The principles of data protection: not new and actually quite familiar
“The gathering and holding of personal information on computers, data banks, and other devices, whether by public authorities or private individuals or bodies, must be regulated by law.”
- UN Human Rights Committee, General Comment No. 16, 1988
Underpinning the obligations of those who process personal data, both public and private institutions, the grounds on which they may do so, and the rights of individuals, there are various data protection principles which promote and uphold values and boundaries to ensure that any regulation which oversees the processing of personal respects similar principles than those upheld to protect and respect a qualified right, such as the right to privacy, to prevent arbitrary nor unlawful interference. These include but not need to be limited to the following:
- There should be limits on the collection of personal data, and it should be obtained by lawful and fair means, as well as being done in a transparent manner;
- The purposes for which the data and information is to be used should be specified (at the latest) at the time of collection and should only be used
for those agreed purposes. Personal data can only be disclosed, used, or retained for the original purposes (i.e. the purpose at the time of collection), except with the consent of the individual or under law: accordingly, it must be deleted when no longer necessary for that purpose;
- Personal data, as generated and processed, should be adequate, relevant, and limited to necessity of the purposes for which it is to be used;
- The data should be accurate and complete, and measures should be taken to ensure it is up to date;
- Reasonable security safeguards should be used to protect personal data from loss, unauthorised access, destruction, use, modification, or disclosure;
- There should be no secret processors of data, sources, or processing. Individuals must be made aware of the collection and processing of their data, as well as the purpose of its use, who is controlling it, and who is processing it;
- Individuals have a range of rights which enables them to control their personal data and any processing;
- Those that use personal data must be accountable for and demonstrate compliance with the above principles, and facilitate and fulfil the exercise of these rights, abiding by applicable laws that enshrine those principles.
Whether in relations to data protection or not, any government (and industry) interventions must fair, lawful and transparent, their power to interfered with the rights of individuals must be strictly and demonstrably limited to what is necessary to achieve a legitimate aim and proportionate in a democracy. They must respect due process and be subject to oversight. The principles outlined above are not new, nor unfamiliar as they are integrated within much of most nation’s legal and regulatory frameworks as these are at the core of international human rights law and standards. National laws and regulations, across sectors, provide for such principles.
When it comes to data protection these rules that regulate data processing have evolved over time. International texts such as the Council of Europe’s 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and its modernized version, as well as the 1980 Organization for Economic Cooperation and Development Privacy Guidelines, updated in 2013, have received prominent attention over the years as authoritative texts. But they are not the only source of principles to regulate the processing of personal data.
The protection of personal data has been upheld by Constitutions across the world including in Brazil and Colombia as well as regulated by regional mechanisms across the world through the 2014 African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), the Supplementary Act on Personal Data Protection within the Economic Community of West African States (ECOWAS),the 2015 Asia-Pacific Economic Coordination Privacy Framework, among others. Also, more than a 120 countries worldwide have adopted comprehensive data protection frameworks. All of these different efforts at national and regional level across the world demonstrate that recognition of the need and urgency to regulate the processing of personal data according to certain principles. It is not just a Western approach but a global one.
Also, for us as an international privacy organisation, the mere existence of and increased prominence of the Privacy International Network, which we have been leading and sustaining for a decade, is also a true testimony that worldwide communities and individuals value their privacy and they want their personal data protected, but in today’s data exploitation ecosystem people across the world are increasingly concerned about ensure that both are effective protected.
In the above context at play, we welcome the emphasis placed by the United National High Commissioner for Human Rights by dedicating their annual report on the principles, standards and best practices regarding the promotion and protection of the right to privacy in the digital age (A/HRC/39/29). The report outlines key dynamics when it comes to the processing of personal data, and it makes a series of recommendations to States and to businesses, with the OHCHR stating that:
“if implemented – will help to ensure that fundamental freedoms are upheld in the digital age. It also identifies key issues for further study, including possible discriminatory impact of invasions of privacy; the effects of big data and machine learning on the right to privacy and other human rights; regulation of surveillance technology markets; and possible remedies that can respond effectively to violations of the right to privacy.”
Similarly, Privacy International is continuing with its own efforts to advocate for the highest data protection safeguard, and so we take the opportunity to highlight a policy guide recently launched by Privacy International, “The Key to Data Protection”. This guide was developed to serve as a tool to support the efforts of civil society organisations to analyse proposed data protection law and assess existing legislation to identify any shortcomings. It also provides the basis to advocate for comprehensive, enforceable data protection laws to hold the public and private sector accountable.
Whilst there are no universally-recognised data protection standards, regional and international bodies have developed principles which have become internationally-agreed and constitute the foundation of many data protection laws around the world. Part 3 of the guide presents these in detail, and explains why they matter in practice.
Adopting and enforcing the highest data protection standards is key to ensuring that individuals and their data are protected. That’s where our efforts should be. We should not be distracted by where principles come from, who developed them and who enforces them, or not. The focus should be on ensuring they are encoded in law and effectively enforced everywhere so that people are protected from undue harm and they are able to fully exercise the enjoyment of their fundamental rights and freedoms.