Globalization and borderless electronic communication has brought huge benefits to individuals. At the same time, the increased exploitation of personal data by the private sector and reported intelligence gathering of personal data via the Internet have caused widespread international concern. The recent appointment by the UN Human Rights Council of a Special Rapporteur on the right to privacy in the summer of 2015, and the adoption on 18 December 2013 by the UN General Assembly of a resolution on “the right to privacy in the digital age”, demonstrate the growing international interest in data protection rights.
There is a growing need for legal rules protecting the processing of personally-identifiable data, known as data protection, to be anchored more firmly in public international law. The increasing number of regulatory conflicts caused by differing national and regional conceptions of data protection, as illustrated by the judgment of 6 October 2015 of the Court of Justice of the European Union in Maximillian Schrems, should be a wake-up call to the international community in this regard.
Indeed, data protection at the international level remains fragmented and weak, creating risks for individuals and problems for international organizations (such as UN entities and international humanitarian organizations), many of which process large amounts of personal data.
Issues under public international law
Data protection law subjects the processing of personal data to defined legal rules, in order to protect the rights of individuals and the interests of society. It is closely related to the right to privacy and intersects with it in many ways, but has its own identity. For example, some data covered by data protection law may not by themselves be particularly “private”, but when combined may serve to identify an individual, with a resultant impact on his or her privacy, family life, freedom of expression, and other important interests.
Data protection law is rooted in international human rights instruments such as the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR) that protect the right to private life, family life, the home, and correspondence. In particular, the ICCPR has been interpreted by the UN Human Rights Commission (General Comment 16) to include certain data protection guarantees. The only UN instrument dealing specifically with data protection is the set of non-binding UN Guidelines for the regulation of computerized personal data files, dating from 1990. The international treaty in this field with the most States Parties is Council of Europe Convention 108, while a number of other international organizations (such as APEC, the OECD, ECOWAS, and the Organisation of American States) have adopted data protection instruments, most of which are non-binding
Over 100 countries have now enacted data protection laws, many of which have been influenced by EU Directive 95/46. EU law also includes the right to data protection at the constitutional level (for example, in the EU Charter of Fundamental Rights), and the European Court of Human Rights has construed Article 8 of the European Convention on Human Rights to include data protection.
Despite all this, the status of data protection in public international law remains uncertain because of a number of factors:
–International human rights treaties like the ICCPR do not specifically mention data protection, and their provisions on the protection of private life are formulated so broadly that they do not provide much guidance in determining the details of data protection rights.
–Most of the other international instruments that deal specifically with data protection are either regional rather than global or are not legally binding.
–Differences in cultural and legal perceptions of privacy means there is a lack of international consensus about basic questions, such as the distinction between privacy (i.e., protection of an individual’s personal sphere) and data protection (i.e., restrictions on processing data relating to an identifiable individual), and the purposes and ultimate aims of data protection (e.g., ensuring fairness in data processing, control or informational self-determination, protecting the liberty of the individual, rectifying power imbalances in data processing, etc.).
–There is considerable fragmentation concerning data protection in national and regional legal systems. This can be seen, for example, in the distinction between the fundamental rights approach in EU law and the consumer protection approach in the United States. Besides, few countries agree with the US position that international law does not prohibit unauthorized “passive intelligence gathering activity” of copying data as long as such activity does not involves commercial or industrial espionage or the destruction or manipulation of data.
The fragmented international legal framework for data protection led the UN International Law Commission to conclude in 2006 that “the international binding and non-binding instruments, as well as the national legislation adopted by States, and judicial decisions reveal a number of core principles” of data protection, but that it is an area “in which State practice is not yet extensive or fully developed”.
The current situation is unsatisfactory, since it fails to present a clear normative basis for the recognition of data protection at an international level
Avenues for future international development of data protection law
Greater recognition of data protection in international law presents challenges to define how such a right arises and what its content is. The fact that in many legal systems there is no clear differentiation between data protection and privacy will make it difficult to reach an internationally-accepted definition of data protection as a distinct right. Another problem relates to the politicization of data protection law. As scholars such as Koskenniemi and Raz have argued, human rights are reflections of the moral or political views of their proponents, and data protection is an area where legal language is often used to clothe what are in essence political arguments.
Two main options present themselves for further development of data protection law at the international level. The first would be to draft an international agreement dealing with data protection. This would have the advantage of providing a clear and uniform legal framework. However, a number of important issues make this unlikely or infeasible in the new future. No international organization currently seems to have the combination of global scope, mandate to produce international treaties, and expertise in data protection law that would be needed. Experience has shown that legal harmonization initiatives are difficult enough even in technical areas of the law, and that they can be much more so in areas where there are profound cultural differences between states. A treaty-based solution is unlikely by itself to provide an adequate way forward given the fast-moving nature of data protection law.
However, the negotiation of an international treaty could still bring benefits in terms of states discussing and learning more about the differences between their approaches to data protection. This suggests that states and international organizations should begin to investigate the options for such a treaty, even if its conclusion is a long way off.
The second option would be to regard data protection as an area of fragmentation in international law where “no homogenous, hierarchical meta-system is realistically available”, to use the terminology of the 2006 report of the International Law Commission on fragmentation of international law (p. 249). This would allow different approaches to data protection to develop naturally, with international cooperation producing interfaces that allow them to gradually grow closer together over time. For example, using the experience of UNCITRAL, an international model law on data protection could be adopted that states could implement voluntarily at a national level, and which would provide a common internationalized starting point for national and regional legislation.
The work of international bodies and institutions in adopting their own internal data protection policies could play a key role by providing a valuable body of experience as to how international rules on data protection can operate in practice. In May 2015 the Office of the UN High Commissioner for Refugees issued its own data protection policy, and other international organizations are currently working on similar policies, which could provide a vehicle for the progressive development of data protection law at the international level.
Work is needed to anchor data protection more firmly in public international law. The globalization of society and the pervasiveness of electronic communications make it imperative that data protection rights be applicable and enforceable at an international level.
Conclusion of a binding international treaty would face uncertain prospects, given the cultural differences and the lack of an international body with expertise in data protection to coordinate the work. The fragmentation of the law makes it more feasible to examine ways of allowing existing data protection regimes to interact and grow together over time.
States and international organizations should thus work on dual tracks by both beginning discussions on an international legal framework for data protection, while at the same time finding ways for existing frameworks to co-exist and interact.