The Need for International Standards on Data Protection: A Human Rights Perspective

In today's digital era, companies operating in states with inadequate or non-existent data protection regimes can pose a significant threat to human rights.  International and regional standards have already identified common principles, in instruments such as the OECD guidelines, the Convention 108+ of the Council of Europe, and at a regional level, the General Data Protection Regulation (GDPR). Nonetheless, the need for global minimum standards for the protection of personal data is more urgent than ever. To date, there has been no such unified global agreement on data protection and opinions have been split as to whether it is realistic (or even desirable) to aim for one.

What has been termed the ‘information revolution’ is affecting the manner in which we interact with individuals, organisations and governments[1] but has also brought about undesirable side effects, including dataveillance, discrimination and democratic erosion. The extent to which an international agreement on data protection is desirable or realistic is debatable; yet, its significance is undeniable. In the absence of a global treaty, states should aim for a common plan of action to safeguard human rights principles and the fundamental right to data protection. 

In this article, I will explore the possibility of developing a global agreement on data protection law and policy by reflecting on recent achievements. I will then analyse the obstacles to reaching a consensus and will critically discuss whether these can be overcome. Given the cross-sectoral nature of the topic, I will confine my discussion to concerns regarding national sovereignty. Through modern examples, I will attempt to show the need for reform.

Data Protection: Legal Framework

‘Data protection’ concerns the protection of information of persons (‘data subjects’) from the impact of data-processing[2]. ‘Data protection’ and ‘data privacy’ have a complex relationship; the latter is protected in numerous international legal treaties while the former is not. The Universal Declaration of Human Rights recognises in Article 12 that ‘no one shall be subjected to arbitrary interference with his privacy...’[3] and Article 8(1) of the European Convention of Human Rights provides that ‘everyone has the right to respect for his private and family life...’[4]. Directive 95/46/EC considers data protection as the protection of ‘the fundamental rights and freedoms…and in particular their right to privacy with respect to the processing of personal data’[5]. The GDPR, which repeals the aforementioned, states that it ‘protects fundamental rights and freedoms…in particular their right to the protection of personal data’[6]. Nonetheless, there is still confusion on a global level as to how data protection should be perceived[7]. This is because of the uneven approach to data protection across the globe. For instance, the OECD Guidelines originally described data protection as a requirement for economic growth[8], the US perceives it as a tool for consumer protection whereas the EU considers data protection a fundamental right. For the purposes of this article, I approach data protection through a human rights point of view, and argue therefore, that the right to data protection should be embedded in a global treaty.

Is a Universal Agreement Desirable?

One of the most noteworthy challenges for aiming for a global data protection agreement lies in states’ concerns over national sovereignty. Striking a balance between sovereignty and rights largely depends on the political and legislative structures of nations. For example, states that follow American-style regulation would be more likely to favour a ‘laissez-faire’[9] regime and self-regulation. Therefore, they would prefer to rely on private businesses to avoid government-related costs. In the EU, regulation is stricter: fines following GDPR have reached €50 million[10]. Russia and China, however, focus on the state as the epicentre of data protection and management. The Snowden revelations on the NSA’s activities and the use of profiling for conducting foreign policy were significant for global data sovereignty debates. Though the adoption of a global agreement would signify global consensus on the importance of the right to data protection, its enforcement would be, at best, questionable. Because treaties depend on the consent and willingness of states and not individuals to implement them, it is possible that an agreement will be little more than paying lip service. For as long as nations are unwilling to strike a balance between individual rights, sovereignty and security, and instead continue to regard individuals’ information as their sovereign property, approaches to data protection will continue to diverge.

Realistic? Contemporary Cases and the Need for Reform

Threats such as cybercrime, mass surveillance and the ability of artificial intelligence to intrude into our private lives and manipulate personal data, are ubiquitous. International espionage has become common practice, with the UN reporting 80% of sophisticated criminal gangs as one of the largest illegal economies globally.[11] These developments render the need for comprehensive reform urgent. The case of Cambridge Analytica revealed the ethically dubious means of political persuasion that were prevalent during both the Trump campaign and the Brexit referendum. These practices not only have implications for democracy, but they also exploit emotional vulnerabilities, potentially harming individuals. This is particularly needed in the current political climate: with populism as a rising global threat, there is increasing potential for the exploitation of data as a tool to promote certain political agendas.

An interesting example to look to is the PNR agreement, wherein the right to data protection had to be balanced against political concerns: the US imposed certain obligations regarding the transfer of passenger names in the name of combatting terrorism. In 2006, the CJEU invalidated the PNR agreement[12], as it was based on security issues and failed to consider other concerns. With respect to transborder data flows, the CJEU in Schrems[13] further invalidated ‘Safe Harbour’[14], stating that ‘legislation permitting the public authorities to have access…must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter’[15]. Given the global nature of the repercussions of the aforementioned issues, they cannot be limited to national borders, and therefore ought to be tackled at a global level.

Conclusion

Aiming for a global treaty is desirable in light of the contemporary political climate, though not the most realistic. The upsurge in data protection regulation is a ‘testament to data protection’s rising importance on the global agenda’[16]. The rising concerns over data protection necessitate urgent global response. This renders the adoption of an international agreement paramount for ensuring a harmonised and more coherent global policy on the individual’s fundamental right to data protection.

[1] Taffere Tesfachew, Data Protection Regulations and International Data Flows: Implications for Trade and Development (1st edn, United Nations 2016) iii

[2] Lothar Determann, Determann's Field Guide to Data Privacy Law (3rd edn, Edward Elgar Publishing 2017) xv

[3] UN General Assembly (UNGA), Universal Declaration of Human Rights (adopted 10 December 1948 UNGA Res 217 A(III) (UDHR)

[4] Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, as amended) (ECHR) Art. 8

[5] Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, as amended) (ECHR) Art. 8

[6] EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ  L 119/01

[7] Maria Tzanou, “Data Protection as a Fundamental Right”. in The Fundamental Right to Data Protection: Normative Value in the Context of Counter-Terrorism Surveillance (Oxford: Hart Publishing 2017) 14

[8] OECD, Thirty Years After: The OECD Privacy Guidelines [2011] 14

[9] Harvard RCC, 'Privacy and Data Protection: The US Laissez-Faire Approach vs the European GDPR Standard' (Harvard.edu 2018)<https://rcc.harvard.edu/event/privacy-and-data-protection-us-laissez-faireapproach-vs-european-gdpr-standard> accessed 7 April 2019

[10] Le Service Public de la Diffusion du Droit, ‘Délibération de la formation restreinte n° SAN – 2019-001’ (Gouv.fr, 21 January 2019) <https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000038032552&fastReqId =2103387945&fastPos=1>accessed 7 April 2019)

[11] United Nations Office on Drugs and Crime (UNODC) ‘Report on The Globalisation of Crime: A Transnational Crime Threat Assessment’ (2010)

[12] Joined Cases C-317/04 European Parliament v Council of the European Union and C-318/04 Commission of the European Communities [2006] ECR 2006 I-04721

[13] Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650

[14] Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) [2000] OJ 2 215/7/01

[15] Schrems, (n19) 24 para. 94

[16] Consumers International, Report on ‘The State of Data Protection Rules around the world: A briefing for Consumer Organisations’ (2018) 5

About the author:
Evgenia Chamilou is a third year Warwick LLB Law student and upcoming LLM student at the London School of Economics and Political Science, aiming to specialise in Public International Law.  Her research interests are primarily international and EU law and she aspires to follow a career in international legal affairs and diplomacy. In the past, she has contributed to student blogs such as ‘The Law Hub’ and the ‘Peace Conference’. She is currently the Cypriot Youth Delegate at the Congress of Local and Regional Authorities of the Council of Europe, Coordinator of the GreenDeal4Youth and Board Member of the United Nations Youth and Student Association of Cyprus.

Connect with the author on LinkedIn.