{"id":930,"date":"2022-09-20T17:35:40","date_gmt":"2022-09-20T16:35:40","guid":{"rendered":"https:\/\/www.mediadefence.org\/ereader\/?post_type=publication&p=930"},"modified":"2022-09-22T10:54:05","modified_gmt":"2022-09-22T09:54:05","slug":"data-protection","status":"publish","type":"publication","link":"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-on-litigating-freedom-of-expression-and-digital-rights-in-south-and-southeast-asia\/module-4-data-privacy-and-data-protection\/data-protection\/","title":{"rendered":"Data Protection"},"content":{"rendered":"\n

Data protection laws are aimed at protecting and safeguarding the processing of personal information or personal data, which is defined in the EU\u2019s General Data Protection regulation as \u201cany information relating to an identified or identifiable natural person (\u2018data subject\u2019)\u201d.[footnote]Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC at Article 4(1) (accessible at: https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679<\/a>).[\/footnote] An \u201cidentifiable natural person\u201d is in turn defined as:<\/p>\n\n\n\n

\u2026 one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.<\/p><\/blockquote>\n\n\n\n

Data protection is one of the primary measures through which the right to privacy is given effect. In addition to giving effect to the right to privacy, data protection legislation also has a key role to play in facilitating trade amongst states, as many data protection laws, in particular those adopted within the European Union, restrict cross-border data transfers in circumstances where one state does not provide an adequate level of data protection.<\/p>\n\n\n\n

In recent years, increasing attention to the issue of data protection has led to a number of Asian states enacting new privacy laws.[footnote]For an overview of regional trends, see Deloitte, \u2018The Asia Pacific Privacy Guide 2020-2021: Stronger Together\u2019(2020) (accessible: https:\/\/www2.deloitte.com\/ph\/en\/pages\/risk\/articles\/asia-pacific-privacy-guide.html<\/a>) and Graham Greenleaf, \u2018Advances in South Asian Data Privacy Laws: Sri Lanka, Pakistan and Nepal\u2019, (2019) Privacy Laws & Business International Report<\/em>, 22-25 (accessible at: https:\/\/papers.ssrn.com\/sol3\/papers.cfm?abstract_id=3549055<\/a>).[\/footnote] Since the onset of the COVID-19 pandemic, the greater reliance on digital technologies for remote working and contact tracing has raised novel challenges with respect to privacy and data protection, adding further momentum and urgency to the need to strengthen data protection laws. \u00a0Nonetheless, many states continue to protect individuals\u2019 privacy only inadequately, especially from state surveillance activities.[footnote]Digital Reach, \u2018Digital Rights in Southeast Asia 2021\/2022\u2019, (2022)<\/em> (accessible at: https:\/\/digitalreach.asia\/event\/report-launch-digital-rights-in-southeast-asia-2021-2022\/<\/a>); Smitha Krishna Prasad & Sharngan Aravindakshan (2021) ‘Playing catch up \u2013 privacy regimes in South Asia\u2019, The International Journal of Human Rights<\/em>, 25:1, 79-116, p. 105 (accessible at: https:\/\/www.tandfonline.com\/doi\/full\/10.1080\/13642987.2020.1773442<\/a>).[\/footnote]<\/p>\n\n\n\n

In relation to data protection, General Comment No. 16 on article 17 of the ICCPR (General Comment No. 16) provides as follows[footnote]General Comment No. 16 at para. 10.[\/footnote]<\/p>\n\n\n\n

\u201cThe gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. \u00a0Effective measures have to be taken by States to ensure that information concerning a person\u2019s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. \u00a0In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. \u00a0Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. \u00a0If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.\u201d<\/p><\/blockquote>\n\n\n\n

Most comprehensive data protection laws typically make provision for the following principles:[footnote]Information Commissioner\u2019s Office, \u2018Data protection principles\u2019 (accessible at: https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/data-protection-principles\/<\/a>).[\/footnote]<\/p>\n\n\n\n