The United Nations data privacy system and its limits

ABSTRACT

While the United Nations (UN) pioneered in recognizing the impact of modern technological developments on (data) privacy as far back as 1968, little has so far been achieved in terms of introducing a truly global data privacy framework. The present UN data privacy framework is by and large a mere patchwork of rules that exhibit a number of weaknesses. This weak structure of the present framework is a result of political and ideological controversies of the Cold War era. This article considers the extent to which the current UN data privacy system provides protection to data privacy and highlights its major limitations. It concludes that the discourse at the UN set in motion, particularly in the aftermath of the Snowden revelations, wields a potential to result in a major reform in the UN data privacy system.     

The future of data protection: Gold standard vs. global standard

While GDPR has been described as the new gold standard for data protection, Convention 108 may represent the potential global standard in this field. The recent progressive expansion of the Council of Europe's model and the modernised version of the Convention have revitalised its role in the global context.In a multipolar world of different regulatory approaches where data protection legislation in many countries is still absent or in its early stages, Convention 108 could be seen as representing the embodiment of the Latin saying “in medio stat virtus”. Between the extremes of a weak safeguarding of individual rights and a gold standard, Convention 108 provides a solution that is good enough and workable in many different contexts, without necessarily reaching a gold standard.     

The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition

The year 2010 set an important milestone in the development of data protection law in Europe: both Europe's basic regulatory texts, the EU Data Protection Directive and the Council's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), were placed at an amendment process, having served individual data protection for many years and witnessed in the meantime technological developments that threatened to make their provisions obsolete. After briefly presenting Convention 108, the analysis that follows will highlight the Council's data protection system currently in effect as well as developments relating to the Convention's amendment so far with the aim of identifying improvements and shortcomings. While doing this two separate points of view shall be adopted: at first a micro point of view will attempt to identify improvements and shortcomings through an ‘insider’ perspective, that is, judging only the merits and difficulties of the draft text at hand. Afterwards a macroscopic view will be adopted, whereby strategic issues will be discussed pertaining to the important issue of the relationship of the suggested draft with the EU data protection system, as well as, the same draft's potential to constitute the next global information privacy standard.     

Framing Big Data in the Council of Europe and the EU data protection law systems: Adding ‘should’ to ‘must’ via soft law to address more than only individual harms

On 19 November 2019 the Council of Europe hosted an international conference, immediately preceding the annual plenary meeting of its Committee of Convention 108, on “Convention 108+ and the future data protection global standard”. One of the authors made a presentation on “Comparing the EU and Council of Europe approach to Big Data”, and it is its contents and findings that are further elaborated in this paper; Its aim is, in essence, to incorporate the feedback received and to adapt past research on Big Data, that was mostly relevant to the EU, also on the Council of Europe data protection system. After a few preliminary remarks on Big Data terminology and possible regulatory approaches, Big Data regulation is examined against the EU and the Council of Europe data protection systems. Particular emphasis is given to the Council of Europe regulatory approach both in terms of Convention 108+ and with regard to its Guidelines on Big Data and AI. The authors believe that, because both the EU and the Council of Europe have avoided to refer to Big Data in their basic data protection regulatory texts (a most likely intentional omission), guidance is indeed needed, and it may well come in the form of soft law. The Council of Europe has taken the lead in this through its Guidelines; Their timely, comprehensive and balanced approach showcases the Council's will for such processing to indeed take place, but within a well-regulated environment, albeit not under a rigid regulatory construction.     

How far can Convention 108+ ‘globalise’? Prospects for Asian accessions

The ‘globalisation’ of Council of Europe data protection Convention 108 through non-European accessions has continued steadily, with eight such accessions since the first in 2013. The ‘modernisation’ of the Convention was completed on 10 October 2018 when the amending protocol for the new ‘Convention 108+’ became open for signature. Any new countries from outside Europe wishing to accede will have to accede to both Convention 108 and the amending Protocol (ie to 108+). The standards required of the laws of acceding countries by 108+ are higher than those required by 108, and are arguably mid-way between 108 and those of the European Union's General Data Protection Regulation (GDPR).This article examines to what extent each of the 26 ‘countries’ (separate jurisdictions) in Asia are likely to be able to accede to 108+, if they wish to. As yet, none have acceded to 108. It proposes an efficient way to consider such a question across such a complex set of jurisdictions. Fifteen of the 26 Asian countries already have data privacy laws, and two others have official Bills for such laws. An assessment of the prospects for accession can be done by considering in order the following grounds which may be impediments to accession: Jurisdictions which are not States; States which are not democratic; Laws of inadequate scope; Laws lacking an independent data protection authority; Laws with substantive provisions falling short of 108+ ‘accession standards’; States with proposed Bills only; and States with no relevant laws or proposed Bills.The most difficult step in this procedure is in deciding which of the substantive provisions of 108+ constitute its ‘accession standards’, or elements essential for accession to be invited. Neither the Convention, nor the guidelines issued by its Consultative Committee, shed much light on this question. However, previous practice under Convention 108, show there is some flexibility involved.The article concludes with suggestions as to how such flexibility can be made more transparent, and observations on which Asian countries, in light of the seven step assessment carried out in the article, are the most likely candidates to be able to accede to 108+, in both the short and medium terms.     

‘Modernising’ data protection Convention 108: A safe basis for a global privacy treaty?

Proposals for the reform or ‘modernisation’ of Council of Europe Data Protection Convention 108 have now been forwarded from the Convention's Consultative Committee for consideration by the Council of Ministers. This article assesses the changes proposed, which strengthen the obligations of Parties to implement the Convention as a matter of effective practice, not just as a law on paper. It tightens most of the existing data protection principles, and adds new ones which better align the Convention with the EU Directive (and proposed Regulation). The Convention Committee will have explicit new functions including assessing candidates for accession, and periodically reviewing implementation by existing parties. However, the proposals concerning the required standard for data export limitations are in some respects ill-defined and dangerous for data subjects. The existing standard that personal data can only be exported if the recipient provides ‘adequate’ protection has been abandoned for an undefined requirement of ‘appropriate’ protection. The article situates the risk of abandoning meaningful data export restrictions in the context of the USA's push for ‘interoperability’ of very different data protection standards.     

The ‘Strasbourg Effect’ on data protection in light of the ‘Brussels Effect’: Logic,mechanics and prospects

This article considers various factors that will shape the potential effect of the Council of Europe's modernised Convention on data protection (Convention 108+) on non-European states’ regulatory policy. It does so by elucidating the logic and mechanics of this effect in light of the ‘Brussels Effect’ that is commonly attributed, in part, to EU data protection law. The central arguments advanced in the article are that the impact of Convention 108+ beyond Europe will rest primarily on the Council of Europe's ideational power tempered by processes of acculturation, and secondarily on the degree to which the EU is willing to use the ‘Brussels Effect’ as a vehicle for promoting non-European states’ accession to the Convention.     

Schrems II,from Snowden to China: Toward a new alignment on transatlantic data protection

When the Court of Justice announced the judgment in Schrems I, commentators described the outcome as an "earthquake" that tossed aside the fragile legal framework for transatlantic data flows known as the “Safe Harbor”. The judgment of the Court in Schrems II has now toppled the second framework, the “Privacy Shield”. In this article, I restate recommendations to the US Congress following the first Schrems judgment: (1) enact a comprehensive privacy law, (2) establish an independent data protection agency, and (3) ratify Council of Europe Convention 108. But I also explain that the United States and Europe are more aligned today in the common enterprise of data protection than they were five years ago, as the backdrop has shifted from the disclosures of Edward Snowden to the surveillance ambitions of the Chinese government. A common approach is therefore in the interests of these two key trading partners. There is also today shared urgency in strengthening the foundations of democratic institutions.     

Privacy and the precautionary principle

The precautionary principle – which implies that where there are threats of serious or irreversible damage, lack of full scientific certainty shall not be used as a reason for postponing protective measures – has been adopted as a standard of environmental and health protection in international and European legislation. This article offers an overview of the precautionary principle as a legal standard applicable to European privacy and data protection legislation. For this reason, it takes particularly into account the guidelines of this legislation as well as the privacy impact assessment framework, raised by the European Commission through the Recommendation on Radio-Frequency Identification applications. In brief, the article stresses the role of the precautionary principle in improving privacy protection through liability, prudence and transparency.     

30 years on - The review of the Council of Europe Data Protection Convention 108

The Council of Europe is engaging in a process of revising its Data Protection Convention (Convention 108) to meet and overcome these challenges. The Council of Europe celebrates this year the 30th Anniversary of its Data Protection Convention (usually referred to as Convention 108) which has served as the backbone of international law in over 40 European countries and has influenced policy and legislation far beyond Europe’s shores. With new data protection challenges arising every day, the Convention is revising its Data Protection Convention. Computer Law and Security Review (CLSR) together with the Intl. Association of IT Lawyers (IAITL) and ILAWS have submitted comments in response to the Expert Committee’s public consultation on this document. CLSR aims to position itself at the forefront of policy discussion drawing upon the high quality scholarly contributions from leading experts around the world.     

Domestic violence and child participation: contemporary challenges for the 1980 hague child abduction convention

ABSTRACT

This article addresses two contemporary challenges for the 1980 Hague Child Abduction Convention: (i) domestic violence and (ii) child participation. It also outlines three components of a global socio-legal policy and research initiative undertaken to address these issues and, where relevant, their intersection. The published literature on these topics, including the children’s objections exception, is explored, as are the ways in which these challenges are addressed within some of the 101 Contracting States to the Convention and through the Guide to Good Practice on Article 13(1)(b) of the Convention. Regard is paid to the data provided by the statistical analysis of applications made under the Convention in 2015 by Lowe and Stephens, and the changes which will occur once the Recast of The European Brussels 11a Regulation comes into operation. The likely impact for 1980 Hague Convention abduction proceedings of the UK having left the European Union at 23.00 GMT on 31 January 2020 is contemplated. Other current international initiatives are discussed, including the development of a child-friendly version of the Convention through The International Association of Child Law Researchers. Training is a key to changing attitudes and upskilling family justice professionals to ensure the Convention operates in a fully child-centric way. This will maintain and strengthen the Convention by keeping it ‘fit for purpose’.     

The Transfer of Personal Data to Third Countries Under EU Directive 95/46/EC

The 1981 Council of Europe Convention 108 and EU Directive 95/46/ EC assert that data protection is privacy protection. Consequently, countries with data protection rules control trans-border data flows to protect the rights of their citizens. Under the Directive, but subject to some derogations, personal data may only be transferred to third countries with adequate protection. 'Adequacy' is to be assessed in the light of all the circumstances. Alternative safeguards can be provided by means such as contractual arrangements. The Data Protection Commissioners have tried to define 'adequacy' as the usual data protection principles plus an assurance of compliance. This can be delivered by self-regulation as well as formal law. The Directive has not made a radical break with the past. The usual principles are those found in Convention 108 and in the 1980 OECD Guidelines. Those instruments also dealt with the control of trans-border data flows because of fears of restrictions on the free flow of information. The flexibility of the effective current UK law, which permits flows whilst preventing those which would lead to a breach of data protection, would have prevented the acrimony of the current debate with third countries. National laws on transborder data flows long pre-date the Directive and data protection authorities can be expected to continue to promote pragmatic methods of protecting exported data such as the use of model contracts either as a basis for derogation from 'adequacy' or as part of a package to satisfy the adequacy test. Work is taking place to build bridges between those with formal law and others relying on self-regulation. In Ottawa last October OECD ministers reaffirmed the 1980 Guidelines and if practical privacy protection can be secured globally, transborder data-flow control is of much less concern.     

Global Privacy Concerns and Regulation-- Is the United States a World Apart?

The regulatory approach to privacy protection taken by many foreign jurisdictions is markedly different from that of the United States. The European Union (EU) best illustrates the international approach with its comprehensive privacy directive that applies to all EU members. By contrast, the approach regarding data privacy in the United States has been to pass industry-specific laws and often only in response to public outcry over some privacy concern. These fundamental differences have been the source of some conflict in international commercial transacting. Now that the global community is committed to eliminating terrorism, it remains to be seen if these different attitudes toward privacy by the United States and much of the rest of the world will affect global attempts to weed out terrorists. This article discusses the constitutional basis for most US policy approaches to privacy regulation. The article explains how the US constitution is the source for most of the differences between the US and international regulatory approaches to information privacy. Finally, the discussion addresses how new issues regarding privacy in the war on terrorism may be addressed by US Constitutional law.     

Privacy and personal data protection in China: An update for the year end 2009

This paper explores developments in privacy and data protection regulation in China. It argues that, since China is an emerging global economic power, the combination of domestic social economic development, international trade and economic exchange will encourage China to observe international standards of privacy and personal data protection in its future regulatory response.     

Human-centric data protection laws and policies: A lesson from Japan

This article examines the human dignity defined in Convention 108+ and, from a Japanese perspective, explores the possibility of a universal philosophy of data protection.The recent human resources scandal (the Rikunabi case) in Japan has made stakeholders to realise the importance of the basic philosophy of data protection. Convention 108+ declared ‘human dignity’ to prohibit an instrumental treatment of individuals in processing personal data, and thereby, in a positive sense, place the human in the centre of data processing cycle. Although there is no concept equivalent to ‘human dignity’ under the Japanese data protection laws, due to social norms in Japan, the human-centric approach is supported by recent Artificial Intelligence (AI) guidelines in Japan.The basic idea of the relationship between humans and machines is universal, even if the laws are local, in bridging the different legal regimes. The promise of Convention 108+ seems to take the processing of massive volumes of personal data, sorting out the individuals, and standardising the personality as its specific targets, and the defence of digital humanity as its noble ideal. In this sense, Convention 108+ has a universal value with its human dignity.     

Moving Children through Private International Law: Institutions and the Enactment of Ethics

This article examines how the Hague Convention on the Protection of Children and Co‐operation in Respect of Intercountry Adoption (Hague Adoption Convention) plays a central role in justifying the institution of legal adoption. The Hague Adoption Convention has often been regarded as a response to the challenges that the “global situation” brings to adoption practice. Based on private international law, the agreement contains protocols and norms to ensure the protection of the child in intercountry adoption. In the article, I propose that the Hague Convention can be understood as a “transparency device”; a complex assemblage working in pursuit of global “good governance.” The device, however, also operates as justification within the institutional domain, allowing adoption agencies to make distinctions between legitimate and illegitimate adoptions. Idemonstrate how the logic of transparency disguises as much as it promises to reveal. While the doctrine's aim is to validate adoptability and combat trafficking, it also helps to mainstream Euro‐American adoption knowledge to other parts of the world.     

Singapore's Personal Data Protection legislation: Business perspectives

As global digitalisation of information and interconnecting technologies along with new marketing practices and business processes vastly increase the opportunities for data collection, storage, usage and delivery, there is a corresponding increase in consumer expectations of data privacy. These expectations must be met if business organisations are to promote consumer trust and confidence and maintain their overall competitiveness in a global market. It goes without saying that information is the most valuable business asset and “privacy is good business and information can be the basis of bigger business”. The need to protect data privacy has long been recognised and implemented by major trading nations. Surprisingly, Singapore as a financial centre and nation aspiring to be a trusted data hosting hub has been slow in enacting specific data protection laws. The first piece of legislation that has emerged is a light-touch baseline framework applicable to all organisations except the public sector. This article considers the new legislation from the business perspective and the implications for private sector business organisations facing the challenges of compliance.     

International Refugee Protection Challenges and Opportunities

The new Millennium heralded a promise of change. For refugeesand other displaced persons, the start of the new Millenniumwas mixed; not much changed on the ground, but the fiftiethanniversary of the 1951 Convention brought Declaration of Statesparties reaffirming their commitments and the Agenda for Protection.Five years on, has the reaffirmation of States' commitment tothe international protection regime, and their endorsement ofthe Agenda for Protection, made a difference to refugees? Havewords been matched with actions to ensure access to asylum forthose who need it and a greater sharing of international responsibilityin this regard? This article looks at the major refugee protectionchallenges that confront us at the beginning of the 21^st centuryon both sides of the development divide. It also addresses whymany of these problems have developed and examines some of theemerging opportunities, which, if seized in good faith, couldprovide more robust protection for refugees, while respondingto the security, sovereignty and economic concerns of States.     

The work of revision of the Council of Europe Convention 108 for the protection of individuals as regards the automatic processing of personal data

Thirty years after the Convention 108 for the protection of individuals as regards the automatic processing of personal data was adopted, the Council of Europe launched a process of modernising this text in order to adapt it to the substantive technological revolutions that have occurred since its birth in 1981. After two years of work, the Committee of the Convention 108 (T-PD Committee) has adopted the proposal of a revised version of both the Convention 108 and its additional Protocol. This paper presents the main propositions of changes brought by the modernisation work. Major changes have been brought to certain definitions and to the scope of the Convention as well as to the basic principles and to the special regime for sensitive data. Important new rights have been added to the list of guarantees offered to data subjects. New duties appear now in the text. And the transborder data flow regime has been entirely rewritten.