Privacy laws have expanded around the world, and security leaders now work within a crowded field of requirements. New research shows that these laws provide stronger rights and duties, but the protections do not always translate into reductions in harm. The study looks at thirty five years of privacy history, from the rise of early data protection efforts to the current landscape of AI driven risk, cross border transfers, and uneven enforcement.
The researchers from the Beacom College of Computer and Cyber Sciences at Dakota State University conducted a long range analysis of global privacy laws and the harms they aim to prevent. They focused on five areas that continue to trouble both regulators and CISOs. These include breaches, algorithmic discrimination, surveillance, manipulative targeting, and dignitary harms. Their work highlights steady growth in regulations, wide gaps in enforcement, and a widening divide between legal expectations and the ways technology produces sensitive data.
A rise in privacy laws
The review shows how quickly privacy rules have multiplied. The GDPR reshaped global activity and encouraged a series of follow up laws. Brazil’s LGPD, China’s PIPL, Africa’s POPIA and NDPR, and reforms across Asia all draw from its structure. Canada, Japan, and Australia have also strengthened their systems. In the United States, privacy law remains sector driven at the federal level, but nineteen states have passed consumer privacy statutes.
This growth shows strong government interest in setting boundaries on data use. The research notes that new rules have expanded rights related to erasure, portability, consent, and profiling. They have also increased obligations in areas such as governance, impact assessment, and record keeping. These changes signal a shift toward rights based privacy systems, but the study finds that outcomes vary across geographies and sectors.
Enforcement outcomes remain uneven
Data in the research points to inconsistent enforcement. Since 2018, GDPR fines have reached about 6.72 billion euros. Roughly 3 billion euros of that amount comes from violations tied to an invalid legal basis for processing. These numbers stand out next to U.S. totals. CCPA and CPRA fines from 2020 to 2025 add up to about 2.75 million dollars. HIPAA penalties from 2003 to October 2024 total about 144 million dollars.
Compliance levels also vary. The review reports that about 28 percent of organizations in the scope of the GDPR meet its requirements. Under the CCPA and CPRA, compliance is estimated at about 11 percent. The authors point to complex rules, resource limits among regulators, and inconsistent guidance as factors that shape these numbers.
The study also tracks expected timelines for enforcement. Many GDPR cases conclude in three to six months. CCPA and CPRA cases often take four to eight months. HIPAA cases can extend to twelve months. These ranges influence deterrence and planning for CISOs who must factor potential exposure into risk programs.
Technology pressure grows faster than legal updates
AI, machine learning tools, and IoT systems raise new concerns for privacy teams. These systems produce inferences and telemetry in ways that strain long standing rules built on notice and consent. The report explains how AI models can draw sensitive conclusions from routine data. IoT devices operate continuously, which makes oversight difficult. These developments place pressure on privacy principles such as minimization, purpose limitation, and transparency.
The study links these issues to growing concern around algorithmic discrimination. GDPR rules on automated decision systems help set parameters but are not always applied consistently. Audits under the EU AI Act may help strengthen this area in time, although the report notes that current evidence does not establish broad improvement across regions.
Cross border transfers continue to create uncertainty
The analysis covers the long running tension between European privacy law and United States surveillance rules. After the Schrems II decision struck down Privacy Shield, companies relied on Standard Contractual Clauses and transfer impact assessments. The EU and US have since created the Data Privacy Framework for certified firms, but many organizations continue to use SCCs based on their business needs.
This environment affects planning for CISOs who manage global data flows. The report notes that changing guidance and inconsistent enforcement among supervisory authorities increase the burden on organizations that depend on partners in multiple jurisdictions.
Tools help, but governance determines success
The study also examines privacy enhancing technologies, including differential privacy, homomorphic encryption, trusted execution environments, federated learning, zero knowledge proofs, and tokenization. These tools help protect data in various stages of processing. The authors explain that technical measures have limits without strong governance. They caution that privacy problems often stem from misuse of data rather than technology alone.
A need for measurable improvement
The researchers conclude that privacy laws have strengthened protections, but the link between compliance and reduced harm remains weak. They argue that privacy programs need metrics that show progress against breaches, discrimination, manipulation, and wrongful sharing of sensitive information.
Without measurable indicators, privacy efforts risk turning into procedural work that does not change outcomes.