The right to privacy has been a long-established principle in many countries, enshrined in laws and often in the Constitution of a country. In many Latin American countries,* for example, it takes the form of habeas data, the right of a citizen to own their own data.
The challenges arise from four major sources. First, in the case of habeas data, the right can only be exercised after the event, when the information has already been made public. Second, the capacity of the legal system to uphold the rights of the individual and enforce the law is not always adequate. Third, the laws are often specific to particular sectors, such as telecommunications, the media, health services, legal services and government agencies, and they do not lay down what lawyers call the general ‘principles of purpose’ that can be applied across the board. In the absence of such a generic law, regulations governing consumer protection provide some safeguards. Fourth, laws and regulations enacted before the Internet era need revision and updating.
The question is how to apply personal data privacy principles to an interconnected digital world of the Internet. This is especially challenging when information can be gleaned from a whole range of digital sources such as social media, email servers, websites, blogs, online purchases, online inquiries, etc., by persons and companies who are often located outside the jurisdiction in which the citizen resides; when feeds to sites such as Facebook, Twitter and YouTube can go viral within minutes; when ‘Big Data’ and business analytics can be used to match and correlate people, ideas, actions, postings, etc., in both text form and in image. This means that laws prohibiting the identification of individuals may no longer work.
New laws, regulations and codes of practice must aim to balance the interests of individuals who have a right to privacy with the social benefits of a growing digital economy. In an interconnected world anything online can be located anywhere on the planet, and with the rise of cloud computing and PaaS (Platform as a Service), SaaS (Software as a Service) and IaaS (Infrastructure as a Service) anything online can, in principle, be transferred between countries. This is not a by-product of the rise of a digital economy, it is the digital economy.
3.9.1 Data Protection and the Principles of Purpose
A key principle of habeas data is the right to own, or at least to know and control, what information is being gathered and stored about you, by whom and for what purpose. This right carries the implication of the right to demand corrections or possibly even to delete the information, which is also known as the ‘right to be forgotten’. Personal information usually refers to information that can be used directly or indirectly to identify a ‘natural’ living person, although in a digital age there is very little that cannot be traced back to a living person. There is a further issue of who has the right of ownership, if anyone, over information about a deceased person. This means that the drafting of new laws, regulations or codes of practice needs to be flexible towards changes in technology and proportionate to the level of harm that can accrue from inaccurate information or lack of privacy.
By 2013, over 90 countries had some sort of Freedom of Information legislation,* the earliest dating back to 1766 in Sweden, but mostly these laws only apply to information held by the State, not the private sector. In that regard they do not fully give effect to the Universal Declaration of Human Rights adopted by the UN General Assembly in 1948, which states:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
More recently, many countries have introduced personal data privacy legislation which extends to the private sector. These laws go beyond existing laws on consumer protection, which give customers the right to fair contract conditions rather than unreasonable tie-in contracts, return of impaired goods, protection against price gouging, the right to itemized billing, and so forth. Consumer protection of this sort has been particularly prevalent in the telecommunications sector. Under new data protection laws, the data ‘controller’ of the information (the agent of the company collecting the information), as opposed to the data ‘processor’ (the sub-contractor who may store, transfer or manage the data), is required to seek the ‘informed consent’ of the individual, either through an opt-in or an opt-out procedure. A statement on how the data may be used is also necessary, with the understanding that the data cannot be retained once the original purpose for its collection has been fulfilled. Web-based enterprises are required to state their policy towards ‘cookies’ and offer the user a way to accept them or to disable them.
Balanced against these requirements to protect the individual are certain public safety requirements. For example, Internet access service providers such as Google and Yahoo! and social media companies may be required to retain email traffic and postings for up to two years or more to provide a trail of traceable evidence. Especially since the 9/11 attack on the World Trade Center in New York, law enforcement agencies have been much more concerned to have access to digital communications, but this will only be acceptable to the public if there are strong safeguards in place. This means the public must have faith in the quality and integrity of the legal process in their country. It also means that the enforcement of such policies has to cross jurisdictional boundaries, which raises the question of which laws are enforceable on, for example, a company that has multiple global locations. The most common legal wrangles tend to be over tax liabilities, but take-down notices, defamation suits, compliance orders and other legal tussles add up to a need for international cooperation even when the laws of different countries are not in harmony with each other. This becomes especially important in cases of national security and serious crimes such as child abuse and trafficking.
Data Protection Laws
By 2013, some 89 countries had adopted privacy or data protection laws. The European Data Protection Directive of 1995 was the first pan-European policy document in which the concepts of personal data protection in a digital world were embodied in legislation. It was followed by the e-Privacy Directive of 2005, revised in 2009, which deals with digital communications and issues such as the integrity of data traffic, giving users ways to reject spam and to control cookies. Under the 1995 Directive, companies may not move personal data, for example to store it, to jurisdictions that do not have legislation conforming to the standards set by Europe. This becomes important with the rise of cloud computing, which technically allows data of any kind to be stored, processed and retrieved from any Internet location in the world.
A revised EU draft European Data Protection Regulation was proposed in 2012. It will extend the applicability of the Directive to non-EU entities outside the EU when the data involved concerns EU citizens, will impose an ‘opt-in’ rather than an ‘opt-out’ requirement to ensure personal rights to data are fully protected, will allow for a ‘right of portability’ and a ‘right to be forgotten’ which lets citizens wipe out the history of their data, and will impose strict conditions on notification of data protection breaches and penalties for non-compliance. A further enhancement of citizen rights is anti-spam regulation, typically a Do-Not-Call (DNC) register which can also cover Do-Not-Send (DNS) in the case of phone text messaging, and a proposal in the US for a Do-Not-Track (DNT) web function as part of a wider package of consumer rights proposed in the Consumer Privacy Bill of Rights brought before Congress in 2012.*
The US approach to data protection is generally less prescriptive. The Federal Trade Commission (FTC) has overall responsibility for supervising the enforcement of federal requirements on different sectors of the economy, such as the way information about customers is collected and used by telecom companies, the confidentiality of health records, inland revenue data, etc., and for applying consumer protection regulations generally. But there is no restriction on the international transfer of data except for tax records.
The threat of disruption to cross-border trade from the mismatch between the EU rules-based approach and the more voluntary approach to the private sector in the US was averted in 2000 when the EU approved the seven US ‘Safe Harbor Principles’,* which allow for company self-certification:
- Notice - Individuals must be informed that their data is being collected and about how it will be used.
- Choice - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
- Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security - Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
- Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
- Enforcement - There must be effective means of enforcing these rules.
However, the emphasis in the US shifted significantly following the 9/11 terrorist attack towards greater state security and the need to assess and share information, with the passing of the Patriot Act in 2001. This, together with some doubts about how effective self-certification really is, has kept the harmonization of approaches an open issue.
3.9.2 Cross-border data and cloud computing
One of the earliest sets of policy recommendations on cross-border transfers of data arising from the computerization of business transactions was the OECD 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Information.* More recently, the rise of cloud computing has made it imperative that countries introduce updated personal data protection legislation that conforms to minimum safeguards, for example those enshrined in the EU Directive. For cloud computing to become a truly global means of data storage, retrieval, file sharing and data transfer under secure conditions there need to be universally acceptable standards that at minimum allow for interoperability; otherwise the ‘clouds’ will remain constrained by economic and political boundaries. As a report from Cisco in 2009 pointed out, “Special consideration must be given to using cloud computing to handle information that is vital to national security, to maintaining public trust and confidence in government, or to managing certain core government functions such as foreign relations, maintenance of property rights, law and order, and defense.”*
There are two approaches to holding companies responsible for safeguarding confidentiality in cross-border data traffic. The EU approach is geographical: data is allowed into countries that are deemed to meet the minimum standards set by the EU Directive. In reality, this has not stopped data crossing borders into some major economies such as China and Japan, despite the EU not having determined the adequacy of safeguards in either country. The alternative approach, adopted by APEC and by Canada among others, is based upon accountability.
For example, Singapore’s Personal Data Protection Act of 2012 places accountability on the shoulders of the ‘data controller’, which is the company that authorizes the collection of the data, even when the actual collection or handling of the data and its storage and retrieval are undertaken by a subcontracted ‘data processor’. This can be seen as a more flexible approach that skirts around the country-profiling required by the EU and keeps the responsibility on the data controller wherever the data is transferred to and whoever handles it.* The ultimate market test will be whether international companies and their clients are willing to trust locating data in countries with the accountability approach.
The need to update and add flexibility to data protection laws is driving the shift in most Latin American countries from a habeas data approach to a legislative approach, mostly based upon the EU Directive but largely without the EU rules on data retention, which suggests a lower priority is given to cyber-security issues.* Several factors may account for this, for example a public wariness towards state surveillance, a lack of public awareness, a lack of cyber-crime experience in law enforcement agencies, and a slower pace of development of private cloud computing, as much of the take-up has been e-government. But as the digital economy of Latin America grows with the spread of broadband access and traffic, the need for more explicit data protection regulations and codes of practice will emerge. As of 2012, the only countries in Latin America not to have some form of over-riding personal data protection legislation were Bolivia, Cuba, the Dominican Republic, El Salvador, Guatemala, Nicaragua and Venezuela. Progress towards such protection has been going on for more than a decade, promoted by the Ibero-American Network of Data Protection (RIPD), created in 2003, which now has over 20 member states.*
In countries of the Asia Pacific region the situation varies.* APEC’s Cross Border Privacy Enforcement Arrangement* adopts the accountability approach rather than the geographical approach, which perhaps reflects the emerging status of many of the economies involved and the need for a flexible regime of data protection in order to benefit from the rapid growth of cloud computing and data centre managed storage, retrieval, processing, security and transit business throughout the region.* In Asia Pacific countries such as Australia and New Zealand, Hong Kong and Singapore, and the Philippines, clear-cut data protection laws are in place. In Japan the Act on the Protection of Personal Information (APPI) provides a degree of protection covering data on employees, while ministries such as health, education and labour have issued non-legally binding sets of guidelines based upon APPI. The central administrative authority is the Consumer Affairs Agency. South Korea enacted the Personal Information Protection Act (PIPA) in 2011 under the authority of the Minister of Public Administration and Security (MOPAS), but also has legislation governing particular sectors, such as the financial sector, and the IT Network Act administered by the Korea Communications Commission (KCC). Taiwan revised the Computer Processed Personal Data Protection Law (CPPL) to become the Personal Data Protection Law (PDLP), effective from 2012, but no separate national data privacy authority has yet been established. Indonesia brought together different references to data protection and privacy under Government Regulation No. 82 of 2012 regarding Provision of Electronic System and Transaction, and also has sector legislation, for example governing telecoms. Beyond these cases, other countries of the region have yet to pass general personal data privacy laws or to set up privacy commissions, relying upon legacy legislation governing telecoms, finance, health and other sectors.
But the Ministry of Industry and Information Technologies (MIIT) in China in 2013 for the first time issued a public consultation of a non-binding code of practice.
Africa and the Middle East
Throughout Africa and the Middle East there is no country that has an all-embracing data protection policy. In most cases in Africa privacy is a constitutional right, and in Malawi, Namibia, Tanzania and Zambia this includes the right to privacy of communications, but only Angola, Mauritius and Zimbabwe have enacted a separate data protection act, and South Africa has one pending. In some cases, such as Mauritius, Namibia, South Africa and Zambia, privacy rights are included in e-commerce legislation. Most countries in Africa do have a freedom of information act, but none has an independent commission to oversee the privacy rights of individuals. In most cases there are regulations governing particular sectors, such as anti-spamming provisions. An important aim of policy makers in Africa should be the harmonization of laws on data and personal privacy as a way of attracting investment in data centres and in cloud computing services by making it easier and safer to move data across borders. This was one of the objectives of the ITU’s programme ‘Harmonization of the ICT Policies in Sub-Sahara Africa’.*
3.9.3 Awareness and Alertness
As with cyber-security, so with personal data protection: in an interconnected world there are no guarantees of privacy. To reduce the risks of unauthorized leaks of personal data, or more seriously of identity theft, the number one and number two issues are awareness and alertness. The former relies upon readily available, frequently updated information about the dangers and risks involved and the need for adequate protection, both from laws and regulations (the ‘rights’) and from the practices used by data controllers (the potential for ‘wrongs’). A good example comes from the frequent changes in the privacy rules of social media sites and user reactions to them, which are often to switch to other social media. Where there is a real choice in the market, customers have real market power. Therefore, one of the aims of an information campaign should be to give meaning to the term ‘informed consent’.
Alertness calls for self-aware and sensible behaviour by users. Often this comes with experience, as for example when a regular user of email has a sixth sense that an incoming email is malicious and should not be opened or replied to and that a web-link should not be clicked on. On the other hand, fraud, sexual grooming and the release of passwords happen all too often on the Internet because users are not careful or not controlled enough. So both helpful information and education about sensible behaviour and etiquette on the Internet are topics that policy makers and regulators can be pro-active about, especially if they work closely with industry. Activities can include running safety and cyber-security workshops, seminars and competitions, school and college visits, webinars and websites, and recruitment of young volunteers to participate in peer-to-peer knowledge-sharing. Making ‘Safer Internet Day’ (SID) a big occasion will help.
Regulators should also take steps to update themselves and keep abreast of fast-moving software developments, such as Privacy-Enhancing Technologies (PETs). As well as advising users about these advances, regulators can review the adoption of security measures by data centres and cloud computing service providers. In some industries, such as telecoms and finance, reporting on their use could be part of a code of practice.
3.9.4 International Enforcement and Policy Cooperation
International cooperation and enforcement of privacy and data infringements can take place through various mechanisms, including bilateral and multilateral efforts, through more structured international organizations such as Interpol and through a mutual legal assistance treaty (MLAT) between countries for the purposes of exchanging data and information on legal and security issues.*
See the reference to MLAT above. Given the many different approaches and laws reviewed above, it has been suggested that using the EU Directive as a general guideline is a good way to ease data transfer issues, but even though this may bring recognition that cross-border data transfers are acceptable, it will not solve all the problems. Law enforcement will still be necessary, especially when serious crime is involved.
There are several global and regional privacy and data protection organizations in addition to law enforcement cooperation agencies such as Interpol. The Global Privacy Enforcement Network* was started in 2010 following the adoption in 2007 by the OECD Council of the Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy,* which provided that
“[m]ember countries should foster the establishment of an informal network of Privacy Enforcement Authorities and other appropriate stakeholders to discuss the practical aspects of privacy law enforcement co-operation, share best practices in addressing cross-border challenges, work to develop shared enforcement priorities, and support joint enforcement initiatives and awareness raising campaigns.”
By 2013, GPEN had 27 participating authorities, but none in Africa, the Middle East or Latin America, and only Australia, New Zealand and South Korea in the Asia Pacific. As with so many inter-government organizations, GPEN has a restricted-entry website, which rather misses the point that open access is the way to encourage participation in an interconnected world. However, countries that are members of the Asia Pacific Privacy Authorities (APPA) receive regular updates on GPEN activities,* and invitations to the annual International Conference of Data Protection and Privacy Commissioners.
Even where privacy commissioners and national agencies for data protection have not yet been established, policy makers and regulators should consider establishing liaison points to support national initiatives in this direction and regular attendance at these security forums. In other words, policy makers and regulators should themselves practise awareness and alertness in order to become more effective catalysts in society and industry for greater personal and public safety.