Privacy and data protection: Reviewing notable policy frameworks
The evolved privacy principles and the resulting legislation across the world primarily aim to force the data collector to define the purpose for which the data is being collected along with the need to obtain explicit consent for the said purpose. But it often becomes extremely difficult to identify the exact uses of data when it is being collected e.g. the obvious future uses of geospatial information may not be identified when such information is collected.COE-EDP | Updated: 18-03-2021 10:49 IST | Created: 18-03-2021 10:49 IST
The twenty-first century has seen an unprecedented expansion in the pace and volume of collection of individual data. The surge has been backed by a slurry of technological and theoretical innovations that have allowed the data to be used in ways that could hardly be imagined a few decades earlier. However, as almost all of this data collection happens through the internet, it poses unconceived challenges in enforcing fair jurisdictions. The fluid nature of the internet means that the related activities can be carried out without entities having to actually enter inside the physical boundary of the concerned territory. As a result, laws written in the pre-internet era become inadequate in protecting the rights of citizens. Further, the distinct nature and scope of interaction between an individual and entities on the internet mean many interactions fall outside the ambit of the existing regulations.
Regulation and innovation have always been anathematic to each other but their contention is particularly worrying when it comes to privacy-related issues. The governments have the frugal task of balancing the needs of the protection of the rights of their citizens without impeding innovation. Any setback for innovators will ultimately affect the very individuals whose rights the governments want to protect. Racing to strike a balance between two competing goals, governments across the world have passed new laws and regulations seeking to better protect the privacy of people while also enabling innovation.
Privacy and its evolution
The literature primarily identifies three different types of privacy: spatial privacy, decisional privacy, and informational privacy. The concept of data privacy seems most closely linked to informational privacy, but its scope stretches to other two aspects as well.
Privacy, in definitive terms, is complex to define and as a result, its meaning and scope can depend on circumstances and may ultimately hinge on juristic discretion. Some experts suggest the harm arising out of the breach of the information is an important factor to assess if a user's privacy was violated while some suggest it can be assessed based on individual demand for data protection vis-à-vis social welfare. Some call for an absolute right to privacy while some say it should be flexible based on individual conduct e.g. an individual accused of serious crimes may lose some of the privacy protection.
In a nutshell, the amorphous nature of privacy makes it a challenge and it likely requires a precise, judicial definition of its scope in different circumstances to prevent the arbitrary and subjective breach of individual privacy by not only private entities but also the state.
Approaches to data protection
The European Union's (EU) approach to data and privacy is among the most stringent around the world while another notable approach is of the United States, which follows a different, more sector-specific framework.
- European Union's GDPR
In the EU, the right to privacy is a fundamental right and is mandated to protect an individual's dignity. The European Charter of Fundamental Rights (EU Charter) recognizes the right to protect data as essential to guarantee an individual's dignity. EU has sought to achieve a high level of data protection while keeping in mind the need for harnessing data for the public good as a result it has aimed to harmonize data protection legislation to ensure the free flow of data across national boundaries.
To this effect, the EU has come out with a comprehensive data protection framework called the General Data Protection Regulation (GDPR), which applies to processing of personal data by any means, and covers processing activities carried out by both the government as well as the private entities with notable exemptions regarding issues related to national security. The law follows a rights-based approach towards data protection and places individuals at the center of the law. As a consequence of this approach, the law imposes extensive control over the collection as well as dissemination of personal data.
The law also prohibits the collection of data defined as sensitive such as religious beliefs, political opinion, data concerning health among others with certain exemptions.
The law relies on purpose specification, data minimization, data quality, and security safeguards to ensure compliance with the said objectives. Individuals continue to enjoy participation rights over their data with the power to withdraw consent, restrict use or limit the ways in that the data is processed.
The EU model also envisages the establishment of a data protection authority called the European Data Protection Board (EDPB) that is tasked to ensure enforcement and has the power to impose penalties to ensure compliance.
The EU model seems to be the preferred approach for several countries. A variation of the law has been adopted in Australia, Canada, and a similar law is soon to be enacted in the Indian parliament, which although is very similar to EU GDPR but has some subtle differences which are less powerful from an individual's perspectives. There are issues about ownership of data that has been collected while intimation guidelines in case of data breach seem inadequate.
- United States approach to data protection
In the United States, privacy protection is essentially seen as a protection of liberty which is interpreted as the protection of personal space from the government. The US constitution does not explicitly grant a right to privacy, although the fourth amendment to the US constitution provides some direction. The courts in the US have also collectively identified the right to privacy by combining different forms of privacy protections in the first, fourth, fifth, and fourteenth amendments to the US constitution.
Unlike EU, there is no single and comprehensive principle or legislation that collectively address the collection and processing of data, instead, there are sector-specific regulations such as related sections in the health Insurance Portability and Accountability Act, the children's Online Privacy Protection Act, the Financial Services Modernization Act, which means that the different regulations are enforced on the financial industry, the health industry and for the online protection of children.
Additionally, the private and the public sector are treated differently. The activities and powers of government concerning collection, dissemination, and processing of information are well defined and are governed through legislation that is different from the private sector.
But for the private sector, the crux of the data protection regime hinges on notice and consent. For instance, Title V of the GLB Act has only three substantive restrictions on the processing of personal information and instead emphasizes procedural requirements, specifically, the need for institutions to "clearly and conspicuously" provide consumers with a notice about its disclosure practices and an opportunity to opt-out of such disclosure.
The Federal Trade Commission (FTC) is the agency that is responsible for enforcing the data country's data protection regime. The FTC has described notice to be the "most fundamental principle" and has focused all of its privacy-related efforts on getting websites to post privacy policies and its enforcement efforts in holding websites accountable when they fail to adhere to them.
Thus the US approach to data protection has two identifiable trends, the strict norms for the processing of personal information by the government and its affiliated agencies, and the notice and choice-led regime for the private sector.
The existing dichotomy between the US and EU model of data administration can be attributed to the hands-free approach of the US markets, which is in contradiction to the rights-centric culture of the EU.
The evolved privacy principles and the resulting legislation across the world primarily aim to force the data collector to define the purpose for which the data is being collected along with the need to obtain explicit consent for the said purpose. But it often becomes extremely difficult to identify the exact uses of data when it is being collected e.g. the obvious future uses of geospatial information may not be identified when such information is collected.
Over the past few years, countries are increasingly acknowledging the importance of data protection policies and even the developing countries are coming up with legislation to protect the rights of their citizens as the internet becomes a way of life. While doing so, countries must harmonize the need for protecting the individuals' privacy without compromising on the needs of the industry that thrives on innovation.
VisionRI's Centre of Excellence on Emerging Development Perspectives (COE-EDP) aims to keep track of the transition trajectory of global development and works towards conceptualization, development, and mainstreaming of innovative developmental approaches, frameworks, and practices.
- FIRST PUBLISHED IN: