Fighting for strong data protection around the world: a year in review

Happy International Data Protection Day! To celebrate, we’re taking you on a data protection world tour. Buckle up — it’s a wild ride.

In 2019, data protection made headlines worldwide. With India debating its first ever data protection law, Tunisians’ data leveraged for manipulation in national elections, a one year check-up on the implementation of the European Union General Data Protection Regulation (GDPR), and much more, it was an incredibly busy year for those of us defending data privacy.

Looking back, one thing remains clear: the more that our data are routinely collected, retained, and exploited, either by the private or public sector, the more urgent it becomes to implement strong data protection laws and policies to keep us safe. Whether it is our insurance and health records, social media chats, online purchases, location information, or other data that can be harvested and used for manipulation and control, our information is increasingly at risk and governments and companies must act now to protect it. The most vulnerable among us — such as activists, journalists, human rights defenders, and members of oppressed or marginalized groups — are the most at risk.

Raising the bar on data protection worldwide: a timeline

Throughout 2019, we at Access Now worked around the globe to improve data protection standards. Last year, governments continued to develop and update data protection legal frameworks. Unfortunately, in many cases, they failed to comply with robust standards, such as those in the GDPR. Much of our advocacy in regions like Latin America and the United States entailed advising against poorly designed laws and policies, while pushing for standards that better align with human rights principles.

So what were we up to in 2019? Our story begins with the GDPR . . .


  • 21st: The French Data Protection Authority fined Google 50 million euros for lack of transparency and valid consent surrounding the use of data for ads personalization. This was the first large fine imposed under the GDPR.
  • 23rd: The European Union and Japan signed a joint adequacy decision that allows for the transfer of personal data between the two jurisdictions.
  • 30-31st: We participated in the Computer, Privacy and Data Protection Conference in Brussels, where we contributed to discussions on the implementation of the GDPR, the development of data protection laws in Africa, and more.



  • 17th: One year after the Cambridge Analytica scandal, there had still been no major regulatory action to address the egregious data protection violations.
  • 20th: When Honduras held its first Internet Governance Forum, we issued a call to use the event as a platform to unpack the country’s problematic data protection bill, which contained carve-outs for the public sector to collect and process citizens’ data without appropriate safeguards.
  • 27th: We convened the Data Privacy Summit, a full-day conference in Washington, D.C., to examine the data privacy debate, the underlying technologies, and the relationships between privacy and security, civil rights, and safety. The conference aimed to find common ground with the ultimate goal of implementing a comprehensive data protection framework in the United States.



  • 25th: The GDPR turned one. To celebrate, we had cake, but more importantly, we published our first report on the law’s implementation, with recommendations to ensure that users will enjoy its full benefits.


  • 11-14th: We held RightsCon in Tunis, where data protection was at the center of many sessions. This year, we hope to see you from June 9-12 at RightsCon Costa Rica to continue building the discussion on how to strengthen data protection rights worldwide.
  • 24th: At the National Assembly of Ecuador, we presented at an event attended by lawmakers to highlight the importance of a human rights-respecting data protection law.




  • 2nd: We sent an open letter to Facebook, asking for more transparency in advertising and other sponsored content on their platform, specifically in regard to the 2019 Tunisian elections. Facebook provided an official response to our letter.
  • 12th: We contributed to a consultation from the Australian Government on the final report of the Australian Competition and Consumer Commission’s Digital Platforms Inquiry. The report, published in July, made bold suggestions to legislators on how to advance an array of proposals for strengthening privacy and data protection. In our submission, we focused on content governance and data protection-privacy issues, given their particular relevance for the advancement of individuals’ rights.
  • 18th: We called on the European Commission to strike down the E.U.-U.S. Privacy Shield since the arrangement fails to protect data and privacy rights.




  • 3rd: We led a coalition letter to the U.S. Senate Commerce Committee that outlines why the proposed “Consumer Online Privacy Rights Act” is one of the strongest pieces of privacy legislation under consideration in the U.S., as it would protect civil rights with strong anti-discrimination provisions.
  • 11th: After a long process, the Indian Government introduced the Personal Data Protection Bill 2019 in the Indian Parliament. The bill was referred to a Joint Parliamentary Committee, which will submit its comments and proposals in February. This bill is similar to the Srikrishna Committee proposal that we reviewed.
  • 11th: We co-hosted a U.S. Capitol Hill briefing on data privacy. The briefing, titled “Controlled and conditioned: How data abuse hurts the most vulnerable and threatens human rights,” included participation from Congresswoman Jan Schakowsky who provided opening remarks and announced draft data privacy legislation was forthcoming from the House Committee on Energy and Commerce.

As we look ahead to 2020, we remain committed to the goal of ensuring uncompromising privacy and data protections for all citizens around the world. Privacy and data protection are a cornerstone for human rights in the digital era, and our laws and policies must be adequate to protect it.