Data protection continues to be a growing concern for policymakers and consumers in the digital economy. As a result, many governments have put in place data protection frameworks and laws, such as data privacy laws, or personal data protection and privacy laws, in order to strengthen protection against the misuse and abuse of collected personal information.

There have been some attempts to assess and measure how each jurisdiction has fared in strengthening their data protection regulations and laws. The existing body of data protection assessments and indexes make assumptions on what a strong data protection regime comprises. However, many of the assessments made depend on subjective factors, such as freedom of speech, and may not be universally accepted by countries as evidence for or against a strong data protection regime.

The inaugural TRPC Data Protection Index 2020 (DPI 2020) is the first index to establish an objective, data protection assessment mechanism. Based on the seven Principles of Personal Data Protection in the ASEAN Framework on Personal Data Protection 2016, it poses 12 questions to assess an economy’s data protection laws and regulatory environment. Economies are then scored against these questions, to derive an overall score that demonstrates if it has a strong data protection regulatory environment.

In this first iteration of the DPI, 30 economies have been scored. To enable policymakers to conduct comparisons on a national and international level, these countries include all economies represented in ASEAN (10 member states), APEC (21 member economies) and the G20 (20 member economies).

The results of the DPI are listed below. The full report can be downloaded here.

MARKETQ1 Data protection (DP) law?Q2 Privacy enforcement authority (PEA)?Q3 Consent required for collection, use, discloser of personal info?Q4 Does DP law allow for exemptions?Q5 Does PD law require data to be accurate and complete for its purpose of collection?Q6 Does PD law require appropriate security safeguards?Q7 Does PD law allow the individual to access and correct his data?Q8 Does the PD law require consent for overseas transfer of data?Q9 Does the PD law provide legal limits to retaining data (right to be forgotten)?Q10 Does the PD law require the collecting organisation to provide clear data collection policies, and a contact point for queries? Q11 EU GDPR participant or adequate?Q12 APEC CBPR participant or similar accountability mechanism?Total ScoreNormalizedRank
South Korea666666666626689.42
United States* 526666666666679.33
Australia666666666606669.2equal 4
Estonia666666666660669.2equal 4
Germany666666666660669.2equal 4
Mexico666666666606669.2equal 4
Singapore666666666606669.2equal 4
United Kingdom666666666660669.2equal 4
Brazil666666666600608.3Equal 10
Canada666666606660608.3Equal 10
Hong Kong666666666600608.3Equal 10
Malaysia666666666600608.3Equal 10
New Zealand666666606660608.3Equal 10
Peru666666666600608.3Equal 10
Russia666666666600608.3Equal 10
South Africa666666666600608.3Equal 10
Taiwan666666606606608.3Equal 10
Thailand666666666600608.3Equal 10
UAE*666666666600608.3Equal 10
Brunei266666666600567.8Equal 21
Philippines666666606602567.8Equal 21

* The scores for India and Indonesia are based on draft laws which have not been officially passed yet. For the United States, the EU-US Privacy Shield Framework has been used for the purpose of assessing data privacy. For the UAE, the Dubai Data Protection Law (DIFC Law No. 1 of 2007) was used. For Laos, no English translation was available for the Laos Electronic Data Protection Law (EDPL) which was only available officially as a scanned non-machine-readable copy, and therefore scores are based on data from Data Guidance.