Quantifying Key Characteristics of 71 Data Protection Laws
curious whether the perception of privacy control
by individuals matches actual stringency in the law
such as the height of penalties. Moreover, policy
organizations that try to map different aspects of
Internet governance and regulation are potentially
assisted by an overview of privacy control in
DPLs.1 Legal scholars and practitioners can benefit
because the privacy control index gives them a quick
overview of privacy control in different countries.
The following insights were obtained:
• Only 5 out of 71 countries have a maximum
penalty for non-compliance above 1 million
euro. Although the threshold of 1 million euro
is obviously arbitrary, penalties (far) below this
amount possibly have a limited deterrent effect
on non-compliance with the law, especially when
considering the low likelihood of detection.
Hence, it seems that most DPLs have a limited
• Only 21 out of 71 countries have an obligation to
notify data breaches, while in the US, 47 out of 50
states have such a Data Breach Notification Law.
• Approximately half the DPLs I analyzed have
criminalized non-compliance with the DPL.
• Two unobservable factors explain variance
within two sets of characteristics; I call these
‘basic characteristics’ and ‘add-ons’.
• There are some unusual suspects in the top of
the privacy index (the sum of the individual
characteristics), such as Mauritius, Mexico and
This introduction first addresses developments of
DPLs in the US and the rest of the world. Hereafter,
the law and economics of DPLs are introduced briefly.
Next, the limitations of this study are addressed.
I. Developments in Data Protection
Laws in the U.S. and the world
Recently, there has been a significant amount
of attention on US data protection standards by
legislators, organizations and privacy advocates.
On June 1 2015, the United States Congress
allowed crucial parts of the US Patriot Act to expire.
One of the key elements of the Patriot Act - the
extensive powers of the National Security Agency
to collect personal data on a large scale - was
terminated. On June 8 2015, the G7 discussed the
implementation of the Transatlantic Trade and
Investment Partnership (TTIP) at their annual
conference in Bavaria, Germany. The differences in
data protection law between the European Union
(EU) and US were a central topic at this conference.
According to experts, the risk of infringement of EU
data protection standards by US companies could
hinder the entry into force of TTIP.2 Companies in
the US have different data protection standards
because of differences in data protection regulation
between the EU and U.S. For instance, on October
6 2015, the European Court of Justice declared the
US safe harbor regulation, which enables free flow
of data between the US and EU, invalid because of
the existence of different data protection standards.

1 Organizations such as the webindex [<http://thewebindex.org>]
of the World Wide Web Foundation, the privacy index
[<https://www.privacyinternational.org>] of privacy rights
international and the United Nations [<http://www.unodc.org>]
have been striving to categorize different aspects
of cybersecurity and cybercrime.

Also outside the EU, DPLs are becoming ubiquitous.
By September 2013, 101 countries had implemented
a data protection law.4 In addition to that, in 2013,
more than 20 privacy regulations were under
consideration by other governments.
In the US, data protection regulation is scattered
over sectors and states. Therefore, on March 25 2015
the House Energy and Commerce Subcommittee on
Commerce, Manufacturing and Trade proposed
a federal data breach notification law, the Data
Security and Breach Notification Act of 2015.
However, this federal law has been criticized for
being “less stringent than many state laws”.5
This paper argues that it is necessary to identify
other DPLs outside of the US to foster the design of
a federal law. US DPLs inherently interact with other
DPLs in the world. Not only because of the borderless
nature of the Internet, but also because major US
companies such as Amazon, Google, Facebook and
Microsoft have a large influence over the Internet.
For instance, in 2014, 13 of the 20 largest Internet
companies by revenue were American. None were
European. The fact that current US data protection
law differs from other countries is well known.
However, there is a knowledge gap in systematic
oversight of the key elements of DPLs in other
countries. There is a scientific and societal demand
to map those differences between those laws and
analyze them. Accordingly, this paper aims to
answer the following research question:
2 M. Pérez. ‘Data protection and privacy must be excluded
from TTIP’ (2015) EDRi.
3 Judgment in Case C-362/14 Maximillian Schrems v Data
4 G. Greenleaf. ‘Sheherezade and the 101 Data Privacy Laws:
Origins, Significance and Global Trajectories’ (2014) 23(1)
Journal of Law, Information and Science, Special Edition,
Privacy in the Social Networking World.
5 S. Breitenbach. ‘States at odds with feds on data breach
proposals’ (2015) Stateline.