Once a global rarity, data protection laws 'becoming ubiquitous,' new research shows

The count of countries with data protection laws more than doubled to 162 over the past dozen years, a total that includes a wide majority of the world’s nations, with new research suggesting data protection rules are approaching ubiquity.

Notable gaps remain. The United States and India considered national data protection legislation last year but failed to pass a comprehensive law that covers commercial data practices, Graham Greenleaf, a professor at the University of New South Wales in Australia, noted in the recent release of his highly respected biennial survey of the world’s data protection laws.

The clear trend, however, is toward a world where virtually every country has some sort of data protection measure in place, a trend fueled in significant part by the EU’s influential General Data Protection Regulation, which celebrates its fifth birthday this week.

“Previous assessments have argued that the steady growth of data privacy laws means that they were becoming ubiquitous. This assessment shows that point has now been reached, with only 18 percent of UN Member States having neither a data privacy law nor a privacy Bill in progress,” Greenleaf concluded in this seventh global assessment of privacy laws.

From February 2021 to March of this year, 17 nations enacted data protection laws, Greenleaf found, an increase of 11.7 percent over the total of 145 countries with laws he counted two years ago. At least 20 other countries are considering data protection legislation, Greenleaf said.

“It seems likely that most of these countries without data privacy laws at present will eventually develop them, resulting in data privacy laws becoming ubiquitous across the globe, probably within this decade,” he wrote in the new assessment.

The pace of adoption from 2021 to 2023 was even faster than in in the two-year period from 2019 to 2021, when 13 countries added data protection laws, a 9.8 percent jump. Two years ago, Greenleaf suggested that the global Covid-19 pandemic was slowing the pace of adoption.

The UN, which also tracks data protection laws but has a slightly different definition of countries and privacy laws, says that 137 out of 194 countries have put in place legislation "to secure the protection of data and privacy." Data collected by UNCTAD shows that 71 percent of nations have data protection laws in place, with another 9 percent considering draft legislation.

There is a correlation between data protection and development, UNCTAD said, and the share of data protection laws in the least developed countries is only 48 percent.

In 2011, when Greenleaf first began tracking the expansion of data protection laws, he counted just 76 countries with privacy or data security laws. The total topped 100 between 2013 and 2015, and by 2019, there were 132 countries with laws. For context, the United Nations has 193 member nations.

Europe’s GDPR has been a key driver for the spreading of data protection law around the world, Greenleaf told MLex. He said that scholarly articles he publishes generally conclude “that the single most important influence on the country’s new/revised laws, or those of a region, is the GDPR. However, which bits of the GDPR are emulated varies a great deal.”

The GDPR has been particularly influential in Asia, Africa and Latin America, Greenleaf said. Africa is one region where adoption of data protection legislation has been the most rapid in recent years. The United Nations said 61 percent — at least 33 of Africa’s 54 countries — had a privacy or data protection law in place at the beginning of 2022. That's up from 50 percent in early 2020.

Many of the nations that adopted new laws in 2021 and 2022 were in Africa, Asia, or Central or South America, including Rwanda, Zimbabwe, Zambia, Sri Lanka, Belize, Mongolia, Ecuador, Saudi Arabia, United Arab Emirates, Oman, Indonesia, Cuba, Eswatini (formerly known as Swaziland), Laos, and Tanzania.

Greenleaf’s research found that countries considering new laws include Cambodia, Bolivia, Ethiopia, the Gambia, Kuwait, Malawi, South Sudan, Bangladesh, Pakistan, Brunei, Guyana, El Salvador, Guatemala, Suriname, Honduras, Iran and Jordan.

The US is not on the list of countries without a privacy law. It has a number of them, dating back to the Privacy Act of 1974, which set out fair information collection practices for data held by US federal government agencies, and the Children’s Online Privacy Protection Act.

The US also has a growing list, approaching 10 states, that have passed compressive privacy laws governing commercial practices, but it has not yet passed a comprehensive commercial privacy and data security law despite the progress the Congress made on the American Data Privacy and Protection Act last year.

There are now just 36 UN member nations that lack a data privacy or security law, Greenleaf concluded, including African nations such as Burundi and Central African Republic; Pacific Island nations such as the Solomon Islands, Fiji and Vanuatu, and Caribbean nations including Dominica, Grenada and Haiti. In Asia, North Korea and Myanmar also lack a privacy law, Greenleaf found.

“There is nothing that unites the disparate group of 36 countries without laws or Bills, and certainly not some principled opposition to data protection laws,” he wrote. “Nine Pacific Island countries comprise the only region where no country has a data privacy law.”