The European Union: the Right of Privacy - Dissertation Example

 The European Union: the Right of Privacy Introduction Many technological changes characterize the 21st century, especially in the field of telecommunication and information technology in general. These technological changes have resulted in numerous and controversial privacy issues (Agre & Rotenberg, 1998). These controversies have culminated in questions being asked on the countries and regional unions that have enacted laws, which provide for the best privacy protection (Hasty, Nagel & Subjally, 2008). Evidently, some countries or partner states offer better privacy and protection for personal data than others (Morozov, 2013). The European Union is quite ahead of other regions in passing overarching and comprehensive privacy regulations. Consequent to this huge volume of data circulating through video cameras, smart phones and social websites such as Facebook, Tweeter and Google+, the issue of optimal privacy has become contentious. According to Irwin Altman, privacy is a dynamic and dialectic issue in which an individual has the right to regulate access to self by others (Tavani, 2007). That is, an individual has the right to seek and avoid interactions with others, a right that should be respected (Warren & Brandeis, 1890). According to Irwin Altman, private data should be regulated with the main objective of realizing optimum privacy (Margulis, 2003). Optimum privacy relates an individual’s perception of the best form and level of social interaction, closeness or openness. Therefore, in their regulation of privacy, governments should ensure that citizens achieve the practical privacy that is as close to the desired privacy as possible (Pearce & Platten, 1998). The EU directive on data privacy was passed in 1995 by the 27 member states. This directive restricts the collection, sharing, storage and usage of personal data and information from the public. The directive especially focuses on data that can exclusively identify a person. This data could be image or address of an individual. Compared to the privacy laws in the US and other countries, which are rather pieced-together, the EU directive is a bit different regarding its tough standards and enforcement or penalty policies (Hofstede, 1997). Other countries and regions such as the US and China are trying to catch up with the EU privacy laws and regulations. To make its directives more optimal in protecting privacy, the EU is considering enacting stricter personal privacy directives or measures (Baumer et al., 2004). A new and quite controversial measure proposed is the right to be forgotten, which requires that an individual’s past data be erased from the internet to avoid future processing or storage (Rosen, 2012). This contentious directive has been fervently opposed by big corporations such as US companies in the Silicon Valley (Morozov, 2013). EU-US Cooperation on Data Protection With threats to security increasingly becoming transnational, the EU and its agencies have formed agreements and cooperation with countries such as the USA (Bennett & Raab, 1997). These agreements are intended to achieve greater prevention, detection, investigation and suppression of data-related crimes. The agreements also permit data-sharing for purposes of justice, freedom, and security. The first directive to be operational in the EU area was the Directive 95/46/EC2 (Bergkamp, 2002). This directive set data protection standards within the EU legal order. In fact, this instrument is still being used as a benchmark since it is quite exhaustive in the regulation of the use, sharing and storage of personal data (Bergkamp, 2002). This paper discusses the extent to which the cooperation between the EU and the USA and their agencies affect the data protection standards and practices in China. The EU versus other Regions The EU privacy directives are based on the principle of transparency with which member countries must abide. The other principles of the EU privacy laws are adequate data security and individual consent in data collection, usage and storage. Within the EU, different members have their own mechanisms and agencies to enforce privacy laws. However, the EU itself has an agency to enforce its privacy directives and laws. Across the EU, violators of the privacy directive are punished by hefty fines for crimes such as illegal transfer of data, which violates consumer rights (Bellman et al., 2004). Asian states such as China, Singapore, and South Korea are also trying to catch up with the EU in data privacy regulations, the region still lags behind in the passing private data laws and regulations. Thus, in Asia, the data protection laws are not enforced as effectively as it is done in the EU. The EU’s clout and cooperation in privacy protection with other powers such as the United States has played quite an important role in driving privacy policies and rules in other regions and countries (Milberg et al., 1995). Following the EU's and USA’s global crackdown on the illegal and commercial use of personal information, other states such as China has also issued a number of draft guidelines on data protection (Clinton & Gore, 1997). However, China’s approach to data protection differs dramatically from the EU’s approach. Because of the social, economic and political differences, different countries need different measures to create a favourable environment for their businesspersons (Posner, 1981). Data Protection in China In China, the Personal Information Protection Law was proposed and drafted in 2003. However, this draft failed to succeed, resulting in regional experimentation and arbitrary rulings from ministries (Linchuan, 2004). Consequent to these rulings, businesses and consumers in China remained largely confused for quite some time. Luckily, in January 2011, the Chinese Ministry of Industry and Information Technology made and issued draft rules on data protection (Linchuan, 2004). These rules’ purpose was to restrict the organisations’ ability to transport personal data without informed and prior consent from the concerned individuals (Milberg et al., 2000). The data protection discrepancy between the EU and China is mainly contributed by the social and political settings in China. For instance, in China, government officials have the powers to manipulate data protection regulations to citizens based on their social, economic, and political statuses. Because of conflict of interest, government officials also apply data protection rules selectively to achieve their political and economic objectives. In addition, in China, there is restriction on Facebook and You Tube access. In fact, China ranks highest among governments that censor and monitor their citizens’ internet usage and access. As a communist state, the data privacy laws in China are sparse with the constitution only indirectly referring to privacy. Although its constitution seems to provide for data privacy at home and for purposes of correspondence, China lacks sufficient and comprehensive legal system to provide for data privacy. The data protection and privacy rules in China not only define personal information or data as information that identifies a person, on its own but also in combination with other forms of data such as names and passwords, usernames, or login (Linchuan, 2004). A notable weakness of China's data privacy regulations is their arbitrarily and/or selective enforcement. In fact, cases are reported in which China’s information-processing firms are moving to Hong Kong, where they feel the enactment and enforcement are not exceedingly arbitrary or selective but more relaxed and predictable (Linchuan, 2004). It has been rather difficult to build one European data-protection regime because harmonising interests across the globe cannot be achieved easily. It is not only hard to align it with the US data protection regimes but also quite a task to deal with the bureaucracy of the Indian systems and the Chinese mandarins, which have the sole goal of protecting the interests and the data of their citizens (Huie, Laribee & Hogan, 2002). Data geopolitics thus hampers the close and integrated functioning of data protection laws and regulations across the UE, the USA and China (Linchuan, 2004). The data protection approach used in the EU-USA agreements does not exist in China. In addition, China is not a member of any treaty between EU and the USA such as the EU-US safe harbour framework (Long & Quek, 2002). China also does not have any legislation to specifically deal with personal data collection, storage, transmission, and operation. However, the Civil Code and Tort Liability Law provide legal recourse for infringement of rights to privacy (Grobowski, 2013). China has a few provisions for data protection in its laws and regulations. Generally, these provisions deal with the issue of the protection of personal information by the regulation of the telecommunication sector (Grobowski, 2013). The provisions also target and regulate certain information of a specific nature such as individual citizens’ financial credit information, consumer information, population health information and medical records (Grobowski, 2013). The Peoples Republic of China’s laws that have provisions for personal data protection are the PRC Constitution, the Decision of the Standing Committee of the National People's Congress on Strengthening the Network Information and the Protection (NPC Decision) (Grobowski, 2013). Other data protection provisions are found in several sectoral laws, including the Decision of the Standing Committee of the National People's Congress on Revising the Consumer Rights, the Protection Law of the People's Republic of China (Consumer Rights Law) and the Regulation on Personal Information Protection of Telecom and Internet Users (MIIT Regulation). Other sectoral data protection-related laws are Administrative Measures for Online Transactions, Medical Records Administration Measures of Medical Institutions and Measures for Administration of Population Health Information (PHI Measures). The PRC’s data protection laws target different sectors, depending on the nature of the personal information (Practical Law, 2014). Evidently, in China, different laws and regulations target different types of personal information. For an illustration, the NPC Decision regulates the electronic information often used to identify individual citizens and electronic information on the privacy of citizens (Practical Law, 2014). Similar to the EU and the USA cases, PRC’s laws and regulations define personal information as any data or information that is capable of being used to identify the user. This data include name, date of birth, identification number, address, telephone number, account numbers and passwords (Linchuan, 2004). Notably, some of this data require to be used in combination or singly to identify an individual. Private data also refers to data that can identify the location of a person, especially people using telecommunication services (Practical Law, 2014). PRC has also covered some ground in protecting its population’s health information (Practical Law, 2014). In spite of the ideological, economic, social and political differences, the EU-USA agreements and cooperation on data protection have encouraged the PRC to develop strong principles on which its data protection laws and regulations are enforced (Linchuan, 2004). These rules and principles are geared towards the attainment of data protection obligations. First, the implementing agencies and individual citizens must endeavour to adhere to the principles of legality, fairness and necessity in the collection and use of personal information. Second, enforcers should specify and comply with the set policies regarding the purpose, method and scope of the collection and usage of personal information (Lancelot & Peyrat-Guillard, 2014). Collectors and users of personal data must be based on a legally obtained consent from the individuals targeted. Users of data must also desist from collecting and using personal information in a way that breaks the laws or regulations on data protection as well as any prior agreements mad with the target individual (Lancelot & Peyrat-Guillard, 2014). Users and collectors of personal data should also keep them confidential, without disclosure or sale to other entities. The PRC has special rules for personal data relating to medical records, population health information, personal information collected by commercial banks and personal credit information. Moreover, several rights are provided for individuals from who personal data is collected (Etzioni, 2006). AS provided for in the MIIT Regulation, internet service providers and telecom business operators are required to provide certain information when collection personal information from the public. This information includes the purpose, method and scope of information to be collected and used, the methods or tool of collection and the consequences, if any, of refusing to provide the sought information (Lancelot & Peyrat-Guillard, 2014). For increased safety and protection of individual rights, the PRC’s data protection laws and regulations listed earlier have several security requirements for collection and use of personal data, especially by internet service providers and telecom businesses (Lancelot & Peyrat-Guillard, 2014). These security requirements are contained in the MIIT Regulation. The MIIT Regulation demands that telecom and internet providers specify the responsibilities of each its individual employee or department involved in the collection and management of personal information security (EDRM, 2014). Second, the MIIT Regulation requires that these organisations create work processes and security management systems for use in the collection and use of personal information (Wessing, 2014). These work processes and systems should be effective in the management of staff members and agents. There should also be processes and systems to review the export, duplication and destruction of personal data and information, in the process taking the necessary measures to prevent confidential information from leaking to unauthorised persons (Lancelot & Peyrat-Guillard, 2014). The MIIT Regulation also requires business collection and using personal information from the citizens to safely keep the gadgets containing and recording users' personal information (Lancelot & Peyrat-Guillard, 2014). The New PRC Consumer Rights Law became effective on 15th March 2014. Its main objective is the address the privacy issues emanating from modern business practices. It has provisions to govern the collection, use and security of consumers’ personal information. The Decision of the National People’s Congress Standing Committee on Strengthening Internet Information Protection (the Decision) only focuses on the protection of electronic information. Thus, the inclusion of data privacy provision in the new Consumer Rights Law fills the legal void in the Decision. Through this inclusion, the consumer rights law has been integrated into data privacy laws and regulation in the PRC. The State Administration for Industry and Commerce also developed and released measures for the administration of online transactions. These measures are intended to strengthen the regulation of online transactions. Specifically, the measures seek to improve the protection of consumers’ interest and private data as well as control competition among businesses. In addition, the measures define the marketplace and service operations such as storage and courier services. The measures also define their obligations clearly, regarding the protecting intellectual property rights. However, the measures do not change the administrative powers, thus blocking the effective enforcement of against online market infringements. The PRC also has no regulations and laws that address international transfer of data. Nonetheless, there are provisions for the transfer of personal data of specific nature in the industrial regulations and rules (Etzioni, 2006). For instance it commercially banks are prohibited from processing personal information (Maisog & Wei, 2014). The EU-USA cooperation in personal data protection has also not hindered the PRC from enforcing its personal information protection laws and regulations. Although China has not national regulator with enforcement and sanction powers over its personal data protection regulations, it has agencies that function as national regulators (Etzioni, 2006). These agencies are the Ministry of Industry and Information Technology (MIIT), The National Health and Family Planning Commission (NHFPC), the State Post Bureau (SPB) and the State Administration for Industry and Commerce (SAIC). The main function of MIIT in this context is the regulation of the personal data collected and used in telecommunication and internet sectors. On the other hand, the National Health and Family Planning Commission (NHFPC) have a mandate to regulate medical records and population health information (China Law and Practice, 2014). The State Post Bureau (SPB) has sanction and enforcement powers in the regulation of all personal data collected and used in mailing and courier services (China Law and Practice, 2014). The State Administration for Industry and Commerce (SAIC) regulates consumer personal information. The sanction and enforcement powers of these agencies and ministries are limited and do not extend into sectors that have established specific authorities to oversee enforcement (China Law and Practice, 2014). Conclusion The PRC does not have a systematic approach to data protection regulation. However, China attempts to improve its data protection to align it with standards achieved elsewhere such as in the EU and the USA. Although unions such as the EU and the USA have introduced specific sanctions for data breach, the new developments across regions do not exceed the general principles contained in the old directives. The PRC, however, continue to put in place systems and regulations that will result in the creation and implementation of a substantive data protection framework within its borders. Despite current attempts to streamline PRC’s data protection are somehow similar to the EU data protection framework, the Chinese data protection regime has many China-specific features. A notable feature of the Chinese data protection regime is the apparent absence of a systematic approach and lack of national data protection law. Earlier attempts to enact such law, in the name of Personal Information Protection Law flopped in 2008. The general framework provided by the NPC is quite far from the standards set by the European Data Protection Directive. Consequent to this situation, China has a rather complicated data protection regime. There are different laws, regulations and agencies addressing data protection in the PRC. These laws, regulations and agencies have different objectives and areas of focus, resulting in conflicts of interests and ambiguities. The result is neglect of areas such as employee data protection, which is keenly regulated in the USA and the EU. While The EU and the USA have dedicated government agencies to enforce data protection laws, China lacks such an agency. In China’s case, the enforcement and sanction powers are spread across various ministries and agencies. For example, while the MIIT deals with technical issues, the SAIC is mainly concerned with consumer protection issues. The consequence of this system is inconsistency, conflicts and competition among the regulatory agencies. Eventually, the competency of data protection in the PRC is diluted. With the emergency and spread of new technological innovations that use huge volumes of personal data, the idea of privacy as a basic human right that should be protected has attracted quite divergent views (Posner, 1978). The divergent paradigms with which privacy is viewed have resulted in shifts in the geopolitics of personal data across the globe. The conflicts associated with the geopolitics of personal data currently plays out in the form of the new EU Draft Regulation on privacy protection. Some nations have refrained from working with the EU regarding this draft. The reason cited for the shunning of this EU draft include the perception that the regulation would be burdensome, cost jobs, trade, and investment and kill the internet advertising industry. The draft is also believed to have the effect of unreasonably extending the influence of the European law into other countries and regions and worsen the transatlantic divide between the protectionist and regulatory Europe and the more open and innovative United States. Because of these perceptions, it is quite unlikely that China, the EU and the USA may adopt a united privacy protection laws. Hence, there is expected to be an increased discrepancy in the data protection policies, laws and regulation among these countries because of lack of trust and ideological, political and socioeconomic differences. References Agre, P. E., and Rotenberg, M. (1998) Technology and privacy: the new landscape. MIT Press. Baumer, D.L. et al (2004) “Internet Privacy Law: A Comparison between the United States and the European Union.” Computers & Security, 23(5): 412. Bellman, S. et al (2004) “International Differences in Information Privacy Concerns: A Global Survey of Consumers.” The Information Society, 20(5): 50. Bennett, C., and Raab, C. (1997) “The Adequacy of Privacy: The European Union Data Protection Directive and the North American Response.” The Information Society, 13(3): 245. Bergkamp, L. (2002) “The Privacy Fallacy: Adverse Effects of Europe's Data Protection Policy in an Information-Driven Economy.” Computer Law & Security Report, 18(1): 47. China Law And Practice (2014) “Keeping Track Of The New Personal Data Protection Act. Retrieved on December 24, 2014 from http://www.chinalawandpractice.com/Article/2630020/Channel/9937/Keeping-track-of-the-new-Personal-Data-Protection-Act.html Clinton, W. J., and Gore, A. Jr., (1997) “A Framework for Global Electronic Commerce.” Retrieved on December 24. 2014 from http://www.technology.gov/digeconomy/framewrk.htm. Etzioni, A. (2006) “A Communitarian Approach: A Viewpoint on the Study of the Legal, Ethical and Policy Considerations Raised by DNA Tests and Databases.” The Journal of Law, Medicine & Ethics, 34(2): 221. Etzioni, A. (2007) Are New Technologies the enemy of privacy? Knowledge, Technology and Policy, 20(2), 119. Grobowski, J. V. (2013) “New Rules for Personal Data Protection in China.” Retrieved on December 24, 2014 from http://www.faegrebd.com/20322 Hasty, R., Nagel, T. W., and Subjally, M. (2008) Data protection law in the USA. (Advocates for International Development. Hofstede, G. (1997) Cultures and organizations: software of the mind. McGraw-Hill. Huie, M. C., Laribee, S. F., and Hogan, S. D. (2002) The right to privacy and person data: The EU prods the U.S. and controversy continues. Tulsa J. Comp. & Int'l L. Lancelot, C. M., & Peyrat-Guillard, D. (2014) “Cultural and Generational Influences on Privacy Concerns: A Qualitative Study in Seven European Countries.” European Journal of Information Systems, 23, 103125. Linchuan, J. Q. (2004) "China and the internet: technologies of freedom in a statist information society," In Manuel Castells (ed.) The Network Society: A global perspective. London: Edward Elgar Publishing Ltd. Long, W. and Quek, M. (2002) “Personal Data Privacy Protection in an Age of Globalization: The US-EU Safe Harbor Compromise.” Journal of European Public Policy, 9(3): 344. Margulis, S.T. (2003) “On the Status and Contribution of Westins and Altmans Theories of Privacy.” Journal of Social Issues, 59, 411-429. Milberg, S. J., Burke, S. J., and Smith, H. J (2000) “Information Privacy: Corporate Management and National Regulation.” Organization Science, 11(1): 57. Milberg, S. J., Burke, S. J., Smith, H. J. and Kallman, E. A. (1995) “Values, Personal Information Privacy, and Regulatory Approaches.” Communications of the ACM, 38(12): 74. Morozov, E. (2013) “The Real Privacy Problem.” MIT Technology Review Pearce, G. and Platten, N. (1998) “Achieving Personal Data Protection in the European Union.” Journal of Common Market Studies, 36: 529547. Posner, R. A. (1978) “The Right of Privacy: Sibley Lectures.” Retrieved on December 24, 2014 from http://digitalcommons.law.uga.edu/lectures_pre_arch_lectures_sibley/22 Posner, R. A. (1981) “The Economics of Privacy.” The American Economic Review, 71(2); 45. Practical Law (2014) “Data Protection in China: Overview.” Retrieved on December 24, 2014 from http://uk.practicallaw.com/4-519-9017 Rosen, J. (2012) “The Right to Be Forgotten, Stanford Law Review.” Retrieved on December, 24 from http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten?em_x=22. Tavani, H. T. (2007) “Philosophical Theories of Privacy: Implications for an Adequate Online Privacy Policy.” Metaphilosophy, 38; 22. Warren, S., & Brandeis, L. D. (1890) “The Right to Privacy.” Harvard Law Review, 4; 193220. Wessing, T. (2014) “Revisiting the Data Protection Regime in China.” Retrieved on December 24, 2014 from http://www.taylorwessing.com/globaldatahub/article_china_dpregime.html EDRM (2014) “Data Protection in China.” Retrieved on December 24, 2014 from www.edrm.net/resources/data-privacy-protection/data-protection.../china Maisog, M. E., and Wei, Z. (2014) “China - Data Protection 2014.” ICLG. Retrieved on December 24, 2014 from http://www.iclg.co.uk/practice-areas/data-protection/Data-Protection/china Read More