Assessing Global Data Privacy Laws: 50 Years of Evolution
Generations of data privacy principles are examined in a comprehensive assessment of global data privacy laws over the last 50 years. The study delves into the foundational principles, enforcement effectiveness, and the impact on reversing surveillance capitalism, amidst the backdrop of global technological regulation competition. Insights are drawn from an ongoing project aiming to make sense of half a century of data privacy laws, exploring the origins, evolution, and varying regulatory models influencing digital empires.
Uploaded on Mar 13, 2025
Presentation Transcript
Assessing global data privacy laws after 50 years
Part I: Generations of Principles
Graham Greenleaf, Independent Scholar; Senior Researcher, AustLII
Asian Privacy Scholars Network (APSN) Conference, Taiwan, August 2024
Scott McNealy, CEO of Sun Microsystems, famously said in 1999: "You have no privacy anyway. Get over it!"
An ongoing project: Making sense of 50 years of data privacy laws
Challenge: reconciling ubiquitous global DP laws and many international instruments (sets of principles).
Step 1: Identify distinct sets of data privacy principles.
Step 2: Locate national laws in relation to their enactment of principles: which principles do laws show are "standards", over time?
Step 3: Assess effective enforcement of laws (3 approaches).
Step 4: Assess whole privacy regimes (principles + enforcement) against our objectives of regulation, taking into account changes between 1970 and 2020.
Step 5: How can data privacy laws help reverse surveillance capitalism?
Context: Part of global competition in technology regulation
Data privacy (DP) laws are obviously part of technology regulation, but why are they important?
Bradford (2023): DP regulation is a major element of 3 competing regulatory models, or "digital empires":
1. American market-driven model (maximising non-interference to support innovation);
2. Chinese State-driven model (maximising State interests);
3. European rights-driven model (maximising protection of individual interests).
Empires compete for global hegemony via laws (including DP laws), infrastructure and surveillance technologies. DP laws are present to differing extents in countries which are parts of all 3 empires.
Half-century of Data Privacy Laws
Origins: 50 years since the first data privacy law.
- Hessen, Germany: Datenschutzgesetz 1970. First separate law setting out data protection rules; first data protection authority (DPA: Spiros Simitis); origin of the term "data protection" (Datenschutz).
- Sweden: Datalag (Data Act) 1973. First national data protection law, and DPA; based around a registration system.
Ubiquity (August 2024): 167 national laws.
- Since 2014, the majority of laws are from outside Europe.
- By 2022, only 16% of laws (27/167) are from the EU.
- A few only cover either the public or the private sector, not both.
167 Countries with data privacy Laws (to August 2024)
[Map; key: Comprehensive / Public only / Private only / Most Private / Bills]
Plus 20+ new countries with Bills; and many with Bills to revise laws.
Toward data protection saturation
Details in my 2023 Tables and articles.
New laws: rate of growth increasing.
- Average 3.2 new laws per year since 1973, but average 5.5 laws per year in the 2010-19 decade.
- New laws by decade: 10 / 10 / 20 / 40 / 60 / ??
- Total laws by decade: 10 / 20 / 40 / 80 / 140 / ??
- Most laws also revised (strengthened) at least once.
Common features of these laws:
- 90% have a separate Data Protection Authority (DPA).
- 80% have data export restrictions depending on the law of the recipient.
(Main) International data privacy instruments
1. 1970s CoE resolutions
2. 1980 OECD Guidelines
3. 1981 CoE Conv. 108
4. 1990 UN Gen. Ass. GLs on Computerised Files
5. 1995 EU general DP Directive
6. 2001 CoE 108 Add. Protocol
7. 2004 APEC Privacy Framework
8. 2010 ECOWAS Treaty Supp. DP Act
9. 2012 APEC CBPRs
10. 2013 OECD Revd. GLs
11. 2014 African Union DP & cybercrime Convention
12. 2016 EU GDPR
13. 2016 ASEAN Framework
14. 2017 RIPD Standard for Ibero-American States
15. 2018 CoE Conv. 108+
16. 2022 Commonwealth Model Clauses
17. 2024 EU AI Act
Italics = Not binding or Not-yet-in-force; Bold = Most influential.
Relationship between national data privacy laws & international standards
Task: How to make sense of 167 laws & 17 agreements?
Step 1: Identify principles in key international agreements. These fall into 3 generations of principles, 1980-2018. Cumulative: each generation assumes its predecessors. A generation of principles is also called a "standard".
Step 2: Map principles in the (167) laws against those in the 3 generations of principles, to enable:
- one rational comparison of national laws: how many international principles does each law embody?
- a more detailed analysis of each country than Bradford's 3 Empires;
- one form of assessment of the extent to which each principle has been adopted globally (or regionally).
BUT this only considers the law "on the books" (formal).
Generations of data privacy principles
1st Gen: Basic principles (1980-1994). Standards 1.01-1.10, based on OECD GL 1980 & Conv 108 1981.
2nd Gen: Current global standards (1995-2018). Standards 2.01-2.10, based on EU Directive 1995 & Conv 108 Add. Protocol 2001.
3rd Gen: New global candidate standards (2016-??).
- Common European Standards 3.01-3.10, based on both EU GDPR 2016 & Conv 108+ 2018.
- EU Additional Standards 3.11-3.18, based on EU GDPR 2016, but not included in CoE 108+ 2018.
Only 6/17 international instruments were essential to the 3 standards. The other 11/17 instruments have reinforced these 3 standards. None of the other 11/17 has contributed anything additional to international standards (Exception?: OECD 2013 MDBN? - No).
I. 1st Generation: OECD/Conv 108 common standards post-1980 (with references to the OECD Guidelines and Convention 108)
1.01 Collection: limited, lawful and by fair means; with consent or knowledge (OECD 7; C108 5(a),(c))
1.02 Data quality: relevant, accurate, up-to-date (OECD 8; C108 5(c),(d))
1.03 Purpose specification: by time of collection (OECD 9; C108 5(b))
1.04 Uses limited (including disclosures) to purposes specified or compatible (OECD 10; C108 5(b))
1.05 Security: through reasonable safeguards (OECD 11; C108 7)
1.06 Openness: re personal data practices (not limited to data subjects) (OECD 12; C108 8(a))
1.07 Access: individual right of access (OECD 13; C108 8(b))
1.08 Correction: individual right of correction (OECD 13; C108 8(c),(d))
1.09 Accountable: identified data controller accountable for implementation (OECD 14; C108 8)
1.10 Data export limits: allowed only if recipient country does not have equivalent protection, or to avoid circumvention by onward transfers (OECD 15; C108 12)
Enactment of 1st Generation standard: the definition of a data privacy law
10 principles common to OECD Guidelines 1980 & CoE Convention 1981.
A country (including any independent legal jurisdiction) is considered to have a data privacy law if it has law(s):
- covering most important parts of its private sector, or its public sector, or both;
- defining personal data in terms of identifiability;
- providing a set of basic data privacy principles approximating these 10 principles, including: individual participation (right to access and correction: 1.07 & 1.08); finality (uses and disclosures limited by the purpose of collection: 1.01, 1.03, 1.04); security (1.05); at least two of the other four principles (1.02, 1.04; 1.06; 1.10);
- with some method(s) of officially-backed enforcement (i.e. not only self-regulation).
All 167 countries' laws meet these criteria; a widely accepted test. This categorisation only requires a law "on the books"; it says nothing about the extent to which a law is or is not effective.
II. 2nd Generation: Current global standards post-1995 (with references to the EU Directive and Conv 108 + Additional Protocol)
2.01 Minimum collection necessary for the purpose (not only "limited") (data minimisation) (Dir 6(1)(b),(c), Dir 7; C108 5(c))
2.02 Destruction or anonymisation of personal data after purpose completed (Dir 6(1)(e); C108 5(e))
2.03 Additional protections for sensitive data in defined categories (Dir 8; C108 6)
2.04 Legitimate bases for processing defined [Weaker: general requirement of fair and lawful processing (not only collection)] (Dir 7 [Dir 6(1)(a)]; C108: none [C108 5(a)])
2.05 Additional restrictions on some sensitive processing systems (notification; prior checking by DPA etc) (Dir 20; C108: none)
2.06 Limits on automated decision-making (incl. right to know processing logic) (Dir 15, 12(a); C108: none)
2.07 Right to object to processing on compelling legitimate grounds, including to opt out of direct marketing uses of personal data (Dir 14(a),(b); C108: none)
2.08 Restricted data exports required, based on recipient country protections, or alternative guarantees (Dir 25, 26; C108 AP 2)
2.09 Independent Data Protection Authority(-ies) (DPA) (Dir 28; C108 AP 1)
2.10 Recourse to the courts to enforce rights (incl. compensation, appeals from DPA decisions) (Dir 22, 23; C108 AP 1(4))
Enactment of 2nd Generation Principles
2nd Gen = 10 principles required by EU Directive 1996, but not by the 1st Gen standard.
- All 27 EU countries (+3 EEA) assumed to have enacted 10/10.
- Additional 18 European Parties of Conv. 108 should have enacted at least 8/10 principles.
- 2011 analysis of 33/39 non-European countries with data privacy laws showed average enactment of 7/10 principles.
- 2021 (unpublished) study of enactment in the top 50% by GDP of countries with DP laws: non-European countries (43/86) = 6.6/10; non-EU/EEA countries (50/100) = 6.8/10.
Conclusion: The current global standard is most of the second generation principles (approx. 7/10). 2nd Gen is not a guarantee of adequacy or of accession to C.108.
Step 3 (cont): Interpreting similarity
Correlation does not imply causation, so similarity of principles must be interpreted cautiously. Three types of interpretation are common:
1. Coercive: e.g. advantages of EU adequacy (Japan; Korea).
2. Normative: GDPR seen as "gold standard" (Thailand).
3. Mimetic: habitual "cut and paste".
4. Independent creation due to similar causes, e.g. similar technological and social changes.
5. Indirect coercion via regional standards: African laws in ECOWAS member states; Latin American DPAs' RIPD Standard.
Any combination of these five factors may be explanatory. The history of each country & region will suggest differing answers.
Where does a law's principles fit in relation to the 3 generations? Normative emulation of the EU DPD and GDPR has grown (the "Brussels effect").
Enactment of 2nd Gen. Principles (2021)
Principles enacted in at least 75% (37) of the 50 countries outside the EU assessed (2021):
- deletion requirements (2.02: 43/50);
- specialist data protection agency (2.09: 43/50);
- destination-based export restrictions (2.07: 40/50);
- additional protection for sensitive data (2.03: 40/50);
- recourse to the courts (2.10: 37/50).
Principles least enacted:
- limits on automated decision-making (2.06: 21/50);
- additional restrictions on some sensitive processing (2.05: 21/50).
2nd generation standards in Asian laws (2019) (outdated slightly due to post-2019 laws)
Each row gives: the 2nd Gen. current global standard; EU Directive / GDPR references; the Asian laws including the principle (of 15 countries); and the number of such laws.
1. Data retention limits (destruction or anonymisation) after processing achieved. EU Dir 6(1)(e); GDPR 5(1)(e). Bhutan, HK, Indonesia, Japan, Korea, Malaysia, Macau, Philippines, Taiwan, Singapore, Thailand, Vietnam, Sri Lanka. No.: 13
2. Recourse to the courts to enforce data privacy rights (incl. compensation, and appeals from decisions of DPAs). EU Dir 22, 23; GDPR 78, 79, 82. Bhutan, China, HK, India, Indonesia, Korea, Macau, Philippines, Taiwan, Singapore, Thailand, Vietnam, Sri Lanka. No.: 13
3. Minimum necessary collection for the purpose (not only "limited"). EU Dir 6(1)(c), 7; GDPR 5(1)(c). Bhutan, China, HK, India, Korea, Malaysia, Macau, Taiwan, Singapore, Thailand, Sri Lanka. No.: 11
4. Restricted data exports based on data protection provided by recipient country ("adequate"), or alternative guarantees. EU Dir 25; GDPR 44-49. China, India, Japan, Korea, Malaysia, Macau, Singapore, Thailand, Taiwan, Sri Lanka. No.: 10
5. Specialised Data Protection Authority(-ies) (DPA) required. EU Dir 28; GDPR 51-59, 77. Bhutan, HK, Japan, Malaysia, Korea, Macau, Philippines, Singapore, Thailand, Sri Lanka. No.: 10
6. Additional protections for sensitive data in defined categories. EU Dir 8; GDPR 9, 10. Bhutan, China, Japan, Korea, Malaysia, Macau, Philippines, Taiwan, Thailand, Sri Lanka. No.: 10
7. Rights to object to processing, including to opt out of direct marketing uses of personal data. EU Dir 14(a), (b); GDPR 21. Bhutan, China, HK, Korea, Malaysia, Macau, Taiwan, Thailand, Vietnam, Sri Lanka. No.: 10
8. General requirement, and exhaustive definition, of legitimate processing. EU Dir 6(1)(a); GDPR 5(1)(a), 6. Bhutan, China, Korea, Malaysia, Macau, Philippines, Taiwan, Thailand, Sri Lanka. No.: 9
9. Prior notification to or checking by DPA of some sensitive processing. EU Dir 20; GDPR 36. HK, Japan, Korea, Malaysia, Macau, Sri Lanka. No.: 6
10. Limits on automated decision-making (incl. right to know processing logic). EU Dir 15, 12(a); GDPR 22. China, Macau, Philippines, Sri Lanka. No.: 4
Total: 96. Average over 14 countries = 6.4/10 principles.
IIIA. 3rd Generation: Common European Principles (with references to the GDPR and Conv 108+)
3.01 Data protection by design and by default (GDPR 25; C108+ 10(2)-(4))
3.02 Demonstrable accountability by controllers (GDPR 5(2); C108+ 10(1))
3.03 Data breach notification to DPA for serious breaches (GDPR 33; C108+ 7(2))
3.04 Direct liability for processors as well as controllers (GDPR 28-31; C108+ 7(1), 10(1))
3.05 Stronger consent requirements, including unambiguous and unbundled; special conditions for children's consent (GDPR 7, 8; C108+ 5(2))
3.06 Proportionality required in all aspects of processing (GDPR passim; C108+ 5(1), 10(4))
3.07 DPAs to make decisions and issue administrative sanctions, incl. fines (GDPR 58(1); C108+ 12)
3.08 Biometric and genetic data require extra protections (GDPR 9; C108+ 6(1))
3.09 Stronger right to erasure, incl. "to be forgotten" (GDPR 17, 19; C108+ 9(1)(d),(e))
3.10 DPAs must cooperate with other DPAs in resolving complaints with international elements (GDPR 50; C108+ 16-21)
IIIB. 3rd Generation: GDPR additional principles (GDPR references; none of these appear in CoE 108+)
3.11 Mandatory Data Protection Impact Assessments (DPIAs) for high-risk processing (GDPR 35, 36)
3.12 Extra-territorial jurisdiction, where goods or services offered, or behaviour monitored (GDPR 3)
3.13 Extra-territorial controllers or processors must be represented within the jurisdiction (EU/other) (GDPR 27)
3.14 Right to data portability (UGC / other) (GDPR 20)
3.15 Mandatory Data Protection Officers (DPOs) for sensitive processing (GDPR 37-39)
3.16 Data breach notification to data subjects (if high risk) (GDPR 34)
3.17 Representative actions before DPAs or courts by public interest privacy groups (GDPR 80)
3.18 Maximum administrative fines based on annual turnover, global or local (GDPR 83(4)-(6))
Outside the EU, we can already identify at least 200 instances of these 3rd generation principles implemented in the top 50% by GDP of countries with data privacy legislation.
Convergence: What is the current global standard for data privacy laws?
Mid-2021 analysis of the top 50% (ranked by GDP) of countries outside the EU with data privacy laws shows:
1. All laws include the 10 1st Gen. principles found in both the 1980 OECD Guidelines and the original 1981 Council of Europe Convention (the foundations).
2. The 10 extra 2nd Gen. principles in the 1995 EU Data Protection Directive (DPD) and revised Conv 108, going beyond the 1st Gen.: outside Europe, each law enacts 6.6/10 2nd Generation principles; including non-EU Europe, each law enacts 8/10.
3. The 18 new 3rd Gen. principles in the 2016 EU GDPR (with 10 also in 108+): outside Europe, each law enacts 4.1/18 3rd Gen. principles; including non-EU Europe, each law enacts 8/18.
Convergence (cont.)
Globally, data privacy laws are converging on principles originating in European instruments: the current global standard is 16/28 principles from Conv. 108/108+ and DPD/GDPR; the standard outside Europe is 10.7/28.
- No new principles originating in Africa, Asia, LatAm etc.
- New and revised laws converge closer to these standards.
Bradford's 3 empires may become 2:
- USA's market-based model is adopting more EU-style rights-based regulation (California; many other states).
- China's state-driven model is successful and expanding (Russia); private sector competition is required to adopt consumer rights.
- EU's rights-driven model becomes more global every year.
Competition between standards?
1. The 1st Generation family ("low standards"): OECD Guidelines (1980/2013); APEC Framework (2004/2017); Global CBPRs (2012); ASEAN Framework (2016).
- All based on OECD 1980 standards + little more; data retention (2.02) & MDBN (3.03) the only additions.
- All Asian countries with laws have higher-standard Acts/Bills.
2. Failed APEC/Global Cross-border Privacy Rules system:
- Only requires APEC Framework (2004/17) compliance.
- Japan & Singapore's laws (only) allow exports based on CBPRs compliance.
- EU's Japan adequacy Decision: CBPRs cannot be the basis for data exports; Japan excluded EU-origin data from CBPRs.
- Renamed "Global" but nothing has changed. After 10 years, only 3 countries fully participating!
APEC-CBPRs has only 3 full participants after a decade (as at 04/24): who benefits? (Now "Global CBPRs", but no change.)
Columns: APEC economy; year approved to join; year Accountability Agent(s) appointed; No. of companies certified.
USA: 2012; 2013; 36
JAPAN: 2014; 2015; 3
CANADA: 2014; -; -
MEXICO: 2014; -; -
KOREA: 2016; 2019; 0
SINGAPORE: 2017; 2019; 6
TAIWAN: 2018; 2021; 0
AUSTRALIA: 2018; -; -
PHILIPPINES: 2019; -; -
OTHER 10 APEC members: -; -; -
Conclusions: Can data privacy principles declare victory?
40 years since the two 1st generation international agreements:
- OECD/APEC/CBPRs branch remains frozen in the low 80s standards.
- Conv 108/DPD/GDPR branch has evolved into much higher European standards, the 2nd and 3rd Generations.
50 years of national laws: becoming ubiquitous (167+); not a European thing.
- Non-European countries have enacted European standards (2nd & 3rd Generations) to a significant extent: the "Brussels effects".
- Europe's ideological victory: the hegemony of data privacy principles over "free flow", in the language and ethics of both government and business.
2 unresolved issues:
- Will Free Trade Agreements (GATS art. XIV(c)(ii)) stop export limits?
- What effect will AI practices and AI regulation have? Will a European-led 4th Generation of principles emerge? Or will AI's voracious big data appetite destroy data privacy principles?