Drivers for privacy law initiatives

Privacy Laws & Business has been reporting on new data protection bills and laws for over 33 years. My experience in January of moderating a session on Digital Identity in Africa and the Middle East - at the CPDP Conference in Brussels - led me to reflect on the different motives for governments to propose new privacy laws.

Often there is more than one factor but I suggest that the following are distinct drivers for privacy law initiatives:

  1. To win more contracts for processing personal data, as in the United Kingdom in 1984
  2. To gain entry to a regional economic and/or political group, as in Bulgaria, Romania, Albania and North Macedonia to help them to gain entry to the European Union
  3. Pressure from human rights and consumer Non-Governmental Organisations, as in Australia
  4. The finance sector and/or outsourcing companies which want to ensure a relatively simple legal basis for transferring personal data from countries with existing data protection laws, as in Mauritius in 2017
  5. A wish by the government to be regarded as having an “adequate” or “essentially equivalent” legal regime to that in the European Union, as in Japan
  6. A plan by the government to establish a national digital identity programme, as in Ghana
  7. A trade-off for potentially privacy invasive schemes by governments, as in India
  8. A wish to have a uniform data protection standard across all sectors to achieve a level playing field for business, charities and other parts of the economy
  9. A plan to diversify an economy from oil and gas to knowledge and innovation, and improve delivery of government services, as in Abu Dhabi

Of course, a combination of factors can apply. For example, Professor Graham Greenleaf, PL&B’s Asia-Pacific Editor, comments that Australia’s 1988 public-sector-only privacy law is a good example of the combination of 6. and 3. and that Australia’s 2001 extension of the law to the private sector was a combination of 4. and 5.

I asked our Indonesia Correspondent, Andin Aditya Rahman, for the main factors behind the government’s publication of the bill covered in our lead article. His (edited) explanation below demonstrates how different factors have come together to make 2020 the right time for a privacy law in Indonesia, the world’s 4th most populous country, the largest economy in Southeast Asia, the world’s 10th largest economy in terms of purchasing power parity, and a member of the G-20.

He explained that the Facebook case happened in early 2018, which sparked talks surrounding the Bill but was ultimately delayed until Indonesia’s general elections in 2019. At the end of 2019, the government finished drafting the revised version of the Bill discussed in this article.

From 2018, the main driving force for the Bill for Indonesia was:

  1. Pressure from human rights and consumer NGOs, especially in 2019, citing that the Bill is critical to having a clear legal regime for preventing personal data protection violations.
  2. The government’s intention to have one main law on personal data protection, as separate provisions are spread across different laws in many sectors, for example, health, banking, and telecommunications.
  3. Indonesia policy makers saw that neighbouring states, such as Singapore and Malaysia, already had their own personal data protection legal regime. In 2019, Thailand introduced theirs and this was also a point of discussion.
  4. A plan by the government to establish a national digital identity programme was not a factor, as Indonesia’s national digital ID card was implemented back in 2012 before any significant talks about the Bill. But the Bill and personal data protection for public purposes in general was discussed in 2019, after the residential and civil record data of Indonesian nationals (mostly data on the ID card) were leaked online.

Well-publicised data breaches can play an influential role in gaining political support for stronger powers for a regulator in general, as in Canada, or for dealing with a specific privacy risk, such as the use of facial recognition systems, in the US.

Once a privacy law is adopted, the resources provided by the government to appoint a Data Protection Authority and fund its enforcement role depends on how the government balances competing interests. Several countries are keen to sign up to the Council of Europe Convention 108+ or become observers at their meetings in Strasbourg. But how their laws work in practice is an ongoing exercise and a complex issue which is our monitoring role at Privacy Laws & Business.

We hope that you and your team are keeping healthy, as is our PL&B Team. We are working remotely. Our next survey will be on how your organisation is managing remote working, from the data protection law perspective.


Stewart Dresner, Publisher

International Report 164

Lead stories:

Indonesia’s DP Bill lacks a DPA, despite GDPR similarities

Graham Greenleaf and Andin Aditya Rahman of Assegaf Hamzah & Partners, Indonesia, analyse the Bill’s provisions.

Finland invests in European cooperation, prepares to fine

Finland’s DPA’s workload has stabilised after the immediate post-GDPR rush. The first GDPR fines are now in the pipeline. Laura Linkomies reports from Helsinki.

Click for full contents list