Module 4: Data Privacy and Data Protection
Data protection laws are aimed at protecting and safeguarding the processing of personal information or personal data, which is defined in the EU’s General Data Protection regulation as “any information relating to an identified or identifiable natural person (‘data subject’)”.(1) An “identifiable natural person” is in turn defined as:
… one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data protection is one of the primary measures through which the right to privacy is given effect. In addition to giving effect to the right to privacy, data protection legislation also has a key role to play in facilitating trade amongst states, as many data protection laws, in particular those adopted within the European Union, restrict cross-border data transfers in circumstances where one state does not provide an adequate level of data protection.
In recent years, increasing attention to the issue of data protection has led to a number of Asian states enacting new privacy laws.(2) Since the onset of the COVID-19 pandemic, the greater reliance on digital technologies for remote working and contact tracing has raised novel challenges with respect to privacy and data protection, adding further momentum and urgency to the need to strengthen data protection laws. Nonetheless, many states continue to protect individuals’ privacy only inadequately, especially from state surveillance activities.(3)
In relation to data protection, General Comment No. 16 on article 17 of the ICCPR (General Comment No. 16) provides as follows(4)
“The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.”
Most comprehensive data protection laws typically make provision for the following principles:(5)
- Personal information must be processed fairly and lawfully, and must not be processed unless the stipulated conditions are met.
- Personal information must be obtained for a specified purpose (or purposes) and must not be further processed in any manner incompatible with that purpose.
- Personal data must be adequate, relevant and not excessive in relation to the purpose (or purposes) for which it is processed.
- Personal information must be accurate and, where necessary, kept up to date.
- Personal information must not be kept for longer than is necessary for the purpose of collection.
- Personal information must be processed in accordance with the rights of data subjects provided for under the data protection law, including the right to access, review and where necessary correct the data.
- Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data must not be transferred to another country that does not ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.
The Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’)(6) opened for signature on 28 January 1981 and was the first binding international instrument protecting against abuses stemming from the collection and processing of personal data. The purpose of Convention 108 is to “protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy”.(7) Convention 108 provides for the free flow of personal data between states parties to the Convention.
Convention 108 is open for accession by non-members of the Council of Europe. Although a number of non-European member states have acceded to it, no South or Southeast Asian states have yet done so.
In addition to giving effect to the right to privacy, data protection laws also typically facilitate a right of access to personal information. In this regard, most data protection laws provide for data subjects to request, and be given access to, the information being held about them by a controller. This mechanism can enable data subjects to ascertain whether their personal information is being processed in accordance with the applicable data protection laws, including whether the information held is correct, and whether their rights are indeed being upheld.