This module is a resource for lecturers

Data protection legislation

Personal data is protected under the right to privacy in international human rights instruments. For example, the European Court of Human Rights has held that telephone data, emails, and Internet use ( Copland v. the United Kingdom, 2007 §§ 41-42), and data stored on computer servers ( Wieser and Bicos Beteiligungen GmbH v. Austria, § 45), fall within the scope of protection of Article 8(1) of the European Convention on Human Rights. The mere storage of personal data can violate a user's right to privacy. The violation depends on the context in which the data was collected, the way it was collected, processed, and used, and the outcome of this processing ( S. and Marper v. the United Kingdom, 2008). Moreover, in Tristán Donoso v. Panama and Escher et al. v. Brazil (2009), the Inter-American Court of Human Rights held that data gathered and transmitted via new digital technologies and the Internet are covered under Article 11 of the American Convention on Human Rights of 1969. Furthermore, Article 8 of the African Union Convention on Cyber Security and Personal Data Protection of 2014 covers the right to "respect to personal data." What is more, Article 8(1) of the Charter of Fundamental Rights of the European Union of 2000 and Article 16(1) of the Treaty on the Functioning of the European Union of 1957 (a.k.a. Treaty of Rome) consider the protection of personal data as a fundamental human right.

Data protection covers the generation, collection, storage, analysis, use, and sharing of personal information. Data protection covers the generation and collection of personal data because "[t]he right to privacy is not only impacted by the examination or use of information about a person by a human or an algorithm…[(Bernal, 2016) but also]…the mere generation and collection of data relating to a person's identity, family or life…(see A/HRC/27/37, para. 20)…[( Rotaru v. Romania, 2000; Kopp v. Switzerland, 1998; and Roman Zakharov v. Russia, 2015)]" ( A/HRC/39/29, para. 7).

Databases that contain personal data can be queried, searched, edited, updated, and accessed by public and private agencies between and across countries. The governance of private and public agencies' collection, storage, use, and sharing of information varies by country. According to a 2018 Report of the United Nations High Commissioner for Human Rights,"[t]he increased interlinking of public and private data processing and the track record to date implying mass, recurrent misuse of personal information by some business enterprises confirm that legislative measures are necessary for achieving an adequate level of privacy protection" (citing A/HRC/RES/34/7, para. 5(f) and A/HRC/RES/38/7, para. A/HRC/39/29, para. 27). Personal data could be processed by countries with strong data protection laws, weak data protection laws, or countries with no data protection laws. For example, in Ghana, Section 60 of the Data Protection Act 2012 enables the Government to access personal data without a warrant or other legal order (e.g., court order) in the interests of national security.

Data protection practices also vary between public and private authorities. In the United States, for example, only certain types of data collected, stored, analysed, and shared by private companies is regulated (e.g., financial, health, education, and children's data; Maras and Wandt, 2019). Furthermore, in certain countries protections vary depending on the type of data (e.g., email content is afforded greater protection than the email address of sender or recipient). Data protection laws vary according to types and sources of data (e.g., sectoral data, online data, offline data, and sensitive data) and data subjects (e.g., adults and children). Mexico has two data protection laws, one that regulates the private sector, Federal Law on Protection of Personal Data Held by Private Parties of 2010, and one that regulates the public sector, General Law for the Protection of Personal Data in Possession of Obliged Subjects of 2017. Mexico also has certain provisions in the law that regulate private data relating to cloud services, including the regulation of law enforcement access to stored data in the cloud and the handling of data after the termination of cloud services.

The cross-border nature of the Internet requires transnational data protection regulation that extend beyond national frameworks and law. Examples include the African Union Convention on Cyber Security and Personal Data Protection of 2014 and the Economic Community of West African States (ECOWAS) Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS. These regional laws and frameworks were influenced by the EU Data Protection Directive ( Directive 1995/46/EC) (Greenleaf, 2011; Orji, 2017; Makulilo, 2013a; Makulilo, 2013b). Directive 1995/46/EC was replaced by the EU General Data Protection Regulation (GDPR) on 25 May 2018. This single data protection law governs data processing, storage, use, and exchange of data in EU Member States and other countries, agencies, and private organizations outside of the EU that provide goods and services to the EU, and process data of EU residents. The GDPR seeks to harmonize the secure data processing, storage, use and exchange of personal information. This law minimizes the digital footprint of users and the way apps, technology, and Internet services and platforms exploit this footprint. The GDPR strengthens the privacy rights of individuals and enhances the free flow of personal data across borders by harmonizing data protection practices. The GDPR provided clarity on what constitutes personal data, set rules for the handling of data, delineated roles and responsibilities of those who control and process personal data, created greater penalties for noncompliance, and compelled notification of data breach within 72 hours of the incident.

This regulation mandates new obligations for data controllers (i.e. the entity that determines the reasons for data processing and the methods used to process data), and data processors (i.e., the entity that is responsible for the processing of data based on methods identified by the data controller). The GDPR regulates data access, rectification, erasure, transparency of data processors and controllers; provides a right to object to profiling practices; imposes data security obligations on companies that process data; and provides increased powers to data protection authorities and facilitates the coordination and cooperation in data processing and protection. This regulation also provides steep fines and penalties for non-compliance.

Did you know?

In Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González (2014), the European Court of Justice identified search engine operators, such as Google, as data controllers because they control personal data held by third party websites by making these websites available to others and deciding the way these websites are made available.

Users have the right to be informed of data processing; the right to access processed data; the right to rectify processed data; the right to erasure ("right to be forgotten"; the data subject has the right to request and have his/her data deleted from the data controller logs, and prevent the further use and transfer of the data subject's personal data by third parties); the right to object to data processing; the right to restrict processing of data; the right to the portability of data (i.e., data subject has the right to request their personal data from the data controller and transfer that data to another data controller); and the right not to be subjected to a decision based exclusively on an automated process (e.g., profiling).

The Right to Be Forgotten

In Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González (2014), the European Court of Justice interpreted Directive 1995/46/EC as enabling users to request to have their personal data de-indexed from search engines and browsers. Specifically, the court held that individuals have the right to request that data controllers (e.g., browsers and search engine operators, such as Google) remove links to third party websites that include incorrect, incomplete, irrelevant, no longer relevant, or no longer valid information about them. Particularly, the individual can request to have the links that appear because of searches of the user's name to this content to be deleted. This de-indexing is limited to the content that has been indexed under the user's name. This de-indexing would not prohibit availability of this content indexed under a different search term based on content, publication or other source, or publisher or author of the content.

The GDPR applies to EU establishments, which has been broadly interpreted by the European Court of Justice as an organization that processes data in the context of its activities, even if these activities are minimal ( Weltimmo v. NAIH, 2014). As long as they occur in the context of some arrangement that exists in the European Union, this data processing is covered by the GDPR. Organizations with EU offices and those who promote or sell marketing or advertising services that target residents of the EU are also subject to the GDPR. Even certain non-EU establishments are subject to the GDPR, if they process personal data to offer goods and services to EU residents and to monitor consumer behaviour in the EU for consumer profiling, identifying patterns, and predicting personal preferences of users.

The GDPR does not apply to the processing of personal data for national security reasons and pursuant to the EU's common foreign and security policy (i.e., for defence and security matters). The GDPR also does not apply to data processed by EU institutions, which is governed by Regulation (EC) no 45/2001 of the of the European Parliament and of the Council of 18 December 2000 "on the protection of individuals with regard to the processing of personal data by the institutions and bodies of the Community and on the free movement of such data." The GDPR also does not apply to data processed by public authorities in the course of the prevention, detection, investigation, and prosecution of crime, which is governed by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 "on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data."

The Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processingof Personal Data of 1981 (ETS No. 108) is a legally binding international data protection treaty. An additional optional protocol to the Convention, the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows of 2001, called for the establishment of supervisory authorities to ensure the protection of data and respect for privacy in data sharing. A further protocol (CETS No. 223) amended and updated the 1981 Convention (i.e., the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 2018). According to the Council of Europe (n.d.), the modernisation of the Convention "pursued two main objectives: to deal with challenges resulting from the use of new information and communication technologies and to strengthen the Convention's effective implementation" (see further: the main novelties of the modernized Convention; and a comparative table of the 1981 Convention and the modernized Convention).

In addition to national, regional, and international data protection laws, there are guidelines and principles that have been created by countries and intergovernmental organizations and implemented by public and private sectors around the globe, such as the Organization for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980; 2013).

The Privacy and Data Protection Principles of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 2013 are as follows:

Collection Limitation Principle

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle

Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose Specification Principle

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:

  • with the consent of the data subject; or
  • by the authority of law.

Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

Openness Principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle

An individual should have the right:

  • to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
  • to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
  • to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
  • to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

Accountability Principle

A data controller should be accountable for complying with measures which give effect to the principles stated above.

Similar principles have been adopted in national law. See, for example, New Zealand's Privacy Act of 1993 and Australia's Privacy Act of 1988.

Next: Data breach notification laws
Back to top