Quantifying Key Characteristics of 71 Data Protection Laws

Author:Bernold Nieuwesteeg


© 2016 Bernold Nieuwesteeg
Everybody may disseminate this article by electronic means and make it available for download under the terms and conditions of the Digital Peer Publishing Licence (DPPL). A copy of the license text may be obtained at http://nbn-resolving.
Recommended citation: Bernold Nieuwesteeg, Quantifying Key Characteristics of 71 Data Protection Laws, 7 (2016) JIPITEC 182 para 1.
Abstract: This paper presents a pioneering study that unlocks six characteristics in the literal text of 71 Data Protection Laws (DPLs). The characteristics are: the type of collection requirements; the presence of data protection authorities; data protection officers; data breach notification laws; monetary-; and criminal penalties. The quantification allows comparison of data protection laws with each other, such as a potential federal U.S. DPL with European DPLs. It can also be used for empirical legal research in information security by linking the data to other variables, for instance, deep packet inspection. There are some noteworthy initial results: only 5 out of 71 DPLs have penalties for non-compliance that exceed 1 million euro. Moreover, compared to the United States (US), few countries (21 out of 71) have data breach notification laws. Principal component analysis reveals that the six characteristics can be grouped in two unobserved factors, which explain ‘basic characteristics’ across laws and ‘add-ons’ to these characteristics. By combining these two factors a privacy index is constructed. Moreover, countries that are not known for their stringent privacy control such as Mauritius and Mexico occupy a top position in this index. Member States of the European Union have DPLs with a privacy control score above average but hold no absolute top position. It is hoped that these findings will open avenues for new research, such as adding more characteristics to the database and further quantification of (internet) law.

Keywords: Data Protection Laws; comparative law; privacy control; quantitative text analysis; empirical legal
A. Introduction

This paper codes six key characteristics of 71 Data Protection Laws (DPLs). The following six characteristics are selected from the perspective of privacy control: 1.) the type of collection requirements and the presence of 2.) data protection authorities, 3.) data protection officers and 4.) data breach notification laws and 5.) monetary- and 6.) criminal penalties. Hereafter a principal component analysis is performed and two underlying factors are distinguished: ‘basic characteristics’ in the law and ‘add-ons’. Subsequently, by combining these two underlying factors, a privacy control index is created.

This research is, to the best of my knowledge, the first analysis to look at six key elements of data protection laws in 71 countries. The dataset covers all continents and 70% of the world population.

By quantifying elements of the law, it can be unlocked for statistical analysis. Quantification provides an overview of DPLs and coded characteristics across countries. This has benefits for economists, policy makers and legal scholars. Economists benefit because they can measure the effect of data protection legislation on information security by relating the index of underlying variables with proxies for privacy control. An example is the intensity of deep packet inspection (DPI), for which quantitative data is available. Policy makers could be curious whether the perception of privacy control by individuals matches actual stringency in the law such as the height of penalties. Moreover, policy organizations that try to map different aspects of Internet governance and regulation are potentially assisted by an overview of privacy control in DPLs.1 Legal scholars and practitioners can benefit because the privacy control index gives them a quick overview of privacy control in different countries.
The following insights were obtained:

- Only 5 out of 71 countries have a maximum penalty for non-compliance above 1 million euro. Although the threshold of 1 million euro is obviously arbitrary, penalties (far) below this amount possibly have a limited deterrent effect on non-compliance with the law, especially when considering the low likelihood of detection. Hence, it seems that most DPLs have a limited deterrent effect.
- Only 21 out of 71 countries have an obligation to notify data breaches, while in the US, 47 out of 50 states have such a Data Breach Notification Law.
- Approximately half the DPLs I analyzed have criminalized non-compliance with the DPL.
- Two unobservable factors explain variance within two sets of characteristics; I call these ‘basic characteristics’ and ‘add-ons’.
- There are some unusual suspects in the top of the privacy index (the sum of the individual characteristics), such as Mauritius, Mexico and South Africa.
This introduction first addresses developments of DPLs in the US and the rest of the world. Hereafter, the law and economics of DPLs are introduced briefly. Next, the limitations of this study are addressed.

I. Developments in Data Protection Laws in the U.S. and the world
Recently, there has been a significant amount of attention on US data protection standards by legislators, organizations and privacy advocates. On June 1 2015, the United States Congress allowed crucial parts of the US Patriot Act to expire. One of the key elements of the Patriot Act - the extensive powers of the National Security Agency to collect personal data on a large scale - was terminated. On June 8 2015, the G7 discussed the implementation of the Transatlantic Trade and Investment Partnership (TTIP) at their annual conference in Bavaria, Germany. The differences in data protection law between the European Union (EU) and the US were a central topic at this conference. According to experts, the risk of infringement of EU data protection standards by US companies could hinder the entry into force of TTIP.2 Companies in the US have different data protection standards because of differences in data protection regulation between the EU and U.S. For instance, on October 6 2015, the European Court of Justice declared the US safe harbor regulation, which enables free flow of data between the US and the EU, invalid because of the existence of different data protection standards.3

Also outside the EU, DPLs are becoming ubiquitous. By September 2013, 101 countries had implemented a data protection law.4 In addition to that, in 2013, more than 20 privacy regulations were under consideration by other governments.

In the US, data protection regulation is scattered over sectors and states. Therefore, on March 25 2015 the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade proposed a federal data breach notification law, the Data Security and Breach Notification Act of 2015. However, this federal law has been criticized for being “less stringent than many state laws”.5

This paper argues that it is necessary to identify other DPLs outside of the US to foster the design of a federal law. US DPLs inherently interact with other DPLs in the world, not only because of the borderless nature of the Internet, but also because major US companies such as Amazon, Google, Facebook and Microsoft have a large influence over the Internet. For instance, in 2014, 13 of the 20 largest Internet companies by revenue were American. None were European. The fact that current US data protection law differs from other countries is well known. However, there is a knowledge gap in systematic oversight of the key elements of DPLs in other countries. There is a scientific and societal demand to map those differences between those laws and analyze them. Accordingly, this paper aims to answer the following research question:

1 Organizations such as the webindex [<http://thewebindex.org>] of the World Wide Web Foundation, the privacy index [<https://www.privacyinternational.org>] of privacy rights international and the United Nations [<http://www.unodc.org>] have been striving to categorize different aspects of cybersecurity and cybercrime.
2 M. Pérez, ‘Data protection and privacy must be excluded from TTIP’ (2015) EDRi.
3 Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner.
4 G. Greenleaf, ‘Sheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories’ (2014) 23(1) Journal of Law, Information and Science, Special Edition, Privacy in the Social Networking World.
5 S. Breitenbach, ‘States at odds with feds on data breach proposals’ (2015) Stateline.
