Introduction to Privacy and Data Law

Data law applies to all sorts of data processing, from personal data protection to artificial intelligence, financial transactions, and cybersecurity.

Privacy and Data Protection

In the context of Data Law, Privacy and Personal Data Protection play an important role. They are commonly recognised as two complementary but distinct rights. The right to privacy, private life, and private communications is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). It aims at protecting individuals against intrusion by third parties in their private life. Data protection is aimed at protecting personal data and ensuring the fair processing (collection, use, storage) of any information relating to an identified or identifiable natural person (data subject). Personal data protection continues to apply to data that have been voluntarily disclosed. Both set of rights complement each other and partially overlap.

Institutional oversight

In many countries, compliance with privacy and data protection law is overseen by independent supervisory or regulatory authorities. As established in the Council of Europe (CoE) Convention for the Protection of Individuals with regard to the processing of personal data (Convention 108+) the powers and duties of such an authority may include:

• duties to monitor, investigate and enforce compliance with individual privacy and data protection rights;
• duties to monitor developments and their impact on individual privacy and data protection rights;
• powers to receive complaints and conduct investigations of potential violations of individual privacy and data protection rights;
• powers to issue decisions on violations of such rights and order remedial action or meaningful sanctions;
• duties to promote public awareness of the rights of individuals and the responsibilities of those entities holding and processing personal data; and
• a duty to give specific attention to the data protection rights of children and other vulnerable individuals.
• power to issue opinions prior to the implementation of data processing operations;
• advise on legislative or administrative measures;
• recommend codes of conduct or referring cases to national parliaments or other state institutions;
• issue regular reports, publishing opinions and other public communications to keep the public informed about their rights and obligations and about data protection issues in general.

PRIVACY PRINCIPLES

Privacy Principles are specified in several instruments, including Convention 108+ of the Council of Europe and the OECD Privacy Principles.

• Collection Limitation. There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means, and where appropriate, with the knowledge or consent of the data subject.
• Data Quality. Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.
• Purpose Specification. The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use should be limited to the fulfillment of those purposes or other compatible purposes.
• Use Limitation. Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law.
• Security Safeguards. Personal data should be protected by reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure.
• Openness. There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
• Individual Participation. Individuals should have the right to: (a) obtain confirmation of whether or not the data controller has data relating to them; (b) have data relating to them communicated within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible; (c) Be given reasons if a request is denied, and to be able to challenge such a denial; and (d) challenge data relating to them and, if the challenge is successful, have the data erased, rectified, completed, or amended.
• Accountability. A data controller should be accountable for complying with measures that give effect to the principles stated above.

DATA PROTECTION PRINCIPLES

Building upon the existing principles, the General Data Protection Regulation (GDPR), constitutes an important example of a comprehensive regulation of data protection and privacy, setting a new threshold for international good practices. Article 5 of the GDPR, enshrines the core data protection principles, requiring that personal data shall be:

• processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ('purpose limitation');
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
• accurate and, where necessary, kept up to date ('accuracy');
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation');
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality');
• the controller shall be responsible for, and be able to demonstrate compliance with these principles ('accountability').

DATA TRANSFER: INTERNATIONAL CERTIFICATION FRAMEWORKS

The Global Cross-Border Privacy Rules (CBPR) System

The Global Cross-Border Privacy Rules (CBPR) System is an international certification framework designed to facilitate secure and responsible data transfers across different jurisdictions. Established to build on the APEC CBPR System, the Global CBPR aims to create an interoperable data protection standard that accommodates diverse regulatory approaches while ensuring high standards of data privacy. The system is voluntary and relies on Accountability Agents to certify that organizations' privacy policies meet the established requirements. Participating economies include the United States, Canada, Japan, South Korea, the Philippines, Singapore, and Chinese Taipei, among others. This framework helps enhance consumer trust and supports global data flows critical for business operations and innovation.

EU-US Data Privacy Framework

The EU-U.S. Data Privacy Framework ensures the secure transfer of personal data between the EU and the U.S. by addressing concerns from the Schrems II decision. It includes binding privacy obligations for U.S. companies, limits U.S. government access to what is necessary and proportionate, and introduces a Data Protection Review Court (DPRC) for EU individuals to seek redress. This framework provides a reviewed and strengthened mechanism for data protection which seeks to be comparable to EU standards and is subject to periodic reviews to ensure ongoing compliance and effectiveness.

Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System

The APEC CBPR System was developed by APEC economies to protect personal information and facilitate data flows across the region. This system aims to harmonize privacy protections across member economies, thus reducing barriers to cross-border data flows and supporting global trade. By implementing data privacy regulations and policies consistent with the APEC Privacy Framework, businesses can gain certification that demonstrates their commitment towards privacy protection while promoting the harmonization of differing national privacy laws within the APEC jurisdictions.

Standardisation Organizations

• British Standards Institution (BSI)
• DigComp
• European Communications Standards Institute (ETSI)
• International Data Spaces Association (IDSA)
• Internet Engineering Task Force (IETF)
• International Organisation for Standardisation (ISO)
• International Organisation for Standardisation & International Electrotechnical Commission (ISO/IEC)
• International Telecommunications Union
• National Cyber Security Centre
• National Institute for Standards and Technology (NIST)
• OASIS Open Cyber Threat Intelligence Technical Committee

CYBERSECURITY LAW

Cybersecurity law encompasses a range of regulations, standards, and guidelines aimed at protecting information systems, networks, and data from cyber threats and attacks. These laws are designed to ensure the confidentiality, integrity, and availability of information.

Examples of cybersecurity laws

• General Data Protection Regulation (GDPR), the EU
• The Cybersecurity Act, the EU
• NIS Directive (Directive on Security of Network and Information Systems), the EU
• California Consumer Privacy Act (CCPA), the US
• Cybersecurity Information Sharing Act (CISA), the US
• Federal Information Security Modernization Act (FISMA), the US
• Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the US
• Personal Data Protection Act (PDPA), Singapore

TELECOMMUNICATIONS LAW

Telecommunications laws are essential for managing the complex landscape of modern communication technologies. They ensure that telecommunications services are delivered efficiently, competitively, and fairly, protecting both consumers and service providers. These laws cover a wide range of issues, including licensing, spectrum management, consumer protection, and data privacy, adapting to technological advancements and changing market dynamics. By implementing robust telecommunications regulations, governments aim to foster innovation, expand service access, and safeguard the rights of all stakeholders in the telecommunications ecosystem.