Data protection across the world
Perspectives from Argentina, Chile and India
Privacy International is celebrating Data Privacy Week, where we’ll be talking about privacy and issues related to control, data protection, surveillance and identity. Join the conversation on Twitter using #dataprivacyweek.
In almost three decades of interventions across the world, and more recently through its International Network, Privacy International has observed the discrepancies and shortcomings of data protection. There are countries where privacy safeguards are encoded in law and data protection frameworks are in place, but these are not necessarily enforced. Then there are countries where there is no legal regime to protect the right to privacy or to uphold data protection principles.
In the research and policy engagement of the organisations within our International Network, it has been interesting to observe the diverse yet similar dynamics, challenges and opportunities faced by those who are trying to raise issues of data protection in their respective countries.
Today, we have the pleasure to interview Vladimir Garay from Derechos Digitales in Chile, Amber Sinha from the Centre for Internet and Society in India, and Eduardo Ferreyra from the Asociación por los Derechos Civiles in Argentina to discuss the work they have been doing on this issue.
Background on data protection
First of all, can you tell us about the general state of data protection in your country?
Vladimir: Chile has had an omnibus law since 1999 but no Data Protection Authority (DPA). There are clear general principles but a lack of specific rules to make them enforceable in the use of current technology, and very few possible sanctions with costly and unfriendly procedures that make it difficult to enforce the protections. An amendment was introduced in Congress in 2017 that updates regulations, creates a DPA and introduces higher fines and other sanctions.
Amber: So far there has been no comprehensive data protection law in India. We have had some limited sectoral confidentiality and data security laws. While there are some sectoral regulators and bodies who govern limited aspects of data protection, there is no DPA. The Ministry of Electronics and Information Technology is currently carrying out public consultations to frame principles that will inform the data protection law.
Eduardo: We have had a comprehensive data protection law in Argentina since 2000. In general terms, the law has good provisions but the DPA used to be very weak and dependent on the Executive. So, it often lacked the legal powers or resources -both financial and human- to enforce the law. In last November the DPA started to work under the newly created Access to Public Information Agency, which is an autonomous body. We are yet to see if this new scenario will improve the enforcement of the law. Also, in May the DPA published a draft bill to update the current data protection law but it hasn’t been submitted to Congress yet.
Drafting a data protection law
While there are 126 countries that have data protection laws, India is not one of them. In 2017, the government took initial steps to initiate the drafting of such a law. Why do you think it has taken them so long to do this?
Amber: For some years now, there has been a recognised need for a strong data protection law in India, both in civil society and in industry. We have also had a few different bills drafted by private members of the Parliament as well as the previous government. However, none of these efforts have had sufficient political support to lead to framing of a law. With significant concerns being raised about data collection practices by both the government and industry, the issues have now finally garnered significant attention and support.
Based on your research, what immediate improvements do you think will happen if India adopts a robust data protection framework?
Amber: We see the emergence of a data driven economy, as well as the use of data in governance. In order to effectively do both, without causing considerable harm to individual privacy, a strong data protection law is needed. A robust law will also enable cross border data flows with other economies and enhance the capacity of local industry to provide data processing services globally. However, it is important to recognise a good law is only the first step. We also need a powerful regulator, market incentives to get commitment from industry, mechanisms to facilitate the active involvement of data subjects and privacy-enhancing technologies.
Reforming data protection laws
Your research clearly illustrates the need to reform the current legal frameworks around data protection. What led you to this conclusion?
Vladimir: What we found was a long history of positive attempts of reform that were mostly deflated or defeated in Congress, and a few bills still ongoing at the time of publishing. We have a 1999 law with a few patches here and there that today does not provide enough substantive regulation or meaningful mechanisms to enforce the existing rules. Last year, a new bill was introduced, but with the political change of the last election it is unclear if it will be passed in the near future.
Eduardo: We found that if you don’t have a strong and independent data protection authority, no matter how good the law is, it will be useless. Also, we learned that we have to be careful when establishing exceptions to the general rules. Like I said above, we have good data protection provisions but most of them don’t apply to the state. This directly undermines the goal of providing a general protection for citizens. These are concerns we raised in the public consultation prior to the publication of the final draft bill proposed by the Argentinian Data Protection Authority.
Why do you think it has taken so long for a reform process to begin?
Vladimir: There have been expert voices in and out of government for decades. But we found that political will was often on the side of protecting and enhancing “the economy” (aka business interests), considering that stronger protections will be harmful for the competitiveness of local companies or the attractiveness of the country to foreign investors. This is very well reflected in the attempts to introduce very questionable rules like an “opt-out” system for spam marketing. Surprisingly enough, while the most recent attempt at reform started openly and transparently, the discussion was later closed off by the government for a couple of years before being re-introduced in Congress.
Amber: I would say that one of the main challenges is the limited attention that data protection issues receive compared to other issues considered more urgent or pressing by the general public and policy-makers. While specialised institutions — like the Data Protection Authority — do possess expertise, when it comes to initiating debate in Congress, the decision to call for reform is in the hand of other authorities, which lack the necessary knowledge or do not have the will to address this issue, because their priorities are elsewhere.
What next for data protection?
Vladimir and Eduardo, can you tell us about the upcoming challenges and opportunities for your work?
Vladimir: There are key issues that are poorly addressed by statute in Chile and in the region, and not necessarily as “data protection” topics, but well within the lines of security and human rights in general. For instance, the protection of anonymity and encryption, proper safeguards against discrimination by algorithms, or democratic controls over the procurement of surveillance technology. At the same time some opportunities are good: a new cybersecurity policy is currently in its early stages of implementation, and we have yet to see if a new data protection law will become a reality within the next couple of years.
Eduardo: We’ll be alert to see if the draft bill is finally submitted to Congress. If that happens, we would like to participate in the debate. Also, there are new challenges in issues like algorithmic decision-making or the use of personal data for political campaigns that may represent a great opportunity to support our engagement to call for stronger privacy safeguards.
Amber, now that the gears are in motion in India, what do you think will be the main hurdles you’ll face?
Amber: Data protection is a complicated subject of regulation with a full spectrum of measures required for effective enforcement. For a country the size and scale of India, there is the additional issue of drafting a law that will have to work well across different contexts. Some key issues of contention will be how to effectively enforce a notice and consent regime, what kind of positive obligations on data controllers are required to aid informed consent, and how to build effective enforcement mechanisms. It will be important to strike a delicate balance between a bottom-up approach involving industry stakeholders, and effective accountability and enforcement.
To find out more about data protection across the world, we invite you to refer to State of Privacy, a joint research collaboration of the Privacy International Network.
