Towards an International Treaty for Data Protection? Cookies are Baking Our Privacy Crumble M

43  Download (0)

Full text

(1)

Cookies are Baking Our Privacy Crumble M

Towards an International Treaty for Data Protection?

Master’s Thesis

LLM in Public International Law

Student: Rizzo Anna Student Number: 13696203 e-mail: anna.rizzo@student.uva.nl Supervisor: Dr. Josef Ostransky

Date of Submission: 30 June 2022 Word Count: 12.958

(2)

Abstract

‘There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time.

But at any rate, they could plug in your wire whenever they wanted to. You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.’1 wrote George Orwell in ‘1984’.

On the Cookies Policy page of Meta Platforms Ireland Limited, better known as Facebook, cookies are explained as small pieces of text used to store information on web browsers, store and receive identifiers and other information on computers, phones and other devices. Cookies are used for the purpose, among many, of security and product integrity; advertising and recommendations, as they are used to measure how often people do things, such as make a purchase following an ad; site features and services, as cookies help store preferences, know when users have seen or interacted with Facebook’s content and provide customised content; performance, as they help record the ratio and dimensions of the user’s screen and windows.2 In synthesis, cookies are invisible trackers that provide users’ personal information.3

Let us compare… The two phrases are at a distance of 73 years. However, the telescreens and Big Brothers are no longer just a dystopian feature of Orwell’s book, but today’s reality as modem technology has begun to infringe upon the fundamental right to privacy. Calls for a uniform regulation and protection of data internationally to safeguard all world citizens’ privacy and data equally are increasingly made. Building on a positivistic, normative, comparative and doctrinal approach, this paper aims to analyse and compare the European and American legal frameworks to discern whether such an objective is attainable. All to conclude that their differences are too deeply rooted in their history and orientations to render feasible the objective of an international treaty on data protection in the near future.

1 George Orwell, 1984 (1st edn Penguin Books Ltd (UK) 2008) 5.

2 ‘Cookies & other storage technologies’ (Meta, 4 January 2022) <https://www.facebook.com/policy/cookies/> accessed 1 June 2022.

3 Robert Slattery & Marilyn Krawitz, ‘Mark Zuckerberg, the Cookie Monster: Australian Privacy Law and Internet Cookies’ (2014) 16(1) Flinders law journal 1. 9.

(3)

Table of Contents

Abstract ... 2

Table of Contents ... 3

Abbreviations ... 4

Introduction ... 5

I. Data ... 7

A. What is ‘Data’? ... 7

B. Growing Importance of Data ... 8

II. The International Legal Landscape ... 10

A. The Right to Privacy in International Law ... 10

B. The Right to Privacy and Data Protection ... 11

C. Data Protection in International Law ... 12

III. What Can We Find in the World? ... 14

A. European Union ... 14

1. Legal Provisions Today ... 15

2. Key Notions ... 18

B. United States... 21

1. Legal Provisions Today ... 22

2. Key Notions ... 25

IV. International Data Protection Treaty ... 28

A. Harmonisation Between EU and US ... 29

Conclusion... 33

Bibliography ... 35

(4)

Abbreviations

ABBREVIATIONS DEFINITIONS

CCPA California Consumer Privacy Act

CFR European Charter of Fundamental Rights

CJEU Court of Justice of the European Union

CoE Council of Europe

Convention 108 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

CPA Colorado Privacy Act

CPRA California Consumer Privacy Rights Act

Directive 95/46/EC Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data

DPO Data Protection Officer

ECHR European Convention of Human Rights

ECtHR European Court of Human Rights

EDPB European Data Protection Board

EEC European Economic Community

EU European Union

FCRA Fair Credit Reporting Act

FTC Federal Trade Commission

GDPR General Data Protection Regulation

HRC Human Rights Committee

ICCPR International Covenant on Civil and Political Rights

ILC International Law Commission

LGPD Lei Geral de Proteção de Dados

OECD Organization for Economic Cooperation and

Development

OECD Guidelines OECD Guidelines on Protection of Privacy and Transborder Flows of Personal Data

UCPA Utah Consumer Privacy Act

UDHR Universal Declaration of Human Rights

US United States

VCDPA Virginia Consumer Data Protection Act

(5)

Introduction

The dystopian world described by Orwell in 1949 in his renowned book ‘1984’ narrates a nation where people are constantly watched and listened to; they cannot have free thought, feelings, and any expression of individuality. An imaginary horror seemingly far off from reality. Yet, the Internet gets today’s world closer and closer to that Orwellian world. IP addresses can provide websites with information on a computer and its general location, for example. Cookies produce more complete information about the user: it not only collects material about which webpages the user visits but also about their activities on the website, for them to recognise a specific user, which can lead to the website remembering a user ID and memorising preferences for later visits.4

A simple solution would seem to be to stop using the Internet. However, it has become a necessity for everyday life, and it always will be. Thus, the main focus should be safeguarding the users’ rights on the web. The continuous developments of this ‘new’ environment have led to the introduction of new rights and obligations, but they have also led to a broader scope of pre-existing rights, such as the right to privacy and data protection, as they now also apply to the online world. As several online data breaches take place every year, and as the role of the Internet and data will be of even greater importance in the future, it is of utmost priority for it to be regulated. Trends have shown that more and more countries and regions are introducing privacy laws for data protection. As data is not restricted by geographical limits and moves from country to country – the scope of this paper is to analyse the existing data protection regulations in different regions, specifically the EU and the US.

Ideally, there should be a uniform regulation and protection of data and an international treaty for data protection to safeguard all world citizens’ privacy and data equally. This paper will present whether such an objective is feasible or not by acknowledging and reconciling the similarities or differences between the European and American legal frameworks.

This principal scope will be sustained by preliminary legal questions. The first one presents an overview of what is data and why it has become important in the last years. The second regards the understanding of the right to privacy in the sense of Article 12 UDHR and Article 17 ICCPR, as well as; its importance in the digital age. The third requests an outline of the connection between the right to privacy with the right to data protection, leading to an overview of international legislation in place today that protects the right to data protection in the online environment. Subsequently, the other preliminary questions are interconnected: how data is protected in the EU and how data is protected in the US. These last questions analyse the legal framework and the key notions of each of

4 Norman Gervais, ‘Governmental Internet Information Collection: Cookies Placing Personal Privacy at Risk’ 40(2) Bulletin of the American Society for Information Science and Technology (2014) 27. 28.

(6)

these systems: to draw comparisons between the two systems and understand their similarities and differences in safeguarding data in their scope.

In writing this paper, the methodology used will be positivistic, normative, comparative and doctrinal. Comparative as two different jurisdictions will be compared, namely the EU and the US and doctrinal because a critical, qualitative analysis of the issue at hand will be carried out by using primary sources, for example, the relevant articles from the ICCPR, the UDHR, the ECHR, the GDPR and pertinent case-law. Moreover, secondary sources will be studied, such as academic writings, books, journals, websites and newspapers. With these sources, research will be led to analyse and answer the aforementioned questions. And this paper will proceed in the following way. The first chapter will present a general introduction to the concept of data and why data protection is called for at the international level. Secondly, there will be an outline of the right to privacy, its connection to data protection and an overview of the laws in place today connected to data protection in the international sphere. In the third chapter: an introduction and analysis of the data protection legislation in two different systems will be presented, focusing on the EU and the US and their main takeaways. In the following chapter, there will be an outline of their similarities and differences and whether such differences could be reconciled: for a multilateral international treaty for data protection.

To conclude, the paper will summarise the analysis and the answers to the questions posed.

(7)

I. Data

A. What is ‘Data’?

The Cambridge Dictionary defines data as ‘information, especially facts or numbers, collected to be examined and considered and used to help decision-making or information in an electronic form that can be stored and used by a computer.’5 Relative to today’s computers and transmission media, data is information translated into a form efficient for movement or processing, converted into binary digital form.6 Simply put, it is a translation of people, things, behaviours and relations into information that can be stored, computed and visualised by computers.7

In the context of computing, the concept of data has its roots in the work of Claude Shannon, an American mathematician known as the father of information theory. Early on, data’s importance in business intelligence became clear by the popularity of the terms ‘data processing’ and ‘electronic data processing’, which, for a period of time, entailed the full range of what is now known as information technology. Over the past decade, the growth of the web and technological devices led to a surge in digital data creation. Data now includes text, audio and video information, log and web activity records. Furthermore, data has meaning beyond its use in data processing computing applications. For example, in science, the term data is used to describe a gathered body of facts; that is also the case in fields such as finance, marketing and health.8 Normally, a user’s mundane data – an email, a GPS location, or a visit to any website – is meaningless in itself: when this data is combined, secured together and operationalised, that people, as data, become worthwhile. People’s datafied lives: when aggregated and transcoded into quotation-marked categories, increasingly define who they are and who they can be. Derived from every search, like, click, and purchase, algorithms determine the news people get, the ads they see, the information accessible to them and even who their friends are. Algorithms are everywhere, organising the limitless data that exists in the world.

They use the data to assign and reassign gender, race, sexuality, and citizenship status. They can recognise people as celebrities or mark them as terrorists. Contemporary data collection entails more than gathering information about people. Entities like Google and Facebook also decide what that information means, constructing the worlds and identities they inhabit. There is little control over

5 ‘Data’ (Cambridge Dictionary) <https://dictionary.cambridge.org/dictionary/english/data> accessed 11 March 2022.

6 ‘What Is Data? - Definition from WhatIs.Com’ (SearchDataManagement, July 2019)

<https://www.techtarget.com/searchdatamanagement/definition/data> accessed 11 March 2022.

7 Rocco Bellanova, ‘Digital, politics, and algorithms: Governing digital data through the lens of data protection’ (2017) 20(3) European Journal of Social Theory 329. 331.

8 SearchDataManagement (n.6).

(8)

who persons are algorithmically as persons’ identities are made not for them but for someone else.9 As Lupton recently suggested, data are ‘companion species that have a life of their own that is beyond our complete control’.10 However, their production, processing and existence affect people. Hence, protecting data is of both governmental and political relevance.11

B. Growing Importance of Data

In older data systems, a simple print-out or summary would suffice to give the data subject oversight over the content of the data undergoing processing. Today, however, many data systems collect such a large amount of data that this is not possible anymore.12

This change began on Friday, April 13, 2007, when the ‘Data Wars’ commenced. Google had just acquired targeted-advertising DoubleClick for $3.1 billion in cash, ushering a massive collection of data between Google search information and DoubleClick user-tracked marketing data. With this announcement, data had become a business. Before the deal, Google had access only to emails and search history. Now, Google could also know which pages people visited, how often, how long they stayed on them, and which pages they went to; before and after visiting a site. Four months later, Microsoft spent $6.3 billion to buy digital-marketing company aQuantive. And Yahoo! had purchased two companies; Right Media and advertising network Blue Lithium. These ‘wars’ were not about Google, Microsoft, and Yahoo! wanting to invade privacy but rather to show a new type of market power: collecting enough data to grow from mere search engines into much more profitable advertising giants, capable of providing enquiry results next to defined commercial propaganda. The consequences of such collection go well beyond these companies and their role in the general erosion of privacy online.13 They surveil the users but also require surveillance.

Deep concerns have also been expressed as surveillance practices impact people’s human rights, including their rights to privacy, freedom of expression and opinion, freedom of assembly, family life and health.14 Indeed nowadays, digital files concerning a person’s health, finances, travel, and consumption are stored online in ‘the cloud’, and users typically have little direct ability to shield

9 John Cheney-Lippold, ‘We Are Data: Algorithms and the Making of Our Digital Selves’ (NYU Press 2017) 1. 220.

10 Deborah Lupton, ‘Digital Companion Species and Eating Data: Implications for Theorising Digital Data–Human Assemblages’ (2016) 3 Big Data & Society 1. 3.

11 Bellanova (n.7), 331.

12 Jef Ausloos, Michael Veale & Réne Mahieu, ‘Getting Data Subject Rights Right: A submission to the European Data Protection Board from international data rights academics, to inform regulatory guidance’ (2019) 10(3) Journal of Intellectual Property, Information Technology and Electronic Commerce Law 283. 286.

13 Cheney-Lippold (n.9).

14 UNCHR ‘Summary of the Human Rights Council panel discussion on the right to privacy in the digital age’ (19 December 2014) A/HRC/28/39, para.6.

(9)

their stored records from outside scrutiny. Government access to such records has grown exponentially faster and cheaply.15 Thus when multiple data sources are combined with unknown infrastructure and algorithms, people become increasingly fearful of participating in society, curtailing their right to liberty. The consequences for mental health and well-being are profound and require investigation and research urgently. States and non-State actors have human rights obligations to protect the right to health, including mental health. However, the omnipresent surveillance, enabled by data, is a fundamental erosion of that right,16 among many others. Such erosion can also be seen in the recent COVID-19 pandemic scenario, where Governments and technology companies processed personal and health-related data. In many instances, systems limiting data processing to what is strictly required for specific health-related purposes were not in place. Government-mandated contact tracing apps could have been used to access users’ personal data as a government surveillance tool. Thus, the pandemic has revealed limitations in existing data protection laws for covering emerging risks to personal data and privacy.17

The existing human rights framework provides essential guidance to the use and governance of digital technologies. Nonetheless, the advances in digital technology are transforming the capabilities of States, global tech giants, and private entities as they can now carry out surveillance on entire populations to an unprecedented degree.18 Perhaps, the most significant challenge is that the users’ right to privacy can be compromised without the individual being aware.19 That is why a comprehensive international legal instrument for data protection has been requested more and more.

15 Stephen J. Schulhofer, ‘An international right to privacy? Be careful what you wish for’, (2016) 14(1) International Journal of Constitutional Law 238. 241.

16 UNCHR ‘Report of the Special Rapporteur on the right of everyone to the enjoyment of the highest attainable standard of physical and mental health’ (15 April 2020) A/HRC/44/48, para.78.

17 UNGA ‘Right to privacy - Note by the Secretary-General’ (23 July 2021) A/76/220, para.17, 81, 84.

18 A/HRC/44/48 (n.16), para.76.

19 ‘What Is Privacy?’ (Privacy International, 23 October 2017) <http://privacyinternational.org/explainer/56/what- privacy> accessed 15 March 2022.

(10)

II. The International Legal Landscape

A. The Right to Privacy in International Law

Privacy is usually defined as the right of any citizen to control their personal information and decide whether to disclose information. Article 12 UDHR20, Article 17 ICCPR21 and many other international and regional human rights conventions recognise the fundamental importance of the right to privacy and the need to ensure its safeguard in law and practice.22 Defining the concept of privacy is difficult. Although this does not undermine its importance: it has been described as ‘the right most valued by civilized men’.23 The right to privacy has a crucial role in a democratic society and in the balance of power State-individual. It is an expression of human dignity and is connected to human autonomy and personal identity protection.24 The safeguard of the right to privacy is broad.25 It is not limited to private spaces, such as people’s homes, but extends to public areas and information publicly available.26 For example, it comes into play when a Government observes individuals by monitoring a public space, such as a train station. Similarly, when information publicly available about an individual on social media is collected, it also implicates the right to privacy.27

The right to privacy applies to everyone. Differences in its protection based on race, colour, sex, religion, political or other opinions, etc. are inconsistent with the principle of non-discrimination laid down in Articles 2(1) and 3 ICCPR28. In other words, pursuant to Article 2(1) of the Covenant, States must not only refrain from violating the rights recognised in the Covenant but also take positive steps to protect the enjoyment of those rights. This implies a duty to adopt adequate legislative measures to safeguard individuals against interference in their privacy: from State authorities, natural or legal persons. 29 However, interferences may take place. According to Article 17 ICCPR, only if

20 Universal Declaration of Human Rights (adopted 10 December 1948) UNGA Res 217 A(III) (UDHR), art. 12.

21 International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 (ICCPR), art. 17.

22 UNCHR ‘Report of the United Nations High Commissioner for Human Rights on the right to privacy in the digital age’

(30 June 2014) A/HRC/27/37, para.13.

23 Maria Tzanou, ‘Data protection as a fundamental right next to privacy? ‘Reconstructing’ a not so new right’ (2013) 3(2) International Data Privacy Law 88. 88.

24 UNCHR ‘Report of the United Nations High Commissioner for Human Rights on the right to privacy in the digital age’

(13 September 2021) UN Doc A/HRC/48/31, para.7.

25 A/HRC/27/37 (n.22), para.19.

26 HRC ‘Concluding observations on the seventh periodic report of Colombia’ (17 November 2016) CCPR/C/COL/CO/7, para.32.

27 UNCHR ‘Report of the United Nations High Commissioner for Human Rights on the right to privacy in the digital age’

(3 August 2018) UN Doc A/HRC/39/29, para.6.

28 ICCPR (n.21), art. 2(1), art. 3.

29 A/HRC/48/31 (n.24), para.22.

(11)

they are neither arbitrary nor unlawful.30 Human rights mechanisms have consistently interpreted those words as pointing to the overarching principles of legality, necessity and proportionality.31 In General Comment No.16, the HRC explained that “Interference authorized by States can only take place on the basis of law, which itself must comply with the provisions, aims and objectives of the Covenant”. 32 Moreover, limitations can only be lawful and non-arbitrary if they serve a legitimate purpose: they must be necessary; in proportion to the aim and the least intrusive options available.

Lastly, the essence of the right should not be rendered meaningless.33

Notably, the right to privacy is central to the enjoyment; and exercise of human rights online and offline.34 In July 2015, the appointment of the first UN Special Rapporteur on the Right to Privacy in the Digital Age took place, reflecting the rising prominence of privacy in global digital policy.35 Thus, its importance for the enjoyment and exercise of other human rights online and offline in an increasingly data-centric world is growing, and the need to address the challenges that the digital world brings to the right to privacy is more acute than ever.36

B. The Right to Privacy and Data Protection

Thus, interrelated to privacy is: data protection, a legal mechanism that ensures privacy. To paint a picture: data protection can be seen as an offspring of privacy, inextricably tied to it by a birth cord.

However, data protection is trying to break free to mark its way in life.37 As technology advances, it becomes easier to access individuals’ personal information without much effort, merely by pressing a button. Today, data protection appears to be at the forefront of privacy concerns, and people are worried about losing their privacy. However, the current legal framework of data protection in the context of online technologies is unclear and insufficient to deal with the current technologies.38

It must be noted: however, that the concepts ‘data protection’ and ‘privacy’ are twins but not identical. Generally speaking, data protection law seeks to give rights to individuals: how data identifying them or about them are processed and to subject such processing to a defined set of

30 ICCPR (n.21), art.17.

31 A/HRC/27/37 (n.22), para.21-27.

32 UN Human Rights Committee (HRC), CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, 8 April 1988, 1.

33 A/HRC/39/29 (n.27), para.10.

34 ‘International standards – OHCHR and privacy in the digital age’ (UN Human Rights Committee (HRC))

<https://www.ohchr.org/en/privacy-in-the-digital-age/international-standards> accessed 19 April 2022.

35 Clément Perarnaud, ‘Privacy And Data Protection In 2022 | DW Observatory’ (digWatch)

<https://dig.watch/topics/privacy-and-data-protection> accessed 20 April 2022.

36 A/HRC/39/29 (n.27), para.11.

37 Tzanou (n.23).

38 Alexandra Rengel, ‘Privacy as an International Human Right and the Right to Obscurity in Cyberspace’ (2014) 2(2) Groningen Journal of International Law 33. 33.

(12)

safeguards.39 Data protection seems to be part of the side of privacy known as control over personal information. However, ‘what privacy protects is irreducible to personal information’. 40 Data protection refers to regulation over the gathering and further use of personal data to safeguard the privacy of the individual to whom the data pertains. Privacy as a concept is broader: intrusion into one’s home generally falls within the ambit of privacy but not data protection. Likewise, the violation of data protection law does not always entail the violation of privacy: using an individual’s inaccurate personal data may constitute a data protection infringement, but not necessarily that of an individual’s privacy.41 Privacy may be the central value behind data protection legislation, but data protection rules further other interests and attend to other fundamental rights. Thus, privacy is ‘one, if not the, major’ value that data protection laws aim to safeguard. 42

C. Data Protection in International Law

Historically, data protection legislation is relatively a newcomer. The first data protection legislation was enacted in 1970 by the German state of Hesse.Today, a fundamental international document on privacy and data protection is the OECD Guidelines from 1980. Even though these guidelines are non-binding, together with the OECD’s subsequent work, they have inspired many international, regional, and national regulations on privacy and data protection. Nowadays, virtually all OECD countries have enacted privacy laws and empowered authorities to enforce those laws.43 Usually, the normative basis of data protection law relies heavily on human rights treaties such as the UDHR and ICCPR. However, these conventions do not explicitly mention data protection, and the only data protection instrument issued so far by the UN takes the form of a non-binding guidance document.

Thus, ‘there does not exist a truly global convention or treaty dealing specifically with data privacy’.44 In 1999, the Hague Conference on Private International Law contemplated the issue of jurisdiction and the applicable legislation in data protection in the scope of its ‘Geneva Round Table on Electronic Commerce and Private International Law’. But this work merely resulted in a statement that the

39 Christopher Kuner, ‘An International Legal Framework for Data Protection: Issues and Prospects’ (2009) 25 Computer Law & Security Review 307. 308.

40 A/HRC/39/29 (n.27), para.90.

41 Daniel Cooper & Christopher Kuner, ‘Data Protection Law and International Dispute Resolution (Volume 382)’ (2017) Collected Courses of the Hague Academy of International Law 18. 60.

42 A/HRC/39/29 (n.27), 91.

43Perarnaud (n.35).

44 Kuner (n.39), 310.

(13)

subject required further study.45 The ILC has admitted that data protection is an area ‘in which State practice is not yet extensive or fully developed’.46

Nonetheless, calls for a binding international legal instrument are increasingly made. Yet while there is a need for a global legal approach in the field, realistically, there is a scarce chance of an UN-sponsored convention being adopted in the short term. Nevertheless, numerous international and regional instruments on data protection exist, and they take the form of guidelines, recommendations, or codes of practice. Although ‘soft law’ only, some carry a great deal of political and commercial weight; accordingly, they have considerable influence on the development of data protection law.47 The OECD Guidelines of 1980, for example, are to be regarded as minimum standards for the protection of privacy and individual liberties. They introduced principles such as the collection limitation principle, the data quality: as personal data should be accurate, complete and kept up-to-date, purpose specification; as the purpose of the collection needs to be clearly stated, use limitation, security safeguards of the personal data, openness: about developments, practices and policies concerning personal data and individual participation of persons as they have a right to obtain the data, communicate with the controllers and to challenge the processing for data to be erased, rectified, completed or amended, and lastly, the accountability of the controller. All these features helped the Member States to implement legislation domestically.48 And this will be seen in the following chapters.

45 Christopher Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’ (2010) 18(2) International Journal of Law and Information Technology 176. 186-187.

46 Kuner (n.39), 310.

47 Lee A. Bygrave, ‘Privacy and Data Protection in an International Perspective’ (2010) Stockholm Institute for Scandinavian Law & Lee A Bygrave, 166, <https://www.scandinavianlaw.se/pdf/56-8.pdf> accessed 22 March 2022.

183.

48 Organisation for Economic Cooperation and Development (OECD), Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data, 23 September 1980.

(14)

III. What Can We Find in the World?

As people share more and more data online, some governments have started protecting that data through legislation.49 There is a growing global consensus on minimum standards that should govern the processing of personal data by States, business enterprises and other private actors. 50 The regional legal and human rights instruments containing privacy provisions may be classified into two sub- groups: the non-EU instruments and the EU instruments, since Europe is considered the home of the world’s oldest and most comprehensive data privacy regulations.51 Even though most data protection legislation is based on the same international documents and fundamental principles,52 differences in data protection persist because of different historical experiences, as reflected in the diverse approaches to the legal protection of personal data. Some countries or regions present a horizontal legal basis for data protection, like the EU,53 while others have more of a fragmented and sector- specific line, like the US. Another considerable difference is between the view of data protection: a non-alienable fundamental right for the EU and an alienable interest in the US.54

Thus, this chapter provides an overview of the principal data protection legal instruments at regional and national levels: specifically, the legal frameworks present in the EU and US.

A. European Union

While in the International context, the right to privacy and the right to data protection are recognised as two separate rights, in Europe, they are considered vital components of a sustainable democracy;

both rights are deemed instrumental in preserving and promoting fundamental values and rights. At the same time, they need to be balanced against other EU values, human rights, or public and private interests, such as the fundamental right to freedom of expression.55

Both the ECHR and the CFR have a provision for privacy: Article 8 ECHR and Article 7 CFR provide that everyone has the right to respect their private and family life, home, and

49 ‘The Future of Data Protection: What We Expect in 2021’ (Access Now, 28 January 2021)

<https://www.accessnow.org/the-future-of-data-protection-what-we-expect-in-2021/> accessed 24 March 2022.

50 A/HRC/39/29 (n.27), para.28.

51 Toriqul Islam, ‘A Brief Introduction to the Right to Privacy – An International Legal Perspective’ (2022) GlobaLex

<https://www.nyulawglobal.org/globalex/Right_To_Privacy_International_Perspective.html>, accessed 24 March 2022.

52 Kuner (n.39), 310.

53 Gavin Robinson, ‘Data protection reform, passenger name record and telecommunications data retention’ (2012) 95(4) Nomos Verlagsgesellschaft mbH 394. 394.

54 Cooper & Kuner (n.41), 48.

55 ‘Data Protection’ (EDPS – European Data Protection Supervisor) <https://edps.europa.eu/data-protection/data- protection_en> accessed 02 May 2022.

(15)

communications.56 In addition, the right to respect for private life was and continues to be; protected as a general principle of EU law. Furthermore, Article 8 CFR retains the protection of personal data as a fundamental right.57 The entry into force of the Lisbon Treaty in 2009 gave the CFR the same legal value as the constitutional treaties of the EU: hence, the EU institutions, bodies and the Member States are bound by it. This means that in the European constitutional context, at least, data protection is considered to add something to privacy. 58 Even though the ECHR does not contain anything on such a matter, the ECtHR has applied Article 8 ECHR to give rise to a right of data protection in data storage relating to an individual’s private life.59 Likewise, the CJEU interprets ‘private life’ as comprising the protection of personal data: defined as any information relating to an identified or identifiable individual:60 including, for example, names, dates of birth, photographs and email addresses.61 Moreover, the processing of personal data that reveals the racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and health is prohibited as a default rule in the European data protection context due to the high risk it may cause to the rights and freedoms of the individual.62

1. Legal Provisions Today

At the European level, there are many instruments on privacy and data protection; one of them is the CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981, also known as the ‘Convention 108’. It aims to secure in the territory of each party respect for every individual’s right to data protection, whatever their nationality or residence.63 This Convention enabled more proactive and systematic protection of personal data, as it applies to all personal data, regardless of whether the right to privacy is at stake.64 The Convention allows the

56 Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, as amended), art.8; Charter of Fundamental Rights of the European Union, 26 October 2012, 2012/C 326/02, art.7.

57 Juliane Kokott & Christoph Sobotta, ‘The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR’ (2013) 3(4) International Data Privacy Law 222. 223.

58 EDPS (n.55).

59 Amann v Switzerland App No 27798/95 (ECtHR, 16 February 2000), para. 65; Rotaru v Romania App No 28341/95 (ECtHR, 4 May 2000), para.43.

60 Joined Cases C–92/09 and C–93/09 Volker und Markus Schecke and Eifert [2010] ECR I-11063, para.52.

61 EDPS (n.55).

62 Andreas Nautsch, Catherine Jasserand, Els Kindt, Massimiliano Todisco, Isabel Trancoso and Nicholas Evans, ‘The GDPR & Speech Data: Reflections of Legal and Technology Communities, First Steps towards a Common Understanding’ (2019) Cornell University <https://arxiv.org/abs/1907.03458> accessed 30 May 2022.

63 Lingjie Kong, ‘Data Protection and Transborder Data Flow in the European and Global Context’ (2010) 21(2) European Journal of International Law 441. 442.

64 Peter Hustinx, ‘The Reform of EU Data Protection: Towards More Effective and More Consistent Data Protection Across the EU’ in Astrid Epiney & Tobias Fasnacht (eds), Die Entwicklung der europarechtlichen Vorgaben im Bereich des Datenschutzes und Implikationen für die Schweiz/Le développement du droit européen en matière de protection des données et ses implications pour la Suisse (Schulthess Juristische Medien 2012) 15.

<https://edps.europa.eu/sites/edp/files/publication/13-01-15_speech-fribourg_en.pdf> accessed 29 March 2022. 2.

(16)

collection and processing of personal data: but it restricts the processing of sensitive data, such as race, sex, or health data, and data relating to one’s sexual life, religious, or political views. It also affords individuals the right to know about their stored personal data and to have it corrected if necessary.65 On transborder data flow, the core criterion is the equivalence principle. Obstacles between the Contracting States are not permitted, and the transfer of personal data to non-Contracting States is prohibited unless equivalent protection is provided to the data transferred.66 Indeed, although the GDPR was adopted by an EU regional organisation, it is open for ratification by States not belonging to the CoE, though only upon the Council’s invitation.67 Because of the technological advances ever since the CoE felt the need to modernise this instrument to address emerging privacy challenges and enhance its follow-up mechanism.68 In May 2018, after seven years of intense deliberation, Convention 108 was modernised. The novelties of Modernized Convention 108 can be summarised as follows: it introduced some new rights for the data subjects, for example, the right not to be subject to automated decision making, profiling, and algorithms; the right to object, and it added several new protections. Overall, the standards offered by the Modernized Convention 108 are manifestly higher than the standards of the previous Convention 108 and its Additional Protocol of 2001. 69

The EU Data Protection Directive 95/46/EC was also an important EU legislation for personal data processing and – not only – has had an enormous impact on the growth of national legislation in Europe but globally.70 The Directive set the international standard for data privacy and security regulation and facilitated a trend among technologically advanced Countries toward adopting national data privacy laws.71 As recitals of the Directive note, economic and social integration resulting from the establishment of the internal market led to a substantial increase in the cross-border data flow of personal data in the different Member States.72 The difference in levels of data protection in the Member States may have prevented the transmission of personal data from one State to another and constituted an obstacle to the pursuit of several economic activities at the Community level. Therefore, there was a need for harmonisation to guarantee a minimum level of data protection at the Community level, and the Directive did so.73

65 Islam (n.51).

66 Kong (n.63), 442.

67 Council of Europe, Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data, 28 January 1981, ETS 108, art.23.

68 Council of Europe, ‘Explanatory Report of Convention 108’ (2018) Treaty Series - No.223.

69 Islam (n.51).

70 Perarnaud (n.35).

71 McKay Cunningham, ‘Complying with International Data Protection Law’ (2016) 84(2) University of Cincinnati law review 421. 426.

72 European Union, Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 24 October 1995, recital 5.

73 Kong (n.63), 443.

(17)

However, subsequently, Directive 95/46/EC was abolished by the GDPR in 2018, which made several changes in almost everything following the OECD Guidelines of 1980. 74 The GDPR is a legal framework with the scope to ensure transparency and fairness in data collection and processing;75 as the UN Special Rapporteur on the right to privacy remarked, ‘the protection of personal information online should be a priority with the adoption of provisions equivalent or superior to GDPR, for countries that are not parties to the Regulation’.76 It is the most comprehensive and progressive piece of data protection legislation in the world: updated to deal with the implications of the digital age. It has created new rights for individuals and several new and comprehensive obligations in the digital environment. 77 The GDPR highlights consent and autonomy while also assigning importance to the data controllers’ duties.78 Notably, it also applies to organisations or companies not established in the EU who offer goods and services to individuals in the EU or monitor their behaviour.79 This extraterritorial application of the GDPR gives rise to tension worldwide as non-compliance leads to severe fines and penalties of up to €20million or 4% of annual turnover, whichever is higher.80 Thus, global tech giants are gradually shaping their business models in compliance with the provisions of the GDPR. For example, Microsoft proclaimed to meet the GDPR key requirements to all their customers.81 Facebook has changed their privacy settings and tools in compliance with current EU data protection laws, including the GDPR.82 And Google has updated its privacy policies to be compliant with all applicable data protection laws: GDPR, LGPD and the CCPA.83 Thus, the GDPR is playing an increasingly prominent role in today’s global technological environment and is now widely viewed as privacy law, not just for the EU; but for the world.84 It certainly provides the strongest privacy protections of any law today.85

74 Islam (n.51).

75 Dobber T, ‘Data’ (PhD thesis, University of Amsterdam 2020).

76 UNCHR ‘Report of the Special Rapporteur on the right to privacy’ (27 February 2019) A/HRC/40/63, 16.

77 EDPS (n.55).

78 Özgür Heval Çınar, ‘The Right To Privacy In International Human Rights Law’ (2019) 13(1) Journal of Information Systems & Operations Management 1. 9.

79 EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1, art.3.

80 ibid, art.83(5).

81 ‘Microsoft’s GDPR Commitments to Customers of our Generally Available Enterprise Software Products’ (Microsoft)

<https://docs.microsoft.com/en-us/legal/gdpr> accessed 25 May 2022.

82 ‘What is the General Data Protection Regulation (GDPR)?’ (Meta) <https://www.facebook.com/business/gdpr>

accessed 25 May 2022.

83 ‘We are committed to complying with applicable data protection laws’ (Google Business Data Responsibility)

<https://business.safety.google/compliance/> accessed 25 May 2022.

84 Islam (n.51).

85 Vivek Krishnamurthy, ‘A Tale of Two Privacy Laws: The GDPR and the International Right to Privacy’ (2020) 114 AJIL Unbound 26. 28.

(18)

2. Key Notions

From the analysis of the legal provisions that were and are in place in the EU, several key notions can be taken away. In this paper, not all will be considered in depth: only those that, arguably, could be regarded as the essential ones, or as provided in the OECD Guidelines, those that could be seen as the minimum standards for the protection of privacy and individual liberties.

According to Convention 108 and Article 5 GDPR, personal data must be obtained and processed fairly, lawfully, transparently and stored for specified and legitimate purposes: it can be processed only for the scope said; unless the data is completely anonymised. 86 The collection must be adequate, relevant and not excessive in relation to the purposes for which they are stored and, where necessary, kept up to date and preserved in a way which permits identification of the person whose personal data are processed and no longer than required.87 In Europe, common points of departure are present for national data protection regimes. One is the extensive use of ‘opt-in’

requirements for valid consent by data subjects.88 ‘Consent’ entails a ‘clear affirmative action’ that is freely given, specific, informed, unambiguous, documented and easily withdrawn. It cannot be implicitly assumed from pre-ticked boxes, inactivity or silence. 89 People have to make a clear action when agreeing to their data being stored and re-used: signing a consent form or selecting ‘yes’ from a clear yes/no option on a website. Also, it cannot be asked for with vague or confusing language or bundled with other terms and conditions, nor it can be hidden. 90 In this context, Recommendation CM/Rec(2010)13 envisaged the right of Internet users to consent to personal data use for profiling, such as with cookies, and the right to withdraw such consent.91 Consent can be withdrawn at any time, easily and without explanation, although this will not have a retroactive effect. Once the permission is withdrawn, the company can no longer use personal data.92

Furthermore, every user has individual rights, including the right to be informed, access, rectification, erasure and object. Before the user decides to opt-in, certain information needs to be given. 93 The right to be informed, as provided in Articles 13 and 14 GDPR, entails being informed

86 Convention 108 (n.67), art.5; GDPR (n.79), art.5.

87 Committee of Ministers Recommendation (CM) CM/Rec(2014)6 and explanatory memorandum to member States on a guide to human rights for Internet users [2014]; Convention 108 (n.67), art.5(c); GDPR (n.79), art.5(1)(c).

88 Bygrave (n.47), 189.

89 Case C‑673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH [2019] ECLI:EU:C:2019:801, para.62; Case C‑61/19 Orange Romania SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) [2020]

ECLI:EU:C:2020:901, para.37; GDPR (n.79), recital 32.

90 ‘Data protection and online privacy’ (YourEurope, 7 Januray 2022)

<https://europa.eu/youreurope/citizens/consumers/internet-telecoms/data-protection-online-privacy/index_en.htm>

accessed 30 March 2022.

91 Committee of Ministers Recommendation (CM) CM/Rec(2010)13 and explanatory memorandum on the protection of individuals with regard to automatic processing of personal data in the context of profiling [2010]. 10.

92 YourEurope (n.90).

93 YourEurope (n.90).

(19)

about the identity and contact details of the data controller – necessary in the cases where users want to object to the use of data or want to start a case.94 As well as information about the company that will process the data and the contact details of the DPO,95 if there is one, the reason why the company will use the personal data, retention period, and details of any other company that will receive the data and information on the user data protection rights.96 There are exceptions, however; in certain instances, individuals do not have to be informed if the individual already possesses the information, if providing the information to the individual would be difficult, if it would involve a disproportionate effort or if it would render impossible or seriously impair the achievement of the objectives of the processing.97

Secondly, the right to access, as provided in Article 15 GDPR98, entails that in some instances, data subjects can request the data being processed, and they have the right to get a copy of their data, free of charge, in an accessible format.99 Sometimes, it could also be that because of someone’s health, it is better to not share the data with them. After a person can access their data, Article 16 GDPR, with the right to rectification, gives them the possibility to rectify inaccurate or incomplete data.100 Internet users should also be able to exercise control over their data as developed in Convention 108.101 Moreover, after accessing the data, pursuant to Article 17 GDPR, users can enforce their right to erasure, also known as ‘the right to be forgotten’.102 When the personal data is no longer necessary for the purpose for which it was collected or processed, for example, or when an individual’s data was processed unlawfully or in compliance with a legal ruling or obligation, it must be erased.

Furthermore, the entity processing the data has also to inform any other website where the data has been shared, requesting it to be deleted.103 In certain instances, exceptions arise: the data is being used to exercise the right of freedom of expression and information, to perform a task for the public interest or to exercise an organisation’s official authority and when the data represents important information that serves the public interest, scientific research, historical research and where erasure of the data would likely impair the achievement of the processing’s aim, among many. As mentioned in Google

94 GDPR (n.79), art.13(1), 14(1).

95 According to the GDPR, the controller or processor needs to involve the DPO in issues that relate to personal data and their protection. Its main role is to ensure that companies approach data protection issues and compliance seriously.;

Paul Lambert, The Data Protection Officer: Profession, Rules, and Role (CRC Press 2016, 391).

96 YourEurope (n.90); GDPR (n.79), art.13(2), 14(2).

97 GDPR (n.79), art.14(5).

98 GDPR (n.79), art.15.

99 YourEurope (n.90).

100 GDPR (n.79), art.16.

101 CM/Rec(2014)6 (n.87), 20.

102 GDPR (n.79), art.17.

103 GDPR (n.79), art.17(2); YourEurope (n.90).

(20)

v CNIL, the right to erasure, the right to be forgotten, and the right to delisting are not fundamental;

it is recognised only within the EU.104

Moreover, as seen in the previous sub-section, another principle needs to be relied on in situations of international data transfer; adequacy. Adequacy has been the cornerstone of transfers within EU data protection since Directive 95/46/EC.105 Data protection laws are domestic, but in the online environment, data does not respect geographical borders. Cross-border collaboration to provide effective data protection is essential, especially if the EU has to preserve its values and uphold its principles.106 Article 45 GDPR provides for adequacy decisions, which are proposals from the European Commission on the basis of an opinion of the EDPB, and approved by EU countries’

representatives,107 which guarantee the adequacy of the level of data protection in a third country through an evaluation in light of all the circumstances surrounding data transfers.108 Particular consideration is given to the nature of the data, purpose and length of the planned processing operation, the Country of origin, the Country of final destination and the rules of law in place in the third Country.109 The Commission also looks at the existence and effective functioning of one or more independent supervisory authorities and the international commitments or other obligations arising from legally binding conventions or instruments and multilateral or regional systems.110 In Schrems I, the Court further explained what is meant by an ‘adequate level of protection’: when a third country cannot ensure a level of protection identical to that guaranteed in the EU legal order, but essentially equivalent one.111 Today, there are adequacy decisions with Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. Due to the strict requirements of adequacy decisions, the number of countries is limited. And every four years, the Commission reviews these decisions. Thus, those who rely on adequacy cannot hope that their adequacy decision will remain in place indefinitely once approved. Nevertheless, when an adequacy decision is available, it remains the preferred mechanism for transfer obligations112 to comply with EU regulations.

104 Case C-507/17 Google LLC, successor in law to Google Inc. v Commission nationale de l'informatique et des libertés (CNIL) [2019] ECLI:EU:C:2019:15, para.57; GDPR (n.79), art.17(3).

105 Mark Phillips, ‘M. International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR)’ (2018) 137(8) Hum Genet 575. 579.

106 EDPS (n.55).

107 GDPR (n.79), art.45.

108 Directive 95/46/EC (n.72), art.25(2); GDPR (n.79), art.49(1).

109 Kong (n.63), 444.

110 GDPR (n.79), art.45.

111 Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650, para.73.

112 Phillips (n.105), 579.

(21)

B. United States

As data protection has become a priority, concerns have also been raised in the US.113 However, while many countries and regions have passed laws to protect people’s data, and the EU even recognised data protection as a human right, the US has yet to do this. 114

In the US, privacy is a frequently used concept in public, academic and judicial discourse.115 However, the term ‘privacy’ does not appear in the US Constitution or the Bill of Rights; its recognition first occurred in the Supreme Court decision Griswold v Connecticut.116 Subsequent judgements illustrate that the Court finds a right to privacy in the Bill of Rights and the concept of liberty guaranteed by the due process clause of the Fourteenth Amendment.117 In 1977, with Whalen v Roe, the Supreme Court first recognised the right to information privacy. It noted that the Constitution protected two kinds of individual interests: avoiding disclosure of personal matters and making certain kinds of important decisions.118 Overall, the US Supreme Court has derived the right to privacy from the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments.119 For example, the First Amendment provides some level of informational privacy regarding defamatory speech.120 But the Fourth Amendment suggests a right to privacy in electronically stored information. Its guarantee of the ‘right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizure’121 is understood to encompass certain data attributed to a person, such as phone numbers or banking records. However, it only applies in cases where the individual has a ‘legitimate expectation of privacy’, excluding when individuals have voluntarily turned over their information to third parties, such as telephone service providers. Extensive areas of personal

113 Mike Tierney, ‘Data Privacy Laws by State: Different Approaches to Privacy Protection’ (Newtrix Blog, 13 January 2022) <https://blog.netwrix.com/2019/08/27/data-privacy-laws-by-state-the-u-s-approach-to-privacy-protection/>

accessed 13 April 2022; Jean Slemmons Stratford & Juri Stratford, ‘Data Protection and Privacy in the United States and Europe’ <https://iassistquarterly.com/public/pdfs/iqvol223stratford.pdf> accessed 14 April 2022, 17.

114 Amie Stepanovich, ‘Data protection in the United States: Where do we go from here?’ (accessnow, 23 April 2018)

<https://www.accessnow.org/data-protection-in-the-united-states-where-do-we-go-from-here/> accessed 13 April 2022.

115 Bygrave (n.47), 167.

116 Griswold v Connecticut, 381 U.S. 479 (1965), para.12, 14.

117 Jennifer M. Myers, ‘Creating Data Protection Legislation in the United States: An Examination of Current Legislation in the European Union, Spain, and the United States’ (1997) 29(1) Case Western Reserve journal of international law 109. 133.

118 Whalen v Roe, 429 U.S. 589 (1977), para.21.

119 Slemmons Stratford & Stratford (n.113), 17.

120 Domingo R Tan, ‘Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the United States and the European Union’ (1999) 21(4) Loyola of Los Angeles international and comparative law journal 661, 670; U.S. Const. amend.I, Amdt1.2.3.3.2.1.

121 U.S. Const. amend.IV, Amdt4.2.2.2.

(22)

data are eliminated from Fourth Amendment protection.122 Thus, individuals are not provided sufficient privacy protection at the Federal level.123

1. Legal Provisions Today

The first data privacy legislation in the US, the FCRA, was enacted in 1970 to impose limits on data sharing in the consumer credit reporting industry.124 After the Watergate scandal in 1974, Congress ratified the Privacy Act,125 which aimed to control the dissemination of information stored in federal data banks;126 it addressed the problems posed by electronic technologies127 and the potential misuse of personal data held by the government.128 It aimed to regulate the collection and dissemination of information by federal agencies that could disclose the identities of individuals and that could be used in undesirable ways.129 However, the reach of the Privacy Act is extremely limited because it only concerns information stored by the public sector.130

In contrast to the EU’s data protection approach, the dominant approach in the US is grounded in consumer protection regulations. Accordingly, the FTC, an independent US law enforcement agency charged with protecting consumers, has become the primary privacy enforcement agency.131 The agency is an investigative and enforcement authority that enforces consumer protection and antitrust laws and a rulemaking authority: it may use trade regulation rules to address unfair or deceptive practices that occur commonly.132 It can act against companies that, for example, fail to create, implement and maintain reasonable data security breach measures or violate consumer data privacy rights.133 For example, in 2012, it filed a complaint against Facebook because it introduced changes to its privacy policies, including settings that made users’ confidential profile information

122 Parliament, E. & Policies of the Union, D.-G., ‘A comparison between US and EU data protection legislation for law enforcement purposes., Publications Office of the European Union’ (2015)

<https://policycommons.net/artifacts/294146/a-comparison-between-us-and-eu-data-protection-legislation-for-law- enforcement-purposes/1181747/>, accessed 14 April 2022. 51.

123 Myers (n.117), 134.

124 Fair Credit Reporting Act (FCRA), 15 U.S.C.§1681.

125 Shawn M Boyne, ‘Data Protection in the United States’ (2018) 66(1) The American journal of comparative law 299, 300; The Privacy Act of 1974, as amended, 5 U.S.C.§552a.

126 Andy Green, ‘Complete Guide to Privacy Laws in the US’ (Inside Out Security Blog, 2 April 2021)

<https://www.varonis.com/blog/us-privacy-laws> accessed 17 April 2022.

127 Slemmons Stratford & Stratford (n.113), 18.

128 Green (n.126).

129 Jerome J. Hanus & Harold C. Relyea, ‘A Policy Assessment of the Privacy Act of 1974’ (1976) 25 Am U L Rev 555.

577.

130 Myers (n.117), 136.

131 Boyne (n.125), 301; Tierney (n.113).

132 ‘A Brief Overview of the Federal Trade Commission’s Investigative, Law Enforcement, and Rulemaking Authority’

(Federal Trade Commission, May 2021) < https://www.ftc.gov/about-ftc/mission/enforcement-authority>, accessed 27 May 2022.

133 Tierney (n.113).

Figure

Updating...

References

Related subjects :