Data Protection and Security Law: Sociolegal Issues

Get Complete Project Material File(s) Now! »

CHAPTER THREE: DATA PROTECTION AND SECURITY LAW: INTERNATIONAL LEGAL STANDARDS

Instead of a model act or international privacy regulation, the solution will most likely involve a multifaceted approach that will include both international oversight checked by local governance and changes in social institutions. It cannot be a comprehensive initiative, nor can it be left totally to each municipality or state to decide. It will have to have a broad international framework within which local flexibility is allowed and encouraged. Dan Bustillos1

Overview

As SA develops and other nations evaluate and update DPSIP laws and regulations, an understanding of historic and current international standards provides essential facts and insights. Much of the current flow of information is international. This chapter examines a number of ancient legal documents that address DPSIP-related issues. Modern international treaties2 are analyzed. The various European Declarations, the Asia-Pacific Economic Cooperation (APEC) Privacy Charter, and relevant African privacy declarations are explored. Selected national and non-governmental organizations’ privacy standards are studied. A critique of International DPSIP legal standards is provided. The international literature and issues are summarized and reviewed.
Dan Bustillos, Privacy and Consent Concerns in International Genetic Databanks. (2005), at http://www.law.uh.edu/healthlaw/perspectives/August2005/(DB)GeneticDatabanks.pdf (last visited on 7 September 2012), at 3.
Also termed accord; conventions, covenants, declarations, pact, or guidelines. See Bryan A. Garner, Black’s Law Dictionary (Bryan A. Garner ed., West Group 17 ed. 1990), at 1507. Also termed agreement, mutual understanding, promise, protocol, and stipulation. See William C. Burton, Legal Thesaurus (Maxwell Macmillan 2nd ed. 1992), at 966.

Background

A number of historic codes of behavior and laws present insights into modern DPSIP issues. Some were formal legal codes. Others were international treaties that bound the signatories to accept the principles as a matter of law. A third set was an organizational or national declaration on the proper protection of private information. An understanding of those areas of consensus is an important background to comparing AU, CA, SA, UK, and US DPSIP standards. Principles and concepts that have particular relevance to DPSIP issues are highlighted in bold face font in the discussion below.

 Ancient Codes

The Code of Hammurabi establishes a principle for privacy and data protection law responsibilities. Section 53 declared: “If any one be too lazy to keep his dam in proper condition, and does not so keep it; if then the dam break and all the fields be flooded, then shall he in whose dam the break occurred be sold for money, and the money shall replace the corn which he has caused to be ruined.”3 The Code presents a doctrine of responsibility that should apply to businesses and governments that collect and hold personal data because like agricultural land, personal data is an asset and commodity that has value that can be distributed. Such data is personal property that can be misused or stolen.
Section 125 of the Code of Hammurabi establishes the principle of liability for lost property, even personal property, entrusted to another.
If any one place his property with another for safe keeping, and there, either through thieves or robbers, his property and the property of the other man be lost, the owner of the house, through whose neglect the loss took place, shall compensate the owner for all that was given to him in charge.4
Data subjects have a reasonable expectation that data controllers will protect their property.
The classic Hippocratic Oath, which has historically been taken by physicians, specifically refers to privacy and data protection concepts. “What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.”5
While the oath was and is sworn by physicians, the principle of confidentiality applies to many business and governmental DPSIP activities. The concept is also the basis for trade secret laws.
The maxim of the Code of Justinian, established in the Roman Empire during the 6th century A.D. is to “live honestly, to hurt no one, to give every one his due.”6 This code also addresses the issue of ownership of property. Part 1, Divisions of Things, declares: “But things sold and delivered are not acquired by the buyer until he has paid the seller the price, or satisfied him in some way or other, as by procuring some one to be security, or by giving a pledge.”7 The Justinian code shows that possession of another’s data does not constitute ownership. Any transfer of ownership must be clear and involve compensation.
Code declares the following: “But he who has received a thing lent for his use, is indeed bound to employ his utmost diligence in keeping and preserving it; nor will it suffice that he should take the same care of it, which he was accustomed to take of his own property.”8
Book IV, entitled Obligations Arising from Delicta (acts that fall short of some approved standard of conduct), addresses the holder’s misuse of property and recognizes that the owner of property has the power to determine its use. The Section reads: “It is theft, not only when anyone takes away a thing belonging to another, in order to appropriate it, but generally when anyone deals with the property of another contrary to the wishes of its owner.”9 Personal data is often appropriated and misused without informed consent.
These ancient codes no longer have legal power except as persuasive authority. However, the principles noted in the codes do relate to some current DPSIP legal issues of ownership and data collectors’ responsibilities.

Modern International Treaties

Additional persuasive authority and some binding legal authority can be found in modern international treaties and declarations that address civil and human rights related to DPSIP legal responses. Signatories are bound to comply with the documents, and the treaties set a general standard for businesses and governments.

The Universal Declaration of Human Rights

The Universal Declaration of Human Rights10 declares a number of DPSIP related principles. The declaration is the cornerstone of all modern privacy protections. Article 12 of the declaration makes the following proclamation:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Moreover, Article 12 makes two relevant proclamations:
“Everyone has the right to own property alone as well as in association with others.”
“No one shall be arbitrarily deprived of his property.”
The Declaration is not a legally binding treaty but originally was a General Assembly resolution. Over time, however, the declaration reached the status of international customary legal standards binding on all member states. While the declaration clearly establishes privacy and related property rights as a human right, seeking redress is difficult if not impossible.

READ  Legal accountability fora and their mechanisms

American Declaration of the Rights and Duties of Man

The Organization of American States (OAS) is one of a number of regional alliances the US helped to form after the Second World War. In 1948, the OAS passed the American Declaration of the Rights and Duties of Man. Article 5 declares that, “Every person has the right to the protection of the law against abusive attacks upon his honor, his reputation, and his private and family life.” Article 9 declares, “Every person has the right to the inviolability of his home.” Article 10 declares, “Every person has the right to the inviolability and transmission of his correspondence.”11 The Declaration recognizes a privacy right, including the right to have boundaries and privacy in one’s correspondence. The right to privacy in one’s correspondence, family, and home life is echoed in a number of other declarations as noted below and is the basis for the right to data protection, data security, and information privacy.
Article 11 of the American Convention on Human Rights addresses the Right to Privacy. The article makes the following declarations:
Everyone has the right to have his honor respected and his dignity recognized.
No one may be the object of arbitrary or abusive interference with his private life, his family, his home, or his correspondence, or of unlawful attacks on his honor or reputation.
Everyone has the right to the protection of the law against such interference or attacks.12
The Convention permits cases only when there are state parties. If two states are involved, both must agree to the same jurisdiction. Despite its role in creating the organization, the US never ratified the agreement.
In May of 1948, the newly organized Organization of American States (OAS) established the declaration of rights and duties of man. In 1979, the OAS agreement created the Inter-American Court of Human Rights and the Inter-American Commission on Human Rights. The Inter-American Court of Human Rights ruled that the Declaration “defines the human rights referred to in the Charter…and is a source of international obligations related to the Charter of the Organization.”13 The Court determined that the declaration is a source on international obligation. However, the decisions of the Court are not legally binding.

 European Convention of Human Rights and Fundamental Freedoms

The European Convention of Human Rights and Fundamental Freedoms also addresses the issue of privacy and data protection. Article 8, Section 1, Right to respect for private and family life declares, “Everyone has the right to respect for his private and family life, his home and his correspondence.” Section 2 provided a number of exemptions, some of which need mentioning:
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.14
The European Court of Human Rights enforces the convention. The Court can evaluate individual and inter-state disputes. The decisions are only binding on state parties. The Convention not only provides for a government obligation to respect the right to abstain from intervention but also a positive obligation to protect the rights.

 International Covenant on Civil and Political Rights

Part Three, Article 17, Section 1 of the International Covenant on Civil and Political Rights15 declares that, “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation.” Section 2 states that, “Everyone has the right to the protection of the law against such interference or attacks.” The major flaw of the covenant is that individuals have no clear legal mechanism to enforce privacy rights.
The US ratified the Covenant as a matter of international law. However, the Senate declared that Articles 1 to 26 of the Covenant are not self-executing; thus, the ratification “will not create a private cause of action [in] the US Courts.”16 Supreme Court Justice Sandra Day O’Connor rejected this view. She argues that the Supremacy Clause of the US Constitution gives legal force to treaties and thus full compliance for the Covenant.17
Australia also signed the Covenant, but it does not automatically become national law without enabling domestic legislation.18 The Covenant does have indirect influence in statutory interpretations and common law development.19

Chapter One: Data Protection and Security Law: The Problem
Chapter Two: Data Protection and Security Law: Sociolegal Issues
Chapter Three: Data Protection and Security Law: International Legal Standards
Chapter Four: Data Protection and Security Law: Australian Legal Standards
Chapter Five: Data Protection and Security Law: Canadian Legal Standards
Chapter Six: Data Protection and Security Law: South African Legal Standards
Chapter Seven: Data Protection and Security Law: United Kingdom Legal Standards
Chapter Eight: Data Protection and Security Law: United States of America Legal Standards
Chapter Nine: Data Protection and Security Law: Comparative Evaluation
Chapter Ten: Data Protection and Security Law: Gold Standard Proposal
Appendix 
Bibliography
GET THE COMPLETE PROJECT

Related Posts