The right to privacy is a fundamental right enshrined in many constitutions around the world, as well as in international human rights law. The right to privacy is multi-faceted, but a fundamental aspect of it, increasingly relevant to people’s lives, is the protection of each individual’s data.
International Law for Data Protection
As early as 1988, the UN Human Rights Committee, the treaty body charged with monitoring implementation of the International Covenant on Political and Civil Rights (ICCPR), recognised the need for data protection laws to safeguard the fundamental right to privacy recognised by Article 17 of the ICCPR.
Protecting privacy in the digital age is essential to effective and good democratic governance. However, despite increasing recognition and awareness of data protection and the right to privacy across the world, there is still a lack of legal and institutional frameworks, processes, and infrastructure to support the protection of data and privacy rights.
At the same time, the increasing volume and use of personal data, together with the emergence of technologies enabling new ways of processing and using it, mean that regulating an effective data protection framework is more important than ever.
Protecting privacy is essential, and the majority of States have adopted some forms of protection; however, frameworks are often inadequate, and have not kept up with modern uses of data and challenges they pose. Data protection laws need to be updated to face emerging challenges.
For the last three decades, Privacy International has been promoting and advocating for the right to privacy and, through the Privacy International Network, we have been calling for the adoption and enforcement of the strongest data protection safeguards across the world.
Over the years, some of these issues have expanded and some entirely new ones have emerged: the dominant narratives we are challenging have evolved and new actors, both allies and adversaries, have entered our scope of intervention.
What is data protection?
Data protection is commonly defined as the law designed to protect your personal data. In modern societies, in order to empower us to control our data and to protect us from abuses, it is essential that data protection laws restrain and shape the activities of companies and governments. These institutions have shown repeatedly that unless rules restricting their actions are in place, they will endeavour to collect it all, mine it all, keep it all, share it with others, while telling us nothing at all.1
Why is Data Protection Needed?
Every time you use a service, buy a product online, register for email, go to your doctor, pay your taxes, or enter into any contract or service request, you have to hand over some of your personal data. Even without your knowledge, data and information about you is being generated and captured by companies and agencies that you are likely to have never knowingly interacted with. The only way citizens and consumers can have confidence in both government and business is through strong data protection practices, with effective legislation to help minimise state and corporate surveillance and data exploitation.
Since the 1960s and the expansion of information technology capabilities, business and government have been storing this personal data in databases. Databases can be searched, edited, cross-referenced, and their data shared with other organisations across the world.
Once the collection and processing of data became widespread, people started asking questions about what was happening to their data once they provided it. Who had the right to access the data? Was it kept accurately? Was it being collected and disseminated without their knowledge? Could it be used to discriminate or violate other fundamental rights?
Data Protection, Explained
National laws emerged soon afterwards, beginning with Sweden, Germany, and France. As of January 2018, over 100 countries had adopted data protection laws, with pending bills or initiatives to enact a law in a further 40.3
Over time, regional legal frameworks were also adopted. In 1980, the Organisation for Economic Cooperation and Development (OECD) developed its guidelines, which included ‘privacy principles’; shortly afterwards, the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data entered into force – this was modernised in 2018.4
The sheer volume of data generated and the rapid development of technology, including sophisticated profiling and tracking, and artificial intelligence, mean that some existing data protection laws are out of date and unfit to deal with processing as it currently functions. Frameworks fail to reflect the new potential for data processing that emerged as technologies advanced and were deployed and embedded within governance systems and business models.
It has been reported that 90% of data in the world today was created in the last two years, and every two days we create as much data as we did from the start of time until 2013.5 When many data protection frameworks were drafted, the world was a very different place. For example, many laws were adopted before Google, Facebook or smartphones were even created, let alone widely used.
A data protection framework may have its limitations (which we are trying to identify and address by exploring what other regulations are needed to provide the necessary safeguards) but it does provide an important and fundamental starting point to ensure that strong regulatory and legal safeguards are implemented to protect personal data.
A strong data protection framework can empower individuals, restrain harmful data practices, and limit data exploitation. It is essential to provide the much-needed governance frameworks nationally and globally to ensure individuals have strong rights over their data, stringent obligations are imposed on those processing personal data (in both the public and private sectors), and strong enforcement powers can be used against those who breach these obligations and protections.
Data protection should ensure the following:
- There should be limits on the collection of personal data, and it should be obtained by lawful and fair means, as well as being done in a transparent manner
- The purposes for which the data and information is to be used should be specified (at the latest) at the time of collection, and should only be used for those agreed purposes. Personal data can only be disclosed, used, or retained for the original purposes (i.e. the purpose at the time of collection), except with the consent of the individual or under law: accordingly, it must be deleted when no longer necessary for that purpose
- Personal data, as generated and processed, should be adequate, relevant, and limited to what is necessary for the purposes for which it is to be used
- The data should be accurate and complete, and measures should be taken to ensure it is up to date
- Reasonable security safeguards should be used to protect personal data from loss, unauthorised access, destruction, use, modification, or disclosure
- There should be no secret processors of data, sources, or processing. Individuals must be made aware of the collection and processing of their data, as well as the purpose of its use, who is controlling it, and who is processing it
- Individuals have a range of rights which enable them to control their personal data and any processing
- Those that use personal data must be accountable for and demonstrate compliance with the above principles, and facilitate and fulfil the exercise of these rights, abiding by applicable laws that enshrine those principles