The study identifies core issues that data protection and privacy legislation needs to address. The study includes key policy options for nations developing, reviewing or amending their data protection laws. A core set of principles appears in the vast majority of national data protection laws and in global and regional initiatives.
The EU's Data Protection Directive (1995) attempts to address this issue by placing a number of restrictions (and exceptions) on the transfer of personal data outside of Europe. Summary of key findings on key challenges in developing and implementing data protection laws.
KEY CHALLENGES IN THE DEVELOPMENT AND
Addressing gaps in coverage
These requirements are difficult (but not always impossible) to meet in the absence of basic data protection legislation. Challenges faced by ASEAN countries and selected countries in ECOWAS, Latin America and the Caribbean (48 countries) in adopting data protection legislation. First, the company can join a data protection scheme (for example the EU-US Safe Harbor Framework/.
Addressing new technologies
The Internet of Things is also developing rapidly and has a direct connection to handling data. Data protection laws have often struggled to keep pace with the rapid development of technology, but the Internet of Things is probably the biggest challenge of its kind. The Big Data method advises against 'data minimisation' - the focus is on collecting and storing all data as it may be 'useful' at a later stage.
Managing cross-border data transfers
Two frequently cited examples of data localization requirements are Indonesia and the Russian Federation, which have enacted restrictions on the transfer of data abroad. Potential for unfairness in situations where there is a large power imbalance between parties. Potential to encourage fragmentation rather than harmonization of data protection practices. This four-part test appears to fully address the use of data localization requirements and could set a possible basis for a global standard to determine whether a restriction has gone 'too far'.
Balancing surveillance and data protection
The CJEU found that a presumption of adequacy created by Decision 2000/520 (the decision that endorsed the EU-US Safe Harbor Principles as an adequate level of protection) did not prevent EU citizens from challenging it on grounds of enforcement of their personal rights and freedoms. As a result, Safe Harbor members no longer enjoy a presumption of sufficiency that allowed for the expedient movement of data from the EU to the US. An important outcome of the case was the renegotiation of the Safe Harbor Agreement, now known as the EU-U.S.
Strengthening enforcement
The court was of the view that legislation allowing public authorities to access personal information on a generalized and unspecified basis for reasons related to national security, without giving notice or remedy to the individual, was inconsistent with the fundamental rights of citizens of the EU and did not ensure processing that was "strictly necessary" and "proportionate" as required by the EU Data Protection Directive. The United States has initiated numerous reforms that strengthen the governance and oversight of intelligence agencies and provide consumers with potential avenues for redress. On March 12, 2015, the FTC issued a complaint against True Ultimate Standards Everywhere Inc (TRUSTe) for allegedly violating Section 5 of the Federal Trade Commission Act.
Determining jurisdiction
The complaint noted that some of the searches provided detailed telephone records, which are a category of information protected in the United States by the Telecommunications Act of 1996. Most of the global and regional initiatives include language warning against complexity, overburdened requirements and unintended consequences in implementing the regimes. Businesses are also extremely well represented in most debates/forums/committees regarding the development, implementation and review of data protection laws. a) the offering of goods or services to such data subjects in the Union; or b) monitoring their behavior.
Managing the compliance burden for business
The strengths and limitations of key global initiatives in addressing key challenges in the development and enforcement of data protection laws. Advantages and limitations of key regional frameworks in addressing key challenges in developing and implementing data protection laws.
GLOBAL DEVELOPMENTS AND LESSONS LEARNED
The United Nations
The Special Rapporteur on the right to privacy: A Special Rapporteur is an independent expert appointed by the UN Human Rights Council to investigate a specific issue and report back on it. In July 2015, the Human Rights Council appointed Professor Joseph Cannataci (of Malta) as the first Special Rapporteur on the right to privacy. In March 2016, the Special Rapporteur prepared his first report on the right to privacy, which was submitted to the Human Rights Council (A/HRC/31/64).
The Council of Europe Convention 108
To facilitate the process of further discussion of the dimensions of the right to privacy and its relationship with other human rights, the Special Rapporteur has developed a ten-point framework action plan. The strengths of UN initiatives include: wide respect and global coverage; a long history of promoting and protecting human rights; and recognition of privacy as a fundamental right. Limitations of UN initiatives include: current treaty provisions too high for day-to-day impact – the right to privacy needs to be translated into further detailed principles; and the UN faces some significant resource constraints.
The OECD
Overall, the CoE Convention is the most promising international development in an area where any initiative faces significant challenges.
International Data Protection Commissioner’s initiatives
Such divergences are already evident in the structure of the Kenyan and Ugandan data protection bills.
REGIONAL INITIATIVES
The European Union (EU)
The EU Data Protection Directive (1995) sets requirements for the transfer of data outside the European Union. The EU BCRs are specific to the countries within the European Union; however, many other privacy frameworks are modeled after or closely followed. Companies or business groups must first designate a “lead authority” among the European national data protection authorities if they are interested in subscribing to the EU BCR program.
Asia-Pacific Economic Cooperation (APEC)
The number of users is almost impossible to estimate, as the system is voluntary and companies can adopt the clauses without being included in a central register. In theory, other countries will participate in the CBPRs and 'accept' this third party accreditation as a sign of compliance. APEC CBPRs is a very new program and as of early 2016 there are only 13 approved organizations, all from the United States.
African Union (AU)
The accountability agent is supposed to certify the organization and then re-certify them annually. Once deemed compliant, organizations are included in a compliance directory. Organizations are subject to potential enforcement, through law or contract, by Accountability Agents and also privacy enforcement authorities in participating economies.
The Commonwealth
The adoption of the model laws by several countries has had a positive impact on harmonization. The Commonwealth also provides some technical and capacity building assistance to its members, particularly the less developed Member States in Africa, the Caribbean and the Pacific. Overall, the Commonwealth initiative is quite limited, but it does help reach a number of countries that are not part of other regional initiatives.
Trade agreements
SELECT NATIONAL INITIATIVES AND EXPERIENCES
PRIVATE SECTOR AND CIVIL SOCIETY PERSPECTIVES
The private sector
The private sector regularly contributes to the debate on data protection and international data flows. government on the need to improve controls and oversight in relation to national security surveillance following Edward Snowden's revelations in June 2013. The APEC CBPRs is a good example of a data protection regime introduced and promoted by both government and business.
It is an example of a recent trend for the private sector to engage directly with privacy-related policy development, rather than being a passive observer or simply 'responding' to government policy initiatives. Through all these initiatives, the private sector has presented a fairly clear and consistent set of arguments on the need to balance data protection. Interestingly, these private sector policy positions are supported by a wide range of stakeholders within and outside the private sector.
The private sector has also expressed some support for strong enforcement, particularly the use of fines and sanctions by the Federal Trade Commission in the United States. Harmonized and comprehensive privacy regulation, combined with active enforcement and significant fines, establishes a strong deterrent to encourage compliance with privacy and security requirements in the US – perhaps even stronger than in the EU. Overall, the private sector has played an important role in ensuring the right balance between data protection, innovation and competition.
They have also drawn attention to the difficulties faced by small businesses in complying with some specific data protection requirements.
Civil society
The law on data protection and privacy aims to provide mechanisms and measures for the protection of personal data.
CONCLUSIONS
POLICY OPTIONS
Computer and Communications Industry Association Commentary on Data Protection Regulations and International Data Flows: Impact on Businesses and Consumers. The specificity of the AU Convention on Cyber Security and Protection of Personal Data makes it unique – it addresses PDP, electronic transactions, cybercrime and cyber security in one place. The APEC Privacy Principles (and a commentary on the Principles) are the core of the APEC Privacy Framework.
The scope of the Supplementary Act is very broad, as it includes the processing of all personal data. One of the key provisions in the Act is Article 14 on the establishment of an independent Data Protection Authority in each member state. A working group on the Protection of Individuals with regard to the Processing of Personal Data is composed of representatives of the national supervisory authorities, representatives of the European Data Protection Supervisor and a representative of the Commission.
In the new proposal, Brazil should create a new public authority to determine the conditions of data transferability. In 2009, the Government of Mauritius sought accreditation from the European Union regarding the adequacy of data protection safeguards in Mauritius. Nigeria has chosen to introduce data protection into the legal framework through a modification of the penal code.
In the absence of a comprehensive legal framework, data protection and privacy issues are provided for piecemeal in the following laws.