Governance: Data protection
To what extent do relevant laws, regulations, policies, and guidance provide a comprehensive framework for protection of personal data?
Definitions and Identification
More than 100 countries have some form of comprehensive data privacy law that sets out how the privacy of individuals should be protected by the public and/or private sector when data is handled. In other countries, there may be a patchwork of regulations that covers specific sectors (e.g., health), or that applies only to certain public sector entities.
Strong data protection frameworks should include:
- Choice and consent—providing individuals with clear information on how their data may be used and the choice to consent or not to it being collected and processed;
- Access and correction—providing individuals with the right to access data held about them, and to ask for inaccurate information to be corrected;
- Responsibilities on data holders—requiring data holders to manage personal data appropriately;
- Rights of redress—giving individuals (or groups) rights to complain or take action where their data protection rights are breached.
Recent developments in global standards for data protection frameworks have also placed emphasis on:
- Breach notification—placing a responsibility on data holders (e.g., companies, government departments, or others who collect and manage personal data) to notify the appropriate authority if personal data is accessed or shared illegally;
- Algorithmic decision-making—creating specific rights and responsibilities in relation to personal data used within artificial intelligence systems or algorithms to make decisions that affect individuals;
- Group privacy—recognizing collective rights to data protection, such as those detailed in various Indigenous data sovereignty principles. Also, creating specific responsibilities for data about group membership, or for data that an individual shares that may simultaneously reveal information about others who have not provided consent.
This question also asks about how far frameworks apply in specific contexts, including:
- Location data—location data can bring specific privacy risks. In some countries, this is explicitly addressed in the main data protection law. In other countries, there may be location-specific laws or regulations. This element asks you to check for evidence that the privacy risks of location data are recognized either in the main laws/regulations or in some other related law or regulation.
Useful terminology:
- Data subject—the individual human person that an item of data is about.
- Data holder—the organization responsible for managing a collection of personal data.
Examples
- The Protection of Personal Information Act (POPIA) in South Africa provides a comprehensive framework for safeguarding personal data. It requires consent (or another lawful justification) for data processing (Chapter 3, section 11) and requires responsible parties to correct personal information on request (Chapter 3, section 24). Chapter 5 details the powers and duties of the Information Regulator, Chapter 8 governs direct marketing and automated decision-making, and Chapter 9 addresses cross-border data processing.
- For guidance, you can also refer to the European Union’s General Data Protection Regulation (GDPR), which sets uniform data protection standards across all member states. The GDPR strengthens individuals' control over their data and sets baseline security obligations for those who process it. Key areas include security of processing (Article 32), international cooperation for the protection of personal data (Article 50), exchange of information between supervisory authorities (Article 67), and penalties for non-compliance (Article 84).
For this question, you should consult existing resources detailing data protection frameworks, and identify which of the indicator's sub-questions these cover. You should also check for any recent updates that may not be reflected in the sources listed below and may affect your assessment.
Starting points
- Sources:
  - DLA Piper maintains a detailed analysis of the privacy frameworks of over 100 countries. Comparing your country of study with other countries can help you assess the framework.
  - The Global Table of Data Privacy Laws and Bills (2017) contains details of countries that, as of 2017, had or were drafting laws with "largely comprehensive" coverage of the public sector, private sector, or both, and notes the presence and name of each country's data protection authority (DPA).
  - DataGuidance.com provides links to laws and summary information, organized by jurisdiction. (Note that the license of OneTrust's paid-for services prohibits use of this content in third-party products. Use this source for background/contextual research only, and do not cite any verbatim text in summary boxes or other answers.)
  - The United Nations Conference on Trade and Development (UNCTAD) maintains a dataset of draft or enacted privacy laws with links to specific legal texts. Check carefully to make sure the most recent law is referenced, as the UNCTAD data may not reflect recent legislative reforms.
  - The WorldLii National Data Privacy Legislation collection also provides access to laws for a number of countries.
  - The World Bank Digital Government/GovTech Systems and Services 2020 survey provides information on data protection and privacy laws (columns HC–HG) and data protection agencies (columns HH–HK).
- Search:
  - For news and articles about recent data protection or data privacy framework reforms.
  - The website of any data protection authority.
  - For information about protection of location data in the country.
- Consult:
  - Officers of national civil society organizations focused on privacy issues.
What to look for?
Look for evidence that can answer the following questions:
- Is there a single law that protects data in all settings? Or is there a patchwork of laws that applies to specific sectors, localities, or media?
- Does the framework apply to everyone, or are there specific populations, such as immigrants or the incarcerated, to whom data protection is denied in full or in part?
- What rights for data subjects does the framework recognize? Are there rights of choice and consent, access and correction, and redress?
- What responsibilities on data holders does the framework recognize? Does it require particular data management practices? Breach notifications?
- Does the framework include specific rights and responsibilities related to location data? To algorithmic decision-making?
- Does the framework focus only on data protection for individuals, or does it include either explicit or implicit provisions related to groups as well?
Existence
- What is the nature of the framework?
  - No framework exists.
    Supporting questions: In the absence of a strong legal framework, are there alternative norms or customs that play this role in the country? If so, please explain.
  - A framework exists but lacks full force of law.
    Supporting questions: In the absence of a strong legal framework, are there alternative norms or customs that play this role in the country? If so, please explain. Please provide brief details. If there are draft laws or regulations not yet in force that would provide a more robust framework in the future, please provide brief details, including the date(s) of any relevant drafts. Please provide a URL(s) for where evidence can be found.
  - A framework exists and has the force of law.
    Supporting questions: Please provide brief details. Please provide a URL(s) for where evidence can be found.
- Extent of existence:
  - How comprehensive, in terms of jurisdiction, is the coverage of the framework assessed for this question? (Options: The framework covers one or more localities, but there are many other localities without such a framework, or with a framework of a lesser quality; The framework covers one or more localities and is representative of the kind of frameworks that can be found for all, or most, localities; The framework provides national coverage.)
    Supporting questions (conditional)
    If The framework covers one or more localities, but there are many other localities without such a framework, or with a framework of a lesser quality. or The framework covers one or more localities and is representative of the kind of frameworks that can be found for all, or most, localities.: Which locality or localities does this framework cover?
    If The framework covers one or more localities, but there are many other localities without such a framework, or with a framework of a lesser quality. or The framework covers one or more localities and is representative of the kind of frameworks that can be found for all, or most, localities.: Please explain your response.
    If The framework covers one or more localities, but there are many other localities without such a framework, or with a framework of a lesser quality. or The framework covers one or more localities and is representative of the kind of frameworks that can be found for all, or most, localities.: Please provide supporting URL(s) as necessary.
  - How broadly does this data protection framework apply? (Options: The framework only applies in a narrow set of situations; The framework applies widely in one or more sectors; The framework applies widely across all sectors (including public and private sector).)
    Supporting questions (conditional)
    If The framework only applies in a narrow set of situations.: Please briefly describe the limits of the framework.
    If The framework applies widely in one or more sectors. or The framework applies widely across all sectors (including public and private sector).: Please describe what sectors the framework applies to.
    If The framework only applies in a narrow set of situations. or The framework applies widely in one or more sectors. or The framework applies widely across all sectors (including public and private sector).: Please indicate which section of the framework refers to this issue.
    If The framework only applies in a narrow set of situations. or The framework applies widely in one or more sectors. or The framework applies widely across all sectors (including public and private sector).: Please provide supporting URL(s) as necessary.
- Existence summary:
  - Please summarize your answers to the preceding existence sub-questions, including the extent of existence. [Open Text] Drawing on the research you have conducted and the evidence you have gathered for this section, describe what you have found (or not found) when answering the existence sub-questions for this indicator.
    Supporting questions
    Please provide the URL(s) for the evidence that supports the summary provided.
Elements
- Rights and responsibilities:
  - The framework provides data subjects with rights to access and correct data about themselves. (No, Partially, Yes)
    Supporting questions (conditional)
    If Partially: Please explain your “Partially” response.
    If Partially or Yes: Please indicate which section of the framework refers to this issue.
  - The framework provides rights of redress. (No, Partially, Yes) Individuals and communities should have the right of redress against public and private bodies that fail to respect data protection rules in relation to data about them. Remedies can be provided through self-regulation, private law actions, and government enforcement. Oversight of the system should be undertaken by an independent body. Answer “Yes” if there is a framework for redress AND independent oversight. Answer “Partially” if there is a framework for redress, but limited oversight.
    Supporting questions (conditional)
    If Partially: Please explain your “Partially” response.
    If Partially or Yes: Please indicate which section of the framework refers to this issue.
  - The framework provides data subjects with rights of choice or consent. (No, Partially, Yes) People should normally be given the choice of whether their information is collected or shared, and should be able to give informed consent based on a clear statement of how their information will be used. There should be only limited exceptions to this where there is an overriding interest, defined in law, in the collection or sharing of such information.
    Supporting questions (conditional)
    If Partially: Please explain your “Partially” response.
    If Partially or Yes: Please indicate which section of the framework refers to this issue.
  - The framework sets out clear responsibilities for data holders. (No, Partially, Yes) Answer “No” if the framework does not detail data holder responsibilities. For an answer of “Yes,” data holders should be responsible for: taking steps to ensure personal information is updated and accurate; limiting access to personal data in accordance with its intended use; only transferring data to third parties if there are assurances they will also respect data protection rights; destroying or anonymizing data after it is no longer needed for its original intended use. Answer “Partially” if data holders only have some of these obligations.
    Supporting questions (conditional)
    If Partially: Please explain your “Partially” response.
    If Partially or Yes: Please indicate which section of the framework refers to this issue.
  - The framework requires data controllers to notify an appropriate authority of data breaches. (No, Partially, Yes)
    Supporting questions (conditional)
    If Partially: Please explain your “Partially” response.
    If Partially or Yes: Please indicate which section of the framework refers to this issue.
- Specific considerations:
  - The framework explicitly addresses privacy and data protection for groups. (No, Partially, Yes) Answer “Partially” if the framework only addresses data holders’ responsibilities regarding data related to an individual’s membership in a group (e.g., ethnicity, nationality, race, religion, sex, etc.) or data holders’ responsibilities regarding individuals’ data that provides information about a group (e.g., genetic data, which provides information about a family group). Answer “Yes” if the framework explicitly addresses the rights of groups with regard to data protection and privacy (e.g., through adoption of Indigenous data sovereignty principles such as CARE or local versions, definitions of data subjects that include communities, rights of group consent or redress, etc.).
    Supporting questions (conditional)
    If Partially: Please explain your “Partially” response.
    If Yes: What rights are addressed? What responsibilities are addressed?
    If Partially or Yes: Please indicate which section of the framework refers to this issue.
  - The framework explicitly covers the protection of location-related data. (No, Partially, Yes)
    Supporting questions (conditional)
    If Partially: Please explain your “Partially” response.
    If Partially or Yes: If the protection of location data is addressed in separate law or guidance, please provide the name and URL.
    If Partially or Yes: Please indicate which section of the framework refers to this issue.
  - The framework addresses algorithmic decision-making. (No, Partially, Yes) Answer “Partially” if there is a policy, regulation, or guidance that addresses specific privacy issues related to algorithmic decision-making, but these considerations are not included in law.
    Supporting questions (conditional)
    If Partially: Please explain your “Partially” response.
    If Partially or Yes: Please indicate which section of the framework refers to this issue.
- Negative scoring:
  - The framework excludes certain populations from data protection. (No, Partially, Yes) For example, immigrants, the incarcerated population, etc. Answer “Partially” if certain populations have weaker data protection.
    Supporting questions (conditional)
    If Partially: Please explain your “Partially” response.
    If Partially or Yes: Which population or populations are excluded?
    If Partially or Yes: Please indicate which section of the framework refers to this issue.
- Elements summary:
  - Please summarize your answers to the preceding element sub-questions. [Open Text] Drawing on the research you have conducted and the evidence you have gathered for this section, describe what you have found (or not found) when answering the element sub-questions for this indicator.
    Supporting questions
    Please provide the URL(s) for the evidence that supports the summary provided.
Data protection rights are rooted in the universally recognized right to private life; they serve as a foundation for other fundamental freedoms, including freedom of association and expression. Since the 1970s, data protection rights have gained prominence as societies developed an awareness and understanding of the impacts of data-processing technologies. Data protection rights can be characterized as modern and active rights: creating positive duties on different actors to manage data in ways that respect the wider rights of data subjects, and establishing the need for independent supervision of how data is handled (Europäische Union and Europarat 2018).
Over the last forty years, the majority of countries in the world have passed some form of data privacy law (Greenleaf 2017). Rough consensus has formed regarding the essential principles of data protection law, drawing on the Council of Europe Convention 108 and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Greenleaf identifies a total of fifteen key principles across these two frameworks (Greenleaf 2013), including limits on data collection, consent requirements, purpose limitations, individual access and correction rights, accountability of data controllers, and openness of policies on personal data. Greenleaf finds these principles widely applied in a sample of ten Asian countries, with the notable exception of the principle of openness of policies on personal data, which was applied in only six of the ten countries assessed (ibid.).
Over the last decade, a number of new concepts have gained prominence in data protection discourse, captured in updated OECD and Council of Europe documents. In particular, these updates strengthened requirements for notification of data breaches (both CoE and OECD) and established greater rights in relation to automated decision-making (CoE), responding to concerns about applications of algorithmic decision-making systems and potential risks from big data. Another area of increasing focus is collective rights to data protection, seen, for example, in the adoption of Indigenous data sovereignty principles (e.g., Carroll et al. 2020) or in specifications of data holders’ responsibilities with regard to data at the individual level that has group-level consequences or describes membership in groups.