IAPP: New Privacy Laws, Law Reforms Proliferating Globally
Privacy and data protection laws are mushrooming, with nearly 150 countries adopting such regulations, speakers said during a Thursday IAPP webinar. There are 144 nations with national data protection measures, covering nearly 82% of the world's population, IAPP said in an updated report.
Sign up for a free preview to unlock the rest of this article
Countries with new laws include Cameroon, Ethiopia, Malawi and Vatican City, said Westin Research Fellow Kayla Bushey. Countries with amended privacy measures include Botswana, Malaysia and Chile. The largest countries without national data protection legislation are the U.S., Pakistan, Bangladesh, Iran and Iraq, it said.
Amendments to national laws call for tougher data breach notification rules, requirements that companies appoint data protection officers and adopt enhanced data security measures, Bushey noted. Some nations, such as Botswana and Chile, expanded the scope of laws to have extraterritorial applications and addressed cross-border data transfer mechanisms. Updating cross-border data transfer mechanisms is a key trend, she added.
However, researchers found many countries with data protection laws remain at the implementation stage, while others are beginning enforcement, said IAPP Research & Insights Associate Aly Apacible-Bernardo.
Panelists highlighted activities in several countries, including India's passage of a digital personal data protection act in 2023. It is now focused on implementing it, said Apacible-Bernardo. Australia has a comprehensive privacy act, but last year released a first tranche of reforms, she noted. The second tranche may contain "heavy hitter" laws such as an update to the definition of "personal information" and creation of an obligation to treat data "fairly and reasonably."
There's enormous activity in Europe, given the plethora of measures, such as the AI Act, Digital Markets Act, Digital Services Act, and the Network and Information Security 2 directive, said Muge Fazlioglu, IAPP privacy law & policy principal researcher. The U.K. is reforming its longstanding data protection law, Fazlioglu noted. In general, privacy professionals will see European regulators ramping up enforcement against organizations that use large amounts of personal data, she predicted.
The "Europeanization" of the GDPR has had a worldwide "Brussels effect," but while the GDPR has been the foundation of privacy laws globally, each country enacts laws within its unique political context, Fazlioglu noted. Beyond the Brussels effect, the big question is where efforts are taking place on global cooperation, she said. Here, there's a lot more happening now on the international stage, such as in the Organization for Economic Co-operation and Development and the Council of Europe Convention 108.
Asked for top tips for privacy professionals navigating the complex global compliance environment, Fazlioglu said: (1) Use local experts and don't reinvent the wheel. (2) Forge relationships with regulatory authorities and focus on their enforcement agendas. (3) "Practice cultural humility" by understanding that different legal cultures exist and have varied expectations about what constitutes good compliance.