Privacy: which legal frameworks should be implemented on an international scale?

Cybersecurity and digital trust


Since the introduction of digital privacy in legislative literature, regulations have become increasingly stringent. The European Union is the engine driving this trend with the General Data Protection Regulation (GDPR), although other countries have not faltered behind, as we witness a global effort to establish regulation for the handling of personal data.

This blog post is part of a series of articles, itself the result of a synthesis on Privacy at the digital age published on our website.

An increasingly international regulatory framework

The concept of privacy, as understood in history, can be traced across several centuries of legislation. It began taking shape in 1948, inscribed in Article 12 of the Universal Declaration of Human Rights: “No one will be the object of arbitrary interference in his private life (…). Everyone has the right to be protected by law against such interference or attacks”.

Regulation around the protection of personal data is a more recent phenomenon. It is directly linked to the development of information technology and the increased collection of data by organisations. In addition, the market value of data adds a further layer of complexity to the emergence of an international regulatory consensus. Sweden was the first state to establish legislation on the subject in 1973. In France, the “Loi Informatique et Libertés” was enacted in 1978, following debates over the Safari project, which aimed to create a centralised database of information about individuals.

Without reviewing each national law and its timeliness, an analysis of the initiatives implemented on regional scales provides a holistic view of the main privacy trends.

European Union: the state protecting its citizens

The European Union was the first institution to establish legislation on the subject in 1995 with the publication of Directive 1995/46/EC. This first attempt at creating legislative harmony on an institutional and European scale has been followed by the implementation of numerous principles, defined in the law of various Member States, including the establishment of supervisory authorities. This legislation is rooted in the “Guidelines for the Protection of Privacy and Transborder Flows of Personal Data” published by the OECD in 1980, which were non-binding.

In April 2016, the European Union elected to strengthen its legislation with the General Data Protection Regulation (GDPR), which, unlike the 1995 directive, will be directly applicable in the law of the Member States of the European Union.

Its implementation is planned for May 2018, when organisations must ensure their compliance with the requirements of the regulation. Developments will take place in e-privacy in the near future, aligning traditional requirements on privacy with more recent developments and innovation, thus addressing the topics of secrecy and correspondence in the digital age. Through such literature, the European Union will adopt the position of protector of citizen data.

US: Making people aware of their responsibilities

There is neither a specific regulation nor a regulator within American law which oversees the collection and use of personal data at a federal level. Instead, the United States operates under a combination of laws which apply to certain sectors or states. Some regulations cover specific categories of personal data, such as financial data or health-related data, while others regulate activities which exploit such data, such as digital marketing. In addition to such regulations, best practices developed by federal agencies and industrial groups are also used as a means of self-regulation. The Fourth Amendment of the US Constitution can also be referenced for the protection of personal privacy. Finally, laws around consumer protection, while they do not regulate personal privacy, forbid practices around the disclosure of personal data. Nevertheless, American citizens display a certain degree of flexibility regarding the distribution of their personal data.

As shown by the evolution of “Safe Harbor”, differences exist between the American and the European vision. This legal mechanism was implemented to ensure the protection of data transfers between the EU and the USA until October 2015, when it was invalidated by the Court of Justice of the European Union (CJEU). According to the CJEU, the level of data protection offered by the United States was no longer satisfactory in light of the information leaked by Edward Snowden regarding the global surveillance programme operated by the American government. In February 2016, the United States and the EU drew up a new arrangement, the Privacy Shield, which came into force in August 2016 and is designed to offer better protection for data transfers.

Asia: a situation under development

With respect to data protection, we can categorise Asian countries and territories into two groups. Some are relatively mature on the subject, including South Korea, Singapore, Hong Kong or Taiwan. Until recently, China did not have any specific personal data protection legislation. However, in November 2016, new regulations applicable to operators from June 2017 were implemented. This new regulation will integrate widely agreed principles on respecting personal privacy and will require the storage of personal data on Chinese territory. On the other hand, other countries in the area are yet to implement regulations regarding the protection of personal data on a large scale, despite ongoing debates.

Rest of the world: regional initiatives under development

In Africa, the first legislation on the subject was implemented in 2001, in Cape Verde. In 2004, Burkina Faso was the first state to establish a national regulator. At the regional level, the African Union Convention on Cybersecurity and Personal Data Protection, signed by 18 countries in 2014, incorporates notions derived from European legislation, but is not legally binding.

In the Middle East, states such as the United Arab Emirates (UAE) and Saudi Arabia do not have specific legislation regarding the protection of personal data. Specific to these countries is the application of Sharia law, stating that damage can be claimed if the disclosure of personal data leads to abuse or damage.

In South America, several countries have independent regulators. Moreover, they benefit from constitutional guarantees regarding personal data protection. This is particularly the case in Uruguay and Argentina, two countries recognised by the European Union as providing sufficient levels of data protection.