has recently introduced a cybersecurity law and guidance in the form of a Personal Information Security Specification to govern how commercial organizations manage customer data. While the regulations are simple compared to the EU's GDPR, it represents a recognition that personal data requires protection from misuse by commercial and criminal organizations. There are significant weaknesses. For example, data retention specifies minimum periods but not maximums. There are also no controls on sensitive private data. For example, medical records can be used for research purposes without consent. On the plus side, the movement towards consumer protection is expected to be followed by positive changes in other countries in Asia that look towards China for direction or are influenced by its behavior.
The US may be the home to most large online organizations, but it has some of the least integrated data privacy regulations. There are currently no countrywide federal data privacy regulations in place. Instead, rules exist for specific business sectors such as the Health Insurance Portability and Accountability Act (HIPAA) or Gramm–Leach–Bliley Act. Some states also have regulations such as the California Consumer Privacy Act (CCPA) and the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act. There are plans for federal privacy regulations with the proposed Data Care Act, which, if enacted, would help consolidate data privacy protections for US citizens. Currently, laws vary significantly from state to state. Commercial organizations are given free rein to self-police data collection and processing processes, often to their advantage rather than individuals' protection.
Canada has reasonable data privacy laws but is currently making them more robust, bringing them into line with GDPR by bringing in the Digital Charter Implementation Act. This will draw on the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act to provide comprehensive data privacy regulations. The legal protection will be backed up with financial penalties similar to GDPR in scope. However, individual provinces in Canada also have different data privacy regulations that complicate enforcement and compliance.
The use of the internet is becoming more widespread as governments and commercial organizations move services online to make processes more efficient and provide a broader reach. These moves have enormous implications for data privacy. It forces individuals to use online services, putting more of their personal information into the electronic world. More people submitting more information feeds the world of big data, where collated and aggregated data inform government policies, commercial activities, and organized crime. Without regulations on how data is collected and shared with third parties, individuals have no control over their personal information. They lose their right to privacy and lack essential protection when using eCommerce services.
While a significant percentage of countries in Europe and the Americas have data privacy regulations in place, Africa and Asia are lagging behind. This reflects the maturity of the use of online services around the world. Hence, as internet coverage becomes more widely available across Africa and Asia, the trends show that data privacy regulations tend to follow. The exception is those countries with oppressive regimes where there is no desire to provide its citizens with protection at the governmental level.
A Practical Guide to Data Privacy Laws by Country (i-sight.com)
Data Privacy Laws & Government Surveillance by Country (comparitech.com)
DLA Piper Global Data Protection Laws of the World - World Map (dlapiperdataprotection.com)
Data Protection & Privacy 2020 | Global Practice Guides | Chambers and Partners
2020 World Press Freedom Index | Reporters Without Borders (RSF)