Quantifying Key Characteristics of 71 Data Protection Laws

Abstract

This research is the first ever systematic study that unlocks six paramount characteristics in the literal text of 71 Data Protection Laws (DPLs). The quantification fosters comparison of a potential federal U.S. law with DPLs in the rest of the world. It can also be used for empirical legal research in information security by linking the index or subsets to data concerning, for instance, deep packet inspection. This research is exploratory: adding more characteristics to the database is one of the key next steps for future research.There are some noteworthy initial results: only 5 out of 71 DPLs have penalties that deter companies for non-compliance. Also, compared to the U.S. states, few countries have data breach notification laws. Principal component analysis reveals more information. Characteristics can be grouped in two unobserved factors, which explain ‘basic characteristics’ across laws and ‘add ons’ to these characteristics.By summing these two factors a privacy index is constructed. Countries that are not known for their stringent privacy control such as Mauritius and Mexico cover a top position of this index. Member States of the European Union have DPLs with a privacy control score above average but no absolute top position.