The concept of privacy is notoriously hard to define, acquiring new meanings as its importance in varying legal contexts and cultures continues to grow. In "Privacy and Freedom," foundational scholar of privacy Alan Westin wrote, “(f)ew values so fundamental to society as privacy have been left so undefined in social theory or have been the subject of such vague and confused writing by social scientists.”
The various perspectives on privacy are influenced both by culture and the evolution of technology. Indeed, the definition of privacy has evolved with transformative technologies, such as geolocation data or genetic information — both are products of the advent of satellites and genomic sequencing tools, respectively.
In today’s global economy, understanding the evolution of privacy can help privacy professionals more effectively navigate privacy expectations worldwide and anticipate how policies may play out and define the success of technological innovation.
In 1890, future U.S. Supreme Court Justice William Brandeis and attorney Samuel Warren wrote that privacy was considered “the right to be left alone” in their seminal paper on “The Right to Privacy.” In response to increasing fears about government surveillance in 1967, Westin viewed privacy as the ability of people to choose freely under what circumstances and to what extent they would expose their private information.
In 1980, utilizing privacy as a means to important ends, Israeli human rights expert and law professor Ruth Gavison equated it with elements of secrecy, anonymity and solitude. Today, privacy has become global and fragmented, forging a delicate balance with other fundamental rights in the age of surveillance capitalism.
Privacy as a fundamental right
Although there is not a universal definition of privacy, almost all countries recognize that privacy is a fundamental human right in some way. The Universal Declaration on Human Rights was the first international treaty to recognize the right to privacy in 1948; several other treaties followed suit in the subsequent decades.
The Australian Privacy Charter recognizes privacy as a key value underpinning human dignity. In 2017, India’s Supreme Court recognized a fundamental constitutional right of privacy in Puttaswamy v. Union of India by focusing on human dignity in their decision. In its Data Protection Law, El Salvador also situates data protection alongside the rights of honor and dignity .
Nonetheless, the scope of privacy has been further changed profoundly by the rapid evolution of technology. Mostly, this has meant that control over information is included in most modern approaches to privacy. Just as George Orwell’s "1984" warned of a world under the watchful eye of the thought police, the real world took steps toward safeguarding personal data when the Organisation for Economic Co-operation Development introduced global guidelines to regulate the transfer of personal information in 1980.
From there, many countries made the leap to develop data privacy protections and adopted their own variances of these guidelines. The EU General Data Protection Regulation is among the most comprehensive and notable laws today. As of January 2025, 144 countries have a data privacy law in place.
The role culture plays in privacy and data protection
Political persuasions, geopolitics and national security objectives all play a role in crafting privacy legislation, but an oft-forgotten component of law is the different cultural norms of a region and how they can affect legislative priorities.
For example, some parts of the world have worked to remedy past privacy violations and injustices of authoritarian regimes and approach privacy differently than more historically democratic nations. These approaches are often guided by principles such as trust in government, emphasis on individual rights, and societal attitudes toward surveillance and control.
Moreover, privacy and data protection legislation can tend to reflect public values; consumers in Europe are generally less trusting than other countries of social media, advertising and marketing companies. According to the IAPP Privacy and Consumer Trust Report, only 39% of users trust tech companies; nearly 68% of consumers from 19 countries around the world reported being at least somewhat concerned about their online privacy. Yet, these privacy concerns vary significantly from country to country. For example, around 80% of South Koreans expressed some degree of concern about privacy, compared to the Netherlands, where 45% of consumers expressed the same concern.
Some research has shown that countries have different compositions of cultural dimensions, where behavior tends to be correlated to these principles. One major distinction between cultures that could account for different approaches to privacy is the preference between individualism and collectivism. Countries with more individualistic tendencies, like the U.S. and other Western countries, are generally thought to be more likely to engage more intimately with their close connections; those in a more collectivist society typically engage more broadly with numerous weak ties while being cautious about the information they share with them. However, research has shown that in some contexts, individuals in a collectivist culture are more likely to perceive a higher online privacy risk and tend to be more cautious about including weak ties in their online social network.
Other examples of cultural dimensions include a tendency to avoid uncertainty, a preference for indulgence versus restraint, and a preference for individual heroism versus cooperation. Each of these dimensions influences the behavior and values within a country and, thus, what privacy means.
For example, in cultures with a higher tendency to avoid uncertainty, like South Korea and Germany, studies have shown that users have greater privacy concerns and are less likely to over-share on social media, perceiving potential negative outcomes from doing so. Some trends in privacy perspectives span geographically, as Western countries — such as Canada, the U.S., and Europe — generally place a higher sensitivity on health data compared to Eastern countries.
Photographs and the right to one’s own image are split along geographic lines as well. In countries such as France and Germany, citizens have a right to their own image and consent is required before identifiable images taken in public are shared. Japan, South Korea and China take this protection a step further and mandate that cell phone cameras emit an audible shutter sound by default when a photo is taken.
Japan takes a stricter approach to data privacy protections and even protects some information that can be found on public directories if it can be used to identify an individual, much like the GDPR’s approach. Meanwhile, in most U.S. state privacy laws like California’s, information that is publicly available generally is not considered personal information and thus is not protected by the same safeguards.
In Kenya, the Data Protection Act reflects the culture of the people. Its law categorizes family details like the names of children, parents, spouse(s), etc. as “sensitive personal data” and requires a valid explanation to be provided when information relating to family or private affairs is collected.
Personal information is defined differently in Brazil, where the GDPR-inspired Lei Geral de Proteçao de Dados protects political opinion, trade union or religious affiliation, and philosophical or political organization membership information in its definition of personal information.
In New Zealand, the definition of personal information includes biometric data and many types of digital data that can be used to track behavior; this includes browser and search history, purchase and online shopping history, settings and website preferences, and even data about the speed of scrolling or the hovering of a cursor.
Even the notion of a private space can vary from culture to culture based largely on norms and traditions.
Notably, India has laws around the spaces it considers sacred and valued in its culture. In the state of Tamil Nadu, the use of mobile phones has been banned in temples to preserve their purity and sanctity. Indonesia is reportedly considering similar bans against photos and selfies in sacred spaces in Bali to preserve their sanctity and combat some of the effects of overtourism.
To preserve the privacy of its citizens, Mongolia enacted a provision that forbids installing “video recording equipment in locations where the right to personal liberty and immunity will clearly be violated” in spaces like bathrooms, dressing rooms, hotel rooms and karaoke boxes. Finland has a law against "illicit observation" that applies to saunas and dressing rooms; the data protection authority of the Netherlands, the Autoriteit Persoonsgegevens, has reportedly investigated the use of invasive security cameras in saunas.
Though it does not specifically protect physical spaces, Australia has a law that protects the sanctity of certain ceremonies by criminalizing the disruption of religious services, weddings or funerals in a “way that is calculated to be offensive.”
In each of these laws, countries reflect their cultural dimensions and values about what privacy means, which also shapes how they regulate emerging technologies in line with longstanding norms and traditions. Dubai, a city well known for its modernity and luxury, has set up the first government agency to regulate the metaverse and digital assets. Meanwhile, Chile is seeking to address legal issues surrounding neurotechnology by granting “neurorights ” to brain data and mental privacy.
Why this matters in a global economy
In a world increasingly defined by the cross-border flow of data, these nation-bound differences in the implementation of privacy rights matter more than ever before. Such differences arguably underlie years-long efforts to forge a consensus around international data transfers between the EU and the U.S. By default, the GDPR prohibits data transfers outside of the European Economic Area unless certain criteria are met.
The U.S., by contrast, has yet to pass any comprehensive federal privacy legislation. Since its first attempt at a compliant data transfer framework was invalidated in 2015 until its most recent successful adequacy decision in 2023, the U.S. had been working to balance the interests of domestic entities within the confines of the GDPR. While the U.S. has had a long reputation for being a global leader in innovation and entrepreneurship, this underpinning has run contrary at times to the EU’s rights-based approach to governance of privacy and data protection.
These are just a few examples of international variations in privacy laws. Cultural nuances will continue to shape how countries regulate emerging technologies and will help set the stage for international agreements and treaties.
Professionals and policymakers alike will benefit from appreciating these various approaches, particularly in a global digital economy where organizations are frequently navigating cross-border data flows and competing privacy regulations. There is no single correct approach to privacy; instead, privacy varies from border to border and is highly dependent on national legal contexts and cultural values.
Stephanie Forbes is a former summer privacy fellow for the IAPP.
