Global internet freedom has declined for 15 consecutive years. China and Myanmar score 9 out of 100. Mexico just mandated biometric ID for all citizens. Russia now fines people for using VPNs to read banned content. The EU is reviving mass data retention. India opened its 1.4 billion-person biometric database to private companies. And somewhere, your government is probably watching.
But not everywhere. Switzerland still protects privacy constitutionally. Iceland shields whistleblowers. Estonia built digital identity without centralized surveillance. The world is splitting—some countries building unprecedented surveillance infrastructure, others strengthening privacy rights. Your location determines which side you're on.
The Global Picture
15
Consecutive years of declining global internet freedom [1]
80%+
Of global population covered by some data privacy law [2]
€6.72B
GDPR fines issued since 2018 [2]
86B
Digital ID verification checks projected in 2025 [3]
According to Freedom House's 2025 report, internet freedom deteriorated in 27 countries this year. Kenya dropped 6 points. Venezuela dropped 4. Georgia dropped 4. The authoritarians are winning. [1]
The Worst: Where Privacy Goes to Die
China & Myanmar: Tied at the Bottom (Score: 9/100)
China maintains the world's largest and most sophisticated mass surveillance system. As of 2019, over 200 million CCTV cameras watched Chinese streets—four times as many as the United States. The five most surveilled cities in the world are all Chinese. [4]
China's Surveillance Arsenal
- Facial recognition: Cameras scan crowds in real-time, matching against databases
- Social credit system: Tracks behavior, restricts travel for low scores
- WeChat monitoring: One app handles chat, payments, ID, government services—all logged
- Public shaming: Jaywalkers' faces displayed on billboards in Shenzhen
- Flight bans: 17+ million people banned from flying by 2018 due to low social credit
If you're blacklisted, you can't fly, take high-speed trains, stay in good hotels, or send your children to prestigious schools. Facial recognition projects your face on billboards when you jaywalk. [4]
Russia: Building the Digital Iron Curtain
Russia's surveillance has intensified since the 2022 Ukraine invasion. The 2019 "Sovereign Internet" law installed state-controlled hardware on all ISP networks, giving censorship agency Roskomnadzor direct power to filter, slow, and block traffic. [5]
2025 Developments:
- VPN criminalization: New law passed July 2025 fines citizens 3,000-5,000 RUB (~$38-64) for using VPNs to access banned content—the first time Moscow penalizes consuming (not just distributing) banned material [5]
- Search monitoring: Systems like Vepr and Oculus automatically detect requests for "extremist" content [5]
- Cloudflare blocked: Cut off access to vast swathes of the internet [5]
- SORM system: Since 1995, requires telecom operators to install FSB hardware for warrantless monitoring [6]
Half of Russia's population doesn't know how to use VPNs. Authorities are making sure the other half pays for trying.
Middle East: Pegasus and Beyond
Israel's NSO Group developed Pegasus spyware, which can remotely install on phones and extract everything—messages, calls, location, camera, microphone. Israel uses Pegasus licenses as diplomatic currency, approving sales to countries it wants something from. [7]
Key clients:
- Saudi Arabia: Crown Prince MBS personally called Netanyahu to restore Pegasus access after it was revoked following Khashoggi's murder. Khashoggi's fiancée's phone was infected 4 days after his assassination. [7]
- UAE: Used Pegasus to spy on Yemen's internationally recognized government, including the president and his family [7]
- Bahrain, Morocco, Azerbaijan: All documented Pegasus clients with histories of surveilling dissidents [7]
The leaked Pegasus Project database contained 50,000 phone numbers concentrated in Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and UAE. [7]
India: 1.4 Billion Biometric Records, Now Open to Business
Aadhaar is the world's largest biometric database—1.4 billion people's fingerprints, iris scans, and photos linked to a 12-digit number used for everything from banking to government benefits. [8]
January 2025: India opened Aadhaar to private companies—e-commerce, travel, hospitality, healthcare can now verify identities against the biometric database. No guardrails defined against misuse. [8]
The problems:
- Multiple mass data breaches—850 million records leaked to dark web in October 2023 [8]
- 49% biometric failure rate in Jharkhand state—failed matches mean denied benefits [8]
- New data protection rules (November 2025) give government immediate powers, delay citizen rights until mid-2027 [8]
- 50+ organizations launched "Beware of Aadhaar" campaign warning it's "not a model to emulate" [8]
Countries including Kenya, Nigeria, Uganda, and the UK are considering Aadhaar-style systems. Big Brother Watch warns Britain's "Brit Card" plan would "make Britain less free." [8]
Africa: $1 Billion/Year on Surveillance
Nigeria, Ghana, Morocco, Malawi, and Zambia alone spend over $1 billion annually on surveillance technology. Nigeria has spent at least $2.7 billion over a decade. [9]
Chinese "Safe City" systems:
- Nairobi was Africa's first Huawei Safe City deployment (2014)—1,800 HD cameras, national police command center [9]
- Now in Egypt, Nigeria, South Africa, and 12+ other African countries [9]
- Kenya's Konza Data Center: $665.4 million deal with China, $172.5 million from Huawei [9]
The promised benefits? Unverified. Huawei claimed 46% crime reduction in Kenya from 2014-2015. Actual police data showed smaller reductions. By 2017, Nairobi's crime rates exceeded pre-installation levels. [9]
What's documented: surveillance used to "single out citizens for harassment, detention and torture for expressing opposing views." In Nigeria, a pharmacist was jailed 3 months without trial for a social media post criticizing the president. [9]
Latin America: Mexico's Biometric Dystopia
On July 18, 2025, Mexico signed mandatory biometric digital ID into law—what critics call "the most comprehensive citizen surveillance apparatus in the Western Hemisphere." [10]
What it requires:
- Every citizen must register fingerprints, facial scans, and iris patterns
- Data encoded into QR codes that government and private businesses can scan
- Creates "a portable surveillance device that citizens are legally required to carry" [10]
Brazil, Argentina, and Colombia are watching closely. The World Bank and IMF praised Mexico's system as a model. If it succeeds without international consequences, expect similar systems across Latin America within five years. [10]
Brazil already has facial recognition in 40 cities. Argentina's fugitive facial recognition system was suspended after collecting biometric data on thousands of innocent people. [11]
The Best: Where Privacy Still Exists
Switzerland: Constitutional Protection
Article 13 of the Swiss constitution guarantees privacy rights. The Federal Data Protection Act (FADP) provides robust legal protections. Swiss banking secrecy, while weakened internationally, reflects a cultural commitment to privacy that extends beyond finance. [12]
Switzerland is not an EU member and maintains independent data protection standards often exceeding GDPR requirements.
Iceland: Digital Rights Hero
Iceland has made itself "a global hero for digital rights" with: [12]
- Low surveillance
- Strong whistleblower protections
- The Icelandic Modern Media Initiative (IMMI)—laws creating a safe haven for freedom of information
- Focus on keeping information out of wrong hands
Germany: GDPR Plus
Germany doesn't just follow GDPR—it often goes beyond. German courts consistently prioritize user rights. Public awareness of surveillance is high, shaped by memories of both Nazi and Stasi surveillance. [12]
Germany has historically resisted centralized digital ID systems and maintains strong restrictions on biometric data collection.
Estonia: Digital ID Done Right
Estonia proves digital identity doesn't require mass surveillance: [12]
- Decentralized data exchange (X-Road) ensures personal data isn't stored in single locations
- Secure digital ID enables encrypted transactions
- Citizens can see exactly who accesses their data and when
- Government transparency, not government surveillance
Nordic Countries
Finland: Data privacy treated as human right. GDPR strictly enforced. Clear limitations on data collection.
Norway: GDPR-equivalent protections via EEA membership, built on strong pre-existing Personal Data Act.
Sweden: BankID considered one of the world's most secure digital identification systems. Strong commitment to data privacy.
Key Global Trends in 2025
1. Data Retention Revival
European governments are reviving mass data retention after courts struck down previous laws for treating everyone as a potential suspect. [13]
New proposals include:
- Up to 1 year retention across internet services
- Coverage of VPN providers, hosting companies, crypto traders, gaming platforms, ridesharing, e-commerce
- Recording device serial numbers
- Collecting "communication connection data"—who interacts with whom, when, how
The UK's Investigatory Powers Act ("Snooper's Charter") already requires 12-month retention of Internet Connection Records—websites visited, email headers, IP addresses. [13]
2. Encryption Under Attack
The Five Eyes alliance (US, UK, Canada, Australia, New Zealand), plus Japan and India, continue demanding encryption backdoors. [14]
Status:
- Australia passed backdoor law in 2018—the first Five Eyes nation to do so
- UK issued Apple backdoor orders (reports suggest possible retreat)
- No other Five Eyes member has passed similar legislation yet
- Security experts: "It's impossible to create an encryption backdoor that only law enforcement can take advantage of" [14]
3. Digital ID Explosion
Digital ID verification checks will hit 86 billion in 2025 (up from 75 billion in 2024). The biometric tech market will reach $85 billion by 2029. [3]
The convergence problem: Digital ID systems + central bank digital currencies + online surveillance laws + anti-anonymity measures = unprecedented infrastructure for monitoring and controlling human behavior. [3]
New mandatory biometric systems (2025):
- Mexico (July 2025)—most comprehensive in Western Hemisphere
- Australia's Digital ID Act (December 2024)—coincides with age verification laws
- India's expanded Aadhaar access (January 2025)
4. AI Surveillance Amplification
AI makes existing surveillance exponentially more powerful:
- Real-time facial recognition across thousands of cameras
- Gait recognition (identifying people by how they walk)
- Emotion detection (claims to read feelings from faces)
- Predictive policing (flagging "suspicious" individuals)
The EU AI Act bans some uses (real-time facial recognition in public, emotion detection at work). Most of the world has no such restrictions.
5. Surveillance Technology Export
Countries with large defense sectors export surveillance tech worldwide, including to authoritarian regimes. Major exporters: China, Israel, US, Russia, European nations. [15]
China's role in Africa:
- Huawei Safe City systems in 12+ countries
- ZTE providing CCTV with facial recognition
- Chinese loans funding surveillance infrastructure
Israel's role in authoritarian surveillance:
- NSO Group's Pegasus sold to Saudi Arabia, UAE, Bahrain, Morocco
- Used against journalists, activists, dissidents
- Israeli Ministry of Defense approves sales as diplomatic tool
US State Privacy Progress
With no federal privacy law, US states are creating a patchwork. Eight new state privacy laws took effect in 2025, doubling the number in force. [2]
As of October 2025, 20 state-level comprehensive data privacy laws exist. States with laws effective in 2025: Iowa, Delaware, New Hampshire, Nebraska, New Jersey. Coming later: Tennessee, Minnesota, Maryland. [2]
Illinois's BIPA produced $650M Facebook settlement and $1.4B+ Texas settlements against Google and Meta. That's what happens when laws have teeth.
What's Actually Working
Laws That Produce Results
- Private right of action: Citizens can sue directly (Illinois BIPA)
- Meaningful fines: €6.72 billion GDPR fines since 2018
- Clear prohibitions: EU AI Act banning real-time facial recognition
- Constitutional protections: Switzerland's Article 13
- Decentralized design: Estonia's X-Road preventing single points of failure
Laws That Don't
- Guidance without enforcement: UK's facial recognition "guidelines"
- Fines foreign companies ignore: Clearview AI's €100M+ unpaid European fines
- Self-regulation: Voluntary compliance produces 11% CCPA compliance [2]
- Rules on paper only: China's consent requirements with "national security" exceptions
Region-by-Region Summary
| Region | Privacy Trend | Key Developments 2025 |
|---|---|---|
| China | Total surveillance | 200M+ cameras, social credit, WeChat monitoring |
| Russia | Rapidly deteriorating | VPN fines, search monitoring, Cloudflare blocked |
| Middle East | Authoritarian surveillance | Pegasus expansion, no meaningful restrictions |
| India | Expanding surveillance | Aadhaar opened to private sector, delayed privacy rights |
| Africa | Chinese-funded expansion | $1B+/year spending, Safe City systems spreading |
| Latin America | Biometric mandates | Mexico mandatory ID, Brazil facial recognition in 40 cities |
| UK | Expanding surveillance | No FR law, 7M faces scanned, consultation to expand |
| EU | Strongest protections | AI Act bans, €6.72B GDPR fines, but data retention revival |
| US | State-by-state chaos | 20 state laws, no federal law, billion-dollar settlements |
| Switzerland/Iceland/Nordics | Privacy leaders | Constitutional protections, GDPR+, whistleblower haven |
What You Can Do
Know Your Location's Laws
Protection depends on where you are. Research your country's data protection laws, biometric rules, and surveillance powers.
Use Encryption
End-to-end encrypted messaging (Signal), encrypted email (ProtonMail), VPNs where legal. Make surveillance harder.
Support Privacy Organizations
• EFF (US)
• noyb (Europe)
• Privacy International (Global)
• Freedom House (Global)
Political Pressure
Privacy laws exist where citizens demanded them. The EU didn't accidentally get GDPR. Contact legislators. Vote on privacy.
The Bottom Line
The world is splitting. On one side: China's social credit, Russia's VPN fines, Saudi Arabia's Pegasus, Mexico's mandatory biometrics, Africa's Chinese-funded Safe Cities. On the other: Switzerland's constitutional privacy, Iceland's whistleblower protections, Germany's court-enforced data rights, Estonia's transparent digital ID.
Global internet freedom has declined 15 straight years. The surveillance infrastructure being built today—biometric databases, AI-powered cameras, mandatory digital ID—will be extremely difficult to dismantle later. The choices made now determine whether privacy survives as a right or becomes a historical curiosity.
Your protection depends on your passport. For now. But borders are porous for data, and surveillance technology exports faster than privacy rights. The fight isn't just local anymore.
References
- Freedom House - 15th Consecutive Year of Decline in Global Internet Freedom
- Help Net Security - What 35 years of privacy law say about the state of data protection
- MyPrivacy Blog - Global Digital ID Systems Status Report 2025
- Wikipedia - Mass surveillance in China
- Human Rights Watch - Russia: Internet Blocking, Disruptions and Increasing Isolation
- Zona Media - New Russian law targets VPN usage
- Wikipedia - Pegasus (spyware)
- TechCrunch - India expands Aadhaar authentication for businesses
- IDS - African nations spending $1bn a year on surveillance
- MyPrivacy Blog - Mexico's Biometric Dystopia
- AlSur - Facial recognition and surveillance technologies in Latin America
- Privacy HQ - Data Privacy Rankings: Top 5 and Bottom 5 Countries
- Reclaim The Net - EU Revives Plan for Year-Long Data Retention
- HiveLife - Five Eyes, Japan & India Demand Encryption Backdoor
- EPIC - The Rise of Chinese Surveillance Technology in Africa
- Human Rights Watch - Azerbaijan's Surveillance Platform
- IDR Online - India's new data rules put the state above citizens