101: Data Protection
What is Data Protection?
Individuals, as citizens and consumers, need to have the means to exercise their right to privacy and protect themselves and their information from abuse. This is particularly the case when it comes to our personal information. Data protection is about safeguarding our fundamental right to privacy, which is enshrined in international and regional laws and conventions.
Data protection is commonly defined as the law designed to protect your personal information, which is collected, processed and stored by “automated” means or intended to be part of a filing system. In modern societies, to empower us to control our information and to protect us from abuses, it is essential that data protection laws restrain and shape the activities of companies and governments. These institutions have shown repeatedly that unless rules restrict their actions, they will endeavour to collect it all, mine it all, keep it all, while telling us nothing at all.
Why is data protection needed?
Every time you use a service, buy a product online, register for email, go to your doctor, pay your taxes, or enter into any contract or service request, you have to hand over some of your personal information. Even without your knowledge, information about you is being generated and captured by companies and agencies you are likely to have never knowingly interacted with. The only way citizens and consumers can have confidence in both government and business is through strong data protection practices, with effective legislation to help minimise needless monitoring by officialdom and regulate surveillance by companies.
Since the 1960s and the expansion of information technology capabilities, business and government organisations have been storing this personal information in databases. Databases can be searched, edited and cross-referenced, and their data shared with other organisations and across the world. Once the collection and processing of data became widespread, people started asking questions about what was happening to their information once it was turned over. Who had the right to access the information? Was it kept accurately? Was it being collected and disseminated without their knowledge? Could it be used to discriminate or abuse other fundamental rights?
From all this, and growing public concern, data protection principles were devised through numerous national and international consultations. The German region of Hesse passed the first law in 1970, while the US Fair Credit Reporting Act 1970 also contained some elements of data protection. The US led development of the 'fair information practices' in the early 1970s that continue to shape data protection law today. The UK also established a committee around the same time to review threats by private companies and came to similar conclusions. National laws emerged soon afterwards, beginning with Sweden, the US, Germany and France. Further momentum was added in 1980 when the Organisation for Economic Cooperation and Development (OECD) developed its privacy guidelines that included 'privacy principles', and shortly thereafter the Council of Europe's convention came into force.
While over 100 countries now have laws, in many countries there is still a great need for stronger legal safeguards to give citizens and consumers confidence in what is done to their personal information by government and business. Although most countries have accepted that data protection is necessary in selected sectors, they have not yet developed comprehensive data protection law that applies to all business sectors and to government.
So how does data protection work?
Where a comprehensive data protection law exists, organisations, public or private, that collect and use your personal information have the obligation to handle this data according to the data protection law. This law is based on a number of basic principles. Briefly, these principles require that:
- there should be limits to what is collected: there should be limits on the collection of personal information, and it should be obtained by lawful and fair means, with the knowledge or consent of the individual;
- the information should be correct: personal information should be relevant to the purposes for which it is used, should be accurate, complete and up to date;
- there must be no secret purposes: the purposes for which the information is to be used should be specified at least at the time of collection and should only be used for those agreed purposes;
- there must be no creeping purposes: personal information can be disclosed, used, or retained only for the original purposes, except with the consent of the individual or under law, and accordingly it must be deleted when no longer necessary for that purpose;
- the information must be secure: reasonable security safeguards are used to protect personal information from loss, unauthorised access, destruction, use, modification or disclosure;
- no secret organisations, sources, or processing: we must be made aware of the collection and use of our information, we should know the purpose for its use, and we must know about the organisation that is the data controller;
- individuals have rights to be involved: we should be able to have access to our information, and we must have the right to challenge the information held and to seek its deletion, rectification, completion or modification;
- organisations must be held to account: the organisation that collects and manages your information must be accountable for providing the above principles and rights.
Data protection rules need to be enforced by a regulator or authority, often called a Privacy Commissioner. The strength of the powers invested in these authorities varies from country to country, and so does their independence from Government. These powers, for example, can include the ability to conduct investigations, act on complaints and impose fines when they discover an organisation has broken the law.
Apart from enforcement through regulatory means, we also believe that technologies can play a strong role in ensuring data protection rules are followed. Through technological means and careful design, it is possible to limit data collection, to mathematically restrict further data processing, and to assuredly limit unnecessary access, amongst other privacy measures. Laws can influence and, when necessary, compel such developments, though their adoption has been slow, as companies and governments are resistant to limiting their future capabilities or aspirations to mine our information, even as they are legally supposed to limit purpose creep.
How many countries in the world have data protection laws?
As of August 2014, over 100 countries around the world have enacted comprehensive data protection legislation, and several other countries are in the process of passing such laws. Other countries may have privacy laws applying to certain areas, for example for children or financial records, but do not have a comprehensive law. For instance, although the US was an early leader in the field of data protection, the US Privacy Act 1974 applies only to the Federal Government, and subsequent laws apply to specific sectors, but there is no comprehensive law to date.
The strongest and most comprehensive laws are in the countries of the European Union and European Economic Area that have implemented the 1995 Data Protection Directive. This is currently undergoing a difficult process of revision in Brussels. Canada is another leading example with two separate pieces of legislation applying at the national level to government and industry, with additional laws at the provincial level as well. For more information on data protection laws, broken down by country, check out the comprehensive reports published over the years by Privacy International.
Are data protection laws the same in all countries that have them?
No, and increasingly this is part of the problem. As our information travels around the world through borderless networks, our data may end up in countries that have different laws of varying strength or no law at all, meaning we’d have no remedies if our rights are abused. In essence, depending on what services you use, different pieces of your data will be in various countries.
Data protection law has become not only a vehicle for protecting citizens and consumers, it has become a gateway to trade. Various international conventions and guidelines have been established in order to ensure that information can circulate around the world without causing too much damage to ‘data subjects’ and that businesses do not base themselves in countries with the weakest laws. The OECD Guidelines on the Protection of Privacy, first agreed in 1980 and revised in 2013, were the pioneer in establishing the data protection principles, adopted by many countries in their legislation. A driving motivation for the OECD Guidelines was to enable protection of privacy while enabling data to flow across borders, and opening up markets.
The international instrument with most teeth, however, is the Council of Europe 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data. This has the force of law for the countries that have signed up to it. Countries from outside Europe can sign up to it, but unfortunately only Uruguay has done so to date.
The EU's 1995 Directive standardised laws to some extent across European Union member states, partly to enable trade within the European market. The Directive required that data could only be sent to foreign jurisdictions if those countries had adequate laws with protections in place. One notable exception, however, is the US, which has repeatedly failed to implement a comprehensive law; the 1974 Privacy Act only applies to the Federal Government, and only protects US citizens and residents.
As an attempt at a quick fix, there’s a separate agreement on personal information transfers between the EU and the US – called the Safe Harbor agreement. This arrangement has been heavily criticised by both Privacy International and the European Commission itself, as it is a voluntary and self-regulatory system which is not adequately implemented and not sufficiently enforced. Though the Obama administration has promised to extend the Privacy Act to European citizens and has repeatedly mentioned introducing a comprehensive law, no meaningful action has yet occurred. It is therefore highly problematic that much of the world's information passes through and exists under the jurisdiction of US law, where non-Americans have no rights at all.
The EU and Council of Europe are trying to update their instruments to consider new challenges to privacy, and to strengthen protections. These laws were drafted before the rise of internet giants and marketing associations with significant lobbying capabilities, and before the rise of the anti-terrorism policy agenda. As such, government agencies and companies have been working hard to undermine these legal instruments. For instance, over 3000 amendments were introduced in the European Parliament when the draft General Data Protection Regulation was being discussed, some of them introduced by members of the European Parliament who had copied and pasted the amendments from industry lobbyists' briefings. The interests in undermining data protection are stronger than ever.
What is considered as personal information under data protection laws?
Roughly speaking, personal information means any kind of information (a single piece of information or a set of information) that can personally identify an individual or single them out as an individual. The obvious examples are somebody’s name, address, national identification number, date of birth or a facial image. A few perhaps less obvious examples include vehicle registration plate numbers, credit card numbers, fingerprints, a computer’s IP address, CCTV video footage, or health records. You can be singled out from other people even if your name is not known; for example, online profiling companies assign a unique number and use tracking techniques to follow you around the net and build a profile of your behaviour and interests in order to present you with advertisements. Some personal information is considered more sensitive than others, and therefore subject to stricter rules; this includes your racial or ethnic origin, political views, religion, health, and sex life. Such information cannot be collected or used at all without your specific consent.