Skip to main content

Beyond the Atlantic: Data privacy laws around the world

Lacking centralised standards

It's a view that's confirmed by CipherCloud, whose useful global compliance map gives country-specific information. "As our interactive compliance map demonstrates, Asian privacy laws are country-specific rather than regional," says Willy Leichter, global director of cloud security at CipherCloud. "Singapore has much stricter privacy laws, which likely developed because of its historically vibrant banking sector … but Asia lacks centralised control or standards between data protection authorities."

For example, take India, whose Information Technology Act was passed 15 years ago. "India has passed a principles-based law to protect data privacy," says Harkins. It's a start, but so far it's about specific sectors, not wide-ranging principles.

There's a similar scenario in China, a market of 1.3 billion people. "China is headed for a data localisation model, whereas jurisdictions are aiming for a more cautious approach," says Pang. China has had a national law on the collection of electronic information since 2012.

The model China is chasing is perhaps that of Russia. "All Russian citizen personal data can only be stored in Russia," says Nicky Stewart, Commercial Director at Skyscape Cloud Services. A reaction to NSA snooping, the law effectively makes Western technology companies' data on Russian citizens open to snooping by Russian authorities.

Indonesia still uses Blackberry laws

Indonesia still uses 'Blackberry laws'

Fast growing economies

Elsewhere in Asia there is a lack of blanket rulings, largely in the 'tiger' economies. "Some countries, such as Indonesia, have offered very particular rules surrounding the country's attitude to data privacy for years now – the old Blackberry requirements are an example," says Penny Jones, senior analyst for European services at 451 Research. In 2011, Indonesia, the world's most populous Muslim nation, forced Blackberry-maker, Canada's RIM, to censor pornography viewed via its handsets.

Another fast growing market, Latin America, is also in flux, with some specific targeted laws, but no blanket protection. "Uruguay, Colombia, Costa Rica and Mexico are all still developing their technological base and face speedy evolution in emerging requirements, meaning legislation and policy is difficult to keep up to date," says Robert Stroud.

China is moving towards data localisation

China is moving towards data localisation

A world in flux

When it comes to data privacy law, the world is in flux, and it's unlikely to come to equilibrium any time soon. "As much as an approach based on 'one size fits all' will not be the solution, many countries will continue to observe what the EU does and seek to select parts of the legislation that work well, leaving the not-so-practical elements," says Pang.

"There are 195 countries worldwide, and each may have their own laws and regulations – it is a complex task to be up to date with every country's laws," says Nigel Hawthorn, chief European spokesperson at Skyhigh Networks.

He recommends checking out the resources of law firms like DLA Piper, which give access to all current data protection laws around the world. From there it's straightforward to evaluate an organisation's compliance and gain insights into legal and regulatory compliance with data protection laws around the globe.

Politics will always play a part in data protection – see Turkey's recent banning of PayPal as one example (here's another) of the populist bashing of US technology firms.

Privacy standards may be feeding off each other, and to some extent they are harmonising, but before you do business in a new country check whether you're collecting data legally. In global data collection, less is always more.