Personal data processing is at the core of almost every activity throughout the world, in both the public and private sector. Besides its lucrative side, it has been proving itself as a powerful tool to influence opinions and behaviours for very different purposes, such as political gains. Global computer networks, notably the Internet, have given this phenomenon the power to ignore national frontiers and to grow exponentially. It is now evident that the processing of personal data may not only have an impact on the specific individual to whom the data refers, but also have an impact on a much broader scale, creating tendencies, forming movements, overthrowing Governments, or influencing election results. This inevitably entails new risks, from the perspective of individual privacy, but also other fundamental rights, such as the right not to be discriminated against, fair competition between commercial enterprises and the proper functioning of democratic institutions.
This multifaceted nature of personal data and the increasing awareness of its importance has determined a much-needed comparative research. Such is the purpose of this book. The research was initially prepared for the XXth General Congress of the International Academy of Comparative Law in Fukuoka, Japan (22-28 July 2018), where its preliminary conclusions were first presented, and resulted in the publication entitled Data Protection in the Internet, included in the Ius Comparatum – Global Studies in Comparative Law book series (GSCL, volume 38).
The book is the result of a research centered on the legal framework of personal data protection, in a comparative perspective, at a national level, in the context of computer networks. If it is true that the Internet has no borders, the regulation of data protection is still – with the notable exception of the European Union – essentially the product of national or even private initiatives. The book identifies and explains the different national approaches to data protection – the legal regulation of the collection, storage, transmission and use of information concerning identified or identifiable individuals –, addresses the particularities of the processing of personal data for certain specific purposes, such as criminal investigations and national security, and the specificities of processing through electronic means, identifies differences in national approaches and determines the extent to which they could be harmonised in the foreseeable future.
The making of
The project to conduct a research on data protection in the Internet from a comparative law perspective was initiated in September of 2016. It covered 16 countries, in four continents. The analysis of the national legislation and regulation on this particular topic was further complemented with an overview of international and regional legal frameworks. At the international level, the project looked into the role of the United Nations in coordinating efforts to reach a common ground on the protection of personal data. At the regional level, the European Union legal framework on personal data was also included, given the position of the General Data Protection Regulation as a normative instrument with the potential to influence other jurisdictions around the globe, and specifically designed to address the impact of electronic means in the processing of personal data. Additionally, taking into consideration the economic impact of cross-border flows of personal data, and the relevance of trade law in regulating these movements, the research also comprises an analysis to data protection in international trade law.
For each of the legal frameworks covered – national, regional and international – a detailed report was prepared. Once all the reports were concluded, a general report was prepared, summarising the main tendencies and national approaches, notably those that separate the comprehensive and detailed protective rules adopted in Europe since the 1995 Directive on the processing of personal data from the more fragmented and liberal attitude of American courts and legislators in this respect. In total, the project comprises twenty reports, including the general report.
Methodology
In the last quarter of 2016, the coordinators of the project, based principally at the Law School of the University of Lisbon, outlined the main phases of the work which had to be developed in the following years, drafting a document to serve as a brief guide to the rapporteurs around the world in the process of preparing their rapports. That document, together with a very detailed questionnaire and a work plan, specifying the deadlines for each milestone, were submitted to the rapporteurs in December 2016.
Since 2017, the focus was on preparing the reports, with a particular concern on ensuring their continued update throughout the process. This was especially relevant to the European Union Member States rapporteurs, given the fact that, during that period of time, the General Data Protection Regulation had already entered into force but wasn’t yet totally applicable. It became applicable from 25 May 2018 onwards and, in the interim, all Member States adapted their legislation to that new framework. The reports sought to reflect those developments. In order to achieve that, the project’s deadline was extended to cover the entire year of 2018 and part of 2019, inasmuch as many of the laws that complemented the General Data Protection Regulation in the Member States comprised in the project were approved by that year. As it was quite perceptible, this European legal instrument also had an impact in many other regions of the world and, as a result, a major reform of data protection laws came into motion on a global scale, affecting many of the countries included in the project.
As the national, international or regional reports were updated, the general report also had to be adapted, by incorporating the developments introduced in the former. Nevertheless, the initial main tendencies and different approaches at a national level, deeply rooted in the historical origins of some of the central concepts, remained essentially unchanged.
The outcome
The research has concluded that the approaches to data protection in the Internet differ widely, particularly between the two major Western legal traditions – the Civil and the Common Law ones – in what concerns its sources, contents, remedies and scope of application. Although initiatives such as the General Data Protection Regulation have demonstrated an outstanding capacity to bring about change at an international level, leading other countries to follow some of its rules and, to a certain degree, achieve some harmonisation, there are still different perceptions on key concepts. A change in legislation in this topic has to be supported by a change in the way societies and individuals understand their private sphere. The research concluded that the main different approaches are deeply rooted in divergent conceptions of the respective roles of private ordering, the protection of individuals’ fundamental rights and the preservation of national security in a market economy.
Posted by Professor Sofia de Vasconcelos Casimiro (Lisbon) and Professor Dario Moura Vicente (Lisbon)
Picture Credits: Telmo Miller (Professor Dário Moura Vicente) and Andreia Peixoto (Professor Sofia de Vasconcelos Casimiro)
British Association of Comparative Law 