Читать книгу International Data Protection Laws - Amit Luhach - Страница 6

The Right to Privacy as a fundamental right emerged from the Universal Declaration of Human Rights (UDHR) adopted in 1948. It has been referred to as the right to respect for private and family life in the European Convention on Human Rights (ECHR) adopted in 1950. The ECHR provides that “everyone has the right to respect for his or her private and family life, home and correspondence”, but this right is subject to interference by public authorities where such is in accordance with the law, follows legitimate public interest and/or is necessary for a democratic society.¹ The UDHR and ECHR came into play before the development of computers and the internet. These technological advancements brought enormous benefits to individuals as well as society and created a new world of communication, a space in itself as some hold.² Business processes, as well as communication, has gained ever-increasing speed, efficiency and productivity. Simultaneously, this technical revolution posed new dangers to the right to private and family life as illustrated by Edward Snowden in his book “Permanent Record”³. The rapid developments in the field of electronic data processing and computers in the 1970s caused extensive data collection, storage and processing by big corporations, individuals, enterprises, academic and other public institutions.⁴ Not surprisingly this required the development of a new privacy concept, now known as ´informational privacy´ or ´right to self-determination.⁵ In Europe, the legal safeguards of the era such as the law of torts, secrecy and confidentiality failed to provide sufficient protection to the personal data of citizens. Over time it became apparent, that increased cross border trade and automated data processing require a new set of rules and standards enabling individual and market participants to exercise better control over their data. The need to provide a balance between personal freedom and privacy of the individual and commercial data processing as well as international data flows generated the development of special regulations for the protection of personal data.

In 2012, the Charter of Fundamental Rights of the European Union (EU Charter) provided the right to respect for private and family life, home and communications to everyone.⁶ Justice Tugendhat called these core components confidentiality and intrusion prevention and held that “the right to respect for private life embraces more than one concept. The two core components of the right to privacy are to prohibit unwanted access to private information and unwanted access to one’s personal space.”⁷ In Article 8 of the EU Charter, data protection is addressed. Therein everyone is granted a right to the protection of their personal data. Moreover, the data processing must be fair, and must be undertaken for specific purposes, and shall be based on consent or some legitimate basis. Also, the individual should have the right to access and rectification of personal data, and there must be a supervisory authority to oversee compliance by the controller and the processor. In essence, Article 8 deals with the data subject rights, obligations of data controllers and supervision by independent authorities. The Court of Justice of the European Union (CJEU) observed that “Article 8 of the EU Charter concerns a fundamental right which is distinct from that enshrined in Article 7 of the EU Charter and which has no equivalent in the European Convention on Human Rights (ECHR).”⁸ The adoption of the Lisbon Treaty⁹ has contributed immensely to the development of data protection by elevating the status of the EU Charter to a binding legal document. It grants the EU an independent legal basis and the power to legislate on data protection matters. Further, it provides for the protection of individuals when their personal data is processed by EU institutions. Moreover, it provides for an independent authority to oversee compliance over these rules.¹⁰ Based on these core principles, the EU enacted Directive 95/46/EC (Directive) on Data Protection in 1995¹¹ which, however, could not create a harmonized legal concept within the EU.

Accordingly, to achieve harmonization, in 2018, the EU promulgated the General Data Protection Regulation (GDPR) “on the protection of natural persons concerning the processing of their personal data and the free movement of such data and repealing Directive 95/46/EC.” From the outset, it was clear that the GDPR would set a threshold with international significance given the EU Member States´ economic significance. The GDPR aimed at setting an international standard for data processing rules and not surprisingly triggered legislative activity throughout the world. Therefore, this book starts with a description of the GDPR, then looks at the situation in the United States which traditionally follow a fundamentally different approach regarding the protection of personal data. While under the GDPR, the processing of personal data is forbidden unless it can be justified based on one of the grounds set out in Article 6; the US privacy laws allow for the processing of personal data unless such processing contravenes the rules and standards imposed by the law. It is noteworthy to mention that the US Federal laws follow a sector-specific approach as described in Chapter 1 of Part II. The US States however hold legislative competence to enact privacy laws and the most prominent example is the California Consumer Privacy Act (CCPA), 2018 that is inspired by the GDPR. Other US States are also in the process of evaluating their position or have already enacted privacy laws, some of which have incorporated concepts of the GDPR that are summarized in Part II. The third example is India’s draft Personal Data Protection Bill, 2019 that may be called the Personal Data Protection Act (PDPA), 2019, soon to be passed by the parliament. It is close to the European privacy concept with a couple of noteworthy deviations.

It remains to be seen in the years to come, where this journey will end and how those various legal systems and approaches will work together – hopefully ultimately helping to shape a space of free but safe virtual travelling.