By identifying key players, quantifying relative influence, and assessing the competitive landscape, FP Analytics breaks down complex foreign policy issues by mapping out spheres of influence and the risks and opportunities these topics present.

Global Data Governance

Part One: Emerging Data Governance Practices

UPDATED: Sept. 15, 2021
PUBLISHED: May 13, 2020

In FP Analytics’ Power Map, 5G Explained, we detailed the complex physical infrastructure necessary to create 5G networks and broke down the issues surrounding the control of that infrastructure, setting of international standards, bandwidth ownership, and security. In Part I of this series, we examine the emerging regulatory challenges surrounding governance of the data and information that flow through not only 5G networks, but digital infrastructure globally. While 5G networks will be vast, they represent only a fraction of the interconnected computer networks that the entirety of the Internet comprises. As the Internet serves as the circulatory system allowing data to flow to connected users globally, data represents the lifeblood of this system. How it is allowed to move throughout this system has immense consequences for governments, companies, and individuals and has catalyzed governments to regulate data flows at micro and macro levels. Emerging global data governance practices are already impacting the competitive landscape for companies around the world and helping determine how individual users and organizations interact with the rapidly digitizing global economy.

Executive Summary

Data governance has long been the domain of corporate and organizational strategy, lending a competitive advantage to those able to optimize their data collection, organization, transfer, and discovery practices. With the increasing digitalization of organizations and economies, data governance—and clear establishment of data collection standards, storage, transfer and use protocols—is becoming an increasingly pressing and global issue.

While intellectual property and proprietary data have long been governed through strict legal frameworks, relatively scant protections have existed for user data and personal information. This lax regulatory environment for consumer data in particular has enabled the rise and dominance of global tech companies from Facebook and Google to Baidu and Tencent and has spurred a wave of privacy-focused regulation around the world.

In FP Analytics’ Global Data Governance Power Map series, we examine the emerging laws, regulations, and technologies that are both enabling greater data collection and impacting cross-border data flows. By cataloging the data localization laws, comprehensive national data regulations, government data collection, monitoring and surveillance technologies, and cybersecurity norms and standards shaping the global data governance landscape, we identify and analyze the wide-ranging impacts for individuals, companies, governments, multilaterals, and non-profits.

Emerging data regulations are fundamentally altering how organizations of all types operate internationally. Major data privacy frameworks developed by first movers are serving as templates for other national frameworks under development, many of which are being tweaked to suit prevailing governments’ domestic agendas. For example, the recent passage of the EU’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law—two of the most comprehensive packages of data privacy regulations—has already had cascading impacts on businesses and organizations in these markets and on their trading partners. In 2017, U.S. firms cited data localization policies as their number-one impediment to digital trade, and these types of protectionist measures are rapidly proliferating worldwide. And that is just the beginning.

Simultaneously, many national governments are crafting exemptions to their data privacy laws, empowering them to expand monitoring capabilities and build up massive data collection infrastructure. New digital technologies, such as artificial intelligence (AI), biometric monitoring and facial-recognition software, are making data collection increasingly efficient. The onset of the COVID-19 pandemic accelerated the adoption of these technologies as governments began rapidly deploying surveillance technology to enforce quarantines and track the spread of the coronavirus. This mass accumulation of sensitive data can have transformative impacts on societies but poses new cybersecurity and privacy risks as regulation struggles to match the pace of technological advancement.

FP Analytics’ Data Governance Power Map series breaks down key emerging trends in global data governance by:

  • Pinpointing emerging global data governance trends;
  • Cataloguing specific data localization and data privacy laws by country;
  • Mapping encryption policies around the world;
  • Charting the global sales of data collection and surveillance technology; and
  • Exploring cybersecurity and privacy risks and the implications for businesses and individuals.

FP Analytics provides the most comprehensive assessment and mapping of data localization and privacy laws to date, as well as one of the most complete assessments and mappings of government data collection and regulation trends around the world. It is a powerful tool for businesses and others seeking to understand how evolving global governance regimes are shaping our digital world.

Introduction

Increasingly, government regulation is impacting the global flow of data, with varying, interconnected factors and incentives driving this proliferation of regulation. Specifically, governments are debating what information qualifies as personal data, and how private and public entities can collect, utilize, transfer, and monetize this data. The myriad measures implemented to date reflect a delicate balance of political, economic, and social factors, influenced by government officials, private companies, and citizens. Regulators around the world face the challenge of balancing nuanced and fraught issues of access and privacy, support for economic development, and establishing a functional, cross-border framework for the international transfer and collection of compounding volumes of data. Additionally, multiple parties must ensure data security across governmental, commercial, and personal realms. Varying efforts to craft regulations that optimize for national interests and constituencies are producing an increasingly complex mix of global Internet and data regulations expressing differing visions for how digital infrastructure should ultimately function, how big data is managed, and by whom. In this Power Map series, we break down the most comprehensive and impactful of these regulations and explain what they mean for businesses and citizens in our increasingly digital world.

Part 1

The Digital Economy and Drivers Behind Increasing Regulation

The massive volume of data flowing through global digital networks fueled the rise of many of the world’s largest companies, including global behemoths such as Alphabet and Tencent. It spawned multinational social media companies, such as Facebook and WeChat, allowing individuals to generate, access, and spread information at unprecedented rates. But new regulations are threatening to break up the party. The data collection practices upon which these companies’ business models are predicated are coming under increasing scrutiny from governments concerned about domestic and foreign companies’ collection and handling of their citizens’ data. This concern, coupled with some governments’ desire to expand their own digital economies and tax bases, is accelerating the global proliferation of data-related laws—from privacy, to data security, to data localization—as these government officials and regulators attempt to assert authority and capture value.

Key Takeaways

  • The Issue

    U.S. and Chinese companies dominate the global digital landscape. The digital economy accounts for 15.5 percent of world GDP, with the combined value of Internet platform companies—such as Alphabet (Google) and WeChat—accounting for roughly 9.4 percent of world GDP (roughly $7 trillion, larger than the GDP of any country in the world besides the U.S. or China). The vast majority of revenues accrue to a handful of U.S. and Chinese companies whose power and influence continue to grow as they collect and monetize data from citizens around the world.

  • The Reaction

    Governments’ increasing concern over foreign companies’ collection and monetization of user data is a primary driver of digital regulation. The rise of data privacy, security, and localization laws to protect citizens’ data rights and countries’ economic interests, while boosting individuals’ control over their data, is creating an increasingly complex legal and regulatory environment while raising operational and compliance costs for multinational companies operating across borders.

  • What’s at Stake

    While offering some protection for domestic companies, onerous and conflicting data governance regimes and regulations risk companies’ market access and further value creation in the digital economy. Beyond threatening to create different regulatory regimes, government intervention in the market could push major tech companies to break up, or fundamentally change the rules of the Internet.

The Breakdown
The Rise of the Digital Economy and the Economic Drivers of Regulation
User data is, by far, the most valuable commodity in the global economy.
  • GRAPHIC 1: The Size of the Digital Economy
  • GRAPHIC 2: Data Collected by Major Tech Companies
  • GRAPHIC 3: Market Dominance of Major Digital Economy Companies

The global digital economy encompasses the vast physical infrastructure enabling the Internet, the full range of Internet-connected user devices, and the immense amount of data flowing through them. The rapid growth of each of these components has collectively generated tremendous economic activity. Over the past 15 years, the global digital economy has grown two and a half times faster than global GDP. One key driver behind this robust growth is the exponential volume of data being generated, processed, and monetized. Every second, there are 2.7 million emails sent, 71,966 Google searches executed, 8,342 Tweets, and a total of 289,351 gigabytes (GB) of new user data generated. For context, 1 GB of data is equal to 677,963 pages of text, meaning that every second the equivalent of a 196.2 billion-page book of new data is generated. 5G technology will connect billions more devices to the Internet through the enabling of the Internet of Things (IoT), and the combination of this vast expansion of Internet-connected devices and more of the world coming online in the next decade will exponentially increase the amount of data being generated. Currently, roughly 60 percent of the global population is online, with estimates showing that nearly 90 percent of the world’s population will come online by 2030 as Internet access is expanded throughout the developing world. This growing reservoir of data will fuel the world’s emerging and incumbent technology companies, with the ability to collect and monetize this data a matter of survival for some and a determinant of future growth for all.

Among the digital giants, U.S. companies hold a dominant position, which has been gained largely through first-mover advantage, but Chinese companies are rapidly catching up. Led by Google, Amazon, and Facebook, 19 of the world’s twenty largest Internet companies are either American or Chinese. The five largest tech companies by market cap (Google, Amazon, Facebook, Alibaba, and Tencent) had a combined market value of nearly $3.5 trillion at the end of 2020, and held dominant market positions. In 2020, Google accounted for 91 percent of the Internet search market, Facebook accounted for 69 percent of the global social media market, and Amazon was responsible for 33 percent of the world’s cloud infrastructure services market. These companies leveraged first-mover advantage by reinforcing network effects—the more users in the network, the more valuable the network is for all users—accumulating a competitive data edge early on, and turning their data edge into integrated services offerings that increase the cost to users if they switch to a competitor’s platform. Chinese companies have been able to replicate this success with domestic Internet and tech companies—such as Alibaba, Baidu, and JD.com—through a combination of limiting outside competition on the Internet, state funding, and the controversial joint-venture policy, which critics say has enabled Chinese firms to co-opt outsiders’ technology. Critically, maintaining these advantages relies heavily on these companies’ ability to collect users’ data across international borders, with minimal if any restrictions, and integrate it into algorithms or sell it to advertisers. The proprietary algorithms used to monetize companies’ collected data are already governed through strict legal protections. However, the broader value of these companies is derived from their ability to generate, freely access, and smoothly transfer vast amounts of user-generated data with minimal legal restrictions. This access to data enabled the meteoric rise of companies such as Facebook and Google, among others, which rely on being able to collect troves of global data to enable services such as Google Maps. The race to develop artificial intelligence applications is amplifying this demand.

Limited regulation of these companies to date has enabled them to capture the majority of revenue associated with data flows across borders. However, countries are increasingly developing measures to regulate data flows and e-commerce transactions to exert greater control over data generated within, and passing across, their national borders. In fact, data localization laws are becoming a standard mechanism for countries to exert control over the foreign collection of their citizens’ data and capture a share of the value. These laws and associated regulations place restrictions on how data can be stored within, and transferred outside of, a country. Their aims vary, from restricting foreign companies’ and governments’ access to sensitive user data, to boosting foreign and domestic investment in server infrastructure, to, in limited cases, handicapping or completely inhibiting foreign companies’ ability to operate within a country’s borders.

To date, roughly 75 percent of all data localization measures in place are meant to ensure data privacy and security when data is transferred outside of a country. These measures focus on restricting data transfers to countries that are deemed to have inadequate data privacy frameworks. However, roughly 25 percent of existing data localization measures include more extensive restrictions that aim to exert influence over data flows through physical data storage infrastructure. Countries that are intent on boosting their domestic economy (and tax base) through increased foreign investments in server infrastructure, or developing their domestic data storage industry, use data localization laws to mandate that data collected in a country be stored on a server within that country. This strategy is currently being pursued in Indonesia and Vietnam, for example. In a more extreme case, China has combined data localization laws with tight restrictions on foreign companies’ operations, beginning as early as 1996, to protect and foster the rise of its own multinational digital giants, such as Tencent and Alibaba, which use data to drive services from artificial intelligence to e-commerce. China’s development and increasing protection of its digital giants through regulation have provided a roadmap for other countries to emulate. In contrast, the U.S. and its digital giants have greatly benefited from the ability to collect data internationally through open data borders and have generally been at the forefront of opposition to emerging data localization laws.

Graphic 1

The Size of the Digital Economy

The modern digital economy constantly generates massive amounts of personal data.

  • Internet of Things (IoT): 26.6B connected devices; 400 zettabytes of data generated per year
  • Mobile Phones: 7.2B mobile phones; 23 billion texts sent per day
  • Mobile Apps: 3M unique apps; 205 billion annual app downloads
  • Internet Access: 4.4B Internet connections (57.3% of population); 5 billion Internet searches per day
  • Digital Platforms: 294B emails sent per day; 500 million tweets per day; 65 billion WhatsApp messages per day
  • Finance Data: 111B credit card transactions per year (U.S.); 189 countries with financial transaction databases

Graphic 2

Personal Data Collected by Major Tech Companies

The largest U.S. and Chinese tech companies collect and store extensive personal data.

  • Personal Data
  • Usage Data
Global Data Localization Laws and Their Severity
SOURCE: DLA Piper: Global Data Protection Laws of the World Full Handbook.

DIG DEEPER: Explore FP Analytics’ Global Data Governance policy database that provides a comprehensive regional and country-level breakdown of global data governance practices in 138 countries worldwide.

Part 3

Beyond Data Localization: Other Influential Data Regulations and Emerging Data Governance Practices

In addition to data localization, varying economic, political, and social factors are driving governments to craft other data governance measures. Due to each country’s unique regulatory environment, data governance practices can differ significantly globally. However, common frameworks, particularly for data privacy laws, are emerging. As with GDPR, to date, a few influential countries with significant market power are leading the way by enacting comprehensive data regulation laws.

Key Takeaways

  • The Issue

    Led by the EU and China, countries with large domestic markets and significant global influence are defining data governance trends internationally. Within the past four years, the EU, China, India, and Brazil all enacted or drafted comprehensive data regulations focused on their national interests. These regulations are reshaping the global data governance landscape and are being emulated, revised, or adapted by other nations with similar interests.

  • The Reaction

    Variations within and among data governance regimes are disrupting multinationals’ ability to operate in the global digital economy and raising costs. Data regulations are fundamentally dividing cyberspace into different spheres and upending businesses’ ability to operate seamlessly across borders, forcing businesses to adhere to a complex mix of often conflicting regulations in order to operate within different national borders.

  • What’s at Stake

    While aiming to protect privacy more effectively, the layering of data regulations is making operating internationally in the digital economy more complicated and costly. Despite the GDPR and similar data privacy laws being enacted largely in response to the international dominance and data collection practices of large U.S. tech companies, a more complicated regulatory landscape will likely favor larger and more established firms, as they can better bear the increased legal costs and potential fines.

The Breakdown
Key Regulations and Emerging Data Governance Practices
Comprehensive data privacy regulations in the EU and China are establishing new norms for global data governance.
  • GRAPHIC 6: Comprehensive Regulations Reshaping Global Data Governance Norms
  • GRAPHIC 7: GDPR Fines to Date
  • GRAPHIC 8: Mapping Global Data Privacy Regulations

Data privacy laws have undergone numerous transformations globally since the first national-level data privacy law, Bundesdatenschutzgesetz (BDSG), was enacted in Germany in 1970. The rapid advancement of digital technologies in the Internet age and growing consumer awareness, particularly over the past two decades, are putting increasing pressure on countries to update their privacy laws. Currently, 160 countries have a law or laws that reference data privacy, and 102 countries and territories have specific laws dedicated primarily to data privacy. In an early effort to harmonize the increasingly fractured regulatory landscape, international data privacy standardization frameworks emerged. The international framework currently covering the greatest share of global economic activity is the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules (referred to as the APEC Privacy Framework), which was established in 2011. Twenty-one countries have opted into these data privacy standards, including the U.S., Mexico, Canada, Japan, South Korea, Singapore, and Australia, as well as twenty-three multinational corporations, including Apple, HP, IBM, and Merck. However, this international framework is not legally enforceable as it is not backed by a specific government jurisdiction.

Until 2016, it appeared that the APEC Privacy Framework, and similar international data privacy agreements, would foster harmonization of international data governance going forward. However, in 2016, the APEC Privacy Framework and the global data regulatory landscape were upended with the passing of the EU’s GDPR and China’s Cybersecurity Law. Both laws introduced key changes to how data privacy is regulated and, consequentially, were enacted in two of the world’s largest economic blocs and most globally influential countries. Driven by concerns over civil liberties and foreign companies’ data collection activities, the GDPR introduced an expansive definition of how personal data applies broadly to any business offering services to EU citizens, set higher compliance standards, and is enforceable directly through fines. China’s Cybersecurity Law uses the GDPR principles as a base but builds on the GDPR standards by setting significantly stricter limits on data transfers outside of the country, placing export restrictions on data deemed essential to the public interest and granting the government broad access to data collected within its borders. Critically, China’s Cybersecurity Law adapted the GDPR principles to suit its own national interests, effectively creating its own data governance framework and further dividing digital commerce instead of harmonizing it under GDPR standards. The GDPR initially received some criticism from businesses due to increased compliance costs and the risk of fines, with small businesses in particular struggling to meet new requirements. The GDPR also impacted small businesses with little brand recognition, which lacked the established consumer trust necessary for data collection consent. The end result has been that, in practice, many small businesses in the EU have simply opted not to comply with the GDPR—fewer than half of businesses (44 percent) reported compliance with key measures in 2019—leaving them vulnerable to being fined.

The passage of the GDPR and China’s Cybersecurity Law marked the beginning of a new trend in data governance—the implementation of comprehensive national-level data privacy regulations that carry cascading impacts for the global digital economy. The U.S. government and private sector are vocal critics of this trend, broadly preferring the APEC Privacy Framework, as it is more flexible and favorable to business, is less costly, and allows companies to expand internationally with greater ease. However, comprehensive national frameworks are shaping global digital commerce, with the volume of goods and services traded under the EU’s GDPR standard ($8.1 trillion) and China’s Cybersecurity Law ($2.5 trillion) dwarfing the volume traded under the APEC Privacy Framework ($1.2 trillion). Additionally, India and Brazil, two of the world’s top-five countries in terms of Internet users, have both adopted or drafted comprehensive national-level data privacy regulations similar to the GDPR. Overall, thirty-five countries, besides the EU countries and China, have updated or adopted more comprehensive data privacy laws since 2016, generally using the GDPR as a minimum standard from which to construct a unique national data privacy framework. This demonstrates a clear trend toward national-level regulation and stricter data privacy standards enforceable through fines.

While there remains a debate on the long-run impact of compliance and which companies it will hit hardest, the GDPR has undeniably impacted EU tech startups, as the overall venture funding for EU tech firms decreased by €12.5 million per month per member state, between May 2018 and April 2019. Additionally, advertisers have been hit particularly hard by the GDPR. Advertising vendors, particularly smaller companies, lost between 18 and 31 percent market reach in the EU, between April and July 2018. If the trend toward more comprehensive data governance regulations modeled after the GDPR standards continues, these impacts are likely to be replicated around the world. As countries adopt similar standards, the ability to fully understand diverse regulatory environments, and to take proactive measures as legislation is adopted, will provide a competitive advantage for businesses with the capacity and resources to comply.

Graphic 6

Breakdown of Major Existing Data Governance Regulations

While there are hundreds of data governance laws and regulations globally, a handful of comprehensive laws in the EU, China, Brazil, and India are shaping the emerging data governance frameworks globally. Understanding these regulations, and their impact, will be critical to the future of e-commerce due to the size and importance of their markets. (China is the world’s largest e-commerce market with $2.3 trillion in sales in 2020, the EU is third, and India is seventh.) Understanding these data privacy regulations provides insight into what provisions future comprehensive data regulations in smaller regional markets are likely to contain. The key data localization and privacy provisions of each regulation are broken down below. Additional cyber and national security provisions will be covered in Part II of this series.

Four major data privacy regulations in the EU, China, India, and Brazil are reshaping global data governance. Their key provisions are broken down below.

Major Regulations
EU: GDPR

(Passed: 2016, In effect since 2018)

Snapshot: Establishes a comprehensive data privacy framework for EU citizens.

Background: Europe has a long history of data privacy laws dating back to 1970, with varying versions of data privacy regulation enacted across its member states. Adopted in April 2016, and enforceable since May 2018, the GDPR is an attempt to harmonize the EU’s Member States’ data collection and data transfer practices. The GDPR increases privacy around individuals’ personally identifying data, makes data laws enforceable through fines, harmonizes data laws across Member States, and makes national data laws enforceable on international firms. To date, €284 million in fines have been levied, with the largest fine being €50 million against Google for having an insufficient legal basis for processing data.

Data Localization Elements

Personal data can be transferred to another country only when an “adequate level of protection,” defined as a country with comparable data privacy laws, is provided. Countries and jurisdictions that are currently considered to have an adequate level of protection are Andorra, Argentina, Canada (only commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and Japan. For data transfers outside of these countries, data protections must be guaranteed through a legally binding contractual clause.

Data Privacy Elements
  • Consumers must give expressed, unambiguous consent to having their personal data shared, and that consent can be withdrawn at any time.
  • Companies must notify the GDPR supervisory board within seventy-two hours of a data breach, or fines of up to 4 percent of yearly revenue will be imposed.
  • Individuals have the “right to be forgotten” and may request that information be removed from Internet searches and other directories.
  • Platforms are held legally liable for removing copyright-infringing material and can be fined for non-compliance.
China: Cyber Security Law

(Passed: 2016, In effect since 2017)

Snapshot: Significantly restricts foreign companies’ ability to operate in China through strict data localization laws and increases government private-sector oversight.

Background: China’s Cyber Security Law, passed in 2016 and enacted in June 2017, is broad, sweeping legislation that dictates how national companies must approach security and privacy. Critically, it reforms data management and Internet-usage regulations in China, enhancing the government’s jurisdictional control over content on the Internet and data collected by private companies. In addition to the Cyber Security Law, the Chinese government also introduced a draft Data Security Law and a draft Personal Information Protection Law (PIPL) in 2020. These laws differ in scope from the Cyber Security Law, but if passed, they would create new data security requirements and binding obligations on personal data protection for organizations and further restrict cross-border data transfer. The PIPL is a comprehensive personal data protection law, modeled on the EU’s GDPR. Like the GDPR, under the draft PIPL, data processors could process personal data without consent in certain cases, such as when needed to fulfill a contract or perform a legal duty, or when responding to a public health emergency. The PIPL’s jurisdiction would extend outside of China and would require large data processors to store personal data within China.

Data Localization Elements
  • Require network operators in critical sectors to store data gathered or produced in the country within mainland China, which both allows government access to the data and increases the need for companies in key sectors, such as banking, to have their services within China.
  • Require business information and data on Chinese citizens gathered within China to be kept on domestic servers and not transferred abroad without permission.
Data Privacy Elements
  • Network product and service providers that collect users’ information are required to inform and obtain consent from the users.
  • Individuals have the right to require network operators to correct errors in personal information collected or stored by them.
  • Fines for non-compliance are up to €20 million or 4 percent of annual global revenue.
Brazil: Lei Geral de Proteção de Dados (General Data Protection Act, or LGPD)

(Passed: 2018; In effect: 2020)

Snapshot: Modeled after the GDPR, it establishes a data privacy framework similar to the EU’s in Brazil.

Background: Inspired by the GDPR, the Brazilian General Data Protection Act is a comprehensive data governance regulation establishing rules on collecting, handling, storing, and sharing of personal data managed by any organization operating in Brazil or handling Brazilians’ data. The bill differs from the GDPR most significantly in its enforcement mechanisms, having significantly lower maximum fines of €11 million (R$50 million) or 2 percent of annual global revenue and no time requirements for data breach reporting, and places less stringent legal requirements on data processors, thus allowing them additional justifications for collecting and processing individuals’ data (such as to protect an individual’s credit score).

Data Localization Elements
  • Data can be transferred with minimal restrictions to countries deemed to have adequate levels of privacy protections in place.
  • Personal data can be transferred internationally with the express consent of the data subject, which must be obtained prior to the transfer.
  • User data may be transferred internationally if there is a guarantee by the controller through contractual instruments, such as binding corporate rules and standard clauses, that it will comply with the principles, data subject rights, and data protection regime provided by law.
Data Privacy Elements
  • Require implied authorization for collection and sale of personal data, a modified and slightly less stringent standard than the GDPR; the wording leaves it ambiguous compared to the GDPR, which states that consent must always be given through an opt-in, a declaration, or an active motion.
  • Users have the right to anonymize (remove personally identifying information from the data) or block or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD.
  • Users have the right to request elimination of personal data processed with the consent of the holder.
India: Personal Data Protection Bill (Draft)

(Drafted: August 2018, Pending)

Snapshot: Includes stricter local copy data localization provisions than the GDPR, but less restrictive than China’s, and requires written consent for data collection and transfer for sensitive data.

Background: The bill is currently up for consideration in the Indian parliament and is still being analyzed by a joint parliamentary committee. The bill represents India’s first comprehensive approach to regulating data privacy and security. If passed, the bill will significantly alter the global digital economy by enforcing data localization standards on the world’s second-largest IT market—India has the second-largest number of citizens online in the world, with 560 million, compared to China’s 854 million. While the bill is modeled after the GDPR to an extent, provisions on data localization, users’ consent for businesses to collect data, and government access to users’ data go significantly further.

Data Localization Elements
  • Require the storage and processing of personal data on servers located within India.
  • Sensitive personal data may not be transferred outside of India.
  • Financial records and any personal banking data may not be transferred outside of India.
Data Privacy Elements
  • Require companies to obtain parent or guardian consent for collecting data belonging to children.
  • Individuals have the “right to be forgotten” as well as the “right to access in one place the identities of the data fiduciaries with whom his personal data has been shared by any data fiduciary together with the categories of personal data shared with them.”
  • Data fiduciaries are required to prepare a “privacy by design” policy to apply when building their internal IT systems.

Graphic 7

GDPR Fines to Date

To date, the EU has levied 714 fines related to GDPR infractions; their distribution is broken down below.

Totals: 714 Violations / $347,099,396 Total Cost / $486,134 Average Cost

Totals: 714 Violations / €291,680,165 Total Cost / €408,516 Average Cost

SOURCE: GDPR Enforcement Tracker
Largest Fines by Company (USD)
as of June 30, 2021

  • Google Inc.: $59,500,000
  • H&M: $41,957,863
  • TIM: $33,082,000
  • British Airways: $26,234,740
  • Marriott International, Inc.: $24,335,500
  • Wind Tre S.p.A.: $19,873,000
  • Vodafone Italia S.p.A.: $14,579,405
  • notebooksbilliger.de: $12,376,000
  • Eni Gas e Luce: $10,115,000
  • Vodafone España, S.A.U.: $9,698,500

Graphic 8

Mapping Global Data Privacy Regulations

The most comprehensive and influential data governance regulations to date, listed above, are already serving as templates for data governance throughout the world, a trend that is likely to continue. As of July of 2021, 113 countries have laws that specifically address data privacy elements. However, few countries have one comprehensive data governance law covering all aspects of data privacy. Existing laws often restrict private companies’ access to personal data, limit the sale of data on secondary markets without user consent, and seek to ensure safe international transfer of data. Critically, existing data privacy laws are meant to protect citizens’ data from being exploited by private companies, foreign governments, and bad actors. Generally, they are not meant to protect citizens’ data from domestic government access. In fact, many of these privacy laws actually increase government access to user data. The issues of government access and surveillance will be covered in the second installment of this Power Map.

Below, we map out the different data privacy laws in place throughout the world and list the data privacy issues they address. The dropdown menu below the map includes details on the provisions included in each data privacy law, and the corresponding level of data localization measures included (which were mapped out in the previous section).

Global Privacy Laws
  • National Data Protection Authority: A central government authority is established to oversee and enforce data privacy laws.
  • Registration Requirement: Businesses are required to register their databases with the national data protection authority.
  • Data Protection Officer: A data protection officer is designated at either the national, regional, or organizational level.
  • Data Localization Provisions: There is some form of restriction on the international transfer of data in place.
  • Cybersecurity Provisions: There are cybersecurity standards established, which data processors are legally bound to uphold.
  • Breach Notification: Data controllers and processors must notify individuals if their personal data has been compromised.
  • Enforcement Through Fine: Laws can be enforced through a monetary fine.
  • Online Data Privacy Element: Online collection of data is restricted to some degree.

Data Privacy Laws
SOURCE: DLA Piper: Global Data Protection Laws of the World Full Handbook.

*Map only includes countries with laws specifically governing electronic data and addressing similar standards to other major data privacy regulations or international frameworks. Countries with data privacy laws that are not enforceable, or do not address any of the key areas covered in other major data privacy regulations and frameworks, are not included.

National level data privacy laws including embedded degree of data localization restriction
  • Conditional restrictions on data transfers
  • Local copy restrictions on one or more types of personal data
  • Local only restrictions on one or more types of personal data
  • No data localization laws

DIG DEEPER: Explore FP Analytics’ Global Data Governance policy database that provides a comprehensive regional and country-level breakdown of global data governance practices in 138 countries worldwide.

Navigating an Increasingly Fractured Future

The implementation of new and updated data governance regulations across the world is fundamentally changing the digital business landscape. Data localization requirements, more comprehensive and widely enforceable data privacy laws, and increased cybersecurity laws (which will be explored in Part II of this series) are creating a complicated and increasingly costly web of regulations for businesses to navigate. These factors stand to impact small businesses disproportionately, though increasing compliance costs have been a major point of contention for large businesses as well. However, with the recent adoption of comprehensive privacy laws in major e-commerce markets, data regulation is likely to continue to accelerate. While privacy laws to date have been passed to protect users’ data from being exploited by large international companies and foreign governments, there is a concurrent wave of data privacy laws around the world that are enabling governments to have sweeping access to user data. These laws range from China’s Cybersecurity Law (elements of which we have covered in this section) to the Patriot Act in the U.S. For individuals, the amount of data being accessed by governments through surveillance and requests to private companies is rising sharply. Simultaneously, governments are embarking on a drive to repeal cybersecurity provisions, such as end-to-end encryption as in the case of the U.S.’s EARN IT Act, in order to collect citizens’ data more effectively. In Part II of our Data Governance Power Map series, we dive into these and other measures and how governments are increasing their data collection efforts globally, and what this means for businesses and private citizens.

Written by Christian Perez. Edited by Allison Carlson. Copyedited by David Johnstone. Design by Andrew Baughman and Jon Benedict. Development by Andrew Baughman. Art direction by Lori Kelley.
