Professional Documents
Culture Documents
SSRN Id2000034 PDF
SSRN Id2000034 PDF
Graham Greenleaf
Electroniccopy
Electronic copyavailable
available at:
at: https://ssrn.com/abstract=2000034
http://ssrn.com/abstract=2000034
Global data privacy laws: 89 countries, and accelerating
Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales *
Privacy Laws & Business International Report, Issue 115 Special Supplement, February 2012
Introduction – 40 years on .............................................................................................................................. 1
Criteria for inclusion........................................................................................................................................... 2
Growth by decade................................................................................................................................................ 3
Geographical expansion.................................................................................................................................... 4
Bills for new Acts – Future expansions likely.......................................................................................... 4
Measuring growth ............................................................................................................................................... 5
International commitments and recognition .......................................................................................... 6
Implications and further research................................................................................................................ 8
Updates, resources and acknowledgments .............................................................................................. 8
Global Table of Data Privacy Laws ............................................................................................................... 9
Global Table of Data Privacy Bills...............................................................................................................13
Introduction – 40 years on
How many countries now have data protection laws? The usual answer was somewhat vague:
‘about sixty’ or perhaps a well‐informed respondent might have said ‘more than sixty’. A
reasonably accurate answer could not conveniently be found until ‘Global data privacy laws:
Accelerating after 40 years’ 1 showed that at least 76 countries had enacted data privacy laws
by mid‐2011. Six months later, further investigation shows that was an under‐estimate, and
that there are at least 89 countries with such laws.
There are four reasons why has the number grown from 76 to 88 in six months. First, new
laws have been passed or come into force in four countries from four different regions (Costa
Rica, St Lucia, Gabon and Vietnam). Second, further research has resulted in the addition of
pre‐existing laws in 5 countries (Armenia; Paraguay; St Vincent & the Grenadines; the
Seychelles; and Trinidad & Tobago). Third, two ‘mini‐jurisdictions’ have been added (Qatar
Financial Centre and Dubai International Finance Centre), after reconsideration. Finally, two
jurisdictions have been added that only meet this article’s criteria for a data privacy law in
relation to their public sectors (Thailand and the USA) and do not do so in relation to the
private sectors.
The following Table lists all countries (including otherwise independent legal jurisdictions)
which have enacted data privacy laws, when they did so, the sectoral coverage of the law
(only private sector; only public sector; or both sectors), and the international commitments
of each country, or the international recognition their laws have received.
It is almost forty years since Sweden’s Data Act 1973 was the first comprehensive national
data privacy law, and was the first to implement what we can now recognise as a basic set of
data protection principles. This article surveys the forty years since then of global
*
This paper was completed and updated while the author was a Visiting Fellow at the Centre for Commercial Law
Studies, Queen Mary, London, January 2012. Please contact the author on < graham@austlii.edu.au > in relation to any
additions to or corrections of the Tables.
1
Greenleaf, G 'Global data privacy laws: 40 years of acceleration' (2011) Privacy Laws & Business International
Report, Issue 112, 11-17, September 2011
Electroniccopy
Electronic copyavailable
available at:
at: https://ssrn.com/abstract=2000034
http://ssrn.com/abstract=2000034
development of data privacy laws to the start of 2012. The picture that emerges is that data
privacy laws are spreading globally, and their number and geographical diversity accelerating
since 2000. There are some surprising inclusions, and some illuminating trends in the
expansion of these laws.
Criteria for inclusion
In this article, and the accompanying Table a country is considered to have a ‘data privacy
law’ if it has a national law which provides a set of basic data privacy principles, to a standard
at least approximating the minimum provided for by the OECD Guidelines or Council of
Europe Convention 108, plus some methods of officially‐backed enforcement (ie not only self‐
regulation). A general constitutional protection for privacy, or a civil action (tort) of
infringement of privacy is not sufficient, and nor is a voluntary code of conduct.
In relation to the private sector, a law must cover most aspects of the operation of the private
sector. This excludes countries which only have scattered sectoral privacy laws (eg credit
reporting or medical records laws). The USA, which has numerous limited sectoral laws in the
private sector is not included because of its private sector laws, but only because of its federal
public sector law. Many countries have some exceptions in their private sector coverage, such
as various forms of ‘small business’ exceptions (eg Japan and Australia), or exceptions for
non‐automated records, but this is not a basis for exclusion. A law with ‘largely
comprehensive private sector coverage’ is therefore the principal basis for inclusion.
Most jurisdictions which have laws with near‐comprehensive private sector coverage also
have data privacy laws which cover their national public sectors. Such protection is
sometimes by different legislation from that covering the private sector. Where there is a
different law for the public sector it will often have principles and enforcement mechanisms
which differ significantly from those applying to the private sector. There is however a
growing group of countries, particularly in Asia, with laws which only cover the private sector
but provide no protection in relation to the public sector: Malaysia, Vietnam, India, Qatar
Financial Centre and Dubai International Finance Centre.
Some jurisdictions which now have private sector coverage initially only covered their public
sectors, including the OECD members, Australia, Japan, Canada and South Korea, with private
sector coverage only introduced up to 15 years later. It seems reasonable to include the two
remaining jurisdictions which still provide basic data privacy protection in relation to their
public sector only (the United States and Thailand), but do not do so for their private sector
according to the criteria used here. As a unitary country, the Thai law covers the whole public
sector. As a federation, the US Privacy Act 1974 only covers the federal public sector, but some
States have equivalent laws. Since ‘private sector only’ countries have been included in the
Table, these ‘public sector only’ countries have now been included. The dates in the Table for
the privacy laws of Australia, Japan, Canada and South Korea have also therefore been
changed to the earlier dates on which their public sector laws were introduced. The Table
does not include any countries which might have public sector privacy laws for some of their
regional governments only (China might quality if it did), but not for most of its private sector
or its federal public sector.
‘Countries’ is a slight exaggeration, and a more accurate term would be ‘separate legal
jurisdictions’. The Table originally included the two Special Administrative Regions (SARs)
which have constitutionally different legal systems from the rest of China (Hong Kong and
Macao, under the principle of ‘One Country, Two Systems’) and five British dependent
territories which have their own legal systems (the Isle of Man, Jersey, Guernsey, Gibraltar
and the Bahamas). By the same reasoning (and after some consideration), there has now been
However, sub‐national jurisdictions which do not have their own separate legal systems, or
are subject to the laws of a federation in relation to data privacy law, are not included. So
States and Provinces in Germany, Canada and Australia are excluded even if they do provide
some non‐comprehensive coverage of the private sector. Certain provinces of the People’s
Republic of China which have enacted local laws are excluded for similar reasons. State or
Provincial laws which only cover the local public sector are also excluded. Many of these sub‐
national laws are quite significant sources of data privacy legislation and case law, or were
pioneers in data protection. Hesse in Germany, Quebec, Ontario and British Columbia in
Canada, and Victoria and New South Wales in Australia are examples. It would be a valuable
to include such jurisdictions in a separate Table, but this has not been done in this article. The
result of this conservative approach is that no country is included twice in the Table, but nor
has any country been unreasonably excluded.
The year stated in the Table under ‘From’ is the year from which the legislation was enacted
which provided coverage of most of the private sector, or of the national public sector. So, for
example, the year shown for Australia is 1988, even though the Privacy Act 1988 operated for
13 years in relation to the public sector only, and for a lesser period in relation to the credit
industry, before most of the private sector was added in 2001. Where the coming into force of
a law was long‐delayed after enactment (eg Russia, from 2007 to 2011) the date stated is the
earlier date (enactment), but the Table notes it was not in force until the later date. A similar
approach is taken where an Act has not yet come into force at all (eg Malaysia). In other cases
the year stated is that of enactment, ignoring the year or so that it often takes for regulations
to be made and preparations made for the law to be administered. The year of the most recent
known amendment to the current law is given in the ‘Latest’ column. The purpose of these
columns is to indicate trends in enactment and updating, not to give precise ‘in force’ dates
(which would result in a far more complex Table).
Almost all jurisdictions provide in their legislation for a Data Protection Authority (DPA), a
separate institution which has responsibility for the data privacy legislation. DPAs vary
greatly in name (often called ‘Privacy Commissioners’), functions and degree of independence
from other government authorities. From the 87 jurisdictions, Chile, Colombia, the Kyrgyz
Republic, India, Japan, Taiwan, Vietnam, Armenia and the USA are among the few remaining
exceptions with no DPA, but this is not covered in the Table.
Growth by decade
The total number of new data privacy laws globally, viewed by decade, shows that their
growth is accelerating, not merely expanding linearly: 8 (1970s), 13 (1980s), 21 (1990s), 35
(2000s) and 12 (2 years of the 2010s), giving the total of 89. In the 1970s data privacy laws
were a western European phenomenon (Sweden, Germany, Austria, Denmark, France,
Norway and Luxembourg), other than for the US public sector Act. The position was similar in
the 1980s (UK, Ireland, Iceland, Finland, San Marino and the Netherlands, and three UK
territories), with Israel as the first non‐European state in 1981, and Australia, Japan and
Canada providing ‘public sector only’ legislation. Acceleration commenced in the 1990s, as
most remaining western European countries (EU and EEA) enacted laws (Portugal, Belgium,
In the 2000s the acceleration continued, with the expansion in the former eastern bloc and
Soviet republic countries the most striking (Latvia, Bosnia & Herzegovina, Romania, Bulgaria,
Croatia, Estonia, FYROM (Macedonia), Moldova, Serbia and Montenegro), plus the addition of
the remaining European states (Cyprus, Malta, Andorra, Liechtenstein, Gibraltar). Outside
Europe, expansion accelerated in the Asia‐Pacific (Australia, South Korea, Japan, Macao SAR)
and Latin America (Argentina, Colombia, Uruguay). In the Americas, the Bahamas added
further new laws. Rapid development took place in Africa with new laws in Tunisia and
Morocco (North African) and Mauritius, Cape Verde, Benin Senegal and Burkina Faso (Sub‐
Saharan Africa). The Kyrgyz Republic became the first country in Central Asia to legislate in
2008. In the first two years of this decade 11 new laws have been enacted (Faroe Islands,
Malaysia, Mexico, India, Peru, Ukraine, Angola, Trinidad & Tobago, Vietnam, Costa Rica, Gabon
and St Lucia) and the Russian law came into force, making this the most intensive period of
data protection developments in the last 40 years.
Geographical expansion
Geographically, more than half (56%) of data privacy laws are still in European states
(50/89), EU member states making up only slightly more than one third (27/89), even with
the expansion of the EU into eastern Europe. There are data privacy laws in all 27 member
states of the European Union (not yet counting Croatia), and a further 23 laws in other
European countries or jurisdictions (including the EEA states). Only a few European states
remain without such laws, (Georgia, Belarus and the Holy See/Vatican), so the potential for
expansion in Europe is very limited. There are eight laws in Latin America, with Brazil set to
become the ninth. In the Americas are also the laws in Canada and the USA, and four laws in
the Caribbean. In Asia there are now nine data privacy laws, with Singapore promising a
tenth, the other eight ASEAN states committed to improved privacy protection by 2015, and
Bills before Parliaments in two others. Both Australia and New Zealand have data privacy
laws, but none of the Pacific Islands do so (the only region with no such laws). In North Africa
and the Middle East, there are five such laws, and eight in Sub‐Saharan Africa. Further Acts
are likely soon, with current Bills progressing in South Africa, Kenya and Ghana. The French‐
Speaking Association of Personal Data Protection Authorities (AFAPDP), and France’s CNIL
have both played key roles in developing expansion of data privacy in Africa. The Kyrgyz
Republic law is the first in Central Asia, though Mongolia’s laws also come close to qualifying.
The geographical distribution of the 89 laws by region is therefore: EU (27); Other European
(23); Asia (9); Latin America (8); Africa (8); North Africa/Middle East (5); Caribbean (4);
North America (2); Australasia (2); Central Asia (1); Pacific Islands (0). So there are 39 data
privacy laws outside Europe, 44% of the total. Because there is little room for expansion
within Europe, the majority of the world’s data privacy laws will soon be from outside Europe,
probably by the middle of this decade.
Bills for new Acts – Future expansions likely
The Global Table of Data Privacy Bills (following the Table of legislation) lists Bills for new
Acts, but not for revisions of existing Acts unless they are Bills which expand a country’s
legislation to cover the private sector (eg Thailand) or the public sector. It first lists Bills
The Table shows that we can expect the pace of legislation to continue accelerating. There are
Bills currently before legislatures in at least five countries (Georgia, Ghana, Philippines,
Thailand and South Africa) although some have been withdrawn for redrafting. There are
official draft Bills known in another five during the past year (Kenya, Cayman Islands, Nigel,
Mali and Brazil). Antigua, British Virgin Islands, Jamaica, and Bermuda are known to be
developing Bills (but with fewer details known), so there is considerable activity in the
Caribbean. There are also older Bills which were introduced in Turkey, Lebanon and
Barbados, and discussed in Madagascar, during the last decade. Not listed in the Bills Table,
there are also those countries that have announced a definite intention to legislate, but have
not yet developed a draft Bill. Singapore 2 and Qatar 3 (as distinct from the Qatar Financial
Authority sub‐region) are two countries in this category. There may be more Bills, or even
more Acts, yet to be discovered. Research has not yet been done in relation to every separate
jurisdiction in the world.
Measuring growth
For over two decades the rate of adoption of new data privacy laws per year has been steadily
increasing, and the regions of the globe that have such laws has been steadily expanding. If the
current rate of expansion is continued, 50 new laws would result in this decade, bringing the
total to 127. Continued acceleration would make the total higher than that. Even on the
conservative (and probably unrealistic) assumption that the 2010s will see no more data
privacy laws than the 2000s, there would be 112 countries with data privacy laws by the
decade’s end, with the majority of the laws by then coming from outside Europe. In addition,
many existing laws are being strengthened to keep up with rising expectations of privacy
protection, international agreements, and the examples set by other countries (see the ‘Latest’
column in the Table).
There are other ways that expansion could be measured, say by the populations of the
countries concerned, or by their GNP. These could show different trends, but reflection on the
size and economic significance of the countries so far included makes it obvious that data
privacy laws are more common in the world’s larger and more economically significant
countries. The recent inclusion of India accelerates this trend, as will the likely inclusion of
Brazil in the near future. By any measure, data privacy laws are of increasing and accelerating
global significance.
The most economically significant countries currently missing from the list are the USA
(private sector), China and Brazil, now that India has adopted a data privacy law in 2011. The
omission of Brazil is also expected to be remedied in 2012. China is currently enacting a
profusion of sectoral laws, but a comprehensive law is still a possibility, and no‐one knows
what the outcome will be. The USA has many privacy laws and some effective enforcement,
but no comprehensive privacy law in the private sector, nor it seems much prospect of one.
Most other countries that do not yet have data privacy laws are of relatively low significance
2
3
Qatar has a draft Personal Information Privacy Protection Law under consideration:
http://www.insideprivacy.com/international/qatar-seeks-views-on-draft-privacy-law/
Finally, for the purposes of this brief overview, it is important to note that ‘growth’ or
‘expansion’ of data privacy laws cannot be equated with improvement in privacy protection.
Some privacy laws are simply not enforced. Surveillance activities in both the private and
public sectors can also grow at the same time as laws are enacted and operational, and quite
often do when data privacy laws are a trade‐off for, or a belated response to, more intensive
surveillance. Assessing the effectiveness of data privacy laws is a far more complex task than
is undertaken in this relatively simple exercise.
International commitments and recognition
International agreements concerning data protection have had a considerable influence on
national and sub‐national adoption of data privacy laws for thirty years since the drafting of
both the OECD’s privacy Guidelines and the Council of Europe Data Protection Convention at
the outset of the 1980s. Since then, the European Union’s data protection Directive of 1995
has been the most influential international instrument, and APEC’s Privacy Framework has
created regular opportunities for discussion of privacy issues among some Asia‐Pacific
jurisdictions.
All 27 Member States of the European Union are required to have data privacy laws which
implement the EU privacy Directives, and all do so (see the Table). Five additional countries
have applied to join the EU 4 , and two of these (Montenegro and Turkey) do not yet have data
privacy laws. The European Economic Area (EEA) includes the European Union member
states plus Iceland, Norway and Liechtenstein, all of which have data privacy laws.
Countries or jurisdictions outside the EEA can obtain from the EU a decision that their laws
provide an ‘adequate’ level of protection of privacy, to enable free flow of personal data from
EU member states to organisations in those countries. As yet, the EU has only made such
decisions in relation to nine jurisdictions as a whole, a minority of which are of economic or
political significance. 5 Uruguay and New Zealand should soon be added to this list, having
receiving favourable Opinions from the Article 29 Working Party.
Forty‐three of the forty‐seven Council of Europe member States have ratified the Council of
Europe Data Protection Convention of 1981 (Convention 108), and have data privacy laws.
Armenia, Turkey and the Russian Federation have signed but not ratified the Convention. San
Marino has done neither. However, Russia does now have a data privacy law (in force 2011).
Armenia, Georgia and Turkey are the only Council of Europe Member State not to have
enacted a data privacy law. Belarus is not a Council of Europe member because of human
rights concerns, and the Vatican is not a member because it is not a democracy. The
Additional Protocol (ETS 181) to the Convention also requires a commitment to data export
restrictions and to an independent data protection authority, and brings the standards of the
Convention up to approximately the same level as the Directive. Forty two Member States
have signed the Additional Protocol, and 31 have subsequently ratified it. Twelve countries
that have ratified the Convention (plus three territories on whose behalf the UK acceded to
the Convention) have not ratified the Additional Protocol. Where a Council of Europe member
has ratified both Convention 108 and the Additional Protocol, it is extremely unlikely as a
matter of practice that data exports to that country would be prevented, so obtaining an
4
Croatia; Former Yugoslav Republic of Macedonia (FYRIM); Iceland; Montenegro; Turkey
5
Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, and Jersey
Since 2008 the Council of Europe has made it clear that it wishes the Convention and Optional
Protocol to become global agreements, and that it welcomes requests by states outside
Europe with suitable data privacy laws to apply to accede to both. Uruguay is the first non‐
European state to be invited to do so, but has not yet formally acceded (there are
Parliamentary processes requiring completion). An adequacy finding from the EU does not
impose any reciprocal obligations on the recipient to allow free flow of personal data from it
to EU countries. This obligation will however arise when countries outside the EU become
members of the Council of Europe Convention 108.
Turkey is the only OECD (Organisation for Economic Cooperation and Development) member
country, other than the USA in relation to the private sector, which does not have a data
privacy law implementing the OECD’s privacy Guidelines of 1981. The OECD’s plans for
enlargement 6 mean that more countries in future will be likely to be influenced by the OECD
privacy Guidelines to adopt data privacy laws.
Two thirds (14) of the 21 APEC (Asia‐Pacific Economic Cooperation) member ‘economies’ do
have data privacy laws in at least one of the two sectors (see the Table), but 7 do not: Brunei;
Indonesia; Philippines; Singapore; China; and Papua New Guinea. Thailand and the USA have
public sector only laws, and Malaysia and Vietnam have private sector only laws. Singapore
says it will introduce legislation in 2011; the Philippines and Thailand have bills for
comprehensive laws before their legislatures. Whether APEC will expand beyond 21 members
is still an open question. Numerous countries have been trying to join for some time 7 . In
refusing India’s application for membership, APEC decided not to admit more members until
2010. India is the only Asian country which is not an APEC member but does have a data
privacy law (Macao SAR has such a law but is not a country). If APEC’s membership is
expanded, this will at least mean that more countries are involved in the six monthly
discussions of APEC’s privacy group.
The Economic Community of West African States (ECOWAS), a grouping of fifteen states
under the Revised Treaty of the ECOWAS, agreed to adopt data privacy laws in 2008. A
Supplementary Act on Personal Data Protection within ECOWAS (ECOWAS, 2010) to the
ECOWAS Treaty, adopted by the ECOWAS member states, has established what the content of
such data privacy laws should be, influenced very strongly by the EU Directive, and that each
state is to establish a data protection authority. Four ECOWAS states have so enacted laws
(Benin, Burkina Faso, Cape Verde, and Senegal), and a Bill is before Parliament in Ghana,
leaving ten yet to take action.
Less advanced as yet, the East African Community (EAC), a regional group of five East African
countries (Kenya, Tanzania, Uganda, Rwanda and Burundi) has taken various initiatives that
encourage the member states to adopt data privacy legislation. Such initiatives include the
current discussion of A Draft Bill of Rights for the East African Community which unlike the
African Charter on Human and Peoples’ Rights incorporates the right to privacy. Also,
although not binding, the EAC has adopted EAC Framework for Cyberlaws Phases I and II in
6
“In May 2007, OECD countries agreed to invite Chile, Estonia, Israel, Russia and Slovenia to open discussions for
membership of the Organisation and offered enhanced engagement to Brazil, China, India, Indonesia and South Africa”
(OECD website). Chile, Solvenia, Israel and Estonia have since become members.
7
“In addition to India, Mongolia, Pakistan, Laos, Bangladesh, Costa Rica, Colombia, Panama and Ecuador, are among a
dozen countries seeking membership in APEC by 2008.” – see <http://en.wikipedia.org/wiki/Asia-
Pacific_Economic_Cooperation#Member_Economies>
Implications and further research
Now that we have this more accurate picture of the global development of data privacy laws,
further research becomes possible. It has already made possible an assessment of the
influence of European privacy standards on legislative developments outside Europe. 8
Further research is required on such questions as the implications of the increasingly
interlocking data export restrictions in this legislation; on the effectiveness of the
enforcement regimes in various countries; on the extent of judicial interpretation of these
laws, and on other comparative aspects of data privacy laws. All of this requires an accurate
account of the world’s data privacy laws.
Updates, resources and acknowledgments
Details of new data privacy laws (and Bills for new laws) from countries which do not have
them will be included in subsequent issues of Privacy Laws & Business International Report.
This commentary and Table will be updated at least annually.
The completion of the Table is based on advice received in relation to Latin American
countries from Pablo Palazzi (Allende & Brea, Argentina); in relation to francophone
countries, from Marie Georges (Planete Informatique et Liberties, Paris); in relation to
lusaphone (Portuguese‐speaking) countries, from Magda Cocco and Inês Antas Barros (Vieira
de Almeida & Associados, Lisbon), and in relation to other countries from David Banisar of
Article 19, and Alex Boniface Makulilo, privacy researcher. Thanks also to Stewart Dresner
and Laura Linkomies (Privacy Laws & Business).
Some of the resources which have been valuable in the research for this article are as follows:
‘Data Protection Laws Around the World Map’ at
<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1951416>; Council of Europe website,
for ratifications of the Convention and the Protocol; EU website for legislation of member
states <http://ec.europa.eu/justice/policies/privacy/law/implementation_en.htm>; EU
website for adequacy decisions
<http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm>; Privacy Laws
& Business website <www.privacylaws.com>; Christopher Millard ‘Privacy Laws & Business
European Data Protection Laws Chart’ Privacy Laws & Business Newsletter, May 1997;
dataprotection.eu website <http://www.dataprotection.eu/>; Morrison & Foerster ‘Privacy
Library’ <http://www.mofo.com/privacylibrary/>; Linklaters ‘Data Protected’ website for
clients; BNA website. All errors and omissions remain my own.
8
Greenleaf, G 'The Influence of European Data Privacy Standards Outside Europe: Implications for Globalisation of
Convention 108' (accepted) International Data Privacy Law, Vol. 2, Issue 2, 2012, available at
<http://papers.ssrn.com/abstract_id=1960299>
Global Table of Data Privacy Laws
This Table is sorted alphabetically by Jurisdiction, but can be sorted by any column (in Word).
Jurisdiction Key Act From 9 Latest Region 10 Sec 11 EU 12 CoE 13 Other
Int. 14
Albania Act on the Protection of 1999 1999 Europe (O) Both [I] R; P
Personal Data
Andorra Law on the protection of 2003 2003 Europe (O) Both A R; P
personal data
Angola Lei da Protecção de Dados 2011 2011 Africa Both
Pessoais
Argentina Personal Data Protection Act 2000 2000 Latin Am Both A
Armenia Law on Personal Data 2002 Europe (O) Both NS;
SP
Australia Privacy Act 1988 1988 2001 Australasia Both APEC;
OECD
Austria Datenschutzgesetz 1978 2009 Europe Both M R; P OECD
(EU)
Azerbaijan Law on data, data processing 1998 1998 Europe (O) Both R
and data protection
Bahamas Data Protection Act 2003 2003 Caribbean Both
Belgium Law on Privacy Protection in 1992 1998 Europe Both M R OECD
relation to the Processing of (EU)
Personal Data
Benin Loi Portant Protection des 2009 2009 Africa Both ECOWAS
données à Caractère
Personnel
Bosnia & Law on the protection of 2001 2001 Europe (O) Both [I] R; P
Herzegovina personal data
Bulgaria Law for Protection of Personal 2002 2007 Europe Both M R; P
Data (EU)
Burkina Faso Loi Portant Protection des 2004 2004 Africa Both ECOWAS
Données à Caractère
Personnel
Canada Personal Information 1983 2002 North Am Both A APEC;
Protection and Electronic (prior OECD
Documents Act Act)
Cape Verde Regime Jurídico Geral de 2001 2001 Africa Both ECOWAS
Protecção de Dados Pessoais
a Pessoas Singulares Janeiro
Chile Privacy Law 1999 1999 Latin Am Both APEC;
9
Date columns: ‘From’ = date original law enacted; ‘Latest’ = year of last significant amendment known; ‘NYIF’ =
not yet in force; ‘NIFU’ = not in force until date stated, where bringing into force is delayed over one year
10
Region column: ‘Europe (EU)’ = current European member states; ‘Europe (O)’ = other European states (including
EEA)
11
Sector column: ‘Pri’ = covers private sector only; ‘Pub’ = covers public sector only; blank = covers both sectors
12
European Union column: M = country is an EU member state; A = country’s protection of personal data has been
held ‘adequate’ by the EU; [A] = Favourable Article 29 Working Party opinion on adequacy, but no final decision
announced; EEA = country is a member of the European Economic Area; [I] = Adequacy finding is in practice
irrelevant due to country acceding to both Council of Europe Convention 108 and Additional Protocol
13
Council of Europe column: (‘Member’ means Member State of the Council of Europe) R = Member and has ratified
the Convention; R* = United Kingdom has ratified Convention on behalf of sub-jurisdiction; S = Member and has
signed but not ratified Convention; P = has also ratified the optional protocol; NS = Member but has not signed
Convention; [I] = not a Member but has been invited to accede to the Convention; A = not a Member but has acceded to
the Convention
14
Other international commitments column: APEC = ‘economy’ is a member of APEC (Asia Pacific Economic
Cooperation); OECD = country is a member of OECD; ASEAN = county is a member of Association of South East
Asian Nations; ECOWAS = country is a member of Economic Community of West African States; EAC = county is a
member of the East African Community
15
‘From’: Date of latest known Bill or official draft Bill
16
‘Current?’: ‘Current’ = before current session of legislature; ‘Draft’ = official draft known, but not yet introduced to
legislature; ‘Lapsed’ = Bill was introduced in previous session of legislature but did not proceed