Data privacy laws & government surveillance by country: Which countries best protect their citizens?

Comparitech has assessed privacy protection and the state of surveillance in 47 countries to see where governments are failing to protect privacy and/or are creating surveillance states.

To do this we looked at a number of categories, from the use of biometrics and CCTV to data sharing and retention laws.

What did we find?

Not one country is consistent in protecting the privacy of its citizens, most are actively surveilling their citizens, and only five could be deemed to have “adequate safeguards.”

Are things improving or getting worse?

In the EU, the General Data Protection Regulation (GDPR) is helping improve privacy laws, on the whole. However, it doesn’t prevent some countries from entering into agreements that encroach on residents’ privacy through data sharing with other countries, e.g. the Treaty of Prüm. It doesn’t stop some countries from increasing their use of biometric surveillance, either.

Outside of the EU, several countries are creating what can only be described as surveillance states, with privacy rights seemingly taking a serious back seat. Perhaps unsurprisingly, China and Russia are the biggest culprits.

How do countries like the UK and US fare?

We’ll find out below.

Key findings

Here are some notable findings from the study:

  • China’s government not only fails to protect citizens’ privacy, but actively invades it
  • Collection and retention of biometric data—fingerprints and faces—is ramping up worldwide
  • EU countries tend to share a large amount of their citizens’ data with fellow member states
  • Immigrants are often most impacted by government surveillance, particularly when they enter or leave a country
  • Only five countries have adequate privacy safeguards according to our scoring system, and all of them are in Europe. The GDPR plays a large role in this, but does not account for everything
  • No countries earned a perfect score, or even a near-perfect score
  • Enforcement varies widely even among those countries with good privacy laws

Scoring system (for each category and overall)

4.1-5.0 = Upholding privacy standards on a consistent basis

3.6-4.0 = Significant safeguards and protections

3.1-3.5 = Adequate safeguards against abuse

2.6-3.0 = Some safeguards but weakened protections

2.1-2.5 = Systemic failure to maintain safeguards

1.6-2.0 = Extensive surveillance

1.1-1.5 = Endemic surveillance

EU and non-EU privacy ranking

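EU

| Country | Total | Score Card | Constitutional Protection | Statutory Protection | Privacy Enforcement | Identity Cards and Biometrics | Data-sharing | Visual Surveillance | Communication Interception | Workplace Monitoring | Government Access to Data | Communication Data Retention | Surveillance of Medical, Financial and Movement | Border and Trans-Border Issues | Leadership | Democratic Safeguards |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Ireland | 3.2 | Adequate Safeguards | 3.3 | 3.2 | 3.1 | 3.3 | 3.7 | 3.0 | 2.9 | 3.2 | 3.1 | 3.1 | 2.6 | 3.2 | 3.5 | 3.2 |
| France | 3.1 | Adequate Safeguards | 2.9 | 3.4 | 3.4 | 3.4 | 2.7 | 3.1 | 3.1 | 3.3 | 3.1 | 2.8 | 3.2 | 3.1 | 2.7 | 3.1 |
| Portugal | 3.1 | Adequate Safeguards | 3.1 | 2.8 | 3.4 | 3.6 | 3.3 | 3.2 | 2.8 | 3.3 | 3.1 | 2.9 | 2.8 | 3.1 | 2.7 | 2.9 |
| Denmark | 3.1 | Adequate Safeguards | 2.9 | 3.3 | 3.0 | 2.9 | 3.4 | 3.2 | 3.2 | 3.1 | 3.1 | 2.6 | 2.7 | 3.1 | 3.3 | 3.1 |
| Malta | 3.0 | Some Safeguards/Weakened Protection | 3.1 | 3.5 | 3.8 | 2.9 | 2.8 | 3.2 | 2.7 | 3.3 | 3.1 | 3.4 | 2.7 | 2.9 | 2.8 | 2.2 |
| Lithuania | 3.0 | Some Safeguards/Weakened Protection | 3.3 | 3.1 | 3.3 | 2.6 | 2.9 | 3.3 | 3.1 | 3.2 | 3.0 | 3.2 | 2.7 | 2.8 | 2.9 | 3.0 |
| Cyprus | 3.0 | Some Safeguards/Weakened Protection | 3.1 | 3.1 | 3.2 | 2.3 | 3.1 | 3.6 | 3.1 | 3.1 | 3.0 | 2.9 | 3.2 | 2.7 | 2.8 | 3.1 |
| UK | 3.0 | Some Safeguards/Weakened Protection | 2.9 | 3.4 | 3.4 | 3.2 | 2.9 | 3.1 | 3.1 | 2.8 | 3.1 | 2.8 | 2.7 | 3.2 | 2.7 | 2.6 |
| Netherlands | 3.0 | Some Safeguards/Weakened Protection | 2.7 | 3.3 | 3.8 | 2.6 | 2.9 | 3.1 | 2.9 | 3.1 | 3.2 | 2.9 | 2.6 | 2.7 | 2.7 | 3.3 |
| Greece | 3.0 | Some Safeguards/Weakened Protection | 3.2 | 2.5 | 3.3 | 2.8 | 2.8 | 2.9 | 2.9 | 3.8 | 2.9 | 3.4 | 2.5 | 3.0 | 2.8 | 2.9 |
| Czech Republic | 3.0 | Some Safeguards/Weakened Protection | 3.1 | 3.2 | 2.9 | 3.0 | 3.1 | 3.1 | 3.1 | 3.4 | 2.8 | 2.8 | 2.9 | 2.6 | 2.8 | 2.6 |
| Bulgaria | 3.0 | Some Safeguards/Weakened Protection | 3.3 | 3.2 | 3.3 | 2.8 | 3.0 | 3.1 | 3.2 | 3.4 | 2.8 | 2.6 | 2.8 | 2.8 | 2.8 | 2.2 |
| Poland | 2.9 | Some Safeguards/Weakened Protection | 3.1 | 3.2 | 3.4 | 3.1 | 2.7 | 2.8 | 3.1 | 3.2 | 2.3 | 2.6 | 3.3 | 2.9 | 2.7 | 2.6 |
| Slovakia | 2.9 | Some Safeguards/Weakened Protection | 3.1 | 3.3 | 2.6 | 2.9 | 2.7 | 3.1 | 2.6 | 3.2 | 3.2 | 2.9 | 3.1 | 3.2 | 2.9 | 2.1 |
| Latvia | 2.9 | Some Safeguards/Weakened Protection | 3.1 | 3.2 | 3.3 | 2.9 | 2.7 | 2.9 | 2.8 | 3.2 | 2.9 | 2.7 | 2.7 | 2.8 | 2.7 | 2.8 |
| Sweden | 2.9 | Some Safeguards/Weakened Protection | 2.6 | 3.1 | 2.8 | 2.7 | 3.0 | 2.7 | 3.4 | 3.1 | 3.1 | 2.8 | 2.3 | 3.1 | 2.2 | 3.7 |
| Estonia | 2.9 | Some Safeguards/Weakened Protection | 2.9 | 2.7 | 3.1 | 2.4 | 2.7 | 3.2 | 2.8 | 2.9 | 2.8 | 2.2 | 3.6 | 2.9 | 3.1 | 3.3 |
| Romania | 2.9 | Some Safeguards/Weakened Protection | 3.4 | 3.1 | 2.8 | 2.9 | 2.8 | 3.2 | 3.3 | 2.8 | 2.5 | 3.1 | 3.0 | 2.6 | 2.2 | 2.7 |
| Austria | 2.9 | Some Safeguards/Weakened Protection | 2.9 | 3.3 | 3.3 | 2.8 | 2.7 | 3.3 | 3.1 | 3.2 | 2.9 | 2.6 | 3.1 | 2.9 | 2.2 | 2.1 |
| Luxembourg | 2.9 | Some Safeguards/Weakened Protection | 2.7 | 3.1 | 3.1 | 3.2 | 2.5 | 2.9 | 2.6 | 3.0 | 2.4 | 3.1 | 3.1 | 2.9 | 2.7 | 2.9 |
| Finland | 2.9 | Some Safeguards/Weakened Protection | 2.9 | 2.6 | 2.8 | 2.7 | 2.7 | 2.7 | 2.4 | 3.6 | 2.1 | 2.9 | 2.9 | 2.7 | 3.1 | 4.1 |
| Belgium | 2.9 | Some Safeguards/Weakened Protection | 3.2 | 3.1 | 3.3 | 2.6 | 2.6 | 2.9 | 2.7 | 3.0 | 3.1 | 2.6 | 2.8 | 2.7 | 2.6 | 2.9 |
| Spain | 2.9 | Some Safeguards/Weakened Protection | 3.4 | 3.2 | 3.1 | 2.7 | 2.6 | 3.2 | 2.9 | 3.4 | 2.7 | 2.6 | 2.7 | 2.6 | 2.6 | 2.4 |
| Germany | 2.8 | Some Safeguards/Weakened Protection | 3.3 | 3.4 | 3.8 | 2.3 | 2.7 | 2.4 | 2.6 | 3.1 | 2.8 | 2.4 | 3.0 | 2.3 | 2.8 | 2.8 |
| Slovenia | 2.7 | Some Safeguards/Weakened Protection | 2.4 | 2.6 | 2.6 | 2.8 | 2.6 | 2.8 | 2.7 | 3.4 | 2.9 | 2.5 | 2.9 | 2.4 | 2.2 | 3.0 |
| Hungary | 2.7 | Some Safeguards/Weakened Protection | 2.7 | 2.8 | 3.3 | 2.3 | 2.2 | 2.7 | 2.4 | 2.8 | 2.7 | 2.6 | 2.9 | 2.8 | 2.6 | 2.9 |
| Italy | 2.7 | Some Safeguards/Weakened Protection | 2.7 | 3.1 | 3.3 | 2.4 | 2.7 | 2.6 | 2.7 | 3.4 | 2.8 | 1.7 | 2.9 | 2.7 | 2.3 | 2.4 |

Non-EU

| Country | Total | Score Card | Constitutional Protection | Statutory Protection | Privacy Enforcement | Identity Cards and Biometrics | Data-sharing | Visual Surveillance | Communication Interception | Workplace Monitoring | Government Access to Data | Communication Data Retention | Surveillance of Medical, Financial and Movement | Border and Trans-Border Issues | Leadership | Democratic Safeguards |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Norway | 3.1 | Adequate Safeguards | 3.1 | 3.3 | 3.2 | 2.9 | 2.9 | 3.1 | 3.2 | 3.2 | 2.9 | 3.2 | 2.8 | 2.8 | 2.8 | 4.1 |
| South Africa | 3.0 | Some Safeguards/Weakened Protection | 3.6 | 3.3 | 3.1 | 2.9 | 3.1 | 3.0 | 3.3 | 3.0 | 3.1 | 2.8 | 2.9 | 2.7 | 2.9 | 2.9 |
| Switzerland | 3.0 | Some Safeguards/Weakened Protection | 3.1 | 3.2 | 3.3 | 3.1 | 2.9 | 3.2 | 2.7 | 2.9 | 3.1 | 3.1 | 3.0 | 2.7 | 2.7 | 3.3 |
| Argentina | 3.0 | Some Safeguards/Weakened Protection | 3.1 | 3.1 | 3.1 | 2.7 | 2.9 | 3.2 | 3.1 | 3.2 | 3.0 | 2.6 | 2.7 | 3.3 | 3.0 | 2.8 |
| Canada | 3.0 | Some Safeguards/Weakened Protection | 3.2 | 3.2 | 2.8 | 2.9 | 2.6 | 3.1 | 3.0 | 3.3 | 2.7 | 3.1 | 2.8 | 2.6 | 3.3 | 2.9 |
| Iceland | 3.0 | Some Safeguards/Weakened Protection | 3.2 | 3.1 | 2.7 | 3.0 | 2.9 | 3.1 | 3.0 | 3.1 | 2.7 | 3.3 | 2.8 | 2.7 | 2.8 | 3.1 |
| New Zealand | 2.9 | Some Safeguards/Weakened Protection | 3.0 | 3.1 | 3.2 | 3.0 | 2.8 | 2.8 | 2.9 | 3.0 | 2.9 | 3.1 | 2.7 | 2.6 | 2.5 | 3.2 |
| Israel | 2.9 | Some Safeguards/Weakened Protection | 2.8 | 3.1 | 3.3 | 2.7 | 3.1 | 2.8 | 2.7 | 3.4 | 2.7 | 2.6 | 2.9 | 2.6 | 3.0 | 2.2 |
| Taiwan | 2.8 | Some Safeguards/Weakened Protection | 3.2 | 3.1 | 2.9 | 3.1 | 2.8 | 2.7 | 2.9 | 2.4 | 2.9 | 2.4 | 2.8 | 2.9 | 2.8 | 2.7 |
| Australia | 2.8 | Some Safeguards/Weakened Protection | 2.4 | 3.3 | 3.3 | 3.4 | 3.0 | 2.8 | 2.3 | 2.6 | 2.7 | 2.6 | 2.7 | 2.8 | 2.5 | 3.1 |
| Japan | 2.8 | Some Safeguards/Weakened Protection | 3.2 | 3.2 | 2.7 | 2.3 | 2.7 | 2.7 | 3.3 | 2.9 | 2.8 | 2.9 | 2.9 | 2.6 | 2.7 | 2.6 |
| Philippines | 2.8 | Some Safeguards/Weakened Protection | 2.9 | 3.2 | 3.1 | 2.7 | 2.8 | 2.0 | 3.1 | 2.7 | 2.8 | 3.1 | 2.8 | 2.9 | 3.1 | 2.2 |
| Brazil | 2.8 | Some Safeguards/Weakened Protection | 3.1 | 2.9 | 2.4 | 2.6 | 3.1 | 2.2 | 3.1 | 3.2 | 2.9 | 2.7 | 3.1 | 2.8 | 3.2 | 2.0 |
| USA | 2.7 | Some Safeguards/Weakened Protection | 3.1 | 2.9 | 3.2 | 2.7 | 2.7 | 2.9 | 3.1 | 2.6 | 2.9 | 2.3 | 2.2 | 2.8 | 2.5 | 2.5 |
| Singapore | 2.7 | Some Safeguards/Weakened Protection | 2.6 | 3.2 | 3.2 | 2.7 | 2.8 | 2.8 | 2.3 | 2.6 | 2.5 | 2.8 | 2.6 | 2.7 | 2.7 | 2.3 |
| Malaysia | 2.6 | Some Safeguards/Weakened Protection | 2.7 | 2.7 | 2.9 | 2.4 | 2.6 | 2.4 | 2.7 | 2.8 | 2.7 | 2.9 | 2.5 | 2.6 | 2.8 | 2.3 |
| Thailand | 2.6 | Some Safeguards/Weakened Protection | 2.7 | 3.2 | 2.3 | 2.6 | 2.8 | 2.5 | 2.2 | 2.6 | 2.3 | 2.8 | 2.8 | 2.6 | 2.7 | 1.7 |
| India | 2.4 | Systemic Failure to Maintain Safeguards | 3.4 | 2.7 | 2.3 | 1.6 | 2.4 | 2.3 | 1.8 | 2.3 | 2.4 | 2.6 | 2.7 | 2.8 | 2.4 | 2.1 |
| Russia | 2.1 | Systemic Failure to Maintain Safeguards | 2.7 | 2.9 | 2.6 | 2.9 | 1.3 | 1.9 | 1.4 | 2.8 | 1.4 | 1.4 | 2.6 | 2.2 | 1.6 | 1.7 |
| China | 1.8 | Extensive Surveillance | 2.5 | 2.3 | 2.7 | 1.1 | 2.1 | 1.3 | 1.2 | 2.1 | 1.7 | 1.2 | 2.6 | 1.4 | 1.2 | 1.3 |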

Bottom 5 non-EU countries

  1. China – 1.8 – Extensive surveillance
  2. Russia – 2.1 – Systemic failure to maintain safeguards
  3. India – 2.4 – Systemic failure to maintain safeguards
  4. Thailand – 2.6 – Some safeguards but weakened protections
  5. Malaysia – 2.6 – Some safeguards but weakened protections

China

China’s ranking isn’t much of a surprise but where does its extensive surveillance arise from?

  • Privacy laws lack clear guidelines, which makes them difficult to enforce
  • ID cards are mandatory in China for anyone over the age of 16
  • China is heavily reliant on biometrics and artificial intelligence (AI). For example, facial recognition cameras are now catching jaywalkers, triggering a text message, and sending their image to large screens to publicly shame them. China also uses these types of cameras to track and monitor Uighurs, the country’s Muslim minority
  • Data is frequently shared among agencies and state intelligence has a green light to request data from any organization or citizen
  • Surveillance cameras with facial recognition are now the “norm” in China and there are few limitations in place on CCTV as a whole
  • Intelligence services and law enforcement can intercept communications without a court order – and how they perform these interceptions is still largely unknown
  • Employees aren’t protected when it comes to their communications, despite the data subject needing to give their consent for data collection. Courts have been known to rule in favor of the employer (where an employee didn’t give their consent for email monitoring) and employees’ brainwaves have even been monitored to “aid productivity”
  • There are no time limits on data retention but there are specific requirements on what data needs retaining. For example, text message service providers have to store various information for a minimum of five months
  • Medical data is frequently used for research or as “public interest records”
  • All financial transactions over a certain amount have to be reported to a government agency
  • Extreme surveillance is being implemented at China’s borders with apps being installed on people’s phones (without consent) to scan for “inappropriate content”
  • China is a member of Interpol but many countries are wary of sharing data with China due to how it may use it
  • The government controls most media sources

It is difficult to draw any positives from China’s privacy rights. Even if they are mentioned in law, the reality is often very different.

Russia

Closely following China is Russia, with its poor score coming from:

  • Its regulatory body, the Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor), is incredibly active but often in cases of censorship rather than privacy
  • It is in the process of creating an eGovernment framework which will allow for inter-agency data sharing but will also grant the general public access to government-held information
  • Companies are often required to hand over data to the government with the most recent example being Tinder. If they fail to comply, they are blocked
  • Started to build its own “sovereign internet” with fears that this will remove its need for the world wide web and will create a highly-censored internet that’s used for surveillance
  • Facial recognition is already being used in cameras to track down debtors
  • Despite clear safeguards to protect against communication interception (i.e. a court order is required in most cases), there were 540,000 approved interceptions in 2012, showing little limitation on what is and isn’t granted
  • Intercept capability need not be offered by service providers as the System of Operative-Search Measures (SORM) enables the Federal Security Service (FSB) to eavesdrop on communications via a direct line from internet service providers. In most cases, operators and ISPs aren’t even aware this is happening
  • Telecom service providers have to store call and message records for a minimum of six months
  • All transactions over the value of 600,000 roubles have to be reported to the relevant agency
  • AI technology is being implemented at Russia’s borders to collect data
  • Member of Interpol and various tax agreements that involve the sharing of data
  • Laws against “fake news” were recently passed but many believe this is just a bid to aid censorship. Furthermore, independent media outlets are being squeezed out or “brought under control” and TV channels are known for showing propaganda, highlighting some of the reasons why Russia is ranked 149th in the world in the World Press Freedom Index

Again, it’s hard to find anything constructive within Russia’s “privacy policies.” On the same day that the European Court of Human Rights (ECHR) ruled against Russia, Russia introduced a new law that allows it to overrule decisions made by the ECHR. And although Russia has fined Facebook because it failed to comply with its local data privacy law (which requires all foreign and domestic companies that are processing, storing, or accumulating data of Russian citizens to store this data on a server within Russia), it is questionable as to how much this relates to privacy and how much this relates to control over data.

We have marked Russia relatively well for workplace monitoring because there are safeguards in place and Russia should, in theory, apply the case of Barbulescu v. Romania (employees should always be notified of monitoring) because it’s a member of the ECHR. However, as noted above, there are no guarantees this will happen.

India

A number of concerning aspects of India’s laws and regulations threaten citizens’ privacy, including:

  • Its Data Protection Bill is yet to take effect and there isn’t a data protection authority in place, meaning privacy protections are weak at present
  • The Aadhaar Identification Scheme gives citizens a unique ID number and is also home to the largest biometric database, which contains 1.23 billion people
  • This database also contains information such as purchases, bank accounts, and insurance
  • Trying to get WhatsApp to make messages traceable by adding a digital fingerprint to every message sent
  • CCTV isn’t regulated and any privacy laws relating to it are very vague and open to interpretation
  • 10 government agencies have recently been given the authorization to decrypt, monitor, and intercept data on any computer (but this must be approved by the Home Secretary)
  • Should service providers fail to offer intercept capabilities, they could face prison for up to seven years
  • Looking to install hi-tech border surveillance at certain borders
  • Frequently shares information with the US and has multiple Mutual Legal Assistance Treaties with different countries
  • Ranks 140th in the world for the Press Freedom Index with 6 journalists (at least) being killed in 2018

What is clear is that the laws and courts of India are starting to protect data privacy. For example, the courts changed the law so private companies did not have the right to request ID numbers, and government agencies’ access to the Aadhaar database has been recently withdrawn. Covert surveillance will also be banned when the new data protection law comes into power. However, with surveillance tactics and biometrics already going incredibly far, it’s questionable as to how much a law will change things.

Thailand

  • National ID card with fingerprints
  • Biometrics are heavily used and are a requirement for many day-to-day things. For example, a biometric check must be performed to buy a SIM card
  • CCTV is widely used and accepted in Thailand. But a new law does require a data owner to be informed that they’re being monitored
  • Although the Special Case Investigation Act states a chief judge must grant permission for communication interception to occur, a military coup in 2014 enabled the military to intercept any messages under Martial Law
  • The Computer Crimes Act allows officers of the Ministry of Digital Economy and Society (MDES) to request documents and computer data from service providers. This is all done without a warrant. With a warrant, they are able to request much more information
  • Thai police have a technology that can gain access to chat room messages, emails, and text messages – but this should be conducted under a court order
  • Fingerprints are collected when people enter the country
  • Part of numerous international data-sharing agreements
  • New laws and the Junta do impose restrictions on the freedom of speech in Thailand, with many believing that the new cybersecurity law will be used by the government to silence critics

Thailand recently implemented the Personal Data Protection Act (PDPA) on May 28, 2019. It is hoped this will create Thailand’s very first consolidated data protection act, but people are being given a one-year grace period to adjust to these new laws. Workplace monitoring and data retention policies should improve. A recent development (which happened post-study) also means Thai cafes are being forced to keep a log of customers’ browsing data for at least 90 days. The government has suggested that this is to help identify users who are violating Thai law and are creating “fake news.”

Malaysia

  • Calls for a more in-depth privacy law that covers all matters. At present, there is only the Personal Data Protection Act 2010 (PDPA) which protects the personal data of a data subject
  • However, the courts have been quite proactive in enforcing this law, and the data protection agency frequently inspects businesses and offers recommendations on their data practices
  • A national ID card (MyKad) is compulsory from the age of 12 and contains biometrics (thumbprints). It also stores bank details, certain health information, can be used to make purchases, and stores data for up to 20 years (the card’s only valid for 10, though)
  • For children up to the age of 12, MyKid carries parents’ religion details, birth data, health information, and education data
  • Face recognition technology is also on the rise with Grab Malaysia teaming up with the Ministry of Transport to improve driver safety and provide safeguards against crimes
  • Few laws surrounding the use of face recognition technology
  • Data sharing does require written consent in most cases, but the government does have a platform (MyGDX) which facilitates intergovernmental agency data sharing
  • CCTV is prevalent in Malaysia and there are few safeguards in place. However, a “CCTV Guide” that is yet to come into law will enforce a few more protections, e.g. notifying people of CCTV monitoring
  • Several large data breaches involve financial and medical details
  • Founder of the ASEAN Treaty on Mutual Legal Assistance in Criminal Matters

The introduction of the data protection law in 2010 did make some improvements to Malaysia’s data privacy – but, as technology advances and times change, these need updating to better protect all types of data, including biometrics.

Bottom 5 EU countries

  1. Italy – 2.7 – Some Safeguards/Weakened Protection
  2. Hungary – 2.7 – Some Safeguards/Weakened Protection
  3. Slovenia – 2.7 – Some Safeguards/Weakened Protection
  4. Germany – 2.8 – Some Safeguards/Weakened Protection
  5. Spain – 2.9 – Some Safeguards/Weakened Protection

Italy

Italy fails to uphold privacy protections in a number of areas. This includes:

  • An ID card that contains biometrics
  • Extensive use of biometrics, including facial recognition in airports, is causing concern among citizens
  • Data-sharing agreements as part of the Treaty of Prüm and Schengen Agreement
  • Extensive CCTV use (including with facial recognition)
  • Lengthy data retention periods (six years for internet and telephone traffic data)
  • It lacks freedom of the press

The Italian regulatory body in charge of enforcing the GDPR, Garante, hasn’t been very active. This could be due to there being a lack of data breaches or it may indicate a lack of implementation. However, Italy has made efforts to prohibit workplace monitoring.

Hungary

  • Hasn’t always protected its people’s right to privacy, even ruling that police officers were not entitled to their right to privacy because their roles as agents of public power outweighed it
  • ID card contains owner’s fingerprint
  • Employers are also allowed to use biometrics in certain situations, i.e. to prevent unauthorized access to information
  • Building a facial recognition database from the identification photos of its citizens and tourists
  • Government agencies are able to take data from telecommunication companies without a warrant
  • Part of the Treaty of Prüm and the Schengen Agreement

GDPR is helping to make some improvements in Hungary, for example, helping enforce people’s rights when it comes to CCTV footage and protecting data as a whole through fines given by The Hungarian National Authority for Data Protection and Freedom of Information.

Slovenia

With the highest record of human rights violations per capita in Europe, Slovenia is constantly being monitored to see if and how it is improving the protection of its citizens. We’ve found:

  • Although Slovenia is part of the EU and the GDPR law applies, it hasn’t implemented it through its own legislation, which leaves large question marks over its data protection policies
  • This also removes some of the integrity and strength of its regulatory body, the Information Commissioner (IC)
  • It relies on biometrics in its passports
  • It’s part of the Treaty of Prüm and Schengen Agreement

Although the GDPR should, in theory, improve things in Slovenia, there are reports to suggest that it isn’t being properly implemented in many EU countries. And with Slovenia’s lack of laws, this is likely the case. Equally, the draft bill proposed by Slovenia has been criticized by many as “overstepping” the boundaries put in place by GDPR.

Germany

Despite privacy enforcement in a number of areas (sensitive data and the implementation of the data protection law, Bundesdatenschutzgesetz) and the active role of its Data Protection Conference, Germany is failing its citizens in a number of areas. These include:

  • Its extensive use of biometrics, including in a national ID card
  • Being a founding member of the Treaty of Prüm and Schengen Agreement
  • Its allowance of CCTV cameras with facial recognition
  • Controversial data retention directives
  • Lack of privacy protection for journalists
  • Heavy censorship of social media posts through “hate speech” laws

Spain

Again, Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), has been effective in implementing the GDPR laws, fining La Liga €250,000 for privacy violations. However, the privacy rights of its citizens are significantly reduced due to:

  • Its increasing use of biometrics (and the general overall acceptance of this)
  • ID card that contains biometrics
  • It being a founding member of the Treaty of Prüm, the Schengen Agreement, and tax data-sharing agreements
  • Its communication data retention policies have been met with a lot of criticism (12 months after the communication but this can be extended to 2 years)
  • A gag law on journalists

Top 5 non-EU countries

  • Norway – 3.1 – Adequate Safeguards
  • South Africa – 3.0 – Some Safeguards/Weakened Protection
  • Switzerland – 3.0 – Some Safeguards/Weakened Protection
  • Argentina – 3.0 – Some Safeguards/Weakened Protection
  • Canada – 3.0 – Some Safeguards/Weakened Protection

Norway

As the only non-EU country to be found to have “adequate safeguards,” Norway is succeeding at:

  • Implementing GDPR laws
  • Fining companies who are not protecting data (the municipality of Bergen was fined €170,000 for violating GDPR laws by leaving 35k usernames and passwords of primary school students and employees openly accessible)
  • Protecting freedom of speech (it’s ranked number one in the World Press Freedom Index and has been for the last three years)
  • Offering extra privacy protection for certain jobs, e.g. lawyers and medical practitioners

Biometrics do let Norway down. It is looking to introduce them into ID cards in 2020 and law enforcement does have access to biometric data. Norway is also a member of the Schengen Agreement and parts of the Treaty of Prüm.

South Africa

  • Privacy rights are protected through the constitutional court
  • Landmark case in which bulk interception by the National Communications Centre was declared unlawful by the High Court (amaBhungane Centre v Minister of Justice)
  • Limits on data sharing, even between agencies within the same sector
  • Not part of any invasive international treaties (but it is involved in tax-sharing agreements)

South Africa is in the process of introducing an Information Regulator and the Protection of Personal Information Act (POPIA) which will help to further enforce privacy rights. But as these aren’t yet fully in place, it does create some gray areas. Biometrics are also on the rise and the newly introduced South African ID card contains fingerprints.

Switzerland

  • Actively enforcing privacy rights with its Federal Act on Data Protection (due to be updated in 2020)
  • Its data protection agency, the Federal Data Protection and Information Commissioner (FDPIC), is rumored to be the regulator Facebook wants to manage its cryptocurrency, Libra
  • No mandatory ID card with biometrics
  • Freedom of speech and the media

Despite Switzerland being a “tax haven” for many years, it is now clamping down on this by sharing tax details with other countries. It is also part of the Schengen Agreement and has signed an agreement with member states of the Prüm Decision so they can share data. Switzerland also allows workplace monitoring without permission, so long as an employee is informed.

Argentina

  • Actively trying to improve data privacy and keep up with other laws (i.e. the GDPR) and technological advancements
  • Adequate safeguards for areas of surveillance and workplace monitoring
  • Warrants are required for communications to be intercepted

Argentina’s mandatory ID card does contain biometrics. Biometrics are widely implemented and accepted on the whole. The Data Protection Act is in need of an update, particularly when it comes to data retention laws (there are no clear guidelines as such, leaving it very open to interpretation). Argentina also actively shares personal information with other countries.

Canada

  • 28 different statutes protecting data privacy in the private, public, and health sectors
  • Adequate safeguards for areas of surveillance and workplace monitoring
  • Very similar data retention laws to the GDPR

Canada’s regulatory body, the Office of the Privacy Commissioner of Canada, is criticized as being lackluster in its authority but there are talks to improve its powers so it can levy fines. Biometrics are on the rise with fingerprints now being a requirement for people applying for certain kinds of visas. Data sharing is also an issue due to the agreements Canada has with other nations (approximately 17). And Canada recently ruled against a journalist, requiring him to disclose a source.

Top 5 EU countries

Due to the recent implementation of the GDPR laws, there isn’t much difference in the scores of EU countries. What tends to differentiate them is their data-sharing agreements with other countries, their freedom of speech, their use of biometrics, and other country-specific rules and regulations.

  1. Ireland – 3.2 – Adequate Safeguards
  2. France – 3.1 – Adequate Safeguards
  3. Portugal – 3.1 – Adequate Safeguards
  4. Denmark – 3.1 – Adequate Safeguards
  5. Malta – 3.0 – Some Safeguards/Weakened Protection

Ireland

Ireland tops the list when it comes to privacy and surveillance protection due to:

  • The active role the Data Protection Commission of Ireland is playing in protecting privacy (18 ongoing investigations into US technology companies, for example)
  • Its resistance toward biometrics on ID cards, despite it being an EU regulation
  • It not being part of invasive data-sharing agreements, i.e. the Treaty of Prüm or the Schengen Agreement
  • An active role in overturning the EU’s data retention directive due to its breach of privacy and human rights
  • Its opt-out clause for EU laws

The categories that let Ireland down were its weakened protections for sensitive data (i.e. several data breaches in the medical industry), the subsidization of CCTV, and a threat to press freedom due to the concentrated ownership of media outlets.

France

Just behind Ireland is France, which scored reasonably well because of:

  • Its data regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), successfully enforcing GDPR laws by fining Google €50 million because it didn’t get proper consent from users for its ad personalization (it used pre-ticked boxes)
  • The CNIL being proactive before the implementation of GDPR, fining Uber €400,000 for its data breach
  • No biometrics required for the mandatory French ID card
  • The CNIL actively debating and preventing the use of biometrics in other areas, e.g. in the workplace
  • The requirement for a Data Protection Impact Assessment (DPIA) before surveillance is installed for large-scale public monitoring

However, France is a member of the Treaty of Prüm and the Schengen Agreement. There is active data sharing occurring within France, too. For example, suspicious transactions must be reported as part of anti-money laundering laws. Communication data is retained for one year.

Portugal

Portugal also makes the top three due to:

  • Its regulator, the Comissão Nacional de Protecção de Dados (CNPD), actively enforcing the GDPR
  • Its recent €400,000 fine of a hospital for various data breaches – one of the largest GDPR fines to date
  • Biometric databases being forbidden
  • Its restriction and regulation of CCTV use
  • Has a history of protecting employees’ privacy through domestic legislation

Portugal was one of the last European countries to implement the GDPR law (one year and three months after it was enforced). It is also a member of the Treaty of Prüm but, due to its lacking DNA database (less than 0.1% of its citizens are on it), it doesn’t share much information and only shares data with select countries. That said, it is also a member of the Schengen Agreement and data is regularly shared internally, too, i.e. for anti-money laundering laws.

Denmark

Denmark receives its score of “adequate safeguards” because of:

  • The active role of the Danish data protection agency, the Datatilsynet (DPA), since the implementation of the GDPR
  • Its general success at implementing GDPR across a range of categories
  • The Danish ID card not containing biometrics
  • Its opt-out agreement with EU laws
  • The protection of freedom of expression

Yet, there is a worrying acceptance of both biometrics and CCTV cameras within Denmark which may allow privacy controls to slip. The sharing of data, both within Denmark and with other countries (part of the Schengen Agreement) also lowers the score, as do the queries over data retention (location data from mobile phones).

Malta

Although Malta makes the top 5, it falls into a lower category than the other four EU countries. It received a “some safeguards but weakened protections” score due to:

  • Courts ruled in favor of privacy when it comes to short data retention periods (the case of Maltapost PLC Vs Kummissarju Ghall-Informazzjoni u l-Protezzjoni tad-Data)
  • Its data protection authority, the Information and Data Protection Commissioner (IDPC), works proactively to enforce the GDPR and fines
  • The Maltese ID card does not contain biometrics
  • The IDPC requires notification before CCTV is installed

Malta is, however, a member of the Treaty of Prüm and the Schengen Agreement and does have weakened protections when it comes to communication interception and sensitive data. It also has a systemic failure to uphold safeguards when it comes to democratic issues like freedom of the press (the majority of media sources are owned by politicians).

Where do the US and UK rank?

United States

The US is seventh from bottom in our non-EU rankings. This is due to:

  • Biometrics growing in use with the Biometric Exit Program predicted to be in place within four years, processing 97% of people who leave the US
  • Courts rule in different ways when it comes to biometrics. There are several debates over topics like whether the police could ask you to unlock your phone with your fingerprint
  • Building a database of biometric information containing digital facial images and the 10 fingerprints of over 200 million people who have tried to enter, have entered, or have exited the US
  • Private companies are able to set their own guidelines when it comes to processing personal data
  • There are no federal laws regarding the use of CCTV, meaning usage varies drastically on a state-by-state basis. For example, some states include a safeguard that prohibits CCTV use in areas where people expect privacy, e.g. changing rooms, but some do not
  • Only two states require companies to inform their employees of workplace monitoring
  • Numerous data breaches across all sectors
  • Part of numerous international data-sharing agreements
  • Recently created the Clarifying Lawful Overseas Use of Data (CLOUD) Act which allows law enforcement of cooperating countries to request data directly from service providers rather than having to go through the government

Data protection in the US is governed by multiple sectoral laws and laws also differ by state. This can cause some confusion and inconsistency, and it can leave some huge gaps in certain areas/states. Nevertheless, some of the governing bodies actively pursue data privacy. For example, the Federal Trade Commission (FTC) recently fined Facebook $5 billion for privacy violations.

United Kingdom

At present, the UK is governed by GDPR laws but has also implemented its own Data Protection Act, which will remain in place post-Brexit.

  • The governing body, the Information Commissioner’s Office (ICO), has already issued a number of fines, including one of £183 million to British Airways for breaching customer data and one of £99 million to hotel chain Marriott for exposing 399 million guest records
  • The UK is not part of the Prüm Decision (but has requested to be and is involved in parts of it – see below) or the Schengen Agreement
  • Certain safeguards are in place for CCTV usage (i.e. businesses must inform the ICO why they are using CCTV and must tell people they are being recorded), communication interception (warrants are required), and government access to data (again, warrants are often required)
  • Does have opt-out agreements with EU laws

Despite some of these safeguards, the UK is moving toward more biometrics, more CCTV, and could involve itself in further international treaties post-Brexit. It has recently joined the Prüm DNA framework, which allows law enforcement agencies to share DNA profiles and fingerprints, giving member states access to the UK’s database of over 5 million people. Workplace monitoring is also accepted (if employers can justify their reasons for doing so) and there have been cases of employees being fired for things they have said on social media.

How things look overall

If we merged the rankings of both the EU and non-EU countries, the leaderboard wouldn’t look much different to the EU one. All that would change is Norway taking second place, pushing Malta out of the top five.

What is interesting about these top five (the only ones to receive an “adequate” score) is that they are all governed by the GDPR laws. So, while there is still huge room for improvement in all countries, the GDPR laws do seem to be encouraging them to move in the right direction.

  • Constitutional Protection: Slovenia, Australia, China, Sweden, Singapore, Netherlands, Luxembourg, Hungary, Italy, Malaysia
  • Statutory Protection: China, Greece, Slovenia, Finland, Malaysia, Estonia, India, Hungary, Portugal, Russia
  • Privacy Enforcement: India, Thailand, Brazil, Slovenia, Russia, Slovakia, China, Iceland, Japan, Finland
  • Identity Cards and Biometrics: China, India, Japan, Cyprus, Hungary, Germany, Malaysia, Estonia, Italy, Thailand
  • Data-sharing: Russia, China, Hungary, India, Luxembourg, Malaysia, Belgium, Spain, Slovenia, Canada
  • Visual Surveillance: China, Russia, Philippines, Brazil, India, Malaysia, Germany, Thailand, Italy, Hungary
  • Communication Interception: China, Russia, India, Thailand, Singapore, Australia, Hungary, Finland, Germany, Luxembourg
  • Workplace Monitoring: China, India, Taiwan, Thailand, Singapore, Australia, US, Philippines, Russia, Hungary
  • Government Access to Data: Russia, China, Finland, Thailand, Poland, India, Luxembourg, Singapore, Romania, Australia
  • Communication Data Retention: China, Russia, Italy, Estonia, US, Germany, Taiwan, Slovenia, Poland, India
  • Surveillance of Medical, Financial and Movement: US, Sweden, Malaysia, Greece, China, Russia, Singapore, Netherlands, Ireland, India
  • Border and Trans-Border Issues: China, Russia, Germany, Slovenia, Malaysia, Spain, New Zealand, Thailand, Canada, Israel
  • Leadership: China, Russia, Slovenia, Romania, Austria, Sweden, Italy, India, New Zealand, US
  • Democratic Safeguards: China, Russia, Thailand, Brazil, Austria, India, Slovakia, Bulgaria, Malta, Israel

Methodology

Each country was given a score per category based on a number of criteria (listed below). Then, to gain an overall score, we added up the total of these scores before dividing by 14 (the number of categories in total).

Constitutional Protection

  • Does a constitution exist and does it protect privacy?
  • Does the constitutional court have a ruling over privacy protection? If so, does it have a history of providing these protections?
  • Is the country a member of the EU (the GDPR plays a key role)?

Statutory Protection

  • Are there laws in place that protect people’s privacy against companies and governments?
  • Are there sectoral laws? E.g., anti-money laundering laws or medical laws.
  • Do these laws succeed in protecting privacy?

Privacy Enforcement

  • Is there a regulatory body, e.g. a Data Protection Authority, that has the power to investigate privacy cases?
  • Are they proactive at doing this? Are there any cases that have been taken through the courts/legal systems?

Identity Cards and Biometrics

  • Does the country have a national ID card? Does this have biometrics?
  • Are biometrics common? Are they used to aid privacy or are they used for surveillance?
  • Is there a privacy debate in the country about this use of biometrics? Or are most happy with the technology?

Data Sharing

  • Are there laws to prevent the secondary use of data?
  • Does the government share personal data between its agencies?
  • Do companies have to hand over personal data to the government?

Visual Surveillance

  • How prevalent is CCTV in the public and private sector?
  • Are CCTV cameras regulated?
  • Is there any debate surrounding the use of CCTV?

Communication Interception

  • Are there laws that prevent abuse?
  • When can law enforcement intercept communications, i.e. with a warrant, if they have reasonable doubt, etc.?
  • What types of investigations can result in communication interceptions?
  • Who authorizes their access, if anyone?
  • Are telecommunication providers expected to allow interception capabilities?

Workplace Monitoring

  • Are there laws that prevent abuse?
  • Are there legal avenues/cases?
  • Are companies given adequate guidelines to follow?

Government Access to Data

  • What are the warrant regimes? For example, can they enter a property without a warrant?
  • How does law enforcement gain access to private sector databases?
  • What powers do various agencies have to access data?

Communications Data Retention

  • Do telecommunication providers have to retain data for a specific period of time? If so, how long?
  • Are there considerations for different types of data and how the retention periods may differ?

Surveillance of Movement, Finances, and Medical Data

  • Although this data is sensitive, is it adequately protected?
  • Are there laws which allow for the monitoring of these types of data? E.g. anti-money laundering laws.
  • Have there been data breaches involving this type of data?

Border Issues

  • Does the country have biometrics at its borders?
  • Is the country cooperating with other countries when it comes to law enforcement and surveillance?

Leadership

  • Is the government part of any anti-privacy treaties? E.g., Five Eyes or the Treaty of Prüm?
  • What data is the government sharing with other countries?

Democratic Safeguards

  • Is there freedom of speech in the country?
  • Are there protections in place for journalists?

Sources

For each country’s report, sources, and scores, please see this spreadsheet: https://docs.google.com/spreadsheets/d/1uPCfyzwT2b47oX0kcYg3kn3V4H6IWUikp4jMOVUWmJA/edit?usp=sharing