Informational Privacy and Data Protection
Constitutions are grand statements of principle. The challenge becomes how do we translate a statement of principle into a legal regime? For instance, in Bangladesh, the constitutional guarantees of the right to privacy of home and communications, require specific laws that explain this right and offer guidance on 'reasonable restrictions'. Similarly, promises made in the Thai constitution for the right of data protection require further elaboration.
But when we are dealing with the need to establish a comprehensive regime of privacy protection across all sectors and industries, to both protect privacy rights and manage personal information, the challenge becomes quite interesting. Though some countries' constitutions only protect privacy in specific circumstances, such as protection of the home or correspondence, and other constitutions say little about privacy at all, nearly all developed countries consider the comprehensive protection of privacy as a matter of constitutional importance. As a result, governments have extended the right to privacy of communications into other realms, such as the right to privacy of personal health records when held in government databases. The challenge is further exacerbated by the advent of computing and networking technologies.
Thus, a specific set of rules has been developed by legal and technology experts to protect privacy in the context of information flows and data stores around the world. This set of rules is commonly called the Fair Information Practices, and is in turn enshrined into numerous 'data protection' regimes. The first modern data protection law in the world was enacted in the Land of Hesse in Germany in 1970. This was followed by national laws in Sweden (1973), Germany (1977), and France (1978). Today, nearly all developed information economies have data protection laws. Some of these however apply only to the public sector, while most apply to both private and public sectors.
Data protection rules hinge on the above-mentioned Fair Information Practices. These were developed in the late 1960s in response to the threat of secret databases holding vast amounts of information on individuals. In simple terms the fair information practices place requirements on ‘controllers’ (organisations that collect personal information), so that
- personal data should be collected only for specified, explicit and legitimate purposes
- the persons concerned should be informed about such purposes and the identity of the controller
- any person concerned should have a right of access to his/her data and the opportunity to change or delete data which is incorrect and
- if something goes wrong, appropriate remedies should be available to put things right, including award of damages through the competent national courts.
In essence, data should be collected with the informed consent of the individual; processed fairly and lawfully, for limited purposes and limited use, and retained for a limited period of time. Data must be kept secure and accurate, and not transferred to other countries without adequate protections. Individuals must be able to know what information is held on them, and must be able to correct the information when it is wrong.
If only a single country had data protection law, it would be impossible for that government or economy to conduct trade and business with other governments and economies unless they too had data protection laws. If a company in England was subject to English data protection law but then it sent this information to Pakistan, which has no data protection law, it could illegally process this information in Pakistan beyond the reach of English law. For this reason, data protection has become a global phenomenon. International organisations have enshrined data protection standards into conventions and guidelines such as the European Union 1995 Directive on Data Protection, the Organisation for Economic Co-operation and Development's Guidelines of 1980 and the Council of Europe Convention of 1981. These standards require that
- Data must be processed fairly and lawfully.
- They must be collected for explicit and legitimate purposes and used accordingly.
- Data must be relevant and not excessive in relation to the purpose for which they are processed.
- Data must be accurate and where necessary, kept up to date.
- Data controllers are required to provide reasonable measures for data subjects to rectify, erase or block incorrect data about them.
- Data that identifies individuals must not be kept longer than necessary.
Meanwhile, tighter regulations tend to apply to the category of ‘sensitive data’. In the EU Directive of 1995, this type of information is defined as
"data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sexual preference. In principle, such data cannot be processed. Derogation is tolerated under very specific circumstances. These circumstances include the data subject’s explicit consent to process sensitive data, the processing of data mandated by employment law, where it may be impossible for the data subject to consent (e.g. blood test to the victim of a road accident), processing of data has been publicly announced by the data subject or processing of data about members by trade unions, political parties or churches."1
But again the privacy and security dynamic arises. Governments exempt themselves from restrictions on processing sensitive personal data for reasons of substantial public interest. Such exceptions are permitted if they are necessary on grounds of national security, defence, crime detection, enforcement of criminal law, protection of data subjects or the rights and freedom of others.
Like privacy law, data protection laws are not universal. This results in a complicated regime of law that requires powerful regulators, which is difficult to achieve in many political systems. There has been significant reluctance to pass such laws in the U.S. for fear of regulating the private sector and reducing economic choice, though recently there has been a great deal of discussion of changing this situation. Many countries in Asia have long considered data protection laws but have failed to implement them. And even if implemented, regulators often lack adequate powers to enforce these laws. This hinders international trade because, again, European companies may not outsource their activities to Asian economies for lack of adequate data protection. It is therefore in the economic interest of these countries to develop data protection rules to take advantage of the global economic opportunities in the information economy. At the same time, U.S. industry organisations lobby these same economies to prevent the spread of 'onerous' privacy rules from preventing global data flows.
As a result, Asia is the key battleground for data protection laws. International institutions such as the EU, the Council of Europe, and the OECD have standards and directives that could act as models for Asian countries. Meanwhile the international industry leaders would rather see weaker safeguards to limit burdens on U.S. companies operating abroad. This conflict has resulted in the APEC principles on data privacy, an initiative established to avoid an EU-like comprehensive regime that would apply to both governments and companies, thereby omitting restrictions on governments and requiring piecemeal and limited policies in Asia. Governments in Asia are thus caught in the bind of wishing to abide by European requirements so that their economies can be the recipient of outsourced data, but also wishing to appease the interests of industry, while simultaneously limiting the reach of these laws into their own data processing capabilities.
- 1. European Commission, 'Data Protection in the European Union', available at http://europa.eu.int/comm/internal_market/en/dataprot/guide/guide_en.pdf