UNDP Drafting Data Protection Legislation March 2023

Uploaded by

Prakhar Bhardwaj
UNDP GUIDE

DRAFTING DATA PROTECTION LEGISLATION:
A Study of Regional Frameworks

CONTENTS

Acknowledgements
Intent and Methodology
Executive Summary
List of Abbreviations
List of cases

Introduction
1.1 Privacy as a core international human right
1.2 Privacy and the United Nations
1.3 Facets of the right to privacy
1.4 Evolution of data protection principles
1.5 Introduction to the Identified Regional Frameworks
1.6 Conclusion

Key Definitions
2.2 Personal Data and Personal Information
2.3 De-identification Methods
2.4 Data subject
2.5 Specific categories of data
2.6 Controller and Processor
Key considerations and summary points

Established data protection principles
3.1 Introduction
3.2 Fair, lawful and transparent
3.3 Notice and consent
3.4 Purpose limitation
3.5 Data minimisation
3.6 Accuracy
3.7 Integrity, confidentiality, and availability
3.8 Transparency and accountability
Key considerations

Measures for transparency and accountability
4.1 Introduction
4.2 Privacy by design
4.3 Information and access to personal data
4.4 Security safeguards
4.5 Reporting of personal data breach
4.6 Maintenance of records relating to processing activities
4.7 Data protection impact assessments
4.8 Data protection officer
Key considerations
Rights of data subjects
5.1 Introduction
5.2 The rights to access, confirmation, and information
5.3 The rights to rectification and erasure or deletion
5.4 The rights to be forgotten and to data portability
5.5 The rights to object and to restrict processing
5.6 The right against automated decision-making and profiling
5.7 The right to delegate (or for third-party to exercise) rights
5.8 Whistle-blower protection
5.9 General exceptions to rights of data subjects
Key considerations

Special protections for children’s data
6.1 Introduction
6.2 Current international and regional regulatory frameworks on children’s data
6.3 Factors and risks involved in protecting children’s personal data and online privacy
Key considerations

Data processing and access by governments
7.1 Introduction
7.2 Government access to personal data and the first principles of international human rights law
7.3 Exemptions governments can legitimately claim from data protection obligations
Key considerations

Regulation of Cross-Border Flows of Data
8.1 Introduction
8.2 Regulatory objectives and origins of cross-border data flows
8.3 Adequacy and conditions for transfer permitting cross-border data flows
8.4 Obligations on data controllers and accountability
8.5 Derogations, exceptions, and specific grounds for transfer in place of adequacy
8.6 Non-compliance, sanctions and penalties
Key considerations

Structure of Regulatory Authorities, Offences and Penalties
9.1 Introduction
9.2 Effective Regulatory Design
9.3 Structure of the Regulator
9.4 Functions and Powers of the Regulator
9.5 Penalties, remedies, and appeals
Key considerations

UNDP is the leading United Nations organization fighting to end the injustice of poverty, inequality and climate change. Working with our broad network of experts and partners in 170 countries, we help nations to build integrated, lasting solutions for people and planet.

Learn more at undp.org or follow at @UNDP

One United Nations Plaza
New York, NY 10017. USA
http://www.undp.org

Copyright © UNDP 2023. All rights reserved.

The views expressed in this publication are those of the author(s) and do not necessarily represent those of the United Nations, including UNDP, or the UN Member States.

ACKNOWLEDGMENTS

This report was authored by the Centre for Communication Governance at National Law University Delhi (CCG), with guidance from the United Nations Development Programme’s (UNDP) Governance Team in the Bureau for Policy and Programme Support.

CCG is a research centre at the National Law University Delhi, one of India’s premier law universities. Nine years since its foundation, the Centre continues to be India’s only academic centre dedicated to researching information technology laws and policies and has globally established itself as a leading research centre on these issues. CCG undertakes academic research, provides policy input both domestically and internationally, and facilitates the capacity building of relevant stakeholders at the domestic and international levels.

Privacy and data protection have been focus areas for CCG since its inception and the Centre has helped shape discourse in this domain through research and analysis, policy inputs, capacity building, and related efforts. In 2020, the Centre launched the Privacy Law Library, a global database that tracks and summarises privacy jurisprudence emerging in courts across the world, in order to help researchers and other interested stakeholders learn more about privacy regulation and case law. The PLL currently covers 200+ cases from 15+ jurisdictions globally and also contains a High Court Privacy Tracker that tracks emerging High Court privacy jurisprudence in India.

This guide was produced thanks to the generous support from Government of Japan,
Government of Switzerland and Government of Sweden

Team

The report was conceptualised by Jhalak M. Kakkar, Smitha K. Prasad, and Shashank Mohan in collaboration with UNDP. The research and drafting of the report were led by Jhalak M. Kakkar, Executive Director, CCG and Shashank Mohan, Programme Manager, CCG. The core authorship team includes Jhalak M. Kakkar, Shashank Mohan, Aishwarya Giridhar, Swati Punia, Nidhi Singh, Sangh Rakshita, Sharngan Aravindakshan, Joanne D’Cunha, Vasudev Devadasan, Akriti Gaur, and Arpitha Desai. Editors and reviewers include Jhalak M. Kakkar, Shashank Mohan, Aishwarya Giridhar, Joanne D’Cunha, Vasudev Devadasan, Akriti Gaur, Arpitha Desai, and Geetha Hariharan. Research support was provided by Bilal Mohamed, Mira Swaminathan, Priyanshi Dixit, Srishti Joshi, Aanchal Khandelwal, Aarya Pachisia, Anamika Duvaani, Anna Kallivayalil, Anushka Pandey, Avani Airan, Kunika Champawat, Raghav Ahooja, Soham Chakraborty, and Swastik Sharma.

The team would like to thank the National Law University of Delhi (NLUD) for its continued support. This report could not have been possible without the constant guidance and mentorship of the Vice Chancellor of NLUD, Prof. (Dr) Srikrishna Deva Rao. We are grateful to the Registrar of NLUD, Prof. (Dr) Harpreet Kaur for her continued encouragement and support. Special thanks is owed to Dr. Daniel Mathew, Faculty Advisor at CCG, for his steady direction and counsel.

The review process for this paper was anchored by UNDP’s Risa Arai, Programme Specialist, Legal Identity, and Niall McCann, Consultant, Legal Identity, with oversight by Sarah Lister, Head of Governance. The authors would like to thank Heidi Modro for copy-editing, and Matthew Gibbons for designing this report.

Contact information

For further information on this issue, you can contact:

Risa Arai, Programme Specialist, Legal Identity
Niall McCann, Consultant, Legal Identity
Jhalak M. Kakkar, Executive Director, CCG NLUD and Visiting Professor NLUD CCG

INTENT AND METHODOLOGY

Intent
This report has been drafted in the context of Target
16.9 of the Sustainable Development Goals that
aims to provide “legal identity for all, including birth
registration, by 2030.” Conferring proof of legal
identity (via a birth certificate or a ‘foundational’ identity
document such as a national ID card) to individuals is
crucial in order for them to be recognised as persons
before the law, enable them to exercise legal rights,
and fully participate in society’s social, political,
and economic systems. Providing legal identity to
all involves the collection and processing of large
quantities of personal data. As privacy continues to
be recognised as a crucial human right around the
world, the collection and processing of such data
must adhere to globally established standards of data
protection.

With the increase in digitisation of social and economic
infrastructure, governments have expanded the use
of new digital technologies in identity management
schemes, to potentially enhance the delivery of
public and welfare services. This shift, although with
the potential to be beneficial, raises certain unique
challenges from the perspective of protecting the
privacy rights of individuals. Consequently, it behoves
UN Member States to establish robust data protection
laws and institutional frameworks when designing
modern-day legal identity systems. Additionally,
increased internet penetration has meant an
increase in the cross-border flow of personal data
for the provision of services, making data protection
frameworks essential to ensure robust standards of
privacy around the world.

The COVID-19 pandemic has spurred UN Member
States to increase their reliance on technology as they
seek to manage its effects on their populations. While
technological solutions have played a significant role
in the global response to the COVID-19 pandemic,
they have also highlighted the prospective privacy
risks that accompany digitisation, and have made
the formulation of robust data protection laws and
institutional frameworks more urgent. In this context,
this report aims to provide UN Member States with
suggested guidance on developing domestic data
protection legislation, and creating a robust privacy-
protecting regulatory framework.

Methodology
As this report is aimed at equipping countries with the necessary tools and context to draft privacy-protecting domestic data protection legislation, we have divided the report into various chapters covering specific themes. Each chapter contains insights that are intended to assist UN Member States in framing robust privacy-respecting regulatory frameworks. These thematic areas are based on the elements most commonly covered in a typical data protection legal framework. They include:

• definitions of key terms in data protection frameworks;
• core data protection principles;
• measures to operationalise transparency and accountability;
• data protection rights for data subjects;
• special protections for children’s data;
• state exemptions from data protection obligations;
• regulation of cross-border flows of data;
• structure of regulatory authorities, and
• offences and penalties.

These components have been identified based on a comparative analysis of various regional data protection frameworks. Regional diversity has been a cornerstone of the research, and trends in data protection from the following regional data protection frameworks have been analysed:

• the Asia-Pacific Economic Cooperation (APEC) Privacy Framework;
• the Association of South-East Asian (ASEAN) Framework;
• the African Union Convention on Cybersecurity and Personal Data Protection;
• the Commonwealth of Nations Frameworks (the Model Bill on the Protection of Personal Information, and the Model Privacy Bill);
• the Council of Europe Convention 108+;
• the European Union’s General Data Protection Regulation;
• the Caribbean Community’s (CARICOM) Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR);
• the Organization of American States Principles, and
• the Organisation for Economic Co-operation and Development (OECD) Guidelines.

In addition to the regional frameworks, national laws, programmes and significant case law are analysed, where relevant. Both foundational and contemporary international academic and policy literature on privacy and data protection have been drawn upon to highlight both the diversity and commonality in global approaches to data protection.

This report has been primarily written from the perspective of data protection in the context of legal identity systems, such as for birth and death registration.

In addition, the report focuses primarily on personal data processing by UN Member States, and does not comprehensively comment on the processing of personal data by private actors in the digital economy. While the report analyses the growing trend of regulating cross-border data flows between nations, it does not specifically analyse the challenges of international data sharing between countries for law enforcement and intelligence purposes. This report has also been drafted in the context of the COVID-19 pandemic and recognises and highlights the unique privacy and data protection challenges that have arisen as a result of the ongoing global health emergency.

We hope that this report provides UN Member States with a foundational framework to enable them to formulate robust data protection frameworks that safeguard individuals’ privacy and human rights, as well as support the development of societal and policy goals.

EXECUTIVE SUMMARY

This report aims to guide policymakers and legislators in drafting and implementing privacy-protecting domestic data protection frameworks. The report was prepared in the context of Sustainable Development Goal (SDG) Target 16.9, which aims to provide “legal identity for all, including birth registration, by 2030.” Legal identity is central to the achievement of several other SDGs, and data generated from legal identity programmes is crucial for the measurement of over 60 other SDG targets.

In addition to traditional identification systems, such as the core civil registration of births, deaths, marriages, adoptions, divorces, etc., governments are also increasingly implementing related, digitally-enhanced, identity management programmes, which often process biometric data, and which are popularly referred to as ‘digital ID’ systems. These new systems seek to enhance the efficiency of public service delivery, formulation of public policy, and monitor implementation, while leveraging advancements in digital and information technologies. By their very nature, legal identity programmes rely on the collection and processing of citizens’ and residents’ personal data. While such programmes may support the achievement of various policy goals, they also have significant implications for the privacy rights of individuals. Consequently, it is more important than ever for governments to develop identity systems that respect individuals’ right to privacy and enable effective protection of their personal data.

This report aims to help UN Member States develop domestic data protection legislation and create a robust privacy-protecting regulatory framework. It identifies key considerations and various approaches to data protection for Member States to contemplate when crafting domestic data protection laws. Over the course of different chapters, the report examines various regional data protection frameworks and explores the key elements of data protection typically covered in these frameworks. The following section briefly describes the issues covered in each chapter and summarises key concepts covered in them.

CHAPTER 1: INTRODUCTION

Several international human rights instruments recognise the right of every person to be recognised as an individual with rights before the law, via legal identity. Target 16.9 of the UN’s Sustainable Development Goals — to provide legal identity for all, is primarily carried out via birth registration. In the absence of birth registration, it can also be granted via registration in national identity management programmes (such as national ID card schemes).

As global society moves towards rapid digitisation of social and economic infrastructure, nation states and private corporations collect and process more data. Such actions, however, have implications for the right to privacy, which is an internationally recognised human right. It is multi-faceted and also protects an individual’s identity, autonomy, safety, and dignity. Advancements in information technology have highlighted the need for informational self-determination, and more particularly informational privacy, which may be understood as the right of individuals to control and determine how information about them is communicated to others, including State agencies. It is also a key aspect of other facets of privacy, such as bodily integrity, decisional privacy, and behavioural privacy, and is central to how the right is understood in the context of digital technology. The UN and its Member States have been instrumental in advancing the right to privacy and have included the right in landmark human rights treaties, such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. In 2015, the UN also designated a Special Rapporteur to examine and advance the right to privacy.

With increased digitisation, digital ID programmes are also being developed to confer legal identity to individuals. These digital ID systems involve large-scale collection and processing of personal data from citizens and residents, and can include a wide range of sensitive data, such as biometric information. This collection, processing, and use of aggregated personal and sensitive information could pose security and surveillance concerns, risks of exclusion, and stigmatisation of marginalised and vulnerable communities. The need to institute data protection laws with robust data protection principles to regulate how such data is used, therefore, has become more urgent. Comprehensive, human rights-based laws can ensure that governments provide legal identity for all its citizens and resident foreigners while ensuring individual privacy.

The report explores the development of data protection principles across the world and how they are treated in regional and domestic frameworks. The development of international and regional data protection frameworks dates back to the 1970s and 1980s. Early examples of frameworks include the OECD Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (1980) and the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981). Since then, several regional frameworks have emerged, and demonstrate the growing consensus on core data protection principles while also reflecting diversity in regional approaches. This report undertakes a comparative analysis of the following ‘Identified Regional Frameworks’:

• the Asia-Pacific Economic Cooperation (APEC) Privacy Framework;
• the Association of Southeast Asian Nations (ASEAN) Framework on Digital Data Governance, and ASEAN Framework on Personal Data Protection;
• the African Union Convention on Cyber-Security and Personal Data Protection;
• the Commonwealth of Nations Model Bill on the Protection of Personal Information, and the Model Privacy Bill;
• the Council of Europe’s Modernised Convention on the Protection of Individuals with regards to Automated Processing of Personal Data (Convention 108+);
• the European Union’s General Data Protection Regulation (GDPR);
• the Caribbean Community’s Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR) Privacy and Data Protection Model Policy Guidelines and Legislative Text;
• the Organization of American States’ Updated Principles on Privacy and Personal Data, and;
• the Organisation for Economic Co-operation and Development (OECD) Privacy Framework.

The background and context necessary to appreciate the relevance of each of these frameworks is discussed in Chapter 1.

CHAPTER 2: DEFINITIONS OF KEY TERMS IN DATA PROTECTION FRAMEWORKS

Defining key terms and concepts (e.g., personal data or data controller) reduces the ambiguity in interpreting a data protection framework and also helps delineate a framework’s scope of applicability. Chapter 2 provides definitions of personal data, anonymised data, data subject, data controller, data processor, and health, biometric, and genetic data. Some of the key concepts covered in this chapter are as follows:

• Broad definition of personal data: The processing of personal data triggers the applicability of personal data protection frameworks, and data protection frameworks apply at all stages of the data processing lifecycle. A broad definition of personal data ensures that a framework is comprehensive and future-proof, and does not exclude from its ambit any privacy-infringing uses of individuals’ data. This also allows courts and regulators to protect individuals in the face of changing and ever-evolving technologies.
• High threshold for de-identification: Because anonymised or de-identified data is subject to fewer safeguards under data protection frameworks, such frameworks should ensure that data must only be considered anonymous if it is unreasonably difficult or impossible for it to be used to re-identify individuals, otherwise known as re-identification.
• Special categories of data: Health, biometric, and genetic data are intimately connected with an individual’s identity and their use could have significant implications, such as during criminal investigations or securing health insurance. Such data is typically treated as a special category of data subject to additional safeguards.
• Public and private data controllers: The definition of data controller should include both private organisations and public authorities, as they are the entities responsible for processing data and ensuring compliance with privacy obligations. This ensures that the framework comprehensively protects individuals from any harms arising from the processing of their personal information.

CHAPTER 3: CORE DATA PROTECTION PRINCIPLES

An analysis of the Identified Regional Frameworks reveals a shared consensus over seven data protection principles that are essential to a robust data protection framework. These principles, which are explored in Chapter 3, consist of: (i) fairness and lawfulness; (ii) notice and consent; (iii) purpose limitation; (iv) data minimisation; (v) accuracy of data; (vi) integrity, confidentiality, and availability; and (vii) transparency and accountability.

• Fairness and lawfulness: All processing of personal data must be undertaken for legitimate purposes and be governed by law, in line with international human rights obligations of States.
• Notice and consent: These principles traditionally protect the autonomy of individuals by informing them of how their personal data will be processed and allowing them to make decisions whether they consent to such processing. However, emerging scholarship also recognises that placing the onus of privacy entirely on individuals through notice and consent policies may result in compromised protection due to factors, such as ‘consent fatigue’ and power asymmetries between data subjects and data controllers.
• Purpose limitation: Collected data must only be used for the purposes that it was collected for, or those legitimately connected to this original purpose. This principle guards against collected data being misused later in its lifecycle for unforeseen purposes, especially in a manner that may impact individual privacy.
• Data minimisation: Data minimisation is one of the core data protection principles, and it calls for limiting data collection to only what is required to fulfil a specific and legitimate purpose. By mandating the collection of as little data as possible, this principle protects against excessive data aggregation and the privacy harms associated with this practice.
• Integrity, confidentiality, and availability: These principles impose obligations on data controllers and processors to treat individuals’ personal data with a minimum standard of care to foster information security and data protection. Adopting reasonable security safeguards mitigates against risks such as unauthorised access or use and the destruction or loss of data, among others. This protects individuals in the case when personal data records may be inaccurate or unavailable, or where their data has been accessed without authorisation.

CHAPTER 4: MEASURES TO OPERATIONALISE TRANSPARENCY AND ACCOUNTABILITY

The principles of transparency and accountability are essential to ensure the effective implementation of a data protection framework. They require data controllers and processors to comply with the data protection principles, as well as demonstrate compliance through measures such as the maintenance of records and providing information on data processing and management practices.

Chapter 4 discusses the measures typically required to operationalise transparency and accountability, which include: (i) adoption of privacy by design; (ii) providing data subjects access to their data and related information; (iii) imposing security safeguards for personal data; (iv) reporting data breaches; (v) maintaining records relating to data processing; (vi) carrying out data protection impact assessments; and (vii) appointing data protection officers for monitoring compliance.

Such measures are essential to ensure that a data protection regime is effective, accountable and rights-based. They also enable regulators to more effectively enforce data protection laws. In addition, these measures help data subjects obtain redress for violations of their rights due to transparency obligations imposed on controllers.

• Privacy by design and data protection impact assessments: Requiring privacy by design and data protection impact assessments ensures that privacy and data protection are built into the design and functioning of systems and processes. This ensures that relevant risks are accounted for based on the kinds of personal data being processed and the purposes of processing. In addition to ensuring privacy, they help foster trust in the system and data security. It is particularly important for controllers and processors to comply with objective data protection standards so that user-consent is not relied on as the sole data protection tool.
• Transparency obligations: Transparency obligations that require data controllers and processors to provide information on the data being collected and related information, such as purposes of processing and the intended recipients of the information, to data subjects are critical to enable data subjects to exercise their rights under data protection frameworks since they would otherwise be unaware of processing based on their personal data. Other transparency measures such as requiring notifications in case of data breaches allow individuals to mitigate privacy risks, and incentivise data controllers and processors to adopt strong data security practices.
• Other accountability measures: Measures such as imposing security safeguards, record maintenance obligations, and appointing data protection officers can support transparency and accountability and help the overall enforcement of the data protection framework.

CHAPTER 5: RIGHTS OF DATA SUBJECTS

Chapter 5 discusses a central pillar of data protection, the rights of data subjects. Providing comprehensive rights is crucial to empower data subjects to protect their privacy and obtain redress for data protection violations by data controllers and processors. The rights provided to data subjects operationalise privacy in the context of data protection frameworks along with the obligations imposed on data controllers and processors. Chapter 5 explores the following rights of data subjects: (i) access and confirmation of data relating to them; (ii) rectification, erasure, or deletion; (iii) the right to be forgotten; (iv) data portability; (v) object to processing; (vi) restrict processing; (vii) against automated decision making and profiling; and (viii) allow third parties to exercise data rights.

• Rights to access and information: The right of data subjects to know that a controller is processing their personal data and related information, such as the data being collected, the purposes of processing, and the recipients of data, and of access to the relevant information may be a necessary first step to exercising all other rights under data protection legislation. Without this information, data subjects would also be unable to meaningfully consent to the use of their personal data.
• The right to rectification and against automated decision-making: From the perspective of legal identity systems, the right to rectification in combination with the right to access information is likely to be among the most important rights available to data subjects. If a controller or processor has incorrect information, data subjects may be excluded from public welfare and financial services if they are not able to correct errors. The rights to rectification and the right against automated decision-making also guard against unfair or incorrect outcomes based on an individual’s data. Establishing comprehensive data standards therefore ensures equal and fair treatment and safeguards human rights.
• The right to be forgotten: The right to be forgotten is a contemporary data protection right that enables data subjects to request that their data is erased in certain circumstances. In the digital context, this right is usually exercised to require search engines and websites to remove information from search results and webpages. The operationalisation of this right can have significant implications for access to information and the freedom of expression, and it must be carefully balanced against these factors.
• Comprehensive data protection: Rights, such as the right to object to or restrict processing, data portability and allowing third parties to exercise rights on behalf of data subjects support the exercise of other data protection rights and objectives, as well as provide comprehensive protection to data subjects.

CHAPTER 6: SPECIAL PROTECTIONS FOR


CHILDREN’S DATA

The vulnerability of children to privacy risks highlights the need for specific protections to be built into data protection frameworks to protect children and their personal data. Children may face greater risks from both governmental and private use of their data, particularly in light of the COVID-19 pandemic, as access to education and other activities becomes more reliant on the internet. Chapter 6 discusses factors that need to be taken into consideration when regulating children’s data.

• Need for focus on children’s data: Among the Identified Regional Frameworks, only the GDPR and the OAS Principles discuss consent specific to children in the digital context. In protecting children and their personal data, data protection frameworks must account for children’s varying levels of cognitive development, differing cultural contexts and socioeconomic settings. They must also balance a protectionist approach with the participatory rights of children.
• Age of consent: Data controllers and processors largely use consent-based privacy management tools. This may not be the best approach for children, who may be unable to truly provide informed consent. Further, data protection frameworks often prescribe a digital age of consent which does not account for the varying capacities and cognitive development of children.
• Parental consent: Many data protection frameworks allow for parents or guardians to provide consent on behalf of children. However, there are a few issues that can arise in this context. Firstly, this approach is dependent on the notion that parents or guardians act in the best interests of the child. This may not always be the case and can conflict with the participatory or emancipatory rights of children, which could extend to the child’s right to decision-making and online expression. Secondly, parents or guardians themselves may be unaware of the privacy risks to children that could arise in the digital context.
• Age verification: Some forms of age verification may involve excessive collection of data that could result in further risks to children. Consequently, the sophistication of such techniques must be context and use-appropriate. Nevertheless, it can also be challenging to employ age verification mechanisms. Often simpler forms of age verification, such as provision of date of birth, can be easily manipulated. Assessing the likelihood that a child may access a platform and be exposed to the resultant risks should determine the verification methods that are employed as opposed to prescribing blanket forms of verification. Furthermore, personal data collection and processing, when it relates to children of certain age groups, should be explicitly based on opt-in policies, with no personal data being shared without explicit consent.
• Measures to protect children’s data: It is crucial for data protection frameworks to mandate minimal collection of children’s data that is strictly necessary to provide services. Additionally, data controllers can provide children with information and tools to understand potential harms in a manner that is easily comprehensible. It is also important to provide children, teachers and parents with resources to understand privacy risks and assess potential harms that may arise from the use of digital products and services.

CHAPTER 7: STATE EXEMPTIONS FROM DATA PROTECTION OBLIGATIONS

This report recognises that governments are likely to
be among the largest public collectors and processors
of data, and proceeds to identify the first principles
applicable to government access of personal data in
the context of a data protection law. Data protection
frameworks provide exemptions to the state from
data protection obligations for certain legitimate
purposes, such as national security, maintaining
public order, and undertaking criminal investigations.
Chapter 7 explores the requirements that such
exemptions are typically required to conform to.

• Applicable safeguards: Typically, under
international human rights law, restrictions
on core fundamental rights such as the right
to privacy require the restrictions to: (i) be
provided by law; (ii) not be arbitrary; (iii) pursue
a legitimate aim; and (iv) be necessary and
proportionate to the legitimate aim pursued.
These factors aim to narrowly tailor restrictions
on rights and seek to balance legitimate
governmental objectives with the rights of data
subjects.
• Narrow, targeted exemptions: It is essential
for data protection principles and obligations
in regulatory frameworks to apply to both
the government and the private sector,
especially given that the right to privacy is
an internationally recognised human right.
In order to have an effective data protection
framework that safeguards the right to privacy,
any exemptions for governments to obligations
under data protection regulatory frameworks
must be narrowly tailored, specific, proportional
to the aims sought to be achieved, and contain
robust safeguards to ensure accountability.

CHAPTER 8: REGULATION OF CROSS-BORDER FLOWS OF DATA

Provisions in data protection frameworks affecting cross-border data flows must balance the need for seamless data transfers and economic interests with the legitimate need of governments to protect the privacy of their citizens and prevent data misuse. Chapter 8 examines both geographical and organisational norms for cross-border data flows and highlights the key goal of ensuring that data controllers remain accountable to protect data as it moves across jurisdictions.

• Objectives of regulating cross border data flows: A key objective for regulation is to ensure that personal data that is transferred to another territory receives a comparable level of protection and security. Commercial and economic interests can also drive such regulation.
• Adequacy requirement: The cross-border transfer of personal data is generally dependent on an assessment of the adequacy of protection, i.e., a reasonable level of protections afforded to personal data by the receiving territory, typically being made by an independent authority in a country. There is a list of factors to consider while making an adequacy assessment which includes the nature of data, the legislative framework of the destination country, and the purpose and the duration of processing. Adequacy assessments should ideally be made by independent authorities in a transparent and consultative manner. Furthermore, assessments must also be periodically monitored.
• Absence of adequacy: Frameworks may have differing standards of adequacy. In the absence of adequacy or comparable safeguards, frameworks still allow for cross-border data flows by placing specific data protection obligations on data controllers through legally binding instruments, such as Standard Contractual Clauses. A self-certification mechanism which is considered adequate may also be a substitute for an adequacy assessment. However, such mechanisms can pose risks to privacy and other human rights in the absence of adequate protections in domestic law. As noted by the European Court of Justice in Schrems v Data Protection Commissioner and Another (Schrems I), self-certification mechanisms must be founded on state-based systems that identify and penalise infringements of privacy and data protection rights.
• Specific grounds for transfer: Frameworks may allow for additional grounds under which personal data may be transferred. These grounds do not operate as exemptions from the obligation to protect data, but instead provide for flexibility in certain situations, such as when explicit consent is given by the data subject, or when transfers are required for the performance of contracts, or in the case when transfers are necessary in the public interest.

CHAPTER 9: STRUCTURE OF REGULATORY AUTHORITIES, AND OFFENCES AND PENALTIES

Having a regulatory framework that can effectively enforce data protection obligations is essential to protect data subjects. While the exact design of a regulatory framework may vary depending on national legal systems and regulatory contexts, the report stresses the importance of establishing a regulatory system that can effectively enforce data protection legislation. Chapter 9 explores the regulatory frameworks found in the Identified Regional Frameworks, and considers the following factors: the components of effective regulatory design; the structure of regulators (including factors such as composition, appointment requirements, funding, etc.); functions and powers of regulators; and penalties, remedies, and appeals.

• Independent functioning: Ensuring the independent functioning of the relevant regulator is key to setting up any effective regulator. However, it is particularly important in the context of a data protection framework since the regulator would be required to oversee the data processing activities of both private, as well as State entities. The manner and source of funding, process for appointments and dismissals of members of the regulatory body, and assessing conflicts of interest are some measures that have been addressed in the Identified Regional Frameworks and are explored in this report.
• Transparency and accountability: Accountability mechanisms for regulators are important to guard against abuse of powers by the regulator and to ensure the effective implementation of the data protection framework. Measures seeking to ensure transparency, such as reporting requirements, publishing guidelines on the operation of the regulator, and undertaking public consultations can aid in creating accountability for, and engendering trust in the regulator. Measures to hold regulators accountable to multiple stakeholders, such as the public, legislature, and regulated entities can also aid in these objectives.
• Resource allocation: Effective enforcement of data protection frameworks relies on the regulator’s ability to keep pace with upcoming technology and coordinate with various sectoral regulators. Consequently, the provision of adequate human and financial resources is likely to be extremely important for the regulator to be able to perform its functions effectively.

By analysing the foundational components of the Identified Regional Frameworks, this report aims to serve as a guide on emerging best practices in data protection laws and policy, and unpack the critical challenges faced in designing, implementing, and enforcing data protection frameworks.

LIST OF ABBREVIATIONS

Aadhaar Act, 2016 – Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act
2016 (India)
Aadhaar Amendment Act, 2019 – Aadhaar And Other Laws (Amendment) Act, 2019 (India)
Aadhaar Judgement – Justice KS Puttaswamy v Union of India (2019) 1 SCC 1 (Supreme Court of India)
African Court – African Court on Human and Peoples’ Rights
APEC – Asia-Pacific Economic Cooperation (forum)
APEC Privacy Framework – APEC Privacy Framework (2015)
ASEAN – Association of Southeast Asian Nations
ASEAN Digital Governance Framework – ASEAN Framework on Digital Data Governance (2018)
ASEAN DP Framework – ASEAN Framework on Personal Data Protection (2016)
AU Convention – African Union Convention on Cyber-Security and Personal Data Protection
BCRs – Binding Corporate Rules
CBPR – APEC Cross Border Privacy Rules
CMB – Citizenship and Migration Bureau (Estonia)
CoE – Council of Europe
Commonwealth PPI Bill – Model Bill on the Protection of Personal Information (The Commonwealth)
Commonwealth Privacy Bill – Model Privacy Bill (The Commonwealth)
Convention 108 – Convention for the Protection of Individuals with regard to Automatic Processing of Personal
Data (1981)
Convention 108+ – Convention for the Protection of Individuals with regard to Processing of Personal Data
(2018)
COPPA – Children’s Online Privacy Protection Act (United States)
CRC – UN Convention on the Rights of the Child
DPIA – Data Protection Impact Assessment
ECHR – European Convention on Human Rights
ECIPIE – European Centre for International Economic Policy
ECJ – European Court of Justice
ECtHR – European Court of Human Rights
EDPB – European Data Protection Board
EDPI – Estonian Data Protection Inspectorate
EDPS – European Data Protection Supervisor
EEA – European Economic Area
FIPPS – Fair Information Practice Principles
GDPR – General Data Protection Regulation (European Union)
HEW Advisory Committee – United States Department of Health, Education and Welfare Secretary’s Advisory
Committee on Automated Personal Data Systems
HIPCAR Privacy Framework – Harmonization of ICT Policies, Legislation and Regulatory Procedure in the
Caribbean (Privacy and Data Protection: Model Policy Guidelines & Legislative Texts)
Huduma Judgement – Nubian Rights Forum v Attorney General of Kenya and Ors [2020] eKLR, [1040] (High
Court of Kenya)
IACHR – Inter-American Court of Human Rights
ICCPR – International Convention on Civil and Political Rights
ICT – Information and Communications Technology
Identified Regional Frameworks -
Indian Privacy Judgement – Justice KS Puttaswamy v Union of India (2017) 1 SCC 1 (Supreme Court of India)
IPRS – Integrated Population Registration System (Kenya)
ISP – Internet Service Provider
Johannesburg Principles – Johannesburg Principles on National Security, Freedom of Expression and Access
to Information
Katiba Judgement – Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and
Technology, Ex Parte Katiba Institute & another [2021] eKLR, 22 (High Court of Kenya)
LED – European Union Law Enforcement Directive
MLATs – Mutual Legal Assistance Treaties
MNIC – Multipurpose National Identity Card (India)
NIIMS Rules – Registration of Persons (National Integrated Identity Management System) Rules, 2020 (Kenya)
NIMS – National Integrated Identity Management System (Kenya)
OAS – Organization of American States
OAS Principles – Proposed Statement of Principles for Privacy and Personal Data Protection in the Americas by
the Inter-American Juridical Committee (26 March 2015)
OECD – Organisation of Economic Cooperation and Development
OECD Guidelines – OECD Privacy Framework Booklet (2013)
Ofcom – Office of Communications, United Kingdom
PAN – Permanent Account Number (India)
PIC – Personal Identification Code (Estonia)
PII – Personally identifiable information
PR – Population Register (Estonia)
RPA – Registrations of Persons Act (Kenya)
SCCs – Standard Contractual Clauses
Schrems I – Schrems v Data Protection Commissioner and Another Case C-362/14 (European Court of Justice)
Schrems II – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems Case C-311/18 (European
Court of Justice)
Siracusa Principles – Siracusa Principles on the Limitation and Derogation Provisions in the International
Convention on Civil and Political Rights
UDHR – Universal Declaration of Human Rights
UIDAI – Unique Identification Development Authority of India
UK ICO – United Kingdom Information Commissioner’s Office
UN – United Nations
UN Legal Identity Task Force – UN Legal Identity Agenda Task Force
SDGs – Sustainable Development Goals
UNHRC – UN Human Rights Council
UNICEF – UN International Children’s Emergency Fund
VID – Alternative Virtual Identity (India)

LIST OF CASES

1. Antonius Cornelis Van Hulst v Netherlands Communication No. 903/1999
2. Ben Faiza v. France, Application no. 31446/12, (ECHR 2018)
3. Benedik v. Slovenia, Application No 62357/14
4. Big Brother Watch and Others v. The United Kingdom, (2015) Applications nos. 58170/13, 62322/14 and 24960/15.
5. BVerfG, Judgment of the First Senate of 27 February 2008 - 1 BvR 370/07
6. Case C-131/12 Google Spain v AEPD [2014] OJ C 212
7. Case C-136/17 GC and Others v CNIL [2019] ECLI:EU:C:2019:773
8. Case C-201/14 Smaranda Bara and Others v Președintele Casei Naționale de Asigurări de Sănătate and Others
[2015] ECLI:EU:C:2015:638
9. Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems [2020]
ECLI:EU:C:2020:559.
10. Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] EU:C:2015:650;
11. Case C-40/17 Fashion ID GmbH & Co. KG v. Verbraucherzentrale NRW eV decision dated 29 July [2019]
ECLI:EU:C:2018:1039
12. Case C-507/17 Google v CNIL [2019] ECLI:EU:C:2019:15
13. Case C-518/07 European Commission v Federal Republic of Germany [2010] OJ C113/3
14. Case C-553/07 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer [2009] E.C.R.
I-03889
15. Case C-582/14, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, 1–2 (Oct. 19, 2016)
16. Case C-614/10 European Commission v Republic of Austria [2012] OJ L281/31
17. Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, (2015) Case C-311/18
18. Entick v Carrington 1558-1774 All E.R. Rep. 45; Boyd v United States 116 U.S. 616.
19. Esbester v. The United Kingdom, European Commission of Human Rights, Application No. 18601/91.
20. Escher v Brazil IACHR (ser. C) No. 200/2009
21. Fontevecchia and D’amico v. Argentina Am. Ct. H.R. (ser. C) No. 238/2011
22. G v Australia (2017), CCPR/C/119/D/2171/2012.
23. In Re Sony BMG Music Entertainment, US FTC Matter 062-3019 (29 June 2007) Complaint.
24. Justice K. S. Puttaswamy (Retd.) v. Union of India and Ors. (2017) 10 SCC 1
25. Kennedy v United Kingdom [2010] ECHR 682 (18 May 2010)
26. Klass and Others v. Germany, Liberty and Others v. the United Kingdom, Application No 58243/00,1 July
2008
27. Leander v. Sweden, IHRL 69 (ECHR 1987)
28. Malone v United Kingdom (1984) 7 EHRR 14
29. Minister of Police v Grace Nomazizi Kunjana [2016] ZACC 21 (South Africa)
30. Nubian Human Rights Forum and Ors. v The Hon. Attorney General and Ors., Petition 56, 58, and 59 of 2019
(Consolidated), (2020) eKLR
31. Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested
Parties) [2020]
32. Okoiti v. Communications Authority of Kenya Constitutional Petition no.53 of 2017 [2018] eKLR
33. Peck v United Kingdom (2003) 36 EHRR 41
34. PG and JH v The United Kingdom (2001) App no. 44787/98, ECHR 2001 IX.
35. Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others
Ex Parte Katiba Institute & another; Immaculate Kasait, Data Commissioner (Interested Party) [2021] eKLR, 22
36. Rev. Christopher R. Mtikila v. Tanzania Application No. 009/2011
37. Roman Zakharov v. Russia, Application No. 47143/06
38. Rotaru v Romania ECHR 2000-V, App No 28341/95
39. S and Marper v United Kingdom (2004) ECHR 1581, Application no. 30562/04 and 30566/04
40. Satakunnan Markkinaporssi Oy v Finland, App no 931/13 ECtHR (27 June 2017)
41. Shimovolos v. Russia, (2011) ECHR 987
42. Silver and others v. the United Kingdom, (1983) 5 EHRR 347, paras. 85-86
43. Smith and Grady v The United Kingdom (1999) 29 EHRR 493.
44. Sri Vasunathan v The Registrar General WP 62038/2016
45. Subhranshu Rout @ Gugul v. State of Odisha BLAPL No 4592 of 2020
46. Tanganyika Law Society and the Legal and Human Rights Centre v. Tanzania, Application No. 011/2011
47. Toonen v Australia, Communication No. 488/1992, (1994) UN Doc CCPR/C/50/D/488/1992
48. Tristán Donoso v Panamá (2009) IHRL 3064 (IACHR 2009)
49. Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein,
Case C-210/16 decision dated 5 June 2018.
50. Uzun v. Germany, Application No. 35623/05, (ECHR 2010)
51. Weber and Saravia v. Germany, Application no. 54934/00, (ECHR 2006)
52. Zulfiqar Ahman Khan v Quintillion Business Media [2019] (175) DRJ 660
CHAPTER 1: INTRODUCTION

The digital revolution has opened new gateways to human development, but also raised novel
human rights challenges. As social and economic activities increasingly shift online, there
has been a greater focus on the need to protect personal data and privacy rights through the
adoption of national legislation, the expansion of fundamental rights, and the formulation
of international and regional norms.

Several international human rights instruments recognise the right of every person to be recognised as an individual with rights before the law (i.e., possess legal identity), including the right to registration at birth. As per the official UN ECOSOC-approved working definition, legal identity is granted via birth registration. In the absence of birth registration, legal identity can be conferred by a legally-mandated identity authority (such as, for example, a ‘unique identity authority’ or a ‘national registration bureau’, managing a national identity management programme, such as a national ID card scheme). The conferral of legal identity ensures that individuals are recognised by the law, helping secure the rights and benefits that are guaranteed to them by law. Universal birth registration is essential to ensure that unregistered and uncounted children are not left stateless and unable to access justice systems, as well as their basic human rights.1 To ensure that these rights are operationalised, the 2030 Agenda for Sustainable Development established a specific target within the Sustainable Development Goals (SDGs), Target 16.9, which aims to provide “legal identity for all, including birth registration, by 2030.” Data generated from legal identity programmes is necessary to measure over 60 SDG indicators. Furthermore, experts recognise that legal identity systems help improve public policy formulation, their implementation, the monitoring of outcomes and the better delivery of services.2 Inclusive legal identity systems help tackle systemic discrimination and exclusion and are essential for the realisation of the larger ambition of the SDG’s ‘Leaving No-One Behind’ agenda.3

In the recent past, legal identity initiatives (particularly in the ‘identity management domain’ such as via national ID card schemes) have increasingly incorporated the use of technology as a consequence of an overall move toward digitisation. Estonia, The Gambia, India, Indonesia, Mexico, Iceland, Norway, and Kenya are examples of countries that have introduced (or are in the process of adopting) digital legal identity programmes (shortened to ‘digital ID’ hereafter). Digital ID systems are also being used to confer legal identity to adults who have no record of their birth registration. The Principles on Identification for Sustainable Development acknowledge that modern day identification systems use digital forms of credentials to access both public and private services through automated authentication.4 Most recently, and of particular interest from a human rights perspective, digital ID systems are being used in some countries to address COVID-19 public health concerns.5 Such systems are relying on digital ID to provide access to benefits and services to carry out contact tracing, and

1 UN Office of the High Commissioner for Human Rights, 'Input from a child rights perspective to the United Nations High-level Political Forum on Sustainable Development', (July 2019) https://sustainabledevelopment.un.org/content/documents/24291OHCHR_ChildRightsReport_HLPF_July19.pdf.
2 Mia Harbitz and Maria del Carmen Tamargo, ‘The Significance of Legal Identity in Situations of Poverty and Social Exclusion’ (Inter-American Development Bank, 2009), https://publications.iadb.org/publications/english/document/The-Significance-of-Legal-Identity-in-Situations-of-Poverty-and-Social-Exclusion-The-Link-between-Gender-Ethnicity-and-Legal-Identity.pdf
3 Bronwen Manby, 'Legal identity for all and childhood statelessness' (Institute on Statelessness and Inclusion) http://children.worldsstateless.org/3/childhood-statelessness-and-the-sustainable-development-agenda/legal-identity-for-all-and-childhood-statelessness.html.
4 World Bank, ‘Principles on Identification for Sustainable Development: Toward the Digital Age’ (February 2021) https://documents1.worldbank.org/curated/en/213581486378184357/pdf/Principles-on-Identification-for-Sustainable-Development-Toward-the-Digital-Age.pdf.
5 Joseph Cannataci, Report of the Special Rapporteur on the right to privacy, A/75/147, July 2020 https://documents-dds-ny.un.org/doc/UNDOC/GEN/N20/195/60/PDF/N2019560.pdf?OpenElement

even for the provision of COVID-19 vaccine certificates. Jamaica, for instance, considered accelerating the implementation of its National Identification System to provide individualised aid and benefits to combat the effects of the pandemic.6 In some cases, the process of providing public and private services is also accomplished through the use of digital biometric identification technology.7 A 2013 survey by the Centre for Global Development pointed to 160 identification programmes worldwide that have relied on biometric identification for economic, political, and social purposes in developing countries.8

An area of examination, and often conflict, is between legal identity and the associated privacy challenges. The right of every person to be recognised as a person before the law involves the collection and processing of personal data by state actors. Risks to personal data may occur as a consequence of the large-scale collection and processing of data by any identification system, particularly, in a digital identification system. Such systems involve the storage of aggregated personal information and biometrics in a single place, which could pose security concerns. These concerns could involve data and storage related risks, such as security breaches leading to identity theft, unauthorised disclosure, or challenges from maintaining inaccurate data on an individual.9 As digital ID systems involve extensive collecting and processing of personal and sensitive personal data, such systems could be exposed to surveillance risks, or threats of data being shared beyond purposes for which it was originally collected. Additionally, digital ID systems extensively rely on technological solutions that may have inherent error rates, which may result in limiting access to these systems for certain vulnerable citizens. Without adequate safeguards to protect against these risks, such digital ID systems may run risks of exclusion, that may have an especially onerous impact on marginalised communities and vulnerable groups. Governments and related institutions, for instance, may sometimes enter into agreements with commercial partners to manage and/or build digital ID systems.10 Privacy concerns may be exacerbated with the involvement of such private entities, particularly, if there is little clarity and transparency on their specific engagement.

Furthermore, some types of data, such as biometric or genetic data or health data, merit a higher level of protection, as it is more sensitive in nature. Processing and sharing of such data without adequate data protection measures in place could result in greater risks to an individual’s rights and freedoms. Data protection concerns may be exacerbated not only due to digitisation, but also due to the inclusion of biometric identifiers, which may separately raise unique issues. While the use of biometrics can aid in facilitating social and economic development by bridging information gaps to improve access to public services or to combat fraud, it is accompanied by a necessary sharing of such sensitive personal data. Through biometrics, the identity of an individual is authenticated using biometric records stored in a database. With a common biometric identifier, an individual’s identity can be linked across various accessible databases and may lead to greater privacy risks to a person and even groups of people. Responsible processing of personal data may or may not be explicitly outlined in domestic legal identity laws, which might add to privacy risks.

Given the sensitive nature of the data collected, processed, shared and stored in the operation of legal identification systems, it may be necessary to have in place robust data protection legislation that incorporates relevant data protection principles to regulate how such data is used.11 These principles

6 ‘Jamaica fast-tracks national ID system to help distribute aid and benefits’ (Privacy International, March 2020), https://privacyinternational.org/examples/3627/jamaica-fast-tracks-national-id-system-help-distribute-aid-and-benefits.
7 While biometric data has been captured, particularly in the law enforcement context, for many decades (e.g. via ink fingerprinting), it is the capturing and processing of digital biometric data that has raised privacy concerns, particularly as such data can be used to identify individuals across large databases, often times without their consent.
8 Many countries have begun or are in the process of implementing country wide systems that rely on biometric identification to form the basis of their national identity and civil registration projects; Gelb and Clark, ‘Identification for Development: The Biometrics Revolution', Centre for Global Development Working Paper, pg. 315, https://www.cgdev.org/sites/default/files/1426862_file_Biometric_ID_for_Development.pdf.
9 Julia Clark and Conrad Daly, ‘Digital ID and the Data Protection Challenge’ (October 2019) https://openknowledge.worldbank.org/bitstream/handle/10986/32629/Digital-ID-and-the-Data-Protection-Challenge-Practitioners-Note.pdf?sequence=1&isAllowed=y
10 The Engine Room, ‘Understanding the Lived Effects of Digital ID: A Multi-Country Study’, (January 2020), https://digitalid.theengineroom.org/assets/pdfs/200123_FINAL_TER_Digital_ID_Report+Annexes_English_Interactive.pdf.
11 UN Legal Identity Agenda Task Force, ‘Implementation of the United Nations Legal Identity Agenda: UN Country Team Operational

are discussed in greater detail in Chapter 3 (Data Protection Principles). It is important for legal identity laws to include data protection principles. Purpose limitation, for instance, can necessitate clarity in the scope of the legal identity programme and its data operations.12 Ensuring that only relevant data is collected to fulfil a specific and legitimate purpose, through the principle of data minimisation, may aid in avoiding excessive collection and could mitigate privacy risks. Transparency and accountability are principles within data protection law that involve measures such as privacy by design, or establishing security safeguards to avoid breaches, all of which may be vital for digital identification systems. With such safeguards in place, it would also allow for greater transparency of private entity involvement in processes related to digital ID systems.

These concerns have also been consistently raised and addressed by the UN’s Legal Identity Agenda Task Force, which has emphasised the importance of protecting individuals’ personal data and that conferring legal identity should not compromise a person’s privacy. In order to solve some of these challenges across jurisdictions, the Task Force, in the UN Country Team Operational Guidelines, highlights the indispensable role of strong legal, institutional, and technical safeguards within a comprehensive data protection legislation so as to provide legal identity while safeguarding privacy.13 The guidelines also recognise the above principles and highlight that it is crucial to have legitimate objectives when developing and maintaining a legal identity system due to the sensitive and highly personal nature of the information collected, processed, used, and shared. The Task Force notes that Member States must ensure that only necessary and proportional means are used to achieve such objectives. The Task Force emphasises that all Member States, therefore, should adopt data protection and privacy frameworks to regulate how identity data is used and protected by the state.

On the international stage, several regional inter-governmental organisations have developed data protection or regulatory frameworks that aim to address the challenges of evolving technology. Creating regional or international frameworks that harmonise privacy and data protection laws at the national level supports the free flow of data across borders without legal or regulatory hurdles. These laws also help to foster improved personal data governance by creating specific duties for data controllers, the entities that collect and process personal data, and guarantee protections for data subjects and the individuals to whom the personal data belongs. In this context, the term ‘personal data’ includes all information relating to an identified or identifiable natural person.

Various regional and national data protection frameworks seek to guarantee the privacy of individuals. Different jurisdictions have several levels of privacy protection. Some countries, for example, may only permit data collection and processing for legislatively sanctioned purposes, while others may strictly regulate the cross-border flow of personal data. There is currently no global international normative treaty on data protection, despite privacy being recognised as a human right in several national constitutions. Consequently, this chapter explores the evolution of the right to privacy as an international human right, its relationship with informational privacy and data protection, and outlines the evolution of global data protection principles. It introduces the key regional frameworks that will be examined in this report.

Guidelines’ (May 2020) paras 83, 86, https://unstats.un.org/legal-identity-agenda/documents/UNCT-Guidelines.pdf.

12 Article 29 Data Protection Working Party, 'Opinion 03/2013 on Purpose Limitation' (2 April 2013) WP 203, 4 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf.
13 UN Legal Identity Agenda Task Force, ‘UN Strategy for Legal Identity for All’ (June 2019), para 26 https://unstats.un.org/legal-identity-agenda/documents/UN-Strategy-for-LIA.pdf; UN Legal Identity Agenda Task Force, ‘Implementation of the United Nations Legal Identity Agenda: UN Country Team Operational Guidelines’ (May 2020) paras 83, 86, https://unstats.un.org/legal-identity-agenda/documents/UNCT-Guidelines.pdf.

1.1 Privacy as a core international human right

One of the first articulations of a right to privacy was a law review article authored by Samuel D. Warren and the future United States Supreme Court Justice, Louis D. Brandeis, in 1890.14 Warren and Brandeis argued that protecting privacy requires the recognition of emotional harms and of the right to be left alone. The right to privacy has since obtained a definitive international and legal character. In 1948, the UN General Assembly adopted the Universal Declaration of Human Rights (UDHR) which states in Article 12 that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.” The International Covenant on Civil and Political Rights (ICCPR), adopted in 1966 and since ratified by over 170 UN Member States, guaranteed the right against arbitrary and unlawful interference with the right to privacy.15 In its interpretative guidance to the ICCPR, the UN Human Rights Committee has stated that only relevant and competent national authorities should be able to access information regarding an individual’s private life, and only in the interests of society.16

14 Warren and Brandeis, 'The Right to Privacy', (1890), Harvard Law Review, https://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html.
15 UN General Assembly, ICCPR, 16 December 1966, UN Treaty Series, vol. 999, page 171 Art 17.
16 UN Human Rights Committee (HRC), CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, 8 April 1988, para 7, https://www.refworld.org/docid/453883f922.html.

The Human Rights Committee’s guidance also requires national legislation to state:

• the exact circumstances when interferences with privacy are permitted;
• that correspondence shall remain confidential and not be intercepted, and;
• that surveillance of communications must be prohibited.

The European Convention on Human Rights (ECHR) was adopted in 1950 and became one of the first regional instruments that recognised the right to privacy. Drafting was influenced by the then recently adopted UDHR, and the recommendations of the International Committee of the Movement for European Unity. Unlike the UDHR and ICCPR, the ECHR does not use the umbrella term ‘privacy’. However, Article 8 of the ECHR, which protects the right to private and family life, home, and correspondence, has been interpreted by courts as a clause that guarantees a broader right to privacy.17 Over time, this right was expanded to incorporate various facets of privacy. The European Court of Human Rights (ECtHR) has provided an expansive definition to private and family life, which covers sexual orientation and autonomy, informational privacy in relation to collecting individuals’ data, covert surveillance by the state, and bodily integrity.18

The constitutional right to privacy guaranteed by states typically covered specific aspects of privacy, such as the right against unlawful search and seizure, protection of private property, and the inviolability of home and correspondence. Since the adoption of the UDHR and ECHR, states have adopted laws protecting the right to privacy in different ways. Some states have created explicit guarantees protecting the right to privacy in their national constitutions.19 However, the type and extent of protection granted varies. Several national constitutions provide a minimum standard of privacy protection that includes the inviolability of the home and secrecy of communications.20 Where not expressly guaranteed by the constitution, courts have sometimes ruled that the right to privacy is part of other constitutionally enumerated rights, such as the right to life and personal liberty.21

Today, privacy is understood as a crucial right, necessary for the enjoyment of other fundamental rights and freedoms. The right to privacy encompasses several cognate rights, such as the right to protect a person’s intimacy, identity, name, gender, honour, dignity, appearance, feelings and sexual orientation. Professor Alan Westin initially conceptualised privacy as an individual right and defined privacy as control over personal information.22 It has since evolved to include broader concepts like collective privacy.

The initial conception of privacy as a right to be left alone without any interference with a person’s bodily autonomy and property has given way to a more nuanced understanding as a result of modern realities. With the rapid increase in the evolution and adoption of technology, more and more of our day-to-day activities now occur electronically. The increase in the generation of data by and about individuals has led to an increased focus on protecting informational privacy. Informational privacy can be defined as “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”23 The protection of informational privacy, often through data protection laws, has become a key focus of international, regional, and domestic levels of governance.

17 Satakunnan Markkinaporssi Oy v Finland, App no 931/13 ECtHR (27 June 2017).
18 Smith and Grady v The United Kingdom (1999) 29 EHRR 493 https://privacylibrary.ccgnlud.org/case/smith-and-grady-vs-the-united-kingdom?searchuniqueid=238652; Rotaru v Romania ECHR 2000-V, App No 28341/95 https://privacylibrary.ccgnlud.org/case/rotaru-vs-romania?searchuniqueid=310832; PG and JH v The United Kingdom App no. 44787/98, ECHR 2001 IX https://privacylibrary.ccgnlud.org/case/pg-and-jh-v-the-united-kingdom?searchuniqueid=817039; S and Marper v United Kingdom ECHR 1581, Application no. 30562/04 and 30566/04 https://privacylibrary.ccgnlud.org/case/s-and-marper-vs-united-kingdom?searchuniqueid=483790.
19 Art 14 of the Constitution of the Republic of South Africa.
20 Article 10 of the Constitution of Finland; Article 18(2) of the Constitution of Ghana; Article II.2 of the Constitution of Philippines.
21 Justice K S Puttaswamy v Union of India AIR 2017 SC 4161 (India) https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-and-ors-vs-union-of-india-uoi-and-ors?searchuniqueid=504175.
22 Alan F Westin, ‘Privacy and Freedom’ (1968), Wash. and Lee Law Review 166 https://scholarlycommons.law.wlu.edu/wlulr/vol25/iss1/20.
23 Alan F Westin, ibid.

1.2 Privacy and the United Nations

The right to privacy has been codified by several international and regional bodies over the last two decades. The regional privacy and data protection jurisprudence is vast and contains both binding and non-binding legal instruments. The UN has made significant international contributions to the development of the field of data protection and privacy. This includes reporting by the High Commissioner for Human Rights, as well as the reports submitted by the Special Rapporteurs on the Freedom of Expression, Counter Terrorism and Xenophobia. Several UN agencies have also contributed to the debate on the right to privacy and data protection, including the UN Human Rights Committee,24 the UN Development Group,25 the UN General Assembly26 and the UN Legal Identity Agenda Task Force.27

In 1988, the UN Economic and Social Council published guidelines for the regulation of computerised data files which recognised that the computerisation of personal data had implications for individuals’ right to privacy and might also threaten other freedoms.28 These guidelines articulated broad principles such as fairness, non-discrimination and purpose-specification for the use of data that could be used by Member States to frame national legislations for the collection of data. The ‘contours’ of the right to privacy were subsequently defined even more broadly by the UN. In 2013, UN Special Rapporteur Frank La Rue described the concept of privacy as the availability of “[an] area of autonomous development, interaction and liberty, a “private sphere” with or without interaction with others, free from state intervention and from excessive unsolicited intervention by other uninvited individuals.”29

24 UN Human Rights Committee (HRC), CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation https://tbinternet.ohchr.org/Treaties/CCPR/Shared%20Documents/1_Global/INT_CCPR_GEC_6624_E.doc.
25 ‘Data Privacy, Ethics and Protection Guidance Note on Big Data for Achievement of the 2030 Agenda’ (United Nations Development Group) https://unsdg.un.org/sites/default/files/UNDG_BigData_final_web.pdf.
26 UN General Assembly, 'Resolution adopted by the General Assembly on 18 December 2013', UN A/RES/68/167 https://undocs.org/A/RES/68/167.
27 'Maintaining Civil Registration and Vital Statistics during the COVID-19 pandemic' (United Nations Legal Identity Agenda Task Force, 9 April 2020), https://unstats.un.org/legal-identity-agenda/documents/COVID-19-Guidelines.pdf.
28 Louis Joinet, ‘Guidelines for the regulation of computerized personal data files’ (UN Economic and Social Council, 21 July 1988) para 7 https://digitallibrary.un.org/record/43365?ln=en.
29 Frank La Rue, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/HRC/23/40, April 2013 https://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf.

UN Member States have periodically adopted resolutions recognising and reaffirming the right to privacy in the digital age. The UN General Assembly adopted resolution 68/167, explicitly affirming that “the same rights that people have offline must also be protected online, including the right to privacy.”30 The increase in information and communications technology has allowed more people to participate in global discourse, express their opinions and has fostered democratic participation. As noted by the UN High Commissioner for Human Rights, however, technology has also allowed governments, enterprises, and individuals to conduct surveillance and intercept and collect personal data.31

In 2015, the United Nations Human Rights Council (UNHRC) appointed a Special Rapporteur on the Right to Privacy,32 with a dedicated mandate to promote and protect the right to privacy. The Special Rapporteur has advanced the discourse on privacy, addressing issues such as governmental surveillance activities, big data and open data, privacy and technology from a gender perspective, the protection and use of health-related data, the business use of personal data, and the privacy dimensions of the COVID-19 pandemic.33 In 2019, the Special Rapporteur for the Right to Privacy noted that while many Member States unequivocally committed themselves to international instruments which uphold the right to privacy, they act in direct contravention of such obligations by employing new technologies that are incompatible with the right to privacy.34

30 UN General Assembly, 'The Right To Privacy In The Digital Age' UN Doc A/RES/68/167 (Dec 2013) https://undocs.org/A/RES/68/167.
31 Report of the High Commissioner for Human Rights, 'The Right To Privacy In The Digital Age' (2014) A/HRC/27/37 https://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf
32 UN Human Rights Council (A/HRC/RES/28/16, April 2015) https://undocs.org/A/HRC/RES/28/16
33 United Nations Human Rights Special Procedures, Special Rapporteur on the right to privacy, https://www.ohchr.org/en/special-procedures/sr-privacy.
34 Report of the Special Rapporteur on the right to privacy, A/HRC/40/63 (16 October 2019), https://undocs.org/A/HRC/40/63.

1.3 Facets of the right to privacy

The definition of privacy differs based on different cultures and legal systems, and there is no universally accepted definition. However, several scholars have discussed the various facets of privacy, all of which come together to form the right to privacy which regional and international actors seek to protect. In 1992, Roger Clarke developed what was then considered an updated typology of the types of privacy, which could keep pace with technological developments. He proposed four dimensions of privacy, namely privacy of the person, privacy of personal behaviour, privacy of personal communication, and privacy of data.35 In 2015, he added another dimension to privacy, namely the privacy of personal experience, which was in response to the widespread use of the internet and mobile media.36 Another famous classification comes from Anita Allen’s scholarship on unpopular privacy, which bases the classification of privacy on moral and social values.37 These are:

• physical or spatial privacy – expectations of privacy around a person’s home;
• informational privacy – a broad concept that includes information about the person and their communications;
• decisional privacy – the right of individuals to make personal choices about their lives free from governmental interference;
• proprietary privacy – a person’s right to their reputation;
• associational privacy – relates to groups and their internal relationships, including their values and criteria for inclusion or exclusion.

One of the more recent models of privacy proposed by Koops et al puts forth a different model.38 They identify eight types of privacy: bodily privacy, spatial privacy, communicational privacy, proprietary privacy, intellectual privacy, decisional privacy, associational privacy, and behavioural privacy. Informational privacy is a key aspect of each of these eight facets and is also central to how privacy is understood today.

35 Roger Clarke, ‘What's Privacy?’, (Workshop at the Australian Law Reform Commission, July 2006) http://www.rogerclarke.com/DV/Privacy.html.
36 Roger Clarke, ‘A Framework for Analysing Technology’s Negative and Positive Impacts on Freedom and Privacy’ (2016) Datenschutz Datensich, pgs 79-83 https://link.springer.com/article/10.1007/s11623-016-0550-9.
37 Anita L Allen, Unpopular Privacy: What Must We Hide? (Oxford University Press 2011) pgs 6-11 and 25-26.
38 Koops, Newell, Timan, Škorvánek, Chokrevski, and Galič, ‘A Typology of Privacy’ (2017, University of Pennsylvania Journal of International Law, pg. 483) https://scholarship.law.upenn.edu/jil/vol38/iss2/4.

1.4 Evolution of data protection principles

Contemporary conceptions of the right to privacy have carved out informational privacy as a distinct category. This has been a direct response to rapid technological advancements and the associated need to secure the digital lives of citizens, including their personal information. As both private and state actors increasingly rely on the gathering and processing of data to ensure the delivery of products and services, enacting data protection laws has emerged as the foremost step in protecting the informational privacy of individuals. This section discusses the evolution of data protection principles as an important element of the right to privacy and evolving global commitments.

The definition of privacy as control over personal information influenced the development of the Fair Information Practice Principles (FIPPs) in the 1970s.39 These specialised principles and guidelines constitute the foundation from which modern data protection laws have evolved.

39 Austin, Lisa M., 'Re-reading Westin' (2019) 20 Theoretical Inquiries in Law 1, pgs. 53-81 https://din-online.info/pdf/th20-1-5.pdf

1.4.1 Origin of Fair Information Practice Principles (FIPPs)

The 1970s witnessed intense investigations and legislative deliberations about privacy and data protection across the globe. For instance, the US Congress passed the Privacy Act 1974 after vigorous deliberations in the wake of the Watergate scandal. The Act established the US Privacy Protection Study Commission to further evaluate, research and make recommendations to protect privacy.40 Similarly, European countries like Sweden, Germany and France also enacted privacy laws in the 1970s.41

The FIPPs, which first emerged in the US, are internationally recognised guidelines about the protection of individuals’ informational privacy. Most modern data protection laws and guidelines are based on them. They are often described as a minimum set of principles that an effective data protection law should incorporate.42 The FIPPs have been included in the data protection laws of over 100 countries43 and in international guidelines and frameworks, such as the UN Guidelines for the Regulation of Computerized Personal Data Files (1990), the EU Data Protection Directive (1995), and the APEC Privacy Framework of the Asia-Pacific Economic Cooperation (2015).

The FIPPs were first articulated in a report by the US Department of Health, Education and Welfare (HEW) Secretary's Advisory Committee on Automated Personal Data Systems titled Records, Computers and the Rights of Citizens in 1973.44 The report recommended the enactment of laws to enforce the Code of First Information Principles articulated in its report. Many of these recommendations were incorporated in the U.S. Privacy Act 1974, which established principles of fair information practices that govern the collection, maintenance, use, and dissemination of information about individuals by federal agencies, which include:

• Personal data record keeping systems should follow a “policy of openness” and should not be ‘secret’;
• Records should be accessible and rectifiable by an individual about whom the data is stored;
• The use of personal data should be limited by the purpose of its collection;
• The record-keeping organisation should ensure that “reasonable and proper information management policies” are followed, and information about an individual is necessary, lawful, accurate and current.

40 Office of Privacy and Civil Liberties, 'Overview of The Privacy Act of 1974' (United States Department of Justice, 2020) https://www.justice.gov/opcl/overview-privacy-act-1974-2020-edition.
41 Robert Gellman, 'Fair Information Practices: A Basic History' (Independent, 3 Sept 2021) https://bobgellman.com/rg-docs/rg-FIPShistory.pdf
42 Graham Greenleaf, 'Sheherezade and the 101 Data Privacy Laws: Origins, Significance And Global Trajectories' (2014) Journal of Law, Information and Science, http://www.austlii.edu.au/au/journals/JlLawInfoSci/2014/2.html
43 Robert Gellman, 'Fair Information Practices: A Basic History' (Independent, 3 September 2021) https://bobgellman.com/rg-docs/rg-FIPShistory.pdf.
44 Report of the Secretary’s Advisory Committee on Automated Personal Data Systems, ‘Records Computers and the Rights of Citizens’ (Library of Department of Justice, July 1973) https://www.justice.gov/opcl/docs/rec-com-rights.pdf.

1.5 Introduction to the Identified Regional Frameworks

The FIPPs also form the core of several important and leading regional data protection frameworks, discussed below. These frameworks reflect both the regional diversity in, and universality of, data protection efforts, with frameworks from the Americas, Africa, the Asia-Pacific region, the Caribbean, and Europe. Certain frameworks transcend specific regions and are the product of inter-governmental organisations with cross-cutting memberships from different regions, and include countries from both the Global South and the Global North.

The regional frameworks reflect each region or organisation’s consensus on the regulation of and best practices for data protection. A summary of these frameworks demonstrates that there are several common threads tying them together. For instance, they all espouse fundamental data protection principles such as notice and consent, transparency and accountability, security safeguards, purpose limitation, rights of data subjects, and a complaints mechanism. Nevertheless, there are crucial differences in how each framework approaches and applies these principles based on the regional diversity that the frameworks represent. Consequently, a study of the regional frameworks is necessary for a truly holistic understanding of data protection regimes around the world. The following paragraphs briefly outline the Identified Regional Frameworks that will be examined in this report.

1.5.1 OECD Guidelines

In the 1970s, several Member States of the Organisation for Economic Cooperation and Development (OECD) enacted data protection laws based on the FIPPs. To prevent disparities in national legislations that could hamper the free flow of personal data across frontiers and cause disruption to different economic sectors, the OECD developed guidelines to harmonise national data protection legislation, with the twin aims of upholding human rights and preventing disruptions in international data flows.

The Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (1980)45 are among the most widely accepted and influential operationalisations of the FIPPs. They are not legally binding and only provide recommendations for minimum data protection standards. When the Guidelines were adopted in 1980, only about one third of the Member States had adopted a data privacy law. By 2011, almost every OECD Member State had a data privacy law with the FIPPs at its core. The 1980 Guidelines were revised in 2013, but the essence of the principles was retained. The Guidelines were revised in tandem with the “changing technologies, markets and user behaviour, and the growing importance of digital identities.”46 Two main themes govern the updated Guidelines. First, a focus on the practical implementation of privacy protection through an approach grounded in risk management. Second, the need for greater efforts to address the global dimension of privacy through improved interoperability. The 2013 Guidelines have been published alongside the 1980 Guidelines and a supplementary report to form a comprehensive OECD Privacy Framework (OECD Guidelines).

Therefore, the OECD Guidelines continue to serve the twin goals of preserving privacy and ensuring the free flow of data, while staying relevant in the fast-evolving digital landscape. These Guidelines represent a consensus on the basic principles of data protection which have been built into several national legislative frameworks and are likely to be a guiding force for many other countries that are yet to adopt a data protection law. The OECD Guidelines are not directly binding on OECD members, which continue to enact national data protection statutes. But the Guidelines and associated commentary focus on the formulation of basic personal data protection principles which can be built into domestic data protection legislation. The OECD Guidelines consider the regulatory culture of the Member States and allow for context-specific adoption of the Guidelines in each state, which has ensured their continued and widespread relevance.

1.5.2 Convention 108 and 108+ (Council of Europe)

In 1981, the Council of Europe (CoE) adopted its first legally binding international instrument on data protection.47 The Convention on the Protection of Individuals with Regards to Automated Processing of Personal Data (Convention 108) is similar to the OECD Guidelines in its twin aims of safeguarding informational privacy and ensuring the trans-frontier flow of personal data. It has been ratified by all 46 Member States of the CoE and by nine non-CoE countries.48 Convention 108 embodies the FIPPs and addresses the quality of data, special categories of data, data security, and individual rights to access, correction, and erasure. Convention 108 consists of three key parts: (i) basic principles of data protection; (ii) rules on transborder data flows; and (iii) guarantees of cooperation and mutual assistance between Member States. It was also the first instrument to introduce the concept of adequacy for the exchange of data between two countries. In 2018, Convention 108 was modernised through an amending protocol to address the challenges of rapidly advancing technology and growing data processing volumes. The resulting instrument, described as Convention 108+, introduced the need for regulatory authorities, the principles of proportionality and data minimisation, and addressed issues of algorithmic decision making. Convention 108+ has been signed by 43 Member States.49 It was clarified that “the principles of transparency, proportionality, accountability, data minimisation, privacy by design, etc. are now acknowledged as key elements of the protection mechanism and have been integrated in the modernised instrument”.50 The instrument requires Member States to apply the principles set out in the convention to their domestic legislation.

1.5.3 Data Protection Directive, 1995 and GDPR (European Union)

One of the most important regional frameworks governing data protection is the EU’s General Data Protection Regulation (GDPR), which came into force in 2018, replacing the Data Protection Directive. The Data Protection Directive was one of the first regional instruments on data protection and “contained one of the world’s most stringent implementation of the FIPPs.”51 It laid down a framework for data protection for all EU Member States and required them to enact implementing national legislation. However, the Data Protection Directive failed to fully harmonise national data protection laws within the EU, and this resulted in enforcement problems. For example, the Data Protection Directive allowed EU Member States flexibility in setting fine amounts for violations of the Directive, and some EU Member States set their maximum fines under the Directive to very low amounts, which has made the sanction process, in the opinion of some commentators, ineffective.52

The GDPR was enacted to meet the EU’s need for a comprehensive approach to data protection. The GDPR imposes binding obligations, and is applicable not only to Member States, but also to organisations outside EU territory if they target or collect data related to data subjects in the EU. The extra-territorial application, and binding nature of the GDPR, are some of the most distinctive features of this instrument.

45 OECD, 'Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data' (Sept 1980), https://www.oecd.org/digital/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.
46 'The OECD Privacy Framework' (2013), www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.
47 Council of Europe, 'Convention for the Protection of Individuals with Regards to the Automatic Processing of Individual Data', (ETS 108, Jan 1981), https://www.refworld.org/docid/3dde1005a.html.
48 Council of Europe, ‘Chart of Signatures and Ratifications of Treaty 108’, https://www.coe.int/en/web/conventions/full-list.
49 Council of Europe, ‘Chart of Signatures and Ratifications of Treaty 223’, https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=223t.
50 Council of Europe, 'Modernisation of Convention 108' (2018), https://www.coe.int/en/web/data-protection/convention108/modernised.
51 Borgesius, Gray and Van Eechoud, ‘Open Data, Privacy, and Fair Information Principles: Towards A Balancing Framework’, (2015), Berkeley Technology Law Journal, https://lawcat.berkeley.edu/record/1127406.
52 Hoofnagle, van der Sloot and Borgesius, 'The European Union General Data Protection Regulation: What It Is And What It Means' [2019] Information and Communications Technology Law, https://www.tandfonline.com/doi/full/10.1080/13600834.2019.1573501.

1.5.4 Commonwealth Framework (Commonwealth of Nations)

There is no binding framework that is applicable to all Commonwealth countries. The Commonwealth
frameworks for data protection recognise diversity and seek to promote the ‘best fit’ instead of
best practice.53 In 2002, the Commonwealth Law Ministers released three inter-related model Bills
on privacy and freedom of information, namely the Freedom of Information Bill, the Privacy Bill,
and the Protection of Personal Information Bill. These model bills seek to assist Commonwealth
nations which are yet to enact laws regulating the access to, processing and protection of personal
information by providing them with a model framework to serve as a useful starting point for draft
legislation. The Privacy Bill and the Protection of Personal Information Bill deal with the
regulation of informational privacy.

The Protection of Personal Information Commonwealth (PPI Bill) focuses on the processing of
personal information by private organisations and acts as a model data protection bill for
countries seeking to enact such legislation. It does not apply to public authorities or to
information processed for personal or domestic, journalistic, artistic, or literary purposes. The
Commonwealth Privacy Bill was created to give effect to the OECD guidelines and regulates data
processing by public authorities.54

1.5.5 APEC Privacy Framework (Asia-Pacific Economic Cooperation)

The APEC Privacy Framework was published in 2004 and updated in 2015. It seeks to set a common
data privacy standard for the 21 APEC member economies in the Asia-Pacific region. The framework
aims to protect data privacy while facilitating the free flow of cross-border data in the APEC
region.55 The APEC’s principle-based framework seeks to move towards common standards resulting in
consistent – rather than identical – privacy protections in the region. The framework aims to
reconcile the need for consumer privacy with business and commercial interests, while recognising
the cultural and other diversities that exist within the member economies. The APEC Privacy
Framework does not impose binding obligations on member economies that undertake the commitments
on a voluntary basis.

In addition to the privacy frameworks, the region also has the APEC Cross-Border Privacy Rules
(CBPR System). The CBPR System is a government-backed data privacy certification that companies
can adopt to demonstrate compliance with internationally recognised data privacy protections. The
CBPR system is used to implement the principles recognised by the APEC Privacy Framework.56

1.5.6 HIPCAR - Harmonization of ICT Policies, Legislation and Regulatory Procedures in the
Caribbean Community (Caribbean Community57)

The HIPCAR project was launched by the International Telecommunications Union and the European
Union in Grenada in December 2008, in collaboration with the Caribbean Community Secretariat and
the Caribbean Telecommunications Union.58 Its objective was to harmonise ICT laws and policies in
the Caribbean region by working with Caribbean governments, regulators, service providers, and
civil society. The HIPCAR framework provides for six inter-related model frameworks on subjects
ranging from eCommerce, Interception of Communications and Cybersecurity. One of these frameworks,
the HIPCAR Model Policy Guidelines on Privacy and Data Protection, suggest that Member States adopt

53 'Data Protection in the Commonwealth - Key Instruments Current Practices' (The Commonwealth, 20 April 2016),
https://unctad.org/system/files/non-official-document/dtl_eweek2016_EBakibinga-Gaswaga_en.pdf.
54 The Commonwealth (Office of Civil and Criminal Justice Reform), Model Privacy Bill,
https://thecommonwealth.org/sites/default/files/key_reform_pdfs/P15370_9_ROL_Model_Privacy_Bill_0.pdf.
55 APEC Privacy Framework, part i, preamble.
56 APEC Secretariat, ‘What is the Cross-Border Privacy Rules System?’ (15 April 2019),
https://www.apec.org/about-us/about-apec/fact-sheets/what-is-the-cross-border-privacy-rules-system.
57 The Caribbean Community (CARICOM) is a group of twenty countries (twenty members and five associate members) including
Grenada, Barbados, Saint Lucia, Jamaica, and Montserrat. CARICOM countries are home to an estimated 16 million people. See
CARICOM, Who we are, https://caricom.org/our-community/who-we-are.
58 ‘Cybercrime/e-Crimes: Model Policy Guidelines & Legislative Texts’ (HIPCAR, 2012),
https://www.itu.int/en/ITU-D/Cybersecurity/Documents/HIPCAR%20Model%20Law%20Cybercrimes.pdf.

a clear legal and institutional framework ensuring the protection of personal information,
adherence to key data protection principles and appropriate governance structures. While the Model
Policy Guidelines are not legally binding on Member States, the framework constitutes a valuable
resource for national authorities seeking to develop domestic data protection legislation.

1.5.7 The African Union Convention (African Union)

The African Union Convention on Cyber-Security and Personal Data Protection (AU Convention) was
adopted by the AU in 2014. The AU Convention is different from other regional frameworks examined,
in that it aims to facilitate regional and national legal frameworks for cybersecurity, prevention
of cyber-crime and electronic transactions, in addition to personal data protection. The AU
Convention attempts to strengthen existing ICT legislation within the African Union59, making it a
valuable resource for countries seeking to develop domestic data protection legislation. It
highlights the necessity of adhering to national constitutions and regional and international human
rights law when creating and implementing data protection laws.60

1.5.8 Organization of American States Principles

The Organization of American States (OAS) released the Preliminary Principles and Recommendations
on Data Protection in 2011.61 The OAS’s Inter-American Juridical Committee released the OAS
Principles on Privacy and Data Protection in 2015.62 In November 2021, the General Body of the OAS
adopted the Updated Principles on Privacy and Personal Data OAS Principles,63 which serve as a
guide for national frameworks in the region. The OAS Principles are accompanied with annotations
by the Juridical Committee that provide valuable context and additional detail to each principle.

The OAS Principles contain 13 principles, which serve as a basis for data protection legislation.
The principles are not binding, but rather they generally focus on the goals to be achieved by
national legislation. The principles are meant to act as general guidelines which the Member States
may choose to follow when developing their domestic legislation.

1.5.9 ASEAN Frameworks (ASEAN region)

The Association of South-East Asian Nations (ASEAN) region has two main data protection frameworks,
namely the ASEAN Framework on Personal Data Protection, introduced in 2016,64 and the ASEAN
Framework on Digital Governance (ASEAN Digital Governance Framework), introduced in 2017.65 Both
instruments seek to foster regional integration and cooperation and promote the growth of trade and
flow of information within and among ASEAN Member States and boost their digital economies. The
framework’s provisions are not binding. Instead, they highlight the consensus amongst ASEAN members
on the importance of harmonised and robust national data protection laws and set out certain
principles that such laws should be guided by.

59 African Union Convention on Cyber Security and Personal Data Protection, Preamble, https://www.opennetafrica.org/?wpfb_dl=4.
60 NATO Cooperative Cyber Defence Centre of Excellence, ‘Mixed Feedback on the African Union Convention on Cyber Security and
Personal Data Protection’ (2015),
https://ccdcoe.org/incyder-articles/mixed-feedback-on-the-african-union-convention-on-cyber-security-and-personal-data-protection/.
61 Department of International Law, of the Secretariat for Legal Affairs, ‘Preliminary Principles and Recommendations on Data Protection’
(Committee on Juridical and Political Affairs-OAS, Oct 2011), http://www.oas.org/dil/CP-CAJP-2921-10_rev1_corr1_eng.pdf.
62 86th Regular Session, ‘Protection of personal data - Organization of American States’ (OAS, Mar 2015),
https://www.oas.org/en/sla/dil/docs/CJI-doc_474-15_rev2.pdf.
63 Inter-American Juridical Committee, Updated Principles of the Inter-American Juridical Committee on Privacy and Personal Data
Protection, with Annotations, http://www.oas.org/en/sla/iajc/docs/CJI-doc_638-21_EN.pdf.
64 ASEAN Telecommunications and Information Technology Ministers Meeting (TELMIN), Framework on Personal Data Protection,
Nov 2016, https://asean.org/wp-content/uploads/2012/05/6B-ASEAN-Framework-on-Digital-Data-Governance_Endorsedv1.pdf.
65 ASEAN Telecommunications and Information Technology Ministers Meeting (TELMIN), Framework on Digital Data Governance,
Dec 2018, https://asean.org/wp-content/uploads/2012/05/6B-ASEAN-Framework-on-Digital-Data-Governance_Endorsedv1.pdf.

1.6 Conclusion

Legal identity programmes have emerged as crucial
tools for: the securing of sustainable development
goals; the formulation, implementation, and
monitoring of public policy; and the eradication of
systemic discrimination. However, legal identity
programmes raise a corollary concern for the right
to privacy of the individuals whose data is being
collected and processed in the operationalisation of
these programmes. The adoption of the Identified
Regional Frameworks demonstrates a widespread
recognition of the need and desire to protect the
privacy of individuals as legal identity programmes
are implemented across the world. Data protection
has emerged as a key tool to guarantee the right to
privacy, autonomy, and dignity of the individual without
stymieing legal identity programmes or technological
innovation. The remaining chapters of this report
discuss the various elements of data protection
legislation based on a study of the Identified Regional
Frameworks.

CHAPTER 2

KEY DEFINITIONS

2.1 Introduction

This chapter highlights some frequently used terms in the data protection and privacy sphere
across the Identified Regional Frameworks, and discusses the challenges associated with each
term. In data protection law, a chapter on definitions is usually necessary and serves three
basic functions: (i) it permits conciseness by conveying key concepts in one or two words;
(ii) it helps reduce the risk of ambiguity in interpretation of these concepts; and (iii) it defines
the scope of applicability of the framework. All the Identified Regional Frameworks include
a set of definitions, except for ASEAN’s frameworks on Personal Data Protection and Digital
Governance.

2.2 Personal Data and Personal Information

The definition of personal data is a key determinant in deciding the scope of a data protection
framework. Upon defining personal data or information, the data or information covered by the
definition is regulated by the data protection framework. Any data or information not covered by
the definition falls outside the framework’s protections. All Identified Regional Frameworks that
have a definitions clause, provide a definition of either the term ‘personal data’ or ‘personal
information’. The concept of personal data is centred around the idea of the identifiability of an
individual. It is generally understood that ‘personal data’ is a broader term than ‘personal
information.’ This is because all the elements of personal information, or personally identifiable
information (PII), are subsumed within the concept of personal data.

The OAS Principles specifically highlight the difference between data and information. They note
that the term personal data is used intentionally because it provides the “broadest protection to
the rights of the individuals concerned without regard to the particular form in which the data is
collected, stored, retrieved, used or disseminated.”66 They clarify that the term ‘personal
information’ has been avoided as it could be construed literally and might not “include specific
data", such as factual items or electronically-stored "bits" or digital records”. Scholars have
also expressed preference for the term personal data and have argued that it allows for “the
inclusion of data used by future technologies and new methods of doing business.”67 In the case
when a framework defines personal data in a broad and open-ended manner, it allows the framework to
adapt to many contexts and to be interpreted widely by the courts and authorities.

The GDPR defines the term personal data to include information relating to an identified or
identifiable natural person.68 It further provides for the definition of an identifiable natural
person as one “who can be directly or indirectly identified” in reference to a list of identifiers
and a range of factors. A non-exhaustive list of identifiers is set out including name,
identification number, location data, and an online identifier. The range of factors include
physical, physiological, genetic, mental, economic, cultural or social identity of a natural
person. It provides that an individual can be identified directly or indirectly through one of the
identifiers, or a combination of identifiers and factors as specified above.
it could be construed literally and might not “include

66 OAS Principles with Annotations, Definitions, page 6 (definition of personal data).


67 Voss WG and Houser KA, ‘Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies’ (2019) 56 American
Business Law Journal 287.
68 GDPR, art 4(1).

The influence of the GDPR is widely acknowledged. Many countries have gravitated towards it when
framing their data protection frameworks. However, a study of the Identified Regional Frameworks
reveals that several regional frameworks have adopted a similar definition of personal data
irrespective of whether adopted before or after the GDPR and include the AU Convention, the
Convention 108+, the OAS Principles, the OECD Guidelines and the APEC Privacy Framework. For
example, the 2014 AU Convention also defines personal data as data that directly or indirectly
identifies an individual.69 The OAS Principles substitute the term identifiable individual with
information that “reasonably” identifies a specific individual directly or indirectly.70 Convention
108+ also introduces the element of reasonableness by stating that data does not identify an
individual if their identification requires “unreasonable time, effort or resources.”71

Several of the Identified Regional Frameworks provide an illustrative list of identifiers or
factors that would render an individual identifiable, and could consequently cause the data to be
treated as personal data.72 Other frameworks, however, do not provide a list of factors or
identifiers,73 relying instead on the concept of identifiability. For example, the Explanatory
Report to Convention 108+, when discussing the notion of an identifiable individual, refers to
aspects or traits that individualise or single out one person from others, which allows scope for
differential treatment.74 It does not refer to any specific aspect or traits.

“Personal data being a broad and open-ended term allows for it to be interpreted widely in favour
of data subjects and help secure their fundamental rights.”

69 Art 1 (definition of personal data).


70 OAS Principles with Annotations, Definitions, page 6 (definition of personal data).
71 Explanatory Report to Convention 108+, para 17 p. 17.
72 Commonwealth PPI Bill, S 4; Commonwealth Privacy Bill S 4; HIPCAR Model Legislative Text, S 3(1)(h). Identifiers and factors in the
HIPCAR Privacy Framework include nationality, address, age, marital status, racial or ethnic origins, education, and employment and
educational records. The Commonwealth PPI Bill and Privacy Bill use similar identifiers including identifying numbers and medical
and criminal records.
73 See Convention 108+; OECD Guidelines; APEC Privacy Framework.
74 Explanatory Report to Convention 108+, para 18 p.17.

A framework adopting a broad definition of personal data would result in more data being regulated
by the data protection framework. For some time now, researchers have been deliberating about the
scope of ‘personal data’, with some even expressing criticism that the expanding definition of
personal data has become too broad.75 Understandably, a wide definition of personal data would
provide the highest legal protection, but it may, in practice, be challenging to ensure compliance,
and may, as a consequence, be deemed unreasonable. For instance, the GDPR offers a broad definition
of the term personal data and focuses on whether the available data can identify a natural person
based on “an analysis of all means likely to be used and by reference to available data.”76 The
benefit of this broad definition is that almost nothing is outside the scope of EU privacy
regulation. The drawback is that information is treated as personal data, and uniformly high
compliance burdens are created, irrespective of whether the data refers to an identified
individual, or one who can be “indirectly identified” – i.e., someone who is “identifiable.” This
has prompted discussions on the need to create a definition of personal data based on the risk of
identification, whereby data protection is triggered by the probability that the data identifies an
individual.77 The concept is especially relevant when data may be anonymised or pseudonymised to
reduce the risk of identification.

However, a wide definition of personal data need not necessarily give rise to onerous compliance
burdens or implementation challenges if the provisions operationalising data protection principles
are applied strategically and are based on identifiability. The obligations related to notification
and consent, for example, may be exempted in situations where the data being processed does not
directly identify individuals. Such a targeted and nuanced approach helps preserve the benefit of
adopting a broad definition of personal data. Personal data being a broad and open-ended term
allows for it to be interpreted widely in favour of data subjects and help secure their fundamental
rights. For example, the ECJ interpreted the definition of personal data to include names and
addresses, names with a telephone number, dynamic IP address, biometric data, and individuals’
video images.78

75 Purtova N, ‘The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law’ (2018) 10 Law, Innovation
and Technology 40.
76 Schwartz PM and Solove DJ, ‘Reconciling Personal Information in the United States and European Union’ (2014) 102 California Law
Review 877, 887.
77 Purtova N, ‘The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law’ (2018) 10 Law, Innovation
and Technology 40; Schwartz PM and Solove DJ, ‘The PII Problem: Privacy and a New Concept of Personally Identifiable Information’
(2011) 86 New York University Law Review 1814.
78 Case C-582/14, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, 1–2 (Oct. 19, 2016),
http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0582&lang1=fr&type=TXT&ancre=.

2.3 De-identification Methods

Emerging scholarship about de-identification and personal data protection acknowledges that data
identifiability cannot be seen as binary, whereby personal data is covered under data protection
frameworks and anonymised data is not.79 Discussions have progressed from the dichotomy of whether
data is personally identifiable or not to a trichotomy, which comprises identified, identifiable
(possible risk of identification) and non-identifiable (remote risk of identification). This allows
for shades of de-identified data to be recognised within the category of personal information,
based on the probability or risk that such de-identified data may ultimately lead to individuals
being identified.

Data has multiple gradients of identifiability, and the process of de-identification helps remove
information that may identify individuals from existing personal data. Depending on the purpose of
processing, different types of de-identification methods may be used. De-identification has a wide
spectrum, whereby different levels of de-identification have different regulatory and policy
implications. For instance, anonymised data is generally kept outside the purview of data
protection frameworks, and softer and fewer obligations apply to pseudonymised data in comparison
to identifiable and identified data.

Although the need and value of de-identification tools is widely acknowledged and reflected in many
new and emerging frameworks, there exists a lack of uniformity in adopting standards of
de-identification and common terminology.80 Frameworks may not refer to de-identified data or
de-identification, and may instead use de-identification techniques, such as anonymisation and
pseudonymisation. Some recent data protection frameworks, such as the GDPR, recognise intermediate
de-identification tools by introducing the concept of pseudonymisation/pseudonymised data, and also
the highest form of de-identification, i.e., anonymised data, with the latter explicitly kept
outside the purview of the framework.81 However, legislation drafted post GDPR, such as India’s
Data Protection Bill and China’s Personal Information Protection Law, merely recognise anonymised
data.82

To steer clear of the definitional ambiguity, and to better understand the terminologies and
taxonomy of de-identified data, we discuss the three most widely used terminologies below, which
are anonymised data, pseudonymised data, and de-identified data.

2.3.1 Anonymised Data

The term “anonymisation” can be described as a process that breaks the identifiability link between
identifying data and an individual. Privacy laws across the globe indicate that ‘anonymised’ data
is not subject to principles of data protection since it does not contain any PII, eliminating any
attributes that will directly or indirectly identify the individual. For example, anonymised data
under the GDPR can be shared freely and does not come within the Regulation’s ambit.83

79 Mike Hintze, ‘Viewing the GDPR Through a De-Identification Lens: A Tool for Clarification and Compliance’ (Future of Privacy
Forum, 2016), https://fpf.org/wp-content/uploads/2016/11/M-Hintze-GDPR-Through-the-De-Identification-Lens-31-Oct-2016-002.pdf.
80 Polonetsky J, Tene O and Finch K, ‘Shades of Gray: Seeing the Full Spectrum of Practical Data De-Identification’ (2016) 56 Santa Clara
Law Review 593.
81 GDPR, recital 26.
82 Personal Information Protection Law, China 2020), 2. 73(4) (China)
http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml; Data Protection Bill (2021) S. 3(2) (India)
http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf.
India’s pending data protection legislation was first introduced into Parliament as the ‘Personal Data
Protection Bill, 2019’ and referred to a Joint Parliamentary Committee for additional scrutiny. The revised bill, as reported by the Joint
Parliamentary Committee, is titled the ‘Data Protection Bill, 2021’.
83 GDPR, recital 26.

The OAS Principles expressly define the term anonymization as “measures of any nature aimed at
preventing the identification or reidentification of natural persons without disproportionate
effort.”84 The term is discussed in recitals to the GDPR,85 while the Explanatory Report to
Convention 108+ notes that data is only to be considered anonymous if it is either impossible to
re-identify individuals, or such re-identification would require unreasonable effort or
resources.86

The following are the essential characteristics of anonymised data:

2.3.1.1 Not identifiable

The GDPR’s Recital 26 states that information that does not relate to an identified or identifiable
person is ‘anonymous information’. Both direct and indirect identifiers should be removed,
transformed, or distorted to an extent which guarantees that data cannot be linked to an
individual.

2.3.1.2 Avoids re-identification

As stated, PII must be “irreversibly” removed for data to be considered anonymous. However, it has
been suggested that since irreversible anonymisation is often not possible, it is best to assess
the degree of risk associated with re-identification.87 The GDPR considers data to be anonymous if
it is not “reasonably likely” to identify the concerned data subject,88 while Convention 108+ notes
that anonymous information must either be impossible to re-identify or require an “unreasonable
level of effort or resource” to re-identify.89

Some studies show that anonymised data can be re-identified,90 particularly as a result of
technical innovations. Re-identification is primarily carried out by linking large publicly
available datasets and other auxiliary data or metadata to the anonymised data. Therefore, when
assessing the risk of re-identification, factors such as the time and cost of potential
re-identification, and technological advancements, should be considered. Increasing the threshold
against re-identification ensures that potential personal data does not elude the intended scope of
data protection frameworks. Additionally, legislation can provide appropriate redress and
compensation to those harmed by wrongful re-identification.

2.3.1.3 Application of data protection principles

Generally, because anonymised data is not personal data, it does not come under the scope of
regulations governing data privacy.91 However, it has been argued that because there always exists
a risk of re-identification with anonymised data, certain standards of data protection principles
must continue to be applied to anonymised data as well.92 The French National Administrative Court
has noted, for example, that data can only be anonymous if any direct or indirect identification is
impossible.93 The ECJ has also ruled that data allowing indirect identification of individuals must
be considered personal data.94 This is because metadata consisting of time and place of
communication, combined with other data such as IP address, assists with re-identification.

84 OAS Principles with Annotations, Definitions, page 6.


85 GDPR, recital 26. “The principles of data protection should therefore not apply to anonymous information, namely information which
does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data
subject is not or no longer identifiable.”
86 Explanatory Report to Convention 108+, Paras 19 and 20 p. 17.
87 Alvaro Moreton, ‘The problem of complete, irreversible anonymisation’, (Comprise, 28 December 2020),
https://www.compriseh2020.eu/the-problem-of-complete-irreversible-anonymisation/.
88 GDPR, recital 26.
89 Explanatory Report to Convention 108+, paras 19 and 20.
90 Lubarsky B, ‘Re-Identification of “Anonymised Data’ (2017) 1 Georgetown Law Technology Review 202.
91 Ian Walden, ‘Anonymising Personal Data’ (2002)10 Int'l J.L. & Info. Tech., 224.
92 Michèle Finck, Frank Pallas, ‘They who must not be identified—distinguishing personal from non-personal data under the GDPR’
(2020) 10 1, International Data Privacy Law, 11-36.
93 Conseil d’État, 10ème – 9ème ch. réunies, décision du 8 février 2017, N° 393714 (citing art 2 of the Law of 6 January 1978); Michèle
Finck, Frank Pallas, ‘They who must not be identified—distinguishing personal from non-personal data under the GDPR’ (2020) 10 1,
International Data Privacy Law, 11-36.
94 Cases C-293/12 And C-594/12, [2014] Eu:C:2014:238; Michèle Finck, Frank Pallas, ‘They who must not be identified—distinguishing
personal from non-personal data under the GDPR’ (2020) 10 1, International Data Privacy Law, 11-36.

To mitigate the privacy risks, experts have suggested
that anonymised data should remain within the
definition of personal information, but only a selective
application of data protection principles be carried
out.95

2.3.2 Pseudonymised Data


Like anonymisation, pseudonymisation is also
a security measure adopted by data controllers
and supports the data minimisation principle.96
Pseudonymisation differs from anonymisation by
being a reversible process, whereby pseudonymised
data can be combined with additional information
to enable re-identification.97 In contrast, once data is
anonymised, re-identification should be impossible
or require unreasonable effort. Data controllers can
choose either anonymisation or pseudonymisation
based on the type of data that is being processed,
the purpose of data processing, and the risk of a data
breach.

The process of pseudonymisation “consists of
replacing one attribute (typically a unique attribute)
in a record by another” and is not a method of
anonymisation.98 By employing pseudonymisation,
the identity of the data subject is substituted with a
pseudonym, which does not disclose an individual’s
personal information. The pseudonym is an
additional piece of information accessible only by the
pseudonymising entity. It is merely a substitute and
can be reversed. The re-identification would depend
on additional information, such as a reference
number. For example, the Internet company AOL
released pseudonymised search data of its users in
2006, replacing users’ names with numbers; but a
simple investigation of users’ search results led to the
re-identification of several users, including their real
names and locations.99
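
The distinction drawn above between reversible pseudonymisation and the residual risk of singling out, as an added example that is not part of the UNDP guide: a controller-side check that replaces the direct identifier with a keyed pseudonym, reverses it only with the separately held lookup table, and then measures how many records remain unique on their indirect identifiers. The records, key and field names are constructed, and the use of HMAC-SHA256 and of k-anonymity as the risk measure are assumptions, not methods prescribed by the guide.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people); "name" is the direct identifier.
RECORDS = [
    {"name": "A. Moyo", "postcode": "10115", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"name": "B. Silva", "postcode": "10115", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"name": "C. Tanaka", "postcode": "10117", "birth_year": 1959, "sex": "M", "diagnosis": "hypertension"},
    {"name": "D. Okafor", "postcode": "10119", "birth_year": 1991, "sex": "M", "diagnosis": "asthma"},
    {"name": "E. Novak", "postcode": "10119", "birth_year": 1996, "sex": "M", "diagnosis": "migraine"},
]
# Indirect identifiers: harmless alone, identifying in combination.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")
# Constructed key; assumption: in practice it is stored apart from the data.
DEMO_KEY = b"constructed-demo-key"


def pseudonym(value, key):
    """Keyed pseudonym: HMAC-SHA256 of the identifier, truncated for readability."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key, direct_identifier="name"):
    """Replace the direct identifier with a pseudonym.

    Returns the pseudonymised records and the lookup table, i.e. the
    "additional information" the pseudonymising entity keeps to itself.
    """
    out, lookup = [], {}
    for rec in records:
        p = pseudonym(rec[direct_identifier], key)
        lookup[p] = rec[direct_identifier]
        new = {k: v for k, v in rec.items() if k != direct_identifier}
        new["pseudonym"] = p
        out.append(new)
    return out, lookup


def reidentify(record, lookup):
    """Reversal by whoever holds the lookup table; None without it."""
    return lookup.get(record["pseudonym"])


def _qi(record, quasi_identifiers):
    return tuple(record[q] for q in quasi_identifiers)


def group_sizes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """How many records share each combination of indirect identifiers."""
    return Counter(_qi(r, quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Smallest group size; k == 1 means at least one record is singled out."""
    return min(group_sizes(records, quasi_identifiers).values(), default=0)


def singled_out(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Records that are unique on their indirect identifiers."""
    sizes = group_sizes(records, quasi_identifiers)
    return [r for r in records if sizes[_qi(r, quasi_identifiers)] == 1]


def generalise(records):
    """Coarsen indirect identifiers: 3-digit postcode prefix, birth decade."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:3] + "**"
        g["birth_year"] = f"{r['birth_year'] // 10 * 10}s"
        out.append(g)
    return out


def suppress(records, k, quasi_identifiers=QUASI_IDENTIFIERS):
    """Drop records whose group is still smaller than k after generalisation."""
    sizes = group_sizes(records, quasi_identifiers)
    return [r for r in records if sizes[_qi(r, quasi_identifiers)] >= k]


if __name__ == "__main__":
    pseudonymised, lookup = pseudonymise(RECORDS, DEMO_KEY)
    print("reversal with lookup table:", reidentify(pseudonymised[0], lookup))
    print("k after pseudonymisation only:", k_anonymity(pseudonymised))
    generalised = generalise(pseudonymised)
    print("still singled out after generalisation:", len(singled_out(generalised)))
    print("k after suppression:", k_anonymity(suppress(generalised, 2)))
```

Removing the name leaves three of the five constructed records unique on postcode, birth year and sex, which is why the frameworks discussed here continue to treat pseudonymised data as personal data.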

Pseudonymisation is considered a useful security

95 Smitha Krishna Prasad, Yesha Paul and Aditya Singh Chawla, ‘Comments on the Draft Personal Data Protection Bill, 2018’ (2018)
Centre for Communication Governance at NLU Delhi, p. 29,
https://www.medianama.com/wp-content/uploads/CCG-NLU-Submission-India-Draft-Data-Protection-Bill-Privacy-2018-and-Srikrishna-Committee.pdf.
96 Gerald Spindler, Philipp Schmechel, ‘Personal Data and Encryption in the European General Data Protection Regulation’ (2016) 7,
JIPITEC 163.
97 Information Commissioner’s Office, Introduction to Anonymisation, (Draft Anonymisation, Pseudonymisation, And Privacy Enhancing
Technologies Guidelines, May 2021), p 4,
https://ico.org.uk/media/about-the-ico/consultations/2619862/anonymisation-intro-and-first-chapter.pdf.
98 European Commission, EUROPA, Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymization Techniques, (10
April 2014) 3, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.
99 Michael Barbaro and Tom Zeller Jr., ‘A Face Is Exposed for AOL Searcher No. 4417749’ (New York Times, 09 August 2006),
https://www.nytimes.com/2006/08/09/technology/09aol.html.

measure since it reduces the risk of link-ability of a dataset with the identity of the data
subject.100 Companies can use it to enable secondary use of data, such as service evaluation or
research. In addition, whether data is pseudonymised may be one of the factors to assess in
determining whether additional processing of data beyond the original purpose should be permitted;
for example, for scientific, historical or statistical purposes.101

Of the Identified Regional Frameworks, only the GDPR and the Convention 108+ regulate the use of
pseudonymised information. Both these frameworks consider pseudonymised data as personal data, and
subject it to the principles of data protection.102 As per Convention 108+, the quality of the
pseudonymisation technique must be assessed on the basis of privacy safeguards incorporated in the
technique.103

2.3.3 De-identified Data

De-identified data prevents re-identification by removing or manipulating both direct and known
indirect personal identifiers. Like anonymisation and pseudonymisation, it is also a useful data
minimisation technique executed by data controllers to protect the privacy rights of individuals
and re-use data or share it with third parties.104 De-identified data is often used for medical and
pharma-related research. For instance, sensitive health data can be de-identified by removing
identifiers that would allow individual patients to be discerned and used to analyse market trends
and efficacy of a drug.

Of the frameworks studied, only the Commonwealth PPI Bill specifically provides for the definition
of ‘de-identify.’105 Section 4 of the Bill defines de-identification as the removal of information
which: (i) identifies the individual; (ii) can be manipulated by a foreseeable method to identify
the individual; and (iii) can be linked by a foreseeable method to other information which
identifies the individual or can be foreseeably manipulated to identify an individual.

“Data has multiple gradients of identifiability, and the process of de-identification helps remove
information that may identify individuals from existing personal data. Depending on the purpose of
processing, different types of de-identification methods may
be used.”
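The difference between pseudonymised and de-identified data described above can be made concrete with a short illustration. The following is an added example, not part of the UNDP guide: the records are constructed, the field names, the HMAC-based token and the group-size threshold `k` are assumptions, and the smallest-group measure used here (k-anonymity) is not named in the guide itself.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real data); field names are assumptions.
RECORDS = [
    {"name": "Asha Rao", "national_id": "ID-1001", "dob": "1984-03-12",
     "postcode": "560034", "sex": "F", "drug_response": "good"},
    {"name": "Meera Iyer", "national_id": "ID-1002", "dob": "1986-11-02",
     "postcode": "560071", "sex": "F", "drug_response": "partial"},
    {"name": "Tom Okafor", "national_id": "ID-1003", "dob": "1979-07-30",
     "postcode": "110019", "sex": "M", "drug_response": "none"},
    {"name": "Luis Prado", "national_id": "ID-1004", "dob": "1971-01-15",
     "postcode": "110042", "sex": "M", "drug_response": "good"},
    {"name": "Chen Wei", "national_id": "ID-1005", "dob": "1952-05-09",
     "postcode": "744101", "sex": "M", "drug_response": "good"},
]
DIRECT = ("name", "national_id")       # identify the individual on their own
INDIRECT = ("dob", "postcode", "sex")  # identify when combined or linked


def token_for(national_id, key):
    """Keyed substitute for a direct identifier (one possible technique)."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Swap direct identifiers for a token; indirect identifiers are untouched.

    The lookup table is the 'additional information' held by the
    pseudonymising entity: whoever holds it can reverse the substitution.
    """
    released, lookup = [], {}
    for r in records:
        token = token_for(r["national_id"], key)
        lookup[token] = {f: r[f] for f in DIRECT}
        row = {f: v for f, v in r.items() if f not in DIRECT}
        row["pseudonym"] = token
        released.append(row)
    return released, lookup


def raw_quasi(row):
    return tuple(row[f] for f in INDIRECT)


def coarse_quasi(row):
    return (row["birth_decade"], row["postcode_prefix"], row["sex"])


def smallest_group(rows, quasi):
    """Size of the smallest set of rows sharing the same indirect identifiers.

    A result of 1 means at least one row is unique and could be linked to
    other information by matching those fields.
    """
    if not rows:
        return 0
    return min(Counter(quasi(r) for r in rows).values())


def deidentify(records, k=2):
    """Drop direct identifiers, coarsen indirect ones, suppress unique rows."""
    coarse = [
        {"birth_decade": r["dob"][:3] + "0s",      # 1984-03-12 -> 1980s
         "postcode_prefix": r["postcode"][:3],     # 560034 -> 560
         "sex": r["sex"],
         "drug_response": r["drug_response"]}
        for r in records
    ]
    sizes = Counter(coarse_quasi(c) for c in coarse)
    released = [c for c in coarse if sizes[coarse_quasi(c)] >= k]
    return released, len(coarse) - len(released)


if __name__ == "__main__":
    pseudo, lookup = pseudonymise(RECORDS, b"constructed-key")
    print("pseudonymised, smallest group:", smallest_group(pseudo, raw_quasi))
    released, suppressed = deidentify(RECORDS, k=2)
    print("de-identified, smallest group:", smallest_group(released, coarse_quasi))
    print("rows suppressed as still unique:", suppressed)
```

The pseudonymised release still has a smallest group of one on date of birth, postcode and sex, which is why both the GDPR and Convention 108+ continue to treat it as personal data.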

100 Waltraut Kotschy, Ludwig Boltzmann, ‘The new General Data Protection Regulation - Is there sufficient pay-off for taking the trouble to anonymize or pseudonymize data?’ Institute for Human Rights, Vienna https://fpf.org/wp-content/uploads/2016/11/Kotschy-paper-on-pseudonymisation.pdf.
101 Information Commissioner’s Office, Introduction to Anonymisation, (Draft Anonymisation, Pseudonymisation, And Privacy Enhancing Technologies Guidelines, May 2021), p 4 https://Ico.Org.Uk/Media/About-The-Ico/Consultations/2619862/Anonymisation-Intro-And-First-Chapter.Pdf.
102 GDPR, recital 26; Convention 108+, Explanatory Report, para 18.
103 Convention 108+, Explanatory Report, para 18-20.
104 Khaled El Emam, Guide to De-Identification of Personal Health Information (CRC Press 2013) 135.
105 Commonwealth PPI Bill, s 4 (definition of “de-identify”).

2.4 Data subject

The definition of data subject is considered “the most important definition” of a data protection framework. Similar to the definition of personal data, it decides the scope of the framework’s application. The term generally refers to a natural person whose personal data undergoes processing, whereby the term ‘processing’ is broadly interpreted to include instances of collection, processing, storage, use, encryption, dissemination, disclosure, and deletion.106 Any individual whose data is subject to these processes would therefore be a data subject. Data subjects are the primary beneficiaries of data protection frameworks.

A majority of the Identified Regional Frameworks expressly define the term data subjects either in relation to data processing (individuals whose data is being processed),107 or as individuals identified or identifiable through their personal data (the individual whom the personal data identifies).108 Some frameworks do not use the term data subject. For example, the Commonwealth PPI Bill and ASEAN DP Framework refer to the beneficiaries whose data is being protected simply as an individual.109

Most scholars agree that the idea of a data subject relates to a natural living person, and does not include deceased persons.110 However, concerns have been raised with respect to the processing of deceased persons’ data, with certain scholars arguing that the right to privacy could apply to a deceased person as the personality right of the deceased continues to exist.111 The Commonwealth PPI Bill extends the scope of its beneficiaries to both living and deceased individuals.112 Although the Explanatory Report to Convention 108+113 observes that the framework is not intended to cover deceased data subjects, it also provides that individual parties to the Convention may extend protection to deceased persons within their domestic jurisdictions. The HIPCAR Privacy Framework allows for the delegation of a data subject’s rights to the ‘personal representative’ of the deceased data subject.114

106 OAS Principles with Annotations, Definitions, page 6 (Definition of data processor); AU Convention, Article 1 (definition of Processing of Personal Data); Convention 108+, Article 2(b) (definition of data processing); HIPCAR Model Legislative Text, s 3(1)(j) (definition of processing); Commonwealth Model Bill on Personal Information, Section 4 (Definition of “process”).
107 AU Convention, art 1 (Definition of data subject); HIPCAR Model Legislative Text, Section 3(1)(d); OAS Principles with Annotations, Definitions Page 6 (Definition of data subject).
108 GDPR, art 4(1); Convention 108+, art 2(a); OECD Guidelines, Chapter 1, Part 1, para 1(b).
109 Commonwealth PPI Bill, s 4 (definition of individual); ASEAN DP Framework, para 6(a).
110 Edina Harbinja, ‘Does the EU Data Protection Regime Protect Post-Mortem Privacy and What Could Be The Potential Alternatives?’ (2013) 10(1) SCRIPTed https://script-ed.org/article/eu-data-protection-regime-protect-post-mortem-privacy-potential-alternatives/; GDPR, recital 27 states that the GDPR does not apply to the personal data of deceased persons.
111 Buitelaar JC, ‘Post-Mortem Privacy and Informational Self-Determination’ (2017) 19 Ethics and Information Technology 129.
112 Commonwealth PPI Bill, s 4 (definition of individual).
113 Convention 108+, Explanatory Report, para 30. See also GDPR, recital 27 adopting a similar approach of discretion.
114 HIPCAR Model Legislative Text, s 25.

Data protection frameworks typically protect the personal data of natural persons. The APEC Privacy Framework categorically mentions that the framework is “intended to apply to information about natural persons, not legal persons,” and that personal information relates to information about an identified or identifiable individual.115 However, Convention 108+ allows extending the protection to legal persons to protect their legitimate interests.116

The concepts of personal data and data subject are closely linked. For example, the GDPR defines “data subject” with reference to the definition of “personal data.”117 Article 4(1) GDPR states, “personal data means any information relating to an identified or identifiable natural person (data subject)”. A person becomes a data subject if they “can be identified, directly or indirectly.”118 As with the GDPR, Convention 108+ and the OECD Framework also include a data subject within the definition of personal data.119

115 APEC Privacy Framework, part ii, commentary to para 9.
116 Convention 108+, Explanatory Report, para 30.
117 GDPR, art 4(1).
118 GDPR, art 4(1).
119 Convention 108+, art 2(a); OECD Guidelines, Chapter 1, Part 1, para 1(e).

2.5 Specific categories of data

2.5.1 Health data

Healthcare data is increasingly being digitised to generate new scientific insights. The importance of healthcare data has increased exponentially during the COVID-19 pandemic. Data analytics can even help policymakers make more informed healthcare decisions contributing to better public health. There are several examples worldwide where technology platforms are delivering public health services, often in partnership with governments, to help fight COVID-19.120 However, these instances also raise privacy concerns. A recent consumer survey indicated that only 11 percent of people in America were willing to provide technology companies with their health data, as opposed to those willing to provide their health data to pharmaceutical companies (20 percent) or even the government (12 percent).121

Health data is not limited to data relating to ill health, but also relates to data collected through health and wellness apps.122 The WHO acknowledges that health data is a broad umbrella term encompassing eHealth and other emerging sectors, such as the use of advanced computing sciences in big data, artificial intelligence and genomics.123 Against this backdrop, scholars have opined that current regulatory frameworks may be inadequate to regulate current data processing developments in the health sector.124 For instance, the principles of data retention, transparency and consent become difficult to impose and enforce due to the deployment of machine learning techniques, which use large amounts of data that cannot be specifically identified and articulated. Technological developments are therefore expanding the scope of health data that may need to be protected by legal frameworks.

Among the Identified Regional Frameworks, only the AU Convention and the GDPR expressly provide for a definition of the term ‘health data’.125 The HIPCAR Privacy Framework, Commonwealth PPI and Privacy Bills cover health-related information within the ambit of their definition of personal information.126 Convention 108+ does not expressly define the term but identifies personal data relating to “health or sexual life” as a special category of data requiring additional protection.127 Several other frameworks, such as the HIPCAR Privacy Framework and the OAS Principles, also mark health data as a sensitive or special category of data.128

Health data generally relates to the past, present, and future mental or physical state, health, or condition of a data subject.129 Health data may include data relating to a sick or healthy person, genetic data, or data related to the provision of health care services.130

120 Sara Nyman, ‘COVID-19, tech firms, and the case for data sharing’ (World Bank Blogs, 14 July 2020) https://blogs.worldbank.org/psd/covid-19-tech-firms-and-case-data-sharing.
121 Christina Farr, ‘Tech companies see health data as a huge opportunity, but people don’t trust them’ (CNBC, 13 February 2019) https://www.cnbc.com/2019/02/13/consumers-dont-trust-tech-companies-with-health-data-rock-health.html.
122 Article 29 Working Party, ANNEX - health data in apps and devices, 2015; https://ec.europa.eu/justice/article-29/documentation/other-document/files/2015/20150205_letter_art29wp_ec_health_data_after_plenary_annex_en.pdf
123 Executive Board, mHealth: use of appropriate digital technologies for public health: report by the Director-General, 142. (2017) World Health Organization. https://apps.who.int/iris/handle/10665/274134
124 Marelli L, Lievevrouw E and Van Hoyweghen I, ‘Fit for Purpose? The GDPR and the Governance of European Digital Health’ (2020) 41 Policy Studies 447.
125 GDPR, art 4(15); AU Convention, art 1 (definition of health data).
126 HIPCAR Model Legislative Text, s 3(1)(h)(v); Commonwealth PPI Bill, s 4; Commonwealth Privacy Bill, s 4.
127 Explanatory Report to Convention 108+, para 60 p. 22
128 HIPCAR Model Legislative Text, s 3(2)(a)(iv); OAS Principles with Annotations, Definitions, Page 7 (definition of sensitive personal data).
129 AU Convention, art 1; GDPR, art 4(15), recital 35; HIPCAR Model Legislative Text, s 3(1)(h), s 3(1)(h)(v); Explanatory Report to Convention 108+, para 60 p. 22.
130 AU Convention, art 1; GDPR, art 4(15), recital 35; Convention 108+, Explanatory Report, para 60 p. 22.

Health data is information that relates to the physical or mental health of an individual. It includes all types of data related to health status and services, treatment choices, plans and reports, health security or policy numbers, as well as socio-economic parameters regarding health and well-being. Data gathered as a result of managing a healthcare system, providing healthcare services, or conducting health research is considered as health data.131 Clearly, all personal data having clear and close links to information relating to an individual’s health status is also covered under the concept of health data.132 It would include medical or clinical data, administrative data and financial data related to health, and personal health policy information within the health sector.133 For instance, when the purpose of the application is to monitor the health or well-being of the individual, it does not matter whether it is in a medical context or otherwise.

The GDPR, Convention 108+, AU Convention and the HIPCAR Privacy Framework cover both physical and mental health-related data.134 In addition, the GDPR and Convention 108+ also clarify that such information may relate to the individual’s health status at different points of time in the past, present, and future.135 The GDPR also covers information collected for the purpose of providing health care services that reveals an individual’s health status.136 It considers personal data concerning health to include: (i) information that uniquely identifies the concerned person for health purposes; (ii) information derived from biological testing/samples such as genetic data; (iii) information related to any disease and associated risks, disability, and medical history; and (iv) clinical treatment or the physiological or biomedical state of an individual. It also clarifies that such information may be derived “independent of its source,” such as from “physicians or other professionals, hospitals, medical devices or in vitro diagnostic tests.”137

Although the GDPR and the HIPCAR Privacy Framework consider health data as sensitive data, they allow its processing in certain situations. The GDPR permits processing of health data under necessary circumstances, such as for preventive or occupational medicine, assessment of an employee’s working capacity, medical diagnosis, and for the public interest of the healthcare sector.138 The HIPCAR Privacy Framework makes exemptions for national security and health management purposes.139 It allows ‘health care professionals’ and ‘health care institutions’ to process health information without the requirement of consent.140 The HIPCAR Privacy Framework defines the terms “health care professional” and “health care institution” and emphasises the need to appropriately define these terms “as they form a recurrent basis for non‐applicability of the law” with respect to the data subject’s consent for the purpose of collection, processing and disclosure of personal information.141 It explains that the basis of providing the exemption is to ensure “that the data protection framework does not hamper the natural operation of such services”.142

131 ‘What is Health Data’ (IGI Global) https://www.igi-global.com/dictionary/health-data/42215.
132 European Data Protection Supervisor, ‘EDPS opinion on patients' rights: specific data protection dimension of cross-border healthcare needs to be addressed in more concrete terms’ (Brussels, 3 December 2008) https://edps.europa.eu/sites/default/files/edpsweb_press_releases/edps-2008-12_patients_rights_en.pdf.
133 European Data Protection Supervisor, ‘Prior-checking Opinion regarding the processing of health data at the European Insurance and Occupational Pension Authority (EIOPA) (EDPS case 2017-0284)’ https://edps.europa.eu/sites/default/files/publication/18-05-23-opinion-eiopa-case-2017-0284_en.pdf.
134 GDPR, art 4(15); AU Convention, art 1; HIPCAR Model Legislative Text, s 3(1)(h)(v); Explanatory Report to Convention 108+, para 60 p. 22.
135 GDPR, art 4(15); Explanatory Report to Convention 108+, para 60 p. 22.
136 GDPR, art 4(15).
137 GDPR, recital 35.
138 GDPR, art 9.
139 HIPCAR Model Legislative Text, s 15(3)(b), (e).
140 HIPCAR Model Legislative Text, s 15(3)(b).
141 HIPCAR Model Legislative Text, Section III, para 11.
142 HIPCAR Model Legislative Text, Section III, para 11.

2.5.2 Biometric Data

Biometric data is understood to be distinctive, measurable human characteristics that identify a person uniquely. They generally include fingerprints, face or iris scans, voice, DNA, and hand or body geometry.143

Biometrics are increasingly being used for authorisation and security purposes including access control, monitoring, identification, and authentication by both public and private actors across sectors, such as banking and finance, healthcare, travel, social services, education, intelligence and crime detection. Emerging technological systems use human characteristics (such as gait, voice pattern and emotions); physiological traits (such as face, iris and fingerprints), and biological markers (such as DNA and blood) to assign unique identification and authentication methods.144

While biometric systems may enhance user comfort, support development and humanitarian initiatives, and improve the efficiency of government intelligence operations and security, they also raise data protection challenges due to the sensitive nature of the information being collected and processed.145 Many national and regional data protection frameworks distinctly regulate biometric data to protect data subject rights. Of the Identified Regional Frameworks, the GDPR and the Convention 108+ define the term “biometric data”.146

The GDPR and the Convention 108+ differ subtly when it comes to biometric data. While both include personal data relating to physical or physiological characteristics of a natural person, the GDPR also makes use of behavioural characteristics, which include analysis of unique patterns such as handwritten signature, gait, and gaze.147 On the other hand, Convention 108+ refers to biological characteristics,148 which are based on genetic and molecular markers.

Both the GDPR and Convention 108+ mark biometric data that uniquely identifies an individual as a special category of data/sensitive data.149 The Explanatory Report to Convention 108+ notes that biometrics touch upon the “most intimate sphere” of a data subject’s life and could affect crucial outcomes concerning the subject, such as their physical safety, dignity, and guilt or innocence in criminal proceedings.150

The GDPR and Convention 108+ both limit the scope of biometric data to personal data resulting from specific technical processing that uniquely identifies and authenticates an individual.151 The definition excludes raw biometric data,152 such as facial images, video footage, voice recordings or fingerprints stored or retained in databases that have not undergone “processing using specific technical means.” Therefore, raw biometric data does not come within the ambit of sensitive or special data despite being biometric data from a strictly technical standpoint. Nevertheless, such data constitutes personal data. However, if the processing of images reveals racial, ethnic or health related data, it will be considered as sensitive data.153 For instance, processing images that have visible health characteristics (use of a wheelchair, broken leg, glasses) will be considered as processing sensitive data if it is based on health information extracted from the images.154

143 Article 29 Data Protection Working Party, Opinion 3/2012 on developments in biometric technologies dated 27 April 2012 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp193_en.pdf.
144 Fenu G and Marras M, ‘Leveraging Continuous Multi-Modal Authentication for Access Control in Mobile Cloud Environments’ in Sebastiano Battiato and others (eds), New Trends in Image Analysis and Processing – ICIAP 2017 (Springer International Publishing 2017).
145 Alan Gelb and Julia Clark, Identification for Development: The Biometrics Revolution, Working Paper 315 Centre for Global Development https://www.cgdev.org/sites/default/files/1426862_file_Biometric_ID_for_Development.pdf.
146 GDPR, art 4(14); Convention 108+, Explanatory Report, para 58.
147 GDPR, art 4(14).
148 Explanatory Report to Convention 108+, para 58 p. 22.
149 GDPR, art 9(1); Convention 108+, art 6(1).
150 Explanatory Report to Convention 108+, para 55 p. 21.
151 GDPR, art 4(14); Explanatory Report to Convention 108+, para 58 p. 22.
152 Data that is biometric by nature but is not considered as biometric data from a legal standpoint as it has not undergone processing using specific technical means to uniquely identify a natural person.
153 GDPR, art 9, Explanatory Report to Convention 108+, para 59 p 22.
154 Explanatory Report to Convention 108+, para 60 p. 22.

The HIPCAR Privacy Framework subsumes biometric data within the definition of personal information.155 Similarly, the Commonwealth PPI and Privacy Bills also refer to certain physiological and biological traits like fingerprints and blood type when defining personal information.156 The AU Convention, while not defining biometric data, only allows processing of biometric data after obtaining permission from the national data protection authority.157

2.5.3 Genetic Data

Genetic data is considered to be among the most sensitive forms of personal data. It relates to inherited or acquired genetic characteristics of an individual, acquired through DNA or RNA analysis.158 It contains both health and non-health-related information about the individuals and their family members.159 It can reveal information about disorders, diseases, susceptibility to specific illnesses, as well as help track a person's ethnic origins and identify genetic relationships between individuals. Hence, genetic data also provides personal information related to family members and relatives.

Of the Identified Regional Frameworks, only the GDPR and Convention 108+ expressly define the term genetic data.160 The AU Convention refers to genetic data while defining health data and allows processing of “data involving genetic information and health research only after seeking permission from the national protection authority.”161

Both the GDPR and Convention 108+ treat genetic data as a special category of sensitive data.162 They define genetic data as personal data relating to the inherited or acquired genetic characteristics of a natural person, which result from an analysis of an individual’s biological sample.163 Both frameworks consider analysis from other molecular or biological sources, such as chromosomal, DNA or RNA analysis, as well as analysis arising from any other element that would produce equivalent information, as genetic data.164 Neither framework clarifies whether genealogical information gathered through questionnaires would be considered as information derived from an “analysis of any other element” providing equivalent information as the analysis from a biological sample.165

The peculiar characteristics of genomic information can enable scientific advances and create insights about an individual’s health or predisposition to disease. However, processing genetic data for these purposes also creates tensions with the principles of data minimisation, anonymisation, and deletion.166 Nevertheless, the current definition of genetic data provides a good starting point with scope for improvement to adapt to present and future developments.

155 HIPCAR Model Legislative Text, s 3(1)(h)(vi).
156 Commonwealth PPI Bill, s 3(1)(h); Commonwealth Privacy Bill, s 4.
157 AU Convention, art 10(4)(d).
158 Convention 108+, Explanatory Report para 57.
159 Shabani M and Borry P, ‘Rules for Processing Genetic Data for Research Purposes in View of the New EU General Data Protection Regulation’ (2018) 26 European journal of human genetics: EJHG 149.
160 GDPR, art 4(13); Convention 108+, art 6 Explanatory Report para 57.
161 AU Convention, arts 1, 10(4)(a).
162 GDPR, art 9; Convention 108+, art 6.
163 GDPR, art 4(13); Convention 108+, Explanatory Report para 57.
164 GDPR, art 4(13) read with recital 34; Convention 108+, Explanatory Report para 57.
165 Chassang G, ‘The Impact of the EU General Data Protection Regulation on Scientific Research’ (2017) 11 ecancermedicalscience 709.
166 Colin Mitchell, Johan Ordish, Emma Johnson, Tanya Brigden and Alison Hall, ‘The GDPR and genomic data: The impact of the GDPR and DPA 2018 on genomic healthcare and research’ (PHG Foundation, May 2020) 58 https://www.phgfoundation.org/media/123/download/gdpr-and-genomic-data-report.pdf?v=1.

2.6 Controller and Processor

Controllers and processors play a crucial role in the operationalisation of data protection law. Both engage in processing the personal data of data subjects. Hence, it is important to clearly delineate their responsibilities, obligations, and liabilities within the data protection framework. The framework must make it incumbent on the controller and processor to implement data protection principles, such as accountability and transparency, confidentiality, and integrity to protect and secure the personal data and rights of the data subjects. The definition of a controller or processor determines which entities are bound by the obligations set out by the data protection framework.

Under the Identified Regional Frameworks, typically, a controller is either: a natural or legal person, a private organisation, association, entity, or body, or a public authority or body.167 The inclusion of public agencies or authorities as controllers ensures that data protection principles apply to the processing of data by the state and its various bodies. Some frameworks do not use the term controller and simply place obligations on organisations that carry out data processing.168 The controller is responsible for processing personal data and holds decision-making powers with regards to processing of the personal data. It determines the purpose and manner of personal data processing, either alone or jointly,169 and is also responsible for compliance with organisational, technical and security measures along with the data protection principles.170 Similarly, a processor is either: a natural or legal person, a private organisation, association, entity, or body, or a public authority or body.171 Crucially, the processor undertakes processing of personal data on behalf of the controller.172 The processor is under an obligation to comply with the scope of processing and assist and facilitate the controller’s organisational, technical and security measures,173 and must inform the controller in case of a breach.174 A processor is usually an entity or third party outside the controller’s organisation.175 An employee of the controller cannot be considered as a processor.176

2.6.1 Controllers

Of the Identified Regional Frameworks, the APEC Privacy Framework, the AU Convention, the GDPR, the HIPCAR Privacy Framework, the OAS Principles, and Convention 108+ provide an explicit definition of the term controller.177 Others, such as the ASEAN DP Framework, Commonwealth PPI and Privacy Bills do not define the term, but refer to entities or persons processing personal data.178 The AU Convention, GDPR, OAS Principles, Convention 108+, and the Commonwealth Privacy Bill expressly allow public authorities to be identified as data controllers and regulate their processing of personal data.179

All the regional frameworks that define a data controller agree that the controller has decision-making power with respect to data processing.180 It is an entity that decides the contents and use of personal data.181 It includes a person or organisation that instructs another person or organisation to collect, hold, process, use, transfer or disclose personal information on their behalf. However, controllers may also themselves collect and process data.182

The ECJ has analysed whether Google, a search engine, is a controller by virtue of processing personal data, which was uploaded on its website without its knowledge; and found that since Google was the entity determining the purposes and means of personal data processing, it should be considered as a data controller.183 Citing this case, Facebook, and the administrator of a Facebook fan page, were also declared as data controllers in another case.184 In another landmark case, the ECJ determined that a website operator featuring the Facebook ‘Like’ button, would be a joint controller of personal data under the GDPR.185 However, the Court limited the website operator’s liability to its role in collecting and transmitting personal data to Facebook, and not for any subsequent data processing carried out by Facebook.

167 APEC Privacy Framework, part ii, para 10; AU Convention, art 1 (definition of data controller); GDPR, art 4(7); OAS Principles with Annotations, Definitions, page 6 (definition of data controller); Convention 108+, art 2(d); Commonwealth Privacy Bill s 4 (definition of public authority); Commonwealth PPI Bill, s 5(1) (use of ‘organisation’).
168 ASEAN DP Framework, para 6(a) (use of the term ‘organisation’); Commonwealth PPI Bill, s 3.
169 AU Convention, article 1 (definition of data controller); GDPR, art 4(7); HIPCAR Model Legislative Text 3(1)(c); OAS Principles with Annotations, Definitions, page 6 (definition of data controller); Convention 108+, art 2(d).
170 GDPR, arts 5(2), 24; AU Convention, art 13 (principle 6(b)).
171 GDPR, art 4(8); OAS Principles with Annotations, Definitions, page 6 (definition of data processor); Convention 108+, art 2(f).
172 GDPR, art 4(8); Convention 108+, art 2(f); HIPCAR Model Legislative Text, s 14.
173 AU Convention, art 13 (principle 6(b)); GDPR, art 28(3).
174 GDPR, art 33(2).
175 OAS Principles with Annotations, Definitions, page 6 (definition of data processor).
176 Convention 108+, Explanatory Report para 24.
177 APEC Privacy Framework, part ii, para 10; AU Convention, art 1 (definition of data controller); GDPR, art 4(7); HIPCAR Model Legislative Text, s 3(1)(c); OAS Principles with Annotations, Definitions, page 6 (definition of data controller); Convention 108+, Art 2(d); OECD Guidelines, Chapter 1, Part 1, para 1(a).
178 ASEAN DP Framework, para 6; Commonwealth PPI Bill, s 5(1); Commonwealth Privacy Bill, s 3.

179 AU Convention, art 1 (definition of data controller); GDPR, art 4(7); HIPCAR Model Legislative Text s 3(1)(c) (definition of data controller) read with Part IV; OAS Principles with Annotations, Definitions, page 6 (definition of data controller); Convention 108+, Art 2(d), Commonwealth Privacy Bill, s 6.
180 OAS Principles with Annotations, Definitions, page 6 (definition of data controller); APEC Privacy Framework, part ii, para 10; AU Convention, art 1 (definition of data controller); GDPR, art 4(7); HIPCAR Model Legislative Text, s 3(1)(c) (definition of data controller); Convention 108+, art 2(d); OECD Guidelines, Chapter 1, Part 1, para 1(a).
181 OAS Principles with Annotations, Definitions, page 6 (definition of data controller); GDPR, art 4(7); Convention 108+, art 2(d); AU Convention, art 1 (definition of data controller); HIPCAR Model Legislative Text s 3(1)(c) (definition of data controller).
182 OAS Principles with Annotations, Definitions, page 6 (definition of data controller).
183 Google Spain SL v AEPD (The DPA) and Mario Costeja Gonzalez, Case No C-131/12 decision dated 13 May 2014 https://privacylibrary.ccgnlud.org/case/spain-sl-vs-agencia-espaola-de-proteccin-de-datos-aepd?searchuniqueid=7211620.
184 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein, Case C-210/16 decision dated 5 June 2018.
185 Fashion ID GmbH and Co KG v Verbraucherzentrale NRW eV Case C-40/17 decision dated 29 July 2019 (paras 75-83).

2.6.2 Processors
The GDPR, the OAS Principles, and Convention
108+186 are the only instruments amongst the
Identified Regional Frameworks that define a data
processor. However, the AU Convention, the HIPCAR
Privacy Framework, and the OECD Guidelines refer
to processors indirectly. They speak of entities
undertaking processing on behalf of a controller that
will duly comply with security measures.187 The AU
Convention and HIPCAR Privacy Framework make it
incumbent on a controller to select a processor that
can ensure a level of data protection consistent with
the framework.188

Likewise, the GDPR also requires controllers to
delegate processing to processors that are able to
provide data protection guarantees.189 The GDPR
clarifies that although a processor can make its own
operational decisions, it must strictly adhere to the
controller’s instructions190 when processing data, as
well as comply with the framework.191 The controller
may provide a certain degree of discretion to the
processor to choose the most suitable technical and
organisational means to process the data. However,
broadly speaking, the processor is required to act
“on behalf of” the controller and cannot carry out
processing except as instructed by the controller.192
When a processor goes beyond the controller’s
instructions and starts determining its own purposes
and means of processing, it would be considered as
a controller.193 In such cases, the responsibilities and
liabilities of a data controller will become applicable
to the processor. Additionally, the processor may
face sanctions from the controller for bypassing the
controller’s instructions.194

186 GDPR, art 4(8); Convention 108+, art 2(f); OAS Principles with Annotations, Definitions, Page 6.
187 AU Convention, art 13 (Principle 6(b)); HIPCAR Model Legislative Text s 14(2); OECD Guidelines, Chapter 2, Page 23.
188 AU Convention, art 13, Principle 6(b); HIPCAR Model Legislative Text, s 14.
189 GDPR, art 28(1).
190 GDPR, art 29.
191 GDPR, art 28.
192 GDPR, art 29.
193 Case C-40/17 decision dated 29 July 2019 (para 79).
194 GDPR, art 82(2).

Key considerations and summary points

◊ The scope of the ‘personal data’ definition determines which type of data will be
regulated by a data protection framework.
◊ Most modern frameworks rely on the concept of identifiability which defines personal data
as data that can directly or indirectly identify an individual. Several frameworks provide
lists of identifiers and factors that would cause individuals to be identified through data.
◊ Broad definitions of personal data ensure the most protective and future-proof approach,
which allows courts and data regulators the opportunity to protect individuals in the face
of changing technologies.
◊ De-identification methods attempt to reduce or eliminate the possibility that data
identifies individuals.
◊ Processes such as anonymisation break the link between datasets and individuals,
rendering them non-identifiable. Because anonymous data is often exempt from data
protection requirements, however, legislation should ensure that re-identifying
anonymised data is ‘reasonably’ difficult or impossible.
◊ Pseudonymised data can be reidentified and therefore continues to be governed by
data protection frameworks.
◊ Data subjects are individuals whose data is processed and are the primary beneficiaries
of data protection frameworks.
◊ Data subjects are typically living, natural persons, although in certain situations, the
benefits of data protection frameworks may be extended to deceased and legal persons.
◊ Health data covers data related to the past, present, and future physical or mental health
of a data subject, including treatment plans, reports, health expenditure, and disease
risk. Health data is often treated as a special category of data, subject to enhanced data
protection safeguards.
◊ Biometric data refers to distinctive and measurable characteristics of data subjects,
such as fingerprints and body geometry. It is typically treated as a special category of
sensitive data with additional safeguards, as it is intimately related to the data subject’s
identity and could impact them significantly (e.g., during criminal proceedings).
◊ Genetic data concerns inherited or acquired genetic characteristics of data subjects
acquired through DNA or RNA analysis. Like health and biometric data, it is typically
treated as a special category of sensitive data by legal frameworks.
◊ The definitions of a data controller and data processor determine which public and
private entities are subject to the obligations of a data protection framework.
◊ Data controllers determine how and for what purposes data is processed. Controllers
must therefore demonstrate compliance with the data protection framework.
◊ Data processors are entities which process data on behalf of controllers.
Data processors must comply with the controller’s instructions and any other
obligations imposed on processors by the data protection framework.
◊ Ensuring that public agencies and the state itself are treated as data controllers ensures
that key data protection principles apply to the processing of citizens’ information by
the relevant public institutions.

CHAPTER 3

ESTABLISHED DATA PROTECTION PRINCIPLES

3.1 Introduction

This chapter draws on the Identified Regional Frameworks to discuss the data protection
principles that should be incorporated within domestic legislation. This includes the
principles to be followed by data controllers, such as government agencies or private
companies, when collecting, processing, and using personal data. Technical mechanisms to
achieve optimum data privacy, such as the concept of privacy by design, are discussed in
Chapter 4 (Transparency and Accountability).

Multilateral organisations have observed that the state’s use of digital technologies
to confer legal identity or verify the identities of its citizens and resident foreigners
is a powerful tool to achieve the SDG goal of providing legal identity for all.195
However, these initiatives raise certain concerns for citizens’ privacy rights, in
particular for their informational privacy.196 With numerous countries across the world
implementing digital ID systems (e.g. Argentina, Estonia, India, Malawi, Senegal,
Uganda),197, 198 questions concerning privacy and the use of personal data must be
addressed by introducing legal safeguards to adequately protect individuals and ensure
state accountability.

In the absence of a robust data protection law, the personal data of citizens may be
vulnerable to misuse. A strong data protection regime must be based on clear principles
governing the processing, storing and sharing of data.

The last decade has witnessed several high profile incidents when personal data has been
illegitimately used by both private and public actors, which has accelerated the demand
for robust data protection laws. The consulting firm Cambridge Analytica, for example,
purchased large amounts of personal data about American citizens from Facebook without
their knowledge, in order to allegedly influence voting behaviour during the 2016 US
elections.199

As an example of governmental digital response to the COVID-19 pandemic, Israel’s
contact tracing app relied on collecting metadata from voice calls,

195 World Bank, Principles on Identification for Sustainable Development (2021) https://documents1.worldbank.org/curated/
en/213581486378184357/pdf/Principles-on-Identification-for-Sustainable-Development-Toward-the-Digital-Age.pdf; UN Legal
Identity Agenda Task Force, ‘UN Strategy for Legal Identity for All’ (June 2019), para 26 https://unstats.un.org/legal-identity-agenda/
documents/UN-Strategy-for-LIA.pdf.
196 See Reetika Khera, ‘Impact of Aadhaar on Welfare Programmes’ (2017) 52 (50) EPW https://dx.doi.org/10.2139/ssrn.3045235.
197 CIVIPOL Project, Senegal: Support Programme to Strengthen the Civil Registration Information System and Consolidation of a
National Biometric Identification Database https://www.civipol.fr/en/projects/senegal-support-programme-strengthen-civil-
registration-information-system-and; National Identification and registration Authority, Uganda https://www.nira.go.ug/; Calum
Handforth and Matthew Wilson, ‘Digital Identity Country Report, Malawi’ (GSM Association, 2019) https://www.gsma.com/
mobilefordevelopment/wp-content/uploads/2019/02/Digital-Identity-Country-Report.pdf; World Bank Group, Argentina ID Case
Study: The Evolution of Identification (2020) https://olc.worldbank.org/system/files/Argentina-ID-Case-Study-The-Evolution-of-
Identification.pdf.
198 National Identification Authority, Republic of Ghana https://nia.gov.gh/; Huduma Namba, Republic of Kenya; National Identity
Management Commission, Nigeria; World Bank Group, ‘ID4D Country Diagnostic; Ethiopia’ (2017) https://documents1.worldbank.
org/curated/en/822621524689442102/ID4D-Country-Diagnostic-Ethiopia.pdf.
199 Issie Lapowsky, ‘How Cambridge Analytica Sparked the Great Privacy Awakening’ (Wired, 17 March 2019) <https://www.wired.com/
story/cambridge-analytica-facebook-privacy-awakening/>.

text messages and browsing histories.200 In light of
these events, several nations are in the process of
introducing new data protection laws or overhauling
existing ones. Brazil is developing and adopting new
data protection legislation,201 while the EU’s GDPR
is now applicable across borders to any entity that
offers its goods and services to EU residents.202 A
data protection framework is also being debated
in India.203 The US state of California,204 and the
countries of Nigeria and Kenya have also drawn
inspiration from the GDPR and recently updated their
privacy laws.205 In keeping with this trend, several
nations have also participated in the creation of
regional data protection instruments that reflect the
growing consensus among states of the importance
of data protection.

Despite differences in legal traditions and
sociocultural values, several regional data protection
and privacy frameworks provide for certain core rules
or principles that domestic data protection legislation
should include.206 Known as data protection
principles, or core privacy principles, these set out the
approach that data controllers and processors ought
to incorporate when processing personal data and
designing their systems and controls. Incorporated
across all the Identified Regional Frameworks, the
principles include legal, management, administrative,
and technical safeguards.

200 Tehilla Shwartz Altshuler and Rachel Aridor Hershkowitz, 'How Israel's COVID-19 mass surveillance operation works' (Brookings, 6
July 2020) https://www.brookings.edu/techstream/how-israels-covid-19-mass-surveillance-operation-works/.
201 The General Personal Data Protection Law 13709/2018 is a statutory law on data protection and privacy in the Federative Republic of
Brazil http://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Lei/L13709.htm.
202 Regulation (EU) 2016/679 of 27 April 2016 addresses the transfer of personal data outside the EU and EEA areas [2003] OJ L 119/1.
203 Report of the Joint Committee on the Personal Data Protection Bill, 2019 available at https://prsindia.org/files/bills_acts/bills_
parliament/2019/Joint_Committee_on_the_Personal_Data_Protection_Bill_2019.pdf.
204 California Consumer Privacy Act, 2018 gives consumers more control over the personal information that businesses
collect about them. California Consumer Privacy Act 2018 https://leginfo.legislature.ca.gov/faces/codes_display Text.
xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5.
205 Brian Daigle, 'Data Protection Laws in Africa: A Pan-African Survey and Noted Trends' (2021) Journal of International Commerce and
Economics 11 https://www.usitc.gov/publications /332/journals/jice_africa_data_protection_laws.pdf.
206 David H. Flaherty, Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, and the
United States (UNC Press Books, 2014).

Box 3.1: Key principles adopted by the European Union and OECD

The EU’s and OECD’s approaches to data protection provide useful starting points for
countries working to develop data protection frameworks and represent nearly four
decades of engagement with the issue of data protection.

The EU’s GDPR is a comprehensive data protection framework that has helped set
new thresholds for privacy standards. Article 5 sets out the core principles that data
controllers and processors are required to adopt. These principles require personal
data to be:

• processed lawfully, fairly and in a transparent manner in relation to the data
subject;
• collected for specified, explicit, and legitimate purposes;
• adequate, relevant, and limited to what is necessary for the purposes it was
processed for;
• accurate and, where necessary, kept up to date;
• kept in a form that permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data is processed, and;
• processed in a manner that ensures appropriate security of the personal data.

The OECD Guidelines have been accepted as an international standard for personal
information processing principles. The Guidelines set out the following eight principles
with respect to data collection and processing:

• Collection Limitation – data collection should only occur with the prior
knowledge and consent of the data subject.
• Data Quality – data controllers and processors should only collect personal
data which is relevant and accurate for a particular aim.
• Individual Participation – the concerned individual should know if their personal
data has been collected and must be able to access such collected data.
• Purpose Specification – the intended use for a particular piece of information
must be known at the time of collection.
• Use Limitation – collected data must not be used for purposes other than the
ones specified at the time of collection.
• Security Safeguards – reasonable measures must be taken to protect personal
data from unauthorised use, destruction, modification, or disclosure.
• Openness – individuals should be able to establish that data collection has
occurred and be able to contact the entity collecting this information.
• Accountability – data collectors should be held accountable for failing to abide
by any of the above principles.

The remainder of this chapter analyses the specific
principles found in the Identified Frameworks,
including: (i) that processing be fair, lawful, and
transparent; and the principles of (ii) notice and
consent; (iii) purpose limitation; (iv) data minimisation;
(v) data accuracy; (vi) integrity, confidentiality and
availability; and (vii) transparency and accountability.

3.2 Fair, lawful and transparent

It is critical that data controllers and processors
demonstrate their compliance with data protection
laws and principles when collecting and processing
personal data. This ensures that data subjects enjoy
their right to privacy and can seek legal redress
for any infringement of their rights. To ensure this,
frameworks such as the GDPR and OECD mandate
that data controllers and processors abide by the
principles of fairness, lawfulness and transparency in
data processing activities.207

The principle of lawfulness is often applied in
conjunction with the principles of fairness and
transparency that require data controllers and
processors to process the personal data of data
subjects only after providing adequate notice to
the data subject in a format that is concise, easily
accessible, easy to understand, in clear and plain
language and in a manner that is fair.211

A data controller or processor must provide a privacy
notice that sets out how an organisation collects, uses,
retains, and discloses personal data. This notice must
clearly inform users of the ways in which their personal
data will be used and managed, along with the legal
grounds or bases for doing so.212 Such processing
should keep in mind the best interests of the data
subjects and must not be harmful, discriminatory,
deceptive, misleading or unexpected.213 Furthermore,

207 GDPR, art 5(1); OECD Guidelines, Chapter 1, paras 7, 9, 10-12.


211 Damian Clifford, Jef Ausloos, ‘Data Protection and the Role of Fairness’ (2018) 37 Yearbook of European Law 130–187 https://doi.
org/10.1093/yel/yey004.
212 F. H. Cate and V. Mayer-Schonberger, 'Notice and Consent in A World Of Big Data' (2013) 3 International Data Privacy Law.
213 See Daniel-Mihail Sandru, ‘The Fairness Principle in Personal Data Processing’ (2020) 10(1) Law Review http://dx.doi.org/10.2139/
ssrn.3641883.

Box 3.2: What is fairness, lawfulness, and transparency?


What is fairness?

In general, fairness means that data controllers and processors should only handle
personal data in ways that data subjects would reasonably expect and not use it in
ways that could potentially have any unforeseen or adverse effects on them. For
example, a default setting in software that leads to unexpected sharing of personal
computer files was held to be unfair by a US court because it hindered consumer
choice.208 Similarly, the French data protection authority, la Commission nationale de
l’informatique et des libertés (CNIL), sanctioned Les Pages Jaunes (Yellow Pages) for
collecting information about individuals from their public social media profiles and then
aggregating that information in Les Pages Jaunes’ online directory service.209 The
CNIL found the processing unfair (déloyal) because data subjects were not adequately
informed that information about their public profiles would be collected by Les Pages
Jaunes. They were also not given an opportunity to grant informed consent.

What is lawfulness?

For the processing of personal data to be lawful, data controllers and processors must
identify and determine the legal bases for processing different types of data. These
bases may include specific purposes and contexts of processing. Frameworks such
as the GDPR specifically outline legitimate grounds for processing data which include:

• the consent of the data subject;
• the performance of a contract;
• the performance of a task carried out in the exercise of an authority’s
compliance with a legal obligation;
• legitimate interests of the controller or third parties;
• the protection of the data subject's vital interests.210

Lawfulness also refers to the requirement that data controllers and processors comply
with statutory or other legal obligations whether they be criminal or civil. For example,
data controllers and processors would be required to comply with corporate filing and
disclosure requirements under company law and abstain from committing offences
such as fraud or forgery that are prohibited by penal statutes.

What is transparency?
Transparent processing of personal data means being clear, open, and honest with data
subjects about which entities constitute the chain of data controllers and processors
and how and why they use the personal data.

208 In Re Sony BMG Music Entertainment, US FTC Matter 062-3019 (29 June 2007) Complaint.
209 CNIL Deliberation 2011-203 of 21 September 2011 https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000024583206/.
210 GDPR, art 6(1).

any subsequent changes to the uses of personal data
must be communicated to the data subject prior to
such use.214

These principles assume greater importance when
personal data is processed by the state or its agencies.
The COVID-19 pandemic has seen governments use
technological tools to contain the spread of infection
and trace infected individuals. Many governments
have justified the collection and processing of sensitive
health data and other personal data as necessary to
protect public health. However, this has led to the
use of individuals’ personal data in new and at times
unexpected ways. Some countries have resorted
to emergency measures to collect data from CCTV
cameras, cell phones, and credit-card transactions in
order to track potentially infected persons and their
movements and interactions with other people.215 As
noted by the OECD, data collection and processing
efforts should preferably be authorised by law and
specify how such data collection and processing will
be limited to a section of the population, for a limited
time period, and solely for the purpose of combatting
COVID-19.216

Adherence to the principles of fairness, lawfulness,
and transparency may help mitigate these adverse
impacts. For example, states and health agencies can
ensure that the data collected is strictly necessary for
the stated purpose of responding to a public health
emergency. Crucially, the data must not be used in
any manner incompatible with the purpose of a public
health response. The collection and processing of this
data must also be disclosed to data subjects, and the
data must not be retained for longer than necessary.

214 See GDPR, art 13(3).


215 Aditi Agarwal, 'Aarogya Setu Updated Its Privacy Policy: All You Need To Know' (Medianama, 14 April 2020) https://www.medianama.
com/2020/04/223-aarogya-setu-privacy-policy/; Maya Wang, 'China: Fighting COVID-19 With Automated Tyranny' (Human Rights
Watch, 1 April 2020) https://www.hrw.org/news/2020/04/01/china-fighting-covid-19-automated-tyranny; 'Israel uses surveillance
tech to track coronavirus patients' (DW News, 20 March 2020) https://www.dw.com/en/israel-uses-surveillance-tech-to-track-
coronavirus-patients/av-52864272; Aaron Holmes, 'Singapore is using a high-tech surveillance app to track the coronavirus, keeping
schools and businesses open. Here's how it works.' (Business Insider, 24 March 2020) https://www.businessinsider.com/singapore-
coronavirus-app-tracking-testing-no-shutdown-how-it-works-2020-3; Douglas Busvine, 'Switzerland, Austria align with 'Gapple'
on corona contact tracing’ (Reuters, 22 April 2020) https://www.reuters.com/article/health-coronavirus-europe-tech/switzerland-
austria-align-with-gapple-on-corona-contact-tracing-idUSL3N2CA36L.
216 OECD, Ensuring data privacy as we battle COVID 19 (April 2020) https://www.oecd.org/coronavirus/policy-responses/ensuring-
data-privacy-as-we-battle-covid-19-36c2f31e/.

3.3 Notice and consent

Most legal and regulatory approaches to protecting informational privacy rely on
obtaining informed consent as a lawful basis to limit how the personal information
of a data subject can be collected or processed.217 Among international frameworks,
consent-based privacy management provisions can be found in the GDPR, APEC Privacy
Framework, ASEAN DP Framework, HIPCAR Privacy Framework, OAS Principles, Commonwealth
PPI Bill, and OECD Guidelines.218 For decades, legislation has required that data
subjects be informed about what types of data are being collected and how their
information will be used by data controllers. This information is generally provided
through privacy policies. These policies allow data subjects to exercise control
over their data and provide consent based on their understanding of the privacy
policy or notice shared with them prior to their data being collected. However,
the notice-and-consent mechanism has its limitations and has been criticised on
several grounds, described below.

3.3.1 Consent fatigue

With individuals increasingly availing themselves of online products and services in
the digital world, consenting to numerous privacy notices and policies may result in
what is known as ‘consent fatigue’, or diminished consent, whereby one agrees to the
privacy notice and provides consent without effectively comprehending the details and
consequences of the privacy policy.219 Additionally, privacy policy documents are
often long and complicated, consisting of legal jargon which is changed frequently
and is also beyond the reasonable understanding of an ordinary individual, making it
challenging for them to make informed decisions about their personal data.220 Given
that privacy notices come in various forms, such as documents posted on websites,
click-wrap agreements in software, signs posted in public spaces informing individuals
about surveillance, a lack of access to such notices in a concise, intelligible format
makes it challenging for individuals to provide meaningful consent. Furthermore, the
lack of digital literacy among diverse populations as well as language barriers prevent
data subjects from adequately understanding privacy policies in order to exercise
effective control over their data and anticipate the consequences of their consent.

217 Bailey R and others, 'Disclosures in Privacy Policies: Does “Notice And Consent” Work?' (National Institute of Public Finance and
Policy, 2018) https://www.nipfp.org.in/media/medialibrary/2018/12/WP_246.pdf.
218 GDPR, art 6(1), 7; APEC Privacy Framework, part iii, para 21-24; ASEAN DP Framework, principle 6(a); HIPCAR Model Legislative
Text, s 9(1); OAS Principles with Annotations, principle 2; Commonwealth PPI Bill, s 8; OECD Guidelines, Chapter 1 OECD Privacy
Framework, para 7.
219 Daniel S, 'Introduction: Privacy Self-Management and The Consent Dilemma' (2013) 126 Harvard Law Review; Aaron Smith, ‘Half
of Online Americans Don’t Know what a Privacy Policy Is’ (Pew Research Center, 4 December 2014) https://www.pewresearch.org/
fact-tank/2014/12/04/half-of-americans-dont-know-what-a-privacy-policy-is/.
220 Aleecia M. McDonald and Lorrie Faith Cranor, ‘The Cost of Reading Privacy Policies’ (2008) 4(3) ISJLP.

3.3.2 Power asymmetry

The principle of informed consent is based on the idea that individuals should be able
to voluntarily make decisions concerning their exposure to potential dangers. The
principle emphasises the importance of individual autonomy and responsibility for
balancing risks and benefits.221 In the context of data protection, informed consent
refers to such consent that is freely-given, specific, unambiguous and revocable.
For example, the APEC Privacy Framework calls on data controllers to provide data
subjects with a “clear, prominent, easily understandable, accessible and affordable
mechanism to exercise choice in relation to the collection, use and disclosure of their
personal information” to ensure that individuals are provided with choice in relation
to the collection, use, transfer and disclosure of their personal information.222

However, requiring individuals to consent to a data controller’s data practices based
on privacy notices places the onus on an individual to be aware of the terms of data
practices to which they are giving their consent, which benefits data controllers
more than data subjects. This amplifies the power asymmetry between the user and the
data controller, and undermines user empowerment.223 In some instances, such as in the
context of employment or when personal data is required to be given to public
authorities, consent may not always be given freely. This puts data subjects in a
vulnerable position and may be especially challenging when the data controller is the
state and has the power to deny persons access to benefits and public resources.

3.3.3 Opt-out mechanisms and the illusion of choice

Most traditional frameworks give data subjects the option to opt-out of providing
consent for the collection and processing of their personal data.224 But when consent
is revoked or withheld by data subjects, data controllers and processors can stop
providing their services. This leaves data subjects with no option but to give consent
if they want to avail themselves of specific services. Moreover, given the ubiquity
of personal data collection at several points when consent and personal data are
mandatory for access to services, opt-out mechanisms are impractical and, in some
cases, impossible. In our networked society, where connectivity is essential for
participation in modern life, the choice to withdraw completely is challenging. In
such a scenario, the benefits of being connected may outweigh the drawbacks of privacy
erosion.225

Taken together, the shortcomings discussed above make it clear that existing
notice-and-consent mechanisms in privacy regulations are insufficient to meet the
standard of informed consent. Countries worldwide are realising the challenges stemming
from new technologies, such as artificial intelligence, machine learning, and big data
that collect as much data as possible and retain such data for undisclosed, ambiguous,
and potentially unethical purposes.226 Legislation is now relying on a rights-based
model, wherein the burden of assessing the privacy risk to personal data is placed on
the data controller, thereby obligating the data controller to be transparent about,
and accountable for, its data collection, processing, transfer and storage.227

221 Bailey R and others, 'Disclosures in Privacy Policies: Does “Notice And Consent” Work?' (National Institute of Public Finance and Policy 2018) https://www.nipfp.org.in/media/medialibrary/2018/12/WP_246.pdf.
222 APEC Privacy Framework, part iii, para 26.
223 Lorrie Faith Cranor, ‘Necessary But Not Sufficient: Standardized Mechanism For Privacy Notice and Choice’ (2012) 10 Journal on Telecom and High Technology Law http://jthtl.org/content/articles/V10I2/JTHTLv10i2_Cranor.PDF.
224 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘the SPDI Rules’); Regulation (EU) 2016/679 (General Data Protection Regulation).
225 Lee Rainie, Janna Anderson, ‘The Internet of Things Connectivity Binge: What Are the Implications’ (Pew Research Center 6 June 2017) https://www.pewresearch.org/internet/2017/06/06/the-internet-of-things-connectivity-binge-what-are-the-implications/.
226 Hervé A, “Data Protection and Artificial Intelligence” in Shin-yi Peng, Ching-Fu Lin and Thomas Streinz (eds), Artificial Intelligence and International Economic Law: Disruption, Regulation, and Reconfiguration (Cambridge University Press 2021).
227 OAS Principles with Annotations, principle 9 (“The burden should be placed on Data Controllers to assess the material risks to Data Subjects as part of the overall process of risk management and privacy impact assessment. Holding accountable whoever effectively exercises control over the Data will result in more meaningful protection of Data Subjects from material harm across a wide range of cultural contexts.”). See also HIPCAR Model Legislative Texts, s 28; GDPR, section 3.

While data-driven private organisations are required to comply with numerous obligations prescribed within frameworks, governments or state agencies are often exempted from the purview of such regulations and are permitted to process personal data without the consent of data subjects when concerns regarding national security, defence, or public security are raised. The grounds for government access of personal data are discussed in more detail in Chapter 7 (Government Access). While these grounds are specified within regulations, critics argue that in the absence of clear definitions of terms such as national security, defence or public security, a state’s power over individuals’ personal data largely goes unchecked, leading to concerns of personal data misuse.228 Though countries such as Estonia, India, and Kenya require state actors to collect and process personal data in line with the principles of legality, necessity, and proportionality,229 the legal authorisation of such practices without appropriate oversight and safeguards can create risks, such as government-authorised surveillance and exclusion from government benefits and services.230

There is a growing need to develop and adopt new norms for notice-and-consent mechanisms that not only maximise access to data while ensuring transparency, but also protect each individual’s right to control their informational privacy.231 A human-centric approach towards this, whereby the rights, needs, values, capabilities, and limits of data subjects are placed at the centre of any technological system, and risks are assessed prior to collection or processing of personal data, is essential to fortify the digital privacy of individuals. Additionally, the rigorous implementation of other principles discussed in this chapter, such as fair and lawful use of data, purpose limitation, and privacy by design and as the default can help mitigate the limitations of the notice and consent approach.

While notice and consent remains integral to a robust data protection framework, it must be supplemented by additional norms and safeguards to ensure consent is not rendered meaningless by issues such as consent fatigue and denial of services. However, many entities that collect and process personal data, including state actors and private organisations, benefit from the status quo and do not see any incentive to adopt practices that make data collection and processing more burdensome for them, but could potentially empower data subjects.232

228 Ira S. Rubinstein, Gregory T. Nojeim, Ronald D. Lee, ‘Systematic government access to personal data: a comparative analysis’ (2014) 4(2) International Data Privacy Law 96–119 https://doi.org/10.1093/idpl/ipu004.
229 Constitution and Personal Data Protection Act, 1996 (revised 2003 and 2008), Public Information Act, 2001 (last revised in 2018); Justice K. S. Puttaswamy (Retd.) v. Union of India and Ors. (2017) 10 SCC 1 https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-and-ors-vs-union-of-india-uoi-and-ors?searchuniqueid=504175; Okoiti v. Communications Authority of Kenya Constitutional Petition no.53 of 2017 [2018] eKLR https://privacylibrary.ccgnlud.org/case/okiya-omtatah-okoiti-vs-communication-authority-of-kenya-8-ors?searchuniqueid=995610.
230 Report of the United Nations High Commissioner for Human Rights, The right to privacy in the digital age (3 August 2018) UNGA A/HRC/39/29 https://documents-dds-ny.un.org/doc/UNDOC/GEN/G18/239/58/PDF/G1823958.pdf?OpenElement; Prashant Agrawal, Anubhutie Singh, Malavika Raghavan, Subodh Sharma and Subhashis Banerjee, An operational architecture for privacy by design in public service applications, (December 2020), p 5, https://www.dvara.com/research/wp-content/uploads/2020/12/An-operational-architecture-for-privacy-by-design-in-public-service-applications.pdf.
231 Richard Warner & Robert Sloan, ‘Beyond Notice and Choice: Privacy, Norms, and Consent’ (2013) 14(2) J. High Tech. L.
232 ‘Redesigning Data Privacy: Reimagining Notice & Consent for human technology interaction’ (World Economic Forum White Paper, July 2020) http://www3.weforum.org/docs/WEF_Redesigning_Data_Privacy_Report_2020.pdf.

3.4 Purpose limitation

Data protection principles demand that personal data be processed only to the extent that is compatible with the purposes for which it was collected or subsequently consented to by the individual. This stems from the principle of ‘Purpose Limitation.’ Across data protection regimes, such as the APEC Privacy Framework, GDPR, Commonwealth PPI Bill, the HIPCAR Privacy Framework, and OECD Guidelines, the purpose limitation principle requires that personal data must be collected by data controllers “for specified, explicit and legitimate purposes” only.233 (Personal data must not be further processed in a way that is incompatible with the purposes for which it was collected.)

Broadly, the purpose limitation principle requires data controllers to carefully consider what purpose(s) the personal data will be used for and restricts them from collecting personal data which is not necessary, adequate or relevant for this intended purpose(s).234 Such intended purpose(s), which must be in accordance with law, should be communicated to data subjects at the point of collection in clear and unambiguous language so that individuals can determine what kind of processing is included within the specified purpose.235

The intention behind this principle is to ensure that data controllers are transparent, clear, and open from the outset about their proposed processing of personal data and the purposes are in line with data subjects’ reasonable expectations. Moreover, this principle becomes critical in today’s data-driven world when personal information of individuals, groups, and communities could be used for other objectives and possibly have detrimental effects on individuals and lead to abuse.

However, several frameworks including the GDPR, the Commonwealth PPI Bill, HIPCAR Privacy Framework, and the OAS Principles also provide for exceptions to the purpose limitation principle whereby further processing of personal data is permissible with the consent of the data subject.236 Based on several examples around the world, it is also possible that the state and its agencies, in the exercise of their mandated functions, could share the personal data of their citizens with other state agencies. Therefore, any exceptions to the purpose limitation principle that permit further processing of data, especially by state agencies, should be narrowly tailored and information sharing between state agencies tightly regulated.237 Otherwise, there exists a risk that the data subject’s consent is rendered meaningless.

233 GDPR art 5(1)(b). See also APEC Privacy Framework, part iii, para 25; Commonwealth PPI Bill, S 12(1); HIPCAR Model Legislative Text, S 7(b); OECD Guidelines, Chapter 1, Part 1, Para 9.
234 Article 29 Data Protection Working Party, Opinion 03/2013 on Purpose Limitation (2 April 2013). See also GDPR art 5(1)(b); APEC Privacy Framework, part iii, para 25; Commonwealth PPI Bill, S 12(1); HIPCAR Model Legislative Text, S 7(b); OECD Guidelines, Chapter 1, Part 1, Para 9.
235 Article 29 Data Protection Working Party, Opinion 03/2013 on Purpose Limitation (2 April 2013).
236 GDPR art 5(1)(b), art 6; Commonwealth PPI Bill, S 12(1); HIPCAR Model Legislative Text, s 15(1); OAS Principles with Annotations, principle 4.
237 See Privacy International, A Guide for Policy Engagement on Data Protection, page 39 https://privacyinternational.org/sites/default/files/2018-09/Part%203%20-%20Data%20Protection%20Principles.pdf.

3.5 Data minimisation

At the core of privacy and data protection laws should lie the principle of data minimisation, which calls for limiting data collection to only what is required to fulfil a specific and legitimate purpose. When public and private organisations collect, process, and retain only the minimum necessary amount of personal data, it can limit privacy leakage and mitigate the risks associated with amassing large volumes of personal information. For example, an individual applying for a job should not be required to mandatorily disclose sensitive health information, such as their HIV status, unless it is required under certain reporting rules or to provide specific benefits. Since such information is not likely to be useful and could also result in potential discrimination, mandating the furnishing of such information could be excessive and in contravention of the data minimisation principle.

Data minimisation can be described as the principle of proportionality, necessity, non-excessiveness (or frugality) with respect to the quantity of personal data to be processed.238 The GDPR, the Personal Data Protection Guidelines for Africa, and the OAS Principles, as well as some domestic legislations, such as the California Consumer Privacy Act (US), and the Australian Privacy Act, 1988, limit personal data collected, processed or retained to the extent that it is relevant, required or necessary to accomplish the purposes specified.239 Such minimisation should be undertaken not only at the point of collection, but should also apply to retention and the deletion of unnecessary data.240 Therefore, once the purpose for which data was collected has been fulfilled, data controllers must cease to store personal data. They must also subsequently delete the personal data unless required for any other specified purpose and consented to by the data subject. While frameworks do not specify what can be classified as adequate, relevant, and limited, data controllers must periodically review the amount and nature of personal data in their possession based on the circumstances of their intended processing operations.241

In this regard, regulatory obligations imposed on data controllers and processors must determine and justify: (i) the nature of data collected on an ongoing basis; (ii) the legal basis for collecting such data; (iii) the purposes for which such data is collected; and (iv) the deletion of data that is no longer of any use. For example, the New York Department of Financial Services Cybersecurity Regulations mandated that regulated entities maintain a data minimisation program that calls for secure disposal of any non-public information that is no longer necessary for business operations and does not need to be maintained because of a legal or regulatory obligation.242 Such regulatory supervision over data controllers and processors has enhanced the enforcement of the principle of data minimisation.243
undertaken not only at the point of collection, but

238 Lee A. Bygrave, ‘Data Protection by Design and by Default: Deciphering the EU’s Legislative Requirements’ (2017) 4(2) Oslo Law Review https://pdfs.semanticscholar.org/2abd/ebe58f95bce0bd6e605bbea808917caf4ef5.pdf?_ga=2.86142232.1863169313.1635746977-836047564.1635271278.
239 GDPR, art 25(1); The Internet Society and the Commission of the African Union, ‘Personal Data Protection Guidelines for Africa’ (19 May 2018) https://www.internetsociety.org/wp-content/uploads/2018/05/AUCPrivacyGuidelines_2018508_EN.pdf; OAS Principles with Annotations, principle 3 (‘relevance and necessity’); California Consumer Privacy Act, 2018 gives consumers more control over the personal information that businesses collect about them https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5; The Privacy Act 1988, Schedule 1 (Australian Privacy Principles), principle 3 https://www.oaic.gov.au/privacy/the-privacy-act/.
240 OAS Principles with Annotations, principle 7 (‘as per the ‘minimization’ and limited Processing and retention criteria, the processed Personal Data should correspond to the minimum required for the stated purpose and should not be kept for longer than necessary for such purposes’).
241 Explanatory Report to Convention 108+, para 53.
242 New York State Department of Financial Services, 23 NYCRR 500, 500.13 (Limitations on Data Retention).
243 European Data Protection Board, ‘Berlin Commissioner for Data Protection Imposes Fine on Real Estate Company’ (5 November 2019) https://edpb.europa.eu/news/national-news/2019/berlin-commissioner-data-protection-imposes-fine-real-estate-company_en#:~:text=On%20October%2030th%202019%2C%20the,Data%20Protection%20Regulation%20(GDPR).

The implementation of data minimisation supports “privacy or data protection by design and default” and requires data controllers and processors to integrate data protection and privacy features into their system engineering, practices, and procedures.244

To achieve data minimisation, data controllers and processors should adopt data minimisation measures, such as: use aggregate data when possible; pseudonymise personal data as soon as it is no longer necessary to have personally identifiable data; or anonymise or delete personal data once the purpose for which it was collected has been fulfilled.
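
The following is an added example, not part of the guide, of a single retention pass that applies the three measures listed above in sequence: pseudonymise once direct identifiers are no longer needed, delete once the purpose is fulfilled, and keep only aggregate counts afterwards. The record fields, the 30-day and 365-day windows, the minimum cell size, the key and the sample records are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Assumed policy values (hypothetical; a controller would derive these from
# its own documented purposes and legal retention duties).
IDENTIFIABLE_DAYS = 30   # direct identifiers are needed only this long
RETENTION_DAYS = 365     # after this the purpose is treated as fulfilled
MIN_CELL = 3             # aggregate cells smaller than this are suppressed

# Constructed demo key. In practice the key is stored apart from the data,
# because whoever holds it can re-link pseudonyms to known identifiers.
KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Record:
    subject_id: Optional[str]   # direct identifier (here an e-mail address)
    pseudonym: Optional[str]    # set once the identifier has been removed
    postcode: str
    purpose: str
    collected: date


def pseudonymise(subject_id: str, key: bytes) -> str:
    """Keyed HMAC-SHA256: stable per subject, not reversible without the key."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(records, today: date, key: bytes):
    """Run one retention pass and return (kept_records, aggregate_counts)."""
    kept = []
    cells = Counter()
    for rec in records:
        age = (today - rec.collected).days
        if age > RETENTION_DAYS:
            # Purpose fulfilled: the record itself is dropped. Only a coarse
            # count (purpose, first two postcode digits) survives.
            cells[(rec.purpose, rec.postcode[:2])] += 1
            continue
        if age > IDENTIFIABLE_DAYS and rec.subject_id is not None:
            # Identifier no longer necessary: replace it with a pseudonym.
            rec = replace(
                rec,
                subject_id=None,
                pseudonym=pseudonymise(rec.subject_id, key),
            )
        kept.append(rec)
    # Small cells can single out a person, so they are suppressed.
    aggregate = {cell: n for cell, n in cells.items() if n >= MIN_CELL}
    return kept, aggregate


# Constructed sample records (not real data).
SAMPLE = [
    Record("alice@example.org", None, "10115", "job_application", date(2023, 2, 20)),
    Record("bob@example.org", None, "10117", "job_application", date(2022, 12, 1)),
    Record("carol@example.org", None, "10119", "job_application", date(2021, 6, 1)),
    Record("dave@example.org", None, "10243", "job_application", date(2021, 7, 1)),
    Record("erin@example.org", None, "10245", "job_application", date(2021, 8, 1)),
    Record("frank@example.org", None, "80331", "job_application", date(2021, 9, 1)),
]

if __name__ == "__main__":
    kept, aggregate = minimise(SAMPLE, date(2023, 3, 1), KEY)
    for rec in kept:
        print(rec)
    print(aggregate)
```

The pseudonymised record remains linkable by anyone holding the key, so it still needs the safeguards applied to personal data; only the suppressed aggregate is free of per-person rows.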

244 OAS Principles with Annotations, principle 3 (‘Necessity and Proportionality’); GDPR, art 25.

3.6 Accuracy

As countries grapple with an unprecedented global health crisis, data has been an essential tool for crafting public policy responses to the pandemic, such as allocating resources, measuring the effectiveness of interventions (social distancing), and providing insights that can help lift movement restrictions and reopen economies. For example, data relating to infections, as well as medical resources such as the number of healthcare workers or available ventilators, has been useful in crafting healthcare responses across nations. Similarly, COVID-19 vaccine programmes have used public data sets such as census records to monitor vaccine hesitancy.245 Such information can ensure the delivery of life-saving services and benefits to thousands of people worldwide.

While technology-based solutions such as contact-tracing applications can be useful tools to address the challenges of the pandemic, the risk of bad data could have severe implications on the individuals that share their personal data with the state and other third parties, including violations of their human rights against discrimination and exclusion. For instance, inaccurate, incomplete, or unreliable data could have adverse effects on public health at large, as this data could obscure the needs of specific communities or socioeconomic realities, or even disinform populations. Policies reliant on inaccurate data may damage their effective implementation and fail to protect the public.

Given the nature of data that is continuously collected, processed, stored, updated, altered and transferred, data could potentially be damaged, raising concerns regarding the quality of data. For example, data can be damaged in transit when it is transferred from one network to another, or when any technical failure corrupts data stored on a device. According to an MIT Sloan study, such inaccurate or corrupt data could cost businesses approximately 15 to 25 percent of their revenues.246 Therefore, there is a need to ensure data quality to build data subjects’ trust in data collectors and processors and prevent any detrimental impact inaccurate data could have on businesses, operations or individuals. With accurate and reliable data, individuals and organisations can make the most informed decisions to protect the privacy of data subjects and, at the same time, be compliant with regulatory obligations. More importantly, keeping data updated and accurate reduces the costs associated with ineffective decisions and reduces the risks of inaccurate data. Data protection frameworks can ensure organisations maintain accurate and high-quality data, most notably by granting individuals the right to access and correct data concerning them.247

Almost all the Identified Regional Frameworks governing data privacy, including APEC Privacy Framework, ASEAN DP Framework, GDPR, Convention 108+, the Commonwealth PPI Bill, OAS Principles, OECD Guidelines, and the HIPCAR Privacy Framework, incorporate the principle of data accuracy.

245 Lydia Anderson et al., ‘New Tool Tracks Vaccination and Vaccine Hesitancy Rates Across Geographies, Population Groups’ (United States Census Bureau, 21 April 2021) https://www.census.gov/library/stories/2021/04/how-do-covid-19-vaccination-and-vaccine-hesitancy-rates-vary-over-time.html.
246 Thomas C. Redman, ‘Seizing Opportunity in Data Quality’ (MIT Sloan Management Review, 27 November 2017) https://sloanreview.mit.edu/article/seizing-opportunity-in-data-quality/.
247 See Chapter 6 on the rights of data subjects.

3.7 Integrity, confidentiality, and availability

To secure personal data that is collected, processed, and stored on systems, and prevent unlawful or unauthorised access, use and disclosure, as well as loss, destruction, or damage of data, entities are required to implement organisational and technical controls while handling personal data. These are typically in the form of encryption, authentication, and restricted access tools. Such controls form the organisation’s security policy and generally focus on protecting three key aspects of their data and information: confidentiality, integrity, and availability, which taken together form the core of information security and data protection. International and regional frameworks including the OECD, Convention 108+, and GDPR, mandate data controllers and processors to take necessary security measures against the risks discussed above by adopting reasonable security safeguards.248 These safeguards are directed at ensuring the confidentiality of data, its integrity and its availability.

3.7.1 Confidentiality

The objective of the confidentiality principle is to ensure that adequate data protection controls are in place to prevent any unauthorised or unlawful disclosure, access or use of data or damage, loss or destruction of data.249 Given that several members of staff within the organisation, as well as third parties, may be authorised to access certain data, such data should be made available on a “need to know” basis, with security controls that ensure that personal data stored is secure and kept private. Several measures such as using virtual private networks, enabling strong passwords or two-factor authentication, segregating data, and assigning privileges to restricted members of the organisation ensure data confidentiality. Based on the nature of data, data controllers and processors engaging with sensitive personal data such as health data or digital ID data should adopt stronger security controls.250

248 OECD Guidelines, Chapter 1, Part 2, para 11; Convention 108+, art 7(1); GDPR, art 32. See GDPR, art 5(1)(f); OAS Principles with Annotations, principle 6; Commonwealth PPI Bill, S 18; APEC Privacy Framework, part iii, para 28; HIPCAR Model Legislative Text, S 14.
249 World Bank, ‘ID4D Practitioner’s Guide: Version 1.0’ (October 2019) https://documents1.worldbank.org/curated/en/248371559325561562/pdf/ID4D-Practitioner-s-Guide.pdf.
250 Beck EJ, Gill W and De Lay PR, ‘Protecting the confidentiality and security of personal health information in low- and middle-income countries in the era of SDGs and Big Data’ (2016) Global Health Action 9 https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5123209/; Olivia White et al., 'Digital identification: A key to inclusive growth' (McKinsey Global Institute, April 2019) https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/Digital%20identification%20A%20key%20to%20inclusive%20growth/MGI-Digital-identification-Report.ashx.

3.7.2 Integrity

The principle of data integrity seeks to ensure the accuracy, trustworthiness, and validity of data throughout its lifecycle. Since information only holds its value as an asset to any organisation if it is accurate and complete, effective measures need to be taken to prohibit the alteration of data, whether stored in a system or in transit (such as with email) by unauthorised individuals or data processes. Towards this, organisations need to both ensure legitimate access to systems and prevent any unauthorised alteration or loss at the hands of those who have access to data. For example, to ensure that any lost data can be restored if altered, regular backups are essential to an organisation that holds critical information in its systems.251 Similarly, organisations should also formulate policies that spell out access privileges and version controls to ensure the network’s safety.

3.7.3 Availability

Compliance with this principle ensures that information on systems is readily accessible by authorised personnel when required. Given that organisations possess large volumes of data needed for business continuity, availability of, and uninterrupted access to, accurate data relies on the maintenance of hardware, software, equipment, and communication channels that allow for the seamless storage and processing of data. Some of the most fundamental threats to availability are non-malicious in nature and include hardware failures, unscheduled software downtime and network bandwidth issues.252 Conversely, malicious attacks include various forms of sabotage intended to cause harm to an organisation by denying users access to the information system. Popular methods adopted by organisations to guard against such threats include using proxy servers, access controls, and firewalls, ensuring adequate bandwidth, as well as backing up data and updating the systems at regular intervals, with some data backups possibly stored in foreign locations. Estonia, for instance, maintains an "out-of-border" backup of its citizens’ data to ensure the continuity of operations in the event of an emergency.253 Additionally, organisations also adopt incident response plans to mitigate the risks associated with loss of data caused by breaches or unauthorised access to data.

251 John M. Borky, Thomas H. Bradley, 'Protecting Information with Cybersecurity' in Effective Model-Based Systems Engineering (Springer 2019) doi: 10.1007/978-3-319-95669-5_10.
252 Soila Pertet and Priya Narasimhan, 'Causes Of Failure In Web Applications' (2005) CMU-PDL-05-109 Parallel Data Laboratory Carnegie Mellon University https://www.cs.cmu.edu/~priya/PDL-CMU-05-109.pdf.
253 Peter Teffer, 'Estonia picks Luxembourg for 'ultimate backup'' (EU Observer, 30 June 2017) https://euobserver.com/digital/138406.

3.8 Transparency and accountability

These principles are covered in detail in Chapter 4 (Transparency and Accountability) below.

Key considerations

◊ A comprehensive and robust data protection legislation incorporates several key principles, such as: fairness; lawfulness; transparency and accountability; notice and consent; purpose limitation; accuracy; and integrity, confidentiality, and availability.
◊ The principle of lawfulness ensures that both private and public organisations’ handling of personal data is governed by law.
◊ The principles of notice, consent, and transparency protect an individual’s autonomy over their data and ensure that they are informed of how and when their data is collected. The principles of fairness and purpose limitation prevent collected data from being abused later in its lifecycle for unanticipated purposes.
◊ As private organisations collect increasing amounts of personal data and more states implement digital ID programmes, the principle of data minimisation attempts to limit the amount of data collected and processed, reducing the potential for leakages and misuse.
◊ The principles of accuracy, integrity, confidentiality, and availability impose obligations on controllers and processors to treat the data they do collect with a minimum standard of care to protect individuals from the harms arising from inaccurate or unavailable data, or the unauthorised access to data.

CHAPTER 4

MEASURES FOR TRANSPARENCY AND ACCOUNTABILITY

4.1 Introduction

The principles of transparency and accountability form an essential part of modern data
protection law. The principles of transparency and accountability concern both compliance
with data protection principles by data controllers and data processors, as well as the need
to demonstrate this compliance.

Transparency and accountability measures in data protection laws typically require:

• adoption of privacy by design;
• furnishing of information and access to data subjects of their personal data;
• imposition of security safeguards for personal data;
• reporting of personal data breaches;
• maintenance of records relating to processing activities;
• carrying out of data protection impact assessments; and
• appointment of data protection officers for monitoring and compliance.

4.2 Privacy by design

Privacy by design focuses on ensuring privacy and data protection rights from the “design phase of any system, service, product or process and then throughout its lifecycle.”254 Instead of thinking about privacy as an afterthought, privacy by design calls for proactively embedding good privacy practices into the design and operation of systems, infrastructure, and business practices, as explored in Fig. 4.1 below. Privacy by design strategies are useful to ensure privacy, generate trust, and secure data.255 The former Information and Privacy Commissioner of the Canadian Province of Ontario defines privacy by design as generally consisting of seven foundational principles:256

• Proactive and not reactive – events risking privacy are anticipated and prevented before they occur;
• Privacy by default – privacy is built into the system by default and is not dependent on actions undertaken by data subjects;
• Privacy embedded into design – privacy is a core feature and is integrated into operations, technologies, and information systems rather than being thought of as an add-on;
• Full functionality – privacy by design aims to satisfy all legitimate objectives and not pit privacy against other objectives such as security. Privacy is to be embedded in a technology, process, or system in a way that does not impair its full functionality while also ensuring security;
• End-to-end security over the entire lifecycle – privacy, once embedded into the system, extends throughout the data lifecycle and serves to foster accountability and data security;
• Visibility and transparency – to ensure accountability and increase trust, component parts and operations are open and transparent, and stakeholders are assured that all business practices and technologies are operating as per stated promises and objectives;
• User-centricity – design and operation of systems should be designed around the interest and needs of individuals, through measures such as maintaining privacy as the default mode.

The application of the principles described above can be exemplified in the design and operation of a typical web page that automatically collects information from users. In this case, privacy by design can require that the user interface is laid out in such a way that users are proactively informed of the web page’s cookie usage and are given a clear option to accept or refuse them. It would require that consent for such data collection is not based on pre-checked box forms. Rather, it would require active consent, which requires that users be able to check the box form themselves. Such models could, however, lead to issues such as consent fatigue (as discussed in Chapter 3 on Data Protection Principles). Privacy by design also involves designing the collection and storage process in such a way that only strictly necessary information is collected. It also involves promoting the ability to unlink the identifiability of an individual from their personal data through measures, such as pseudonymisation.

254 ‘Data Protection by Design and Default’ (UK Information Commissioner’s Office) https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/.
255 Farida H. Semantha, Sami Azam, Kheng Cher Yeo and Bharanidharan Shanmugam, ‘A Systematic Literature Review on Privacy by Design in the Healthcare Sector’ (2020) 9(3) Electronics 452, 453.
256 Ann Cavoukian, 'Privacy by Design - The 7 Foundational Principles’ (2011) https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf.

Fig 4.1: The Privacy by Design Trilogy

[Figure: PbD applied to three areas: IT systems; accountable business practice; physical design and networked infrastructure.]

PbD as a concept applies to a trilogy of encompassing applications.257

257 Ann Cavoukian, 'Privacy by Design - The 7 Foundational Principles’ (2011) https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf.

4.2.1 Existence of requirement to institute privacy by design

Not all the Identified Regional Frameworks have incorporated privacy by design as a concept that requires data controllers and processors to build their systems around the principle of individual privacy. Among the frameworks, privacy by design principles are acknowledged only in Convention 108+, the OECD Guidelines, the APEC Privacy Framework, the GDPR, and the OAS Principles.

4.2.2 Content of privacy by design requirements

Article 10(2) of Convention 108+ requires data controllers and processors to “examine the likely impact of intended data processing on the rights and fundamental freedoms of data subjects” before they commence such processing. It also states that data processing should be designed to “prevent or minimise the risk of interference with those rights and fundamental freedoms.”

The OECD Guidelines have provisions that are relevant to privacy by design under data controller obligations on implementing accountability. They require data controllers to have in place a privacy management programme that not only gives effect to the OECD Guidelines for all personal data under their control, but is tailored to their processing operations (structure, scale, volume, and sensitivity), and provides for appropriate security safeguards. The programme must also be integrated into their governance structures with internal oversight mechanisms. It must include plans for responding to inquiries and incidents, and must be periodically reviewed and updated. The data controller is also required to “demonstrate its privacy management programme” at the request of a competent privacy enforcement authority.258

The APEC Privacy Framework prescribes that personal information protection should be “designed to prevent the misuse of [personal] information”. It also calls for specific obligations which take into account the risk of harm that may result from misuse of such information, and taking remedial measures which should be “proportionate to the likelihood and severity of any harm threatened by the collection or use of personal information”.259

The GDPR has specific provisions dealing with data protection by design and default. Article 25(1) prescribes that data controllers shall implement “appropriate technical and organisational measures, such as pseudonymisation” that are “designed to implement data protection principles, such as data minimisation” in an effective manner and to integrate the necessary safeguards into the processing. These measures will be implemented both “at the time of the determination of the means of processing and at the time of the processing itself.” The measures will be implemented “taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.”

The GDPR also adopts the principle of data protection by default. Recital 78 requires technical and organisational measures to be accounted for at the time of planning a processing system to protect data safety. Article 25(2) requires that data controllers implement the appropriate technical and organisational measures such that by default, only personal data which is necessary for each specific purpose is processed. The GDPR also specifies that this obligation applies to the amount of personal data collected, the extent of processing, the period of storage, and its accessibility. Such technical and organisational measures would ensure that by default the personal data will not be made accessible without the relevant individual’s intervention “to an indefinite number of natural persons.”260 Importantly, Article 25(3) also indicates that compliance with requirements relating to technical and organisational measures can be demonstrated through approved certification mechanisms under Article 42 of the GDPR.261

258 OECD Guidelines, Chapter 1, Part 3, para 15(a,b).


259 APEC Privacy Framework, Part iii, para 20. These obligations include measures such as: (i) self-regulatory efforts; (ii) education and
awareness campaigns; and (iii) laws, regulations, and enforcement mechanisms.
260 GDPR, art 25(2).
261 Certification mechanisms (and data protection seals or marks) would also enhance transparency and enable data subjects to assess the
data protection levels of products and services. See GDPR, recital 100.

The GDPR also leaves the adoption of specific measures to implement privacy by design open to legislation. Recital 78 gives the example of pseudonymisation, which involves de-identification of personal data through the use of artificial identifiers (as discussed in Chapter 2 on Key Definitions).

The OAS Principles note that privacy by design is a form of proactive accountability and relates to processor and controller actions before they even collect or begin to process data. It requires privacy and security considerations to be incorporated into every stage of product design. Data processing should also prioritise user privacy and data protection. It also notes that privacy by default requires personal data to be treated proportionally to the purpose for which it was collected, and that privacy by default should be “completely implemented” prior to data processing. It specifies that special care should be taken to reinforce the protection of sensitive data when operationalising privacy by design and default, that risks be identified and measures be taken to mitigate them based on requirements under domestic law.262

More generally, the OAS principle of accountability requires controllers to establish and comply with data protection goals. However, data controllers can be permitted to determine the most appropriate ways to reach those goals and monitor compliance in a manner that best serves their business models and customers. They note that controllers should be able to implement appropriate technical and organisational measures to demonstrate compliance with data protection principles. Processors should also be required to provide sufficient guarantees to ensure the protection of a data subject’s rights. Codes of conduct or certification mechanisms may be used to demonstrate compliance. National regulatory frameworks should provide guidance for data controllers, especially to demonstrate accountability.263

Privacy by design forms a core component of data protection. Requiring both public and private data controllers and processors to institute such programmes can significantly contribute to the protection of individuals’ privacy. It also helps create accountability measures and safeguards to address the risks of large-scale data collection and use, such as exclusions, discrimination, and surveillance. It is especially important for data controllers and processors to adhere to, and demonstrate compliance with, objective standards of data protection when the use and collection of personal data is linked to the provision of essential services. Technical guarantees that support privacy laws and regulations, as well as the protections provided therein, are essential to meaningfully enforce data protection obligations.264

262 OAS Principles with Annotations, Principle 10, p 22-23.


263 OAS Principles with Annotations, Principle 10, p 22.
264 Prashant Agrawal, Anubhutie Singh, Malavika Raghavan, Subodh Sharma and Subhashis Banerjee, An operational architecture for privacy-by-design in public service applications, December 2020, 5, available at https://www.dvara.com/research/wp-content/uploads/2020/12/An-operational-architecture-for-privacy-by-design-in-public-service-applications.pdf.

Box 4.1: Privacy Enhancing Technologies


According to the European Commission, privacy enhancing technologies, or PETs, are
defined as “a coherent system of ICT measures that protects privacy by eliminating or
reducing personal data or by preventing unnecessary and/or undesired processing of
personal data, all without losing the functionality of the information system”.265 Using
PETs is an important way to implement privacy by design. Well known PETs include
pseudonymisation, encryption and obfuscation.266

Box 4.2: Privacy by Design Application Areas


Ontario’s former Information and Privacy Commissioner, who coined the term ‘privacy
by design’, has identified nine application areas that directly relate to privacy by
design:267

• CCTV/surveillance cameras in mass transit systems


• Biometrics used in casinos and gaming facilities
• Smart meters and the smart grid
• Mobile devices and communications
• Near field communications (NFC)
• RFIDs and sensor technologies
• Redesigning IP geolocation data
• Remote home health care
• Big data and data analytics.

265 Commission of the European Communities, ‘Communication from the Commission to the European Parliament and the Council on
Promoting Data Protection by Privacy Enhancing Technologies (PETs)’ COM (2007) 228 final.
266 European Union Agency for Network and Information Security, ‘Privacy by design in big data: An overview of privacy enhancing technologies in the era of big data analytics’, December 2015, Chapter 4, available at https://arxiv.org/abs/1512.06000; Zbigniew Kwecka and others, ‘“I am Spartacus”: privacy enhancing technologies, collaborative obfuscation and privacy as a public good’ (2014) 22/2 Artificial Intelligence and Law pp 114-115 https://www.research.ed.ac.uk/en/publications/i-am-spartacus-privacy-enhancing-technologies-collaborative-obfus.
267 Ann Cavoukian, ‘Operationalizing Privacy by Design: A Guide to Implementing Strong Privacy Practices’ (Information and Privacy Commission, Ontario, December 2012), pp 55-58 https://collections.ola.org/mon/26012/320221.pdf.

4.3 Information and access to personal data

Transparency is a key requirement of privacy and data protection law. In data protection law, transparency engenders trust in citizens about data processing activities by enabling them to understand and challenge those activities. It is an expression of the data protection principle of “lawfulness and fairness”. When duly complied with, transparency requirements empower data subjects to exercise control over their personal information, for instance by withdrawing consent, or by holding controllers and processors accountable. Transparency obligations on controllers are complemented by the right of data subjects to access their personal data and related information.268

Data protection law usually aims to achieve transparency in data processing by requiring controllers and processors to implement a series of practical measures to provide information to data subjects regarding their data processing and management practices. Emphasis is also placed on the quality, accessibility and comprehensibility of the information provided to data subjects.269

4.3.1 Existence of requirement to provide information and access

All the Identified Regional Frameworks have incorporated provisions that specifically enshrine and promote transparency by data controllers.

4.3.2 Content of information to be provided

All the Identified Regional Frameworks require data controllers to provide information to data subjects regarding the processing of their data. Generally, this information includes:

• the fact that personal data is being collected;
• the data controller’s identity and address;
• the legal basis and the purposes of the intended processing;
• the categories of personal data processed;
• the recipients or categories of recipients of the personal data, if any;
• the means by which data subjects can exercise rights such as the right to access, correct and rectify personal data.270

The GDPR requires more information to be provided. It requires providing information, such as the controller’s intention to transfer personal data to third countries or international organisations.271 Where applicable, the existence of adequacy decisions by the European Commission and suitable safeguards in such cases are also to be mentioned. Other information must also be provided, such as the fact that data subjects have the right to lodge a complaint with the national supervisory authority, whether the provision of data by the data subject to the controller is based on a statutory or a contractual requirement, and the existence of any automated decision-making, specifically including profiling.272

268 Art. 29 Working Party, Guidelines on Transparency under Regulation 2016/679 of 29 November 2017 by the working party on the
protection of individuals with regard to the processing of personal data [2017] WP260 rev.01 (as revised and adopted on 11 April
2018), pp 4-5.
269 Art. 29 Working Party, Guidelines on Transparency under Regulation 2016/679 of 29 November 2017 by the working party on the
protection of individuals with regard to the processing of personal data [2017] WP260 rev.01 (as revised and adopted on 11 April
2018), p 5.
270 Convention 108+, art 8; OECD Guidelines, paragraph 12, and paragraph 12, OECD Guidelines, Original Explanatory Memorandum,
Chapters 1 and 3, OECD Guidelines; Commonwealth PPI Bill, s 21(5); Commonwealth Model Privacy Bill, s 8(2); APEC Privacy
Framework, Part iii, para 21; AU Convention, art 16; ASEAN DP Framework, para 6(a); OAS Principles with Annotations, principle
2; HIPCAR Model Legislative Text, s 10; GDPR, arts 12-14.
271 GDPR, art 13(1)(f).
272 GDPR, art 13(2).

The GDPR and Convention 108+ provide exceptions
when it is not necessary to provide this information,
namely when the data subject already has the
information or when it proves impossible or involves
disproportionate efforts because the data subject
is not clearly identifiable or the controller has no
way of contacting the data subject.273 The APEC
Privacy Framework exempts situations, such as
the collection of publicly available information and
business contact information.274 However, the AU
Convention, OAS Principles, OECD Guidelines,
HIPCAR Privacy Framework and the Commonwealth
PPI and Privacy Bills do not permit specific exceptions
to this requirement. The ASEAN DP Framework
simply provides that controllers may collect, use
or disclose personal data without notification to or
consent of the data subject, when such actions are
authorised or required under domestic laws.275 Public
bodies and government agencies are not specifically
exempted from this transparency requirement under
the Identified Regional Frameworks. The obligation
placed on controllers to provide information is
complemented by the data subjects’ right to access
information. This right, and applicable exemptions are
discussed in Chapter 5 (Rights of Data Subjects).

4.3.3 When to provide this information

In most of the frameworks, this information is to be
provided at the time of collection. When this is not
possible it should be provided as soon as reasonably
possible following collection. For instance, the OAS
Principles require that the legal basis for processing,
the data processing purposes and other information
must, as a rule, be specified at or before the time
of data collection. The practices and policies of the
entities collecting data must also be provided so that
the data subjects are able to make informed decisions
whether to give the relevant information.276 The GDPR
not only requires information to be provided when
the data is collected, but at all stages of processing
under Article 12.

273 GDPR, arts 13(4) and 14(5); Convention 108+, art 8(2) and 8(3).
274 APEC Privacy Framework, Part iii, paras 21-23.
275 ASEAN DP Framework, Para 6(a)(ii).
276 OAS Principles with Annotations, Principle 2, p 9.

Box 4.3: Transparency under the GDPR


As the Article 29 Data Protection Working Party’s Guidelines on Transparency state,
transparency under the GDPR should be applied at all stages of the data processing
lifecycle:
• before or at the start of the data processing cycle (i.e., at the time when the
personal data is being collected, either from the data subject or otherwise
obtained);
• throughout the whole processing period (i.e., when communicating with data
subjects about their rights); and
• at specific points while processing is ongoing (e.g., when data breaches occur
or in the case of material changes to the processing).277

277 Art. 29 Working Party, Guidelines on Transparency under Regulation 2016/679 of 29 November 2017 by the working party on the
protection of individuals with regard to the processing of personal data [2017] WP260 rev.01 p 6.

4.3.4 How to provide the information

Mandating that data controllers are required to provide the information discussed above to data subjects is not sufficient. The requirement that the information should also be easily understandable, accessible, and conveyed through clear and plain language is common across the frameworks. This is to enable the average person to understand the information provided by data controllers so that as a data subject, they can make meaningful choices with respect to the use of their data. Although children can also be data subjects, specific provisions relating to these categories of data subjects are found only in the GDPR and the OAS Principles. They highlight that information provided to children should be in a concise, transparent, intelligible and easily accessible form, using clear and plain language.278 Data controllers can also be required to provide information in alternative formats to those with disabilities pursuant to the right of data subjects to access information,279 as noted in Chapter 5 (Rights of Data Subjects).

4.3.4.1 Transparency in government processing

Transparency provisions are essential for public authorities and government agencies. The ECJ has ruled that the transfer of personal tax data by one Romanian public authority to another for processing, without first informing the data subjects, violated the fair processing requirement.280 This decision was rendered on the basis of the Data Protection Directive.281

Transparency in government processing is important since governments collect large amounts of personal data for various purposes, such as for identity documents, state bank records, and evidence gathering by law enforcement. The need for limits on governmental use of personal data has become critical in light of the large-scale collection of personal data during the COVID-19 pandemic. Much of this data collection, such as contact tracing through many methods, such as geospatial tagging and flow modelling, was conducted in the absence of enabling laws or regulations governing data-sharing. Sensitive health data collected during this time is at heightened risk in jurisdictions without data protection laws. Some countries have reportedly shared such contact-tracing data with law enforcement,282 or have used intelligence software originally intended to track terrorist activity for contact-tracing efforts.283

278 GDPR, art 12(1); OAS Principles with Annotations, Principle 2, p 9.


279 Commonwealth PPI Bill, s 26; HIPCAR Model Legislative Text, s26(2); OAS Principles with Annotations, Principle 8, p 18.
280 Case C-201/14 Smaranda Bara and Others v Președintele Casei Naționale de Asigurări de Sănătate and Others [2015] pp 34-35, 38,
41, 46.
281 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard
to the Processing of Personal Data and on the Free Movement of such Data (repealed as on 25 May 2018).
282 BBC News, Andreas Illmer, ‘Singapore reveals Covid privacy data available to police’, 5 January 2021 https://www.bbc.com/news/world-asia-55541001.
283 The Indian Express, ‘Covid-19: Pakistan uses militant-tracking technology for contact tracing’, 28 May 2020 https://indianexpress.com/article/pakistan/pakistan-surveillance-technology-militants-coronavirus-6431271/; Moran Amit and others, ‘Mass-surveillance technologies to fight coronavirus spread: the case of Israel’ (2020) Nat Med 26, 1167–1169 https://doi.org/10.1038/s41591-020-0927-z

4.4 Security safeguards

Across the world, security threats to personal information are on the rise. The average number of cyberattacks and data breaches increased 15% in 2021 from the previous year, and are set to rise further.284 By imposing mandatory data security measures, data protection laws can serve to mitigate the adverse effects of data and cybersecurity threats.285

Data security involves processing data securely by means of certain technical and organisational measures. Technical measures include both physical measures, such as quality of doors and locks, CCTV and disposal policies, as well as ICT security, which includes security of network and information systems, online security, authorisation and authentication policies and device security, among others.286

Legal provisions requiring data security measures seek to prevent privacy violations. Their objective is to protect the “confidentiality, integrity and availability” of personal data to ensure: (i) that only those authorised to do so can access, alter, delete, or disclose data within the limits of their authority; (ii) the accuracy and completeness of data; and (iii) the accessibility, usability and recoverability of personal data.287

4.4.1 Existence of requirement to provide security safeguards

Data security is broadly recognized as a basic principle of data protection across all Identified Regional Frameworks. All frameworks have provisions requiring data controllers and processors to ensure data security.

4.4.2 Level of data security prescribed

Since data security involves the imposition of measures that can be quite varied and complex, the standard commonly employed in the Identified Regional Frameworks is that of “appropriate(ness)” or “reasonable(ness)” to ensure that the measures to be used for ensuring data security are required to be “appropriate” or “reasonable.”288 Although data security is a mandatory requirement across all Identified Regional Frameworks, the specific measures to be implemented are often left to national regulators or supervisory authorities to develop later, and authorities should take into account different factors such as the sector, kind of controller or processor, and the nature of data. The obligation to ensure data security focuses more on the conduct of controllers and processors rather than on the outcome of processing.

4.4.3 A risk-based approach

Relatedly, the frameworks also acknowledge that the safeguards can vary depending on several factors and emphasize that the security safeguards should be proportional to the risk of harm. The APEC Privacy Framework provides that safeguards should be “proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held.”289 The GDPR states that factors such as “the state of the art, the costs of implementation and the nature, scope, context

284 ‘Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know’ (Forbes) https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/.
285 Gloria González Fuster and Lina Jasmontaite ‘Cybersecurity Regulation in the European Union: The Digital, the Critical and
Fundamental Rights’ in Markus Christen, Bert Gordijn and Michele Loi (eds) The Ethics of Cybersecurity (Springer 2020).
286 UK Information Commissioner’s Office, ‘Guidance on Data Security: Guide to the General Data Protection Regulation’ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/#6.
287 Ibid.
288 GDPR, art 5(1)(f); ASEAN DP Framework, para 6(d); APEC Privacy Framework, Part iii, para 28; HIPCAR Model Legislative Text, s
14(1); OAS Principles with Annotations, principle 6, p 15; Commonwealth Model Privacy Bill, s 18(1).
289 APEC Privacy Framework, Part iii, para 28.

and purposes of processing,” and the likelihood and severity of risks to the rights and freedoms of natural persons, will determine the security safeguards to be employed.290

The OAS Principles note that the measures adopted to protect personal data can depend on the effects on data subjects’ rights, implementation costs, the nature of data and purposes of processing, and the sensitivity of the relevant data.291 They also specify that the principle of security is not necessarily violated by data controllers in case of unauthorised access, destruction, and other such consequences as long as the safeguards implemented were “reasonable and appropriate.” The determination of what is reasonable and appropriate would be based on best-practice and other factors, such as the proportionality and necessity of measures taken and the evolution of privacy threats. The Principles require the measures undertaken to be subject to “periodic review, reassessment, audit, updating and improvement”. They also specify that protecting the privacy of data subjects requires that they have control over their online experience, and that controllers should “have the flexibility” to provide users with tools to effectively control data sharing.292 They also state that controllers should be responsible for ensuring that any third parties who receive personal data from them comply with applicable safeguards and requirements.293

Box 4.4: Obligation of Conduct, Not Result


The obligation to put in place security safeguards to protect personal data generally
appears to focus on the conduct of controllers and processors and not on the result,
such as a breach of personal data. For instance, a 2015 hack leaked personal data from
the popular eBay internet auction website in South Korea. The country’s Supreme
Court upheld the lower court’s ruling that eBay had not violated its obligations under
the Standards for Technical and Administrative Protective Measures for Personal
Information established by the Ministry of Information and Communication, since it
had taken all reasonable and necessary measures to protect personal information.294
The Supreme Court took into account the hacking methods used, the level of security
technology available at the time, and the overall security measures taken by eBay.

290 GDPR, art 32(1).


291 OAS Principles with Annotations, Principle 6, p 15.
292 OAS Principles with Annotations, Principle 6, p 15.
293 OAS Principles with Annotations, Principle 10, p 23.
294 Supreme Court Decision 2013Da43994, 44003, decided February 12, 2015 <https://library.scourt.go.kr/SCLIB_data/decision/06-2013Da43994.htm> accessed 31 October 2021.

4.4.4 Harms to be protected against

A study of the Identified Regional Frameworks indicates that the typical harmful consequences that data security measures seek to prevent include accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access to personal data.295 The ASEAN DP Framework, Commonwealth PPI Bill, and the APEC Privacy Framework also include copying, modification, destruction, and similar risks.296

4.4.5 Processing on behalf of the controller and third-party processing

Data protection legislations also require compliance with data security measures in cases where processing is undertaken on behalf of the controller or by a third party. For instance, the Commonwealth PPI Bill holds an organisation responsible for personal information in its custody or control, including information that has been transferred to a third-party for processing.297 The AU Convention provides that “where processing is undertaken on behalf of a controller, the latter shall choose a processor providing sufficient guarantees,” and that it is “incumbent on the controller and the processor to ensure compliance with the security measures defined in [the] Convention.”298 The HIPCAR Privacy Framework also requires the controller to ensure that the person processing personal information on its behalf “can implement the security measures that must be taken” and “actually takes the measures so identified.”299

In a related provision, Section 33 of the Implementing Rules and Regulations of the Data Privacy Act of 2012 (implementing the Philippines’ Data Privacy Act, 2012) contains additional obligations for private service providers acting on behalf of government agencies. Where the government enters into contracts with service providers, such that they may be required to access the sensitive personal information of more than 1000 individuals, government agencies must require the service providers to register their data processing systems with the supervisory authority. They are also required to comply with other obligations under the Act that are applicable to government agencies and their employees.

From a transparency point of view, the security safeguards or data security measures taken by the controllers and processors can also be one of the details that should be disclosed to data subjects, as required in the Commonwealth PPI Bill.300 Furthermore, the GDPR provides that certification mechanisms or adherence to codes of conduct can demonstrate compliance with security requirements.301 Periodic review of the security measures taken is also a requirement of data protection law, as evidenced by the OAS Principles and the GDPR.302

The legal requirement to establish security safeguards is complementary to more specific obligations, such as data breach notifications, data minimisation, and data quality.303 Notably, provisions pertaining to data security are more commonly framed as obligations on data controllers and processors, and not as rights to be exercised by data subjects. Commentators have pointed out that it may be useful to also include them as data subjects’ rights and to empower them with remedies against data controllers.304
295 GDPR, art 32(2).


296 ASEAN DP Framework, para 6(d); s 18(1), Commonwealth PPI Bill; APEC Privacy Framework, Part iii, para 28.
297 Commonwealth PPI Bill, s 18(2).
298 AU Convention, principle 6, art 13.
299 HIPCAR Model Legislative Text, s 14(2).
300 Commonwealth PPI Bill, s 18(4).
301 GDPR, art 32(3).
302 OAS Principles with Annotations, Principle 6, p 15; GDPR, art 32(1)(d).
303 Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, ‘A Free and Fair Digital Economy: Protecting Privacy,
Empowering Indians’ (2018), 66.
304 Dvara Research, ‘Initial Comments of Dvara Research dated 16 January 2020 on the Personal Data Protection Bill 2019 introduced in the Lok Sabha on 11 December 2019’ (2020) p 4 https://www.dvara.com/research/wp-content/uploads/2020/01/Initial-Comments-on-the-Personal-Data-Protection-Bill-2019.pdf.

Box 4.5: Illustrations of the Cost of Data Security Breaches


• In March 2020, SolarWinds, a third-party vendor to several US government agencies and Fortune 500 companies, was hacked through a software update that it had sent to its clients. Discovered in December 2020, the breach is one of the biggest in history, with the breach costing the company at least $18 million in the first quarter of 2021.305 The full scale of the breach is still being investigated.306
• In March 2017, the failure to patch a well-known vulnerability at Equifax, a US credit rating agency, resulted in a security breach that disclosed the personal data and sensitive financial data of hundreds of millions of people in the United States. The settlement is expected to cost Equifax at least $650 million.307
• In 2014, a data breach at Marriott International resulted in the personal data (including credit and debit card details) of 383 million guests being leaked, putting them at risk of identity theft and social-engineering frauds.308

305 Reuters, Raphael Satter, ‘SolarWinds says dealing with hack fallout cost at least $18 million’, 14 April 2021 https://www.reuters.com/technology/solarwinds-says-dealing-with-hack-fallout-cost-least-18-million-2021-04-13/.
306 ‘SolarWinds hack was 'largest and most sophisticated attack' ever: Microsoft president’ (Reuters, 15 February 2021) https://www.reuters.com/article/us-cyber-solarwinds-microsoft-idUSKBN2AF03R.
307 Stacy Cowley, ‘Equifax to Pay at Least $650 Million in Largest-Ever Data Breach Settlement’, The New York Times (2019) https://www.nytimes.com/2019/07/22/business/equifax-settlement.html; Neil Daswani and Moudy Elbayadi, Big Breaches: Cybersecurity Lessons for Everyone (Springer 2021), ch 4.
308 Neil Daswani and Moudy Elbayadi, Big Breaches: Cybersecurity Lessons for Everyone (Springer 2021), ch 3.

4.5 Reporting of personal data breach

The breach notification requirements in data protection laws typically oblige entities that control and process data to notify a supervisory authority and/or affected data subjects if there has been unauthorised access to data.309 The objective of notifications is to enable the affected data subjects to take steps to mitigate the risks to their data, as well as to incentivise entities to implement and strengthen their data security measures.310

4.5.1 Existence of breach notification requirements

Among the Identified Regional Frameworks, Convention 108+, the OECD Guidelines, the GDPR and the OAS Principles have mandatory notification requirements if a personal data breach takes place. Meanwhile the Commonwealth PPI and Privacy Bills, the AU Convention, ASEAN DP Framework and the HIPCAR Privacy Framework do not. The APEC Privacy Framework notes that requiring that the data protection authority and/or data subjects are notified of breaches can reduce the risk of harm to the relevant individuals, and notes that Member States should “consider encouraging or requiring personal information controllers to provide notice” in case of significant data security breaches.311

4.5.2 Defining a personal data breach

Among the Convention 108+, the OECD Guidelines, the GDPR and the OAS Principles (that have the mandatory data breach disclosure requirements), only the GDPR defines what constitutes a personal data breach. Defining a personal data breach adds clarity on notification requirements, and reduces the possibility of confusion or lack of clarity among controllers, processors and supervisory authorities as to when to notify and when to not.312 A personal data breach in the GDPR is defined as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”313

4.5.3 Threshold requirements for personal data breach notifications

Convention 108+, OECD Guidelines, and GDPR require minimum thresholds to trigger the notification requirement. Convention 108+ requires notifications of data breaches which may “seriously interfere with the rights and fundamental freedoms of data subjects”.314 Instances that qualify as serious interference are provided by the Explanatory Report to Convention 108+, which include “disclosure of data covered by professional confidentiality, or which may result in financial, reputational, or physical harm or humiliation”.315

309 Ravi Sen and Sharad Borle, ‘Estimating the Contextual Risk of Data Breach: An Empirical Approach’ (2015) 32(2) Journal of
Management Information Systems 314.
310 See ‘Security Breach Notification Laws: Views from Chief Security Officers’ (December 2007) Samuelson Law, Technology and Public
Policy Clinic, University of California-Berkeley School of Law, available at https://www.law.berkeley.edu/files/cso_study.pdf.
311 APEC Privacy Framework, Part iii, para 20 and Part iv, para 54.
312 Rishab Bailey, Vrinda Bhandari, Smriti Parsheera, Faiza Rahman, ‘Comments on the (Draft) Personal Data Protection Bill, 2018’ (2018) NIPFP, 13 https://www.medianama.com/wp-content/uploads/NIPFP-Submission-India-Draft-Data-Protection-Bill-Privacy-2018.pdf.
313 GDPR, art 4(12).
314 Convention 108+, art 7(2).
315 Explanatory Report to the Convention 108+, p 22, para 64. The text of the Explanatory Report to the Convention 108+ is intended to
guide and assist the application of the provisions of the Convention and provides an indication as to how the drafters envisaged the
operation of the Convention.

The OECD Guidelines require notification to supervisory authorities when a “significant security breach affecting personal data” takes place and to data subjects when “the breach is likely to adversely affect” them.316

Similarly, the GDPR requires notification to the supervisory authority only when the breach is likely to result in a “risk to the rights and freedoms of natural persons,” while notifications to the data subjects are required when the “personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.”317 The OAS Principles note that controllers should notify data subjects and relevant authorities in some cases, but do not specify thresholds. They also note that reporting requirements are imposed by relevant domestic law by member states.318

Who data controllers are required to notify in case of personal data breaches

Convention 108+ requires notifying only the supervisory authority mandatorily.319 However, its Explanatory Report recognises that the controllers may need to notify data subjects in other situations, for example when the breach is likely to result in a significant risk for the rights and freedoms of individuals (e.g., discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage).320

The OECD Guidelines and the GDPR require notifications to both supervisory authorities and data subjects on meeting their respective threshold, as explained above.321

The OAS Principles require data controllers to notify relevant data subjects in the event of a breach, and to also inform relevant criminal or civil authorities. They note that notification laws may also require controllers to cooperate with other agencies (e.g. entities responsible for cybersecurity). Breach notification laws may, in limited and specific situations, impose obligations on controllers to cooperate with law enforcement agencies and share personal data without the consent of the relevant data subjects. However, the OAS Principles require that states are careful to not impose conflicting notification and confidentiality obligations on controllers.322

316 OECD Guidelines, Chapter 1, Part 3, para 15(c).
317 GDPR, arts 33(1) and 34(1).
318 OAS Principles with Annotations, Principle 6, p 16.
319 Convention 108+, art 7(2).
320 Explanatory Report to the Convention 108+, paras 64-66, pp 22-23.
321 OECD Guidelines, Chapter 1, Part 3, para 15(c); GDPR, arts 33(1) and 34(1).
322 OAS Principles with Annotations, Principle 6, p 16.

Box 4.6: Breach Notification Database


Some experts have noted the utility of making breach notifications public, either on
the website of the supervisory authority,323 or in a centralised database.324 This would
not only incentivise organisations to improve security for fear of reputational loss,
but also make available data for research and assist enforcement agencies without
compromising security incentives.

4.5.5 Applicability of notification obligations for personal data breaches

By and large, the frameworks place the obligation to notify data breaches on data controllers. The GDPR applies it specifically to processors and requires them to notify all personal data breaches to controllers, regardless of thresholds. They are required to do so without delay after becoming aware of the breach.325 It then falls to the controllers to notify the supervisory authorities and/or the data subjects, depending on whether the personal data breach meets the threshold requirements. Commentators have pointed out that since processors under the GDPR also have the responsibility for ensuring data security,326 it is arbitrary to not require the processor to directly report breaches to supervisory authorities or data subjects, especially since security breaches can take place at many different levels including at the processor level.327

While none of the Identified Regional Frameworks distinguish between government and private data controllers with respect to breach notification requirements, they do envisage exemptions to this provision, typically on the grounds of national security, public safety, public order and investigation and prosecution of criminal offences for government entities.328 Notably, the GDPR does not exempt compliance with this provision on these grounds.

Providing exemptions from such requirements, especially for a broad range of purposes, can significantly impair the ability of data subjects impacted by a breach to exercise their rights under data protection law, and to take the necessary measures to mitigate the effects of the breach.

323 Angela Daly, ‘The introduction of data breach notification legislation in Australia: A comparative view, Computer Law & Security
Review’ (2018) Computer Law & Security Review 16.
324 ‘Security Breach Notification Laws: Views from Chief Security Officers’ (December 2007) Samuelson Law, Technology and Public
Policy Clinic, University of California-Berkeley School of Law, p 13, available at https://www.law.berkeley.edu/files/cso_study.pdf.
325 GDPR, art 33.
326 GDPR, art 30(2)(d).
327 P Blume, ‘Controller and Processor: Is There a Risk of Confusion?’ (2013) 3 IDPL 140, 144.
328 Convention 108+, art 11; para 4, OECD Guidelines, Chapter 1.

Box 4.7: Breach notification requirements


A study by the Samuelson Law, Technology and Public Policy Clinic, University of
California Berkeley School of Law, which examined the views of several Chief Security
Officers in major organisations, found that:329

• Breach notification requirements are directly related to companies increasing
and improving their data security measures to avoid reputational loss and to
avoid seeming irresponsible.
• They raise awareness levels within organisations and increase cooperation
among different departments within organisations.
• As organisations are made responsible for data breaches, they exert pressure
on other organisations holding data to meet data security standards, improving
overall industry standards through flow-on effects.

329 ‘Security Breach Notification Laws: Views from Chief Security Officers’ (December 2007) Samuelson Law, Technology and Public
Policy Clinic, University of California-Berkeley School of Law, available at https://www.law.berkeley.edu/files/cso_study.pdf.

4.6 Maintenance of records relating to processing activities

Maintaining records is an organisational requirement and a measure of good data governance.330 As an element of the accountability principle, it helps supervisory authorities monitor organisations to show compliance with data protection laws. Organisations are ordinarily required to keep a record of their processing activities, including processing purposes, data retention and sharing activities. Among other areas, records pertaining to categories of data subjects and personal data, transfers to third parties and their practices, and use and processing of personal data without consent are also included.

4.6.1 Existence of record maintenance requirements

The GDPR and the Commonwealth PPI Bill are the only regional frameworks that recognise and impose record maintenance requirements as distinct from data retention obligations.

4.6.2 Form and content of records to be maintained

The Commonwealth PPI Bill requires an organisation to record “all uses and disclosures that it makes of personal information about an individual” without consent.331 Organisations are also required to note personal information about the individual that they have in their custody or control, either as part of the records of such personal information or in a form linked to those records.332

The GDPR requires the maintenance of far more detailed records. It requires controllers to maintain a record of processing activities. Meanwhile, processors must maintain records of all categories of processing activities carried out on behalf of a controller. Such records must be “in writing, including in electronic form” and must be made available to the supervisory authority if so requested.333

The GDPR also specifies the details that need to be contained in such records, which include the name and contact details of the controller and its data protection officer, the purposes of and legal basis for processing, categories of personal data and data subjects, the use of profiling, categories of cross-border transfers and a general description of the technical and organisational security measures.334 There are similar obligations placed on processors. The obligation to maintain records of processing activities can increase costs for data controllers and processors. However, they also provide increased accountability and provide necessary information in case of investigations of violations of data protection laws.

330 UK Information Commissioner’s Office, ‘Guide to the General Data Protection Regulation’ 1 January 2021, 171 https://ico.org.uk/media/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr-1-1.pdf.
331 Commonwealth PPI Bill, s 19(1).
332 Commonwealth Bill, s 19(2).
333 GDPR, art 30(1-4).
334 GDPR, art 30(1)(g).

Box 4.8: Data Retention versus Record Maintenance Obligations

Although the concepts appear to overlap, there is a distinction between data retention
obligations and requirements to maintain records relating to processing. The former
is concerned with the actual retention of personal data with obligations relating to
the kinds of personal data to be preserved, the time periods for which they should
be retained and their destruction post the specified periods. The latter is concerned
with information on the processing of personal data and related practices, including
the kind of processing activities by controllers and processors, the categories of data
subjects and personal data, records of transfers to third parties and their practices, use
and processing of personal data without consent, etc.

4.7 Data protection impact assessments

A data protection impact assessment (DPIA) is a process by which data protection risks are identified and managed and is a key measure through which privacy by design is implemented. The objective of a DPIA is to carry out a systematic assessment of data processing activities to highlight risks to data protection and to determine whether the processing is compliant with the law.335 This in turn allows organisations to take appropriate action to minimise those risks.336

DPIAs can be carried out for a system, database, programme, application, scheme or service, and even draft legislation.337 The scope, context and nature of processing are detailed in the DPIAs. It also involves making necessity and proportionality assessments, and considering the risks and harms posed to data principals as well as action that can minimise the risks.338

4.7.1 Existence of DPIA requirements

Convention 108+, the OECD Guidelines, the GDPR, and the HIPCAR Privacy Framework require privacy or data protection impact assessments to be conducted, whereas the Commonwealth PPI and Privacy Bills, AU Convention and the ASEAN DP Framework do not. The APEC Privacy Framework notes the importance of “privacy management programmes” in ensuring accountability, and observes that Member States “should consider encouraging” data controllers to develop such programmes for all personal information under their control.339
and considering the risks and harms posed to data

335 Peter Carey, Data Protection – A Practical Guide to UK and EU Law (6th edn, OUP 2020) p 206.
336 Eduardo Ustaran (ed), European Data Protection Law and Practice (2nd edn, IAPP 2019).
337 David Wright, ‘Should Privacy Impact Assessments be Mandatory?’ (2011) 54(8) Communications of the ACM 121, 124.
338 UK Information Commissioner’s Office, ‘Data Protection Impact Assessments’ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/.
339 APEC Privacy Framework, Part iii, para 32 and Part iv, paras 43-45.

Though the OAS Principles do not specifically provide for DPIAs, they note that privacy protection “depends upon a credible assessment of the risks” to data subjects and mitigation of such risks. They also state that appropriate resources should be provided for the implementation of data protection programmes, such as risk management systems and training and supervision.340

4.7.2 Threshold requirements for DPIAs

Among the frameworks, Convention 108+, the OECD Guidelines, and the HIPCAR Privacy Framework do not impose any thresholds for triggering DPIA requirements.341 The HIPCAR Privacy Framework only requires public authorities to undertake privacy impact assessments. This is to be done “for any proposed enactment, system, project, programme or activity.”342

However, the GDPR requires a DPIA where processing, “in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing” is likely to result in a high risk to the rights and freedoms of individuals.343 It also specifically requires DPIAs in cases where: (i) the data processing involves an extensive evaluation of personal aspects, such as profiling; (ii) the processing involves special categories of data (such as revealing racial or ethnic origin), or data relating to criminal offences or convictions; or (iii) where the processing involves a systematic monitoring of a public space on a large scale.344

4.7.3 Procedure and content of DPIAs

Among the frameworks, only the GDPR and APEC Privacy Framework provide details on the procedure and content of DPIAs. According to the GDPR, the data controller must describe the proposed processing operation and the purpose being served by such operations. The DPIA must also reflect an assessment of the necessity and proportionality of the processing operation against its stated purpose. Lastly, it must contain an assessment of the possible risks to rights and freedoms of data subjects, and proposed security measures to address these risks and ensure compliance with the GDPR.345

The APEC Privacy Framework notes that privacy management programmes should: (i) be tailored to the structure and scale of operations of the relevant controller and the sensitivity of personal data that is being processed; (ii) provide appropriate safeguards based on the risk assessment; (iii) establish internal oversight and response mechanisms; (iv) be overseen by appropriately trained personnel; and (v) be monitored and regularly updated. It also requires data controllers be prepared to demonstrate their privacy management programmes at the request of the relevant data protection authority or other appropriate entity.346

4.7.4 Role of supervisory authority in DPIAs

None of the frameworks require approval for the DPIA from the supervisory authority. However, the GDPR allows Member States to make DPIAs mandatory when processing is required by the controller for the performance of a task which is in the public interest, such as for the purposes of social protection or public health.347

340 OAS Principles with Annotations, Principle 10, p 22.


341 Convention 108+, Art 10(2); Explanatory Report to the Convention 108+, p 25, para 88; para 15 OECD Guidelines, p 24 Supplementary
Explanatory Memorandum to the OECD Guidelines, Chapters 1 and 2, OECD Privacy Framework; HIPCAR Model Legislative Text,
s 28.
342 HIPCAR Model Legislative Text, s 28(1).
343 GDPR, art 35(1).
344 GDPR, art 35(3).
345 GDPR, arts 35(7)(a-d).
346 APEC Privacy Framework, Part iv, paras 44-45.
347 GDPR, art 36(5).

The GDPR also provides the most scope for
involvement from the supervisory authority. The
supervisory authority is required to publish a list
of processing activities that are subject to DPIAs
and a list of processing activities that are not. The
supervisory authority has to be consulted by the
data controller when the processing will result in a
high risk in the absence of mitigating measures.348
If the supervisory authority is of the opinion that the
processing will infringe the GDPR, especially in cases
where the risks have not been sufficiently mitigated
or identified by the controller, the supervisory
authority will provide written advice to the controller
and the processor within eight weeks of receipt of the
request for consultation.349 The supervisory authority
is also enabled to issue warnings, reprimands, order
compliance with the GDPR’s provisions, as well as
temporarily ban processing.350 The GDPR also lists
the information to be provided by the controller to
the supervisory authority, such as the respective
responsibilities of the controllers and processors
involved in the processing, the purposes of the
intended processing, and the safeguards used to
protect the rights and freedoms of data subjects.
States must also consult supervisory authorities when
proposals are prepared for legislative or regulatory
measures relating to processing.351

Mandating the use of DPIAs is central to implementing
and designing effective privacy by design
mechanisms. It can be tremendously useful in both
public and private sector applications and forms part
of data protection best practice. It can be especially
important for the use of personal data by state
agencies where vast amounts of personal data are
collected and processed, and where the risks to data
subjects can be the most significant, such as being
excluded from public services or discrimination.

348 GDPR, art 36(1).


349 GDPR, art 36(2).
350 GDPR, art 58.
351 GDPR, art 36(3,4).

Box 4.9: Data Protection Impact Assessment Checklist


The UK Information Commissioner’s Office has formulated a useful checklist for data
controllers to carry out data protection impact assessments:352

• Describe the nature, scope, context and purposes of the processing;
• Ask data processors to help understand and document their processing activities
and identify any associated risks;
• Consider the best way to consult relevant stakeholders (including data subjects);
• Ask for the advice of the data protection officer;
• Carry out necessity and proportionality assessments and describe how data
protection principles will be complied with;
• Assess the likelihood and severity of risks to individuals’ rights and interests;
• Identify measures that can reduce or eliminate high risks;
• Record decision-making with respect to the outcomes of the DPIA (including
difference of opinions with DPOs);
• Review the DPIA and revisit, if necessary.

Box 4.10: Data Audits


Data audits are assessments of whether organisations are following good data
practices. A data audit helps identify whether an organisation has effective controls,
policies and procedures in place to comply with its data protection obligations. It
typically involves identifying the different personal data an organisation collects, the
sources for such data, the purposes for which it is collected, storage and retention
practices and processing activities including third party transfers and the categories
of third party recipients. The findings are then reviewed to determine whether the
organisation is compliant with its data protection obligations, and if not, what needs to
be done to make it compliant. The United Kingdom’s Information Commissioner has
published a Guide to Data Audits that can be referred to for further information.353

352 UK Information Commissioner’s Office, ‘Data Protection Impact Assessments’ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/.
353 UK Information Commissioner’s Office, ‘A Guide to ICO Audits’ (2021) <https://ico.org.uk/media/for-organisations/documents/2787/guide-to-data-protection-audits.pdf> accessed 31 October 2021.

4.8 Data protection officer

The Data Protection Officer (DPO) is an expert officer appointed by controllers to facilitate their compliance with data protection obligations, thereby ensuring transparency and accountability with data protection law. They play an important role in ensuring that controllers comply with data protection regulation. The DPO’s functions ordinarily include compliance monitoring, developing procedures to demonstrate compliance and accountability, informing and advising on data protection obligations, as well as operating as a point of contact with both supervisory authorities and data subjects. DPOs are usually independent and report to the highest management, with several organisations often having a common DPO.354

4.8.1 Existence of requirement for DPOs

Convention 108+, OECD Guidelines, Commonwealth PPI Bill, the GDPR, the HIPCAR Privacy Framework and the OAS Principles envisage the appointment of a designated official by controllers to ensure data processing activities are compliant with data protection law.355 The APEC Privacy Framework, ASEAN DP Framework and AU Convention do not provide for such an official. In the HIPCAR Privacy Framework, this functional requirement is only required for the state due to the importance of effective oversight of data protection in public institutions.356 None of these frameworks have exempted public or governmental authorities from compliance with this requirement.

Box 4.11: DPOs under the GDPR


Under the GDPR, the controller and processor must appoint a DPO if:357

• they are a public body with the exception of courts acting in a judicial capacity;
• their core activities involve large scale processing requiring regular and
systematic monitoring of data subjects, such as tracking and profiling, both
online and offline; and
• their core activities consist of large scale processing of special categories of data,
such as genetic and biometric data, racial or ethnic data, or sexual orientation.

354 UK Information Commissioner’s Office, ‘Guide to Data Protection Officers’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/> accessed 31 October 2021.
355 Explanatory Report to Convention 108+, p 25, para 87; Supplementary Explanatory Memorandum to the Revised OECD Privacy
Guidelines, Chapter 2, p 24; Commonwealth PPI Bill, s 21(3); GDPR, arts 37-39; HIPCAR Model Legislative Text, s 31; OAS Principles
with Annotations, Principle 10, p 22.
356 HIPCAR Model Legislative Text, s 31 and para 47, p 51.

357 GDPR, art 37.



4.8.2 Responsibilities of the DPO

Although phraseology of DPOs differs, the common responsibility of the DPO across frameworks is to demonstrate or ensure their controllers’ compliance with applicable data protection law. According to the Supplementary Explanatory Memorandum to the Revised OECD Guidelines, they may play an important role in designing and implementing the privacy management programmes that controllers are required to have in place.358 The Commonwealth PPI Bill requires that they facilitate the organisation’s compliance, ensure the organisation’s employees are duly informed of their duties and respond to inquiries from the public about their information management practices.359 This requirement applies only to organisations in the private sector and not to public bodies.

The GDPR similarly requires DPOs to: (i) inform and advise controllers and processors of their data protection obligations; (ii) monitor compliance; (iii) train staff; (iv) provide advice with respect to and monitor data protection impact assessments; and (v) cooperate with and act as the contact point for supervisory authorities.360

In the HIPCAR Privacy Framework, the data protection officer (called the personal data representative) has to independently ensure that the controller is processing personal data in a lawful and correct manner and in accordance with good practice. The personal data representative would be an independent person within the controller who would have to report non-compliance with data protection obligations to the supervisory authority.361 This could be why the CARICOM framework imposes this requirement only on public authorities. According to the OAS Principles, the designation of a Chief Information and Privacy Official within controllers is meant to serve the purpose of controllers adopting effective privacy management programmes, conducting internal reviews and trainings designed to promote the privacy of individuals, and other functions.362

The GDPR363 and HIPCAR Privacy Framework364 provide for the independent functioning of the DPOs. Given the range of responsibilities described above, it is essential for DPOs to be able to perform their functions independently. To avoid conflicts of interest and exercise autonomy, DPOs must be provided with the necessary resources and shielded from interference.365

358 Supplementary Explanatory Memorandum to the Revised OECD Privacy Guidelines, p 24.
359 Commonwealth PPI Bill, s 21.
360 GDPR, art 39.
361 HIPCAR Model Legislative Text, s 31.
362 OAS Principles with Annotations, principle 10, p 22.
363 GDPR, art 38(3) and recital 97.
364 HIPCAR Model Legislative Text, s 31(2).
365 Miguel Recio, 'Data Protection Officer: The Key Figure to Ensure Data Protection and Accountability' (2017) 3 Eur Data Prot L Rev
114, p 117.

Key considerations

◊ Transparency and accountability measures are essential to effectively implement data protection and operationalise privacy. They complement and support all other components of data protection frameworks and are usually operationalised through the measures discussed in the chapter.

◊ Other transparency and accountability measures typically provided for in data protection frameworks include:

◊ Privacy by design: It creates accountability and safeguards against risks arising from large-scale processing of personal data, by requiring organisations to proactively embed good privacy practices into the design and operation of systems, infrastructure, and business practices and ensuring privacy and data protection throughout the entire lifecycle of the data.

◊ Data protection impact assessments (DPIAs): DPIAs aid in the design and implementation of effective privacy by design systems. They help identify and manage risks arising from data processing activities and take the necessary steps to mitigate those risks.

◊ Information and access to data: Information and access requirements for data controllers equip data subjects to effectively exercise their rights and increase accountability. Frameworks typically require controllers and processors to implement a series of practical measures to provide information to data subjects on data processing and management practices, in easily accessible and comprehensible formats.

◊ Security safeguards: Data security is a core component of data protection frameworks. All data protection frameworks require controllers to implement data security through technical and organisational measures aimed at protecting the “confidentiality, integrity and availability” of personal data.

◊ Reporting breaches of personal data: Data breach notification obligations require data controllers and processors to notify supervisory authorities and/or affected data subjects of unauthorised access to data. This enables data subjects to mitigate risks, ensures accountability for breaches after they occur, and incentivises controllers to strengthen and maintain strong data security mechanisms.

◊ Maintenance of records: Maintaining records relating to processing activities forms part of ensuring accountability for controllers and processors, and is a measure of good data governance. It helps organisations demonstrate compliance with data protection laws, and they are ordinarily required to keep a record of their processing activities, including purposes of processing, data retention and sharing activities.

◊ Data protection officers (DPOs): The appointment of DPOs helps controllers comply with data protection obligations and helps ensure transparency and accountability. DPOs are generally independent and report to the highest management, and usually are required to notify relevant authorities of controllers’ non-compliance with data protection obligations.

CHAPTER 5

RIGHTS OF DATA SUBJECTS

5.1 Introduction

As discussed in Chapter 1 (Introduction), the right to privacy and its various components
flow from international instruments like the UDHR and ICCPR, and principles such as the
FIPPs. Providing legal rights to data subjects so that they can protect their privacy is one of
the ways in which these principles are operationalised. These rights are at the core of data
protection frameworks.

This chapter explores the following key rights that are conferred on data subjects in the Identified Regional Frameworks:

• the rights to access, confirmation, and information;
• the rights to rectification and erasure or deletion;
• the rights to be forgotten and to data portability;
• the rights to object and to restrict processing;
• the right against automated decision-making and profiling;
• the right to delegate (or for a third party to exercise) rights; and
• whistle-blower protection.

These rights are meant to provide data subjects with control over their personal information, increase transparency and accountability of data controllers and processors, as well as help data subjects obtain redress for the misuse of their personal data. This chapter also explores the restrictions on these rights along with relevant obligations on data processors.

Most of the Identified Regional Frameworks do not distinguish between data controllers that are private parties, and those that are state entities, for the exercise of data subject rights. The exception is the Commonwealth Privacy Bill, which only focuses on the processing of personal information by state entities. It does not contain specific data subject rights but does include some obligations for data controllers, as covered in Chapters 3 and 4 (on Data Protection Principles, and Transparency and Accountability), and as discussed in relevant sections below. The Commonwealth PPI Bill covers data processing by private sector organisations and provides for data subject rights and controller obligations.

5.2 The rights to access, confirmation, and information

The rights of a data subject to access and confirm the personal information that a data controller possesses about them are among the most basic rights provided by the Identified Regional Frameworks. In fact, the ability to exercise these rights is a necessary first step in meaningfully exercising the other rights available to data subjects: without understanding what information a data controller has about a data subject, the data subject would not be able to assess the ways in which the information is used.366

The Identified Regional Frameworks generally provide for two related rights, namely the right of a data subject to get the data controller to confirm whether it is processing personal information relating to them, and the right to access that personal data. Usually, the right of access and confirmation requires data controllers to provide the relevant information within a reasonable time, either free of charge, or through the payment of a nominal fee. The information must be in a form that is easily understood, and which enables data subjects to either challenge or deny the accuracy of the relevant information.367

Some frameworks contain additional details on how these rights apply for certain kinds of information such as health data, or where automated decision-making technologies are used, as explored below. The right to access and confirmation is not absolute and can be restricted in limited circumstances, such as for legal or statutory duties of confidentiality.

5.2.1 Framework overview of the rights to access, confirmation, and information

There are differences in the way each Identified Regional Framework provides these rights, which are explored below.

5.2.1.1 Confirmation and access

The GDPR, Convention 108+, AU Convention, OECD Guidelines, OAS Principles, and APEC Privacy Framework all contain the rights to confirmation and access, which allow a data subject to confirm whether a data controller is processing their personal information. If a data controller is in possession of an individual’s data, these rights entitle the individual to access that information and related details.368 The GDPR specifies that this right is provided to data subjects to “be aware of, and verify, the lawfulness of the processing.”369 The OECD Guidelines note that the right to access should be simple to exercise, and that there are different ways in which the requirement to communicate requested data within a reasonable timeframe can be satisfied by controllers. Data controllers who provide information to data subjects at regular intervals could, for instance, be exempted from the requirement to respond immediately to individual requests.370 The information to be provided to data subjects pursuant to this right is covered in section 5.2.2 below.

366 Case 553/07 College van burgemeester en wethouders van Rotterdam v MEE Rijkeboer [2009] E.C.R. I-03889 https://privacylibrary.ccgnlud.org/case/college-van-burgemeester-en-wethouders-van-rotterdam-vs-mee-rijkeboer?searchuniqueid=234711.
367 OAS Principles with Annotations, Principle 8, page 31; APEC Privacy Framework, Part iii, Principle VIII, para 29; Original Explanatory
Memorandum OECD Guidelines, Paragraph 13 – Individual Participation Principle, p 58; ASEAN DP Framework, principle 6(e).
368 GDPR, art 15; Convention 108+, arts 9(1)(b), 9(1)(c); AU Convention, arts 16 and 17; Original Explanatory Memorandum OECD
Guidelines, Paragraph 13 – Individual Participation Principle, p 58; APEC Privacy Framework, Part iii, Principle VIII, para 29; OAS
Principles with Annotations, Principle 8, page 17.
369 GDPR, Recital 63.
370 Original Explanatory Memorandum OECD Guidelines, Paragraph 13 – Individual Participation Principle, p 58.

5.2.1.2 Access

The HIPCAR Privacy Framework and the Commonwealth PPI Bill do not provide data subjects the specific right to confirm whether a data controller has information on them, but they do contain the right to access any information in their custody or control.371 However, data controllers under both frameworks are nevertheless required to inform data subjects of the types of data being collected from them and the processing purposes at the time of collection.372 While this would mean that data subjects are ostensibly informed about the fact that a controller has collected their personal information, the Commonwealth PPI Bill also contains provisions allowing data collection without the knowledge and consent of the data subjects in some cases, such as when it is “clearly in the interests of the individual and consent cannot be obtained in a timely manner”.373 Such exceptions can impair the ability of data subjects to exercise their rights.

5.2.1.3 Access and rectification

The ASEAN DP Framework does not provide for specific rights, but enumerates the principles of data protection, and merges the rights of access and rectification as part of these principles. It couches the rights to access and correction as obligations of data controllers, requiring them to provide data subjects access to their personal data and to correct errors or omissions unless prohibited by law.374 The right to rectification is explored in detail in section 5.3 below.

5.2.2 Information to be provided to data subjects

As noted in Chapter 4 (Transparency and Accountability), the transparency principle requires data controllers to provide data subjects with information such as the fact of collection of personal data and the purposes of processing. This generally needs to be provided at the time of collection of data or soon thereafter. The right to access information is related but separate, and allows data subjects to access information from controllers on request.

The OECD Guidelines, APEC Privacy Framework, the ASEAN DP Framework, OAS Principles, HIPCAR Privacy Framework, and Commonwealth PPI Bill do not specify the categories of information that are to be made available to data subjects. They simply provide that data subjects should have the right to access, and to have communicated to them, the information that a controller has in its possession that relates to the data subjects.375 This information would have to be communicated to the data subject by the relevant controller at the data subject’s request. In contrast, the GDPR, Convention 108+, and the AU Convention require data controllers to provide specific categories of information following a request from the data subject. This includes:

• the categories of personal data processed;
• the purpose for data processing;
• the recipients or categories of recipients to whom the data has been or will be disclosed;
• the period of personal data storage or the criteria used to determine this period;376
• information on the data source when it is not collected from the data subject directly.377

The GDPR and AU Convention also require data controllers to provide information on the existence of other rights available to the data subject, such as the right to rectify or correct information and the right to redress with the relevant national authorities.378

The GDPR and Convention 108+ specify that data subjects have the right to be informed of appropriate safeguards that exist when their personal information is transferred to a third country or international organisation.379 Such measures can help provide data subjects with more control to decide how their personal information is used and the kinds of data processing acceptable to them.

While most frameworks require information to be provided in an easily understood format, a few specifically require controllers to provide information in alternative formats for data subjects with disabilities.380 The OAS Principles specify that domestic law should provide mechanisms by which access to information should be provided to groups at greater disadvantage or who face greater risks of exclusion. It also notes that exercising these rights should not result in discrimination, denial of service, or differential service to data subjects.381

5.2.3 Controller obligations to provide information to data subjects

Some of the requirements outlined above are framed as controller obligations in some frameworks, as outlined in Chapter 4 (Transparency and Accountability). More generally, transparency and accountability obligations imposed on data controllers are complementary to the rights to confirmation and access. The Commonwealth Privacy Bill requires that public authorities collect data only for lawful purposes and when data collection is necessary for those purposes. They must take “reasonable” steps to ensure that the relevant data subjects are made aware that some of their personal information is being collected at the time it is obtained, or soon thereafter. The purposes of collection and the intended recipients should also be communicated to data subjects at the time of collection and thereafter. It also requires that the authorities take reasonable steps to ensure the accuracy of the information, limit its use and disclosure with certain exceptions, and ensure the storage and security of personal information.382

5.2.4 Information to be provided on automated decision-making

As noted in Chapter 4 (Transparency and Accountability), the GDPR and Convention 108+ require data controllers to share information about: (i) the existence of automated decision-making technologies, including information about profiling; (ii) the logic underlying such processing; and (iii) the significance and anticipated consequences of such processing for the data subject.383 This is based on the understanding that having access to such information contributes to the data subject’s ability to exercise other rights and to avail themselves of safeguards, such as the right to object to personal data collection and to complain to the relevant supervisory authority. Data subjects would therefore be able to contest the logic underlying automated processing that is applied to them, such as for credit scoring, providing benefits, etc.

The OECD Guidelines highlight the practical challenges that may arise when implementing the right to access and correction in the digital age. For instance, it is not clear how data subjects would exercise the right to access their information from a platform undertaking a street mapping exercise. The Guidelines also point out that, given the increasing reliance on transactional data for automated risk management and profiling, it is essential for information to be accurate and up to date. In this context, authenticating the identity of individuals who are exercising this right with no prior relationship with the relevant organisation could be especially challenging.384

371 HIPCAR Model Legislative Text, s 22; Commonwealth PPI Bill, s 22.
372 HIPCAR Model Legislative Text, s 9, 10; Commonwealth PPI Bill, s 8 and s 9.
373 Commonwealth PPI Bill, s 11.
374 ASEAN DP Framework, principle 6(e).
375 Original Explanatory Memorandum OECD Guidelines, Paragraph 13 – Individual Participation Principle; ASEAN DP Framework, principle 6(e); OAS Principles with Annotations, Principle 8, page 17; APEC Privacy Framework, Principle VIII, para 29; HIPCAR Model Legislative Text, s 22(1); Commonwealth PPI Bill, part IV and s 22.
376 GDPR, art 15; Convention 108+, art 9(1)(b); AU Convention, art 16.
377 GDPR, art 15; Convention 108+, arts 9(1)(b) and 8(1); AU Convention, art 17(c).
378 GDPR, arts 15(1)(e)-(f); AU Convention, arts 16 (e)-(f).
379 GDPR, art 15(2); Council of Europe, ‘Explanatory Report to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data’ (1981), [68] (Explanatory Report –Convention 108+).

380 Convention 108+, Art 9(1)(b); Explanatory Report – Convention 108+, [68] and [76]; APEC Privacy Framework, Part iii, Principle
VIII, para 29(b)(iv); OAS Principles with Annotations, Principle 8, page 18; Original Explanatory Memorandum OECD Guidelines,
Individual Participation Principle, para 13(b)(iv), GDPR, recitals 39, 58; Commonwealth PPI Bill, s 26; HIPCAR Model Legislative
Text, s26(2).
381 OAS Principles with Annotations, Principle 8, pages 18-19.
382 Commonwealth Privacy Bill, ss 9-14.
383 GDPR, art 15; Convention 108+, art 9(1)(c)
384 OECD, ‘The Evolving Privacy Landscape: 30 Years After the OECD Privacy Guidelines’ in OECD (ed), The OECD Privacy Framework
(2013), 100-101.

5.2.5 Information to be provided on health data

Typically, frameworks provide that data subjects can
approach data controllers to exercise the rights to
access and confirm personal information. However,
Convention 108+ and OECD Guidelines recognise that
in some cases, it may be more appropriate to provide
for access to personal data through an intermediary.
For example, where health data is concerned, it
may be appropriate for a data subject to use the
assistance of a health professional to exercise their
right to access their health information.385 Convention
108+ notes that the health professional could assist in
helping the data subject understand the information,
or in ensuring that their psychological state is
accounted for when receiving sensitive information.
Such measures can be very helpful in meaningfully
exercising the right to access and information, since
the data subject would be able to rely on expert
assistance to understand the information that is
made available to them. Convention 108+ also
specifies that an intermediary to the supervisory
authority may be involved in exercising this right
“in exceptional circumstances”, though it does not
provide information on the circumstances in which
this may be beneficial.386

The GDPR also addresses health data and specifies that data subjects must have the right to access information concerning their health, such as information included in their medical records.387

385 Explanatory Report – Convention 108+, [74]; Original Explanatory Memorandum OECD Guidelines, Paragraph 13 – Individual
Participation Principle, p 58.
386 Explanatory Report – Convention 108+, [74].
387 GDPR, recital 63.

5.2.6 Denial of information requests from data subjects

Data controllers can in some circumstances deny requests made under this right. However, per Convention 108+, the OAS Principles, the GDPR, and the OECD Guidelines, they would be required to provide the data subjects with justifications for denial of requests, and the OAS Principles and OECD Guidelines require data subjects to be allowed to challenge denials of information.388 This provision exists in addition to the general ability of data subjects under most Identified Regional Frameworks to lodge complaints with the relevant data protection authority with regard to possible violations of the relevant frameworks.389

Within this context, the OAS Principles require data controllers to have an effective method by which data subjects can be made aware of the reasons for a denial of information and challenge the decision. This is to prevent arbitrary rejections and to allow data subjects to correct errors and mistakes, which is seen as a fundamental right under some frameworks.390 The OECD Guidelines specify that the right to challenge denial of information is broad enough to include not only initial challenges to the data controller, but also subsequent challenges according to domestic procedures in front of the courts, administrative bodies, and other bodies. The data subject would be entitled to the reliefs determined by law and domestic procedure in such cases.391

Importantly, the OECD’s Expert Group that drafted the Guidelines contemplated broadening the right to obtain reasons for any adverse decisions relating to the use of personal data, beyond denials of requests under the right to access and confirmation. However, it ultimately decided that it was too broad to be included in the framework. Nevertheless, the OECD Guidelines recognise that a right to obtain reasons for adverse decisions affecting data subjects based on the use of personal data, broader than in the context of access to information, may be appropriate and enable data subjects to effectively exercise their rights.392

5.2.7 Exemptions to the rights to access, confirmation, and information

The AU Convention, Convention 108+, and the OECD Guidelines do not contain specific exemptions to the rights to access, confirmation and information. The OAS Principles note that exceptional situations exist that would require personal data to be kept confidential. It provides that the restrictions should be set out in appropriate legislation or other instruments and should be as narrow and restrictive as possible. It provides an illustrative list of circumstances in which the restrictions should apply, such as where it would compromise trade secrets, or when a data subject is suspected of wrongdoing and is the subject of law enforcement investigations.393

388 OAS Principles with Annotations, Principle 8, page 17; GDPR, recital 59, art 12 (3,4); Explanatory Report – Convention 108+, [76];
OECD Guidelines, Paragraph 13(c) – Individual Participation Principle, Original Explanatory Memorandum OECD Guidelines,
Paragraph 13 – Individual Participation Principle, p 59.
389 GDPR, art 77; Convention 108+, arts 12 and 15(4); Explanatory Report – Convention 108+, [99]-[100], [122]; AU Convention, art
12(2)(e) (framed as a duty of the supervisory authority); OAS Principles with Annotations, Principle 13, page 27; HIPCAR Model
Legislative Text, part VI; Commonwealth PPI Bill, s 29 (framed as a duty of the supervisory authority); Original Explanatory
Memorandum OECD Guidelines, Paragraph 19 – National Implementation; APEC Privacy Framework, para 53. The ASEAN DP
Framework does not specifically describe remedies but requires that organisations should be accountable for complying with measures
which give effect to the principles (ASEAN DP Framework, principle 6(h)).
390 OAS Principles with Annotations, Principle 8, page 19.
391 Original Explanatory Memorandum OECD Guidelines, p 58.
392 Original Explanatory Memorandum OECD Guidelines, p 59.
393 OAS Principles with Annotations, Principle 8, pages 18-19.

The other frameworks provide specific exceptions to these rights, which include:

• Contravention of the rights and freedoms of others in some contexts, such as the invasion of another individual’s privacy, the life or security of another individual, or health data that could harm the health and safety of any individual;394
• Information relating to investigations, breach of law, or subject to confidentiality obligations, or if provided by law;395
• Information that would reveal confidential information that could reasonably be expected to harm the data controller or reveal trade secrets and other similar information;396
• Unreasonable or repetitive requests from a data subject that would impose disproportionate costs, or where the identity of the requester is not established or the requests are made in bad faith.397

Where some information requested by the data subject is exempt from disclosure, the HIPCAR Privacy Framework and APEC Privacy Framework require controllers to sever information which is exempt, and make the non-exempt information available to data subjects.398

The GDPR only specifically restricts the right of data subjects to access their personal information when the rights and freedoms of others are affected. However, as discussed in Chapters 3 and 4 (on Data Protection Principles, and Transparency and Accountability), controllers must provide certain information to data subjects when collecting personal data. The GDPR provides additional exemptions to this obligation when the controllers obtain personal data from sources other than the data subjects themselves. Exemptions would apply when the data subject already has the relevant information, when it involves a disproportionate effort to provide such information, especially when processing occurs for specific purposes as provided by law, and other specified circumstances.399

The Commonwealth PPI Bill also contains a provision that is not contained in other frameworks. If an organisation receives a request to access personal information that was previously disclosed to a governmental agency, the organisation is required to provide the agency written notice of the request. If the governmental agency objects to the request, the organisation is not allowed to provide the relevant information to the data subject.400 The Bill does not specify whether the data subject should be informed of the reason for the denial of their information request. Such provisions could significantly restrict the data subjects’ right of access, especially when they are unaware of the reasons for information denial.

“the ability to exercise these rights (i.e. the rights of data subject to access and confirm the personal information) is a necessary first step in meaningfully exercising the other rights available to data subjects.”

394 GDPR, art 15(4); HIPCAR Model Legislative Text, s 23(1)(a) and 23 (1)(d). See also APEC Privacy Framework, Principle VIII, para
30(iii); Commonwealth PPI Bill, s 22(1).
395 HIPCAR Model Legislative Text, s 23(1)(c); Commonwealth PPI Bill, s 22(1); APEC Privacy Framework, principle VIII and para
30(ii); ASEAN DP Framework, principle 6(e)(ii).
396 Commonwealth PPI Bill, s 22(1). The APEC Privacy Framework also exempts disclosure that would benefit a competitor – see APEC
Privacy Framework, commentary to Principle VIII and paras 29-31.
397 HIPCAR Model Legislative Text, s 23(2); Commonwealth PPI Bill, s 23(6). See also APEC privacy framework, principle VIII and para
30(i) and related commentary.
398 HIPCAR Model Legislative Text, s 24; APEC Privacy Framework, commentary to Principle VIII and paras 29-31.
399 GDPR, art 14(5) and 15(4).
400 Commonwealth PPI Bill, s 22(6).

5.3 The rights to rectification and erasure or deletion

All Identified Regional Frameworks contain a right to rectification. This is among the most important rights for data subjects since inaccurate data can lead to exclusions, inaccurate decisions, and other harms based on the nature of data and processing. Most of them also provide the right to erase information in some contexts, as discussed below. These rights permit data subjects to require the data controller to rectify or erase personal information which has been processed in contravention of applicable law, or when the information is inaccurate or incomplete.401 They also usually require the data controllers to notify other recipients with whom the controllers have shared the data of such rectification or deletion when possible. Data controllers have the discretion to refuse to comply with rectification or erasure requests when they are not satisfied with the data subject’s claim or in other limited circumstances. The right allowing for information to be erased in the context of rectification as presently described is distinct from the GDPR’s conception of the right to be forgotten.

5.3.1 Framework overview of the rights to rectification and erasure or deletion

All Identified Regional Frameworks provide data subjects the right to rectify information that a data controller possesses about them.402 Convention 108+, the AU Convention, and the APEC Privacy Framework also provide the right to erase data. However, the OAS Principles also specify that there may be some situations in which it may be more appropriate for data controllers to add more information to their existing records to accurately reflect the history of the information rather than to delete it.403

Interestingly, the OECD Guidelines specify that the data subject’s right to challenge the personal data held by data controllers does not imply that they are able to choose the remedy, such as to rectify the information, erase data, or annotate that the data is in dispute, but that it must be determined by domestic law and regulation. The HIPCAR Privacy Framework references the OECD’s Individual Participation Principle, which allows for data to be erased, rectified, completed, or amended when it is successfully challenged, but does not contain a specific right to erasure.404

401 AU Convention, art 19; HIPCAR Model Legislative Text, s 27; ASEAN DP Framework, principle 6(e)(ii); OAS Principles with
Annotations, Principle 8, page 19; Commonwealth PPI Bill, s 28; APEC Privacy framework, para 29(c).
402 GDPR, art 16; HIPCAR Model Legislative Text, s 27(1); Commonwealth PPI Bill, s 28(1); Convention 108+, art 9(1)(e), Explanatory
Report - Convention 108+, [72]; AU Convention, art 19; ASEAN DP Framework, principle 6(e); OAS Principles with Annotations,
Principle 8, page 19; APEC Privacy Framework, principle VIII and para 29(c); Original Explanatory Memorandum OECD Guidelines,
Paragraph 13(d) – Individual Participation Principle.
403 Convention 108+, art 9(e). The explanation specifies that this includes the right to rectify or erase inaccurate, false, or unlawfully processed data (Explanatory Report - Convention 108+, [72]); AU Convention, art 19; APEC Privacy Framework, principle VIII and para 29; OAS Principles with Annotations, Principle 8, page 19.
404 OECD, ‘Original Explanatory Memorandum to the OECD Privacy Guidelines (OECD, 1980)’ in OECD (ed), The OECD Privacy
Framework (2013), p 59 (Original Explanatory Memorandum OECD); HIPCAR, ‘Explanatory Notes to Model Legislative Text on
Privacy and Data Protection’ in HIPCAR (ed), Privacy and Data Protection - Model Policy Guidelines and Legislative Text (HIPCAR,
2012), [15] and [34]. It also allows for the Authorities to order data controllers to rectify or erase information ([68]).

5.3.2 Notice of rectification

Convention 108+ and the GDPR specifically require that data controllers notify other recipients with whom the controllers have shared the data of any rectification that takes place. The HIPCAR Privacy Framework goes further and requires controllers to annotate the data with the relevant requests when they are made, and to notify other data controllers and third parties to whom the data was disclosed to one year prior to the request. Other controllers or third parties must also similarly correct or annotate the personal data if it is still in their custody or control. The Commonwealth PPI Bill similarly requires controllers to “ensure that it does not obliterate the text of the record” as it existed before correction, where practicable. The OAS Principles explicitly caution that data subjects must not be allowed to introduce incorrect information into the controller’s records.405

5.3.3 Refusal of requests for rectification and erasure or deletion

All Identified Regional Frameworks provide data subjects the rights to access and correction, and a few also explicitly recognise these rights as among the most important safeguards to protect an individual’s privacy.406 However, data controllers can also refuse to comply with rectification or erasure requests when:407

• they are not satisfied of the data subject’s claim;
• it is required or authorised by law;
• necessary to protect commercial interests;
• the general exceptions to the rights of data subjects apply.

The rights of a data subject to access information and rectify any errors are likely the most important rights from the perspective of public bodies, as well as to establish digital identities. This is both because these rights are the basis to meaningfully exercise other rights available to data subjects, and because they can lead to significant consequences for data subjects depending on the nature of the data and its use.

Digital ID systems use individuals’ information to identify them and authorise systems to interact with them, and any errors in such information can lead to exclusions. The consequences of inaccurate information can be particularly severe if it is the basis to access services or decisions that can significantly affect the data subject. To be effective, it is essential that the rights to rectification and erasure can also be enforced against the state and public bodies. It is therefore essential for digital ID systems to be situated within a robust data protection framework and to be established pursuant to legislation that takes into account these concerns. It is also important for data protection authorities to operate independently, and to enforce data subject rights against state actors.

5.3.4 Exemptions to the rights to rectification and erasure or deletion

The OAS Principles note that the right to rectification or correction is not absolute and can be restricted when personal data is legally required to be retained by national legislation for the carrying out of an obligation, among other circumstances. It notes that national legislation must specify the conditions of access and rectification, applicable restrictions, and the specific grounds for such restrictions.408

405 Explanatory Report - Convention 108+, para 81; GDPR, art 19; HIPCAR Model Legislative Text, ss 27(3) - (4); Commonwealth PPI
Bill, s 28(3); OAS Principles with Annotations, Principle 8, page 19.
406 Original Explanatory Memorandum OECD Guidelines, [13], p 58; OAS Principles with Annotations, Principle 8, page 19; APEC
Privacy Framework, commentary to Principle VIII and paras 29-31.
407 Commonwealth PPI Bill, s 28(1); ASEAN DP Framework, principle 6(e)(ii); OAS Principles with Annotations, Principle 8, page 19;
The APEC Privacy Framework provides additional grounds, APEC Privacy Framework, commentary to Principle VIII and paras 29-
31.
408 OAS Principles with Annotations, Principle 8, page 19.

5.4 The rights to be forgotten and to data portability

The GDPR and the OAS Principles engage with these rights. The GDPR provides an explicit right to be forgotten. Nevertheless, several national authorities in other jurisdictions have also engaged with it in certain contexts, and the OAS Principles have acknowledged the right without explicitly providing for it. The GDPR and OAS Principles also provide the right to data portability.

5.4.1 The right to be forgotten


As discussed in the section above, some frameworks provide data subjects the right to erase personal information held by data controllers. This right can typically be exercised when the data subject’s personal information is inaccurate or incomplete, or where the data has been unlawfully processed. The GDPR provides a separate “right to be forgotten”, which allows data subjects to request that their information be erased in specified circumstances. It is not an absolute right, and can be exercised in a broader range of situations, such as when the personal data is no longer necessary for the purpose for which it was collected or when the data subject withdraws consent to processing or objects to the processing pursuant to the right to object, or if the personal data has been unlawfully processed, among other circumstances.409 In the context of the internet, the right to be forgotten is typically exercised to remove information relating to a data subject from results of search engines and websites.410

409 GDPR, art 17.


410 See for example Case C-131/12 Google Spain v AEPD [2014] OJ C 212 (Google v Spain) https://privacylibrary.ccgnlud.org/case/spain-sl-vs-agencia-espaola-de-proteccin-de-datos-aepd; Case C-507/17 Google v CNIL [2019] ECLI:EU:C:2019:15 https://privacylibrary.ccgnlud.org/case/google-llc-vs-commission-nationale-de-linformatique-et-des-liberts-cnil; and Case C-136/17 GC and Others v CNIL [2019] ECLI:EU:C:2019:773 (GC v CNIL) https://privacylibrary.ccgnlud.org/case/gc-af-bh-ed-vs-commission-nationale-de-linformatique-et-des-liberts-cnil.

In terms of search engines, this has manifested itself as a right to de-list information, meaning that data subjects can require search engine operators to not display links to certain information in search results. Given the potential implications on other rights such as freedom of speech and access to information, the GDPR provides for situations in which this right would not apply, such as when the processing is necessary to exercise the right of free speech, complying with legal obligations, and other such circumstances.411 Data controllers would have to take these and various other factors into account when assessing whether to erase information pursuant to a data subject’s request.412

5.4.1.1 Framework overview of the right to be forgotten

Although versions of this right have existed before, the right to be forgotten was brought into prominence in 2014. In Google v Spain, the ECJ found that data subjects could require search engines to remove personal data from search results, when the linked information was “inadequate, irrelevant or no longer relevant, or excessive”.413 It noted that search engines had the ability to significantly affect a person’s right to privacy since any internet user had the ability to obtain a wide range of information on a person’s life which would otherwise have been inaccessible.414 The GDPR highlights the importance of this right when data subjects consent to processing of information as children, which is at a time they are not fully aware of the risks and implications of online processing. It allows them to subsequently withdraw their consent from processing and to remove the relevant personal information from the internet. It also specifies that whenever exercised, the data controllers who made the personal data public must take reasonable steps to inform other data controllers processing the information to erase links and copies to the information.415

The OAS Principles also engage with the right to be forgotten and note that some national schemes provide data subjects with the right to erase publicly available data when it is “no longer necessary or relevant”, or in the case that they object to or withdraw consent to processing. They recognise that this right involves balancing different interests and principles, not only of privacy, but of “access to truth, freedom of information and speech, (and) proportionality”. They note that states should use national legislation to establish this right “where appropriate”, along with the terms of its use and exemptions. They note, however, that it remains contentious and is subject to differing definitions and conceptions of personal data, especially when it concerns factual data that is nevertheless considered excessive, personally embarrassing, or irrelevant by the data subject.416

5.4.1.2 Scope of the right to be forgotten

The right to de-list information as formulated by ECJ jurisprudence does not require search engines to delete the relevant information, but instead to significantly restrict access to it online.417 The Court more recently provided guidance to data controllers with regards to factors that they would have to consider when assessing requests to delist information, which would require them to strike a “fair balance” between the data subject’s right to respect for private life and the public’s freedom of information.418 It also requires search engine operators to assess the relevance of information relating to previous

411 GDPR, art 17(3).


412 ECJ case law provides some guidance: see for example Case C-507/17 Google v CNIL [2019] ECLI:EU:C:2019:15 https://privacylibrary.ccgnlud.org/case/google-llc-vs-commission-nationale-de-linformatique-et-des-liberts-cnil; and Case C-136/17 GC and Others v CNIL [2019] ECLI:EU:C:2019:773 (GC v CNIL) https://privacylibrary.ccgnlud.org/case/gc-af-bh-ed-vs-commission-nationale-de-linformatique-et-des-liberts-cnil. See also Article 29 Data Protection Working Party, ‘Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and Inc v. Agencia Española De Protección De Datos (Aepd) and Mario Costeja González” C-131/12’ (2014) https://privacylibrary.ccgnlud.org/case/spain-sl-vs-agencia-espaola-de-proteccin-de-datos-aepd.
413 Case C-131/12 Google Spain v AEPD [2014] OJ C 212 (Google v Spain) https://privacylibrary.ccgnlud.org/case/spain-sl-vs-agencia-espaola-de-proteccin-de-datos-aepd.
414 Google v Spain, [35] – [38] https://privacylibrary.ccgnlud.org/case/spain-sl-vs-agencia-espaola-de-proteccin-de-datos-aepd.
415 GDPR, recitals 65-66.
416 OAS Principles with Annotations, Principle 8, page 20.
417 Google v Spain, [88] https://privacylibrary.ccgnlud.org/case/spain-sl-vs-agencia-espaola-de-proteccin-de-datos-aepd.
418 GC v CNIL, [53, 66, 76, 77] https://privacylibrary.ccgnlud.org/case/gc-af-bh-ed-vs-commission-nationale-de-linformatique-et-des-liberts-cnil. See also Google v Spain, [81, 99] https://privacylibrary.ccgnlud.org/case/spain-sl-vs-agencia-espaola-de-proteccin-de-datos-aepd.

criminal proceedings brought against data subjects in responding to requests for de-referencing such information against factors such as the seriousness of the offence, the public’s interest in the information, and the amount of time that has elapsed since the offence. Search engines would have to nevertheless reorder search results, such that “the overall picture it gives the internet user reflects the current legal position”, meaning, in particular, that web pages with information on the updated legal status (such as acquittal, conviction, appeal, etc) must appear first in search results.419

National authorities in other jurisdictions such as India, South Africa, and Canada have contemplated including versions of this right in their domestic legislation.420 It has sometimes been explored as a right to be provided by state actors, or the judiciary, instead of by data controllers. For instance, India’s draft Data Protection Bill, 2021 requires regulatory officers appointed under the legislation to assess data subject requests to exercise this right.421 In many jurisdictions, petitioners have also approached courts seeking personal information to be removed. Courts have also referenced the right to be forgotten in providing remedies, even when a specific right has not been provided by legislation.422

5.4.1.3 Threats to access to information under the right to be forgotten

While the right to be forgotten can provide for the effective enforcement of a data subject’s privacy rights, especially online, it can also have certain implications for the rights to free speech and access to information. Most of the concerns about this right stem from its ability to impede access to information and that this, in turn, has the potential to lead to the withholding of critical information. There are also concerns that this right could lead to the removal of sources of factual information and thereby threaten deliberation in the public sphere, which is essential to democratic governance.423

In addition, there are concerns that the GDPR’s conception of the right to be forgotten places undue responsibility on search engines to make assessments on permitted speech and raises other practical difficulties.424 An alternative aimed at addressing this concern is reflected in India’s Data Protection Bill, 2021. It requires data subjects to approach adjudicating officers appointed under the data protection legislation to exercise this right. These officers are required to account for considerations laid down in the Bill, and are also required to have special knowledge of or professional experience in

419 GC v CNIL, [77-78] https://privacylibrary.ccgnlud.org/case/gc-af-bh-ed-vs-commission-nationale-de-linformatique-et-des-liberts-cnil.
420 See for instance considerations in Canada: Law Library of Congress (US) Global Legal Research Directorate, Laws on erasure of online information: Canada, France, European Union, Germany, Israel, Japan, New Zealand, Norway, Portugal, Russia, Spain, United Kingdom (2017) 33-35. Indian Personal Data Protection Bill 2019, clause 20 (Indian DP Bill). See South African Protection of Personal Information Act 2013, s 5.
421 Indian Data Protection Bill 2021, clause 20 (Indian DP Bill). This draft Personal Data Protection Bill, 2019 has been withdrawn, and the government is expected to present a new bill that aligns with a “comprehensive legal framework” on the digital ecosystem. See Soumyarendra Barik, ‘Govt withdraws data protection Bill to bring revamped, refreshed regulation’, The Indian Express, 5 August 2022, https://indianexpress.com/article/india/government-withdraws-data-protection-bill-8068257/.
422 See for instance in Turkey, where the right was recognised in the context of restricting the publication of the name of a survivor of sexual assault in a criminal law book: Deris, ‘Turkey: The Supreme Court Decision on the Right to be Forgotten’ (mondaq.com, 12 November 2019) https://www.mondaq.com/advicecentre/content/3110/The-Supreme-Court-Decision-on-the-Right-to-be-Forgotten; India: On varying approaches taken by High Courts in the context of restricting information relating to lawsuits online – Amber Sinha, ‘Right to be Forgotten: A Tale of Two Judgements’ (cis-india.org, 7 April 2017) https://cis-india.org/internet-governance/blog/right-to-be-forgotten-a-tale-of-two-judgments; Subhranshu Rout @ Gugul v. State of Odisha BLAPL No 4592 of 2020; Zulfiqar Ahman Khan v Quintillion Business Media [2019] (175) DRJ 660, [8]-[9]. See also, Lydia Suzanne Thomas, ‘Information in public domain is like toothpaste, can’t get it back once it is out of the tube: Orissa High Court calls for right to be forgotten’ (barandbench.com, 24 November 2020) https://www.barandbench.com/news/litigation/orissa-high-court-calls-for-debate-on-right-to-be-forgotten.
423 Access Now, ‘Access Now Position Paper: Understanding the “Right to Be Forgotten” Globally’ (2016); See Case C-507/17 Google v CNIL [2019] ECLI:EU:C:2019:15 https://privacylibrary.ccgnlud.org/case/gc-af-bh-ed-vs-commission-nationale-de-linformatique-et-des-liberts-cnil; Alexander Tsesis, ‘“Data Subjects” Privacy Rights: Regulation of Personal Data Retention and Erasure’ [2019] 90 University of Colorado Law Review 593, 620 and 621.
424 James Ball, ‘“Right to be forgotten” ruling creates a quagmire for Google et al’ (theguardian.com, 13 May 2014) https://www.theguardian.com/commentisfree/2014/may/13/right-to-be-forgotten-ruling-quagmire-google. See also Jeffery Rosen, ‘The Right to Be Forgotten’ [2012] 64 Stan L Rev Online 88 https://www.stanfordlawreview.org/online/privacy-paradox-the-right-to-be-forgotten/.

areas relating to law and policy as prescribed by the state,425 and they could therefore be better placed to make such assessments. Although such a model may address some concerns, the implementation of the right to be forgotten would depend on whether the adjudicating officers are able to function independently, especially when the exercise of this right relates to governmental actors or actions.

5.4.1.4 Exemptions to the right to be forgotten

The GDPR limits the right to erasure in certain contexts, such as to exercise the right to free speech and information, compliance with a legal obligation, public interest, archiving, research, and related purposes, or for actions relating to legal claims.426

5.4.2 Right to data portability

The GDPR provides data subjects with the right to obtain the personal data they have provided to a data controller and transmit it to another data controller. This right only applies to personal data provided by the relevant data subject, where the controller carries out the data processing by automated means, and where the processing is based on the data subject’s consent or is necessary for the performance of a contract.427 This right can support the fostering of interoperability and competition in the context of digital platforms, whereby consolidation of market power among a few platforms is a significant concern.428 However, this right would not be applicable to processing necessary for tasks carried out in public interest, or in exercise of official authority vested in a controller.429 Therefore, most state action would be exempt from this right.

The OAS Principles note that the right to data portability is subject to ongoing discussion amongst OAS Member States, most of whom agree that data subjects must be able to avail themselves of this right when personal data is processed digitally or through automated means. They note that this right must not have negative impacts on the rights and freedoms of others, and that it would not be justified when it involves information inferred, derived, or created through processing or analysis conducted by the relevant data controller.430

425 Indian DP Bill 2021, clauses 20, 63(3).


426 GDPR, art 17(3).
427 GDPR, art 20.
428 See Article 29 Data Protection Working Party, ‘Guidelines on the right to data portability’ (2016), pp3-4. See generally Paul De Hert et
al, ‘The right to data portability in the GDPR: Towards user-centric interoperability of digital services’ [2018] 34(2) Computer Law &
Security Review 193.
429 GDPR, art 20(3) and 20(4).
430 OAS Principles with Annotations, Principle 8, page 20.

5.5 The rights to object and to restrict processing

A right that is related to the rights to restriction on processing and erasure, but is nevertheless separate and distinct is the right to object to processing.431 The right to object prevents further processing for one or more specified purposes. The right to restrict processing is usually a temporary measure taken when the data controller is contemplating requests by the data subject to rectify or objections to use of personal information.

5.5.1 The right to object

The GDPR, OAS Principles, Convention 108+, AU Convention, and the HIPCAR Privacy Framework provide data subjects the right to object.432 Of these, all frameworks other than the HIPCAR Privacy Framework specifically provide that data subjects may object to data processing for marketing purposes. Though the right is framed broadly, allowing data subjects to object to data processing by controllers, it generally applies to processing undertaken on the basis of factors other than consent (for example, in public interest or for direct marketing). Where the data processing is based on consent, data subjects are typically able to withdraw their consent.

The GDPR allows the data subject to object to the controller processing personal data concerning them which is based on specific grounds: (i) processing necessary for performing a task in the public interest or exercising official authority vested in the controller; (ii) processing for legitimate interests pursued by the controllers or third parties, except where these interests are overridden by the rights and freedoms of the data subject;433 and (iii) direct marketing and individual profiling related to such marketing.434

According to the GDPR, Convention 108+, and OAS Principles, personal data must no longer be used when the data subject objects to processing for the purpose of marketing. Other frameworks provide data subjects the right to object as well, and it can usually be exercised on legitimate grounds as it relates to a data subject.435

The UK Information Commissioner’s Office clarifies with respect to the GDPR that the data subject can object to all the personal data that a controller is processing about them, or only some information, or only information relating to a certain purpose that a controller is processing information for. If a data subject objects to processing and a data controller does not have valid grounds to refuse it, it will be required to stop processing that data.436 As with the right to restrict processing, the actions to be taken by the data controller would depend on how it is processing the data in question. The AU Convention specifically provides the right to be informed before the personal data relating to a data subject is disclosed to third parties for the first time or used on their behalf for marketing, and to object to such disclosure or use.437

431 Explanatory Report –Convention 108+ [78].


432 GDPR, art 21; OAS Principles with Annotations, Principle 8, page 20; Convention 108+, art 9(1)(d); AU Convention, art 18; HIPCAR
Model Legislative Text, s 9(2).
433 This can range from the data controller’s own interests to that of third parties, commercial interests, and larger societal benefits, as long as they override the individual’s interests. See UK Information Commissioner’s Office, ‘Right to Object’ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/#ib2.
434 GDPR, art 21.
435 GDPR, art 21; Explanatory Report –Convention 108+ [79]; OAS Principles with Annotations, Principle 8, page 20. See also UK Information Commissioner’s Office, ‘Right to Object’ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/#ib4; Convention 108+, art 91(1)(d) and [79]; AU Convention, art 18; HIPCAR Model Legislative Text, s 9(2).
436 UK Information Commissioner’s Office, ‘Right to Object’ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/.
437 AU Convention, art 18.

5.5.1.1 Exemptions to the right to object

The GDPR and Convention 108+ detail specific exemptions to the right to object. The right would not be available when the data controller demonstrates legitimate grounds for the processing which override the rights and interests of the data subject. The legitimate grounds could include factors such as the establishment of legal claims and public safety, which would have to be demonstrated on a case-to-case basis.438 Convention 108+ also highlights that the right to object could be limited through a law, such as to investigate or prosecute criminal offences. The data subject could nevertheless obtain similar reliefs by challenging the lawfulness of the processing itself, or withdrawing consent for processing, or revoking the contract on which the processing is based. However, in such cases, the data subject would have to assume the consequences of such actions, including potentially compensating the controller.439

5.5.2 The right to restrict processing


The GDPR is the only framework that provides for
this right, and it allows the data subject to require the
controller to restrict the processing of their personal
data in some circumstances. Usually, this would be
temporary, and apply in some situations, such as
when the data subject contests the accuracy of
personal data or exercises the right to object, and the
controller considers the request, and other specified
circumstances.440

438 Convention 108+, art 9(1)(d); GDPR, art 21; See also the UK ICO’s discussion on what would constitute ‘legitimate interests’ at UK Information Commissioner’s Office, ‘Legitimate interests’ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/#ib2; Explanatory Report –Convention 108+ [78].
439 Explanatory Report –Convention 108+ [80].
440 GDPR, art 18.

5.6 The right against automated decision-making and profiling

The GDPR, Convention 108+, and AU Convention provide data subjects with the right to not be subject to a decision based solely on automated processing, including profiling, which would produce legal effects or significantly affect them. The GDPR provides examples of what such significant effects could be, such as the automatic refusal of an online credit application, or e-recruiting practices undertaken without human intervention.441

Automated decisions involve decisions made by automated means without human involvement, such as recruitment tests that use pre-programmed algorithms and criteria to test aptitude.442 In the GDPR and Convention 108+, automated decision-making also specifically includes profiling, which is automated processing that evaluates personal aspects relating to a data subject, such as their economic situation, performance at work, health, location, etc.443 This right also allows data subjects to challenge the decision arrived at by such a process and offer their own points of view and arguments.444

441 GDPR, art 22 and recital 71; Convention 108+, art 9(1)(a); AU Convention, art 14(5).
442 Information Commissioner’s Office, ‘Rights related to automated decision making including profiling’ (ico.org.uk) https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/.
443 GDPR, arts 4(4) and 22; Convention 108+, art 9(1)(a). See also Article 29 Data Protection Working Party, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’ (2018).
444 The GDPR and Convention 108+ specifically allow data subjects to challenge the decisions arrived at in this manner and to offer their own views. Explanatory Report - Convention 108+, paras 75-77; GDPR, recital 71. The AU does not specifically allow for this – see AU Convention, art 14(5).

5.6.1 Framework overview of the right against automated decision-making and profiling

The Convention 108+ framework specifies that the right to challenge decisions arrived at through automated decision-making processes must include the opportunity to point out inaccuracies in personal data before it is used, the irrelevance of the profile being used to the data subject’s particular case, or any other factors that would have an impact on the eventual decision. It also equips data subjects with the right to know the reasoning behind the decisions arrived at through automated processes, and the consequences of such reasoning.445 This is so that the data subject is able to meaningfully exercise other rights and make use of safeguards, such as the right to object or complain to the relevant data protection authority.

The GDPR also specifies that decisions based solely on automated processing cannot be based on special categories of personal data, such as data revealing racial or ethnic origin, religious beliefs, or biometric information.446 However, this restriction would not apply if the data subject explicitly consents to the processing and is not prevented by law from providing such consent, or it is necessary for substantial public interest and based on a law with adequate safeguards.447 It also requires controllers to undertake data protection impact assessments (DPIAs) in case of “a systematic and extensive evaluation of personal aspects relating to natural persons” based on automated processing, and where personal data is processed for special categories of data.448

While this right applies to private entities and actions taken by them, it can be especially important in the context of state action, especially when it pertains to receiving social or financial benefits.449 While the right against automated decision-making seeks to increase accountability and safeguard data subject rights, the extent to which this occurs will depend on how it is implemented. More generally, concerns have also been raised about the technical difficulties with exercising this right (such as explaining the workings of complex “black box” machine learning systems) in terms of how they will vary based on the interpretation of the provision,450 though there is some guidance on how this provision would apply.451

5.6.1.1 Exemptions to the right against automated decision-making and profiling

The GDPR and Convention 108+ limit a data subject’s ability to exercise the right against automated decision-making, if the processing is authorised by a law which lays down suitable safeguards to protect the rights and interests of data subjects.452 The GDPR details some of the safeguards meant to protect data subjects in that it specifies that even when such processing is allowed by law, the safeguards provided must include: (i) providing specific information on the automated processing and decision to the data subject and the right to obtain human intervention; (ii) to express their views to the controller on the decision arrived at by the automated processing; (iii) obtain an explanation of the decision that has been arrived at, and (iv) to challenge the decision arrived at through automated decision-making.453 It also specifies that such measures must not concern children, and requires controllers to implement relevant measures to ensure that inaccuracies in data are corrected and the risk of errors is minimised, data is secured to account for potential risks to the rights of data subjects, and that discriminatory effects to data subjects on the basis of special categories of data are prevented.

445 Convention 108+, art 9(1)(c); Explanatory Report – Convention 108+, [75, 77].
446 GDPR, art 9(1).
447 GDPR, art 22(4).
448 GDPR, art 35(3).
449 Explanatory Report – Convention 108+, paras 75, 77.
450 For example, see Sandra Wachter, Brent Mittelstadt, and Chris Russell, ‘Counterfactual Explanations Without Opening the Black Box:
Automated Decisions and the GDPR’ [2018] 31(2) Harv J of Law and Tech 841, 860-861, 873-874, 876-877, and 880-881.
451 UK Information Commissioner’s Office, ‘What else do we need to consider if Article 22 applies?’ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/automated-decision-making-and-profiling/what-else-do-we-need-to-consider-if-article-22-applies/; Explanatory Report – Convention 108+, para 77.
452 Explanatory Report – Convention 108+, [75]; GDPR, art 22.
453 GDPR, recital 71.

Box 5.1: The Law Enforcement Directive


The Law Enforcement Directive (‘LED’) is legislation passed alongside the GDPR that
deals with the processing of personal data for ‘law enforcement purposes’ (which falls
outside the scope of the GDPR).454 It covers processing by “competent bodies” for
“the prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, including the safeguarding against and the prevention
of threats to public security”.455 In this context, a ‘competent body’ would include not
only public authorities, but also any other bodies entrusted by law to exercise public
authority for the purposes specified above.456 The LED provides rights to data subjects
and contains obligations for competent bodies. It also prohibits automated decision
making unless authorised by laws with appropriate safeguards, and prohibits profiling
that results in discrimination on the basis of special categories of personal data such
as religious beliefs, genetic data, biometric information, etc.457 The LED also contains
provisions relating to cross-border data transfers (as explored in Chapter 8 on the
Regulation of Cross-Border Data Flows.)

5.7 The right to delegate (or for third-party to exercise) rights

The HIPCAR Privacy Framework specifically allows third parties to exercise rights on behalf of the data subject in certain circumstances, such as where the data subject is a minor, in the case of death, under a power of attorney, or by the data subject’s guardian.458 Although additional details are not provided, this could be relevant in the context of legal heirs or representatives being able to make some decisions on behalf of data subjects, and for information related to minors provided to the government. The OAS Principles also allow third parties to exercise the right of access on behalf of a data subject – for instance, parents on behalf of minor children.459

454 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data [Law Enforcement
Directive], available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016L0680.
455 Art 1, Law Enforcement Directive.
456 Art 3(7), Law Enforcement Directive.
457 Art 11(1-3), Law Enforcement Directive.

458 HIPCAR Model Legislative Text, s 25.


459 OAS Principles with Annotations, Principle 8, page 18.

5.8 Whistle-blower protection

Interestingly, the HIPCAR Privacy Framework also
contains a provision that protects whistle-blowers.
While this is not a data-subject right per se, it is aimed
at holding employers accountable. This provision
specifies that employers, including public authorities,
“shall not dismiss, suspend, demote, discipline,
harass or otherwise disadvantage an employee
or deny that employee a benefit” because the
employee undertook actions relating to preventing
or notifying contraventions of the framework.460
Provisions aimed at protecting whistle-blowers can
help increase accountability and ensure the effective
implementation of data protection frameworks.

460 HIPCAR Model Legislative Text, s 78.



5.9 General exceptions to rights of data subjects

While some specific limitations to data subject rights have been discussed through the chapter, all Identified Regional Frameworks also contain general exceptions to the rights of data subjects and the obligations of data controllers. These exemptions are usually only applicable pursuant to laws which specify adequate safeguards and are required for purposes such as national security and protecting freedom of expression. The exceptions vary based on the framework in question, and some are broader than others. Importantly, such restrictions must be provided by law and proportional to the aims sought to be achieved. These elements have been discussed in detail in Chapter 7 (Government Access).

The HIPCAR Privacy Framework and the Commonwealth PPI Bill contain additional exemptions. The HIPCAR Privacy Framework exempts compliance with controller obligations and data subject rights under the framework processing for discharging functions relating to regulatory activities pursuant to law, to the extent that the application of the framework would likely prejudice the discharge of its functions. It also exempts compliance with controller obligations and data subject rights under the framework data processing for publication of journalistic, literary, or artistic material, where the controller believes it would be in the public interest especially as regards the freedom of expression, and that compliance with the framework would be incompatible with the relevant purpose. The Data Commissioner is allowed to establish codes of conduct in this regard, to balance the rights protected under the framework with the freedom of expression.461 Similarly, the Commonwealth PPI Bill also exempts processing for solely journalistic, artistic, or literary purposes.462

5.9.1 Disclosure of exemptions to the rights of data subjects

Some frameworks specifically require states to disclose any restrictions to the rights of data subjects, which are essential to maintain transparency and accountability. The OECD Guidelines require that exceptions to the guidelines should be as few as possible and be made known to the public, and requires Member States to limit exceptions to those necessary in a democratic society.463 Similarly, the APEC Privacy Framework requires all exceptions to be limited and proportional to the intended objectives, and be disclosed publicly or be in accordance with law.464

The OAS Principles specifically require national authorities to publicly disclose any exceptions made to the Principles, and stress the importance of narrowly tailoring such exceptions and balancing competing interests.465

461 HIPCAR Model Legislative Text, ss 36, 37.


462 Commonwealth PPI Bill, s 5(2)(c).
463 OECD Privacy Guidelines 2013, para 4; Original Explanatory Memorandum OECD Guidelines, 53 and 54.
464 APEC Privacy Framework, para 18.
465 OAS Principles with Annotations, Principle 12, page 27.

Key considerations

◊ The rights of data subjects are an essential part of data protection frameworks and enable data subjects to operationalise various aspects of the right to privacy. The right of data subjects to access information that a controller has on them serves as the basis for all other rights, and is closely linked to the principles of transparency and accountability. The right to rectification can serve to reduce exclusions and bias, especially where personal data processing is the basis of public and financial services.
◊ Similarly, the right against automated decision-making enables data subjects to contest unfair or exclusionary decisions made purely on the basis of automated processing. The right to object can also help prevent harm to data subjects by enabling them to prevent controllers from processing their data, especially where it relates to direct marketing or where they are being subject to substantial harm as a result of the processing.
◊ The right to be forgotten can enable individuals to overcome stigma and judgment arising from past experiences, but must be balanced against very real threats to the access to information and the right to speech.
◊ The right to data portability provides data subjects with more control over their data and can enable interoperability and increased competition. The rights to restrict processing, to delegate the exercise of rights, and provisions such as whistle-blower protections serve to enable data subjects to effectively exercise the other rights available to them.

CHAPTER 6

SPECIAL PROTECTIONS FOR CHILDREN’S DATA

6.1 Introduction

This chapter will discuss important factors that should be considered in international
debates on data protection and privacy regulation while exploring the existing and potential
harms that children face online. Based on international, regional, and domestic frameworks,
this chapter will also analyse certain policy themes and recommendations on how to better
address the protection of children’s privacy embedded within the United Nations Convention
on the Rights of the Child (CRC).

Even prior to the global COVID-19 pandemic, innovative technologies offered several benefits for both adults and children. As the world grappled with containing and managing the deadly pandemic, however, the virtual environment has gained significant attention as it features a ‘new normal’. This has been characterised by a surge of information flows coupled with an increased reliance on technology and digital tools to carry out day-to-day activities, such as working-from-home, e-learning, and tele-health.466 Despite the internet being a powerful tool that has facilitated various aspects of human life during these unprecedented times, it has also exposed adults and children to new, unknown challenges. This is especially true from the perspective of informational privacy, data protection, and online safety.467

While many of these challenges over protection of data have largely been discussed in the context of adults, such technologies also have adverse repercussions on the lives of children and leave the way open for potential harm. This can be largely attributed to children’s lack of agency over their personal data, as well as technology that is typically not designed considering children’s rights and their varied developmental levels. Therefore, concerns relating to the use of children's personal data as well as the protection of their privacy are unique and require special attention.468

Given that both the state and private organisations collect the personal data of children, often in the absence of adequate data protection frameworks and legal safeguards tailored to children, this gives rise to privacy risks and related harms. For example, schools across Russia have now installed cameras to monitor children on campus, and identify strangers who attempt to enter school grounds, in an effort to decrease the crime rates prevalent in Russian schools.469 Similarly, government-funded schools in India's capital city, Delhi, have installed facial recognition technologies as well as closed circuit

466 Yan Xiao and Ziyang Fan, '10 technology trends to watch in the COVID-19 pandemic' (World Economic Forum, 27 April 2020) https://www.weforum.org/agenda/2020/04/10-technology-trends-coronavirus-covid19-pandemic-robotics-telehealth/.
467 Steven Vosloo, Melanie Penagos and Linda Raftree, 'COVID-19 and children's digital privacy' (UNICEF, 7 April 2020) https://www.unicef.org/globalinsight/stories/covid-19-and-childrens-digital-privacy.
468 Andrew Young, Stuart Campo and Stefaan G. Verhulst, 'Responsible Data For Children' (UNICEF 2019) p 2 https://rd4c.org/assets/rd4c-synthesis-report.pdf.
469 Matthew Luxmoore, ‘Yes, Big Brother IS Watching: Russian Schools Getting Surveillance Systems Called ‘Orwell’’, (Radio Free Europe/Radio Liberty, 17 June 2020) https://www.rferl.org/a/russian-schools-getting-surveillance-systems-called-orwell-/30676184.html.

television cameras to ensure the safety of students.470

In the context of government-to-citizen services, the use of ICT has increased multi-fold over the years. The 2020 UN E-Government Development Index indicates that about 80% of the 193 UN Member States currently provide digital services for youth, women, older people, persons with disabilities, migrants, and those living in poverty.471 E-government services are also being made available to children to improve accessibility to resources such as education, social services, and health care. Such services are largely provided by governments to children through the digitisation of their identities.

Ghana, for example, has recently introduced the Ghana Digital Card, through which citizens aged 15 and over will have a digital legal identity certification that allows them to access public and commercial services.472 In the Philippines, the registration process indicates that children below the age of 5 can receive a PhilID upon registration, where their demographic information, biometric data and photograph are collected.473 India, similarly allows for children below the age of 5 to receive an Aadhaar number. There is no collection of biometrics, however, until the age of 5; demographic information and a facial photograph is collected at the time of enrolment.474 While instituting identification management for children in order to access digital services is intended to create a more inclusive system for integration and governance, countries worldwide have faced several challenges in ensuring the protection of children’s data within such systems.475

As mentioned earlier, reliance on technological tools has grown as a result of the pandemic. These tools have been used to combat the effects of the pandemic and address public health concerns, causing an increase in the collection of personal data of both adults and children. Measures that gained attention and use during the COVID-19 pandemic such as contact tracing, for instance, have allowed for the interactions of children to be monitored and collected.476 In light of the use of such technological solutions to address challenges brought by the pandemic, UNICEF’s Responsible Data for Children initiative highlights that further harms can arise out of the identification of children’s data. Special considerations for the protection of children's personal information, however, has not received sufficient attention from states throughout the ongoing pandemic.

A few existing legal frameworks such as the GDPR do afford protections to children's data. These frameworks also provide exceptions to processing of personal data during a public health crisis. This may partly explain the lack of adequate focus on children's personal information during the pandemic.477 These circumstances, nonetheless, continue to highlight the existing need for effective consideration of the protection of children's data within data protection frameworks.

In the absence of legal and regulatory frameworks that specifically carve out safeguards for the protection of children's personal data, their right to privacy may be at risk owing to unchecked data collection and processing practices.

470 Rina Chandran, 'Fears for children's privacy as Delhi schools install facial recognition', (Reuters, 2 March 2021,) https://www.reuters.com/article/us-india-tech-facialrecognition-trfn/fears-for-childrens-privacy-as-delhi-schools-install-facial-recognition-idUSKBN2AU0P5.
471 United Nations Department of Economic and Social Affairs, ‘E-Government Survey’ (United Nations Department of Economic and Social Affairs, 10 July 2020) p xxv https://www.un.org/development/desa/publications/publication/2020-united-nations-e-government-survey.
472 Ghana National Identification Authority, ‘Synopsis of the National Identification System Project’ (29 May 2018) https://nia.gov.gh/2018/05/29/synopsis-of-the-national-identification-system-project/.
473 'Frequently Asked Questions' (Philippine Identification System, 2021) https://www.philsys.gov.ph/faq/.
474 ‘FAQs: Enrolling Children' (Unique Identification Authority of India, 2021) https://uidai.gov.in/contact-support/have-any-question/299-faqs/enrolment-update/enrolling-children.html.
475 Zoë Pelter and others, 'Government Digital Services And Children: Pathways To Digital Transformation' (UNICEF 2021) p 13-15 https://www.unicef.org/globalinsight/media/1481/file/UNICEF-Global-Insight_e-gov-services-rapid-analysis-2021.pdf.
476 Steven Vosloo, Melanie Penagos and Linda Raftree, 'COVID-19 and children's digital privacy' https://www.unicef.org/globalinsight/stories/covid-19-and-childrens-digital-privacy.
477 Linda Raftree, Emma Day and Jasmina Byrne, 'COVID-19: A Spotlight On Child Data Governance Gaps' (UNICEF 2020) p 2 https://www.unicef.org/globalinsight/media/1111/file/UNICEF-Global-Insight-data-governance-covid-issue-brief-2020.pdf.

As education moves online, the growth of education
technology, or ‘edtech’, in schools has similarly
resulted in increased rates of collection, sharing, and
storage of children’s personal data. Such information
includes names, home addresses, and email IDs
that has, in turn, enabled intrusive surveillance or
the collection of information on children without
parental consent.478 Though the COVID-19 pandemic
calls for emergency measures to ensure continuity in
learning for children, governments, parents, schools,
and teachers must keep the data protection rights
of children at the forefront while planning online
pedagogy. Such pedagogy must not only be inclusive
but also least intrusive in context of data collection
and privacy of children.

478 Hye Jung Han, ‘As Schools Close Over Coronavirus, Protect Kids' Privacy in Online Learning’ (Human Rights Watch, 2020) https://www.hrw.org/news/2020/03/27/schools-close-over-coronavirus-protect-kids-privacy-online-learning.

6.2 Current international and regional regulatory frameworks on children’s data

Child rights, including their right to privacy, are recognised widely by international frameworks such as Article 16 of the United Nations Convention on the Rights of the Child.479 Article 16 enshrines a child’s right to freedom from arbitrary interference with their privacy and further provides that children have the right to the protection of the law against any such interference. All the rights enshrined in the CRC are interdependent and indivisible, and are to be implemented in accordance with six guiding principles, namely: non-discrimination; the best interests of the child; the right to survival and development; the right to be heard; the right to access; and the right to education and digital literacy.480

When the right to privacy is extended to the digital realm, incorporating these principles within data protection legal and regulatory frameworks, both regional and national, must consider a child rights-based approach. This must safeguard their privacy, mitigate risks such as discrimination, and act in their best interests. At the same time, such a framework should also uphold children’s participatory and emancipatory rights that are necessary for them to develop autonomy.481

Among the many international and regional legal and regulatory frameworks governing privacy and data protection, only the GDPR and the recently revised OAS Principles provide for child-specific consent in the digital context. In 2021, the annotations to the OAS Principles have been updated to include requirements that a data controller must obtain authorisation from a guardian or parent or directly from the minor when the law requires a minor’s consent without requiring parental/guardian representation.482 While a 2018 resolution by the Council of Europe advised Member States to protect children in the digital environment from monitoring and surveillance carried out by state authorities and/or private sector entities, these recommendations are yet to be effectively implemented.483 In 2021, the United Nations Committee on the Rights of the Child also released a general comment on children's rights in the digital environment.484

479 Convention on the Rights of the Child (adopted 20 November 1989 UNGA Res 44/25, entered into force 2 September 1990) 1577 UNTS 3, art 16.
480 CRC, art 28, art 17, art 12, art 6, art 3, art 2; Jonathan Todres and Shani M. King, The Oxford Handbook of Children's Right Law (OUP 2020).
481 Soo Jee Lee, 'A Child's Voice Vs. A Parent's Control: Resolving A Tension Between The Convention On Rights Of The Child And U.S. Law' (2017) 117 Columbia Law Review.
482 OAS Principles with Annotations, Principle 2, p 10.
483 Council of Europe, ‘Recommendation CM/Rec (2018)7 of the Committee of Ministers to member States on Guidelines to respect, protect and fulfil the rights of the child in the digital environment’ (Committee of Ministers, 1321st meeting of the Ministers' Deputies, 4 July 2018) CM/Rec (2018)7 https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016808b79f7.
484 General comment No. 25 (2021) on children’s rights in relation to the digital environment (2 March 2021) CRC/C/GC/25.

6.3 Factors and risks involved in protecting children’s personal data and online privacy

In addition to risks such as cyberbullying, sexual exploitation and trafficking, and promotion of self-harm, emerging issues such as surveillance, identity fraud, and breaches of information security have made children vulnerable and susceptible to threats online.485 Such threats not only infringe on children’s right to privacy, but also endanger their experiences online. In light of these risks and threats that pose new challenges to policymakers, parents, and children, the following section discusses various factors that should be considered while protecting children’s personal data and their online privacy.

6.3.1 Age of digital consent for children

Several surveys have indicated a growth in the percentage of children as well as adolescents and young people who go online to pursue various activities, including but not limited to instant messaging, gaming, e-learning, hobbies, entertainment, and downloading music.486 Children not only access the internet to reap the benefits of digital products and services, but also to participate in online activities that include content creation and media consumption. Most data protection frameworks allow data controllers and processors to collect, process and use personal data of users or individuals through consent-based privacy management tools.487

International and regional frameworks impose an ‘age of digital consent’, which is the minimum age a user must be to provide consent before organisations can collect, process and store their data without parental consent. This protection ensures both the autonomy of a child to make informed decisions about their online activities and to shield them from any possible harms and threats found online.488

This may not be the best approach for children, owing to their vulnerability and lack of technical sophistication to assess any invasion to their personal data or privacy (please refer to Chapter 3 on Data Protection Principles for more information on the scope of consent obtained from users under international and regional frameworks).

Many existing frameworks have imposed specific age thresholds for children’s digital consent in order to limit the collection and processing of their data and protect the child’s right to privacy. For example, the GDPR’s Article 8 states that each Member State should set its own digital age of consent between 13 and 16, which refers to the age at which young people may sign up for online services such as social media without needing the explicit consent of their parent or guardian. Similarly, the Children’s Online Privacy Protection Act (COPPA), which took effect in the United States in 2000, sets the age of digital consent at 13, and specifically lists the requirements and conditions to be complied with by data controllers.489 Singapore’s Personal Data Protection Act does not contain specific provisions with regards to children’s data. The Personal Data Protection Commission, however, provides some guiding commentary. It observes that organisations, while determining if a minor can consent, should consider if they have “sufficient understanding of the nature and

485 ‘PISA 2015 Results (Volume III): Students’ Well-being' (OECD 2017) https://www.oecd-ilibrary.org/education/pisa-2015-results-volume-iii_9789264273856-en; General comment No. 25 (2021) on children’s rights in relation to the digital environment (2 March 2021) CRC/C/GC/25, paragraph 16, page 3.
486 ‘Being Young in Europe Today - Digital World’ (Eurostat: Statistics Explained, 2020) https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Being_young_in_Europe_today_-_digital_world#A_digital_age_divide.
487 APEC Privacy Framework, Part III, principle V, para 26; ASEAN DP Framework, principle 6(a); Commonwealth PPI, s 8; GDPR, art 7; HIPCAR Model Legislative Text, s 9(1); OECD Guidelines, Part 2, principle 7; OAS Principles with Annotations, principle 2, p 1.
488 Liliana Pasquale and others, 'Digital Age Of Consent And Age Verification: Can They Protect Children?' [2020] IEEE Software (Early Access) https://ieeexplore.ieee.org/document/9295422.
489 Children's Online Privacy Protection Act of 1998, 15 USC 6501–6505 (COPPA), 16 CFR Part 312.

consequences of giving consent.”490 Recognising that some organisations already consider an age threshold of 13 as sufficient to require consent, the Commission states that, as a “practical rule of thumb”, it would similarly consider that a minor of 13 years has reached a consenting age.

Such thresholds have been imposed by drawing upon traditional age of consent models for various activities, such as entering into contracts, having sexual relations, and undergoing medical procedures. For example, in India, laws dealing with juvenile justice, evidence, and labour define child differently based on their age and maturity.491 However, India’s proposed data protection legislation imposes a blanket age threshold of 18 years for consent similar to the Indian Contract Act, 1872, which considers a minor to be any person below the age of 18 years, and subsequently declares all contracts entered into by minors as non-enforceable.492 With regard to India’s Aadhaar (biometric-based digital ID programme), a child’s enrolment for Aadhaar can only be done with parental consent, and the legal framework has been amended to give minors the choice to opt out within six months of turning 18 years of age.493

Indonesia, like India, defines a child differently within its laws and regulations, depending on the purposes involved. For example, child welfare laws establish that an individual is deemed to be a child when under the age of 21. Meanwhile, the law defines a child as under the age of 18 for human rights and juvenile delinquency purposes.494

Experts agree that as children get older, their understanding and experiences evolve to better understand the digital ecosystem. However, not all children behave and adapt in the same way.495 Children across various ages require different and specific online support, protection, and freedoms. Although differences in the age of children are likely to determine the degree of vulnerability or risk and resilience to online harms, the continued adoption of consent-based mechanisms by international and regional frameworks are proving to be inadequate. For instance, critics of the GDPR have raised several concerns relating to the consent mechanism for children under existing regulation, on the grounds that parental consent may not be sufficient to protect children in a digital world.496 Additionally, studies conducted by different organisations and regulatory bodies prescribe different ages for consent, thereby creating confusion and lack of uniformity.497 Without

490 Personal Data Protection Commission, 'Advisory Guidelines On The Personal Data Protection Act For Selected Topics' (Personal Data Protection Commission Singapore 2021) p 53-54.
491 Child Labour (Prohibition and Regulation) Act, 1986, s. 2(ii); Indian Evidence Act, 1872, s. 118; Juvenile Justice (Care and Protection of Children) Act, 2015, s. 15.
492 India, Indian Contract Act, 1872, s. 11; Report of the Joint Committee on the Personal Data Protection Bill, 2019, s 57(2)(d) available at https://prsindia.org/files/bills_acts/bills_parliament/2019/Joint_Committee_on_the_Personal_Data_Protection_Bill_2019.pdf.
493 Justice KS Puttaswamy v Union of India (2019) 1 SCC 1 https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-and-ors-vs-union-of-india-uoi-and-ors; India, Aadhaar And Other Laws (Amendment) Act, 2019, s 5.
494 Riduansyah and others, 'Children’s Rights Conflict with The Law in The Time of The COVID-19 Pandemic' (2021) 10 International Journal of Criminology and Sociology 1156 https://ns1.6thsigmahosting.com/pms/index.php/ijcs/article/view/8107.
495 Sonia Livingstone, Mariya Stoilova and Rishita Nandagiri, 'Children’s Data And Privacy Online: Growing Up In A Digital Age' (LSE Media and Communications 2018) p 7 <https://www.lse.ac.uk/media-and-communications/assets/documents/research/projects/childrens-privacy-online/Evidence-review-final.pdf>.
496 Vicki Shotbolt, 'Is Parental Consent The Way Forward, Or Is The GDPR The End Of Young People's Freedom To Roam Digitally?' <https://blogs.lse.ac.uk/medialse/2016/12/13/is-parental-consent-the-way-forward-or-is-the-gdpr-the-end-of-young-peoples-freedom-to-roam-digitally/>; Milda Macenaite and Eleni Kosta, 'Consent For Processing Children's Personal Data In The EU: Following In US Footsteps?' (2017) 26 Information and Communications Technology Law 159, 160 <https://www.tandfonline.com/doi/citedby/10.1080/13600834.2017.1321096?scroll=top&needAccess=true>.
497 Sonia Livingstone and Kjartan Ólafsson, 'Children's commercial media literacy: new evidence relevant to UK policy decisions regarding the GDPR’ <https://blogs.lse.ac.uk/medialse/2017/01/26/childrens-commercial-media-literacy-new-evidence-relevant-to-uk-policy-decisions-regarding-the-gdpr/>.

a clear understanding and agreement on the varying ages of consent, an irregular prescription of such ages may add to data controllers’ legal risks and compliance burdens.

Furthermore, obtaining and enforcing the requirement of providing ‘meaningful’ consent from children that is explicit, free, and specific is challenging for data controllers.498 Though some data controllers have created alternative versions of their products and services for children with limited features (such as YouTube Kids or Netflix Kids), there remains a risk that children will misrepresent their age in order to use versions of such products and services originally designed for adults, which would make them more vulnerable to privacy threats and security breaches.499 For consent verification mechanisms to be effective and easy, they should comply with the main data protection principles, such as data minimisation, purpose limitation, data adequacy and relevance. Requiring more data for verification to ‘protect’ children increases the quantity of data collected and goes against the principle of data minimisation. Eventually, this may not result in serving the privacy interests of children.500

At the same time, regulatory frameworks, such as the UK ICO’s Gillick competence test,501 have acknowledged the evolving capacities of children who are capable of exercising agency over their online decisions.502 A recent UNICEF Innocenti study demonstrates that while most older children know how to manage online privacy settings, only a few younger children report that they can do so. Therefore, setting an ‘appropriate age’ for digital consent must factor in the impact of emerging technologies on children’s cyber cognitive development. It must also take into account whether they have adequate digital skills to understand the consequences of sharing their data, and are capable of exercising any digital rights arising from the misuse of any such data.503 While the UN defines a child as, “every human being below the age of 18 years, unless, under the law applicable to the child, majority is attained earlier,”504 it would be helpful to assess media literacy levels, legal traditions, and cultural contexts of children residing in different geographical regions to determine a suitable digital age of consent to better protect them according to their diverse backgrounds. Although ‘age appropriate’ can protect a child when customised, it may not be sufficient to protect a cohort of children of the same age who show varied intellectual and emotional development. Therefore, such inequity in developing

498 Milda Macenaite and Eleni Kosta, 'Consent For Processing Children's Personal Data In The EU: Following In US Footsteps?' (2017) 26 Information and Communications Technology Law 159, 160 <https://www.tandfonline.com/doi/citedby/10.1080/13600834.2017.1321096?scroll=top&needAccess=true>.
499 Mary Aiken, The Cyber Effect: An Expert in Cyber Psychology Explains How Technology Is Shaping Our Children, Our Behavior, and Our Values - and What We Can Do About It (Penguin Random House 2017); danah boyd and others, 'Why parents help their children lie to Facebook about age: Unintended consequences of the 'Children's Online Privacy Protection Act'' (Berkman Klein Center, 2011) <https://journals.uic.edu/ojs/index.php/fm/article/view/3850/3075>.
500 OHCHR, ‘Report of the Special Rapporteur on the Right to Privacy’ (2021) UN Doc A/HRC/46/37 https://undocs.org/A/HRC/46/37; Lina Jasmontaite and Paul De Hert, 'The EU, Children Under 13 Years, And Parental Consent: A Human Rights Analysis Of New, Age-Based Bright-Line For The Protection Of Children On The Internet' (2015) 5 International Data Privacy Law 20-33 https://academic.oup.com/idpl/article-abstract/5/1/20/2863826.
501 'What Is Valid Consent?' (Information Commissioner's Office, 2021) https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/consent/what-is-valid-consent.
502 General comment No. 25 (2021) on children’s rights in relation to the digital environment (2 March 2021) CRC/C/GC/25, paragraph 71, page 12.
503 Jasmina Byrne and others, 'Global Kids Online: Research Synthesis 2015-2016' (UNICEF, Office of Research–Innocenti and The London School of Economics and Political Science 2016) http://eprints.lse.ac.uk/67965/7/Global%20Kids%20Online_Synthesis%20report_2016.pdf.
504 CRC, art 1.

age appropriate measures for child groups could potentially constrain development of children’s personality, the autonomous exercise of their rights, and possibly also be discriminatory.505

6.3.2 The role of parental consent

As indicated above, policymakers have sometimes prescribed obtaining parental consent on behalf of children accessing the internet. This is due to children’s lack of knowledge and understanding to make informed decisions for themselves.506 Many frameworks, including the GDPR, the OAS Principles, Malaysia’s Personal Data Protection Act 2010, Ghana’s Data Protection Act, COPPA, as well as India’s proposed data protection legislation507 require parental consent for children within specific age groups to use digital products and services. Such parental consent has been required not only to empower children when they participate in digital transactions and content consumption to ensure decisions are made in the child’s interest, but also to protect them from any potential harm.508 The requirement for parental consent is based on the premise that parents possess the maturity, experience, and capacity for judgment that children lack when making difficult decisions, and that they will act in the best interests of their offspring.509 However, the conflict between protective rights and children’s participatory or emancipatory rights can be seen in most child rights’ laws,510 and can also be broadened to include the right to privacy. Since these participatory or emancipatory rights include children’s right to online decision-making and freedom of expression, requiring parental consent could be construed as contradictory to the CRC principles, which are based on the best interests of the child and their evolving capacities, participation, and right to self-determination.511 It is worth noting that there are some legal and regulatory frameworks that allow children to provide consent when they attain a specific age. However, these frameworks may not adequately consider the sociological, psychological, and other relevant factors when determining their understanding of the digital space. At the same time, determining the age at which specific protections for children should be lowered, based on their level of maturity, is a challenge, as some children at a particular age may not yet be competent to take responsibility for their online decisions.

Further, parental consent does not eliminate the privacy risks that both parents and children might not be cognisant of or further those risks they may continue to face. A 2016 World Health Organization (WHO) report regarding online food advertisements targeting children concluded that parents were unaware of both the profiling techniques used to target children, and the related risks.512 In addition, while parental consent may to some extent protect children from data processing undertaken by private companies and the state and promise operational ease, it does not factor in any threats to children’s privacy by parents. Furthermore, adults may not

505 'The Case For Better Governance Of Children’s Data: A Manifesto' (UNICEF 2021) https://www.unicef.org/globalinsight/media/1741/file/UNICEF%20Global%20Insight%20Data%20Governance%20Manifesto.pdf; Information Commissioner's Office, 'Age Appropriate Design: A Code Of Practice For Online Services' (2020) https://ico.org.uk/media/about-the-ico/consultations/2614762/age-appropriate-design-code-for-public-consultation.pdf.
506 ‘Children and the UK GDPR’ (Information Commissioner’s Office) https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-uk-gdpr/what-are-the-rules-about-an-iss-and-consent/; General comment No. 25 (2021) on children’s rights in relation to the digital environment (2 March 2021) CRC/C/GC/25, paragraph 71, page 12.
507 India, Report of the Joint Committee on the Personal Data Protection Bill, 2019 available at https://prsindia.org/files/bills_acts/bills_parliament/2019/Joint_Committee_on_the_Personal_Data_Protection_Bill_2019.pdf; COPPA, 15 USC 6501–6505; Ghana, Data Protection Act, 2012; Malaysia, Personal Data Protection Act, 2010; General Data Protection Regulation (EU) 2016/679 OJ L119/1.
508 Sonia Livingstone, Mariya Stoilova and Rishita Nandagiri, 'Children’s Data And Privacy Online: Growing Up In A Digital Age' (LSE Media and Communications 2018) https://www.lse.ac.uk/media-and-communications/assets/documents/research/projects/childrens-privacy-online/Evidence-review-final.pdf.
509 CRC, art 3, para 1; United Nations High Commissioner for Refugees, ‘Guidelines on Determining the Best Interests of the Child’ (UNHCR, 2008) https://www.unhcr.org/4566b16b2.pdf.
510 Soo Jee Lee, 'A Child's Voice Vs. A Parent's Control: Resolving A Tension Between The Convention On Rights Of The Child And U.S. Law' (2017) 117 Columbia Law Review.
511 CRC, art 16.
512 Dr Mimi Tatlow-Golden and others, 'Tackling food marketing to children in a digital world: trans-disciplinary perspectives' (World Health Organization, 2016) https://www.euro.who.int/__data/assets/pdf_file/0017/322226/Tackling-food-marketing-children-digital-world-trans-disciplinary-perspectives-en.pdf.

always be able to understand the complex interactions between information technology and children.513

Prioritisation of parental consent and subordination of children’s privacy runs contrary to well-established principles in international law, which state that children need special legal protection, and courts must give primary consideration to their best interests in decisions affecting their lives.514 Such protection cannot be solely contingent upon the consent, wishes or behaviour of a parent who, in turn, might override children’s rights to freedom of expression and digital participation.515

In this regard, COPPA adopts a risk-based approach by not requiring parental consent for commercial services that do not share children’s personal data or are not interactive. The risk-based approach here would relate to the extent of data collection and the consequential risk to the child. For instance, services that are not interactive involve very limited collection of children’s data to perform one-time requests for a specific purpose such as collecting a child’s contact information to enter into a contest.516 In such circumstances, COPPA necessitates that information collected cannot be shared or even maintained after the request is complete to protect against misuse. Similarly, the UK government, in addition to compliance with the GDPR and the UK’s Privacy and Electronic Communications Regulations, has taken a risk-based approach and set out standards of age appropriate design for online services in its Age-Appropriate Design Code of Practice (Children’s Code).517 The Children's Code consists of technology-neutral design principles and practical privacy features, such as data minimisation and data protection impact assessments. These are to be implemented by all data controllers that offer online services likely to be used by children, including social networking and applications, connected toys, video game platforms, streaming services and educational websites. Critics have raised concerns, that in an attempt to distinguish children as users online, to afford specific protections, the Children’s Code might lead to the increased collection of children’s personal data. This can arise in trying to create the distinction, and use this to further child engagement.518 This would, in turn, require more restrictions on behavioural advertising and data processing which would require the need for higher default privacy settings for children of younger ages.

There is a growing need for legal and social frameworks to adequately accommodate the widely varying capacities of children over different aspects of their lives, and enable them to provide consent in their individual capacities.519 In order to balance the participatory and emancipatory rights of children vis-a-vis their right to privacy, the presence of parental consent, to the extent possible, may be taken into account to establish consent for limited purposes (e.g. high value transactions), and to assess potential risks. It should not, however, elevate this factor above all others. To help in actualising this, a ‘sliding-scale’ approach for consent could be adopted to ensure that children are able to access the internet as an educational and functional tool to carry out activities for research or homework assistance.520 However, activities that could pose a greater risk to children could require parental consent to ensure that the collection of children's personal information by data controllers is legitimate and proportional to the purposes of use.

513 Danah boyd, ‘It's Complicated: The Social Lives of Networked Teens’ (Yale University Press, 2015).
514 Jelena Gligroijevic, 'Children's Privacy: The Role Of Parental Control And Consent' (2021) 19 Human Rights Law Review https://academic.oup.com/hrlr/article/19/2/201/5522387?login=true.
515 'The Case For Better Governance Of Children’s Data: A Manifesto' (UNICEF 2021) https://www.unicef.org/globalinsight/media/1741/file/UNICEF%20Global%20Insight%20Data%20Governance%20Manifesto.pdf.
516 Federal Trade Commission, ‘Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business’ (June 2017) https://www.ftc.gov/business-guidance/resources/childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business#chart.
517 Ariel Fox Johnson, ‘Reconciling the Age-Appropriate Design Code with COPPA’ (IAPP, 2021) https://iapp.org/news/a/reconciling-the-age-appropriate-design-code-with-coppa/; Information Commissioner's Office, 'Age Appropriate Design: A Code Of Practice For Online Services' (2020) https://ico.org.uk/media/about-the-ico/consultations/2614762/age-appropriate-design-code-for-public-consultation.pdf.
518 Matthew Rice, ‘Age-Appropriate Design Code’ (Open Rights Group, 2018) https://www.openrightsgroup.org/publications/age-appropriate-design-code-consultation/.
519 Gerison Lansdown, 'Can You Hear Me? The Right Of Young Children To Participate In Decisions Affecting Them' (Bernard Van Leer Foundation 2005) https://bibalex.org/baifa/Attachment/Documents/114976.pdf.
520 Lauren A. Matecki, 'Update: COPPA Is Ineffective Legislation! Next Steps For Protecting Youth Privacy Rights In The Social Networking Era' (2010) 5 Northwestern Journal of Law and Social Policy page 369, 400 http://scholarlycommons.law.northwestern.edu/njlsp/vol5/iss2/7; COPPA, 16 CFR Part 312.

Alternatively, as a substitute to requiring parental consent in any manner, a ‘balancing test’ can be applied whereby the degree to which data controllers will be permitted to share a user's personal information would relate to the user's age. Children under the age of 13, for example, would have mandatory ‘opt-in’ policies on data collection and processing, with none of their personal information shared without explicit consent. Meanwhile, users over 13 would have default ‘opt-out’ policies unless expressly refused. Such measures could potentially protect children’s best interests.

6.3.3 Age Verification techniques


The state’s use of biometrics and other recent technological innovations that collect intimate information about individuals has renewed interest to protect children who provide their personal data online.521 Given that such information is highly sensitive, online service providers, industry associations, and policymakers are taking steps to implement measures to verify the age of children who use digital products or services that may be potentially harmful. Such verification measures include those that require a child to simply declare their age or submit formal identity documents. Other measures involve relying on verifying a parent’s identity to ensure purposeful and meaningful consent is provided, or estimating the age of the child through behavioural analytics or facial scans.522

Modern verification techniques increasingly rely on the collection of additional data points, some of which have been pointed out in Chapter 1 (Introduction), such as proof of identity through digital IDs, live images of the individual or even the use of facial recognition software. However, this step forward may also run into concerns of excessive data collection and inaccuracy, amongst other potential risks. As a result, these concerns have necessitated stronger data protection laws. In light of these challenges, it is important to note that different levels of technological complexity within verification techniques need to be dependent on context and appropriateness of use, a consideration that is intensified when considering children's data. While opening a bank account,

521 OHCHR, ‘Draft Legal Instrument on Government-led Surveillance and Privacy 16 Including the Explanatory Memorandum 17 Ver 0.6’, (2018) https://www.ohchr.org/Documents/Issues/Privacy/DraftLegalInstrumentGovernmentLed.pdf.
522 Emma Day, 'Digital Age Assurance Tools and Children's Rights Online across the Globe: A Discussion Paper' (UNICEF 2021) https://c-fam.org/wp-content/uploads/Digital-Age-Assurance-Tools-and-Childrens-Rights-Online-across-the-Globe.pdf.

for example, a bank may require the provision of different forms of identification and advanced means of verification to comply with possible know-your-customer (KYC) or anti-money-laundering (AML) legal requirements. Similar identification techniques, such as verification of ID cards or the use of facial recognition technology, may be considered excessive when providing verification to register for a social media account. Therefore, the application of such verification systems may need to be cautiously considered with regards to age-verification measures for children.

While age-verification mechanisms may add an additional layer of safety for children online, it must be recognised that they are not fool-proof, and involve many challenges and opportunities. More importantly, given that age verification requires children to furnish personal information, such as date of birth, the sharing of children’s personal data online may in fact intrude on their privacy and put them at greater risk when the data collection is not proportionate to the objective of such collection.

Online verification of identity, as a result, may be difficult to undertake and prone to misuse with inauthentic users presenting themselves as adults. An obligation could be placed on the data controller to implement user identity verification based on public datasets (e.g., social security number, driver’s license, credit history, electoral roll). This could be done while enabling an audit trail for any regulatory oversight and compliance with regulations that require age verification. However, the same could be challenging, owing to a reliance on public datasets.

In some countries, the non-alignment of existing ID issuance authorities and birth registration authorities for children in rural areas has allowed for ID gaps or duplication, resulting in poor integration of children within the ID system.523 Such roadblocks could potentially disable children from accessing essential digital tools and services that require age verification based on existing digital and real IDs.

Given the lack of a unified legal framework or policy guidance in this regard, appropriate age verification strategies that may require simple self-reporting of age and date of birth are not used by data controllers to ensure adherence with the law. Even when used, if inadequate mechanisms are deployed, it may, in fact, facilitate circumvention of rules.524 Age verification is rarely properly carried out in online settings, in comparison to offline situations, such as when a liquor store owner or casino manager may request patrons to furnish proof of ID to corroborate age and identity information. With an ‘age gate’, users accessing digital products and services are often asked to provide their date of birth, or otherwise state their age, before entering an age-restricted site or purchasing online products, such as alcohol or tobacco. While some controllers offering digital services take limited steps to verify the information provided by the user, such age-gating mechanisms act as the only barrier to content or product purchases that have legal age-based restrictions or limitations. However, such mechanisms may not be sufficient to safeguard against either the illegal purchase of age-restricted goods or services or limit exposure to age-rated advertising. The UK’s Digital Economy Act, 2017, for example, requires that any commercially available pornographic material should not be “normally accessible to persons under the age of 18.”525 Nevertheless, enforcement of such age-verification mechanisms may be limited.

In 2013, the UK’s Office of Communications (OfCom) fined Playboy £100,000 for not implementing adequate age-verification controls to distinguish between credit and debit card purchases on its website, which offers users pornographic content. Given that debit cards can be issued to individuals under age 18, website pornographic content could be accessed by children and adolescents by entering their debit card numbers. OfCom stated that neither age self-verification nor debit card information are valid forms of age verification, and held Playboy liable for failing to protect children online. Playboy avoided the penalty as the payment was processed overseas, however, which was outside OfCom’s limited jurisdiction.526

523 Zoë Pelter and others, 'Government Digital Services And Children: Pathways To Digital Transformation' (UNICEF 2021) https://www.unicef.org/globalinsight/media/1481/file/UNICEF-Global-Insight_e-gov-services-rapid-analysis-2021.pdf.
524 Dr Victoria Nash and others, ‘Effective age verification techniques: Lessons to be learnt from the online gambling industry’, (Oxford Internet Institute 2012-2013) 21 https://www.oii.ox.ac.uk/research/projects/effective-age-verification-techniques.
525 United Kingdom, Digital Economy Act 2017, s 14.
526 Mark Sweney, 'Playboy Fined £100,000 For Offering Porn On Websites Accessible To Children' The Guardian (2013) https://www.theguardian.com/media/2013/jan/16/playboy-fined-porn-accessible-children.

As previously mentioned, children misrepresenting their age is fairly common, with approximately 39 percent of American teenagers, according to one study, falsifying their age in order to access restricted content and services.527 Another EU-backed study has shown how easy it is for children to misrepresent their age and bypass the most popular applications for age verification.528 As a consequence, there is a need to incentivise users to be honest and input their exact age. If it is determined that a user has provided incorrect information relating to their age, data controllers, for example, should consider means to prevent an individual from installing an application on a device which they have previously registered as an underage user.

Age-verification comes with several technical, operational, and legal challenges. Nevertheless, verifying a user’s age and identity does foster trust that children are protected online from age-restricted products, services or content that may be harmful to them.529 It also provides a safer online environment where the freedom of speech and expression of a child can be supported.

527 Mary Madden and others, 'Teens, Social Media, and Privacy' (Pew Research Center, 2013) https://www.pewresearch.org/internet/2013/05/21/teens-social-media-and-privacy/.
528 Liliana Pasquale and others, 'Digital Age Of Consent And Age Verification: Can They Protect Children?' [2020] IEEE Software (Early Access) https://ieeexplore.ieee.org/document/9295422.
529 Emma Day, 'Digital Age Assurance Tools and Children's Rights Online across the Globe: A Discussion Paper' (UNICEF 2021) https://c-fam.org/wp-content/uploads/Digital-Age-Assurance-Tools-and-Childrens-Rights-Online-across-the-Globe.pdf.

Key considerations

While researchers and policymakers have studied the impact of emerging technologies on adults, there is limited research analysing how children and adolescents interact with new technologies. Literature on how to empower children in the digital world is also scarce. To address this gap of knowledge, and better understand existing challenges, it is critical to bring on board experts from diverse fields, including sociology, psychology, technology, law, and communications. The focus of such an approach should account for the cognitive vulnerabilities of young children of different ages, living in diverse cultural contexts and from varying socioeconomic backgrounds. This is especially important when developing regulations that target children’s privacy management and that determine the exact accountability of data controllers who process children’s personal information. In light of the growing online presence of children, through the following mechanisms, children’s data protection within legal frameworks can receive greater attention:

6.4.1 The importance of data minimisation

As more countries and regions adopt new privacy and data protection frameworks in tune with evolving technologies, high standards of privacy by design and default are required of data controllers.530 These requirements can ensure maximum compliance, privacy protection, and data security by collecting only the data that is required for the said product, service, or content.531 Specific measures for data minimisation can be similarly considered in approaching children’s data. By default, such frameworks should mandate limited collection and use of personal data of children by data controllers and processors to the extent that such data is essential for the provision of the service. Any use of personal data that is intrusive should be specifically and individually ‘opted in’ by the child or parent as applicable. For example, Standard 7 of the UK’s Children’s Code prohibits the collection of more personal data than required to provide a service to a child.532 To operationalise this provision, data controllers and processors could be required to differentiate between each individual element of their services in order to determine which personal information may be required for a child to access a required service. Data controllers should further ensure that mechanisms implemented facilitate the empowerment of children online. This can be done by offering them the right tools to exercise their data protection rights, such as: checking the accuracy of data shared or requesting the deletion of existing data; and informing them in a transparent manner about potential risks or harm resulting from data collection and processing.533 A general comment by the United Nations Committee on the Rights of the Child specifies that information provided to parents/caregivers and children related to data storage and processing must be done in a child friendly manner and in accessible formats.534
of the UK’s Children’s Code prohibits the collection

530 General comment No. 25 (2021) on children’s rights in relation to the digital environment (2 March 2021) CRC/C/GC/25, paragraph 70, page 12.
531 Pedro Hartung, ‘The children’s rights-by-design standard for data use by tech companies’ (UNICEF, 2020) https://www.unicef.org/globalinsight/media/1286/file/%20UNICEF-Global-Insight-DataGov-data-use-brief-2020.pdf.
532 Information Commissioner’s Office, ‘Age Appropriate Design: A Code Of Practice For Online Services’ (2020) https://ico.org.uk/media/about-the-ico/consultations/2614762/age-appropriate-design-code-for-public-consultation.pdf.
533 Council of Europe, ‘Recommendation CM/Rec (2018)7 of the Committee of Ministers to member States on Guidelines to respect, protect and fulfil the rights of the child in the digital environment’ (Committee of Ministers, 1321st meeting of the Ministers’ Deputies, 4 July 2018) CM/Rec (2018)7 https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016808b79f7.
534 General comment No. 25 (2021) on children’s rights in relation to the digital environment (2 March 2021) CRC/C/GC/25, paragraph 72, page 12.

6.4.2 Beyond age verification

Some websites and applications, such as those selling alcohol, require users to input their date of birth to verify their current age or ask for parental verification of such information. Legal frameworks, therefore, should necessitate that every user explicitly opts-in and verifies their age to access age-restricted products, services or content and to afford children a basic level of protection.

The UK Government’s Communications Headquarters, along with the Department for Digital, Culture, Media and Sport, studied the challenges involved in verifying children’s online access and discovered the value of assessing the age of children beyond purely age verification measures.535 It observed that the current approach to age verification is simply to distinguish between adults and children instead of categorising age groups depending on their online needs. This process, termed ‘age assurance’, involves understanding potential risks a platform poses and establishing the likelihood of risk to a child accessing the platform. It then applies the appropriate methods of verification proportionate to the degree of risk involved.

It suggests several different methods to 'assure a child's age' online, which is dependent on the degree of confidence and certainty that the platform has in the accuracy of the age provided by the user. This confidence is closely linked to the risk that the platform poses to the child. The methods listed include: a simple age declaration; confirmation of age from a digital parent (where parental responsibilities are extended to other relevant individuals online), peer group or official sources; or authentication from a trusted online provider. These methods can be used individually or in combination with each other on a case-by-case basis.536

For example, it is necessary for the platform to have a moderate degree of confidence in the accuracy of the user’s age in a situation where a platform recognises that there is some degree of risk that it poses to a child. This means that a combination of methods of verification appropriate to this risk must be employed, such as requiring a user to declare their age followed by an automated age verification method using online behaviour; behavioural data from previous use could be one of the ways to confirm the declaration. Furthermore, mechanisms to deter child users from installing an app on a device on which they have previously misrepresented their age can be one of the measures to verify the age of users of applications that may negatively impact users below certain age groups.

535 'VoCO (Verification Of Children Online) Phase 2 Report' (GCHQ, DCMS and the United Kingdom Home Office 2020) p 12, 13 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/934131/November_VoCO_report_V4__pdf.pdf.
536 'VoCO (Verification Of Children Online) Phase 2 Report' (GCHQ, DCMS and the United Kingdom Home Office 2020) p 18 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/934131/November_VoCO_report_V4__pdf.pdf.

6.4.3 Developing digital literacy


As more children and adolescents access online services, there is a growing need to equip them with the knowledge, resources, and tools that will assist them in understanding and assessing the potential risk or harm that digital products, services, and content may cause. The APEC Privacy Framework suggests that if organisations afford children the option to consent to the collection and use of their data, information regarding the exercise of such choice must be provided in a manner that is easily understandable and age appropriate.537 In 2020, a Convention 108 Consultative Committee introduced guidelines on Children’s Data Protection in an Education Setting with recommendations aimed at legislators, policy makers, and data controllers to better protect and support children's rights with regard to the use of educational technology.538 For instance, the Guidelines point out that the deletion of profiles and history should be easy to carry out at the end of a session.

Additionally, government agendas should include the promotion of digital literacy among children, adolescents, teachers, and parents. In 2014, the Czech Republic proposed a Digital Education Strategy aimed at ensuring: non-discriminatory access to digital educational resources; conditions for development of digital skills in students and teachers; the reinforcement of educational infrastructure; and the encouragement of the integration and understanding of digital technologies into schools.539

537 APEC Privacy Framework. Section V, para 26, page 15
538 Consultative Committee on Convention 108, 'Guidelines on Children's Data Protection in an Education Setting' (2020) https://rm.coe.int/t-pd-2019-6bisrev5-eng-guidelines-education-setting-plenary-clean-2790/1680a07f2b; Lisa Archbold and others, 'Children’s Privacy In Lockdown: Intersections Between Privacy, Participation And Protection Rights In A Pandemic' (2021) 3 Law, Technology and Humans 28 https://lthj.qut.edu.au/article/view/1803.
539 Ministry of Education, Youth and Sports, 'The Digital Education Strategy Until 2020' (Prague 2014) https://www.msmt.cz/vzdelavani/skolstvi-v-cr/strategie-digitalniho-vzdelavani-do-roku-2020?lang=1.

CHAPTER 7

DATA PROCESSING AND ACCESS BY GOVERNMENTS

7.1 Introduction

Governments have long accessed data and carried out lawful surveillance for the purposes
of detecting and preventing crime and maintaining public order. These goals have broadly
been interpreted and accepted as legitimate aims on the basis of which states may access and
use personal data, subject to certain safeguards.540 Methods of surveillance have continued
to evolve as technologies and communication systems advance and range from physical
tracking and spying, to intercepting and opening telegrams. In the digital age, far more
sophisticated systems for data surveillance have been created.541

Reasons for data collection and access have been expanding beyond the traditional objectives of law enforcement and national security. Governments have increasingly begun to collect citizens' data on the grounds that they wish to improve and render more efficient the delivery of public services. For instance, the national digital identification programmes of Kenya, India, Estonia, and Spain were built with the goal of better assisting the targeted delivery of services.542

It is no longer debatable that governments have a clear and compelling need to collect and process personal data.543 This access, however, together with permissive legislative and regulatory frameworks for surveillance, increases the scope for privacy violations of citizens. As a measure to protect the privacy of citizens, data protection laws should take into account data protection principles when regulating the collection, access, and use of personal data by governments and their agencies.

540 Jeffrey L Vagle, Being Watched – Legal Challenges To Government Surveillance (New York University Press 2017); United Nations Human Rights Council, 'The Right To Privacy In The Digital Age: Report Of The Office Of The United Nations High Commissioner For Human Rights' UN Doc A/HRC/27/37 (2014) https://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf.
541 'The Evolution Of Spy Tools' (Forbes, 2006) https://www.forbes.com/2006/04/15/intelligence-spying-gadgets_cx_lh_06slate_0418tools.html?sh=6cc700ee65c0; Malone v United Kingdom (1984) 7 EHRR 14; United Nations General Assembly, 'The Right To Privacy In The Digital Age' UN Doc A/RES/68/167 (2013) https://undocs.org/A/RES/68/167.
542 The Aadhaar database has been upheld as constitutional in Puttaswamy v UOI, AIR 2017 SC 4161 https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-ors-vs-union-of-india-ors; See Huduma Namba FAQs 1 and 2, Huduma Namba, 'Frequently Asked Questions' https://www.hudumanamba.go.ke/faqs/; e-Estonia, 'e-Identity' https://e-estonia.com/solutions/e-identity/id-card/; 'Spain’s Digital Private Individual Certificate' https://www.sede.fnmt.gob.es/en/certificados/persona-fisica.
543 Jason M. Weinstein, William L. Drake and Nicholas P. Silverman, 'Privacy Vs. Public Safety: Prosecuting And Defending Criminal Cases In The Post-Snowden Era' (2015) 52 American Criminal Law Review 729.

While there are variations in how language is used in the major human rights conventions, the corpus of international human rights law (including the jurisprudence of the UN Human Rights Committee, the ECtHR, the European Court of Justice (ECJ), the Inter-American Court of Human Rights (IACHR), and the African Court on Human and Peoples’ Rights (African Court)) generally recognises and reconciles the apparent tension between legitimate state interests and privacy by requiring that governmental access to personal data meets certain standards.544 Given that such access to personal data constitutes a prima facie limitation of the right to privacy, it must conform to the requirements that can be distilled from this body of jurisprudence.

This chapter details the safeguards that are applicable to governmental access to personal data, and proceeds as follows:

• First principles of governmental access to personal data under international human rights law (section 7.2): Restrictions to the right to privacy and related rights must: (i) be provided for by law; (ii) not be arbitrary; (iii) pursue a legitimate aim; and (iv) be necessary and proportional to achieving such legitimate aim.
• Exemptions that governments can legitimately claim from data protection obligations (section 7.3): Typically, frameworks allow exemptions for: (i) national security and investigation of crimes; (ii) regulatory functions; and (iii) broader exemptions, subject to adequate data security safeguards.

544 UN Human Rights Council, 'The Right To Privacy In The Digital Age: Report of the Office of the United Nations High Commissioner for Human Rights' UN Doc A/HRC/27/37 (2014) https://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf.

7.2 Government access to personal data and the first principles of international human rights law

Under international human rights law, restrictions on the right to privacy and related rights, including the right to freedom of expression and association, must:

• be provided for by “law”;545
• not be “arbitrary”;546
• pursue a “legitimate aim”;547 and
• be “necessary” and “proportional” to achieving such legitimate aim.548

Lawful restrictions on the right to privacy and related rights are required to comply with all the factors described above. In the context of government access to personal data, measures allowing access must be authorised by law. Such laws must ensure that the collection, access, and use of communications data by the state are carried out only pursuant to specific legitimate objectives. The laws must also specify the circumstances in which interferences by states are allowed, besides authorisation procedures, limits on data retention and storage, as well as oversight procedures over such state access.549

7.2.1 Restrictions on the right to privacy and related rights must be provided for by law

Any measure allowing government agencies access to personal data must have a legal basis or be provided for in a law. This includes laws in their formal sense, such as national legislation, regulations, rules, ordinances, and judicial decisions, as well as other state instruments that are of a binding nature, such as government schemes, policies, etc.550 Data protection legislation often excludes data access for regulatory purposes, law enforcement, or national security purposes from adherence with its provisions.

545 UN Human Rights Committee (HRC), CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation (1988) para 3 https://www.refworld.org/docid/453883f922.html; UN Human Rights Council, 'The Right To Privacy In The Digital Age: Report Of The Office Of The United Nations High Commissioner For Human Rights' UN Doc A/HRC/27/37 (2014) https://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf.
546 UN Human Rights Committee (HRC), CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation (1988) para 4 https://www.refworld.org/docid/453883f922.html; UN Human Rights Council, 'The Right To Privacy In The Digital Age: Report Of The Office Of The United Nations High Commissioner For Human Rights' UN Doc A/HRC/27/37 (2014) https://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf.
547 UN Human Rights Committee (HRC), General comment no. 31 [80], The nature of the general legal obligation imposed on States Parties to the Covenant (2004) CCPR/C/21/Rev.1/Add.13, para 36 https://www.refworld.org/docid/478b26ae2.html; UN Human Rights Council, 'The Right To Privacy In The Digital Age: Report Of The Office Of The United Nations High Commissioner For Human Rights' UN Doc A/HRC/27/37 (2014) https://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf accessed 13 December 2021.
548 UN Human Rights Committee (HRC), General comment no. 31 [80], The nature of the general legal obligation imposed on States Parties to the Covenant (2004) CCPR/C/21/Rev.1/Add.13, para 6 https://www.refworld.org/docid/478b26ae2.html; UN Human Rights Council, 'The Right To Privacy In The Digital Age: Report Of The Office Of The United Nations High Commissioner For Human Rights' UN Doc A/HRC/27/37 (2014) https://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf.
549 UN Human Rights Committee (HRC), CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation (1988) https://www.refworld.org/docid/453883f922.html; UN Human Rights Council, 'The Right To Privacy In The Digital Age: Report Of The Office Of The United Nations High Commissioner For Human Rights' UN Doc A/HRC/27/37 (2014) https://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf.
550 Manfred Nowak, U.N. Covenant On Civil And Political Rights: CCPR Commentary (1993) 382.

Government access may be authorised under separate laws that may provide for adequate safeguards against possible abuse.551 The mere enactment of a law authorising surveillance, however, would not satisfy the requirement of legality. The requirement to be provided for ‘by law’ also implies that such laws should be accessible and sufficiently precise to lay persons to allow them to regulate their conduct accordingly, and predictable enough to enable them to foresee the consequences of their conduct.552

For instance, when dealing with the handling of personal information by the Romanian intelligence services in Rotaru v Romania, the ECtHR ruled that the national law did not clearly define the type of information that could be processed, the categories of individuals who could be surveilled, the circumstances under which the surveillance would occur, or the procedure to be followed.553 Importantly, while secret rules or legislation do not satisfy this requirement of clarity or predictability, the ECtHR has also noted that in the context of covert surveillance, it is enough if the national law contains adequate indications as to the circumstances and conditions for surveillance.554

With specific regard to secret rules, the creation of a ‘surveillance database’ was found in Shimovolos v Russia to be in violation of ECHR’s right to privacy because it was governed by a ministerial order that was not published or made available to the public. Additionally, the ECtHR ruled that the ministerial order did not have sufficient clarity regarding the domestic authorities’ powers to collect and store personal information in the database, and that the interference was therefore not “in accordance with the law.”555

551 I. S. Rubinstein, G. T. Nojeim and R. D. Lee, 'Systematic Government Access To Personal Data: A Comparative Analysis' (2014) 4 International Data Privacy Law.
552 UN Human Rights Committee, General Comment no. 34: Article 19, Freedoms of opinion and expression (12 September 2011) http://www2.ohchr.org/english/bodies/hrc/docs/gc34.pdf.
553 Rotaru v. Romania, (2000) ECHR 192 https://privacylibrary.ccgnlud.org/case/rotaru-vs-romania.
554 Silver and others v. the United Kingdom, (1983) 5 EHRR 347, paras. 85-86; Malone v United Kingdom (1984) 7 EHRR 14 para. 67.
555 Shimovolos v. Russia, (2011) ECHR 987.

7.2.1.1 Framework overview of the requirement for restrictions on the right to privacy and related rights to be provided for by law

Exemptions from data protection obligations under the frameworks are typically required to be based on clear and accessible laws. Convention 108+, the APEC Privacy Framework, the OECD Guidelines and the OAS Principles all acknowledge that exemptions from data protection obligations should be authorised by law and accessible to the public.556 The OAS Principles also require such laws to include the right of data subjects to be informed about any restrictions to the application of the principles, unless it would be incompatible with the purposes of such restrictions. They also note some of the details that any laws restricting the application of the principles should have, including the categories of data, scope of restrictions, and possible risks to the rights and freedom of data subjects, among others.557

7.2.2 Restrictions on the right to privacy and related rights must not be arbitrary

Even if government access is provided for under law, restrictions on the right to privacy and related rights would contravene the principles of international human rights law if they are arbitrary. According to the UN Human Rights Committee, the requirement against “arbitrary interference” is meant to guarantee that even interference provided for by law should be in accordance with the aims and objectives sought to be achieved by such interference, and be reasonable.558 The requirement of non-arbitrariness and legality also means that the law should sufficiently lay down procedures for oversight and accountability.559 For instance, in Benedik v. Slovenia, the ECtHR found that a law used by the police to collect subscriber information that did not have any independent supervision mechanisms did not offer sufficient safeguards against abuse. It also concluded that interference with the right to respect for private life was not in accordance with the law, as required by Article 8 of the ECHR.560

556 Convention 108+, art. 11(1); APEC Privacy Framework, Part I, para 18; OECD Guidelines, Chapter 1, Part 1, para 4; and OAS
Principles with Annotations, Principle 12, p 27.
557 OAS Principles with Annotations, Principle 12, p 27.
558 UN Human Rights Committee (HRC), CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, (8 April 1988) para 4 https://www.refworld.org/docid/453883f922.html.
559 In Benedik v Slovenia, the ECtHR found that the law used by the police to obtain metadata on a subscriber without his consent, did
not have any independent supervision of the use of these police powers, Benedik v. Slovenia, Application No 62357/14, 130.
560 Benedik v. Slovenia, Application No 62357/14, 130.

Box 7.1: The ECtHR’s Minimum Standards for Surveillance Legislation561

• The offences and activities in relation to which surveillance may be ordered must be spelled out in a clear and precise manner.
• The law must clearly indicate which categories of people may be subjected to surveillance.
• There must be strict time limits on surveillance operations.
• Strict procedures must be in place for ordering the examination, use, and storage of the data obtained through surveillance.
• The law must lay down the precautions to be taken when communicating collected data to third parties.
• There must be strict rules on the destruction or erasure of surveillance data to prevent surveillance from remaining hidden after the fact.
• The bodies responsible for supervising the use of surveillance powers must be independent and responsible to, and be appointed by, the legislature rather than the executive.

561 Klass and Others v. Germany, Liberty and Others v. the United Kingdom, Application No 58243/00, 1 July 2008 and Rotaru v. Romania, no. 28341/95, [GC], 4 May 2000 concerning surveillance carried out by the intelligence agencies https://privacylibrary.ccgnlud.org/case/rotaru-vs-romania; Electronic Frontier Foundation and Article 19, 'Necessary & Proportionate, International Principles On The Application Of Human Rights Law To Communications Surveillance Background And Supporting International Legal Analysis' (2014) p 17 https://www.ohchr.org/sites/default/files/Documents/Issues/Privacy/ElectronicFrontierFoundation.pdf.

7.2.3 Legitimate aims for restrictions on the right to privacy and other rights: national security and the prevention and investigation of crimes

International human rights instruments, including the ICCPR and the ECHR, also provide that restrictions on human rights, such as government access to personal data, must pursue a legitimate aim. The legitimate aims in these instruments are typically broadly phrased, such as national security, public safety, as well as the prevention and investigation of crime.562 These are also found in data protection frameworks, and they exempt states and their agencies from compliance with data protection obligations. As will be shown in subsequent sections, the body of jurisprudence from these instruments can be helpful in interpreting the corresponding exemptions in data protection frameworks. For instance, the Explanatory Report to Article 11 of Convention 108+ states that the notion of ‘national security’ should be “interpreted on the basis of the relevant case law of the European Court of Human Rights.”563

7.2.3.1 National security

With an increase in major ongoing international terrorist threats, the focus of security policies, throughout much of the world, has shifted from an ex post facto approach (punishment after the act) to a preventative one that seeks to avoid the incidence of security-related crimes. This forms the background and context to revelations of a few years ago when extensive surveillance programmes by intelligence agencies the world over were justified on the grounds of national security.564

Although all Identified Regional Frameworks (except the AU Convention) include ‘national security’ as grounds for exemption from data protection obligations, none of them define the term. The AU Convention uses the term ‘state security’, but also does not define it.565 Furthermore, the APEC Privacy Framework, the ASEAN DP Framework, the OAS Principles and the OECD Guidelines also recognise national sovereignty as grounds for exemption.566 Justifications such as public safety, public security and public policy are also found in the frameworks.567

Despite attempts being made in various contexts, there is no universally accepted definition of ‘national security’ or the related grounds described above, either within UN jurisprudence or among other international organisations. According to the Johannesburg Principles on National Security, Freedom of Expression and Access to Information (Johannesburg Principles), restrictive measures that purportedly aim to protect national security have to “protect a country's existence or its territorial integrity against the use or threat of force, or its capacity to respond to the use or threat of force, whether from an external source, such as a military threat, or an internal source, such as incitement to violent overthrow of the government.”568 Measures that only seek to protect a government from exposure of wrongdoing, or conceal information about the functioning of its public institutions, or entrench a particular ideology, or suppress industrial unrest, are specifically disavowed as being unrelated to national security.

562 Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, 4 November 1950, ETS 5 (ECHR), art. 8(2). https://www.echr.coe.int/documents/convention_eng.pdf.
563 Explanatory Report to Convention 108+, Para 92, p 26.
564 Arianna Vedaschi, 'Privacy And Data Protection Versus National Security In Transnational Flights: The EU–Canada PNR Agreement' (2018) 8 International Data Privacy Law 124-139; UN Human Rights Council, 'The Right To Privacy In The Digital Age: Report Of The Office Of The United Nations High Commissioner For Human Rights' UN Doc A/HRC/27/37 (2014) https://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf.
565 Art. 9(1)(d), AU Convention, art 19 (1) (d)
566 APEC Privacy Framework, para 18; ASEAN DP Framework, para 4(b); OAS Principles with Annotations, Principle 12; OECD Guidelines, Chapter 1, Part 1, para 4.
567 APEC Privacy Framework, Part I, para 18; ASEAN DP Framework, para 4; AU Convention, Art. 9 (1) (d); HIPCAR Model Legislative Text, s 35; OECD Guidelines, Chapter 1, Part 1, para 4.
568 The Johannesburg Principles on National Security, Freedom of Expression and Access to Information (1996), Principle 2(a), art 19

Similarly, the Siracusa Principles on the Limitation and Derogation Provisions in the ICCPR (Siracusa Principles), which elaborate the grounds for ICCPR limitations, provide that national security can be invoked to justify measures restricting human rights “only when they are taken to protect the existence of the nation or its territorial integrity or political independence.” The Siracusa Principles also stipulate that national security cannot be invoked to impose limitations in cases of isolated incidents of law and order.569

Reference to international human rights case law shows that contestations between national security and impacted rights, such as the right to privacy, are dealt with on a case-by-case basis.570 Indeed, some case law suggests that an exhaustive definition may not be possible. In Esbester v The United Kingdom, the European Commission on Human Rights (now decommissioned) dismissed the complaint by the plaintiff who argued that his privacy had been violated because secret files on his life had been maintained by special police forces, and that the term ‘national security’ had too wide an ambit. The Commission ruled that the plaintiff’s rights were not violated in this case, and that as long as there were sufficient safeguards along with the measures restricting the rights of the individual, a “comprehensive definition of the notion … of national security” was not required.571

In line with this view, the ECtHR’s case law has focused on the conditions with which measures pertaining to national security must comply in order for interferences with the right to privacy and data protection to be justified. In the context of the ECHR’s Article 8 right to respect for one’s private life, these conditions stipulate that interference should be in accordance with the law and justified by legitimate aims, and that they must be necessary in a democratic society.572

Common threads can be identified from case law, however, to gain a better sense of how the legitimate aim of national security is usually applied in the context of the right to privacy and government access to personal data. For instance, storing personal data in a secret police register for the purpose of vetting appointees to sensitive posts in public service was accepted by the ECtHR as appropriately justified by the need for ‘national security.’573 Similarly, surveillance of a person in connection with terrorist activity was also viewed as suitably serving the interests of national security.574

7.2.3.2 Law enforcement purposes

Collection of data for law enforcement purposes also constitutes an interference with the right to privacy, and hence must be based on a clear, accessible law that pursues a legitimate aim, and is limited to measures that are necessary and proportionate to achieve that purpose.575 Law enforcement purposes vis-à-vis access to personal data commonly include the “prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against the prevention of threats to public security.”576 Personal data may usually be accessed by law enforcement agencies for any of these purposes. Relevant agencies for law enforcement include police, criminal courts, and other public or statutory bodies whose functions are relevant for the purposes

569 The Siracusa Principles on Limitation and Derogation Provisions in the International Covenant on Civil and Political Rights, American Association for the International Commission of Jurists (1985), paras 29-30
570 Malone v United Kingdom (1984) 7 EHRR 14; Toonen v Australia, Communication No. 488/1992, (1994) UN Doc CCPR/C/50/D/488/1992; Peck v United Kingdom (2003) 36 EHRR 41; Antonius Cornelis Van Hulst v Netherlands Communication No. 903/1999, U.N. Doc. CCPR/C/82/D/903/1999 (2004); S and Marper v United Kingdom (2008) ECHR 1581 https://privacylibrary.ccgnlud.org/case/s-and-marper-vs-united-kingdom?searchuniqueid=566305; Tristán Donoso v Panamá (2009) IHRL 3064 (IACHR 2009); Escher v Brazil IACHR (ser. C) No. 200/2009; Fontevecchia and D’amico v. Argentina Am. Ct. H.R. (ser. C) No. 238/2011 https://privacylibrary.ccgnlud.org/case/fontevecchia-and-damico-vs-argentina?searchuniqueid=345563; G v Australia (2017), CCPR/C/119/D/2171/2012.
571 Esbester v. The United Kingdom, European Commission of Human Rights, Application No. 18601/91.
572 Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, 4 November 1950, ETS 5, art. 8
573 Leander v. Sweden, IHRL 69 (ECHR 1987), 49.
574 Uzun v. Germany, Application No. 35623/05, (ECHR 2010), 77.
575 Council of Europe, 'Practical Guide On The Use Of Personal Data In The Police Sector' T-PD(2018)01 (Directorate General of Human Rights and Rule of Law 2018) 3 https://rm.coe.int/t-pd-201-01-practical-guide-on-the-use-of-personal-data-in-the-police-/16807927d5.
576 UK Data Protection Act 2018 (c. 12), s 31.

of law enforcement specified above and include revenue authorities among others.

Case law in Europe provides additional detail on the meaning of the broadly worded ‘law enforcement’ justification as a legitimate aim to restrict the right to privacy and other rights. In Uzun v Germany, the ECtHR ruled that surveillance of the applicant via GPS did not violate the applicant’s right to respect for private life because the applicant was being investigated in connection with terrorist bombings. The surveillance was therefore pursuant to the legitimate aims of preventing crime and protecting national security and public safety.577 Ben Faiza v France is another example of what could constitute a justification for law enforcement purposes. In this case, the applicant’s call records had been obtained to triangulate his location pursuant to an investigation concerning the import of drugs, criminal conspiracy, and money laundering. The ECtHR ruled that the measure was justified since it was aimed at pursuing a drug-trafficking operation.578

Just as data controllers and processors are accountable when collecting and processing personal data, so are law enforcement agencies. The CoE’s Practical Guide on Use of Personal Data in the Police Sector recommends that personal data collected at the early stages of the investigation should not continue to be processed if it is found no longer relevant. Police should also regularly ask themselves if collecting data is necessary for a particular investigation or task. An individual’s data should only be processed when there is a link between the person whose data is processed and the purpose of processing (for example, for the investigation or offence). This link should always be demonstrable.579

577 Uzun v. Germany, Application No. 35623/05, (ECHR 2010)


578 Ben Faiza v. France, Application no. 31446/12, (ECHR 2018), para 59.
579 Council of Europe, 'Practical Guide On The Use Of Personal Data In The Police Sector' T-PD(2018)01 (Directorate General of
Human Rights and Rule of Law 2018) 3 https://rm.coe.int/t-pd-201-01-practical-guide-on-the-use-of-personal-data-in-the-police-/16807927d5.

Box 7.2: Germany’s High Threshold for Legitimate Aim(s)


In 2008, the German Federal Constitutional Court invalidated several provisions of the
North-Rhine Westphalian Act on the Protection of the Constitution which authorised
the government to conduct online surveillance of IT infrastructure such as personal
computers. The Court ruled that to qualify as legitimate grounds for surveillance,
there would have to be factual evidence of “a concrete threat to an important legally-
protected interest,” such as a threat to the “life, limb or liberty of a person” or to “public
goods, the endangering of which threatens the very bases or existence of the state, or
the fundamental prerequisites of human existence.”580

7.2.4 Restrictions on the right to privacy and related rights must be necessary and proportionate to the
legitimate aim pursued

National authorities and policymakers have a range of measures and instruments to achieve a
given objective. When choosing which measure or instrument to employ, any negative impact on rights,
including the right to privacy, has to be considered. This is why restrictions or interference with the right to
privacy have to be necessary, as well as proportional to the legitimate aim pursued. According to the UN
Human Rights Committee, the ‘necessity’ requirement is met when, in addition to serving legitimate aims, the
interference is essential to achieving those aims.581 It states that the interference must not just serve the
legitimate aims, but also be necessary to protect them. The restrictive measures must conform to the
principle of proportionality, and must be:

• “appropriate” to protect the legitimate aims;
• the “least intrusive instrument which might achieve the desired result”; and
• “proportionate to the interest” sought to be protected.582

580 BVerfG, Judgment of the First Senate of 27 February 2008 - 1 BvR 370/07 -,1-333, http://www.bverfg.de/e/rs20080227_1bvr037007en.html.
581 UN Human Rights Committee (HRC), CCPR General Comment No. 27: Article 12 (Freedom of Movement), 2 November
1999, CCPR/C/21/Rev.1/Add.9, 223 – 227, 11 – 16 https://www.refworld.org/pdfid/45139c394.pdf.
582 UN Human Rights Committee (HRC), CCPR General Comment No. 27: Article 12 (Freedom of Movement), (1999) CCPR/C/21/Rev.1/Add.9,
223–227, 11 – 16 https://www.refworld.org/pdfid/45139c394.pdf. Although these comments are made in the context of
the freedom of movement, they are applicable to the right to privacy under Art. 17 of the ICCPR. See UN Special Rapporteur on the
Promotion and Protection of Human Rights and Fundamental Freedoms While Countering Terrorism, A/HRC/13/37, (28 December
2009), para. 11 http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf.

Notably, the principle of necessity is interspersed throughout data protection law. For instance, data
minimisation, an important principle of data protection, is based on the understanding that only the necessary
amount of data, and not more information, should be collected to achieve a given legitimate objective.
The necessity and proportionality tests that currently apply to personal data protection originally evolved
in the context of the right to privacy.583 The ECtHR’s case law is helpful in understanding this evolution.
In Klass v Germany, the ECtHR accepted that legislation authorising surveillance was ‘necessary
in a democratic society’ in the interests of national security and/or preventing crime. At the same time,
it ruled that the provisions of such legislation and surveillance measures had to be strictly necessary to
safeguard democratic institutions.584

Subsequently, in Weber and Saravia v Germany, the ECtHR reiterated that surveillance measures could
be necessary for the protection of national security, and that national authorities enjoyed a margin of
appreciation in choosing which measures to employ that best suited the objectives.585 However, the
Court ruled that such measures could only exist with sufficient and adequate guarantees against abuse,
the assessment of which depended on factors such as the “nature, scope and duration of the possible
measures, the grounds required for ordering them, the authorities competent to authorise, carry out and
supervise them, and the kind of remedy provided by the national law.”586

In Kennedy v United Kingdom, while examining the proportionality of the UK’s Regulation of Investigatory
Powers Act which authorised surveillance, the ECtHR noted that:

• citizens had adequate indication as to the circumstances in which they could undergo surveillance;
• surveillance itself was conditional on a warrant;
• the warrant had to sufficiently specify categories of persons and the personal data
that could undergo surveillance, and;
• the warrant had an expiry date after which it would have to be renewed.587

The ECtHR also noted that obtaining and renewing the warrant was conditional on showing that it was
necessary and that there were sufficient oversight procedures to prevent abuse.588

This test for necessity and proportionality has been adopted in varying forms by several jurisdictions
across the world. In 2017, the Indian Supreme Court, while clarifying that the Indian Constitution
guaranteed a right to privacy to Indian citizens, ruled that measures interfering with this constitutional right
would have to pass the proportionality test. The Court, via a plurality opinion, ruled that there has to be a
“rational nexus between the objects…and the means to achieve them.”589 Although the understanding and
application of this test continues to evolve within India’s national context, the proportionality test has
now become a standard feature of privacy and data protection law.590

The European Data Protection Supervisor (EDPS), an independent authority meant to ensure and monitor
the consistent enforcement of data protection rules within EU institutions, bodies, and agencies, has issued
guidance explaining the substance of necessity and proportionality tests. As per the toolkit issued by the
EDPS, the general approach is to ascertain whether a measure is actually necessary before proceeding
to whether it is proportional. It should be noted that the toolkit also recognises a certain overlap between
necessity and proportionality.591

583 Opinion of the Art. 29 Working Party, 27.02.2014, p. 3-4. The Art. 29 Working Party has noted that the right to privacy under Art. 8
of the European Convention of Human Rights has a clear link with the right to personal data protection under Art. 7 of the European
Charter of Fundamental Rights.
584 Klass v Federal Republic of Germany, IHRL 19 (ECHR 1978), 42, 48.
585 Weber and Saravia v. Germany, Application no. 54934/00, (ECHR 2006), 106.
586 Weber and Saravia v. Germany, Application no. 54934/00, (ECHR 2006), 106.
587 Kennedy v United Kingdom [2010] ECHR 682 (18 May 2010), 159 – 169.
588 Kennedy v United Kingdom [2010] ECHR 682 (18 May 2010), 159 – 169.
589 Justice KS Puttaswamy v UOI, AIR 2017 SC 4161, J. Chandrachud https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-ors-vs-union-of-india-ors.
590 Justice KS Puttaswamy v UOI, AIR 2017 SC 4161 <https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-ors-vs-union-of-india-ors>;
Justice KS Puttaswamy v Union of India (2019) 1 SCC 1 <https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-and-ors-vs-union-of-india-uoi-and-ors>;
India, The Draft Personal Data Protection Bill, 2019 currently being reviewed by a
parliamentary committee available at <http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf> accessed 13
December 2021.
591 European Data Protection Supervisor, 'Assessing The Necessity Of Measures That Limit The Fundamental Right To The Protection Of
Personal Data: A Toolkit' (EDPS 2017) 5-6 https://edps.europa.eu/sites/edp/files/publication/17-04-11_necessity_toolkit_en_0.pdf.

Box 7.3: The EDPS Checklist for ‘Necessity’ and ‘Proportionality’ Assessment of Legislative Measures592

The Office of the EDPS has formulated a helpful checklist to determine whether a
proposed legislative measure satisfies the necessity and proportionality requirements.

When assessing necessity, the following steps may be followed:

Step 1 – Is there a factual description of the measure and its purpose?
Step 2 – Does the proposed measure/data processing limit any particular right under
data protection law or otherwise?
Step 3 – Are the objectives of the measure defined?
Step 4 – Is the proposed measure effective and the least intrusive?

To assess proportionality, the following steps may be followed:

Step 1 – Advantages: Is the objective legitimate? Does the proposed measure achieve
the objective and if yes, to what extent?
Step 2 – Disadvantages: What is the scope, the extent and the gravity of limitation on
the rights under data protection law? Furthermore, what is the scope, the extent and
the gravity of limitation on the rights to privacy?
Step 3 – Do the advantages outweigh the disadvantages?
Step 4 – If the disadvantages outweigh the advantages, what safeguards could make
the advantages outweigh the disadvantages?

Jurisdictions such as Jamaica have also adopted tests of necessity and proportionality when assessing the
constitutional validity of national identity databases that collect personal data, including biometric data.
In its ruling on challenges to the implementation of the National Integrated Identity Management System
(NIIMS) or the Huduma Namba digital database, the High Court of Kenya recalled Canadian jurisprudence
and ruled that assessing proportionality was a two-step test.

The first step called for the law to be enacted with a proper purpose whereas the second step includes
three components, which require that: (i) the measure must be carefully designed to achieve the objective;
(ii) the means must violate the right as little as possible; and (iii) there must be proportionality between the
measure and the effect, i.e., the benefit must be greater than the harm to the right. In the end, Kenya’s
High Court ruled that the country’s NIIMS, as at that time designed, did not satisfy the proportionality
test.593

592 European Data Protection Supervisor, 'Assessing The Necessity Of Measures That Limit The Fundamental Right To The Protection Of
Personal Data: A Toolkit' (EDPS 2017) 5-6 https://edps.europa.eu/sites/edp/files/publication/17-04-11_necessity_toolkit_en_0.pdf.
593 Nubian Human Rights Forum and Ors. v The Hon. Attorney General and Ors., Petition 56, 58, and 59 of 2019 (Consolidated), (2020) eKLR,
915, 922 https://privacylibrary.ccgnlud.org/case/nubian-rights-forum-2-ors-vs-attorney-general-6-ors?searchuniqueid=130591.

7.2.4.1 Framework overview of necessity and proportionality requirements

Several of the Identified Regional Frameworks have incorporated these principles. According to
Convention 108+, exceptions to compliance with data protection obligations and protection of the rights of
data subjects include those on the grounds of national security and prevention and investigation of crimes,
but should be provided by law only to the extent that they constitute “necessary and proportionate
measure(s) in a democratic society” to fulfil such aims.594 Although Convention 108+ additionally uses
the term ‘proportionate’, the language is notably reminiscent of the language used in the exception to
the right to privacy of the ECHR’s Article 8.595

The Commonwealth Privacy Bill also incorporates the necessity principle when allowing compliance
exemptions for data protection obligations for the purposes of preventing and detecting crime, or which
are in the interests of national security.596 The GDPR specifically requires restrictions on these grounds
to be “necessary and proportionate measures in a democratic society.”597 Similarly, the HIPCAR Privacy
Framework acknowledges that measures based on these exemptions should be ‘necessary.’598

The OAS Principles provide that derogations or exceptions to data protection principles should “only
be implemented after the most careful consideration of the importance of protecting individual privacy,
dignity and honour.” National authorities should balance “the need for the data in limited circumstances
and due respect for the privacy interests of individuals.”599 Despite the fact that neither necessity
nor proportionality are specifically mentioned, their essence is incorporated to some extent.

The APEC Privacy Framework acknowledges that restrictive measures should account for their
impact on rights,600 but does not otherwise refer to necessity or proportionality. The OECD Guidelines
also only state that “exceptions to the Guidelines on the grounds of national sovereignty, national
security, public safety and public policy should be as few as possible”601 without any reference to the
twin principles of necessity and proportionality. The ASEAN DP Framework and AU Convention appear to
grant broad powers to national authorities to access data without explicitly limiting them by applying the
principles of necessity and proportionality.602

7.2.4.2 Proportionality under other national and international instruments

The principle of proportionality is also recognised in some African State constitutions under their Bill of
Rights’ limitation clauses. This is particularly true for those states that have developed their legal systems
based on common law principles. The proportionality principle is applied to assess the constitutionality
of certain acts, conduct or measures that limit the fundamental rights of individuals, including the right
to privacy that is recognised as a constitutional right in several African jurisdictions.603 The African Court,
however, is yet to pronounce judgments relating to the proportionality principle in the context of privacy.

594 Convention 108+, art 11(3)


595 Whereas Art. 8(1) of the ECHR guarantees the right to respect for privacy and family life, Art. 8(2) allows for interferences where
they are “in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the
economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection
of the rights and freedoms of others.”
596 Commonwealth Privacy Bill, s 10 (c)(f)
597 GDPR, art 13 and recital 19.
598 Explanatory Notes to the HIPCAR Model Legislative Text, s 35, para 52.
599 OAS Principles with Annotations, Principle 12, p 26,
600 APEC Privacy Framework, Part I, para 18 (Nonetheless, Economies should take into consideration the impact of these activities upon
the rights, responsibilities and legitimate interests of individuals and organizations.)
601 OECD Guidelines ‘ para 4
602 ASEAN Data Protection Framework para 4(b); AU Convention, art. 9(1)(d).
603 These include Zimbabwe, South Africa, Namibia, Botswana, Zambia, Nigeria, Liberia, Cote d’Ivoire, Kenya, Guinea, Gambia,
Senegal, Togo, Niger, Benin, Guinea-Bissau, Ghana, Tanzania, Uganda, Ethiopia, Rwanda, Somalia, Lesotho, and Burundi. See Media
Defence, ‘Scope and the Right to Privacy’, Module 4: Privacy and Security Online, available at
https://www.mediadefence.org/ereader/publications/advanced-modules-on-digital-rights-and-freedom-of-expression-online/module-4-privacy-and-security-online/scope-and-the-right-to-privacy/#footnote--3;
see also George Barrie, 'The Application Of The Doctrine Of Proportionality In South African
Courts’' [2013] 28 African Journal of Public Law 40 https://journals.co.za/doi/abs/10.10520/EJC153152.

Based on the UNHRC, ECHR and ECJ jurisprudence, as well as the body of modern data protection
laws, it is evident that the test of necessity and proportionality has become a cornerstone of data
protection.604 At the international and regional levels, the UNHRC,605 acting as the interpretative body on
the ICCPR and the ECHR, has consistently ruled that privacy-intrusive measures by governments should
be necessary and proportional.606 The IACHR has also ruled in a series of decisions that restrictions
on privacy must comply with principles of legality, necessity and proportionality.607 Although not with
respect to privacy, the African Court has also held that interferences with human rights must be
provided by law and be necessary.608

While formulations of the test may vary, the fundamental requirements of specificity, being
rationally connected to the purpose and only imposing the least intrusive measure remain the same across
jurisdictions.

604 Ilian Mitrou and Maria Karyda, 'EU's Data Protection Reform And The Right To Be Forgotten - A Legal Response To A Technological
Challenge?' [2012] 5th International Conference of Information Law and Ethics 3 https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2165245.
605 Toonen v Australia (1994) CCPR/C/WG/44/D/488/1992; Antonius Cornelis Van Hulst v Netherlands (2004) CCPR/C/82/D/903/1999;
G v Australia (2017), CCPR/C/119/D/2171/2012.
606 S and Marper v United Kingdom (2008) Application nos. 30562/04 and 30566/04 https://privacylibrary.ccgnlud.org/case/s-and-marper-vs-united-kingdom?searchuniqueid=652088;
Peck v United Kingdom (2003) 36 EHRR 4; Malone v United Kingdom (1984) ECHR 10.
607 Fontevecchia and D’amico v. Argentina Am. Ct. H.R. (ser. C) No. 238/2011 https://privacylibrary.ccgnlud.org/case/fontevecchia-and-damico-vs-argentina?searchuniqueid=345563;
Tristán Donoso v Panamá IHRL 3064 (IACHR 2009); Escher v Brazil IACHR (ser. C) No. 200/2009.
608 Tanganyika Law Society and the Legal and Human Rights Centre v. Tanzania, Application No. 011/2011; Rev. Christopher R. Mtikila
v. Tanzania Application No. 009/2011.

Box 7.4: Bulk Data Collection and Retention is Permissible Only with Suitable Safeguards

In Digital Rights Ireland v Minister for Communications, Marine and Natural Resources,
the European Data Retention Directive was held invalid by the ECJ. The directive
required all internet service providers (ISPs) and telecommunications service providers
operating in Europe to collect and retain a subscriber's incoming and outgoing phone
numbers, IP addresses, location data, and other key telecom and internet traffic data
for a period of six months to two years.

According to the ECJ, the “retention of data for the purpose of possible access to
them by the competent national authorities directly and specifically affects private life.”
Since such collection and retention would constitute the processing of personal data,
they would have to satisfy data protection requirements. Although the objective of
the Directive to fight serious crime was legitimate, the ECJ ruled that it was still not
proportional because among other reasons:

• It required the collection of data of all persons regardless of whether their
conduct had a link with a serious crime;
• There was no requirement for the data itself to be relevant to any serious
crime, i.e. the data collected did not have to be specific to a particular time or
geographical location;
• The Directive did not lay down any objective criterion to determine access to the
collected data by national authorities. There were no substantive or procedural
conditions for such access. For instance, it did not state that access must be
strictly restricted to prevention and detection of precisely defined serious
offences;
• Access by national authorities was not made dependent on a prior review by a
court or independent administrative body;
• The data was retained for a period between 6 and 24 months, but there was no
distinction made between the categories of data to be retained on the basis of
their usefulness for the objectives being pursued.
• The Directive also did not require the mandatory destruction of the data at the
end of the data retention period.

The ECJ ruled that the Directive was invalid since it did not contain sufficient safeguards
and was not in accordance with the principle of proportionality.

In 2018, the ECtHR considered the question of bulk interception and whether mass
surveillance and intelligence sharing violate international law. The question in Big
Brother Watch and Others v The United Kingdom609 revolved around, inter alia, the bulk
interception of communications by the Government Communications Headquarters
(“GCHQ”), being one of the United Kingdom intelligence services under the TEMPORA
programme. The programme intercepted data from nearly all fibre-optic cables
carrying communications in and out of the UK. Finding the bulk interception unlawful
and incompatible with the conditions necessary for a democratic society, the ECtHR
emphasised the distinctions between targeted and bulk interception. It set down six
minimum safeguards to be set out in laws enabling interception to avoid abuses of
power. These were:610

• the nature of offences which may give rise to an interception order;
• a definition of the categories of people who could have their communications
intercepted;
• a limit on the duration of interception;
• the procedure to be followed for examining, using and storing the data obtained;
• the precautions to be taken when communicating the data to other parties;
• the circumstances in which intercepted data may or must be erased or destroyed.

The Court acknowledged that some of the safeguards described above are not
readily applicable to mass surveillance regimes, but nevertheless noted the need
for robust substantive protection to be developed for such regimes as well, informed
by safeguards developed for targeted interception measures. The Court found that
bulk interception, as a preventive rather than reactive measure, is unable to meet the
conditions of “necessity” and “foreseeability.” It stated “…when a State is operating
such a [bulk interception] regime, domestic law should contain detailed rules on when
the authorities may resort to such measures. In particular, domestic law should set out
with sufficient clarity the grounds upon which bulk interception might be authorised
and the circumstances in which an individual’s communications might be intercepted.”
In the absence of these conditions, the ECtHR held that any bulk interception law
would fall foul of Article 8 of the ECHR, which protects an individual’s right to respect
for their private and family life. However, the Court also noted that mass surveillance
and intelligence sharing in the context of collaboration with the NSA’s PRISM and
Upstream programs were not prima facie violative of international law.

609 Big Brother Watch and Others v. The United Kingdom, (2015) Applications nos. 58170/13, 62322/14 and 24960/15)
https://hudoc.echr.coe.int/fre#{%22itemid%22:[%22001-210077%22]}.
610 Big Brother Watch and Others v. The United Kingdom, (2015) Applications nos. 58170/13, 62322/14 and 24960/15), 335.

Box 7.5: Data transfers from the European Union to the United States

In Schrems I, the ECJ adjudicated on the transfer and storage of the personal data of
European citizens in the US. The Court invalidated the European Commission’s earlier
decision that upheld the adequacy of the US ‘Safe Harbour’ system. This system
allowed the transfer of data of EU citizens to US firms that complied with safe harbour
principles. The Court found that the Safe Harbour framework did not offer equivalent
protection to that in the EU. It also found that interference with fundamental rights
under the Safe Harbour framework was not limited to what was strictly necessary for
the purposes sought to be achieved. This was because it authorised the storage of all
the personal data of all the persons whose data were transferred from the EU to the
US without any differentiation, limitation or exception in the objectives pursued. That
there was no objective criterion laid down for determining the limits of the access
of public authorities to the data and of their subsequent use was also a contributing
factor to the Court’s finding.611

Subsequently, the ECJ’s 2020 Schrems II612 decision examined data transfers out
of the EU in greater detail. It examined the EU-US Privacy Shield, which was a legal
instrument regulating the exchange of personal data between the EU and the US for
commercial purposes. More than 5000 companies relied on the EU-US Privacy Shield
to conduct trans-Atlantic trade. The Court found that the Shield was invalidated due to
concerns of surveillance carried out by US law enforcement and government agencies.
The case arose in the context of the European Commission’s Standard Contractual
Clauses (SCCs) permitting personal data transfers to the US among other jurisdictions.
Max Schrems, the petitioner, argued that Facebook’s transfers of personal data to
its US headquarters could be accessed by US intelligence agencies, which, in the
absence of adequate safeguards, would contravene both the GDPR and EU laws. The
Court found that US law did not permit data subjects to exercise their rights before
US courts and authorities. This lack of safeguards was critical to the ECJ’s decision.
Schrems II requires companies themselves to verify that reciprocal safeguards exist
in countries to which personal data of European citizens are transferred. Despite the
onerous increase in their responsibilities, the Court held that the mere presence of
SCCs was insufficient to ensure protection to personal data whether they are in transit
or transferred to a non-EU State.

611 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, (2015) Case C-311/18 [‘Schrems I’].
612 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, (2020) Case C-311/18 ['Schrems II’].

7.3 Exemptions governments can legitimately claim from data protection obligations

Exemptions granted to governments from adhering to data protection regulations are typically correlated to
the “legitimate aims” of an act that constitutes a prima facie restriction of the right to privacy or private life.
It is to be noted, however, that such exemptions are tempered by the need to conform to the requirements
of necessity and proportionality, laid down in a long series of cases in regional courts, particularly the
several courts in the EU.

7.3.1 National security, and investigation of crimes

As discussed above, all regional data protection frameworks with the exception of the AU Convention
include national security as a reason to exempt states from data protection obligations.

In addition to national security, another justification that is commonly invoked for government access
across the data protection frameworks is the prevention, investigation, and prosecution of crimes.
As explained in section 7.2.3 above, law enforcement agencies often seek or require access to personal
data to investigate serious crimes and offences ranging from money laundering to terrorist bombings.
This can take the form of accessing data which can often be sensitive, such as fingerprint and DNA
profiles, vehicle registrations, CCTV surveillance, criminal records, etc.

Convention 108+, the Commonwealth Privacy Bill, HIPCAR Privacy Framework, the OAS Principles, the
AU Convention and the GDPR exempt compliance with certain data protection provisions on the basis of
investigation and prosecution of criminal offences.613

613 Convention 108+, art 11(1)(a); Commonwealth PPI Bill. s 8, 10, 11; s 35 Explanatory Notes to the HIPCAR Model Legislative Text, s
35; OAS Principles with Annotations, Principle 12, page 26; APEC Privacy Framework, para 18; AU Convention, Articles 14(2)(e) and
(i); GDPR, art. 23; Recourse is within a specific directive, i.e., Directive (EU) 2016/680 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the
purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of Criminal Penalties.

This justification is, however, absent in the APEC Privacy Framework and the ASEAN DP Framework,
which incorporate exemptions related to ‘public policy’ and ‘public safety.’614 The OAS Principles also
note that states may exempt compliance with the principles for “essential public policy prerogatives.”615

7.3.2 Regulatory functions

Exemptions from complying with data protection rights and obligations for regulatory compliance
are also found in some legal instruments, such as the OAS Principles, the HIPCAR Privacy Framework
and the GDPR.616 The HIPCAR Privacy Framework exempts data controllers from their obligations
under the framework and suspends data subjects’ rights where personal data is processed pursuant
to “regulatory functions required of any law.” These functions include protecting members of the public
against financial loss due to dishonesty, malpractice, and similar factors, and securing the health and safety
of persons at work.617 The GDPR, rather broadly, provides exemptions for “monitoring, inspection or
regulatory function(s) connected…to the exercise of official authority” in cases pertaining to: (i) national
security, defence and public security; (ii) prevention, investigation, detection or prosecution of criminal
offences; (iii) other important objectives of general public interest of the Union or a Member State, and;
(iv) breaches of ethics in a regulated profession.618 These grounds can be invoked to limit the scope
of the rights of data subjects, as well as exempt controllers and processors from compliance with
data protection principles. However, necessity and proportionality requirements still apply.619

7.3.3 Data protection obligations that the state is exempt from

The exemptions provided for government agencies vary. However, most of the regional frameworks
have identified specific obligations that government agencies are exempt from in cases where grounds
such as national security, law enforcement and public safety are invoked.

In Convention 108+, Article 11 provides that the obligations of fair processing, purpose limitation, data
minimization and data accuracy, breach notification, transparency, and data subjects’ rights, including the
rights to confirmation, access, rectification, erasure and remedy do not have to be complied with for
the protection of national security, defence, public safety or law enforcement.620 Additionally, Article 11(3)
also provides further exemptions on the grounds of national security and defence. These exemptions
include the preclusion of the Convention Committee from evaluating the effectiveness of the measures
taken to implement the Convention, not having to provide all relevant information to the supervisory
authority in case of cross-border transfers, or having to demonstrate effective safeguards in cases of
cross-border transfers. The AU Convention’s prohibition on disclosure of sensitive personal data through the
collection and processing of data revealing racial and ethnic origin, sex life, genetic information, etc.,
does not apply where a judicial procedure or criminal investigation is instituted.621

Under the Commonwealth Privacy Bill, the national security and law enforcement justifications exempt
public authorities from compliance with transparency provisions. As a result of this, the public authorities
need not inform the individuals concerned of the purposes of data collection, nor the legal basis
for such collection and the intended recipients of

614 ASEAN DP Framework, para 4, APEC Privacy Framework, Part I, para 18.
615 OAS Principles with Annotations, Principle 12, p 26,
616 OAS Principles with Annotations, Principle 12, p 26. It simply acknowledges that national authorities can invoke ‘regulatory compliance’
as a ground for exemption without specifying the content of the ground or the measures that could be exempted; CARICOM HIPCAR
Model Legislative Texts, s 36 - Exemptions apply to compliance with obligations of data controllers and the rights of data subjects
GDPR, art. 23(h).
617 HIPCAR Model Legislative Texts, s 36.
618 GDPR, art 23(h)
619 GDPR, art 23(h).
620 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, (1981) OJ 108, art 11(1)(a).
621 AU Convention, art 14 (2)(c)
the collected data.622 Under the framework, public authorities are required not to share any personal information they hold with any other individual or agency. However, they are exempted from this obligation on various grounds, including for national security and law enforcement purposes.623 Although sharing of personal data across government agencies can increase efficiency and effectiveness of government services, it also increases risks to data security, due to the sharing of access to data resources and the use of personal data for uses different from the purpose for which it may have been initially collected.

In this context, the ECtHR held the measures prescribed in the United Kingdom’s Regulation of Investigatory Powers Act, 2000 (RIPA) to be sufficiently robust. These measures required that personal data could be shared under the Act and should be limited to the minimum necessary for the specified purposes.624 The RIPA required, in this context, that the following criteria should be kept to the minimum: (i) the number of persons to whom the material or data was disclosed or made available; (ii) the extent to which the material or data was disclosed or made available; (iii) the extent to which the material or data was copied, and; (iv) the number of copies that were made.625 Disclosure to persons who were not vetted and did not fall under the “need-to-know” basis is prohibited.626

According to Article 23, the GDPR provides that on the grounds of national security, defence, and public security, EU Member States can restrict by way of a legislative measure the scope of the rights of data subjects and data controller and processor obligations. The operation of data protection principles, to the extent that they correspond to the rights and obligations provided under the GDPR can also be restricted on these grounds. These obligations are also exempt for “important objectives of general public interest,” including public health.627

Unlike the above frameworks that limit exemptions to specific data protection obligations and rights, some regional frameworks completely exempt the application of their provisions for grounds related to national security and public safety. The APEC Privacy Framework provides that the APEC information privacy principles do not apply when government measures are invoked to protect national sovereignty, national security, public safety, and public policy.628 The APEC Commentary, while recognising the importance of state respect for privacy, notes that obligations under the APEC Framework are not meant to impede lawful government actions when used for these purposes.629

The ASEAN DP Framework allows for a broad exemption from its provisions, stating that the framework would not apply to measures adopted by states to “exempt any areas, persons or sectors from the application of the principles,” as well as for matters relating to national sovereignty, national security, public safety, public policy and “all government activities deemed suitable to be exempted”.630 The OECD Guidelines simply provide that exceptions on the grounds of national sovereignty, national security and public policy should be as few as possible and should be made known to the public.631

622 Section 8(3)(d)(v), Model Privacy Bill, s 8(3)(d)
623 Model Privacy Bill, s 11(1).
624 Big Brother Watch and Others v. The United Kingdom, (2015) Applications nos. 58170/13, 62322/14 and 24960/15), 392.
625 Big Brother Watch and Others v. The United Kingdom, (2015) Applications nos. 58170/13, 62322/14 and 24960/15), 392.
626 UK Home Office, 'INTERCEPTION OF COMMUNICATIONS, Code Of Practice' (Pursuant to Schedule 7 to the Investigatory Powers Act 2016) (2018) https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715480/Interception_of_Communications_Code_of_Practice.pdf.
627 GDPR, art 23(1)(e).
628 APEC Privacy Framework, Part I, para 18.
629 APEC Privacy Framework, Part I, para 18.
630 ASEAN DP Framework, para 4.
631 OECD Guidelines, Chapter 1, Part 1, para 4.
In the HIPCAR Privacy Framework, data controllers can be exempt from complying with any provisions in the framework through an order published in the gazette in the interest of national security. Controllers who are public authorities are also exempt from compliance with rights and obligations under the framework, for data processing that is required for the prevention or detection of crime and other specified reasons. Similarly, personal data that is processed for discharging regulatory functions based on written laws are also exempted from these requirements.632

Notably, none of the frameworks exempt government bodies or public agencies from the obligation to impose adequate security safeguards for data that is collected and stored. These include technical and organisational measures to ensure the confidentiality, integrity, and availability of personal data, such as the maintenance of adequate network security, putting in place authorisation and authentication measures, as well as providing device security. The OAS Principles also require that Member States refrain from requesting personal data collected by humanitarian organisations, noting that such data collection could be detrimental to humanitarian operations and the safety of the beneficiaries of such aid.633

“States must take care to narrowly define exemptions from data protection laws in their domestic legislation, and limit actions that can be undertaken pursuant to such exemptions”

632 HIPCAR Model Legislative Texts, ss 35 and 36.


633 OAS Principles with Annotations, Principle 12, p 26.
Key considerations

◊ Government access and collection of data is sometimes necessary to pursue aims such as investigating crimes and upholding national security. To protect individuals against risks to the right to privacy, however, data protection laws provide adequate safeguards and regulate the collection and use of personal data by governments in accordance with data protection principles.
◊ International and national jurisprudence generally requires that restrictions on the right to privacy must be provided by law, not be arbitrary, pursue a legitimate aim, and be necessary and proportional to achieving a legitimate aim. International as well as domestic instruments and case law provide guidance on what each of these factors would entail.
◊ Frameworks studied in this report and national legislation typically exempt states and their agencies from compliance with data protection laws for reasons such as national security, the investigation of crimes, and the performance of regulatory functions. The obligations that states are exempted from vary, though the frameworks do not exempt states from the requirement to impose adequate data security safeguards.
◊ States must take care to narrowly define exemptions from data protection laws in their domestic legislation, and limit actions that can be undertaken pursuant to such exemptions. The exemptions must also be set out in the relevant legislation and be easily accessible, in order to hold government agencies accountable for the use of personal data and protect democratic freedoms.
CHAPTER 8: REGULATION OF CROSS-BORDER FLOWS OF DATA 634

634 Restricted to aspects of cross-border data transfers that are typical to data protection frameworks and not issues like
data sharing for criminal investigation.
8.1 Introduction

Regulation of cross-border flow of personal data has emerged as a critical aspect to consider
within contemporary data protection legislation. At its core, this regulation reflects a constant
tension between the need for seamless internet data flows and governments’ ‘legitimate
need’ to protect citizens’ privacy and prevent data misuse.

This tension has resulted in several legislative and policy proposals around the world. With more than 200 countries either having adopted or proposing to adopt regulations pertaining to cross-border transfer of personal data,635 such laws either restrict international transfer of personal data through ‘conditional data flow regimes’ or create frameworks which impose additional obligations on data controllers to localise personal data.636 Additionally, these laws impose obligations on data controllers to follow certain safeguards to ensure that personal data transferred abroad is secure and protects the privacy of the data subject.

The chapter holistically highlights a possible distinction emerging between data localisation policies and more traditional principles underlying the regulation of personal data flowing across borders in regions such as the EU. Data localisation creates an obligation on data controllers to store or host personal data, either partially or exclusively, within domestic borders. While regulatory triggers for data localisation are often contextual and unique to regional or national needs, a general criticism has gained significant momentum in global discourse that such models create cumbersome or unfeasible data transfer requirements.

Furthermore, the diversity of laws and evolving policies on cross-border data flows has also given rise to concerns about potential fragmentation of the internet and global data processing activity.637 Explicit enactments by several countries of partial or exclusive personal data ‘localisation’ have been identified as being prejudicial to global business models contingent on data transfer, thus affecting investments and growth of the digital economy.638 A policy paper by the European Centre for International Economic Policy (ECIPE) highlights that such localisation requirements by proposed or enacted legislation could reduce GDP by 0.4 percent in the EU and Korea, 0.2 percent in Brazil, 0.1 percent in India. If applied to all sectors of the economy, it projects that the EU and Korea would see a decline of 1.1 percent in GDP and 0.8 percent in Brazil and India.639

This chapter highlights some of the key objectives for provisions that regulate cross-border data flows in proposed or existing legal frameworks. It discusses features of the Identified Regional Frameworks to showcase aspects taken into consideration while regulating such flows of data.

635 F. Casalini and J. López González, ‘Trade and Cross-Border Data Flows’ (2019) OECD Trade Policy Papers 220/2019, OECD Publishing, Paris https://www.oecd-ilibrary.org/docserver/b2023a47-en.pdf?expires=1635245466&id=id&accname=guest&checksum=22994166573CFAE848538C8DF256BF0D.
636 Nigel Cory, ‘Cross-border data flows: Where are the barriers, and what do they cost?’ (Information Technology and Innovation Foundation, 1 May 2017) https://itif.org/publications/2017/05/01/cross-border-data-flows-where-are-barriers-and-what-do-they-cost; Martina F. Ferracane, ‘Restrictions on Cross-Border data flows: a taxonomy’ (2017) ECIPE Working Paper 1/2017 https://ecipe.org/wp-content/uploads/2017/11/Restrictions-on-cross-border-data-flows-a-taxonomy-final1.pdf.
637 UNCTAD, ‘Data protection regulations and international data flows: Implications for trade and development’ (2016), 32 https://unctad.org/system/files/official-document/dtlstict2016d1_en.pdf.
638 Coalition for Cross-border Data Flows, (July 2014) https://aicasia.org/wp-content/uploads/2017/06/Data-Resource-Paper-July-3-1.pdf.
639 European Centre for International Economic Policy, ‘The Costs of Data Localization: Friendly Fire on Economic Recovery’ (2014) https://ecipe.org/wp-content/uploads/2014/12/OCC32014__1.pdf.
8.2 Regulatory objectives and origins of cross-border data flows

There are several regulatory objectives that underpin legislative proposals pertaining to cross-border flows of data. Key among these is the need to ensure that the country to which personal data is being transferred provides a reasonable or comparable level of privacy protection and data security.640 These regulatory objectives emanate from the need to preserve fundamental rights and freedoms enjoyed by data subjects in the country of origin. In other cases, such objectives presumably serve to prioritise business or commercial interests to ensure seamless access to data in order to meet business and service needs.641 Advocates of laws furthering cross border data flows argue that regulated transfers are likely to promote innovation and foster trade by domestic or homegrown businesses and data controllers.642 Lastly, emerging regulations regarding international data transfer or localisation also seek to battle anti-competitive practices by big tech corporations and address concerns associated with national security and digital foreign interference.643

Academics and experts have criticised some of the abovementioned regulatory objectives and advocated for cross-border data flow models which are interoperable, adaptive to evolving data processing technology, and enable global digital trade.644 It is often argued that data decentralisation across national or regional borders is necessary to not only promote innovation, but also to enhance cybersecurity.645 This is especially important to avoid risks of data stores becoming an attractive target for potential security breaches.646 Furthermore, smooth and seamless cross-border data flows are critical to digital trade, communication, research, and service delivery across sectors such as finance, health, and education. This seamlessness of data flows is a vital component of business models for corporate entities across the world647 and several calls have been made to create frameworks that promote or negotiate interoperability among regional privacy frameworks.648

640 GDPR, Recital 101.
641 Christopher Kuner, ‘Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present and Future’ (2011), OECD Digital Economy Paper 187/2011, page 7 http://www.kuner.com/my-publications-and-writing/untitled/kuner-oecd-tbdf-paper.pdf.
642 Coalition for Cross-border Data Flows, July (2014) page 2 https://aicasia.org/wp-content/uploads/2017/06/Data-Resource-Paper-July-3-1.pdf.
643 Idris Ademuyiwa and Adedeji Adeniran, ‘Assessing Digitalization and Data Governance Issues in Africa’ (2020), CIGI Papers 244/2020, page 7 https://www.cigionline.org/sites/default/files/documents/no244_0.pdf.
644 Nigel Cory and Luke Dascoli, ‘How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them’ (Information Technology and Innovation Foundation, 19 July 2021) page 18 https://www2.itif.org/2021-data-localization.pdf; The UNDP Global Centre for Technology, Innovation and Sustainable Developme, 'Enabling Cross-Border Data Flow: ASEAN and Beyond', page 14 https://www.undp.org/sites/g/files/zskgke326/files/migration/sgtechcentre/Cross-border_data_flows_complete_report_UNDP.pdf.
645 BSA, ‘Cross Border Data Flows’ (2017) https://www.bsa.org/files/policy-filings/BSA_2017CrossBorderDataFlows.pdf.
646 Anupam Chander, Uyen P. Le, ‘Breaking the Web: Data Localization vs. the Global Internet’ (2014). Emory Law Journal, Forthcoming, UC Davis Legal Studies Research Paper No. 378, Page 32 https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2407858.
647 BSA, ‘Cross Border Data Flows’ (2017) https://www.bsa.org/files/policy-filings/BSA_2017CrossBorderDataFlows.pdf.
648 Idris Ademuyiwa and Adedeji Adeniran, ‘Assessing Digitalization and Data Governance Issues in Africa’ (2020), CIGI Papers 244/2020, page 7 https://www.cigionline.org/sites/default/files/documents/no244_0.pdf;
One of the first regulatory formulations with regards to cross border data flows can be identified in the 1980 OECD Guidelines, which were subsequently updated in 2013. The OECD Guidelines define ‘transborder flows of personal data’ as ‘movements’ of personal data across ‘national borders.’649 The Guidelines acknowledge that Member States should avoid restricting flows of personal data if the receiving country adheres to the OECD Guidelines, or if sufficient safeguards exist to ensure a continuing level of protection.650 A similar principle allowing free cross-border flows to a country offering ‘comparable safeguards’ for privacy protection was also recognised by the United Nations General Assembly in its 1990 Guidelines for the Regulation of Computerized Personal Data Files.651 In Europe, the regulatory origins on cross-border data flows are found in the 1981 Council of Europe’s Convention for the Protection of Individuals with regard(s) to Automatic Processing of Personal Data, otherwise known as Convention 108.652 As the first binding international instrument pertaining to data protection and the regulation of transborder personal data flows, Convention 108 laid down certain principles and derogations for transborder data flows among parties to the Convention. This legal instrument was modernised in 2018 with the amended instrument referred to as Convention 108+, which directs states against placing a blanket prohibition on the transborder flow of personal data for the purposes of protecting personal data.653 Parties to the Convention are permitted to derogate in specific instances, such as when there is a risk that a transfer (to treaty-parties, or from another treaty-party to a non-Party) would circumvent the Convention’s provisions.654

649 Organisation for Economic Co-Operation and Development, 'The OECD Privacy Framework' (2013), Chapter 1, Part 1, para 1(e) www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.
650 OECD Guidelines, Chapter 1, Part 4, para 17.
651 UN General Assembly, ‘Guidelines for the Regulation of Computerized Personal Data Files’ (14 December 1990) https://www.refworld.org/docid/3ddcafaac.html.
652 Council of Europe, ‘Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’ (1981) ETS 108 https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108;
653 Convention 108+, art 14; While Convention 108 is binding, Convention 108+, which is an amending protocol, is not binding; Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (final dated 18 May 2018) CETS No. 223 https://rm.coe.int/16808ac918.
654 Convention 108+, art 14(1).
The need to balance privacy protections with seamless data flows has been explicitly recognised by binding and non-binding privacy clauses in regional and international instruments which underscore the responsibility to ensure reasonable restrictions while maintaining seamless data flows. For instance, the OECD Guidelines acknowledge that restrictions may be imposed, but such restrictions should not be disproportionate to the risks presented.655 Some regional frameworks, such as the GDPR, have retained a similar approach656 while expanding the duties and obligations of Member States and data controllers, and have adopted a ‘layered approach’ to international data transfers. This involves examining if the third country affords an adequate level of protection, and if not, the data exporter takes it upon themselves to provide the necessary safeguards to ensure protection in the third country.657 Similarly, the APEC Privacy Framework, while making an explicit recognition of the need to protect data subject interests during cross-border flows of data, warns against the imposition of “unnecessary barriers to information flows.”658

These principles are also echoed in existing and emerging privacy frameworks across the globe and are included in most Identified Regional Frameworks.659 Furthermore, while some instruments, such as the APEC Privacy Framework, have been considered less stringent than the EU model due to their voluntary nature, scholars have argued that no single framework is likely to provide a complete solution to address the challenges of cross-border data flows and that ‘incremental answers’ will continue to evolve through global dialogue.660

The following sections examine some notable features of the Identified Regional Frameworks, with regards to the regulation of cross-border personal data transfers, and also identify evolving global practice for the same.

“...no single framework is likely to provide a complete solution to address the challenges of cross-border data flows and that ‘incremental answers’ will continue to evolve through global dialogue”

655 OECD Guidelines, Chapter 1, Part 1, para 18.
656 Paul Schwartz, ‘The EU-US Privacy Collision: A Turn to Institutions and Procedures’ (2013) 126 HLR http://cdn.harvardlawreview.org/wp-content/uploads/pdfs/vol126_schwartz.pdf.
657 Art 29 Working Party, ‘Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995’ (2005) WP 114, 9 https://www.datatilsynet.dk/media/7876/wp114_en.pdf.
658 APEC Privacy Framework, para 36, part iv.
659 African Union’s Convention on Cyber Security and Personal Data Protection (‘AU Convention’), the HIPCAR Model Policy Guidelines and Legislative Text (‘HIPCAR Privacy Framework’), the APEC Privacy Framework, the ASEAN Framework on Personal Data Protection (‘ASEAN DP Framework’), and the Organisation of American States’ Principles on Privacy and Personal Data Protection (‘OAS Principles’)
660 Clare Sullivan, 'EU GDPR or APEC CBPR? A comparative analysis of the approach of the EU and APEC to cross border data transfers and protection of personal data in the IoT era' (2019) 35 CLSR 4 https://www.sciencedirect.com/science/article/abs/pii/S026736491930038X; Graham Greenleaf, Asian Data Privacy Laws: Trade and Human Rights Perspectives (OUP 2014), 4; Christopher Kuner, ‘Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present and Future’ (2011), OECD Digital Economy Paper 187/2011 http://www.kuner.com/my-publications-and-writing/untitled/kuner-oecd-tbdf-paper.pdf.
8.3 Adequacy and conditions for transfer permitting cross-border data flows

8.3.1 Adequacy within Identified Regional Frameworks

Transfer of personal data to another country or territory is often subject to the prevailing laws and protections afforded by the destination country or by those followed by the data controller responsible for the transfer. The existence of an adequate level of data protection as a prerequisite for cross-border flows can be found in the ASEAN DP Framework, HIPCAR Privacy Framework, AU Convention, and the GDPR.661 In these regional and other national662 frameworks, personal data transfers should be made on the basis of a subjective decision - by the relevant authority such as a Data Commissioner - on reciprocity, adequacy or the existence of ‘comparable safeguards’ associated with data protection.663

The adequacy principle rooted in the 1995 EU Data Protection Directive, and currently embedded in the GDPR, has significantly influenced the EU’s data protection regime and global privacy frameworks.664 While these terms and phrases such as reciprocity and adequacy have not been explicitly defined in law, they involve assessing certain elements that determine the existence of a comparable or a reasonable level of data protection in the third country, territory, or international organisation to which personal data is being transferred. In this context, a third country refers to a country outside the European Economic Area (EEA). The European Commission, in such cases, may decide that the third country or territory (or certain sectors in that country) or an international organisation “ensures an adequate level of protection.”665 When considering particular sectors in determining adequacy levels, the implementing act may specify sectoral application of the act.666

Similarly, adequacy (in the case of the AU Convention) can be understood as an “adequate level of protection of the privacy, freedoms and fundamental rights” for data subjects.667 The OAS Principles also outline a framework for the international transfer of personal data. According to the OAS Principles, personal data can be transferred internationally if the data controller is responsible for ensuring that the information is protected. They also provide that the destination state should offer a degree of personal data protection which is in accordance with the standards set out in the Principles, if the personal data is being transferred internationally.668 Thus, the OAS Principles also echo the adequacy principle located in other instruments. The ASEAN Privacy Framework outlines two conditions for the international transfer of personal data. The ‘organisation’ transferring the data should either obtain the consent of the data subject for a transfer, or ensure that the receiving organisation protects the personal data in accordance with the principles of the ASEAN Privacy Framework.669

661 GDPR, art 45; African Union Convention on Cyber Security and Personal Data Protection (27 June 2014), art 14 https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf; HIPCAR, Model Legislative Text, s 7(h) http://caricom.org/documents/16583-privacy_and_data_protection_mpg.pdf; ASEAN Telecommunications and Information Technology Ministers Meeting, ‘Framework On Personal Data Protection’ (16 November 2016), Principle 6(f) https://asean.org/wp-content/uploads/2012/05/10-ASEAN-Framework-on-PDP.pdf.
662 International Conference of Data Protection and Privacy Commissioners (5 November 2009), chapter 15 https://globalprivacyassembly.org/wp-content/uploads/2015/02/The-Madrid-Resolution.pdf; The Data Protection Bill, 2021 (India), The Privacy Amendment Act (Australia), The Personal Information Protection and Electronic Documents Act (Canada)
663 HIPCAR Model Legislative Text, s 19; AU Convention, art 10(6)(k); Internet Society and the Commission of the African Union, ‘Personal Data Protection Guidelines for Africa’ (9 May 2018) https://www.internetsociety.org/wp-content/uploads/2018/05/AUCPrivacyGuidelines_2018508_EN.pdf.
664 UNCTAD, ‘Data protection regulations and international data flows: Implications for trade and development’ (2016), page 32 https://unctad.org/system/files/official-document/dtlstict2016d1_en.pdf.
665 GDPR, art 45(1).
666 GDPR, art 45(3)
667 AU Convention, art 14(6)(a).
668 OAS Principles with Annotations, principle 11, page 23, 24.
669 ASEAN DP Framework, principle 6(f).
It can be observed that regional frameworks such as the GDPR and the AU Convention have adequacy standards for personal data transfer outside the region or to non-member/participating countries that are higher than standards for transfer within the region the framework applies to. Models such as the GDPR provide for specific and contextual adequacy assessments for nations, regions, international organisations, or other specific sectors. Furthermore, all the regional frameworks examined for the purpose of this chapter designate national or regional regulatory bodies or data protection regulators to authorise and govern cross-border personal data transfers. For instance, regulators such as the National Data Protection Authorities (AU Convention) or Data Commissioners (HIPCAR Privacy Framework) are responsible for managing authorisations pertaining to cross-border personal data transfer.670 In the case of the GDPR, the European Commission is tasked with the responsibility of making such assessments pursuant to Article 45. Both frameworks also incorporate respect for fundamental rights and freedoms into adequacy assessments.671

8.3.2 Factors determining adequacy

Regional frameworks provide an exhaustive list of factors to be considered by relevant authorities when making an assessment for adequacy. For instance, the HIPCAR Privacy Framework provides that to make an adequacy assessment for a receiving country, authorities shall examine factors such as the ‘nature of data,’ the countries or jurisdictions involved in the personal data transfer, the nature, purpose, and duration of processing, and the existence of ‘security measures’ for the transfer.672

The GDPR’s Article 45 outlines key considerations that the European Commission needs to follow when making an adequacy assessment. These are as follows: (i) the existing legislative framework and rule of law in the receiving country; (ii) the existence of “data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country;” (iii) the existence of an independent and functional supervisory authority, and; (iv) international agreements or commitments adopted by the country or international organisation, including ‘legally binding conventions or instruments’ or ‘multilateral or regional systems’ associated with personal data protection.673

8.3.3 Transparency, consultation, and monitoring of adequacy assessments

Laws like the GDPR envisage adequacy assessments as dynamic and subject to periodic monitoring. Once a decision on adequacy has been made by the European Commission, the implementing instrument must provide for a “mechanism for periodic review.” Such reviews should take into account ‘relevant’ developments in the third country or international organisation. Furthermore, the Commission is also required to regularly monitor any developments in the country or organisation which may affect the adequacy decision.674

670 AU Convention, art 12(2)(k); HIPCAR Model Legislative Text, s 19(3); GDPR, art 45(1).
671 AU Convention, art 14(6)(a); GDPR art 45(2)(a).
672 HIPCAR Model Legislative Text, s 19(2).
673 GDPR, art 45(2)(a), (b), (c); Rule of law is also a factor for consideration for adequacy in the HIPCAR Privacy Framework, HIPCAR
Model Legislative Text, s 19(2).
674 GDPR, art 45(3), (4); GDPR Recital 106.

In the context of making decisions on adequacy, the GDPR also lays down critical transparency obligations for the European Commission, such as the publication, on its website, of ‘whitelisted’ third countries, sectors, or international organisations. When considering adequacy levels for particular sectors especially, the GDPR states that an implementing act may specify the extent to which adequacy requirements relate to a sector.675 The Commission is also obliged to provide details on sectors or entities which fail to satisfy the adequacy requirements. In instances where the Commission is of the opinion that an adequate level of protection is “no longer ensured,” it shall consult the concerned entities in order to address the situation.676

A similar transparency standard for cross border data flows has not been encoded in the other Identified Regional Frameworks. However, these and existing and evolving national frameworks have been explored below to further understand standards for transparency, monitoring, and decision-making for cross-border data flows.

8.3.4 Deemed adequacy – The development of the EU-US ‘Privacy Shield’

Most regional frameworks have incorporated varying standards of adequacy to assess cross-border data flows. So far, existing GDPR practice lays down an exhaustive standard to carry out adequacy assessments for non-EU countries, international organisations and other sectors. However, the GDPR permits specific and contextual transfers in cases when a nation is not deemed adequate for the purpose of blanket transfers without safeguards. Consequently, in the absence of adequacy requirements, certain industries may proceed with international transfer of personal data through a self-certification mechanism which is deemed adequate.

The EU-US Privacy Shield, which is no longer in effect, is an important illustration of this mechanism. Initially preceded by the ‘Safe Harbour’, personal data transfers from the EU to the US were permitted pursuant to safeguards adhered to by American private organisations and data controllers.677 The Safe Harbour was imposed to ensure that personal data processed by organisations in the United States and the European Union remained protected. It outlined seven compliance principles for companies which consisted of notice, choice, onward transfer, security, data integrity, access and enforcement.678 However, this arrangement was declared invalid in 2015 by the ECJ as a result of the Schrems v Data Protection Commissioner case (Schrems I).679 The court noted that a self-certification system might adhere to an adequate level of protection in accordance

675 GDPR, art 45(3).
676 GDPR, art 45(6); art 45(8), (6); European Commission, ‘Adequacy Decisions: How the EU determines if a non-EU country has an adequate level of data protection’ https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
677 Pankaj Maru, ‘From Safe Harbour to Privacy Shield to GDPR: the journey of data protection laws’ (The Economic Times, 26 May, 2018) https://cio.economictimes.indiatimes.com/news/government-policy/from-safe-harbour-to-privacy-shield-to-gdpr-the-journey-of-data-protection-laws/64327558.
678 Federal Trade Commission, ‘Enforcement of the US-EU and US-Swiss Safe Harbor Frameworks’ https://www.ftc.gov/tips-advice/business-center/guidance/federal-trade-commission-enforcement-us-eu-us-swiss-safe-harbor.
679 Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] EU:C:2015:650 https://privacylibrary.ccgnlud.org/case/maximillian-schrems-vs-data-protection-commission.

with a third country's domestic law. However, the ‘reliability’ of such a system should fundamentally be based on the existence of “effective detection and supervision mechanisms” in the destination country. Such mechanisms would have to identify and punish infringements of rules relating to the right to privacy and personal data protection.680

The European Commission subsequently assessed the limitations and safeguards available in US laws which led to the replacement of the Safe Harbour with the Privacy Shield. The Privacy Shield Principles were issued by the US Department of Commerce to “foster, promote, and develop” international commerce and ensure the protection of EU data subjects. Among other things, the Privacy Shield Principles put in place stronger obligations related to the self-certification mechanisms for companies and mandatory cooperation with Data Protection Authorities when processing certain categories of data. Redress mechanisms for non-compliance were also introduced.681

The ECJ, however, on July 16 2020, in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems682 (Schrems II), invalidated the Privacy Shield while reviewing the Privacy Shield and standard contractual clause (SCCs) arrangements between the EU and US. This was due to critical gaps in US law that permitted surveillance agencies to access EU data subjects’ information for national security investigations. The ECJ, however, noted that Standard Contractual Clauses could be used as an alternative data transfer mechanism to ensure compliance. However, data controllers who intend to use SCCs to transfer data are legally required to carry out an assessment of whether US law provides adequate protections which should be in accordance with EU law. If they cannot guarantee compliance with the SCCs, they cannot use them. In such circumstances, data controllers will have to identify supplementary measures to ensure compliance.683 Data transfers to the US can also be made under certain circumstances such as data subject consent or contractual performance as provided for in the GDPR’s Article 49, which is applicable in cases where no adequacy decision is made for that country.684 The European Commission revised SCCs shortly after Schrems II, dividing the instruments into two categories of use. One is for use between data controllers and processors within the EEA, and the other for transfers to third countries.685 In March 2022, the European Commission and the United States agreed in principle on a new Trans-Atlantic Data Privacy Framework that addresses concerns raised in Schrems II.686

680 Schrems I, para 81.
681 EU-US Privacy Shield Framework Principles, section III, principle 6 https://www.privacyshield.gov/EU-US-Framework; European Parliamentary Research Service (EPRS), ‘From Safe Harbour to Privacy Shield’ https://www.europarl.europa.eu/RegData/etudes/IDAN/2017/595892/EPRS_IDA(2017)595892_EN.pdf.
682 Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems [2020] ECLI:EU:C:2020:559.
683 Schrems II, para 133.
684 Schrems II, para 201, 202.
685 European Commission, ‘Standard Contractual Clauses (SCC)’ (4 June 2021) https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
686 European Commission, ‘European Commission and United States Joint Statements on Trans-Atlantic Data Privacy Framework’ (25 March 2022) https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2087.

8.4 Obligations on data controllers and accountability

8.4.1 Appropriate safeguards and organisational responsibility

In the absence of a decision on adequacy, personal data may be transferred to another country subject to certain safeguards and obligations.

The GDPR outlines certain ‘appropriate safeguards’ for such transfers to take place, and further obligates data controllers to ensure that ‘enforceable data subject rights’ and ‘effective legal remedies’ are present.687 According to the GDPR, these safeguards can be in the form of legally binding instruments only between public authorities or bodies within the EEA to those in third countries/international organisations; these safeguards do not include transfers involving any private entity.688 They can also include Binding Corporate Rules (BCRs) and Standard Data Protection Clauses (SDCs).689 Other safeguards include approved codes of conduct with “binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards.”690 Alternatively, an approved certification mechanism along with a commitment to comply with appropriate safeguards which protect data subject rights, can also act as a safeguard.691 In such instances, the GDPR stipulates that specific permissions from ‘supervisory authorities’ are not required.

The following subsections explore two key GDPR safeguards, namely the Standard Contractual Clauses associated with data protection, and the Binding Corporate Rules. While similar arrangements cannot be immediately identified in other frameworks, these safeguards have emerged as accepted global best practice for organisational transfer of personal data across borders. They may be useful in ensuring accountable and protected transfers of personal data by data controllers and processors.

8.4.1.1 Standard Contractual Clauses

In the absence of a decision on adequacy or the existence of a comparable framework for data protection, the European Commission can, through instruments such as the GDPR, recognise SCCs which contain adequate safeguards and protections for personal data to be transferred internationally. These are model clauses on data security and privacy protection that are approved by the European Commission and can be incorporated and implemented by data controllers or processors. The European Commission has issued modernised SCCs for transfer of data to data controllers and processors established outside the EU/EEA that reflect the GDPR and the implications of Schrems II.692

8.4.1.2 Binding Corporate Rules - Obligations for multi-national corporations

According to the GDPR, a BCR refers to “personal data protection policies” which are implemented by data controllers or processors “established on the territory of a Member State” for situations which entail personal data transfers to data controllers or processors in one or more countries, but within a “group of undertakings, or group of enterprises engaged in joint economic activity.”693 BCRs are approved by national supervisory authorities based

687 GDPR, art 46; GDPR, Recital 108.
688 EDPB, ‘Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies’ (18 January 2020) https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202002_art46guidelines_internationaltransferspublicbodies_v1.pdf.
689 GDPR, art 46(2)(a), (b); GDPR, Recital 109.
690 GDPR, art 46(2)(e), in accordance with the provisions laid down in GDPR, art 40.
691 GDPR, art 46(2)(f), in accordance with the provisions laid down in GDPR, art 42.
692 European Commission, ‘Standard contractual clauses for data transfers between EU and non-EU countries’ https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
693 GDPR, art 4(20); GDPR, Recital 110.

on certain conditions laid down in the GDPR.694

Such BCRs should:695
• contain necessary information and disclosures associated with the data transfer;
• identify the data controllers or processors and the group of undertakings or enterprises;
• describe the nature and extent of data protection principles being complied with;
• include complaint procedures;
• provide mechanisms for “reporting and recording changes to the rules.”

Furthermore, the law imposes a duty on the European Commission to formulate appropriate procedures for BCR associated information exchange between data controllers and processors and the concerned supervisory authorities.

The above-mentioned safeguards outlined in regional frameworks such as the GDPR provide a glimpse of binding security safeguards that must be implemented by data controllers and organisations. There also exist alternative non-binding models of accountability and data security outlined in some of the other Identified Regional Frameworks. The ASEAN Digital Governance Framework contains Model Contractual Clauses for Cross Border Data Flows which are a voluntary standard of terms and conditions that may be included in binding legal agreements between parties. While the clauses are designed for the purpose of transfers within the ASEAN region, the framework provides parties the flexibility to use these clauses with appropriate modifications based on their own discretion.696

The OAS Principles, for instance, require that obligations of a data controller should be recognised through appropriate agreements, contractual provisions or even within technical and organisational security safeguards.697 The APEC Cross-Border Privacy Rules (CBPRs) are an excellent illustration of a ‘government-backed’ privacy certification.698 The CBPRs provide a flexible and voluntary framework for APEC Member States to adopt a minimum standard for data protection, which includes enforceable standards, risk-based protections, and consumer friendly grievance redressal mechanisms.699

694 GDPR, art 47(1).
695 GDPR, art 47(2)(a), (b), (d), (i), (k).
696 ASEAN Digital Governance Framework, Model Contractual Clauses for Cross Border Data Flows, page 4 https://asean.org/wp-content/uploads/3-ASEAN-Model-Contractual-Clauses-for-Cross-Border-Data-Flows_Final.pdf.
697 OAS Principles with Annotations, Principle 11, page 26.
698 ‘What is Cross-Border Privacy Rules System?’ (APEC, 15 April 2019) https://www.apec.org/About-Us/About-APEC/Fact-Sheets/What-is-the-Cross-Border-Privacy-Rules-System.
699 Andrei Gribakov, ‘Cross-Border Privacy Rules in Asia: An Overview’ (Lawfare, 3 January 2019) https://www.lawfareblog.com/cross-border-privacy-rules-asia-overview.

8.5 Derogations, exceptions, and specific grounds for transfer in place of adequacy

There are certain exceptions or circumstances in which adequacy requirements may be bypassed when transferring personal data to another country or organisation. Varying standards of these exceptions may be found in the Identified Regional Frameworks such as the GDPR, the OAS Principles, the HIPCAR Privacy Framework, the ASEAN DP Framework, and the AU Convention. The existence of such derogations or exceptions may appear to be opportunities to bypass critical adequacy assessments or compliance with extensive safeguards and make it “substantially easy” for data controllers to transfer data to third countries. However, these exceptions do not, by themselves, absolve data controllers of the responsibility to protect the personal data being transferred. Instead, they provide flexibility for data controllers in situations where transfer is essential to serve the interests of the data subject or to support important public interest objectives. An explanation for allowing certain conditions to exist may come from efforts to facilitate efficient international data transfers for trade and business activity. For example, data transfers might be necessary to fulfil contractual agreements. In several instances, such derogations or additional grounds are to be narrowly interpreted to ensure that the “exception does not become the rule.”700

The following sections explore common derogations and exceptions in the Identified Regional Frameworks.

8.5.1 Consent of data subject

In some circumstances, the cross-border transfer of personal data is permitted when consent is provided by the data subject. For instance, according to the GDPR, personal data may be transferred to a third country or an international organisation in the absence of an adequacy decision or appropriate safeguards, if the data subject “explicitly consents to the proposed transfer.”701 However, a data subject’s mere consent is not the only criterion that facilitates a data transfer to take place in such situations. The GDPR stipulates that such consent would be considered meaningful only if the data subject has been “informed of the possible risks of such transfers.”702

The GDPR standards of consent for personal data transfer have evolved considerably when compared to the EU’s Data Protection Directive. The GDPR now provides for explicit consent and reflects a significant deviation from the EU Data Protection Directive’s requirement for a relatively lower standard of unambiguous consent.703 It should be pointed out that the GDPR states that consent as a condition for personal data transfer shall not be applicable to activities carried out by public authorities “in the exercise of their public power.”704

Meanwhile, the HIPCAR Privacy Framework also outlines data subject’s consent as grounds for a limited form of transfer of personal data in the absence of adequacy. It allows for such a transfer to take place if the Data Commissioner determines that it can be done in a manner that would limit the breach of the data subject’s rights.705

700 Article 29 Working Party, ‘Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995’ (2005) WP 114, 7, cited in Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 (2018), EDPB https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf; Additional Protocol to Convention 108 on the control authorities and crossborder flows of data (2001) ETS 181, art 2(2)(a) http://conventions.coe.int/Treaty/EN/Reports/Html/181.htm.
701 GDPR, art 49(1)(a); GDPR, art 46.
702 GDPR, art 49(1)(a); EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’ (4 May 2020) https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf.
703 GDPR, art 49(1)(a); Article 29 Working Party, ‘Opinion 15/2011 on the definition of consent’ (13 July 2011) https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf.
704 GDPR, art 49(3).
705 HIPCAR Model Legislative Text, s 19(4), page 25.

8.5.2 Contractual necessity

In instances where a receiving country’s laws are deemed to be inadequate for the purpose of personal data protection, transfers may be permitted if it is necessary to process such data to comply with a contract, or if the pre-contractual arrangements requested by the data subject compel data controllers or exporters to adhere to baseline norms of data protection. The test of necessity and ensuring that data transfers are “occasional” are key safeguards for this derogation that data exporters need to include in their assessments of data transfers. For instance, the GDPR allows for contractual necessity to be invoked as grounds for the transfer of personal data if a decision on adequacy has not been made or if appropriate safeguards provided for in Article 46 (transfers subject to appropriate safeguards) are not present. In such cases, personal data may be transferred if it is “necessary for the performance of a contract between the data subject and the data controller” or for the implementation of ‘pre-contractual measures’ which may take place at the data subject’s request.706 It also stipulates that personal data may be transferred if it is necessary for the conclusion or performance of a contract “concluded in the interest of the data subject between the controller and another natural or legal person.”707 None of these provisions, however, are applicable to activities carried out by officials “in the exercise of a public power.”708

8.5.3 Transfer necessary for public or vital interest or carried out by a public authority

Personal data may be transferred internationally if a data subject’s life is at risk, where a data subject is physically or legally incapable of providing consent, or where a significant public interest objective has been invoked. The GDPR explicitly states that personal data may be transferred to a third country or an international organisation if it is necessary for “important reasons of public interest.”709 However, the GDPR also states that matters of public interest should be laid down in EU law or Member State law as applicable to the data controller.710

Similarly, the OAS Principles also include an equivalent consideration where transfers of personal data are not restricted between humanitarian organisations and entities that provide humanitarian services. This is based on the reasoning that these organisations might need to engage in such transfers to safeguard the vital interests of data subjects or for the purposes of public interest.711

The GDPR’s ‘vital interest’ condition accounts for public health outbreaks or emerging health situations whereby the health or life of the data subject may be at risk. Contemporary data protection laws take into account circumstances that make it practically unfeasible to obtain an adequacy assessment in a timely manner. In such cases, the “imminent risk of serious harm” outweighs privacy concerns. Such a derogation may also be enforced during natural disasters when the transfer of personal data is necessary for “rescue and retrieval operations”712 or pandemics or public health outbreaks when the cross-border flow of personal data is critical for health and safety responses.

For instance, the COVID-19 pandemic has prompted nations and private entities to develop contact-tracing applications, formulate plans for vaccine research, and gather data for effective medical and social responses. In some cases, data protection regulators have issued advisories and clarifications on data protection frameworks to ensure seamless data flow while also protecting the rights and interests of the data subjects involved. EU Agencies have been playing an active role in this context. Recognising the

706 GDPR, art 49(1)(b).
707 GDPR, art 49(3).
708 GDPR, art 49(1)(d).
709 GDPR, art 49(1)(d).
710 GDPR, art 49(1)(4).
711 OAS Principles with Annotations, Principle 11, page 24.
712 EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’ (2018) https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf.

need for measures to combat the COVID-19 pandemic as a public interest objective, the EU issued guidelines for data transfers when ‘strictly necessary.’713 In 2020, the European Commission also set up an interoperability gateway service linking national contact-tracing applications across the EU to safely exchange information between the applications based on a decentralised architecture.714 As part of this initiative, Member States involved adopted a toolbox with guidance for such contact tracing mobile applications which necessitate that these applications are privacy preserving.

8.5.4 Additional considerations and grounds for transfer

8.5.4.1 Restricted and redacted transfers

According to the HIPCAR Privacy Framework, a restricted data transfer may be permitted by the Data Commissioner when the receiving country does not have adequate or comparable levels of data protection to limit the breach of a data subject’s rights if the data subject consents to such transfer, and if critical aspects of the information are suitably redacted or removed.715

8.5.4.2 Transfers in exercise or defence of legal claims

The GDPR permits cross-border flow of personal data in the exercise or defence of legal claims and when transfers are made from a “register which according to European Union or Member State law is intended to provide information to the public.” Additional safeguards are provided for in the law for the transfer of data in such situations.716

8.5.4.3 Transfers in pursuance of a compelling legitimate interest

The GDPR also contains a residuary provision that permits transfer of personal data in the absence of an adequacy decision or appropriate safeguards in instances where the transfer is necessary for the purpose of a ‘compelling legitimate interest,’ and which does not offend the rights and freedoms enjoyed by the data subject.717 In this scenario, a compelling legitimate interest would include situations when transfer is necessary for the performance of a contract, to support important public interest objectives and to protect the data subject’s vital interests.718 In addition, such a transfer is only permitted when it is not repetitive and is associated with a limited number of data subjects.719

The residual clause also places an obligation on the data controller to ensure the presence of sufficient safeguards to protect the personal data for such transfers, to provide necessary information to the ‘supervisory authority’, as well as to the data subject.720 The GDPR also states that in situations when an adequacy decision has not been made, EU or Member State laws may for important reasons of public interest, outline restrictions for the transfer of certain categories of personal data and that the European Commission be notified of these legal provisions.721

713 EDPB, ‘Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak’ (2020) page 8, 12 https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf; https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_letter_out2020-0030_mep_duris_covid19_en.pdf.
714 ‘EU interoperability gateway goes live, first contact tracing and warning apps linked to the system’ (19 October 2020) https://ec.europa.eu/commission/presscorner/detail/en/ip_20_1904.
715 HIPCAR Model Legislative Text, s 19(4).
716 GDPR, art 49(1)(e), (g) and art 49(2).
717 GDPR, art 49(4); GDPR, art 49(1)(2).
718 GDPR, art 49(1)(b), (d), (f).
719 GDPR, art 49(1)(2).
720 GDPR, art 49(1)(2), art 49(6).
721 GDPR, art 49(5).

8.6 Non-compliance, sanctions and penalties

Some of the Identified Regional Frameworks outline specific offences and penalties for violations of the norms regulating cross-border information transfers. For instance, the HIPCAR Privacy Framework stipulates that transferring personal information without proper authorisation is a criminal offence and can attract imprisonment or a penalty.722 The GDPR also includes penalties that subject an entity to “administrative fines up to 20,000,000 Euro” for violating the cross-border data flow provisions included in Articles 44-49. In the case of an ‘undertaking’, the fine for an entity should represent as much as “4% of the total worldwide annual turnover.”723 Specific frameworks for offences and penalties for violating provisions of cross-border flows can also be located in domestic legislation.724

722 HIPCAR, Model Legislative Text, s 74.
723 GDPR, art 83 (5).
724 Report of the Joint Committee on the Personal Data Protection Bill, 2019, s 57(2)(d) available at https://prsindia.org/files/bills_acts/bills_parliament/2019/Joint_Committee_on_the_Personal_Data_Protection_Bill_2019.pdf; Alexander Gurkov, Personal Data Protection in Russia (2021) The Palgrave Handbook of Digital Russia Studies, section 6.3.3; Rogier Creemers and Graham Webster, ‘Translation: Personal Information Protection Law of the People’s Republic of China – Effective Nov. 1, 2021’ (DigiChina Stanford University, 20 August 2021) https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/.

Box 8.1 - Data Transfer Mechanisms for Law Enforcement


For cross-border crimes, the transfer and sharing of personal data of individuals under
investigation is critical to ensure efficient investigations.725 One of the ways in which
such data has traditionally been shared is through Mutual Legal Assistance Treaties
(MLATs), which are treaties or agreements between two or more countries that allow
for law enforcement to cooperate, collect, and transfer information from one country
to another in order to assist with the investigation of criminals.726 In cases where
there are no MLATs, the traditional method of Letter of Request can be made by a
court of law of one country to another.727 The G8 24/7 Cybercrime Network, which
includes 80 countries, attempts to supplement and enhance these traditional methods
of data sharing. This network allows for the preservation of electronic evidence by
participating countries, as well as the sharing of information through MLATs or Letters
of Request.728 The GDPR’s Article 48 recognises these methods, but provides that an
international transfer of personal data as requested by the courts or administrative
authorities of a third country can only take place through international agreements like
MLATs between the ‘requesting third country’ and the concerned EU Member State.

725 Peter Swire and Justin D Hemmings, 'Mutual Legal Assistance in an Era of Globalized Communications: The Analogy to the Visa
Waiver Program' (2016) 71 NYU Ann Surv Am L 687.
726 ICC Commission, ‘Using Mutual Legal Assistance Treaties (MLATs) To Improve Cross-Border Lawful Intercept Procedures’ (2012)
Document No. 373/512 https://www.icc-portugal.com/images/publicacoes/documentos_gratuitos/Economia_Digital/ICC_policy_
statement_on_Using_Mutual_Legal_Assistance_Treaties_(MLATs)_To_Improve_Cross-Border_Lawful_Intercept_Procedures_
(2012).pdf.
727 Philip F. Sutherland, ‘The Use of the Letter of Request (Or Letter Rogatory) for the Purpose of Obtaining Evidence for Proceedings in
England and Abroad’ (1982) 31 The International and Comparative Law Quarterly 784 https://annualsurveyofamericanlaw.org/wp-
content/uploads/2017/04/71-4_swirehemmings.pdf.
728 Organization of American States, ‘The G8 24/7 Network of Contact Points Protocol Statement’ http://www.oas.org/juridico/english/
cyb_pry_g8_network.pdf.

One of the concerns around traditional instruments such as MLATs is that they are time
consuming and may impede critical law enforcement activity. Moreover, the request
for data sharing may also be rejected.729 For this reason, many countries are opting
for laws and policies that facilitate the direct and efficient cross-border sharing of
personal data for law enforcement purposes, such as the Clarifying Lawful Overseas
Use of Data (CLOUD) Act in the United States.730

In Europe, the EU Law Enforcement Directive (LED) consists of legislation that deals with
the protection and free movement of personal data that is used for the investigation,
detection or prosecution of criminal offences between relevant European authorities.
The LED also provides that personal data must be processed only for the purposes
mentioned in the directive, and in a manner that ensures security and confidentiality of
the personal data.731 In addition, it also provides for the rights of the data subject, such
as access to the information that is being processed.732 The GDPR and LED function
in a complementary fashion to each other. While the GDPR provides for general rules
regarding the protection and free movement of personal data, the LED focuses on the
processing and movement of personal data for the purpose of criminal investigations
and prosecution.733

729 Smriti Parsheera and Prateek Jha, ‘Cross-Border Data Access for Law Enforcement: What Are India’s Strategic Options?’ (2020)
Carnegie Endowment For International Peace https://carnegieendowment.org/files/ParsheeraJha_DataAccess.pdf.
730 18 US Code § 2523 https://www.govinfo.gov/content/pkg/USCODE-2019-title18/pdf/USCODE-2019-title18-partI-chap119-sec2523.
pdf.
731 Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities
for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties,
and on the free movement of such data [2016] OJ L 119., art 1 and art 4.
732 EU Law Enforcement Directive, art 14-18.
733 Mark Leiser and Bart Custers, 'The Law Enforcement Directive: Conceptual Challenges of EU Directive 2016/680' (2019) 5 Eur Data
Prot L Rev 367.

Box 8.2 – The impact of data localisation on data transfers


Data localisation has emerged as a key priority for several national jurisdictions with
over 62 countries considering substantive legislation or planning upcoming policies.734
It essentially involves the development of regulations or policies that oblige data
controllers to physically store personal data within the territorial boundaries of that
country. Data localisation restricts the transfer of data to third countries and these
restrictions can be unconditional or conditional. Unconditional restriction means that
there is a restriction in terms of the transfer of all data outside the country irrespective
of the sector. This can be seen in China and Russia, where no data can be transferred
outside the country.735 While conditional restrictions limit the transfer of data based
on the level of data protection in the third country, there can also be restrictions on
data transfers in some sectors. For instance, personal electronic health sector data, in
Australia, cannot be held or transferred to other countries.736 Other countries (such as
Vietnam) ensure that all forms of their citizens’ personal data are stored locally. Turkey
has introduced an unconditional restriction on the financial sector to not transfer
payments’ data.737

734 Nigel Cory and Luke Dascoli, ‘How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address
Them’ (Information Technology and Innovation Foundation, 19 July 2021) page 18 https://www2.itif.org/2021-data-localization.pdf.
735 Scott Livingston, Graham Greenleaf, ‘Data Localisation in China and Other APEC Jurisdictions’ (2016) 143 Privacy Laws and Business
International Report, 22-26 [2017] UNSWLRS 11 http://www5.austlii.edu.au/au/journals/UNSWLRS/2017/11.pdf.
736 Personally Controlled Electronic Health Record Act 2012, s 77
737 Arindrajit Basu, Elonnai Hickok, and Aditya Singh Chawla. ‘The Localisation Gambit Unpacking Policy Measures for Sovereign
Control of Data in India’ (2019) The Centre for Internet and Society, India https://cis-india.org/internet-governance/resources/the-
localisation-gambit.pdf.

Countries that have advocated for stringent data localisation norms often cite factors
associated with national security and citizens’ protection as key regulatory objectives.
It is argued, for instance, that local storage of personal data ensures better access for
the purpose of domestic law enforcement.738 However, it has also been contended
that strengthening and making more efficient MLATs and other international
agreements (such as the Council of Europe’s Convention on Cybercrime) will support
law enforcement without hampering the nature of the internet.739

Many countries exhibit a preference for localisation norms owing to concerns regarding
foreign surveillance.740 Concerns associated with protecting national security and
preventing cybercrime and data breaches are also additional factors which have
brought about specific localisation policies in several jurisdictions.741

Some of the arguments cited in favour of data localisation, such as enhanced
cybersecurity, have been refuted by scholars, experts and civil society.742 There is a
general concern that state policies on data localisation will significantly transform the
nature of the internet and unfairly restrict cross border data flows, thereby hampering
digital trade.743 Furthermore, the collection and storage of personal data within the
country may, in fact, result in a scenario where consolidated data stores become an
easy target for data security breaches or domestic surveillance.744 Lastly, strict data
localisation norms would significantly increase compliance costs for data controllers.745

738 Han-Wei Liu, ‘Data Localization and Digital Trade Barriers: ASEAN in Megaregionalism’ in Pasha L Hsieh and Bryan Mercurio,
ASEAN Law in the New Regional Economic Order: Global Trends and Shifting Paradigms (Cambridge University Press 2019)
739 Anupam Chander, Uyen P. Le, ‘Data Nationalism’ (2015) 64(3) Emory Law Journal https://scholarlycommons.law.emory.edu/cgi/
viewcontent.cgi?article=1154&context=elj.
740 Jonah Hill, ‘The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Business
Leaders’ (2014) The Hague Institute for Global Justice, Conference on the Future of Cyber Governance http://dx.doi.org/10.2139/
ssrn.2430275.
741 Dennis Broeders, ‘Aligning the international protection of ‘the public core of the internet’ with state sovereignty and national security’
(2017) 2(3) Journal of Cyber Policy 366 https://www.tandfonline.com/doi/abs/10.1080/23738871.2017.1403640.
742 Daniel Castro, ‘The False Promise of Data Nationalism’ (2013) Info Tech and Innovation Foundation (December 2013)
The Information Technology and Innovation Foundation http://www2.itif.org/2013-false-promise-data-nationalism.pdf?_
ga=2.78495325.87137249.1616122463-1857304164.1613993804.
743 Neha Mishra, ‘Data Localization Laws in a Digital World: Data Protection or Data Protectionism?’ (2016) The Public Sphere, NUS
Centre for International Law Research Paper 19/05, 142 https://psj.lse.ac.uk/articles/45/galley/44/download/.
744 Tatevik Sargsyan, ‘Data localization and the role of infrastructure for surveillance, privacy, and security.’ (2016) 10 International
Journal of Communication https://ijoc.org/index.php/ijoc/article/viewFile/3854/1648; Anupam Chander, Uyen P. Le, ‘Breaking the
Web: Data Localization vs. the Global Internet’ (2014).
Emory Law Journal, Forthcoming, UC Davis Legal Studies Research Paper No. 378, Page 32 https://papers.ssrn.com/sol3/papers.
cfm?abstract_id=2407858.
745 Dan Svantesson, ‘Data localisation trends and challenges: Considerations for the review of the Privacy Guidelines’ (2020) OECD
Digital Economy Papers 301/2020 https://doi.org/10.1787/7fbaed62-en.

Key Considerations

◊ Whether a state provides adequate levels of data protection is critical in determining
whether it can engage in data flows. Various legal instruments provide for differing
standards to assess adequacy criteria. It is vital, however, that such assessments
be made by independent authorities in a manner that is transparent, consultative, and
reasonable.
◊ In the absence of adequacy, there are obligations of data protection that may be
placed on data controllers by necessitating certain safeguards. These may take the
form of instruments, such as contractual clauses that contain protections for personal
data or even certification mechanisms that place such protection commitments on data
controllers.
◊ Sufficient flexibility within frameworks should be provided. However, these derogations
should be narrowly crafted with adequate protections. This is in order to ensure fair
use and to allow for suitable changes and allowances for context specific transfers by
using derogations which include consent, contractual or public interest necessity.
◊ Frameworks should also include provisions for adequate and proportional penalties
for non-compliance and for domestic enforcement measures in the law.
◊ A broader concern to take into consideration is that both geographical and organisational
norms for cross-border data flows need to co-exist. For instance, an adequacy requirement
between countries is a geographical standard. Meanwhile, accountability, as set
out by the APEC Privacy framework and through instruments such as SCCs and
BCR, constitutes more of an organisational approach that is context specific.
◊ It is also important that accountability measures of supervisory authorities/regulators,
as well as data controllers, take into consideration the actions and practices of the
receiving country/organisation. This means ensuring that once personal information has
been collected by an organisation, they continue to be accountable, for instance, through
contractual clauses or rules to protect that data even if it moves from one jurisdiction
to another.

CHAPTER 9

STRUCTURE OF REGULATORY AUTHORITIES, OFFENCES AND PENALTIES

9.1 Introduction

Regulatory bodies play an important role in enforcing data protection laws and regulation.
They are central to ensuring the implementation of data protection and security standards
and penalising actions that harm data subjects.746 They are typically designed to act as
independent governmental bodies,747 and are either set up expressly for data protection
purposes, or are required to oversee and enforce data protection in addition to other existing
responsibilities.748

They may have adjudicatory powers and can be tasked with a host of other obligations. These
powers may include the effective implementation and enforcement of relevant legislation,
protection of data subjects’ rights, subordinate rulemaking, and advising the state or
public bodies on regulatory frameworks and issues relating to data protection.749
Rulemaking powers can also be shared with the executive in some cases. The Commonwealth PPI
and Privacy Bills (Commonwealth Bills) and HIPCAR Privacy Framework, for instance, allow
the relevant Minister (assigned responsibility for information/public administration) to
develop regulations to enforce the frameworks and prescribe necessary measures, subject
to approval by Parliament.750

746 E.g. Graham Greenleaf, Asian Data Privacy Laws: Trade and Human Rights Perspective (1st edn, OUP 2014), 3-4.
747 However, independence in practice can be difficult to achieve. See Philip Schütz, ‘Comparing formal independence of data protection
authorities in selected EU Member States’ (4th Biennial ECPR Standing Group for Regulatory Governance Conference, Karlsruhe,
2012).
748 States need not necessarily set up new regulatory bodies for this purpose. For e.g., the UK’s Information Commissioner’s Office,
which is charged with implementing data protection regulation in addition to other functions, has been in existence since 1984. The
Information Commissioner’s Office deals with information rights and covers a wide range of legislation, such as those relating to data
protection, freedom of information, electronic communications, etc. See ‘History of the ICO’ (ICO) https://ico.org.uk/about-the-ico/
our-information/history-of-the-ico/ accessed 19 October 2021; see also ‘Legislations we cover’ (ICO) https://ico.org.uk/about-the-
ico/what-we-do/legislation-we-cover/.
749 The GDPR, for instance, requires States to set up independent public authorities to monitor and supervise the application of data
protection law and provides various investigative and corrective powers to the authorities. See ‘What are Data Protection Authorities
(DPAs) and how do I contact them?’ (European Commission) https://ec.europa.eu/info/law/law-topic/data-protection/reform/
rights-citizens/redress/what-are-data-protection-authorities-dpas-and-how-do-i-contact-them_en; in contrast, the US does not
have a specific federal data protection authority, but the Federal Trade Commission is authorised to enforce privacy regulations in
specific areas. State attorney generals and sector-specific regulators can also issue and enforce some privacy legislation. See ‘Protecting
Consumer Privacy and Security’ (Federal Trade Commission) https://www.ftc.gov/news-events/media-resources/protecting-
consumer-privacy-security accessed 19 October 2021.
750 Commonwealth Privacy Bill, Part V, s 38; Commonwealth PPI Bill, s 44; HIPCAR Model Legislative Text, s 80.

Each of the Identified Regional Frameworks provides a varying level of detail about the
regulatory structure and the supervisory or enforcement authority in charge of implementing
obligations under the frameworks (Regulator). This is because some frameworks provide
states with more leeway than others to design the structure and define the roles of
Regulators in their domestic contexts. The OECD Guidelines, the APEC Privacy Framework,
and the OAS Principles, for instance, provide very limited guidance on the Regulator and
regulatory structure (Please refer to Box 1). The ASEAN DP Framework, meanwhile, does not
contain any details about the regulatory structure or the Regulator. The APEC Privacy
Framework, however, applies to most ASEAN countries.751

Frameworks that provide more detailed guidance on the regulatory structure and Regulator
are the GDPR, Convention 108+, the AU Convention, the HIPCAR Privacy Framework, and the
Commonwealth PPI and Privacy Bills (Specified Frameworks). Under the Commonwealth Bills,
the Commonwealth Privacy Bill creates the office of the Privacy Commissioner, which is
also applicable to the Commonwealth PPI Bill. For this reason, references to the Privacy
Bill in this chapter will generally also include the PPI Bill unless otherwise indicated.

This chapter proceeds as follows:

• Effective Regulatory Design (section 9.2) – Independence, transparency and
accountability, inter-sectoral coordination
• Structure of the Regulator (section 9.3)
a. Composition, appointment, and qualifications of the Regulator and its officers/members
b. Funding and resources
c. Immunity and confidentiality
• Functions and Powers of the Regulator (section 9.4)
• Penalties, remedies, and appeals (section 9.5)

751 This would be a non-binding, voluntary commitment. See ‘ASEAN Member States’ (ASEAN) https://asean.org/about-asean/member-
states/; see also ‘What is Asia-Pacific Economic Cooperation?’ (APEC) https://www.apec.org/about-us/about-apec.

Box 9.1: Data Protection Regional Frameworks with limited guidance

Of the Identified Frameworks, those that provide limited guidance usually do so with
the understanding that detailed national implementation would vary based on different
legal systems and traditions, and that states are able to formulate the most appropriate
implementation mechanism based on their domestic legal systems. However, they
also include some limited recommendations. For instance, the OECD Guidelines
require states to establish enforcement authorities “with the governance, resources,
and technical expertise necessary to exercise their powers effectively and to make
decisions on an objective, impartial, and consistent basis,” and provide for adequate
sanctions and remedies in case of non-compliance with laws protecting privacy. They
also allow states to set up specific supervisory bodies or rely on existing facilities and
bodies.752

Similarly, the APEC Privacy Framework specifies that it is intended to be implemented
in a flexible manner which can include various methods, such as the involvement
of central data protection authorities, multi-agency enforcement bodies, a network
of designated industry bodies, or a combination of these systems. It highlights the
importance of educating and informing data subjects and controllers about domestic
privacy protections, of cooperation and dialogue between public and private sectors,
and of considering private sector opinions in developing privacy protections. It states
that privacy protections should include an array of remedies for violations based on
the domestic legal system and the extent of potential harm due to the violations.
States must also periodically provide information to the APEC about relevant updates
with regards to the domestic framework’s implementation in the state.753

752 OECD Guidelines, Chapter 1, Part 5, paras 19(c) and 19(f), p 62.
753 APEC Privacy Framework, Part iv, para 37, Part v, para 48, Part vi, Part vii, and Part viii, para 55.

The OAS Principles require that its Member States establish “independent and
sufficiently funded supervisory bodies” to monitor and promote personal data
protection.754 They also require Member States to provide the resources, funding, and
technical expertise necessary for the authorities to effectively perform their duties.755
The OAS Principles note that the authorities can be set up at the national, regional, or
municipal levels based on a country’s domestic legal and administrative structure. They
specify that there is no uniform implementation approach in the region.756 Interestingly,
the Principles also state that the authorities’ regulatory mandates may differ and that
responsibility may be shared between regulatory bodies and private entities that are
required to comply with specific obligations.

They also require that domestic law provides supervisory authorities with the ability
to cooperate with each other, as well as with other relevant domestic stakeholders.
Member States are also required to create reasonable means for data subjects to
exercise their rights, encourage and support self-regulation for controllers and
processors, and provide for adequate sanctions and remedies to protect the rights of
data subjects and penalise noncompliance.757

754 OAS Principles with Annotations, Principle 13, p 27.
755 OAS Principles with Annotations, Principle 13, p 27.
756 OAS Principles with Annotations, “Data Protection Authority”, p 6, and Principle 13, p 27.
757 OAS Principles with Annotations, Principle 13, p 27.

9.2 Effective Regulatory Design

There are multiple factors that contribute to the creation of a robust regulator. Some
depend on the regulation’s subject matter (such as having clarity on the role of the
regulator, regulatory objectives, and functions) and on domestic legal and administrative
frameworks. The effective implementation of regulatory goals also generally depends on
regulatory independence, transparency, and accountability - and especially in the context
of data protection, inter-sectoral coordination. These are briefly introduced below and
explored in more detail through the rest of this chapter.

9.2.1 Independence

Regulatory independence from the executive is a critical factor in the effectiveness of
the data protection regime, since the state is one of the largest collectors and processors
of personal data. Establishing an independent regulator can provide greater confidence for
those that are regulated, and, for data subjects, that decisions are made fairly. An
independent regulator is especially important in cases when both government and
non-government bodies are subject to the same framework.758 Although providing for
independence through legislation is not sufficient to guarantee independence, it is an
important first step.759

The Specified Frameworks all recognise the importance of regulatory independence. The GDPR,
Convention 108+, AU Convention, and the HIPCAR Privacy Framework specifically require that
Regulators function independently and prohibit them from taking external instructions.760
While it does not include a separate provision for this, the Commonwealth Privacy Bill
notes the importance of ensuring independence when providing for a Commissioner.761

Several elements can contribute to ensuring the regulator’s independence, such as the
composition of members, the process and manner of appointments and dismissal, the process
for establishing whether there are conflicts of interest, adequate and transparent funding,
and immunity from legal action, many of which have been covered by the frameworks.
Independent operation, funding and resource allocation and immunity from legal actions are
elements that most of the Specified Frameworks include provisions for.

9.2.2 Transparency and accountability

A lack of oversight mechanisms over the regulator may make it easier for them to exercise
their powers in arbitrary ways, misuse funds, undertake cursory investigations and ignore
due process requirements.762 Consequently, independence of the regulator should ideally be
combined with effective accountability mechanisms for the regulator to comply with to guard
against abuse. Some of these measures can include regulatory reviews and reporting
requirements. The GDPR specifically states that the independence of the supervisory
authorities does not mean that they are exempt from control or monitoring mechanisms in
relation to their financial expenditures or judicial review.763 Additionally, as per the
GDPR, the exercise of the regulator’s powers is subject to appropriate safeguards as set
out in domestic law.764

758 OECD Guidelines, p 47-48.
759 Mark Thatcher, ‘Regulation after delegation: independent regulatory agencies in Europe’ (2002) Journal of European Public Policy
954; Fabrizio Gilardi and Martino Maggetti, ‘The Independence of Regulatory Authorities’ in David Levi-Faur (ed), The Handbook on
The Politics of Regulation (Elgar Publishing, 2013)
760 GDPR, arts 52(1) and 52(2); Convention 108+, art 15(5); AU Convention, art 11(7); HIPCAR Model Legislative Text, s 54.
761 Commonwealth Privacy Bill, p 3.
762 Christel Koop and Chris Hanretty, ‘Political Independence, Accountability, and the Quality of Regulatory Decision-Making’ (2018) 51
Comparative Political Studies 38, p 9-10.
763 GDPR, recital 118.
764 GDPR, art 58(4).

Reporting requirements are the most common method used to promote transparency and
accountability of the Regulator in the Specified Frameworks. Reporting can increase
credibility of the Regulator and detect early signs of emerging vulnerabilities.765
Nevertheless, research suggests that unless it is tailored to specific contexts, some
reporting measures, such as the requirements to produce annual plans and reports could
lead to increased costs, workloads, and bureaucracy without necessarily improving the
regulator’s functioning.766

Similarly, it is also important to design for the regulator’s accountability to multiple
stakeholders, such as to the legislature, regulated entities and to the larger public.767
An oversight body such as a management board that offers diverse expertise and
transparency could also be beneficial in this regard.768 The regulator would be responsible
for regulatory decision-making, and the oversight body would be responsible for oversight,
scrutiny, and guidance of the regulator’s operations.

9.2.3 Inter-sectoral coordination


Inter-sectoral coordination is especially important
in the context of data protection because of the
wide range of applications of personal data that
range from healthcare to finance to public service
delivery. Mandating cooperation mechanisms and
engagement in regulation-making, especially through
tools such as Memoranda of Understanding, can be
particularly useful in this context.769

765 Malavika Raghavan, Beni Chugh and Nishanth Kumar, ‘Effective Enforcement of a Data Protection: A Model for Risk-Based
Supervision Using Responsive Regulatory Tools’, 18 (Dvara Research, 1 November 2019) https://www.dvara.com/research/wp-
content/uploads/2019/12/Effective-Enforcement-of-a-Data-Protection-Regime.pdf.
766 Christel Koop and Chris Hanretty, 'Political Independence, Accountability, And The Quality Of Regulatory Decision-Making' (2018)
51 Comparative Political Studies.
767 See ‘OECD best practices for regulatory policy’ ch 4 (OECD iLibrary) https://read.oecd-ilibrary.org/governance/the-governance-of-
regulators/chapter-4-accountability-and-transparency_9789264209015-9-en#page1.
768 Malavika Raghavan, Beni Chugh and Nishanth Kumar, ‘Effective Enforcement of a Data Protection: A Model for Risk-Based
Supervision Using Responsive Regulatory Tools’, 17-18 (Dvara Research, 1 November 2019) https://www.dvara.com/research/wp-
content/uploads/2019/12/Effective-Enforcement-of-a-Data-Protection-Regime.pdf.
769 Dvara Research, ‘Comments to the Ministry of Electronics and Information Technology (MeitY) on the draft Personal Data Protection
Bill 2018, dated 27 July 2018, submitted by the Committee of Experts on a Data Protection Framework for India’, 67 (Dvara Research,
2018) https://www.dvara.com/blog/wp-content/uploads/2018/10/Response-to-draft-Personal-Data-Protection-Bill_DvaraResearch.
pdf; see also Malavika Raghavan, Beni Chugh and Nishanth Kumar, ‘Effective Enforcement of a Data Protection: A Model for Risk-
Based Supervision Using Responsive Regulatory Tools’, 17-18 (Dvara Research, 1 Nov 2019) https://www.dvara.com/research/wp-
content/uploads/2019/12/Effective-Enforcement-of-a-Data-Protection-Regime.pdf.

9.3 Structure of the Regulator

Box 9.2: Data protection regulatory models


Different jurisdictions have adopted various regulatory models for data protection.
Some states have a more traditional regulator similar to what is found in the GDPR,
in terms of a public authority specifically tasked with monitoring and enforcing the
relevant data protection legislation. This type of model exists in countries such as
Ireland, South Africa and in India’s proposed data protection legislation.770 Some
countries have regulators who oversee data protection and related matters, such as
access to information. For instance, South Africa’s Information Regulator is tasked with
functions under both the Protection of Personal Information Act, and the Promotion
of Access to Information Act.771 Australia’s Information Commissioner similarly has
functions relating to privacy, freedom of information, and government information
policy.772

770 ‘Who are we?’ (Data Protection Commission) https://www.dataprotection.ie/en/who-we-are; Protection of Personal Information Act,
2019, s 39 https://popia.co.za/section-39-establishment-of-information-regulator/; The Personal Data Protection Bill, 2019 (India)
http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf. See also, Report of the Joint Committee on the
Personal Data Protection Bill, 2019 available at https://prsindia.org/files/bills_acts/bills_parliament/2019/Joint_Committee_on_the_
Personal_Data_Protection_Bill_2019.pdf.
771 The Protection of Personal Information Act, 2013, s 39 (South Africa) https://www.justice.gov.za/inforeg/about.html.
772 ‘About us’ (OAIC) https://www.oaic.gov.au/about-us/; ‘What we do’ (OAIC) https://www.oaic.gov.au/about-us/what-we-do/.

An ombudsperson model is also one that has been explored. An ombudsperson is
usually a public official appointed by the government and operates independently. For
example, the Commonwealth PPI Bill makes it possible for the Privacy Commissioner
recommended in the framework to be replaced by an alternate official, such as an
ombudsperson.773 Finland’s supervisory authority is the Data Protection Ombudsman,
who is an autonomous and independent authority appointed by the government.774
The Data Protection Ombudsman and deputy ombudsmen form the Sanctions Board
which is responsible for imposing administrative penalties. The Expert Board is an
independent body of experts operating in connection with the Ombudsman and is
tasked with issuing statements on significant data protection questions.775

Another model consists of mandating existing regulators with data protection
obligations. This type of system is intended for countries where there is no state-level
data protection legislation or specific regulator. This is the case in the United States.
It has several sector and state-specific data protection laws offering varying levels
of protection, but it does not have a single national-level data protection authority.
However, the Federal Trade Commission uses its jurisdiction over commercial entities
to protect consumers’ personal information, especially in the context of unfair and
deceptive trade practices.776 State Attorneys General usually have similar enforcement
authority under consumer protection laws to prevent unfair and deceptive business
practices.777

773 Summary of provisions of the Commonwealth PPI Bill, p 3.
774 Finnish Data Protection Act; ‘Office of the Data Protection Ombudsman’, s 8 https://tietosuoja.fi/en/office-of-the-data-protection-ombudsman.
775 Finnish Data Protection Act; ‘Office of the Data Protection Ombudsman’, s 12 and s 24 https://tietosuoja.fi/en/office-of-the-data-protection-ombudsman.
776 ‘Protecting Consumer Privacy and Security’ (Federal Trade Commission) https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy-security; ‘Privacy and Security Enforcement’ (Federal Trade Commission) https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/privacy-security-enforcement.
777 See for eg Carolyn Carter, ‘Consumer Protection in the States – a 50-State report on unfair and deceptive Acts and Practices Statutes’, 16 (National Consumer Law Center Inc February 2009) https://www.nclc.org/images/pdf/udap/report_50_states.pdf.

The composition, qualifications, and appointment processes implicate the independence of the Regulators and are important to the overall functioning and enforcement of the frameworks. They form part of the indicators that are used to assess the formal independence of regulators, which traditionally examine whether the independence of regulators is stated in law, and also evaluate the regulator’s financial and organisational independence, and the functions that have been delegated to it.778 Formal independence assessments are related to, but may be different from, de facto independence, which relates to the extent of effective autonomy the regulator can utilise in practice. This would depend on a variety of factors such as the rule of law, the perceived legitimacy of regulatory bodies, and the political climate.779

9.3.1 Composition

The Specified Frameworks give states varying levels of discretion in determining the Regulator’s structure so that a model is found that works best in a particular domestic scenario. Having an independent regulatory body specialising in data protection can be helpful since both governmental and non-governmental entities are regulated under the same framework.780 The AU Convention does not prescribe any conditions for the composition of the National Protection Authorities and only requires that states establish an administrative authority in charge of protecting personal data.781 In comparison, the Commonwealth Privacy Bill creates the office of the Privacy Commissioner with specified powers and functions, but includes it only on an optional basis which allows states to designate an existing officer to perform functions relating to data protection.782

Other instruments discuss other aspects of the form and number of regulatory bodies. Convention 108+ and HIPCAR Privacy Framework, for instance, note that the relevant Regulator may consist of a single commissioner or collegiate or other body, as long as it has certain powers and is able to effectively discharge its duties.783 The GDPR and Convention 108+ allow for the establishment of one or more independent public supervisory authorities to oversee their implementation.784 Convention 108+ states that it may also be useful to institute authorities whose ambit is limited to data protection in specific sectors, such as health, electronic communication, etc.785 Having a multi-member regulatory body can serve to increase independence since multiple members are less likely to be susceptible to influence than a single decision-maker, and can increase diversity and bring multiple perspectives and varied experience to the decision-making process.786

778 Fabrizio Gilardi and Martino Maggetti, ‘The independence of regulatory authorities’ in David Levi-Faur (ed), The Handbook on The Politics of Regulation (Edward Elgar Publishing 2013), pp 202-203.
779 Fabrizio Gilardi and Martino Maggetti, ‘The independence of regulatory authorities’ in David Levi-Faur (ed), The Handbook on The Politics Of Regulation (Edward Elgar Publishing 2013), p 204; Chris Hanretty and Christel Koop, ‘Shall the Law Set Them Free? The Formal and Actual Independence of Regulatory Agencies’ (2013) 7 Regulation and Governance, pp 195, 197-199.
780 ‘The Governance of Regulators, OECD Best Practice Principles for Regulatory Policy’ (OECD iLibrary) 49 https://www.oecd-ilibrary.org/governance/the-governance-of-regulators_9789264209015-en.
781 AU Convention, arts 11(1) and 11(3).
782 Commonwealth Privacy Bill, Part, p 3, which allows States that may not be able to create a separate office for this purpose to designate an existing officer to perform critical functions relating to privacy protection. It specifies that the officer must have adequate independence, and that the functioning of the framework would not be jeopardised.
783 Explanatory Report to the Convention 108+, paras 117 and 119, p 28-29; HIPCAR Model Legislative Text, ss 48(1), 48(3), 39 and Explanatory Notes to HIPCAR Model Legislative Text, para 68.
784 GDPR, art 51(1), recital 117; Convention 108+ art 15(1), Explanatory Report to the Convention 108+, para 118, p 30; Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows art 1(1); ‘Treaty office’ (Council of Europe Portal) https://rm.coe.int/1680080626.
785 Convention 108+, art 15(1), Explanatory Report to the Convention 108+, para 118, p 29.
786 ‘The Governance of Regulators, OECD Best Practice Principles for Regulatory Policy’ (OECD iLibrary) 70-71 https://www.oecd-ilibrary.org/governance/the-governance-of-regulators_978926420901s5-en.

Unlike other frameworks, the European Union also has a cross-national body to oversee data protection. The European Data Protection Board (EDPB), set up under the GDPR and comprising representatives of the EU national data protection authorities, is an independent body responsible for ensuring the GDPR’s consistent application throughout the EU. It is tasked with providing general guidance on data protection laws, advising the European Commission and national supervisory authorities, settling disputes between national supervisory authorities, as well as promoting cooperation between the authorities.787

9.3.2 Appointment

Having transparent appointment processes for the Regulator’s members can play an important role in increasing both actual and perceived independence, and has become one of the most frequently used metrics to assess formal independence.788

The GDPR, HIPCAR Privacy Framework, and Commonwealth Privacy Bill provide for some appointment procedures while the AU Convention and Convention 108+ leave it to the discretion of relevant states.

The GDPR requires supervisory authorities to be appointed by a transparent procedure which involves the parliament, government, head of state, or an independent body entrusted with making the appointment according to the law. States must also have laws that provide for the establishment of the supervisory authority, and which must include details relating to the engagement of its members.789 This can encourage formal independence and increase transparency and accountability.

Although the HIPCAR Privacy Framework does not contain much detail, it specifies that the Data Commissioner must be appointed by a country’s head of state, in consultation with the Prime Minister and the Leader of the Opposition.790 It is not clear whether consultation means agreement and how any disagreements are to be addressed. Similarly, the Commonwealth Privacy Bill provides that the Privacy Commissioner must be appointed by the President or other head of state on the recommendation of the Minister,791 and must be subject to the terms specified in the instrument of appointment.792

9.3.3 Qualifications, disqualifications, tenure, removal/dismissal, and confidentiality

9.3.3.1 Qualifications

Requiring prior experience or expertise in data protection and related areas could equip the Regulator with the necessary tools to effectively perform its duties. The GDPR sets out broad qualifications for members of supervisory authorities, requiring them to have the qualifications, experience, and skills, particularly in personal data protection, to perform their duties and functions. It also requires states to provide by law specific qualifications and eligibility criteria for members’ appointment.793 The other Specified Frameworks do not provide qualifications or eligibility criteria, but detail disqualifications for the relevant Regulators.794

9.3.3.2 Disqualifications

Disqualifications from membership of regulatory bodies are usually meant to prevent conflicts of interest and undue influence. The GDPR does not specify disqualifications but requires members of supervisory authorities to refrain from actions incompatible with their duties and from engaging in “incompatible occupations” during their term of office.795 The requirement to not engage in other occupations during their mandate is also reflected in the HIPCAR Privacy Framework and the AU Convention.796

The HIPCAR Privacy Framework, the Commonwealth Privacy Bill and the AU Convention also contain more specific disqualifications, such as membership in the executive or judiciary, bankruptcy, or conviction of certain offences involving dishonesty or moral turpitude.797 The AU Convention additionally bars those engaged as business executives or owning shares in businesses in the information and communication technologies sector.798 The Commonwealth Privacy Bill requires the Privacy Commissioner to be a full-time official who cannot be employed in any other capacity during their term of office. They are also thereafter ineligible for appointment in public service.799

9.3.3.3 Term

Requiring fixed terms for the Regulator’s members, specified in law, can prevent arbitrary dismissals and reappointments and serve to maintain independence. The HIPCAR Privacy Framework and Commonwealth Privacy Bill specify that the term of appointment for the Commissioner should be for five years and that Commissioners are eligible for reappointment at the end of their term.800 The GDPR sets a minimum term of four years and leaves the determination of reappointment to states.801 Convention 108+ and the AU Convention do not discuss the length of term appointments of the Regulator or of its members.

9.3.3.4 Dismissal/removal/vacancy

Explicit removal and dismissal procedures that are limited to serious misbehaviour and involve non-executive arms of government, such as the legislature or judiciary, are critical for greater transparency and accountability.802 The GDPR, HIPCAR Privacy Framework, and Commonwealth Privacy Bill specify that members can only be dismissed for just cause, such as when there is serious misconduct or if they no longer fulfil the conditions required to perform their duties.803 The HIPCAR Privacy Framework also allows the executive to appoint a temporary commissioner in certain circumstances, provided the existing Commissioner, who is being replaced, makes a written request to the effect that it is necessary that a temporary commissioner be appointed.804 Meanwhile, Convention 108+ and AU Convention do not discuss the removal or dismissal of the Regulator.

9.3.3.5 Funding and resources

Having adequate funding can significantly impact regulatory functioning and independence, and is key to attracting and retaining competent, qualified members. In addition to the source of funding, autonomy in managing funds is integral to the regulator being able to carry out its mandate and act independently.805 This includes being able to appoint its own staff. For example, the ECJ found supervisory authorities to be not completely independent when the staff was supplied by the state and the state had to be informed of the work undertaken by the authority at all times.806

787 See GDPR recital 72, arts 40-42, and Chapter VII on cooperation and consistency. See also ‘Who are we’ (European Data Protection Board) https://edpb.europa.eu/about-edpb/about-edpb/who-we-are_en.
788 OECD, Being an Independent Regulator (OECD Publishing 2016) 38-42.
789 GDPR, arts 53(1) and 54(1).
790 HIPCAR Model Legislative Text, s 48.
791 Commonwealth Privacy Bill, Part I, s 4 specifies that “‘Minister’ means the Minister who has been assigned responsibility for [information/public administration] under the Constitution.”
792 Commonwealth Privacy Bill, Part III, ss 16 and 20.
793 GDPR, arts 53(2) and 54(1)(b).
794 HIPCAR Model Legislative Text, s 48; Commonwealth Privacy Bill, Part III, s 18; AU Convention, art 11(6).
795 GDPR, arts 54(1)(b) and 52(3).

796 HIPCAR Model Legislative Text, s 48; AU Convention, art 11(6).
797 HIPCAR Model Legislative Text, s 48; Commonwealth Privacy Bill, Part III, s 18; AU Convention art 11(6).
798 AU Convention, art 11(6).
799 Commonwealth Privacy Bill, Part III, s 19.
800 HIPCAR Model Legislative Text, s 50(1); Commonwealth Privacy Bill, Part III, s 17(1).
801 GDPR art 54(d), 54(e).
802 The OECD Guidelines, 29.
803 GDPR art 53(4); HIPCAR Model Legislative Text, s 50(3); Commonwealth Privacy Bill, Part III, ss 17 and 18(2).
804 See HIPCAR Model Legislative Text, s 48(5,6).
805 ‘The Governance of Regulators, Being an Independent Regulator’ (OECD iLibrary) 71 https://read.oecd-ilibrary.org/governance/being-an-independent-regulator_9789264255401-en; ‘The Governance of Regulators, Creating a Culture of Independence, Practical Guidance against Undue Influence’ (OECD iLibrary) 14-15 https://read.oecd-ilibrary.org/governance/creating-a-culture-of-independence_9789264274198-en.
806 C-614/10 European Commission v Republic of Austria [2012] OJ L281/31. In this case, the Federal Chancellery of Austria supplied the supervisory authority with its workforce and the latter was required to inform the former about its work at all times. The ECJ found the supervisory authority to not be completely independent.

All the Specified Frameworks require that states provide the necessary resources and funding for the Regulators to effectively perform their duties and to be able to appoint their own staff without interference.807 The GDPR and HIPCAR Privacy Framework also highlight that the staff must be under the Regulator’s control.808 The GDPR, HIPCAR Privacy Framework, and Commonwealth Privacy Bill provide requirements regarding the sources of funding for the activities of the Regulators (for example, by having separate public annual budgets for the regulators) to enable them to function independently despite the fact that they are generally financed by the state.809

9.3.3.6 Immunity and confidentiality

The Commonwealth Privacy Bill, HIPCAR Privacy Framework, and AU Convention provide immunity to the Regulator and its staff from legal liability for actions undertaken in good faith and in the performance of their duties or exercise of their powers.810 This is generally intended to maintain the independence of the Regulator. All Specified Frameworks also include some form of confidentiality requirement for Regulators.811 The GDPR, Convention 108+, and Commonwealth Bills specify that they apply to the Regulator, as well as to any staff and officers and are applicable during the term of engagement and thereafter.

807 Convention 108+ art 15(6); AU Convention art 11(8); Commonwealth Privacy Bill, Part III, s 22.
808 GDPR, arts 52(4) and 52(5); HIPCAR Model Legislative Text, s 48(3).
809 HIPCAR Model Legislative Text, s 51. The explanatory text to s 51 (in para 75) details the intention behind the provision; GDPR art 52(6), recital 120, Commonwealth Privacy Bill, Part III, s 22.
810 HIPCAR Model Legislative Text, s 52 and Explanatory Notes, para 76; Commonwealth Privacy Bill, Part IV, s 34, Commonwealth PPI Bill, s 41; AU Convention, art 11(7)(a).
811 AU Convention, art 11(5)(a); HIPCAR Model Legislative Text, s 56(1), 56(2); Commonwealth Privacy Bill, Part IV, ss 32 and 33; Commonwealth PPI Bill, ss 39 and 40; GDPR art 54(2); Convention 108+ art 15(8).

9.4 Functions and Powers of the Regulator

The Regulator is usually tasked with a wide range of responsibilities, such as monitoring and enforcing relevant legislation, providing information to data subjects, handling complaints, conducting investigations, authorising certain forms of processing, accrediting bodies and/or approving contractual clauses or monitoring arrangements, as well as maintaining relevant records. Regulators are given an array of powers that enable them to fulfil their assigned responsibilities. The Regulator’s duties and powers can be explained as follows:

9.4.1 Monitoring and prior authorisation

Regulators are usually required to monitor and enforce relevant data protection legislation,812 and can also be required to monitor developments that have an impact on the protection of personal data.813 This can help identify potential violations and support the initiation of pro-active enforcement actions. The AU Convention requires the National Protection Authority to ensure that information and communication technologies do not constitute a threat to public freedoms and the private life of citizens.814

The AU Convention also requires controllers to declare data processing activities to the Regulator, and obtain prior authorisation for certain kinds of processing activities. Other than for specifically exempted data processing categories and processing activities which are unlikely to constitute a breach of privacy, personal data processing is subject to controllers declaring their processing activities before the National Protection Authority.815 Some categories of data processing, such as those relating to genetic information and health, biometric data, data involving the national identity number or any other identifier, would require prior authorisation from the authority before processing.816

The GDPR requires prior authorisation by law to undertake certain kinds of data processing. In such cases, supervisory authorities may consult with controllers and authorise processing for a task carried out in the public interest, for example when it relates to social protection or public health.817

9.4.2 Complaints, investigations, and enforcement

Investigating violations and enforcing compliance are some of the Regulators’ core functions and they are key to protecting the rights of data subjects. All Specified Frameworks require Regulators to handle complaints by data subjects or organisations and inform them of the investigations’ progress or outcomes.818 They are also required to play a proactive role in investigations. The HIPCAR Privacy Framework requires Data Commissioners to “exercise control on all data processing activities”, either of their own accord or at the request of a data subject, and to verify whether it is carried out in accordance with the framework.819 According to the Commonwealth Bills, Privacy Commissioners must inquire into any matters or developments if the privacy of individuals is being, or is likely to be, infringed upon.820 The GDPR also requires supervisory authorities to conduct investigations with regards to the GDPR’s application, including on the basis of information received by another supervisory authority or public authority.821

In a somewhat related and unique provision, the AU Convention requires National Protection Authorities to “speedily [inform] judicial authorities of certain types of offences that have come to their attention”, but it is unclear what these offences would involve.822

9.4.2.1 Complaints and investigations

The AU Convention, Convention 108+, and the HIPCAR Privacy Framework contain broad provisions providing Regulators with general powers of investigation and enforcement, such as “entertaining claims, petitions and complaints regarding the processing of personal data and informing the authors of the results thereof,” “powers of investigation and intervention”, or the power to undertake all activities that are necessary or connected to carrying out their duties.823

The Commonwealth Bills provide differing rights in respect to public authorities and private organisations. For public authorities, Privacy Commissioners are required to receive and investigate complaints regarding the collection, retention, or disposal of personal information and the use or disclosure of personal information.824 For private organisations, Privacy Commissioners must additionally receive and investigate complaints regarding the refusal of an organisation to grant access to information to data subjects, and the refusal of applications to correct their personal information.825 In both cases, Commissioners must initiate a complaint when they believe that there are reasonable grounds to investigate.826 However, for data subjects, not being able to approach Commissioners to investigate public bodies’ access refusals or applications to correct information can significantly impair their rights. As discussed in Chapter 5 (Rights of Data Subjects), the rights to access and rectification are foundational rights and the inability of individuals to exercise these rights against public authorities can impact the delivery of public benefits and services.

Frameworks also provide for Regulators to investigate specific reports of violations. This can be either upon receipt of a complaint or at the Regulators’ own initiative.827 The HIPCAR Privacy Framework requires the Commissioner to investigate complaints unless it is of the opinion that they are frivolous or vexatious. The Commissioner must also notify data subjects of decisions with regards to their complaints and of their right to appeal.828 The HIPCAR Privacy Framework and the Commonwealth Bills also specify that Commissioners must notify the relevant processor or controller of their intention to investigate data processing undertaken by them, and of the substance of the complaint, before commencing the investigation.829 In this context, the GDPR, Convention 108+, and AU Convention require Regulators to cooperate and coordinate with other regulators to ensure the consistent application of the relevant framework.830 Regulators also have other investigative powers which are explored below.

812 HIPCAR Model Legislative Text, ss 55(a) and 55(l); Commonwealth Privacy Bill, Part III, s 21(a); GDPR, art 57(1)(a); AU Convention 11(1)(b); Commonwealth Privacy Bill, Part II, s 21(a) (also applicable to Commonwealth PPI Bill, s 32(2)).
813 HIPCAR Model Legislative Text, s 55(n); GDPR 57(1)(i). The GDPR specifically mentions the development of information and communication technologies and commercial practices in this context, and HIPCAR-CARICOM the data processing and information technology. See GDPR 57(1)(i); HIPCAR Model Legislative Text, s 55(n).
814 AU Convention, art 12(2).
815 AU Convention, arts 10(2) and 10(3). For exemptions, see art 9(2), art 10(1), art 10(4), and art 10(5).
816 AU Convention, art 10(4).
817 GDPR art 58(3)(c).
818 Convention 108+ art 15(4); AU Convention, art 12(2)(a) and 12(2)(e); HIPCAR Model Legislative Text, s 55(e); Commonwealth Privacy Bill, Part II, ss 21(c) and 21(g); GDPR 57(1)(f). The GDPR also requires data subjects to be informed of whether further investigation or coordination with another supervisory authority is required.
819 HIPCAR Model Legislative Text, s 55(c), (d).

820 Commonwealth Privacy Bill, Part II, s 21(d). See also Commonwealth PPI Bill, s 32(2).
821 GDPR, art 57(1)(h).
822 AU Convention, art 12(2)(f).
823 AU Convention, art 12(2)(e); Convention 108+, art 15(2)(a); Explanatory Report to the Convention 108+, para 120, p 29; HIPCAR Model Legislative Text, s 57.
824 Commonwealth Privacy Bill, Part IV, s 23(1).
825 Commonwealth PPI Bill, s 29(1).
826 Commonwealth Privacy Bill, Part IV, s 23(3); Commonwealth PPI Bill, s 29(3).
827 See Commonwealth Privacy Bill, Part IV, s 23; Commonwealth PPI Bill, s 29. With private bodies, they can additionally investigate refusals to grant access to or correct personal information. See also Commonwealth PPI Bill, ss 29(1)(c) and 29(1)(d); HIPCAR Model Legislative Text, s 62(1).
828 HIPCAR Model Legislative Text, s 62(2).
829 HIPCAR Model Legislative Text, s 64; Commonwealth Privacy Bill, Part IV, s 25; Commonwealth PPI Bill, s 31.
830 GDPR, art 57(1)(g); AU Convention, arts 12(1) and 12(2)(m); HIPCAR Model Legislative Text, s 55(k); Convention 108+, arts 16, 17, 22, and ch VI.

Audits

The GDPR allows supervisory authorities to carry out investigations in the form of data protection audits and reviews of previously issued data protection certifications, and to also notify controllers and processors of alleged infringements of the framework.831 Measures such as audits, impact assessments, and prior authorisations/consultations can serve to prevent violations of the framework and reduce the number of complaints and post-facto investigations.

The AU Convention states that the National Protection Authority is responsible for “undertaking the audit of all processed personal data, through its officials or sworn officials.”832 It is unclear, however, what specifically the audits involve. The Commonwealth Bills contain a somewhat related provision allowing Privacy Commissioners to periodically carry out investigations with respect to personal information controlled by public or private entities.833 This is to ensure compliance with their obligations under the frameworks.

Access to information and procedural powers

Most Specified Frameworks provide Regulators with the power to obtain the necessary information to conduct their investigations. This is essential for regulators to be able to effectively investigate potential contraventions. The Commonwealth Bills provide quasi-judicial powers to Privacy Commissioners in carrying out investigations, ranging from summoning and enforcing the appearance of persons before them, to compelling or receiving evidence, to entering premises and obtaining copies and extracts of records. They allow Commissioners to determine the procedure to be followed in discharging any of their duties or performing any of their functions.834 Likewise, the AU Convention and Commonwealth Bills allow the relevant Regulators to determine the procedure to be followed in discharging their duties.835

831 GDPR, arts 58(1)(b), 58(1)(c), and 58(1)(d).
832 AU Convention, art 12(2)(g).
833 Commonwealth Privacy Bill, Part IV, s 30; Commonwealth PPI Bill, s 37.
834 Commonwealth Privacy Bill, Part IV, ss 26 and 28; Commonwealth PPI Bill, ss 32 and 34.
835 AU Convention, art 11(5)(b); Commonwealth Privacy Bill, Part IV, s 26; Commonwealth PPI Bill, s 32.

The GDPR and HIPCAR Privacy Framework provide attention of judicial authorities and commence or
specific powers to Regulators in the context of access engage in legal proceedings in order to enforce the
to information and equipment for performing their framework.840 When an investigation reveals that
functions. The GDPR allows supervisory authorities an offence may have been committed under the
to order data controllers and data processors to framework, the HIPCAR Privacy Framework requires
provide any information and access to all information the Data Commissioner to refer the matter to the
and personal data required to perform their tasks. Police Commissioner for further action.841
Controllers and processors are also required to
provide access to any premises and equipment in The HIPCAR Privacy Framework and Commonwealth
accordance with domestic law.836 Bills also specify that investigations of complaints
under the framework must be conducted in
Similarly, the HIPCAR Privacy Framework allows the private. Concerned parties must be provided with
Data Commissioner to require persons to provide the opportunity to make representations to the
access to personal data and related information.837 Commissioner, but no one is entitled to be present
It also allows the Commissioner to delegate any when the representations are made, or to have
of its investigative and enforcement powers to access to or comment on representations made to
any authorised officer that it designates for that the Commissioner by the other parties.842
purpose.838
9.4.3 Advising governments and other
Where public authorities disclose personal
information pursuant to the Commonwealth Privacy stakeholders, and approving codes of
Bill, it specifies that an assertion that a disclosure was conduct
made in good faith constitutes an absolute response
in civil or criminal proceedings against such public 9.4.3.1 Advisory functions
authorities.839 Although this is restricted only to
information disclosure, the lack of accountability on Advising governments
such “good faith” actions could impair data subject
rights. Regulators are given advisory functions under each
of the Specified Frameworks, and usually to improve
Reporting requirements and confidentiality of or design legislative and administrative measures.843
investigation This can involve requiring the government to consult
the Regulator on proposals to introduce measures
Most Specified Frameworks provide that the that relate to personal data processing, or providing
Regulator works with judicial and other authorities opinions or information on general legislative or
to enforce the relevant framework. For example, the administrative measures, or other actions that might
GDPR, Convention 108+, and AU Convention give improve privacy protections.844 Convention 108+ and
Regulators the power to bring infringements to the

836 GDPR, arts 58(1)(a), 58(1)(e), and 58(1)(f).


837 HIPCAR Model Legislative Text, s 58 (1), 58(2). The information is to be requested through a written information notice, which must
specify (a) the time for compliance, which is to not be less than 30 days; and (b) that the person to whom the notice is addressed has
the right of appeal within 30 days, see s 59. It also specifies that other laws restricting or prohibiting disclosure of information would
not prevent persons from disclosing necessary information to the Commissioner, unless the information is necessary to safeguard
national security or relates to privileged proceedings in Court, see s 58 (3), 58(4).
838 It does not specify who an ‘authorised officer’ would be or any guidelines for how police officers would be chosen, but notes that this
power is provided to ensure operational and organizational practicality. HIPCAR Model Legislative Text, s 53.
839 Commonwealth Privacy Bill, Part V, s 37.
840 GDPR, art 58(5); Convention 108+, art 15(2)(d); AU Convention, art 12(2)(f). This is framed as a requirement under the AU.
841 HIPCAR Model Legislative Text, s 71.
842 HIPCAR Model Legislative Text, s 70, also see s 44 (commissioner may hold enquiries in private); Commonwealth Privacy Bill, Part
IV, s 27, Commonwealth PPI Bill, s 33.
843 GDPR, art 57(1)(c); AU Convention, art 12(2)(l); HIPCAR Model Legislative Text, s 55(i); Commonwealth Privacy Bill, Part III, s
21(k) (and Commonwealth PPI Bill, s 32(2)).
844 Convention 108+, art 15(3); Commonwealth Privacy Bill, Part III, ss 21(k) and 21(l) (and Commonwealth PPI Bill, because of s 32(2));
HIPCAR Model Legislative Text, s 55(j); also see Commonwealth Privacy Bill, Part III, ss 21(h) and 21(i).

GDPR empower supervisory authorities to provide opinions to the national parliament, government, other institution or body, or the public, on any issue relating to personal data protection either on request or at their own initiative.845 These measures can serve as a means to ensure that data protection considerations are taken into account when framing regulations or measures in specific sectors and can encourage inter-sectoral cooperation.

The role of regulatory authorities has been highlighted during the COVID-19 pandemic. It has required the processing of different types of data, such as those related to health and location information. There has been ambiguity on the extent of permissible data processing. Many domestic regulators and the EDPB have issued guidance and advisories on related issues over the course of the pandemic and have provided some clarity to data subjects, controllers and other stakeholders as to how data protection legislation should apply in unforeseen circumstances.846

Advising controllers

Regulators can be required to guide and advise controllers to ensure that they comply with relevant data protection frameworks. For instance, the GDPR provides supervisory authorities with the power to advise controllers before they undertake processing in the case when a data protection impact assessment indicates a high risk to the data subjects’ rights and freedoms.847 States can also require controllers to consult with, and obtain prior authorisation from, supervisory authorities in the performance of tasks in the public interest, such as relating to social protection or public health.848

Under the AU Convention, the National Protection Authorities are required to advise those engaged in personal data processing or carrying out tests and experiments likely to result in data processing.849 The Commonwealth Bills contain a broader requirement for the Privacy Commissioner to provide advice on obligations and the framework’s general operational mandate to public and private entities that process personal data.850 All Specified Frameworks also require Regulators to promote public awareness by informing data subjects of their rights under the relevant data protection laws.851

9.4.3.2 Codes of conduct

The GDPR and HIPCAR Privacy Framework provide for the creation of codes of conduct meant to guide those processing personal data. This can provide clarity for processors and controllers and assist them in complying with data protection requirements.

The HIPCAR Privacy Framework provides for the creation of both mandatory and voluntary codes to promote the application of the privacy principles outlined in the framework.852 The Commissioner is also required to guide their development, promote awareness, approve codes, and undertake related actions as necessary.853 Under the GDPR, supervisory authorities must encourage codes of conduct intended to contribute to the proper application of the framework, and account for specific features of various sectors and the needs of micro, small, and

845 GDPR, art 58(3)(b); Explanatory Report to the Convention 108+, para 126, p 30. The Explanatory Report specifies that only general
measures are meant to be covered by this consultative power.
846 See eg ‘Statement by the EDPB chair on data processing in the context of the COVID-19 outbreak’ (EDPB) https://edpb.europa.eu/news/news/2020/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak_hu; also see EDPB guidelines on the use of location data and contact tracing tools in the context of the COVID-19 pandemic: ‘Statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak’ (EDPB) https://edpb.europa.eu/news/news/2020/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak_hu; also see the UK Information Commissioner’s Data Protection and Coronavirus Information Hub: ‘Data protection and coronavirus information hub’ (ICO) https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/; New Zealand’s Privacy Commissioner’s guidance on privacy and COVID-19: ‘Privacy and COVID-19’ (Privacy Commissioner) https://www.privacy.org.nz/resources-2/privacy-and-covid-19/.
847 GDPR, art 58(3)(a).
848 GDPR, art 36(3).
849 AU Convention, art 12(2)(j).
850 Commonwealth Privacy Bill, Part III, s 21(b); also applicable to private organizations under the Commonwealth PPI Bill, owing to s
32(2).
851 GDPR, art 57(1)(b) (see also recitals 13a1,132); AU Convention art 11(2), 12(2)(b); Convention 108+, art 15(2)(e)(ii); HIPCAR Model
Legislative Text, ss 55(g) and 55(h); Commonwealth Privacy Bill, Part III, s 21(e) (also Commonwealth PPI Bill, because of s 32(2)).
852 HIPCAR Model Legislative Text, ss 20 and 21.
853 HIPCAR Model Legislative Text, s 55(m), see also s 21(1), 21(2).

medium-sized enterprises.854 Convention 108+ does not specifically provide for codes of conduct, but nevertheless notes that domestic law may be usefully reinforced by voluntary measures, such as codes of good practice or professional conduct.855

9.4.4 Impact assessments, certification and accreditation, and standard contractual clauses

Some Identified Regional Frameworks also provide for impact assessments, certification and accreditation mechanisms, and adoption of standard contractual clauses. For instance, as discussed in Chapter 4 (Transparency and Accountability), the GDPR, HIPCAR Privacy Framework, and Convention 108+ provide for impact assessments. The GDPR also has provisions on standard contractual clauses and binding corporate rules applicable in the context of data transfers to other countries as mentioned in Chapter 8 (Regulation of Cross-Border Data Flows). It also provides for certification and accreditation mechanisms which can be used to demonstrate compliance with the framework.856

9.4.5 Record-keeping, research, and reporting

Record-keeping and reporting requirements can increase transparency and provide a basis to assess regulatory performance. The GDPR requires supervisory authorities to keep records of framework violations and resultant corrective measures.857 Although only the GDPR contains this specific requirement, all the Specified Frameworks require Regulators to submit periodic activity reports to the national parliament, the general public, or other relevant authorities.858 The reporting details and the entities to which reports must be submitted vary across countries.859

The HIPCAR Privacy Framework and the Commonwealth Bills additionally contain research and reporting requirements.860 This can encourage the development of expertise, provide information on regulatory focus areas, and highlight important data protection issues. Research is generally to be undertaken in areas relating to information technology and data processing. The HIPCAR Privacy Framework requires that Regulators include results of research and monitoring on developments in data processing and information technology, if any, in their annual report to parliament.861

The framework also requires Data Commissioners to publish at least annually an index of personal information held by public authorities. This publication should include a summary of specific activities,

854 GDPR, arts 40(1), 40(2), and 57(1)(m).


855 Explanatory Report to the Convention 108+, para 33, p 19.
856 GDPR, art 42(1). See also GDPR arts 42(2), 57(1)(n), 57(1)(p), 57(1)(q). See for reviewing certifications and accreditations, GDPR,
arts 42(7),57(1)(o); art 43.
857 GDPR, art 57(1)(u).
858 GDPR, art 59; Convention 108+ art 15(7); AU Convention, art 12(2)(o) HIPCAR Model Legislative Text, s 72; Commonwealth
Privacy Bill, Part IV, s 31; Commonwealth PPI Bill, s 38.
859 GDPR, art 59; Convention 108+, art 15(7); AU Convention, art 12(2)(o); HIPCAR Model Legislative Text, s 72; Commonwealth
Privacy Bill, s 31 and Commonwealth PPI Bill, s 38.
860 Commonwealth Privacy Bill, Part III, s 21(i,), 21(j), 21(n); HIPCAR Model Legislative Text, s 55(n).
861 HIPCAR Model Legislative Text, s 55(n).

such as privacy impact assessments conducted by Ministries, information systems under their control and other related information.862 This acts as a governmental transparency tool and can serve to increase accountability.

Interestingly, the HIPCAR Privacy Framework also requires that Data Commissioners create and maintain a register of data controllers.863 The AU Convention contains a similar requirement whereby the National Protection Authorities are responsible for updating a processed personal data directory that is accessible to the public.864 However, it does not specify the details that such a directory should contain.

9.4.6 Residuary functions


The GDPR, HIPCAR Privacy Framework, and
Commonwealth Bills all have provisions that enable
Regulators to perform other unspecified necessary
functions. This is typically included to provide
flexibility for Regulators in the context of evolving
technological innovations and their impact on data
protection.865

862 HIPCAR Model Legislative Text, s 33.


863 HIPCAR Model Legislative Text, s 55(b).
864 AU Convention, art 12(2)(i).
865 GDPR, art 57(1)(v); Commonwealth Privacy Bill, Part III, ss 21(o) and 21(p); HIPCAR Model Legislative Text, s 55(p) and 55(q).

9.5 Penalties, remedies, and appeals

The enforcement mechanisms available to Regulators and the penalties that they are empowered to impose can significantly impact the level of compliance with the relevant regulatory framework. While there are multiple approaches to regulatory enforcement and the level of punitive actions that may be chosen,866 having a range of enforcement tools can equip regulators in ensuring effective enforcement. It is especially important for regulators to be able to hold the state and its agencies liable for violations in order to keep them accountable and to develop public trust in the regulator. Moreover, informal influence from the executive and other parties over regulatory bodies can be difficult to detect and make it extremely challenging to hold them liable for regulatory breaches. Designing for and ensuring the independence of the regulators, both structurally and by increasing transparency in decision-making and providing reasoned decisions, is therefore paramount to ensure that regulators can meaningfully sanction the state and other stakeholders when required.867

Publishing guides and manuals detailing the policies and procedures to be used in enforcement can also increase transparency and accountability for enforcement proceedings.868 In addition to providing information to the public on the processes and considerations involved in regulatory action, it can help create regulatory certainty and reduce deviation from best practices.869 In this context, the GDPR specifies that the powers of supervisory authorities must be subject to appropriate safeguards set out by law, including judicial remedy and due process.870 It also states that the Regulator’s legally binding measures must be in writing, be clear and unambiguous, provide reasons, contain details of the Regulator issuing the measure, and refer to the right of an effective remedy.871

The HIPCAR Privacy Framework also notes the importance of independence where data controllers may be public or quasi-public sector organisations over which the executive can exercise administrative oversight. It enables the Data Commissioner to report to the Minister on the status of privacy protection by the private sector, and to the parliament on the status of privacy protection measures by the public sector.872

9.5.1 Penalties

All the Specified Frameworks other than the Commonwealth Bills allow Regulators to impose a variety of sanctions. Depending on the framework and the relevant facts, these range from administrative fines and sanctions to temporary and permanent bans regarding the processing of personal data.

The Commonwealth Bills are unique in this regard and allow the Privacy Commissioner to only submit recommendations to controllers. If the Privacy Commissioner finds non-compliance in the course of periodic investigations to check compliance, they must provide a report to the relevant controller with

866 Malavika Raghavan, Beni Chugh and Nishanth Kumar, ‘Effective Enforcement of a Data Protection: A Model for Risk-Based Supervision Using Responsive Regulatory Tools’, 18 (Dvara Research, 1 November 2019) https://www.dvara.com/research/wp-content/uploads/2019/12/Effective-Enforcement-of-a-Data-Protection-Regime.pdf.
867 ‘OECD best practices for regulatory policy’ ch 2 (OECD iLibrary), p54 https://read.oecd-ilibrary.org/governance/the-governance-of-regulators/chapter-4-accountability-and-transparency_9789264209015-9-en#page1.
868 See the discussion on the requirement for agencies in the UK and US to publish Enforcement Manuals which are meant to provide information on the agencies’ processes and enforcement powers in Trishee Goyal and Renuka Sane, ‘Towards Better Enforcement by Regulatory Agencies’ (2020) Data Governance Network Working Paper 14, 27 https://datagovernance.org/report/towards-better-enforcement-by-regulatory-agencies.
869 Trishee Goyal and Renuka Sane, ‘Towards Better Enforcement by Regulatory Agencies’ (2020) Data Governance Network Working Paper 14, 20 https://datagovernance.org/report/towards-better-enforcement-by-regulatory-agencies.
870 GDPR, art 58(4).
871 GDPR, recital 129. This would include a judicial review in the State that the supervisory authority that adopted the decision.
872 Explanatory Report to HIPCAR Model Legislative Text, para 71.

findings and recommendations. These documents may also be included in the annual reports that the Commissioner is required to submit to parliament. The complainant is entitled to seek judicial review if private organisations or state entities decide not to implement the recommendations of the Privacy Commissioner.873 However, the Commissioner’s ability to enforce the regulatory framework is extremely limited if they are not given the power to impose penalties, beyond issuing recommendations and including findings in reports to the parliament.

9.5.2 Warnings, fines, and compensation

The sanctions that the other Specified Frameworks provide for are explored below.

Warnings and fines

The GDPR, Convention 108+ and the AU Convention specifically provide Regulators the power to impose sanctions and fines.874 Moreover, Convention 108+ specifies that authorities must, at a minimum, be provided with the power to issue decisions with respect to the regulatory framework’s violations.875 This could involve imposing administrative sanctions, including fines. If a domestic legal system does not allow the supervisory authority to impose administrative sanctions, they could be applied in such a manner that the Regulator recommends the sanctions which are then imposed by courts.876 It should be noted that the sanctions imposed would have to be effective, proportionate, and dissuasive.

Compensation

The GDPR and Convention 108+ discuss compensation. The GDPR, however, is the only framework that specifically provides that pursuance of compensation is a right held by the data subject. It also specifies how the liability of various controllers and processors would be determined and the circumstances under which they may be exempt from liability.877 Convention 108+ also specifies that compensation may be considered where applicable.878

The GDPR provides that data subjects have the right to mandate certain non-profit organisations to file complaints and receive compensation on their behalf. States may also provide by law that such organisations independently have the right to lodge complaints with the supervisory authority if they consider that data subjects’ rights have been infringed.879 Overall, these measures can make it easier for data subjects to exercise their rights.

9.5.3 Directions

The GDPR, Convention 108+, HIPCAR Privacy Framework and the AU Convention provide Regulators with powers to direct a range of actions, such as rectification or erasure of relevant personal data, communicating these actions to the data subjects, and ordering temporary or permanent processing bans. These can prevent continuing violations of the frameworks and help protect data subjects’ rights.

Directing compliance

The GDPR allows supervisory authorities to order controllers or processors to bring their processing operations into compliance with the regulatory framework and to comply with data subject requests to exercise their rights, as well as to communicate breaches of personal data to data subjects.880 The HIPCAR Privacy Framework provides for the use of enforcement notices as a tool for Data Commissioners to exercise their powers. When the Commissioner is of the opinion that a data controller has contravened or is contravening provisions of the framework, they may serve an enforcement notice requiring the controllers to take specified steps within specified timelines so that the violation is rectified.881

873 Commonwealth Privacy Bill, Part IV, s 29 and 30; Commonwealth PPI Bill, s 36 and 37.
874 GDPR, arts 58(2)(a), 58(2)(b), and 58(2)(i); AU Convention, arts 12(2)(h), 12(3), and 12(4).
875 Convention 108+, art 15(2)(c), Explanatory Report to the Convention 108+, para 119, p 29.
876 Explanatory Report to the Convention 108+, para 119, p 29.
877 GDPR, art 82.
878 Explanatory Report to the Convention 108+, para 100, p 27.
879 GDPR, art 80. These organisations must be constituted in accordance with law, have statutory objectives that are in the public interest,
and be active in the field of protection of data subjects’ rights.
880 GDPR, arts 58(2)(c), 58(2)(d), and 58(2)(e).
881 HIPCAR Model Legislative Text, s 67; s 68 specifies the details that such notices must contain and the actions that it can require the
controller to undertake.

Rectification, erasure and processing restrictions

Under the GDPR, supervisory authorities can order rectification, erasure, or the restriction of personal data processing. They may also notify the recipients of the personal data (such as third-party processors) of such actions.882 They are also empowered to impose temporary or permanent limitations, including bans on processing, and may withdraw previously issued certifications to controllers and processors. In addition, they may order the suspension of data flows to recipients in third countries or international organisations.883

The AU Convention provides that in emergencies where the processing or use of personal data results in a contravention of fundamental rights and freedoms or where a controller fails to comply with an official warning letter, the National Protection Authorities may undertake certain actions, such as ordering the temporary or permanent discontinuation of processing, or blocking certain types of data from being processed.884

In addition to other measures, the HIPCAR Privacy Framework allows for enforcement notices that can require the data controller to rectify or delete relevant data, or supplement the personal data with statements related to the issue for which the notice was issued, as approved by the Regulator.885 Separately, when the Commissioner requests information during an investigation, but cannot obtain enough information to assess whether processing is lawful, they may prohibit the controller from processing information in any way other than storage.886

9.5.4 Criminal sanctions

Criminal sanctions are specifically provided for in only a few frameworks. The AU Convention requires states to impose criminal penalties for a wide range of actions from breaches and attacks on computer systems to facilitating access to or producing prohibited content.887 It requires states to take the necessary regulatory and legislative measures to impose criminal penalties for offences delineated in the framework.888 Based on the nature of the offences, the HIPCAR Privacy Framework provides for fines, imprisonment or for both as punishment for violations of the framework.889 It is also the only instrument that prescribes similar penalties for data subjects who make requests to access or correct personal data under “false pretences”.890 The GDPR holds that states should be able to institute rules on criminal penalties for violations.891

Convention 108+ does not contain many details and provides discretion to states, but notes that interventions depending on domestic law can take different forms, such as rectification or deletion of inaccurate data, issuing opinions as well as acting against non-compliant controllers. It also allows states to determine the nature of judicial and non-judicial sanctions, whether they are civil, administrative, or criminal actions. It requires the sanctions to be effective, proportionate, and dissuasive and also provides that financial compensation may also be considered where applicable.892

882 GDPR, art 58(2)(g).


883 GDPR, arts 58(2)(f), 58(2)(h), 58(2)(i) and 58(2)(j). They can also order the relevant certification body to withdraw certifications or
not issue them if the requirements for certification are no longer met.
884 AU Convention, art 12(5).
885 HIPCAR Model Legislative Text, s 68(2).
886 HIPCAR Model Legislative Text, s 61.
887 AU Convention, arts 29-31.
888 AU Convention, arts 29(3)(2), 31(1),
889 See HIPCAR Model Legislative Text, Part VIII. This ranges from refusal to comply with the Commissioner’s requests for information
or providing false or misleading information (s 60), breach of confidentiality obligations by the Commissioner or her staff or agents
(s 56), controllers’ failure to comply with enforcement notices (s 69), performing any of the functions of a controller without being
entered into the register maintained by the Commissioner (s 73); see also HIPCAR Model Legislative Text, Explanatory Notes, p 59,
discussion on gradation based on the nature of offences.
890 HIPCAR Model Legislative Text, s 76.
891 GDPR, recital 149.
892 Explanatory Report to the Convention 108+, paras 100 and 121, pp 27 and 29.

Convention 108+, the GDPR, and the HIPCAR Privacy Framework also contain a more general provision allowing states to impose appropriate sanctions for contravention of the relevant framework.

9.5.5 Remedies

Data subjects can generally approach the Regulator and courts for remedy. Under each of the Specified Frameworks, data subjects can complain to the Regulator about data controllers’ or processors’ use of their personal data and other related actions.893 The GDPR provides data subjects the right to lodge a complaint with the supervisory authority and clarifies that it is without prejudice to other administrative and non-judicial remedies that are available to them.894

The GDPR also specifies that data subjects have the right to a judicial remedy if they consider that their rights under data protection legislation have been infringed upon by processors or controllers, or if the relevant supervisory authority does not handle a complaint or fails to inform them about the status of a complaint within three months after filing.895 Convention 108+ also notes the importance of data subjects being able to seek judicial remedy, regardless of whether the supervisory authority intervenes on their behalf in court to enforce their rights.896

More generally, Convention 108+ highlights the importance of specifying data subjects’ rights, the obligations of controllers and corresponding sanctions and remedies in guaranteeing effective data protection. It specifies that it is left to each state to determine the nature of remedies but requires non-judicial remedies to be made available to data subjects. It also notes that financial compensation to affected data subjects for material as well as non-material damages could be considered.897

9.5.6 Appeals

Other than under the Commonwealth Bills, data subjects can appeal Regulators’ decisions, usually before the courts under the Specified Frameworks.898 When receiving a complaint, the HIPCAR Privacy Framework also allows the Data Commissioner to authorise a mediator to investigate the appeal and try to arrive at a settlement.899

893 GDPR, arts 77,78,79 HIPCAR Model Legislative Text, p 62; AU Convention, art 12(2)(e); Commonwealth Privacy Bill, Part IV, s 23;
Commonwealth PPI Bill, s 29.
894 GDPR, art 77(1).
895 GDPR, arts 78 and 79.
896 Explanatory Report to the Convention 108+, para 133, p 30.
897 Explanatory Report to the Convention 108+, paras 99 and 100, pp 26-27.
898 AU Convention, art 12(6); Convention 108+, art 15(9), and Explanatory Report to the Convention 108+, para 124, p 29; GDPR, art
78; HIPCAR Model Legislative, ss 47 and 81.
899 HIPCAR Model Legislative Text, s 42.

Key considerations

◊ The Identified Regional Frameworks provide varying levels of detail about the regulatory structure applicable to data protection. Nevertheless, the general approach is to establish a supervisory authority that is responsible for enforcing the data protection legislation and related functions. The functions and powers of Regulators range from the monitoring and enforcement of the data protection framework, authorising data processing, and providing information to handling complaints relating to data protection and conducting investigations.

◊ Regardless of the specific structure, it is essential for Regulators to be designed to be autonomous, and have the resources to function effectively so that they can operate independently and transparently. The composition of regulators, access to funding and resources, and the appointment, dismissal, qualifications/disqualifications and tenure of its members, are some factors that impact the independence of regulators.

◊ Furthermore, regulators should be accountable to multiple stakeholders, and should be able to effectively coordinate with public authorities, regulators and private organisations, as well as with other supervisory authorities. They should also be empowered to impose penalties and hold both state and private actors accountable for noncompliance with data protection laws.