Data PrivacyEvolution of Data Protection Laws across the Globe

INTRODUCTION

The evolution of data protection laws across the globe can be traced back to the 1970s when countries began to recognize the need to regulate the use and processing of personal information. Since then, data protection laws have continued to evolve and become more sophisticated, responding to the ever-increasing amounts of personal data being generated, collected, and processed.

The Right to Privacy has its relevance way before data protection was prevalent. We can see that Governments all around the world have included the Right to Privacy in their Constitutions.. Data protection regulations came after the increased usage of the Internet and the issue of data privacy suddenly rising with peaks and bounds.

A BRIEF TIMELINE OF EVOLUTION OF DATA PROTECTION LAWS ACROSS THE GLOBE

1890: The Right To Be Let Alone

In 1890 two American lawyers in their article wrote about Right to Privacy, where they described privacy as “the right to be alone” and titled their artcile as “The Right to Privacy”. They identified technology as the root cause for the urgent need of data protection, and warned that “instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life”.”

1948: United Nations Declaration of Human Rights

The United Nations Declaration of Human Rights (hereinafter referred to as “UNDHR”), discussed the concept of Right to Privacy clearly under Article 12 wherein it was stipulated that “No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks”.

1950: European Convention on Human Rights

Article 8 of the European Convention on Human Rights (hereinafter referred to as ‘ECHR’) inspired by “the UNDHR provides protection for an individual’s ‘private and family life, his home and his correspondence”, although subject to certain restrictions that are ‘in accordance with law’ and ‘necessary in a democratic society’.

2012: European Charter of Fundamental Rights of the European Union

The European Charter of Fundamental Rights of the European Union (hereinafter referred to as ‘the Charter’) is the second legal tool to ensure the protection of fundamental and human rights in Europe after the ECHR. While the ECHR was drafted by the Centre of Excellence (hereinafter referred to as “CoE”) and applies to 47 Member States, the Charter applies only to the EU Member States.

Interestingly, Article 7 of the Charter and the abovementioned Article 8 of the ECHR both provide for a similar Right of Privacy for ‘private and family life, home and communications’; however, Article 8 of the Charter goes further and provides a separate and distinct right to data protection, stating that ‘everyone has the right to the protection of personal data concerning him or her’.

2021: China’s Personal Information Protection Law

The Personal Information Protection Law (hereinafter referred to as ‘PIPL’) is China’s first comprehensive data protection law, and outlines requirements for personal information handlers.

In line with international standards, the PIPL establishes duties for personal information handlers, such as the appointment of a Personal Information Protection officer and includes provisions on conducting personal information protection impact assessments, creates restrictions on international data transfers, as well as provides individual rights.

The Right to Privacy in 2023 and beyond

Privacy and Data Protection are ever-changing fields with new and amended Data Protection and privacy laws emerging to keep pace with technological advancements. In particular, 2023 saw and will continue to see the expansion of privacy laws with a number of privacy laws entering into effect and progressing through national legislatures. A notable mention is the American Data Privacy and Protection Act (hereinafter referred to as ‘ADDPA’) which represents the first bi-partisan federal data protection legislation in the US and is currently under consideration in the U.S. House of Representatives.

COMPARISON OF LAWS IN DIFFERENT COUNTRIES

The United States

The United States has a sectoral approach to Data Protection, with different laws governing different industries. The first law regulating data protection was the Fair Credit Reporting Act of 1970, which established guidelines for credit reporting agencies. Other key laws include the Electronic Communications Privacy Act, 1986, the Health Insurance Portability and Accountability Act, 1996, and the Children’s Online Privacy Protection Act, 1998.

The Family Educational Rights and Privacy Act (hereinafter referred to as “FERPA”) is a federal law in the United States that was enacted in 1974. FERPA is designed to protect the privacy of student education records and applies to all schools that receive funding from the U.S. Department of Education.

FERPA establishes the following rights for parents and eligible students:

1. The right to inspect and review their education records within 45 days of making a request.
2. The right to request that a school correct any education records that are inaccurate, misleading, or otherwise in violation of their privacy rights.
3. The right to consent to the disclosure of their education records, except in certain limited circumstances, such as when the disclosure is to school officials with a legitimate educational interest, or to comply with a judicial order or subpoena.
4. The right to file a complaint with the U.S. Department of Education if they believe their privacy rights have been violated.

FERPA also requires schools to notify parents and eligible students annually of their rights under the law and to establish reasonable procedures for handling and responding to requests for access to education records.

In addition to these requirements, FERPA also includes provisions for the protection of student data in the context of research, prohibiting the disclosure of personally identifiable information without the consent of the parent or eligible student or under certain limited circumstances.

Overall, FERPA is an important law that ensures the privacy of student education records and helps to protect the rights of parents and eligible students.

Europe

Europe has been a leader in Data Protection legislation, with the European Union’s General Data Protection Regulation (hereinafter referred to as “GDPR”) being one of the most comprehensive Data Protection laws in the world.

The GDPR was implemented in May 2018 and applies to all organizations operating within the EU, as well as those outside the EU that process the data of EU citizens. The GDPR sets out strict rules around Data Protection, including the right to be forgotten, the right to access and rectify personal data, and the requirement for data controllers to obtain explicit consent from individuals to process their data.

The European Union Data Protection Directive, also known as Directive 95/46/EC, was adopted by the European Union in 1995. The Directive is one of the most significant pieces of legislation in the history of data protection, as it established a comprehensive framework for the protection of personal data in the European Union.

The main objective of the Directive was to harmonize data protection laws across the EU and ensure that individuals had control over their personal data. The Directive laid down a set of principles for the processing of personal data, which included:

• Personal data must be processed fairly and lawfully.
• Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
• Personal data must be adequate, relevant, and not excessive in relation to the purposes for which they are processed.
• Personal data must be accurate and, where necessary, kept up to date.
• Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or processed.
• Personal data must be processed in accordance with the rights of data subjects.
• Appropriate technical and organizational measures must be taken to prevent unauthorized access, unlawful processing, or accidental loss or destruction of personal data.

The Directive also established a number of key rights for individuals, including the right to access their personal data, the right to have their data corrected or deleted, and the right to object to the processing of their data.

The European Union Data Protection Directive was a landmark piece of legislation, and its principles have been incorporated into many data protection laws around the world. In May 2018, the Directive was replaced by the GDPR, which strengthened and extended the principles established by the Directive.

Asia

Asia is a diverse continent with various countries having their own laws and regulations regarding data protection. However, there are some commonalities among the data protection laws in Asia, such as:

1. Personal Data Protection Laws: Many countries in Asia have Personal Data Protection laws that regulate the processing of personal data. These laws generally require organizations to obtain consent from individuals before collecting, using, or disclosing their personal data. Examples of such laws include the Personal Data Protection Act in Singapore, the Personal Information Protection Act in Japan, and the Data Privacy Act in the Philippines.

2. Cross-Border Data Transfer: Many countries in Asia have restrictions on cross-border data transfers. These restrictions require organizations to obtain consent from individuals before transferring their personal data outside of the country or to a third party. Examples of such laws include the Cybersecurity Law in China, the Personal Data Protection Act in Thailand, and the Personal Information Protection Commission in South Korea.

3. Cybersecurity: Many countries in Asia have cybersecurity laws that regulate the protection of information systems and data from cyber threats. These laws generally require organizations to implement appropriate security measures to protect personal data. Examples of such laws include the Cybersecurity Law in China, the Cybersecurity Act in Malaysia, and the Cybercrime Prevention Act in the Philippines.

4. Sector-Specific Laws: Some countries in Asia have sector-specific laws that regulate the processing of personal data in specific industries. Examples of such laws include the Health Data Protection Act in Taiwan, the Financial Data Protection Act in South Korea, and the Personal Data Protection Decree in Vietnam.

Africa

Data protection laws in Africa are still in their infancy, but some countries have introduced specific data protection legislations. South Africa introduced the Protection of Personal Information Act (hereinafter referred to as “POPIA”) in 2013, and this came into effect on July 1, 2021. Nigeria’s National Information Technology Development Agency (hereinafter referred to as “NITDA”) introduced the Nigeria Data Protection Regulation (hereinafter referred to as “NDPR”) in 2019.

Data protection laws in Africa vary widely by country, with some countries having comprehensive data protection laws, while others do not have any legislation in place. However, there is a growing trend towards data protection regulation on the continent, with several countries enacting new laws in recent years.

AMLEGALS REMARKS

Data protection laws have evolved significantly over the past few decades, with many countries recognizing the need to regulate the use and processing of personal data. The trend towards comprehensive Data Protection laws, such as the GDPR, is likely to continue, as more countries seek to protect the privacy and personal data of their citizens.

It is worth noting that many African countries are also signatories to the African Union Convention on Cyber Security and Personal Data Protection, which was adopted in June 2014. The Convention establishes a framework for the protection of personal data across the continent, but its implementation and enforcement remain a challenge.

Overall, the Data Protection laws in Asia are evolving rapidly, with many countries updating their laws to align with international standards and best practices. However, enforcement of these laws can be a challenge, and organizations must ensure that they comply with the applicable Data Protection laws in the jurisdictions in which they operate.

– Team AMLEGALS assisted by Ms. Bhavika Lohiya (Intern)