Governance: Data protection
To what extent do relevant laws, regulations, policies, and guidance provide a comprehensive framework for protection of personal data?
Definitions and Identification
More than 100 countries have some form of comprehensive data privacy law that sets out how the privacy of individuals should be protected by the public and/or private sector when data is handled. In other countries, there may be a patchwork of regulations that covers specific sectors (e.g., health), or that applies only to certain public sector entities.
Strong data protection frameworks should include:
- Choice and consent—providing individuals with clear information on how their data may be used and the choice to consent or not to it being collected and processed;
- Access and correction—providing individuals with the right to access data held about them, and to ask for inaccurate information to be corrected;
- Responsibilities on data holders—requiring data holders to manage personal data appropriately;
- Rights of redress—giving individuals (or groups) rights to complain or take action where their data protection rights are breached.
Recent developments in global standards for data protection frameworks have also placed emphasis on:
- Breach notification—placing a responsibility on data holders (e.g., companies, government departments, or others who collect and manage personal data) to notify the appropriate authority if personal data is accessed or shared illegally;
- Algorithmic decision-making—creating specific rights and responsibilities in relation to personal data used within artificial intelligence systems or algorithms to make decisions that affect individuals.
This question also asks about how far frameworks apply in specific contexts, including:
- Location data—location data carries specific privacy risks. In some countries, this is explicitly addressed in the main data protection law. In other countries, there may be location-specific laws or regulations. This element asks you to check for evidence that the privacy risks of location data are recognized either in the main laws/regulations or in some other related law or regulation.
Useful terminology:
- Data subject—the individual human person that an item of data is about.
- Data holder—the organization responsible for managing a collection of personal data.
For this question, you should consult existing resources detailing data protection frameworks, and identify which of the indicator's sub-questions these cover. You should also check for any recent updates that may not be reflected in the sources listed below and may affect your assessment.
Starting points
- Sources:
  - DLA Piper maintains a detailed analysis of the privacy frameworks of over 100 countries. Comparing your country of study with other countries can help you assess the framework.
  - The Global Table of Data Privacy Laws and Bills (2017) contains details of countries that, as of 2017, had or were drafting laws with "largely comprehensive" coverage of public sector, private sector, or both, and notes the presence and name of a country's data protection authorities (DPA).
  - DataGuidance.com provides links to laws and summary information, organized by jurisdiction. (Note that the license of OneTrust's paid-for services prohibits use of this content in third-party products. Use this source for background/contextual research only, and do not cite any verbatim text in justifications.)
  - The United Nations Conference on Trade and Development (UNCTAD) maintains a dataset of draft or enacted privacy laws with links to specific legal texts. Check carefully to make sure the most recent law is referenced, as the UNCTAD data may not reflect recent legislative reforms.
  - The WorldLii National Data Privacy Legislation collection also provides access to laws for a number of countries.
  - With regard to governance exceptions or amendments in the context of COVID-19, the COVID-19: Data Privacy & Security Guidance on Handling Personal Data During a Pandemic (Global) Tracker lists, by country, specific governance guidance and updates related to handling personal data and data protection in the context of COVID-19. Note: this database does not guarantee comprehensiveness, so finding no relevant information here should be treated only as a starting point for looking elsewhere, not as proof that no exceptions exist.
  - The World Bank Digital Government/GovTech Systems and Services 2020 survey provides information on data protection & privacy laws (columns HC–HG) and data protection agencies (columns HH–HK).
- Search:
  - For news and articles about recent data protection or data privacy framework reforms.
  - The website of any data protection authority.
  - For information about protection of location data in the country.
- Consult:
  - Officers of national civil society organizations focused on privacy issues.
What to look for?
Look for evidence that can answer the following questions:
- Is there a single law that protects data in all settings? Is there a patchwork of laws that applies to specific sectors, localities, or media?
National and sub-national considerations
When a country's data protection framework is divided into different sub-jurisdictions—e.g., data protection laws are set at the state level, or certain special zones are excluded from the main national data protection regime (cf. Greenleaf, 2013, p. 5)—researchers should record this in their answer to the sub-question on geographic scope ("Does this framework apply across the whole country?") and explain it clearly in the indicator's justification box.
Existence
- What is the nature of the framework?
  - No framework exists.
    Supporting questions: In the absence of a strong legal framework, are there alternative norms or customs that play this role in the country? If so, please explain how. If there are draft laws or regulations not yet in force, but that would provide a more robust framework in future, please provide brief details here.
  - A framework exists but lacks full force of law.
    Supporting questions: In the absence of a strong legal framework, are there alternative norms or customs that play this role in the country? If so, please explain how. If there are draft laws or regulations not yet in force, but that would provide a more robust framework in future, please provide brief details here.
  - A framework exists and has the force of law.
    Supporting questions: Please identify the framework(s) you have assessed (e.g., name of law(s) or regulations).
Elements
- Rights and responsibilities:
  - The framework provides data subjects with rights of choice or consent. (No, Partially, Yes) Individuals should normally be given the choice of whether their information is collected, and should be able to give informed consent based on a clear statement of how their information will be used. There should be only limited exceptions to this where there is an overriding interest, defined in law, in the collection of such information.
    Supporting questions (conditional)
    If Partially: Please indicate which section of the framework refers to this issue and explain your 'Partially' response.
    If Yes: Please indicate which section of the framework refers to this issue.
  - The framework provides data subjects with rights to access and correct data about themselves. (No, Partially, Yes)
    Supporting questions (conditional)
    If Partially: Please indicate which section of the framework refers to this issue and explain your 'Partially' response.
    If Yes: Please indicate which section of the framework refers to this issue.
  - The framework sets out clear responsibilities for data holders. (No, Partially, Yes) Answer 'No' if the framework does not detail data holder responsibilities. For an answer of 'Yes', data holders should be responsible for: taking steps to ensure personal information is updated and accurate; limiting access to personal data in accordance with its intended use; only transferring data to third parties if there are assurances they will also respect data protection rights; and destroying or anonymizing data after it is no longer needed for its original intended use. Answer 'Partially' if data holders only have some of these obligations.
    Supporting questions (conditional)
    If Partially: Please indicate which section of the framework refers to this issue and explain your 'Partially' response.
    If Yes: Please indicate which section of the framework refers to this issue.
  - The framework provides rights of redress. (No, Partially, Yes) Individuals and communities should have the right of redress against public and private bodies that fail to respect data protection rules in relation to data about them. Remedies can be provided through self-regulation, private law actions, and government enforcement. Oversight of the system should be undertaken by an independent body. Answer 'Yes' if there is a framework for redress AND independent oversight. Answer 'Partially' if there is a framework for redress, but limited oversight.
    Supporting questions (conditional)
    If Partially: Please indicate which section of the framework refers to this issue and explain your 'Partially' response.
    If Yes: Please indicate which section of the framework refers to this issue.
  - The framework requires data controllers to notify an appropriate authority of data breaches. (No, Partially, Yes)
    Supporting questions (conditional)
    If Partially: Please indicate which section of the framework refers to this issue and explain your 'Partially' response.
    If Yes: Please indicate which section of the framework refers to this issue.
- Specific considerations:
  - Frameworks explicitly cover the protection of location-related data. (No, Partially, Yes)
    Supporting questions (conditional)
    If Partially: Please indicate which section of the framework refers to this issue and explain your 'Partially' response.
    If Yes: Please indicate which section of the framework refers to this issue. If the protection of location data is addressed in particular laws or guidance, please give the name and URL of that here.
  - The framework addresses algorithmic decision making. (No, Partially, Yes) Answer 'Partially' if guidance, policy, or regulation addresses specific privacy issues related to algorithmic decision making, but these considerations are not included in law.
    Supporting questions (conditional)
    If Partially: Please indicate which section of the framework refers to this issue and explain your 'Partially' response.
    If Yes: Please indicate which section of the framework refers to this issue.
- Negative scoring:
  - Exceptions to the usual data protection framework have been made as part of the country's COVID-19 response. (No, Partially, Yes) Answer 'Yes' if significant rights have been weakened or suspended; answer 'Partially' if there have been some minor adjustments, such as grace periods for compliance with rules.
    Supporting questions (conditional)
    If Partially: Please indicate the name and URL of the source of these exceptions and explain your 'Partially' response.
    If Yes: Please provide the name and URL of the source of these exceptions.
Extent
- How broadly does this data protection framework apply?
  - The framework only applies in a narrow set of situations.
    Supporting questions: Please briefly describe the limits of the framework.
  - The framework applies widely in one or more sectors.
    Supporting questions: Please list the specific sectors the framework applies to.
  - The framework applies widely across all sectors (including public and private sector).
    Supporting questions: Please describe all sectors included in the framework and indicate which section of the framework refers to this issue.
- Does this framework apply across the whole country?
  - The framework assessed applies only to one sub-national region or city.
    Supporting questions: Please indicate to which region it applies.
  - The framework assessed relates to one sub-national region or city, but is representative of the kind of framework that exists for most regions or cities.
    Supporting questions: Please indicate to which region it applies and mention some of the similar ones from other regions.
  - The framework assessed, or equivalent frameworks, apply across the whole country.
    Supporting questions: Please indicate if the framework applies to the whole country, and if not, mention some of the equivalent ones from other regions.
Data protection rights are rooted in the universally recognized right to private life; they serve as a foundation for other fundamental freedoms, including freedom of association and expression. Since the 1970s, data protection rights have gained prominence as societies developed an awareness and understanding of the impacts of data-processing technologies. Data protection rights can be characterized as modern and active rights: creating positive duties on different actors to manage data in ways that respect the wider rights of data subjects, and establishing the need for independent supervision of how data is handled (Europäische Union and Europarat 2018).
Over the last forty years, the majority of countries in the world have passed some form of data privacy law (Greenleaf 2017). Rough consensus has formed regarding the essential principles of data protection law, drawing on the Council of Europe Convention 108 and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Greenleaf identifies a total of fifteen key principles across these two frameworks (Greenleaf 2013), including limits on data collection, consent requirements, purpose limitations, individual access and correction rights, accountability of data controllers, and openness of policies on personal data. Greenleaf finds these principles widely applied in a sample of ten Asian countries, with the notable exception of the principle of openness of policies on personal data, which was only applied in six of the ten countries assessed (ibid.).
Over the last decade, a number of new concepts have gained prominence in data protection discourse, captured in updated OECD and Council of Europe documents. In particular, these updates strengthened requirements for notification of data breaches (both CoE and OECD) and established greater rights in relation to automated decision-making (CoE), responding to concerns about applications of algorithmic decision-making systems and potential risks from big data.
A number of emerging issues related to data protection may be addressed by future development of this indicator after the pilot edition of the Barometer, including:
- Group privacy: Whilst data protection frameworks have generally been presented in terms of individual rights, there is growing focus on the need to address risks of big data that play out at the collective level (Taylor, Floridi, and Sloot 2017), with resulting impacts on both individual autonomy and collective rights.
- Regulatory capacity: In January 2019, the Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data published Guidelines on Artificial Intelligence and Data Protection that call on governments to ensure that: "Supervisory authorities [are] provided with sufficient resources to support and monitor the algorithm vigilance programmes of AI developers, manufacturers, and service providers."