
Data Protection index

December 2013


Initial Observations

This is only the second time that the data protection index has featured in GIPI, yet a number of trends are already apparent from the results. View the table results.

  • Jurisdictions ranked at the top of the table either have few or no data protection laws in place, or have laws that are perceived as weak or with flawed enforcement regimes. India has dragged its feet on implementing specific data protection legislation and this apparent indifference, in the face of legislative developments elsewhere in the world, has moved it to the top of the table.
  • Jurisdictions ranked at the bottom of the table are either those with a specific data protection legislative framework in place, such as Germany, or those that have seen significant legislative developments. The most notable shifts here include Singapore, down a dramatic 31 places from the top to the bottom of the table following the approval of its wide-ranging data protection law, and also moves for Australia and New Zealand, which have dropped 27 and 30 places respectively.
  • There have been dramatic shifts in the ranking of jurisdictions in Asia Pacific as countries here adopt domestic data protection laws or enhance existing laws. As a result, the compliance focus is shifting away from Europe to this region, which is seen as presenting fresh challenges for compliance practitioners.
  • Falling scores across the indices point to higher overall costs of ensuring data protection compliance.

Analysis

Data Protection laws have been the focus of considerable debate and change in recent years. Personal information is now hardwired into nearly every aspect of our lives, with developments in technology presenting greater opportunities to collect and hold more data, use mobile computing technologies, take advantage of combined, outsourced or hosted data or exploit the opportunities of smart technologies that can monitor, track and share personal information.

Focus shifts to Asia Pacific

In our increasingly globalised economy, data protection is no longer a uniquely European preoccupation. European data protection law, for all its faults, is viewed more as an established and known quantity. Of the ranked European Union countries, most fall in the middle of the table. Germany is a notable exception. It retains its position in the bottom tier of the table and compliance with its strict data protection laws is still seen as challenging. In broad terms, however, the key rises and falls in ranking appear on the back of changes occurring in those jurisdictions outside of Europe.

The marked change in ranking for Singapore, from the top tier to the bottom of the table, calls for attention. The approval on 15 October 2012 by Singapore’s Parliament of the country’s first full-coverage data protection law marks a clear departure from its previously more limited and sectoral approach to data protection and reflects the intention to position the country as a leading financial services and data hub in the region. The law came into force from January 2013; however, a transition period of eighteen months for the main provisions of the law means that businesses have until 2 July 2014 to bring their processes into compliance.

The dramatic 30 place drop by New Zealand reflects the formal recognition by the European Commission (EC) of the adequacy of its personal data protection law on 19 December 2012. This finding has the effect of removing legal restrictions on personal data transfers out of the European Economic Area to this country. The EC recognition follows amendments made to New Zealand data protection law by way of the Privacy Cross-border Information Amendment Act 2010. Among other things, this introduced controls around exports of data outside of New Zealand and extended rights of access to all data subjects, rather than just New Zealand citizens.

Australia’s big drop of 27 places in the table reflects a number of enhancements made to its existing data protection legislative framework in recent years. These include the Privacy Amendment (Enhancing Privacy Protection) Act 2012. This law, which comes into effect in March 2014, will replace the existing National Privacy Principles with new Australia Privacy Principles. The new Principles comprehensively extend the regime around the collection, use, disclosure and transfer of personal data. The law also introduces a new definition of personal data more aligned with that within European data protection law.

Japan is another big mover, dropping 20 places from 11th to 31st position. The reason for this shift is not immediately apparent, but may concern the controversy around the passage into law, on 24 May 2013, of a national ID Number System. The ID system will see citizens being issued with a 12-digit identity number in 2016 for use by a large number of authorities, including for tax and social security purposes. The government is required by the new ID law to implement changes to the existing data protection regime. This is likely to be by way of reform of the 2003 Act on the Protection of Personal Information. This first step could lead to wider reform of data protection in Japan, a move that would be welcomed by one commentator, who pointed to the existing regime being “more in favour of business than individuals.”

The view from the top of the table

Sitting at the top of the table, India has no specific data protection law. A data protection Bill was tabled in Parliament back in 2006 but has made no real progress since our last report. Certain other measures are in place, including rights to compensation and enforcement mechanisms around failing to secure IT practices and procedures, however the position is summed up by one respondent who points to the “absence of business law restrictions and non-existent enforcement” in the country.

Brazil, in 2nd position, is now looking isolated among other BRIC countries where there has been a movement towards more comprehensive regimes for data protection in recent years. Brazil has no specific data protection law in force although there are constitutional rights relating to privacy and sector specific laws particularly in the banking and telecommunications industries. A Data Protection Bill was published in 2011 but the legislative process has proved slow to date. It is possible that increased personal data flows in the lead up to the hosting by Brazil of the World Cup in 2014 and the Olympic Games in 2016 may provide an impetus to introduce legislation ahead of these events.

The jump by Russia up 13 places to third rank in the table appears surprising. There is a Federal law on Data Protection enacted in 2006; however, it had been considered to be very strict and unworkable by some. Enforcement of the law was initially delayed until 2011 and early evidence suggested low levels of complaints and limited reports of enforcement. Recent developments may point to a future move back down the rankings. These include:

  • amendments to the law in July 2011 to improve some of the more unworkable elements and clarify the rules around when transfers of personal data are permitted outside of Russia;
  • a more proactive enforcement response from the Russian data protection authority in the light of recent high profile security breaches; and
  • the ratification by Russia of the International Convention 108 on the Automatic Processing of Personal Data.

Data Protection Sub-indices

View the Sub-indices table.

Unlike Brazil, Argentina has specific data protection law dating back to 2000 and the benefit of an EC finding of adequacy of protection for transfers of personal data from 2003. Its ranking reflects issues with the enforcement of the law. Enforcement activity appears limited and the level of compliance with the law on the ground is unclear. This is particularly the case with the processing of personal data in the provinces which are beyond the supervision of the controlling Federal authority and where not all provinces have taken steps to implement individual rights of access or to appoint local enforcement authorities. One respondent stated that “the majority of the databases which fall within the data protection legislation are not registered and there is no control over them.”

Italy is the only EU member state in the first Tier, up 13 places to rank 5th in the table. One factor behind this move may be recent amendments to the Italian data protection law (the Privacy Code, Legislative Decree of June 2003). In particular a law decree of February 2012 simplified the security rules, doing away with the obligation for organisations to maintain a Security Policy Document, which had been seen as a bureaucratic burden on business. Other helpful moves include amending the code to exclude legal persons from the definition of personal data. Perceived weaknesses in the enforcement of the law may however be another factor for this rating, with one respondent pointing to the DPA not being very open to dialogue with lawyers and clients and being pretty slow.

In China there has been a small move up the table. The absence of a specific legal data protection framework is supplemented by a few provisions touching on data protection under the General Principles of the Civil Code. A Personal Information Protection law was proposed in 2008 but has made no progress. More recently the National People's Congress issued its Strengthening Internet Information Protection (Decision) on 28 December 2012. This decision had immediate effect and applies to the use of personal electronic information online, requiring that the data is legitimate, proper and necessary and placing obligations on those collecting this data to be transparent with individuals about the purpose, method and scope of the collection. There are no civil remedies or criminal sanctions for a breach of the Decision but administrative sanctions include fines, confiscation of illegal gains, revocation of licences, closure of websites and prohibitions on further use of data. It is not clear how the sanctions in the law will be enforced in practice, but the decision is seen as an important first step by China and it will be interesting to see how this affects China’s ranking in the years ahead.

North America

The USA may seem like the elephant in the room given that this is a nation with no Federal level data protection law, yet it keeps company in the table with countries with some of the strictest data protection laws in the world. This anomaly can, in part, be accounted for by the presence of some strict sector laws and a divergent network of state privacy laws, including mandatory data breach reporting obligations. Enforcement of sectoral and self-regulatory codes falls to government agencies who can be aggressive in their enforcement of privacy breaches when stirred to action, imposing eye-watering fines in a number of high profile cases. Combine this with the propensity for class action cases and the USA’s ranking does not appear so strange after all.

Canada dropped 25 places down the rankings to near the bottom of the table. Although there have been no major changes to Federal data protection law, the release of a key Ontario Court of Appeal decision in January 2012 had the effect of recognising the existence of a tort of invasion of privacy, categorising ‘intrusion on seclusion’ as a cause of action in Ontario. The decision potentially opens the way for more class actions to be brought through the provincial courts, effectively bypassing the existing requirement for a complaint to the Privacy Commissioner and action through the Federal court.

Our view

The GIPI4 results show that activity in jurisdictions outside Europe is an important new focus area for respondents, with European data protection law seen as more static and dated. One EU based respondent referred to the terms and concepts of the law poorly reflecting today's information technology. Another respondent summarised the position by saying that “Data Protection laws and organisations are still in the 90’s, and not ready for the internet and new business models.”

The current EC Draft data protection reform process should change this position. Provided a final agreement can be reached on the content of the proposed Regulation, this may lead to future GIPI ratings for EU member countries shifting and, at the same time, becoming more closely aligned.


Vinod Bange

      

Sally Annereau


Vinod and Sally outline their findings from the GIPI4 report.
