Countries With the Strictest Data Privacy Laws

It seems like the time for tech companies running amok is over.

Barely a few weeks into 2019, Google was fined 50 million euros in France under the newly passed General Data Protection Regulation for failing to convey to its users how their data is used across popular services like Google Maps and YouTube.

We have a feeling this is only the beginning. As more and more people grow increasingly concerned about data privacy online, governments are finally starting to catch up to protect their citizens’ virtual welfare. Or that’s the theory, at least.

Here are just a few examples of the strictest regulations in existence so far. We’ll add to the list as new laws are passed.

artmotion.eu data risk score per country

But First… How Do We Interpret Privacy Law?

Back in colonial America, there was a law to protect your personal information by preventing others from eavesdropping in your home. This was further developed in 1890 in an article called Right to Privacy published in the Harvard Law Review.

This highly influential document argued for the “right to be left alone,” which became an early definition of privacy in the U.S.

In 1948, privacy became a fundamental human right. Countries such as the United States, Germany, and the United Kingdom, along with conventions and organizations such as the Organisation for Economic Co-operation and Development (OECD), helped develop laws and programs that became the basis for the privacy laws we know today.

As online technology develops, new legislation is proposed on a regular basis to accommodate these changes and keep private companies in check.

Different countries take different measures to secure the information of their citizens. The following countries’ policies can give you some inkling of how universal privacy laws might change over time.

Data Privacy Law in the US


Although the U.S. is home to most of the tech giants in the world today, it does not have a sweeping federal data privacy law. In fact, the country is only just beginning to discuss this seriously after the consequences of Facebook’s involvement in the 2016 election.

Last year, the Senate introduced the Data Care Act. If this gets passed, it will act as the equivalent of GDPR in Europe.

Let’s take California as an example since, among the 50 states, California is leading the path toward stricter privacy laws.

In 2018: The state approved the California Consumer Privacy Act of 2018 (CCPA) that will take effect in 2020.

What it does: The law requires Californian companies to reveal what data they’ve collected from users, as well as inform their consumers how and why it was collected. Consumers are also given the right to request and delete personal information that companies have collected.

Also, if consumers decide that their information is not for sale, they can opt out. The CCPA sets an example for other states to follow to safeguard the privacy of their residents.

Why it matters: Since California is home to Silicon Valley, privacy advocates have been pushing for the Senate to legitimize their movement for years.

Not only does this law establish accountability for companies, but it’s also a forward step for consumer welfare in the States as well as the rest of the world.

Data Privacy Laws in Europe

The European Union has laws that all its members must adhere to, and the General Data Protection Regulation (GDPR) is one such example.

In 2018: The EU passed the GDPR in May, establishing a historic precedent for data privacy law worldwide.

What it does: Like the CCPA, it requires companies to clearly state what user data will be collected. The company’s use of the collected data must also be made known to their consumers.

Photos posted as a minor can also be deleted from a social network. What’s more, the social network is required to inform search engines and other websites that the photos should be removed.

Violators can face fines up to 20 million euros or 4% of their annual global revenue.

The regulation applies to all individuals living in the 28 member countries of the European Union. Even if the data is being processed elsewhere, the regulation will protect the personal information of those consumers.

Why it matters: Publishers, universities, SMBs, and even Silicon Valley tech giants outside the EU are affected by the regulation if they have users living in the EU. The GDPR gives companies several options for complying with the rule.

For instance, companies can revise their privacy policy globally or create a separate application that follows the GDPR. They may also discontinue their services for their European consumers or shut down completely.

A good example of this is Gravity Interactive and Uber Entertainment. The two video game companies are headquartered in America and have European users. To comply with the GDPR, Gravity Interactive blocked all European users from their games. On the other hand, Uber Entertainment shut down its once popular Super Monday Night Combat game entirely once GDPR rolled out.

We may see smaller companies shutting down their services in Europe to avoid these fines. But since the GDPR is still reviewing tons of cases, we can expect more companies to receive fines over the coming years. Likewise, bigger companies like Google and Facebook have faced and may continue to face huge fines over their privacy policies.

Data Privacy in Iceland


Despite not being a part of the European Union, Iceland has its own high standards when it comes to securing consumer privacy.

In 2016, the secure data center Artmotion analyzed 170 countries and gave them each a data risk score based on factors like digital infrastructure and political stability. Iceland ranked 3rd on the list for being one of the safest places in the world to store data.

In 2018: Following the EU’s implementation of the GDPR, Iceland’s Parliament passed the Data Protection Act, voting to implement the GDPR in the country.

Why it matters: Iceland’s decision to follow the GDPR is a telling example of the priority it places on protecting its citizens’ privacy.

In 2010, the country launched the Icelandic Modern Media Initiative, which gives security to people like investigative journalists through whistleblower protection, source protection, and protection for communications between sources and the media. It also offers protection for intermediaries like ISPs.

Through all their efforts, Iceland has become a safe haven for journalists and a global leader in promoting freedom of speech. Likewise, it is one of the most secure places in the world for internet users seeking privacy.

Data Privacy in Sweden

Sweden was the first country to enact a data protection law. As a member state of the EU, it currently follows the GDPR. But it’s worth examining its history with data protection.

In 1973: The Swedish Parliament passed the Data Act.

What it did: The law was enacted to protect privacy, regulate the use of personal information databases, and prevent misuse. The law had a vast definition of personal information and data. Everything that pertained to a certain individual was considered personal information by law.

It also required companies handling such personal data to obtain licenses from the Swedish Data Protection Agency. This proved to be a long, bureaucratic process, which is why it was eventually replaced with the Personal Data Act of 1998.

Why it matters: Sweden takes its privacy seriously. An author in 1990 was prevented from using a personal computer to publish a book containing personal information of named individuals.

After appealing to the government, the author was allowed to publish the book, but this case shows how the government was willing to infringe on the freedom of expression to protect privacy.

Data Privacy Laws in Asia

Data Privacy in China


It might surprise you to find China on this list since its government is known for keeping a close eye on its citizens’ activities, monitoring their speech and behavior.

But if we’re strictly speaking about data protection regulation, China seems to be catching up to Europe.

In 2017: China passed the Cyber Security Law.

What it does: The law requires companies to explain to users what content they are collecting. This should include a written statement, a ticked box, registration form, message of consent or continuous communication between the company and the user.

The government also requires data encryption when transmitting data.

Additionally, China requires companies to have a contingency plan for security breaches. Drills and security checks are required at least once a year.

Following the passage of its first cybersecurity law, China also introduced the Personal Information Security Specification in 2018. This comprehensive guideline clearly lays out the details of data protection in the country.

Why it matters: As one of the most populated countries in the world, China is home to over 700 million internet users. The number of users alone exceeds the population of Europe and the United States. Data breaches are said to affect 80% of netizens and files in the black market contain massive amounts of data.

On top of that, China’s use of technology far surpasses the majority of countries around the world.

The way China handles data violations will almost certainly have an impact on the rest of the region as well.

Data Privacy in Malaysia


Malaysia is generally regarded as a good jurisdiction when it comes to privacy.

In 2010: Malaysia passed the Personal Data Protection Act (PDPA). It was put into effect in 2013.

What it does: It shares similarities with the GDPR, but one of the main differences between them is scope. Unlike the GDPR, the PDPA is limited to data processed within Malaysia. Malaysian data outside of Malaysia is not covered by the PDPA.

The similarities of the PDPA with the GDPR are the rights it gives to consumers. Malaysian consumers also have a right to access and correct personal data, as well as withdraw consent from processing data.

Additionally, consumer information disclosure without consent is also prohibited by this act. Retaining personal data longer than necessary is prohibited as well.

Why it matters: Malaysia has shown a willingness to step up its data protection legislation with the passage of the PDPA. In 2018, the Communications and Multimedia Minister Gobind Singh Deo announced that the country would be updating its data privacy policy to match that of the GDPR.

The progression of data protection law in Malaysia demonstrates that the GDPR is having clear repercussions around the world, with other governments using it as a model for improving their own laws.

Data Privacy Laws in Other Regions

Data Privacy in Russia


Russia is in a situation similar to China, where the country may have strict data protection laws but not necessarily for the citizens’ benefit. It’s a double-edged sword where the strict privacy laws can protect the data from others, but enable the government to monitor its citizens.

Recently, Russia said it would sue Google and Facebook for violating its data localization laws. This is one example of a case where the government wants to keep its citizens’ data out of these companies’ hands and in its own.

In 2006: Russia implemented the Russian Federal Law on Personal Data.

What it does: Like other countries, Russia has developed privacy policies such as informing consumers about what information will be collected and where it will be used. Like China and other countries, Russia also requires data localization.

Russia also has adopted counter-terrorism amendments that require information providers to retain data for six months and disclose them to officials if necessary.

Violators of the law can face fines or, much worse, be blocked in the country. Recently a popular messaging app, Telegram, was banned in Russia for refusing to give the Federal Security Service access to user messaging data. And it’s not going well… for Russia.

Why it matters: Russia has been in an ongoing cyberwar with the U.S. As time passes, more information is emerging about Russia’s connection to the U.S. election–and suspicions emerging about its activities in European elections as well–and its role in mining user data on platforms like Facebook and Twitter.

This means we should keep a close eye on Russia’s approach to data protection as it will have further consequences for us all.

In Summary

After 200 years, privacy, or “the right to be left alone,” has changed, and it has drastically affected everyone on the web. Each country has its own policies, but we’ve seen other countries follow those in the lead.

Nowadays, privacy policies are focused on requiring companies to provide sufficient and clear information to their consumers.

If lawmakers continue heading in this direction, consumer empowerment can gradually increase in the following years.

Consumers are given the right to control their data and what happens to it. This gives the consumer the responsibility to actively manage and know their data in order to keep companies in check and protect themselves from potential violations of privacy.

How to Protect Your Privacy Right Now

Consumers can take their privacy protection into their own hands immediately by subscribing to a VPN.

It’s important to note that a lot of VPNs can be required to give user information to government officials, especially those under the Five, Nine, and Fourteen Eyes Alliance.

But there are VPNs like Private Internet Access, NordVPN, and others that have a “No Log” policy. Even if government officials wanted user information from them, they wouldn’t be able to give out any precisely because they don’t keep user information.

In this digital age, consumers must be well-informed on critical topics such as privacy and personal information. Together with lawmakers and companies, consumers can create a more secure environment for data protection.
