Regulations Impacting Data Privacy in Digital Governments

Published on November 16, 2023

Data breaches and security failures have become commonplace occurrences.

It seems almost inevitable that we, as participants in modern society, must accept this risk if we wish to leverage the benefits of technology and information exchange.

While we can attempt to mitigate some risks by choosing more secure companies over others, there is one aspect of our digital lives where we have little to no choice: interacting with the government.

As citizens, we are obliged to engage with government services, and (in doing so) we inevitably surrender some control over our personal data.

Governments around the globe possess a vast amount of sensitive information, making them attractive targets for cyberattacks.


Despite their earnest efforts to enhance cybersecurity, incidents still happen.

This concern is prevalent not only in countries like the United Kingdom, the United States, Europe, and China but also in various regions where a complex web of privacy and data laws is evolving.

The challenge lies in the fact that citizens must entrust their data to the government to access essential services, leaving them with little alternative.

Yet, the evaluation and scrutiny of government policies and procedures to prevent breaches are often lacking.

The US

The Privacy Act of 1974 establishes the guidelines for federal agencies when it comes to collecting and utilising data concerning individuals within their system of records.

According to the act, these agencies are not allowed to disclose personal information unless they obtain written consent from the individual, except in specific situations, such as sharing data with the Census Bureau for statistical purposes.

This legislation ensures that individuals retain certain rights regarding their information.

Furthermore, the act serve as a safeguard, protecting individuals from unwarranted invasion of their privacy by federal agencies.

Also, there’s the Computer Fraud and Abuse Act (CFAA) is one of the very few statutes that address privacy and data protection at a federal level, where it imposes criminal liability on anyone who “intentionally accesses a computer without authorisation.”

European Union

You surely have heard of the EU General Data Protection Regulation (GDPR), as it is widely recognised as one of the most robust and comprehensive privacy and security laws globally.

Under the GDPR, organisations can utilise contractual clauses to establish suitable data protection safeguards.

These clauses serve as a means for transferring data from the European Union to third countries.

By implementing these contractual provisions, companies can ensure that the data being transferred maintains a high level of protection and adheres to GDPR standards, even when it leaves EU borders.


Privacy Act 1988 is the principal piece of Australian legislation that protects the handling of personal information about individuals.

The Privacy Act regulates the handling of personal information by Australian government agencies and businesses.

It includes principles for the fair handling of personal information, the rights of access and correction, and requirements for data security.


Act on the Protection of Personal Information Act No. 57 of (2003) or otherwise known as APPI.

APPI governs the handling of personal data by both the public and private sectors in Japan.

It includes principles of fairness, purpose limitation, and data security. It also requires obtaining consent for data processing and grants individuals rights to access and correct their data.

Final remarks

Trusting the government to safeguard your data is akin to trusting the companies you interact with regularly.

However.. there are significant differences that set the government apart, making it a high-profile target for cyber threats.

Many countries seek to breach state secrets, and yet, the allocation of funds for security measures becomes challenging.

The difficulty lies in prioritising security spending since its benefits are not always immediately quantifiable (unlike fixing a pothole on a local highway.)

Security investments’ true value often becomes evident only after an attack has occurred…which, to be honest… can be too late.

So, while trusting the government’s data security efforts is essential, the nature of government operations and its attractiveness to “rival countries” necessitate heightened vigilance and ongoing investment in cybersecurity to safeguard sensitive information effectively.



About the Author

Mohammad J Sear is focused on bringing purpose to digital in government.

He has obtained his leadership training from the Harvard Kennedy School of Government, USA and holds an MBA from the University of Leicester, UK.

After a successful 12+ years career in the UK government during the premiership of three Prime Ministers Margaret Thatcher, John Major and Tony Blair, Mohammad moved to the private sector and has now for 20+ years been advising government organizations in the UK, Middle East, Australasia and South Asia on strategic challenges and digital transformation.

He is currently working for Ernst & Young (EY) and leading the Digital Government practice efforts across the Middle East and North Africa (MENA), and is also a Digital Government and Innovation lecturer at the Paris School of International Affairs, Sciences Po, France.

As a thought-leader some of the articles he has authored include: “Digital is great but exclusion isn’t – make data work for driving better digital inclusion” published in Harvard Business Review, “Holistic Digital Government” published in the MIT Technology Review, “Want To Make Citizens Happy – Put Experience First” published in Forbes Middle East.

More from Mohammad J Sear