Authors: Gonzalo Zeballos, James Sherer, and Alan Pate

2013 was a year of contrasts within data privacy. To begin with the “normal” course, Canada sought (but failed) to pass a mandatory breach notification amendment to its federal privacy law, and Uruguay acceded to the European Convention regarding personal data processing. China introduced its Decision on Strengthening Internet Information Protection in very late 2012, and Japan introduced its “Common Number” Bill. Personal data regimes came into effect in Costa Rica, Colombia, Peru, Malaysia, Kazakhstan, Singapore, and Hong Kong. In Brazil, the draft Personal Data Protection Act of 2011 went another year without being enacted.

South Korea amended its already stringent data protection efforts with an additional Act focused on information processing, South Africa passed its first comprehensive data protection legislation, and India presented a new privacy protection bill for government consideration. And the EU and United States sought to find common ground when discussing the Transatlantic Trade and Investment Partnership that would respect the European data protection philosophy, while corporations based in the United States were admonished for “counter-productive” lobbying efforts that ultimately strengthened the proposed EU data protection laws.

But aside from some selected days of national excitement, the normal course did not grab the headlines in 2013; instead, a “high school dropout,” a “29-year-old former technical assistant for the CIA and [former] employee of the defense contractor Booz Allen Hamilton” left his career and family behind on May 20, 2013, bound for Hong Kong, landing and remaining in Russia on June 3. Through his efforts, collection, and subsequent dissemination of collected files, Edward Snowden “prompted much-needed debate about the scale of intelligence activities and exposed the limits of laws drawn up in the pre-internet era.” The repercussions have already begun, with the EU stating that the Snowden documents’ revelations have had a negative impact on relationships already at odds on the subjects of data privacy and security. And there is likely much more to come, as the British news agency the Guardian has stated that they have “published…26 [Snowden] documents so far out of the 58,000 [they]’ve seen.”

Therein lie the two contrasts starkly evident within data privacy news in 2013: the attempts to direct and curb behavior at a government level that sometimes take years between passage and force (2 years for Costa Rica; 3 years for Malaysia; 4 years and still counting for South Africa) contrasted with the matter of weeks it took one individual to collect and disseminate tens of thousands of ostensibly extraordinarily sensitive documents. The concerted efforts within the EU to even propose a new standard law for data privacy again contrasted with the efforts of one individual to undermine years of U.S.-EU negotiation, diplomacy, and representations. 2013 was the year big data, concerns about data privacy, and one man proved Archimedes’ assertion from ~250 BC; with at least 57,974 or so documents still awaiting release, 2014 should shape up to be even more interesting.