[The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official position of Inderscience Publishers.]
A Short Overview of Data Protection Poses Challenges to Public International Law
Evelyne J.B. Sørensen
Editor in Chief, International Journal of Public Law and Policy
Globalisation and borderless electronic communication have brought huge benefits to users. At the same time, the fast development of technologies that anticipate, profile, cluster and classify personal data gathered via the Internet have caused widespread international concerns. These concerns call for legislative intervention, since there is a need to protect personal data on an international level. However, even though similar issues are faced by most countries, there has not been a uniform legal response (Lloyd (2014), chapter 2).
The lack of uniform legislation causes regulatory conflicts, as for example illustrated by several rulings of the Court of Justice of the European Union. In the Schrems ruling (Case C-362/14, Schrems), the differences between the US and European regimes for data protection became once more apparent, resulting in the annulment of the Safe Harbour Agreement. But even within the European Union, where omnibus data protection law has been implemented, conflicts arise since EU member states have implemented the data protection directive in different ways (e.g. C-230/14, Weltimmo).
At the EU level changes are on their way. With the application of the General Data Protection Regulation (2016/679) in May 2018 a single law will be introduced, directly applicable in all EU member states. This will hopefully remove many of the material differences in the approaches taken and remove fragmentation in terms of compliance requirements across member states. However, at the international level, data protection remains fragmented and weak, creating risks for all actors (ranging from individuals to private and public organisations) involved.
Data protection law is designed to protect personal identifiable information, in order to empower individuals to control their information and to protect them from abuses. Thus, data protection laws restrain and shape the activities of companies and governments. Data protection law emerged in the beginning of the 1970s. The first legislation dealing substantially and directly with data protection was the Hessian Data Protection Act (Hessisches Datenschutzgesetz) from 1970 (Simitis (2010), p. 1995). Sweden was the first country to enact data protection legislation at a national level in the form of the Privacy Act 1974, followed by the U.S. in the same year, which enacted the Privacy Act at the federal level (Ibid, p. 1969). Today, many countries’ national data protection laws have been influenced by the EU Data Protection Directive (95/46/EC), which as mentioned above will be replaced by the General Data Protection Regulation in May 2018.
Since data protection is closely linked to privacy it is rooted in many international human rights instruments, such as the Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR) and the European Convention of Human Rights (ECHR). These instruments protect the right to private life, family life, the home and correspondence. The only instrument dealing with data protection directly at a constitutional level is the European Charter of Fundamental Rights. There are also a number of international instruments dealing with the protection of personal data more specifically, such as Convention 108, an international treaty implemented by the Council of Europe; the non-binding UN Guidelines for the regulation of computerised personal data; and the non-binding OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The need for international uniform data protection legislation
Even though there is greater recognition of personal data in international law, there are challenges in defining what a common approach could and should be. Today, great variations, differences and conflicts still exist between national sovereignties on the nature, tradition, approach and mechanism of data protection.
Uncertainty exists because expectations and legal requirements differ depending on culture and government. For example, there is no consensus on the appropriate mix of law, self-regulation and technological solutions in protecting privacy. In Europe and many developed countries, a comprehensive approach has been adopted, where a single law protects personal data in all industries and most contexts (Me´sza´ros (2015), p. 2). In contrast, the U.S. for example promotes a sectoral approach, where data protection is regulated on a sector-by-sector basis. Different industries have different regulations, some areas are subject to self-regulation and the public and the private sectors are regulated by different statues (Ibid.).
These uncertainties are connected with the fragmentation concerning data protection in different legal systems. Whereas a fundamental rights approach exists in the European Union, a consumer protection approach exists in the U.S. In addition, the international community lacks an appropriate and competent organisation to put the vision of international uniform legislation on the agenda, and to coordinate and adopt an international convention (Kong (2010), p. 456). Thus, at an international level the current situation is unsatisfactory, since there is a lack in presenting a clear normative basis for the recognition of data protection.
The above gives only a very brief overview of how important data protection is in public international law. More work is needed to implement data protection more firmly in public international law. Globalisation, the continuous development of information and communication technology, and the pervasiveness of such technology shows that there is a crucial need for data protection rights to be applicable at an international level. And since information and communication technologies are available in every corner of the world, data protection is a global concept.
The International Journal of Public Law and Policy (IJPLAP) is a global journal that provides a forum for researchers and academics to engage in discussion and analysis in a wide range of areas of law affecting national and international policy issues. It provides expert analysis on government law, policy initiatives and judicial decisions, and contributes to public debate by formulating its own law reform proposals. Its international editorial board consists of members working across a range of regulatory, legislative and policy contexts. This highly diverse mix has a broad appeal to encourage authors from different fields within the scope of the journal, while at the same time assuring a high academic standard.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23.11.1995, p. 0031 – 0050.
Judgment of the Court of Justice of the European Union of 6 October 2015, Maximillian Schrems v Data Protection Commissioner (Case C-362/14), OJ C 351, 6.10.2014.
Judgment of the Court of Justice of the European Union of 1 October 2015, Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (Case C-230/14), OJ C 245, 28.7.2014.
Kong, Lingjie (2010): Data Protection and Transborder Data Flow in the European and Global Context. In: European Journal of International Law, Vol. 21, issue 2, pp. 441-456.
Lloyd, Ian J. (2014): Information Technology Law (7th ed.). Oxford: Oxford University Press, chapter 2.
Mészáros, János (2015): Two different approaches of the data protection law: the European Union and the United States. In: Hungarian Journal of Legal and Political Science, Vol. 9, no. 1/2015.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1–88.
Simitis, Spiros (2010): Privacy—An Endless Debate? In: California Law Review, Vol. 98, No. 6, pp. 1989-2005.
Download this article (PDF)