New blog post published in IAPP Privacy Perspectives by Paul de Hert and Vagelis Papakonstantinou on 28 April 2016.
While the protection of privacy constitutes by now a global concern, new technologies or methods of processing, such as big data, the Internet of Things, cloud computing, or smartphone applications, may easily drive to despair any legislator who attempts to apply local jurisdiction approaches on personal data processing that is by design addressed directly to individuals anywhere in the world and treats national borders as irrelevant.
Quite contrary to what is urgently needed, an entrenchment attitude may be identified even in data protection models devised today: The EU General Data Protection Regulation is intended to govern in a detailed and direct manner all personal data processing in the EU and place it under its strict conditions and procedures. Its extraterritorial effect is warranted not only through the adequacy criterion that is preserved more or less intact in its text but also through an ambitious approach on its scope, as recently reinforced by important CJEU case law.
The Council of Europe Data Protection Convention, also currently under a modernisation process, broadly follows the EU Regulation model, implementing an adequacy criterion and strict rules with regard to personal data processing. This probably explains why non-EU countries have viewed its ratification as a preliminary stage to being granted an “adequacy” finding by the EU. Even the OECD – through the amendment of its data protection guidelines that took place in 2013 – moved towards a more structured and formal approach to personal data processing.
On the other hand, the rest of the world shows an increased interest in data protection issues, with more than 100 countries having by now enacted some sort of data protection law within their respective jurisdictions. However, this does not necessarily mean that they all approve of and subscribe to the EU model – or even to models similar to it.
What we are therefore faced with is a chronicle of a collision foretold.
Regulatory approaches are diverging, failing to reach out to each other. Even compatibility among them is hard to achieve, as the current Privacy Shield saga demonstrates. While the right to privacy, or to data protection in the electronic context, is globally acknowledged as an important safeguard for individuals in the digital era, the way to protect it is understood differently in different parts of the world. Consequently, it appears that global cooperation and coordination are imperative. However, the ways to achieve it vary considerably and seemingly insurmountable obstacles lie ahead.
Some hope may come from the UN. Since July 2015, the UN Human Rights Council has appointed Prof. Joseph Cannataci as its first-ever Special Rapporteur on “The Right to Privacy in the Digital Age.” His mandate is, among others, to gather information, identify obstacles, take part in global initiatives, and raise awareness. Cannataci embarked enthusiastically on his new role, having undertaken an impressive number of initiatives during his first year in office. In mid-March 2016 he presented his first annual report to the UN Human Rights Council.
We have argued before about the need for an international treaty to govern data privacy; we have pointed to the WIPO and the intellectual property protection model as useful inspiration and have identified the UN Guidelines of 1991 as a suitable regulatory model that could meet global consensus and attain the basic data protection purposes, constituting the global information privacy minimum.
The hope for a global privacy treaty was also expressed by Prof. Graham Greenleaf, as soon as the new Rapporteur had been appointed. A few months later, in October 2015, the 37th International Conference of Data Protection and Privacy Commissioners welcomed the new Rapporteur, reaffirmed its older idea on releasing an additional protocol to Article 17 ICCPR, and called upon him to promote the start of negotiations on such a protocol within his first mandate.
This opportunity was indeed duly noted by Cannataci, who took special care to insert in his first annual report as part of his “ten-point action plan” the “investment in international law.” While agreeing with the above approach of releasing an additional protocol to Art. 17 of the ICCPR, he takes a step further and carefully notes that “some other privacy-relevant matters, especially issues of jurisdiction and territoriality in cyberspace cannot be addressed satisfactorily unless there is a clear international agreement to that effect, one which would normally take the form of agreement in a multilateral treaty most probably on a specific topic or set of issues.” Nevertheless, he immediately clarifies that “for the avoidance of doubt it should be stated that what is envisaged is not one new global all-encompassing international convention covering all of privacy or Internet governance. It is far more realistic to expect that protection of privacy can be increased through incremental growth of international law,” leaving to mid- or long-term the development of entirely new legal instruments.
We feel that this approach, while sensible and even perhaps realistic, sets the bar too low.
Pressing global personal data processing concerns may not be addressed by means of additional protocols, obscure and remote to individuals, or incremental changes to existing instruments. Instead, we believe that it is time to launch the idea of setting up a new UN specialised agency to regulate data privacy globally. Its text of reference could very well be the UN 1991 Guidelines. They include all the basic components of good data protection legislation without at the same time threatening to stifle personal data processing. They are the right means to achieve global consensus on the absolutely minimum standards for personal data protection.
We believe that global issues cannot be addressed locally or even regionally. The protection of their privacy troubles individuals everywhere in the world. In response, countries and regions hurry to introduce some form of data protection legislation, indifferent to, if not competing with, the regulatory models of their neighbors.
A bottom-up approach, such as the one applied today in practice, will not work. Instead, a top-down approach whereby an international organisation will set the global tone and minimum level of protection has far better chances to address individual concerns in a satisfactory way. The only candidate until today for this role has been the Council of Europe, which has cleverly opened up its Convention to ratification by non-members as well. However, by definition, the Council remains regional and therefore unable to convince individuals in other continents.
The UN is the obvious candidate for this role.
It has the necessary legal tools as well as the global visibility and good will – and now it also has a high-profile individual to use them and promote this cause and even take up the global go-to role when certain country approaches create difficulties for their citizens (as was already the case with the UK).
On the other hand, if the bar is set too low and global issues are addressed through specialised, little-known legal instruments, data protection could be lost in micro-management, implementing schemes as complicated and remote to individuals as the Privacy Shield arrangement. We therefore believe that it is time to raise our eyes from the routine, legalistic treatment of personal data processing issues and face the greater picture. There has been until today no better time and no better circumstances to launch the idea of a new UN specialised agency for the protection of information privacy globally.