Forrester Research Data Privacy Heat Map, 2015

North America

Canada

Some restrictions

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

No. The country has no constitutional support for privacy rights and no identifiable privacy laws.

Description

Canada is a North American country that has grown in parallel with the US both economically and technologically. Canada has a market-oriented economic system and affluent living standards, which have helped mark the country as a high-tech industrial society. As a founding country of the OECD and adopter of the OECD's guideline to privacy, Canada is deemed as having "adequate" data privacy standards by the EU. Canada does not prohibit transfer of data to a different jurisdiction for processing but has chosen an organization-to-organization approach to data transfer that is not based on the concept of adequacy. The new Canadian Anti-spam Legislation (CASL) came into effect July 1, 2014; CASL regulates most electronic interactions and has implications for collection and use of personal information or electronic addresses. On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA) into law. The DPA amends PIPEDA to require organizations to simplify consent forms and terms around the use of individuals' data. The DPA also contains new data breach notification requirements for companies subject to PIPEDA; companies in violation of those requirements will be subject to fines of up to 100,000 CAD.

Costa Rica

Some restrictions

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Costa Rica is located in Central America, bordered by Nicaragua to the north and Panama to the south. Costa Rica has rightfully earned a reputation for its flora and fauna: Despite occupying only .03% of the planet's surface, the country hosts more than 5% of the world’s biodiversity. Costa Rica published a new data protection law in 2011 called the Law on the Protection of Individuals Against the Processing of Personal Data, making it the seventh country in Latin America to do so. On March 5, 2013, Costa Rica enacted the Regulations of the Law of Protection of the Individual in the Processing of Personal Data. The wide-ranging regulation took effect immediately, expanding and clarifying many aspects of the law. Critics of the law cite its lack of breach notification regulations, which would be necessary for Costa Rica to ever be considered an "adequate" third-party data handler by the EU.

Mexico

Some restrictions

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Mexico is a federal constitutional republic in North America. Police corruption and continual violence from drug cartels plague the Mexican state. Mexico has proved its commitment to data privacy by enacting a comprehensive data protection law, the Federal Law on the Protection of Personal Data Held by Private Parties, in 2010. This replaced the previous 33 separate sectoral laws governing data privacy in Mexico. In 2014, the Mexican data protection authority (the Institute of Access to Information and Data Protection) announced that it would be stepping up investigations and regulatory fines associated with noncompliance with the law. However, its struggle with organized crime and drug cartels has led it to enact surveillance laws that impact its privacy stance.

United States of America

Minimal restrictions

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

Limited. Selected personal information is covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

Limited. All private entities or all public entities are covered by enforceable legislation, or some mix or large exceptions in either category exist.

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Integrated. An enforcement agency has been established but with no clear separation from regular law enforcement agencies.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Limited. The country is recognized as an EU "third country" with substantial (not just PNR) protections, has specialized Safe Harbor status (currently US-only), or has been recommended for "adequacy" status under Article 29.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Alarm. Surveillance practices are known to impact privacy negatively, or the country is known to have no laws controlling surveillance.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

The United States of America is a federal constitutional republic whose contiguous states are in central North America; it also has outlying states Alaska and Hawaii, along with other territories. The US is one of the major world economic powers, and as such the EU has carved out a set of Safe Harbor rules that US companies can be certified to follow in order to allow relatively easy flow of data between the regions. In 2013, a US citizen (Edward Snowden) working as a contractor for the United States National Security Administration (NSA) released evidence of widespread government electronic surveillance conducted by the United States government. This surveillance has been purported to span phone, email, and web communications. In May 2015, the United States Court of Appeals ruled that this form of bulk collection of telecommunications metadata is illegal. In response, on June 2, 2015, Congress hastily passed the US Freedom Act after key provisions of the War on Terror-era USA Patriot Act expired. The Freedom Act is compromise legislation that prohibits the government's bulk collection of metadata on US citizens but preserves surveillance in other forms.

Europe

Austria

Some restrictions

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

Austria is a parliamentary representative democracy composed of nine federal states. Austria has been a member of the UN since 1955, joined the EU in 1995, and was a founder of the OECD. It also signed the Schengen Agreement in 1995 and adopted the euro in 1999. The Austrian Federal Constitutional Law neither explicitly recognizes the right to privacy nor contains a clear competence clause. As a result, power is split between the federal and state levels. The federal data privacy act, known as the Datenschutzgesetz 2000 and based on the EU Directive 95/46/EC on data protection, contains several constitutional provisions, including the fundamental right to data protection. Beyond that, Article 8 of the European Convention on Human Rights is referred to in most privacy cases. In the course of 2014, privacy advocates' criticisms rose against the Austrian government as it emerged that the US National Security Agency had widely tracked Austrian citizens' communications. In 2015, all parties of the Austrian parliament adopted a resolution calling upon the government to take effective measures against illegal spying activities. Across all European member states, Austria currently has the lowest fines for noncompliance with data protection laws, but changes to the current regime will be introduced by the upcoming General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on. The regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Belgium

Most restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Belgium is a member state of the EU. It is also a member of the CoE and has ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Belgium is also a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy. The Belgian general data protection commission, together with sector-specific committees, oversees data privacy practices in the country. Belgium is the first European country to implement smartcard-based national ID cards, allowing citizens to use the same eID card for both eCommerce activities and day-to-day authentication. Privacy advocates have widely criticized this practice because it makes it relatively easy to correlate citizens' data on a wide spectrum of activities. Belgian law bans anonymity for telecommunications services subscribers. In 2013, the data protection commission issued new guidelines on information security, and a year later it published guidelines for compliance with regulatory requirements on cookies. Also in 2014, the Belgian government appointed a secretary of state responsible for privacy matters and introduced a draft bill regarding amendments to the Belgian Data Protection Act in line with the new EU data protection law. This includes, for example, new requirements about "consent." The amended Act is expected to be enacted in the course of 2015 and will be a transitional legal framework to the European General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on. The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Bulgaria

Some restrictions

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Bulgaria is a parliamentary republic. It adopted the European Convention on Human Rights in 1992, 15 years before formally joining the EU in 2007. Bulgaria is also a member of NATO, the UN, the CoE, and the World Trade Organization. It was also a founding member of the OSCE and the Black Sea Economic Cooperation Organization. The Bulgarian constitution of 1991 affirms the right to privacy for all citizens, as well as secrecy of communications and access to information. Beyond that, the PDPA was adopted in 2001 as preparation for accession to the EU and modified in 2013 to fully implement the European Directive 95/46/EC. After fraudulent use of citizens' personal data by political parties sparked an outcry in 2014, the Bulgarian Commission for Personal Data Protection put together plans for a meeting to address the complaints. New legislation is currently being discussed. Additional changes to the current regime will also come from the General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on. The regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Czech Republic

Restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

The Czech Republic joined the EU in May 2004 and is a member of the CoE. It is also a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Data Protection Act and a number of sector-specific regulations govern citizens' privacy in the Czech Republic. In 2015, the government committed to strengthening its control over citizens' communications to protect against terrorism, but no progress has been made so far. While wiretapping must be authorized by a court, there is an exception for the Czech Security Information Service, whose actions are justified by reasons of "national interest" and which answers directly to the prime minister (and not to the Parliament). However, evidence has emerged that the supervision of the Czech Security Information Service is not watertight and that its actions are not authorized and are therefore illegal. The government has pledged to make security and vigilance tighter at the national level, but it has not taken action so far. In the Czech Republic, workplace privacy for employees is an issue that is under constant debate; current laws do not clearly guarantee workplace privacy. The Czech data protection regime is due to be updated with the introduction of the General Data Protection Regulation (GDPR). This regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Denmark

Most restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Denmark is a member state of the EU; the Kingdom of Denmark also includes the autonomous country of Greenland. Denmark is a member of the Council of Europe and has ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the Convention on Cybercrime. Denmark is a member of the Organisation for Economic Co-operation and Development and has adopted the OECD Guidelines on the Protection of Privacy. The original Danish data protection acts apply within Greenland, but the amendments in accordance with the EU Data Protection Directive do not extend to Greenland. Danish privacy laws previously prohibited spamming, but the adoption of the EU Privacy and Electronic Communications Directive in 2003 has somewhat relaxed that rule. However, the Danish court system still frowns on electronic spamming and has fined some companies for it. The EU Commission, EU Parliament, and Council of Ministers are working on a new EU General Data Protection Regulation (GDPR). The regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Estonia

Most restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Estonia is a member of the CoE and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. The Personal Data Protection Act divides personal data into "personal data," "sensitive personal data," "biometric data," and "genetic data." "Personal data" is any data concerning an identified natural person or a natural person to be identified, regardless of the form or format in which such data exists. Processing of "sensitive personal data" requires the processor to register with data protection authorities or to appoint a person responsible for the processing of sensitive personal data. Examples of sensitive personal data include data revealing a person's political opinions or religious or philosophical beliefs, ethnic or racial origin, or state of health. The EU Commission, EU Parliament, and Council of Ministers are working on a new EU General Data Protection Regulation (GDPR). The regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Finland

Most restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Finland joined the EU in 1995. It is also a member of the CoE and has ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the Convention on Cybercrime. Finland's Electronic Communications Act ensures citizens' rights to confidential communications. Finland is a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy. The EU Commission, EU Parliament, and Council of Ministers are working on a new EU General Data Protection Regulation (GDPR). The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

France

Some restrictions

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

France is a founding member state of the EU. It is part of the CoE and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the Convention on Cybercrime. France is also a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The French Data Protection Act complies with the European Data Protection Directive 95/46/EC, and French employees have a recognized right to privacy in the workplace. In 2014, France passed a new consumer rights bill, which now includes data protection principles such as informed consent in relation to canvassing and expands control and investigation powers of the national data protection authority (CNIL). Evidence of extensive surveillance activities has heightened criticism of France's privacy stance in recent years. Additionally, in 2015 the French parliament adopted new laws which restructured the legal framework of French surveillance agencies, granting them significant new powers. Watchdog organizations have questioned the French government for implementing procedures potentially leading to privacy violation, such as building a national database and using biometrics in schools. The EU Commission, EU Parliament, and Council of Ministers are working on a new EU General Data Protection Regulation (GDPR). The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Germany

Restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Germany has one of the world's largest economies and highest standards of living. The country is a founding member state of the EU. Germany is part of the CoE and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the Convention on Cybercrime. Germany is also a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Federal Data Protection Act (the "Bundesdatenschutzgesetz") governs data privacy practices regarding federal and private entities in Germany; state-controlled data falls under the auspices of specific state-level regulations. Germany has traditionally been viewed as an exemplar of strong respect for privacy and data usage control on both the legislative and cultural levels. For example, it has taken a leading role in challenging the practices of some social networks that offer features affecting privacy. Additionally, in early 2015, Germany's federal cabinet approved a new bill that gives consumer protection associations the right to sue private businesses directly for improper handling of consumer data. Despite these examples of a strong commitment to data privacy, revelations by whistleblower Edward Snowden detail a partnership with the German government in which private citizens' electronic communications were shared with the US. It is this potential surveillance activity that causes Germany to fall out of the group of "very restrictive" countries for the first time since the Forrester Data Privacy Heat Map was first published in 2012. The NSA revelations have also raised questions about the effectiveness of the current legal basis (the so-called Safe Harbor Regulation) for transferring EU citizens' personal data safely in the US. While the EU has yet to make a final decision on its suspension, data protection authorities in Berlin and Bremen have already expressed their intention to suspend data transfers between Germany and US-based companies. Moreover, additional changes to the current regime will come from the General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on. The regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Greece

Most restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Greece has been a member of the EU since 1981 and the Eurozone since 2001; it was also a founding member of the United Nations. It is part of the CoE and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the Convention on Cybercrime. Greece is a founding member of the OECD and as such has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Greek Data Privacy Authority is independently led by a high-ranking official and may impose administrative or penal sanctions, which may include imprisonment. The EU Commission, EU Parliament, and Council of Ministers are working on a new EU General Data Protection Regulation (GDPR). The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Hungary

Some restrictions

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Hungary has been a member of the CoE since 1990 and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. Hungary became a member of the EU in 2004. In 2014, Hungary was found to have contravened EU Data Protection law when, in 2012, it terminated the country's Data Protection Commissioner's term early. Hungary became a member of the OECD in 1996 and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Overall, there is a paradoxical relationship between law enforcement and privacy in Hungary. It has been reported that the Hungarian National Security Service regularly installs black boxes on ISPs' networks and intercepts communications without warrants. In 2007, the constitutional court ruled that the current judicial guarantees in the criminal procedure law and in the national security sector were inadequate to provide sufficient protection to the right to privacy of the citizens. This led to the passage of a revised data protection framework, the Hungarian General Data Protection Act, enacted in January of 2012. The new laws expanded on existing data privacy regulations, giving the data privacy authority broader enforcement measures as well as additional laws for data controllers. Additionally, in 2015, new amendments to the act were proposed to provide for Binding Corporate Rules (BCRs) and stronger penalties for noncompliant companies, among others. The EU Commission, EU Parliament, and Council of Ministers are also working on a new EU General Data Protection Regulation (GDPR). The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Iceland

Restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Iceland is a member of the European Economic Area and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the Convention on Cybercrime. As a member of the European Free Trade Association, Iceland is obliged to ensure that its laws, in certain fields, are compatible with those of the EU. Iceland is a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Icelandic Data Protection Act mirrors the EU Data Protection Directive 95/46/EC, and it is part of a broader regulatory regime for the protection of privacy, which also includes the Information Act, National Archives Act, and Rules on Electronic Surveillance. The data protection laws in Iceland distinguish between sensitive and nonsensitive data. In 1998, the parliament approved an act to create a nationwide centralized database of medical records for genetic research. In 2000, the minister of health granted an exclusive 12-year license to operate that database to an Icelandic subsidiary of American biotech company deCODE genetics. Due to its stringent privacy laws, Iceland has been dubbed a "free-speech haven" in the media. However, revelations of widespread surveillance activities by the US National Security Agency have generated doubts about the real level of surveillance protection offered by the country.

Ireland

Some restrictions

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

Ireland is a founding member state of the EU. It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Ireland is also a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Ireland adopted the Data Protection Act in 1988 and further amended it in 2003 to strengthen the standards for personal data protection in line with the EU Directive 95/46/EC. Moreover, the Irish Supreme Court has ruled that an individual may invoke the personal rights provision contained in the constitution as an implied right to privacy. Ireland hosts the European headquarters of the world's largest technology companies, such as Facebook, LinkedIn, and Google. Despite its activities, the Irish data protection authority has often been criticized for allegedly operating a light-touch regulatory regime. As a result, in 2014, the Irish government took measures to increase resources and enforcement powers of the authority. Further changes to the national data protection regime are expected due to the new EU General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on. The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Italy

Some restrictions

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

Italy is a founding member state of the EU. It is part of the CoE and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the Convention on Cybercrime. Italy is also a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Italy adopted its data protection act in 1996 and amended it in 2003 to better reflect the standards of the European Directive 95/46/EC. Italy has some of the toughest antispam rules in Europe. Spamming is considered an act of theft and is punishable by up to three years' imprisonment. The Italian government, however, has been widely criticized by privacy advocates for passing a law in 2013 that weakens the legal requirements for governmental surveillance. Breaking a tradition of more stringent rules, the Italian government now allows public bodies to access data from telecommunication providers, Internet providers, and energy companies for public safety and security reasons without prior authorization. Further changes to the current national data protection regime are expected due to the new EU General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on. The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Latvia

Restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

After a time as part of the Soviet Union, Latvia declared its independence in 1991. Latvia became a member of the EU in 2004 and signed the Lisbon Treaty in 2007. Latvia adopted a comprehensive data protection law based on standard fair information practices and the EU Data Protection Directive. Data processing systems in the areas of "public safety, combating of crime or national security and defense" or those maintained "by institutions specially authorized by law" are exempt from certain regulations, although the police do not fall under these exemptions. Changes to the national data protection regime are expected due to the new EU General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on. The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Lithuania

Restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

After a time as part of the Soviet Union, Lithuania declared its independence in 1991. Lithuania has been a member of the EU since 2004. It has been part of the CoE since 1993 and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the Convention on Cybercrime. Lithuania's data privacy laws have their foundation in the Civil Code as well as in the Law on Legal Protection of Personal Data. Although the data protection authority is financed by the government, it maintains its independence while carrying out its duties. In 2011, the Lithuanian government included in the Law on Protection of Personal Data a separate section on video surveillance, establishing video surveillance as ultima ratio. Shortly after that, the State Data Protection Inspectorate showed its teeth by barring Google from capturing "street view" images in the country. However, privacy watchdogs criticized Lithuania when it came to light in 2014 that the Lithuanian secret service had wiretapped journalists. This opened a debate about the discretionary powers of law enforcement agencies. Changes to the privacy regime of the country are expected to take place as the EU Commission, together with the EU Parliament and Council of Ministers, is working on a new EU General Data Protection Regulation (GDPR). The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Luxembourg

Most restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Luxembourg is a founding member state of the EU. It is a part of the Council of Europe. Luxembourg has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Luxembourg is a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. In Luxembourg, the Data Protection Authority has extensive powers over data controllers. Laws on electronic commerce stipulate that unsolicited electronic communications must be opt-in. In 2015, the Luxembourg government proposed a new bill to govern data retention, which forces telecom and Internet providers to irrevocably delete telephone and Internet traffic data of their customers after six months. Failure to respect this term may be punished with up to two years of imprisonment. Wiretapping and police surveillance are strictly controlled under the Criminal Investigation Code. In 2013, the Luxembourg data protection commissioner launched an investigation against Skype over allegations of granting the US National Security Agency (NSA) access to customer data of Luxembourg citizens. The investigations did not bring to light any elements of mass surveillance, but in early 2014, NSA contractor Edward Snowden claimed that mass surveillance took place in the country. Changes to the privacy regime of the country are expected as the EU Commission, together with the EU Parliament and Council of Ministers, is working on a new EU General Data Protection Regulation (GDPR). The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Netherlands

Most restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy"

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

The Netherlands is a founding member state of the EU. It is a part of the Council of Europe. The Netherlands has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the Convention on Cybercrime. The Netherlands is also a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Netherlands' strict Data Protection Act reflects the high standards for the protection of personal data of the EU Directive 95/46/EC. Electronic spamming is prohibited by Dutch laws (but work email addresses are not covered by the law). In early 2015, the Dutch government updated its cookie regulation and proposed amendments to the current data protection regime to introduce the duty to report personal data breaches and make them public. A review of the Dutch Intelligence and Security Act 2002 (Wiv 2002) is also being carried out by the Dutch government, which has committed to improve the law in line with the requirements of the European Convention on Human Rights, and to create a dedicated committee for reporting suspected wrongdoing. In addition, the Telecommunications Act requires all Internet service providers to provide the capabilities for wiretapping. Changes to the current national data protection regime are expected due to the new EU General Data Protection Regulation (GDPR), which the EU Commission, together with the EU Parliament and Council of Ministers, is working on. The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Norway

Restricted

Scope of protection

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

Norway is a member of the CoE and part of the Schengen area. Norway is not a member of the EU. Norway has signed and ratified the European Convention on Human Rights, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the Convention on Cybercrime. Although Norway is not a member of the EU, its Personal Data Act is designed to bring Norwegian law into accordance with the EU Data Protection Directive. Norway is a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy. The country has a history of publishing tax-assessed personal income data. Various proposals have been made to tighten the general media's access to such data, but no concrete progress has been made. Norwegian police keep a DNA sample database for anyone who has ever been convicted of a crime. Laws governing access to this data are fragmented.

Poland

Restricted

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Poland joined the EU in 2004. It is also a member of the CoE and has ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Poland is a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy. Poland's recent amendments to data protection laws are largely viewed as restrictive; they impose strict sanctions on data collectors that are not compliant. Polish courts adopt the view that IP addresses are private data and should be protected. However, the Polish police are believed to have carried out a great deal of wiretapping every year without much oversight. The laws governing the retention and use of data gathered during wiretapping are fragmented. Several provisions in the Police Act have been found unconstitutional by the courts. Changes to the privacy regime of the country are expected as the EU Commission, together with the EU Parliament and Council of Ministers, is working on a new EU General Data Protection Regulation (GDPR). The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Portugal

Most restricted

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Portugal joined the EU in 1986. It is part of the CoE and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Portugal is a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Portugal has a mandatory national ID card system, which is widely adopted. In 1998, Portugal adopted national regulations to protect citizens' privacy in data collection and processing operations. In 2014, the Portuguese data protection authority penalized a mobile operator for unlawful access to telephone records with the highest fine ever imposed in the country's history. Portugal is one of few countries with no recent record of government surveillance activities. The General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on, will change the current data protection regime in the country. The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Russia

Minimal restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Alarm. Surveillance practices are known to impact privacy negatively, or the country is known to have no laws controlling surveillance.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Russia, also known as the Russian Federation, is a country in northern Eurasia and is the largest country in the world by land area. It has been governed as a federal republic since the fall of the Soviet Union in 1991. Russian privacy and data protection law is fairly comprehensive in formal terms, but fines for noncompliance are very low. Russia is considered by some to be one of the "endemic surveillance societies" based on its culture and history. In 2014, Federal Law No. 242-FZ was signed by the president; it will require all "data operators" that process personal data of Russian citizens to do so on servers/databases within Russia. This law will come into effect on September 1, 2015.

Slovakia

Most restricted

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Slovakia is a member of the CoE and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. Slovakia joined the EU in 2004. As of 2009, the European Court of Human Rights has twice found that Slovakia violated the right to privacy, per the EU's definition. In one case, the ministry of the interior authorized an investigative team to wiretap a lawyer's mobile phone to obtain information concerning one of the lawyer's clients who was suspected of being involved in organized crime activities. In April 2015, the Constitutional Court of the Slovak Republic ruled that the mass surveillance of citizens is unconstitutional. The General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on, will change the current data protection regime in the country. The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Slovenia

Most restricted

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Slovenia is a member of the EU, the eurozone, and the Schengen Area. It is part of the CoE and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. Slovenia is a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Its data privacy laws are comprehensive and frequently updated to reflect changes in technology. Slovenia has taken action on many aspects of privacy, including classifying location data as protected information. In July 2015, the Slovenian constitutional court ruled data retention unconstitutional and has made changes to original provisions to delete such data retained in electronic communications due to major breaches in privacy; the commissioner has issued guidelines on privacy impact assessments (PIAs) for the introduction of new police measures to better enforce this new provision. The General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on, will change the current data protection regime in the country. The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Spain

Restricted

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Spain is a member state of the EU. It is also a member of the CoE and has ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the Convention on Cybercrime. Spain is also a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy. Additionally, Spain is a member of the Ibero-American Data Protection Network. The Spanish data protection regime includes not only the data protection act (LOPD), which mirrors EU rules, but also the royal decree 1720/2007 (RLOPD) and a number of sector-specific regulations. The Spanish Data Protection Agency has published numerous guidelines intended to help companies implement its data protection laws, including the Data Protection Guide for Database Owners, the privacy impact assessment for businesses, and a guide on the proper use of video surveillance. In early 2015, the Spanish Minister of Internal Affairs launched a new electronic identity card to prevent identity theft and improve safety. Changes to the national data protection regime are expected due to the new EU General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on. The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Sweden

Some restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Sweden has been in the EU since 1995. It is a member of the CoE and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Sweden is a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Despite criticism over the government's use of communication interception, Sweden was among the first countries in Europe to introduce data protection legislation, with the Swedish Personal Data Act of 1998. In March 2012, Sweden passed a new data retention law in line with the EU Data Retention Directive, which has created much controversy among privacy advocates due to the increased power of government surveillance. The General Data Protection Regulation (GDPR), which the EU Commission, EU Parliament, and Council of Ministers are working on, will change the current data protection regime in the country. The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Switzerland

Some restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Switzerland has a long history of neutrality, refusing to join the UN until 2002. It is now home to many large international organizations. Switzerland is a founding member of the European Free Trade Association but is not a member of the EU or the European Economic Area. Switzerland enacted the Federal Data Protection Act of 1992, which regulates personal information held both by the federal government and private entities. In spite of this central law, almost all 26 Swiss cantons (states) have separate data protection laws, and each has its own commissioner. To allow them to work together, Privatim, the Swiss Association of Privacy Groups, was founded by these cantonal data privacy commissioners.

United Kingdom

Some restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Alarm. Surveillance practices are known to impact privacy negatively, or the country is known to have no laws controlling surveillance.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

The United Kingdom entered the EU in 1973. Encompassing England, Scotland, Wales, and Northern Ireland, the UK is a member of the CoE and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and the European Convention for the Protection of Human Rights and Fundamental Freedoms. The UK is also a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. In early 2015, the UK expanded the reach of national privacy laws, which now allow victims of personal data violations to claim compensation for emotional distress without having to prove that they suffered financial damages. The UK data protection authority (ICO) is already implementing this new principle. Widespread government surveillance and a recent ruling of the Investigatory Powers Tribunal declaring that regulations covering access by Britain's GCHQ to emails and phone records are in breach of human rights strengthen criticism of British intelligence agencies' activities. Moreover, in July 2014, the UK government introduced an emergency bill (the Data Retention and Investigatory Powers Act 2014, or DRIP), which grants intelligence and law enforcement agencies broad access to telecommunications data. In addition, in early 2015, the UK parliament passed a new law (the Counter-Terrorism and Security Act 2015), which forces telecommunications companies to retain more data linking users with their devices. The EU Commission, together with the EU Parliament and Council of Ministers, is working on a new EU General Data Protection Regulation (GDPR). The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Asia

China

Effectively no restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

Limited. All private entities or all public entities are covered by enforceable legislation, or some mix or large exceptions in either category exist.

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

No. No enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Alarm. Surveillance practices are known to impact privacy negatively, or the country is known to have no laws controlling surveillance.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

As the most populous country in the world, China has the world's fastest-growing economy and is undergoing what has been described as a second industrial revolution. China currently has a variety of decisions, rules, a voluntary national standard, and drafts that augment the national standard and existing law to bring additional personal information and privacy protections for consumers. In March 2015, the Measures for Punishments against Infringements on Consumer Rights and Interests took effect. The State Administration of Industry and Commerce has provided definitions and examples of what constitutes personal information, as well as penalties for compliance failures.

Cyprus

Restricted

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Cyprus, a former British colony, is an island country in the eastern Mediterranean Sea. It is home to some of the earliest records of human history. Following a two-year weakening of the Cypriot economy, a bailout plan was announced in March 2013 by the European Central Bank to aid the country's failing banking industry. Cyprus is a member of the European Union and the eurozone. Cyprus adopted a national law on the processing of personal data in 2001 and updated it in 2003 and 2012 to fully implement the European Directive 95/46/EC. Today, Cyprus has a modern and well-governed privacy and data protection apparatus. Its Processing of Personal Data Law harmonized the country's laws with the requirements of the EU Data Protection Directive. According to revelations by NSA contractor Edward Snowden, Cyprus is home to British and US secret bases for the surveillance of the Middle East territories. The EU Commission, EU Parliament, and Council of Ministers are working on a new EU General Data Protection Regulation (GDPR). The Regulation will replace the existing Data Protection Directive 95/46/EC and the national data protection laws of the EU member states, harmonizing data protection legislation across Europe. It is expected to be approved in late 2015 and enter into force in 2017.

Hong Kong

Some restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Hong Kong is a Special Administrative Region of the People's Republic of China (PRC). As of 1990, it is governed by a constitution known as the Basic Law, which differs significantly from China's constitution and governance practices. Hong Kong has fairly strong provisions for preserving data privacy. Its close relationship with the PRC, however, may give pause. Amendments have given the PCO enforcement powers, including penalties such as fines of between 500,000 HKD and 1 million HKD (64,500 USD and 129,000 USD) for malicious disclosure of personal data without consent. Recent additional amendments to Hong Kong's PDPO include significant changes that relate to the use, transfer, and sale of personal data for direct marketing, and to the powers of the Privacy Commissioner. Other new changes relate to exemptions and penalties. In January 2015, Hong Kong published guidance on cross-border data transfers, although at this time following this guidance is voluntary.

India

Minimal restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

Limited. All private entities or all public entities are covered by enforceable legislation, or some mix or large exceptions in either category exist.

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

No. No enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Located in South Asia, India is the second most populous country in the world and the seventh largest country by area. India has been one of the fastest growing major economies since the early 1990s, and it ranks seventh among countries in overall military expenditure. Textiles, chemicals, and rice are among the country's top exports. In 2011, a new data protection framework was enacted, but it applies only to the private sector. Under the rules, organizations are required to obtain written consent from individuals, have clear and easily accessible statements of privacy policies, implement reasonable security practices, and have comprehensively documented security policies. Transferring personal data to a third party requires certain conditions to be met, including that the third party afford the same level of data protection in India, and that the transfer is necessary for the performance of the lawful contract or the information provider has consented to such transfer. Disclosure of "personal information" with the intent of causing wrongful loss or wrongful gain is punishable by imprisonment for up to three years or by a fine of 500,000 INR. A draft Right to Privacy Bill was circulated in 2014, and it proposed a Data Privacy Authority to oversee privacy regulation and impose fines for violations. The bill has not yet been signed. It is also worth noting that government corruption and surveillance present challenges to privacy in the country.

Israel

Most restricted

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

The State of Israel is a parliamentary republic in the Middle East, bordering Lebanon, Syria, Jordan, Egypt, the West Bank, and the Gaza Strip. Israel is widely recognized as the only Middle East nation with significant privacy legislation. The right to privacy is anchored at the basic constitutional level, although the country does not have an entrenched constitution. In 2010, Israel became a member of the OECD and has adopted OECD's guideline for privacy. Israel is officially recognized by the EU as providing an "adequate" level of protection.

Japan

Minimal restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

Limited. All private entities or all public entities are covered by enforceable legislation, or some mix or large exceptions in either category exist.

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Integrated. An enforcement agency has been established but with no clear separation from regular law enforcement agencies.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Limited. The country is recognized as an EU "third country" with substantial (not just PNR) protections, has specialized Safe Harbor status (currently US-only), or has been recommended for "adequacy" status under Article 29.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

Japan is a country composed of multiple islands off the eastern coast of Asia. After its defeat in World War II, in 1947 it adopted a monarchy governed by a constitution that bears similarities to that of the US. Japan passed a comprehensive privacy act in 2003, which came into effect on April 1, 2005, and applies to entities that process personal data on 5,000 or more individuals for six months or longer. Violation may result in penalties of up to six months in prison and civil penalties of up to 300,000 JPY (around 3,000 USD). There is no single supervising agency to enforce the act. Instead, multiple ministries have published guidelines specific to their supervised industries. In December 2013, the comprehensive privacy act came under review, and new amendments to this act are expected in 2015.

Malaysia

Minimal restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

Limited. Selected personal information is covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

Limited. All private entities or all public entities are covered by enforceable legislation, or some mix or large exceptions in either category exist.

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

Malaysia is a federal constitutional monarchy located in Southeast Asia, consisting of 13 states and three federal territories. It is a founding member of the Association of Southeast Asian Nations and has participated in the Electronic Commerce Steering Group's Data Privacy Subgroup since 2003. Despite an ongoing pattern of government surveillance, Malaysia has shown its dedication to enforcing data privacy within private entities through the passage of a comprehensive data protection law. The Personal Data Protection Act appoints a Personal Data Protection Commissioner and establishes a category of sensitive personal data that requires explicit consent in order to process. The law also imposes cross-border transfer restrictions, restricts direct marketing, and designates classes of data users who must register data processing activities.

Singapore

Minimal restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

Limited. Selected personal information is covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

Limited. All private entities or all public entities are covered by enforceable legislation, or some mix or large exceptions in either category exist.

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Alarm. Surveillance practices are known to impact privacy negatively, or the country is known to have no laws controlling surveillance.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

Singapore is a Southeast Asian city-state off the southern tip of the Malay Peninsula. It is a member of the UN and has adopted the Universal Declaration of Human Rights in its constitution. Singapore has a personal data protection act in effect today. Despite this, the government has a long history of communication interception against its citizens in order to suppress political rivals, and it remains to be seen whether its enforcement of the Universal Declaration of Human Rights will live up to the promise.

South Korea

Restricted

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

South Korea is a sovereign state in East Asia, located on the southern portion of the Korean Peninsula. Over the past decade, it has undergone a massive campaign to upgrade its telecommunications infrastructure, greatly increasing the number of broadband-connected citizens. In 2011, South Korea demonstrated its commitment to data privacy by enacting a comprehensive data protection framework. This replaces the previous patchwork of legislation, which only covered certain agencies and sectors. Amendments to the Act in 2014 increased penalties and fines equivalent to 3% of revenue, in addition to other requirements like breach notification within 24 hours.

Taiwan

Minimal restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Integrated. An enforcement agency has been established but with no clear separation from regular law enforcement agencies.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Alarm. Surveillance practices are known to impact privacy negatively, or the country is known to have no laws controlling surveillance.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Taiwan (formerly Formosa) is an island off the southeast coast of mainland China. It largely operates and wishes to be seen as a fully independent country, although its constitution formally ties it to the People's Republic of China (PRC). Taiwan's 2010 update of its Personal Data Protection Law gives it some tools for managing privacy concerns in a consistent fashion. However, Taiwan's ties to the PRC compromise its ability to be seen as an entirely safe player.

Thailand

Effectively no restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

Limited. Selected personal information is covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

Limited. All private entities or all public entities are covered by enforceable legislation, or some mix or large exceptions in either category exist.

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

No. No enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Alarm. Surveillance practices are known to impact privacy negatively, or the country is known to have no laws controlling surveillance.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

Thailand is located at the center of the Indochina peninsula and Southeast Asia. Over the past two decades, economic growth has been steadily high within the kingdom due to strong exports and tourism. Thai society does not have privacy inherent in its culture, as it has been historically bureaucratic and collective. Therefore, collection of personal information by the government is often seen as legitimate and correct. There are laws governing public entities and sectoral laws for private entities, but a comprehensive data protection plan is yet to be reached. Government surveillance is also rampant within the country. In 2015, the Cabinet of Thailand approved a draft data protection bill that allows data subjects to request access to and update data held by controllers. The proposed bill also calls for a Protection of Personal Data Commission that would enforce compliance with the new law.

Turkey

Minimal restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

No. No enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Located in western Asia, Turkey is a member of the CoE and the OECD. With a long and culturally significant history, Turkey has slowly integrated itself with the West through memberships such as these. Turkey has a long history of government surveillance on its citizens. As part of its bid for entrance into the EU, Turkey has been working on a comprehensive data protection law that will cover both public and private individuals when enacted.

South America

Argentina

Most restricted

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Argentina is a federation of 23 provinces and the autonomous city of Buenos Aires. It is a founding member of the UN, Mercosur, the Union of South American Nations, the Organization of Ibero-American States, the World Bank Group, and the World Trade Organization. It is also one of the G-15 and G-20 major economies. Article 43 of the Argentinian constitution provides a right of "habeas data," which gives any person the right to "file an action to obtain knowledge of the content and purpose of all the data pertaining to him or her" for both public and private entities. This was further bolstered in 2000 with the passing of the Law for the Protection of Personal Data. It is based on the EU Data Protection Directive and the Spanish Data Protection Act of 1992. In 2015, Argentina also passed new data privacy regulations pertaining to the use of CCTV as well as more clearly defined DPA sanctions for data privacy violations related to the use of "do not call" registries.

Brazil

Minimal restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

Limited. Selected personal information is covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

No. No enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Brazil is the largest country in South America and the world's fifth largest country. Its rapid economic development comes with severe income inequality, although government investment in education in recent years has reduced the education gap in the country. Privacy in Brazil is currently governed by the Brazilian constitution and a number of provisions such as the Consumer Protection Law, Telecommunications Act, and The Brazilian Civil Code. Additionally, a new law that went into effect on June 23, 2014 (called the "Marco Civil da Internet" or Brazilian Internet Law) mandates that any Internet service provider (ISP), search engine, social media site, or any web service that hosts user-generated content must implement data protection measures to safeguard personally identifiable information. The legislation extends to any Brazilian or non-Brazilian company that stores data on Brazilian citizens. On January 28, 2015, the Brazilian government released the Preliminary Draft Bill for the Protection of Personal Data ("Anteprojeto de Lei para a Proteção de Dados Pessoais"), which aims to restrict the automated processing of personal data processed or gathered in Brazil. The bill prohibits the processing of personal data without express consent, limits data transfer to countries with less stringent data protection laws, and requires immediate reporting of data breaches to the appropriate authorities. The government created a website to host debate over the bill, and the debate is currently ongoing.

Chile

Minimal restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

No. No enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Chile is a long, narrow country on the west coast of South America, with the Andes mountains to the east. It is one of the most prosperous countries in the region. In 2010, it became the first South American country to join the OECD. Chile was the first Latin American country to enact a data protection law, the Law on the Protection of the Private Life, which was promulgated in 1999 and is based on Spain's framework data protection statute. Although the country has constitutional privacy protections, its actual enforceable protections are relatively weak. A new data privacy bill is set to be unveiled in 2015, with amendments that seek to bring Chile in line with Organization for Economic Cooperation and Development (OECD) data protection standards as a means of developing trust in the financial services industry and balancing individual privacy issues with public disclosure requirements of businesses. The new bill would create an autonomous National Council for Data Protection that would promote control of personal data by individuals and have powers to impose fines of up to 342 million CLP (565,421 USD) if personal data is fraudulently collected or misused.

Colombia

Some restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

Colombia was the first constitutional government among the South American countries; the government was formed in 1811, and it is the only South American country that has never had a coup. Colombia has a longer history than most of putting privacy and data protection rules onto paper, having relied on vague constitutional provisions and a patchwork of laws to regulate data privacy in the country. However, in October 2012, the Colombian government passed its first omnibus data privacy law covering data controllers and processors for both private sector and public records. Subsequent regulations were issued on June 27, 2013 to implement its data protection laws.

Paraguay

Effectively no restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

Limited. Selected personal information is covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

Voluntary. Data protection legislation exists, although compliance is not enforced.

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

No. No enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

No. The country does not meet EU adequacy but does have data protection legislation.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

Paraguay is located in South America, just east of Brazil. The constitution governing this republic came into force in 1992. The Latin American region generally challenges its constituent nations, including Paraguay, to live up to privacy legislation in deed. As it is, Paraguay's legal protections are not very deep. The country has also recently put forward a bill which, if passed, will require Paraguayan telecom providers to store personal information about their customers' Internet use for one year (for future access by law enforcement agencies).

Uruguay

Some restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

The Eastern Republic of Uruguay is located in South America, southwest of Brazil. It has Spanish, Italian, and Portuguese roots. The country has high literacy rates and a large urban middle class. Uruguay's constitutional and legislative protections for privacy and data are sophisticated, and it has won a coveted recommendation of EU "adequacy" from the Article 29 Working Party. This is a sign of trust in the country, given the tendencies in the Latin American region toward privacy-overriding government corruption and surveillance related to drug trafficking.

Australia

Australia

Some restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

Limited. All private entities or all public entities are covered by enforceable legislation, or some mix or large exceptions in either category exist.

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Limited. The country is recognized as an EU "third country" with substantial (not just PNR) protections, has specialized Safe Harbor status (currently US-only), or has been recommended for "adequacy" status under Article 29.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

Australia comprises the Australian continent, the island of Tasmania, and additional islands. Several British colonies federated in 1901 to form today's Australia, which is organized into states and territories. Australia has not been granted EU-adequate status and makes some significant exceptions in the handling of personal data by many smaller commercial entities. However, it has a broad definition of personal data and has an enforceable legal regime for its protection. In March 2014, new Australian Privacy Principles (APPs) were published that consolidate and supersede the previous public sector and private sector regulations. The APPs strengthen direct marketing and cross-border transfer provisions. The newness of the APPs suggests that interpretation in practice will take a while to stabilize. Note that the 2014 reforms do not apply to Australian Capital Territory agencies.

New Zealand

Some restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Yes. The country fully meets "adequacy" requirements, whether an EU member or nonmember.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Caution. The legal barrier to substantiate necessity for surveillance is low, or surveillance practices do not follow legal restrictions.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

New Zealand is an island country in the Pacific Ocean, part of the "Australia and Oceania" region. New Zealand is a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Telecommunications Act requires all ISPs to be equipped with the capability for communication interception by law enforcement. In December 2012, the European Commission announced that New Zealand is considered to have an "adequate" level of data protection.

Africa

Nigeria

Effectively no restrictions

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

None. No data protection legislation exists.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

None. No data protection legislation exists.

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

No. No enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

None. No data protection legislation exists.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Unknown. The extent of surveillance practices impacting privacy is unknown, or it's not possible to determine the operative surveillance law.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Limited. The country has no explicit constitutional support for privacy rights but does have either sector-based or regional privacy laws.

Description

Nigeria is an African country with over 187 million inhabitants, making it the largest African country in terms of population. In April 2007, it underwent its first democratic transition between two civilian governments. Nigeria has some constitutional privacy protections but no laws enforcing practical privacy or data protection. Currently, the government of Nigeria is in the nascent stages of establishing a data protection law that will cover data processed by private entities.

South Africa

Restricted

Scope of protection i

A rating of the types of personal data covered by each country's data privacy legislation

All. All personal information is broadly covered.

Covered entities i

A rating of legal obligations placed on public and private organizations in each country

All. All private and public entities are covered by enforceable legislation (possibly with a few well-defined and limited exceptions).

Established Agency i

A rating of each country's ability to enforce data privacy regulations through a dedicated, independent agency

Yes. An enforcement agency has been established.

EU "adequacy" i

A rating of each country’s attainment of the European Union’s official "adequacy" standard for data protection and privacy

Limited. The country is recognized as an EU "third country" with substantial (not just PNR) protections, has specialized Safe Harbor status (currently US-only), or has been recommended for "adequacy" status under Article 29.

Government surveillance i

A rating of the legislative and cultural barriers limiting government surveillance over communications within each country

Controlled. Surveillance is well- and objectively controlled by law and enforcement practice, impacting privacy only minimally.

Privacy in constitution i

A rating of each country's dedication to data protection as evidenced through constitutional backing for data privacy laws

Yes. The country has clear constitutional support for rights to privacy, or its highest court has inferred rights to privacy from the constitution.

Description

South Africa occupies the southern tip of the African continent. After leaving the British Empire for the second time in 1994, it formed a parliamentary democracy governed by a constitution that went into effect in 1997. South Africa is friendly to privacy rights from both a cultural and legislative perspective. In 2013, a comprehensive data protection law was passed, called the Protection of Personal Information Act (POPIA). The law is based on the 1995 EU Data Protection Directive, with certain aspects of the latest proposed EU data protection reform measures such as the "right to be forgotten" and mandatory breach notification.

Privacy and Data Protection by Country

  • Most restricted
  • Restricted
  • Some restrictions
  • Minimal restrictions
  • Effectively no restrictions
  • No legislation or no information
  • Government surveillance may impact privacy

Organizations regularly face legal and regulatory matters that are global in scope. Ensuring that corporate data is handled in a manner consistent with local data privacy laws is an ongoing challenge, especially as local data privacy laws evolve.

To help corporations and law firms better understand current data privacy laws, FTI Technology is providing a complimentary copy of Forrester’s Data Privacy Heat Map Report, 2015. Users can select the geographic region above, then simply roll over the map to learn about data privacy laws in individual countries.

To download the full report, please complete the registration below.
