Image: Termly

The New Age of Data Privacy: 3 Core Concepts in Privacy Laws Around the World

  • Viewpoint
  • By KJ Dearie (Termly)
  • 30 July 2019

KJ Dearie, product specialist and privacy consultant at Termly, reviews three core concepts in global privacy laws: transparency, accountability and user control

Less than 30 years ago, the World Wide Web became available to the public. Since then, people and organizations across the globe have mobilized in an effort to create a safe and effective online space. Through efforts like the #GoodID Movement, the calls of citizens for greater digital privacy rights, and the response of legal bodies worldwide, the internet is evolving into a conscientious space.

In fact, over 100 laws have now been passed across six continents that govern the appropriate collection, protection, and exchange of web-based data.

On top of the sheer number of countries with data privacy laws of their own, many of these laws have extraterritorial influence, meaning even companies outside of the law’s host country are subject to comply.

With this new and growing trend toward data privacy legislation, it’s nearly impossible for business owners, website operators, and everyday internet users to keep track of the rules and rights that govern their interactions on the web.

Luckily, the majority of these laws share variations of the same core principles: transparency, accountability, and user control. Let’s explore what these mean when it comes to data privacy and protection laws around the world.

1. Transparency

Data privacy, as a concept alone, wasn’t on the public’s radar until the social media boom of the last ten years. Even then, it took the culmination of high-publicity incidents — like the Cambridge Analytica–Facebook election scandal and the 2018 Google data breach — for the term “data privacy” to enter the public vernacular with the weight it carries today.

Given the shift in consumer attitude toward skepticism in the face of data collection, the law has been fast to follow (and in some cases, lead the way), ushering in the era of transparency.

Take Australia’s Privacy Act 1988, for example. This was one of the earliest privacy laws to be enacted, and continues to be amended as technology and digital practices evolve. Among the groundbreaking statutes written into the law is the thoroughness the legislation mandates of companies’ privacy policies.

The act determines the need for any subject company to create a privacy policy that outlines how and why data is collected — a requisite that can be seen in other early transparency-focused laws, like the California Online Privacy Protection Act (CalOPPA).

Where Australia’s law surpasses the scope of other privacy policy-requiring laws is in the depth of transparency it necessitates. For example, the Privacy Act 1988 demands privacy policies disclose:

  • Who data may be shared with
  • How users can edit or request access to their data
  • How someone can make a privacy-related complaint or breach claim
  • Whether data may be transferred outside the country, and what countries this could involve

These strict disclosure guidelines have since been adopted in laws across the globe — from the EU’s General Data Protection Regulation (GDPR) to India’s Personal Data Protection Bill 2018.

Now, given both the legal precedent and the public’s concern over their personal data, it would be unheard of to encounter a privacy law void of strict transparency requirements.

2. Accountability

The United States alone saw 446.5 million exposed records due to data breaches in 2018.

As data becomes a highly valuable commodity, and hackers adapt to security systems and protection measures, a great responsibility is being placed on companies to protect the data they collect, store, and share.

Notably, the California Consumer Privacy Act (CCPA), which is based in California but has extraterritorial scope, introduced a groundbreaking consumer right for Americans — the right to sue for loss of privacy.

Under the act, California consumers whose data is breached can sue the company responsible for storing the data for loss of privacy, even if no physical or monetary damages are suffered.

The onus of protecting the privacy of individuals has long been a concept rather than a mandate for businesses and websites worldwide. Now, the law is trying to define what responsible data collecting and storing means, and what consequences lie on the other side of negligence.

3. User Control

Company responsibilities aren’t the only matters being addressed in the new wave of privacy laws — internet users are also being given more rights over their own data.

Among these new rights are two major themes: rights over already-collected data, and rights over the future collection of data.

Rights over collected data

One of the most notable laws regarding consumer rights over their data is the GDPR. Articles 15–21 of the regulation grant data subjects rights, such as to access, edit, delete, or transfer personal data that has been collected from them.

Other privacy laws have followed suit, notably Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), which gives data subjects these same rights, and adds the right to explanation — meaning data subjects can request information about why and how their data is being processed.

Rights over the future collection of data

Not only do today’s data privacy laws expand user rights over collected data, but many of them also offer new rights to users regarding the future collection and processing of data.

The main example of this — and a data privacy concept growing rapidly — is cookie consent. Under legislation like the ePrivacy Directive (also known as the EU Cookie Law), consumers are asked to consent to the collection of data through cookies via banners and modals that pop up upon visiting a website.

Even more, laws like ePrivacy require businesses to allow users to set their cookie category preferences (e.g., a user can consent to a website using analytics cookies, but deny the deployment of advertising cookies).

An updated version of the ePrivacy Directive — the ePrivacy Regulation (institution date yet to be determined) — is on the horizon, promising even more comprehensive guidelines for cookies.

Organizations, technologists, and worldwide voices of influence have a responsibility to help shape the new digital era.


While the sheer number and scope of privacy laws acting on a global scale is a mark of how far we’ve come, there are clear signs of how far we have yet to go. For example, the U.S. — currently the world’s largest economy and the nation with the third highest population of internet users — does not have a federal data privacy law.

While the U.S. is expected to pass such a law at the federal level shortly, the current state of affairs only demonstrates how recent the data privacy boom truly is.

Furthermore, the concepts these laws are founded on — transparency, accountability, and user rights — are not the sole responsibility of the law. Organizations, technologists, and worldwide voices of influence have a responsibility to help shape the new digital era. To learn more about the #GoodID movement and how you can take action to create the internet landscape you want visit https://www.good-id.org/en/about/

To check out all the major players in the data privacy game so far, along with some fast facts about the new order of data privacy laws, take a look at the infographic below:

Image: Termly / https://termly.io/resources/infographics/privacy-laws-around-the-world/