Eager to share in global digital economy, developing nations embrace data protection laws
16 August 2019. By Mike Swift.
From central Africa to central Asia to central America, the world’s developing nations are enacting data-protection laws at a steady pace, in most cases creating independent commissioners or agencies to enforce the privacy and security of personal data held by both private companies and government.
There are now more than 120 countries — and by the count of one expert, at least 136 countries — which have passed national data-protection laws. But that total is growing almost on a weekly basis. Over the past year and a half, Algeria, Brazil, Lebanon and Panama have all passed comprehensive data-protection laws, with at least four countries — Uganda, Nigeria, Kyrgyzstan and Uzbekistan — passing laws so far in 2019.
Another 40-odd countries and jurisdictions including Kenya, Nigeria, Iran and Indonesia have pending data-protection bills or initiatives, as lawmakers race to pass laws to answer their citizens’ growing concerns about the safety and privacy of their personal data, and to enable the free flow of digital goods and services both regionally, and with large blocs such as the European Union.
In a few cases, such as India and Kenya, the government’s move to create a national identification system has sparked privacy concerns that led to court cases or political debate that are driving lawmakers to create a national data-protection law.
While the laws vary greatly in their quality of data protection and what they require companies to do to legally collect and process personal data, the changes are rapidly creating a world where having a national data-protection law is the standard, and large developed countries that lack national laws — the US being the most glaring example — are outliers.
“Privacy as an aspect of human rights is an increasingly important driver, as people everywhere have realized the great risks inherent in identity theft, data breaches by everyone, personalized marketing, and pretty much everything to do with Facebook,” said Graham Greenleaf, a professor at the University of New South Wales in Australia who tracks the global development of data-protection laws. “This creates local political demand for data privacy laws, somewhat separate from e-commerce considerations.”
Greenleaf puts the number of countries with data-protection laws at 136, although he said the number could already be higher based on unverified reports that Congo just enacted a law, while Egypt is moving forward but hasn't yet finalized its legislative process.
The recognition by political leaders of the critical importance of digital trade is another important factor driving the adoption of new laws.
In Africa, member states in the African Union in 2014 completed a convention on cybersecurity and data protections, which concluded that the biggest obstacles to the growth of the Internet and electronic commerce on the continent are data security issues, including “the absence of specific legal rules that protect consumers, intellectual property rights, personal data and information systems.”
The convention contains the building blocks for individual African states to fashion their own data-protection laws, including definitions of what constitutes personal data, how people can provide meaningful consent for the collection and use of their personal data, and definitions of cybercrime.
“You have a continent with 1.3 billion people, that has been trading the least among themselves,” said Alice Munyua, a former official with the government of Kenya who now leads African public policy work for the browser-maker Mozilla. “It’s that stark realization that we haven’t been trading with ourselves, and we need to start self-actualizing, that prompted many African heads of state toward creating what we are calling a single digital economy.”
Just as Europe’s General Data Protection Regulation allows for the free transfer of data within the European Union, the African Union is creating a region of free data flows among the 55 nations on the continent.
But the GDPR is also significant, because some African nations hope to obtain or maintain “adequacy” rulings from the European Commission that would allow for free data transfers with the EU. “The GDPR has had a huge impact on most countries rushing to have their privacy and data protection laws in place,” said Munyua, who is also a former official with the Kenyan government.
In the developed world, personal computers and websites predated a mobile web of smartphone messaging and apps. But in much of the developing world, social media apps accessed from a phone, particularly Facebook and its WhatsApp platform, are perceived by many people as the sum total of the Internet. Facebook says more than 2.7 billion people, 35 percent of the world’s population, now use its family of products at least once a month — Facebook, WhatsApp, Instagram or Messenger.
In part because of that, Munyua said, the Cambridge Analytica privacy leak has resonated with people in several African countries, because personal data was also used to impact elections in Kenya and Nigeria. “Cambridge Analytica made it real, because the one thing about most of our countries, when it comes to personal data, personal data is political,” she said.
Elsewhere in the world, the realization that without data-protection rules, countries risk being cut out of international digital commerce is a critical driver of new laws.
“Countries don’t want to get cut off from data flows,” said David Banisar, who has tracked the development of data-protection laws for two decades through his work at a number of organizations. “They’ve realized that information, particularly on the developing country side, is important. It’s valuable. And at the same time, citizens have been seeing everything that is going on, and they are realizing their information is being collected.”
Banisar sets the total number of countries with comprehensive data-protection laws at 126, but he limits his tally to “comprehensive data protection laws.” He doesn’t include countries with laws that only cover the private sector, such as Malaysia, Singapore and China. Nor does he count countries with privacy laws that only pertain to government, such as Zimbabwe, Nepal and the US with its Privacy Act of 1974.
There is a wide gulf, Banisar said, between laws or legislation passed by countries like Brazil, which enacted a law with strong protections for personal data, although it has yet to be fully implemented by the new president, and those in central Asia, where protections are much looser.
“The central Asian states' ones are much weaker,” said Banisar, the head of transparency for Article 19, a global freedom of expression organization. “They don’t have privacy enforcement agencies for one thing, and there are all sorts of holes in them. It really does vary from one country to another.”
But to illustrate the rapid pace of change, on the day he spoke to MLex this week, Banisar was busy investigating reports that lawmakers in Barbados have just passed a data-protection law, as well as a court ruling in Jamaica that cited the ruling from the Indian Supreme Court last year that privacy is a fundamental human right.
He believes the trend of nations passing data-protection rules still has a way to run.
“There are still another 80 or so countries that are UN member states that don’t have laws yet, including some very big ones such as India, Indonesia and the US,” Banisar said. “So I don’t’ think we’re close to saturation yet.”
Graham Greenleaf's latest report the growth of data protection laws is at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3380794, while David Banisar's latest study can be accessed at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1951416.