Data Protection

Data Protection laws seek to protect people's data by providing individuals with rights over their data, imposing rules on the way in which companies and governments use data, and establishing regulators to enforce the laws.



In this section, you can access the different parts of our guide for policy engagement on data protection "The Keys to Data Protection". The guide is intended to help organisations and individuals improve their understanding of data protection, by providing a framework to analyse the various provisions which are commonly presented in a data protection law.  

The guide was developed from Privacy International’s experience and expertise on international principles and standards applicable to the protection of privacy and personal data, and our leadership and research on modern technologies and data processing. 

Part 1 introduces data protection: what it is, how it works and why it is essential for the exercise of the right to privacy.  

While data protection laws vary from country to country, there are some commonalities and minimum requirements, underpinned by data protection principles and standards which tend to be reflected in the structure and content of relevant legislation. Each part of the report presents these, including: 

  • General provisions, definitions and scope (Part 2);
  • Data protection principles (Part 3);
  • The rights of data subjects (Part 4);
  • The grounds for processing personal data (Part 5);
  • The obligations of controllers and processors (Part 6); and
  • Oversight and enforcement structures (Part 7).

Part 8 provides some additional resources on data protection, and outlines opportunities for organisations to engage on data protection. 

Much of our engagement on data protection for the last decade has been undertaken through our work with our partners in the Privacy International Network. We would like to take the opportunity to acknowledge their incredible efforts to promote and advocate for the adoption of data protection laws across the world. 

Please reach out to us via social media or email if you have any feedback on the guide:


What Is The Problem

Protecting privacy in the modern era is essential to effective and good democratic governance. However, despite increasing recognition for and awareness of the right to privacy and data protection across the world, there is still a lack of legal and institutional processes and infrastructure to support the protection of rights. Some parts of the world in particular suffer from a void: a lack of regulatory and legal frameworks in many countries, and the poor implementation and enforcement in others.

As a result, innovations in policy and technology, and private and public sector data practices, are largely left unregulated and unchecked, and this will have significant implications for the rights of individuals, as well as for the development of economies and societies.

There is also a systemic and structural challenge which is aggravating this situation. Decision-making and legislative processes are all too often subject to no public scrutiny, or only very limited public scrutiny.

What Is The Solution

Institutions, public or private, that collect and use your personal data must:

  • be subject to rigorous regulations providing them with standards on how to handle any data they process;
  • be compelled to be transparent and accountable;
  • be subject to checks and balances;
  • fulfill the rights of individuals; and
  • respect the rule of law.

There are a number of basic principles upheld by widely recognised codes, practices, decisions, recommendations, and policy instruments which provide the framework for effectively regulating the processing of personal data. However, it is essential for the protection of individuals' rights that a data protection framework is given the force of law.

Data Protection legislation must be carefully scrutinised to seek to ensure that the resulting framework is as strong as possible and not undermined by legal loopholes and exemptions. Once in force, data protection legislation must be accompanied by effective implementation and enforcement. This requires that an independent regulator or authority be appointed to ensure the data protection law is enforced, and it must have the mandate and resources to conduct investigations, act on complaints and impose fines when it discovers an organisation has broken the law. An important safeguard is a strong and critical civil society, with the ability to raise complaints, research abuses and be constantly vigilant of implementation.

Furthermore, recognising the multi-disciplinary nature of such mechanisms, technological measures from the conception phase to the processing of data can support a regulatory framework to minimise data collection, to mathematically restrict further data processing, to assuredly limit unnecessary access, amongst other privacy measures. Such measures can be adopted by both companies and governments. The onus must be squarely on those processing our data to protect it both by design and by default.