International Data Privacy Law: A Comparative Approach

by Panagiotis Kontakos

Introduction

Thanks to globalization and the massive technological development, many legal issues and questions arise from the use of the digital space. Data Privacy Law is a new legal field that is related to the rights and obligations in the digital space and the protection of fundamental human rights, especially the right to privacy. This research analysis intends to present the data privacy framework in the European Union, in the United States and in China through a comparative approach. It will also explain the different perspectives adopted by the EU, the United States and China in terms of the right to be forgotten.

The nature of Data Privacy

In order to better understand the data privacy legal frameworks, it is essential to explain the different definitions of data protection and privacy. Data Privacy is the area between data protection and privacy. It includes the protection of personal data against harms or violations arising from the use of Information and Communication Technologies (ICTs) for the purpose of securing privacy. Both concepts are based on human rights law. For example, the Charter of Fundamental Rights of the European Union recognizes the right to privacy and to data protection (Articles 7 and 8). In addition, the right to privacy is included in the Universal Declaration of Human Rights (UDHR) as well as in the International Covenant on Civil and Political Rights (ICCPR) (Diggelmann, 2014, pp. 441-458).

Data protection and privacy are two different general and inclusive concepts. Nevertheless, in order to fall under the scope of data privacy, two conditions shall be fulfilled: a) harm or risk of harm to an individual’s privacy, and b) this harm shall result from the use of Information and Communication Technologies (ICTs). In this context, data privacy corresponds to an area, where privacy meets data protection (Kokkot, 2013, pp. 222-228).

The approach of the European Union

In 2018, the European General Data Protection Regulation (GDPR) came into effect, after years of discussions. This Regulation modernized the EU data protection legislation by orienting it toward the economic and social challenges of the digital age. It replaced Directive 95/46/EC (the Data Protection Directive) (Schwartz, 2017, pp. 115-179). Under EU law, even though the GDPR is directly applicable, Member-States are expected to adapt their national laws to the provisions of this Regulation[1].

The GDPR recognizes the confidentiality of personal data as part of a general principle. According to Article 5(1)(f) of the GDPR, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (integrity and confidentiality).

It is important to underline that under the EU Human Rights Charter, both the right to privacy and the right to data protection are recognized. The Treaty of Lisbon establishes the data privacy rules as binding law. The International Bill of Human Rights imposes on states the obligation to “respect, protect and fulfill” the rights of people (UNHRC, 2019). The obligation to “respect” imposes negative obligations on the state to abstain from violations of human rights; the obligation to “protect” implies positive obligations to prevent violations caused by third parties. Article 8 of the ECHR imposes a negative obligation. However, several cases (such as Evans v. the United Kingdom[2] and Kroon and Others v. the Netherlands[3]) in the jurisprudence of the European Court of Human Rights confirm the positive obligations imposed on party members, in order to protect individuals from harms to their right to privacy.[4] The GDPR establishes a synthetic data privacy concept. Besides imposing negative legal responsibility on member states, the EU Regulation creates positive obligations to regulate operations in the private sector. In this way, states have the authority and obligation to protect the right instead of merely respecting it (EU, 2018, pp. 29-31).

The approach of the United States

The data privacy law in the U.S. is incomplete and sectoral. There is no comprehensive framework protecting data privacy; only some sectors (like health and financial) provide protection for data privacy. Emphasis is given to market conditions and the free flow of personal data.

In the U.S. Constitution, there is no concrete reference to the right to privacy nor to data protection. Even though the right to privacy was recognized in the case of Griswold v. Connecticut[5][6], there is a lack of specific constitutional basis for this right in the United States (Schwartz, 2017). The only indication of its protection could be found in the 4th Amendment of the U.S. Bill of Rights. According to this provision, “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”. This Amendment refers only to a part of privacy and there is no legal obligation of the government to protect it (Cobb, 2016). Moreover, the Constitution reflects obligations to the governmental authorities, but not to the private sector that mainly hurts data privacy. The voice of commerce and national security agencies directs the U.S. privacy laws. In the San Bernardino case, unlocking an individual’s iPhone to retrieve personal information was not even legally questioned (Benner, 2016).

In addition, the 1st Amendment of the U.S. Bill of Rights gives priority to the freedom of expression, setting aside the right to privacy. The freedom of expression enables the flow of information, creating a risk of harm to privacy rights. Under the light of the 10th Amendment, there is a different approach to data privacy laws among the States and the federal levels as well as among the States (Cobb, 2016, p. 3). A single data privacy law regime would be helpful for the consistency and cohesion of the application of the law. An example is given by California, which adopted a data privacy bill with many similarities to the EU legislation (Coldewey, 2016, pp. 1-17).

The approach of China

China recognizes the possible risks in the digital space through the Chinese Cybersecurity Law of 2017. Data privacy provisions can also be found in the Chinese Criminal Law.[7] A provision on the protection of personal information was included in the Chinese Civil Law in 2017.[8] Despite these steps, which are important for China, its approach is not mature and focuses mostly on the data protection side rather than on the privacy one (Triolo, 2017).

Privacy in China is influenced by the social structure. The interest of the group or public seems more “protected” than the privacy right. This results in the weak constitutional protection of data privacy.

The Chinese Constitution does not offer protection of all the aspects of the right to privacy under EU law. For example, personal dignity is recognized by Article 38 of the Chinese Constitution. However, in our example of personal dignity, the latter includes several aspects of the life and personality of the human being. Its total concept is beyond the one of the rights to privacy (Wang, 2011).

Under the Chinese approach, priority is given to Cybersecurity law, through which some aspects of the right to privacy are protected. The efforts of China on its data privacy protection should culminate in establishing data privacy as an individual right.

A Comparative Analysis

The strongest data privacy protection is provided by the EU legislation. The U.S. data privacy approach, on the one hand, is sectoral and market-orientated; China, on the other hand, focuses on cybersecurity issues.

In the European Union, the principles introduced by GDPR establish effective protection of data privacy. This de jure and de facto protection, the Supervisory Mechanism in terms of the application of the GDPR to the Member-States and the human rights approach on the right strengthen the comprehensive data privacy protection in the European Union. Some of the core principles of the GDPR are also reflected in Chinese law.

The data privacy law in China is a conjunction between the U.S. and EU legislation, which are opposite to each other. In China, the collective interests, the non-binding nature of these legal provisions as well as the national security approach result in an “affiliated” data privacy law that could lead to protection standards similar to the EU’s. Nonetheless, the commercial and security concerns and the weak legal basis on data privacy issues are the similarities of China’s and U.S. protection.

In the United States, the data privacy law is sectoral. Taking into consideration the different approaches between federal and state laws, the emphasis is given to the free flow of data as well as to the market-interest approach (Schwartz, 2017).

The Right to be Forgotten

The right to be forgotten is recognized as an official right and obligation by the European Union in the General Data Protection Regulation (Article 17 of GDPR). The right to be forgotten is usually placed in the context of cyberspace, whereas the right to privacy applies to the physical and digital world. The five types of rights in which the right to be forgotten is analyzed are: the right to rehabilitation, the right to deletion, the right to delisting, the right to obscurity and the right to digital oblivion (Voss, 2016, pp. 281-344).

Firstly, the right to delisting stems from the right to deletion. The core of the right is the deletion and erasure via conduct, such as removing linkages to certain information. Deletion means the blocking of access to someone’s data, instead of deleting the data per se. In the case of Google Spain[9][10], the right was for the first time confirmed, referring to the right to delisting.

Secondly, the right to obscurity intends to make an individual’s data obscure in order to fulfill privacy purposes. The aim is to increase the difficulty of data accessibility. Compared to the right to delinking, this right is less restrictive due to its incomplete erasure nature.

Thirdly, the right to digital oblivion refers to the actual removal of an individual’s data in the cyberspace. It creates an obligation for online data control and their removal for social concerns. Under the light of Article 17 GDPR, the oblivion right corresponds to erasure right (Voss, 2016, p. 335).

In the case of Google Spain, the Court of Justice of the European Union underlined that it is possible for the public interest to outweigh individual privacy. Nonetheless, the freedom of expression shall be exercised with respect to other people’s rights and reputation, without violating public interests (Article 19(3) ICCPR). The European Union human rights law imposes stricter measures, such as prohibiting hate speech.[11]

According to Article 17 of the GDPR, “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” if one of a number of conditions applies. “Undue delay” is considered to be about a month. You must also take reasonable steps to verify the person requesting erasure is actually the data subject.

The right to be forgotten is connected to the people’s right to access their personal information in Article 15. The right to control one’s data is meaningless if people cannot take action when they no longer consent to the processing, when there are significant errors within the data, or if they believe information is being stored unnecessarily. In these cases, an individual can request that the data be erased. But this is not an absolute right. If it was, the critics who argue that the right to be forgotten amounts to nothing more than a rewriting of history would be correct. Thus, the GDPR walks a fine line on data erasure (EU, 2018, pp. 27-35).

Under the light of U.S. legislation, there is not any law referring to the right to be forgotten. As codified in the U.S. Constitution, freedom of expression has the priority. Moreover, due to the fact that the nature of the right to be forgotten is to control the flow of data, such a right cannot be easily protected in a market-interest based society (Voss, 2016).

In China, the protection of the right to be forgotten does not exist. There is no trace of hard or soft law nor legislative efforts to protect this human right. Tort Law and Cybersecurity Law provide only indirect protection of rights with data privacy dimensions (Triolo, 2017).

Conclusion

In conclusion, this analysis shows the different approaches adopted by the European Union, the United States and China on data privacy protection. The EU legislation, especially the GDPR, provides effective data privacy protection, with a human rights emphasis. Nonetheless, the U.S. approach is sectoral and influenced by the market’s interests. China focuses on data privacy through a cybersecurity perspective. Apart from governmental action, each one of us should be aware of the risks of online navigation as well as of the ways of preventing these harms, in order to be able to enjoy safely the economic and societal benefits of the digital transformation.

Bibliography

[1] Benner, K. &. L. E., 2016. US Says It Has Unlocked iPhone Without Apple., The New York Times.

[2] Cobb, 2016. Data Privacy and Data Protection: US law and legislation. ESET White Paper.

[3] Coldewey, E., 2016. The Right to be Forgotten. Oxford Research Encyclopedias.

[4] Diggelmann, O. &. C., 2014. How the Right to Privacy Became a Human Right. Human Rights Law Review.

[5] EU, 2018. Handbook on European Data Protection Law. Office of the European Union.

[6] Kokkot, J. &. S., 2013. The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR. C ed. International Data Privacy Law.

[7] Schwartz, P. M. &. P., 2017. Transatlantic Data Privacy. Georgetown Law Journal.

[8] Triolo, P. &. S. S. &. W. G. &. C. R., 2017. China’s Cybersecurity Law. New America.

[9] UNHRC, 2019. United Nations Human Rights Office of The High Commissioner. [Online]

[10] Voss, W. &. C.-R., 2016. Proposal for an International Taxonomy on the Various Forms of the Right to be Forgotten. Journal of Telecommunication and High Technology Law.

[11] Wang, H., 2011. Protecting Privacy in China: A Research on China’s Privacy Standards and the Possibility of Establishing the Right to Privacy and the Information Privacy Protection Legislation in Modern China. Heidelberg: Springer.

[1] Concerning the EU Directives, the Member States need to incorporate to their national legislation specific measures in order to fulfill the goals of the Directive. A “directive” is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals. In contrast, EU Regulations come into effect automatically, without the procedure concerning the Directives.

[2] Case Evans v. the United Kingdom, No. 6339/05.

[3] Case Kroon and Others v. the Netherlands, No. 18535/91.

[4] The Court underlined that “the principal issue was whether the legislative provisions as applied in the case struck a fair balance between the competing public and private interests involved”. The so-called “margin of appreciation” by the Member-States played a primordial role in these cases.

[5] In Griswold v. Connecticut (1965), the Supreme Court ruled that a state’s ban on the use of contraceptives violated the right to marital privacy. The case involved a “Connecticut Comstock law” that prohibited any person from using “any drug, medicinal article or instrument for the purpose of preventing conception.” The court held that the statute was unconstitutional, and that “the clear effect of [the Connecticut law …] is to deny disadvantaged citizens … access to medical assistance and up-to-date information in respect to proper methods of birth control.” The Supreme Court invalidated the law on the grounds that it violated the “right to marital privacy”, establishing the basis for the right to privacy with respect to intimate practices. This and other cases view the right to privacy as a right to “protect[ion] from governmental intrusion.”

[6] Case Griswold v. Connecticut, No. 381 U.S. 479 (1965).

[7] See Articles 253 and 286 of the Chinese Criminal Law.

[8] See Article 111 of the General Rules of Civil Law of PRC.

[9] The outcome of the case is that an Internet search engine must consider requests from individuals to remove links to freely accessible web pages resulting from a search on their name. Grounds for removal include cases where the search result(s) “appear to be inadequate, irrelevant or no longer relevant or excessive in the light of the time that had elapsed.”  If the search engine rejects the request, the individual may ask relevant authorities to consider the case. Under certain conditions, the search engine may be ordered to remove the links from search results.

The decision was claimed as a so-called right to be forgotten, although the Court did not explicitly grant such a right, depending instead on the data subject’s rights deriving from Article 7 (respect for private and family life) and Article 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union.

[10] Google Spain SL, C-131/12.

[11] Google Spain, Case C-131/12, para. 97.
