Regulatory approaches to protection of human rights in the digital society: international standards for the protection of personal data
As the data we give to corporations while using their services draws a lot of attention nowadays and causes fear that privacy might be dead, we have decided to point out, in a series of texts published on a weekly basis, the major trends in this area and the ways in which corporations can preserve or regain their reputation.
Our goal is to give companies insight into how to use alternative mechanisms to protect personal data in their management, and to point out to users the problems which can appear when their personal data is used. We got in touch with companies from the ICT sector whose good practices in managing data can be a good example for many other corporations in this field, and we paid attention to international case law to show the problems which may occur to users of the services.
If you have any questions or suggestions, we invite you to comment. We believe that in this way we can help corporations improve their level of data protection, and that users will become more aware of their data and more cautious about giving it away.
We sincerely hope that after these articles and for your own good, you will realize the value of your data.
Regulatory methods of protection of human rights in digital environment: international standards of protection of personal data
In recent decades, corporations have been a subject of criticism for taking part in violations of human rights. In every branch of the economy, corporations have an influence on the exercise of fundamental human rights, either of their employees or of consumers. This influence extends over multiple human rights, such as the right to privacy, the right to own property, the right of peaceful assembly and association, and freedom of expression.
Although companies primarily influence their employees, they also influence the community in which they operate. Companies themselves are aware of their significant role in the community and address it mostly through programs of Corporate Social Responsibility (CSR). However, it is essential to distinguish between these initiatives and the concept of Human Rights and Business, because CSR initiatives, although very important, are undertaken selectively and are focused on specific questions, while the concept of “human rights and business” is focused on recognizing every single binding human rights standard. Nevertheless, it seems that the right to privacy and the protection of personal data had not drawn much public attention until the development of business models in the digital age started threatening them.
The first initiative of global importance in the human rights and business field was the UN Global Compact (2000). This voluntary Global Compact initiative isn’t legally binding, but it puts a certain pressure on corporations and gathers those corporations dedicated to bringing their businesses into compliance with ten internationally accepted standards on human rights, labor relations, environment and anti-corruption. After the Global Compact initiative, the UN Secretary-General’s Representative on Business and Human Rights created the “Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework”. The framework is based on three pillars: the obligation of the state to protect human rights, the obligation of companies to respect human rights, and access to effective legal remedies for victims of human rights violations. If the principles are applied within the field of data protection, it can be concluded that an ICT corporation is at risk of violating users’ right to privacy and right to protection of personal data, which can be the outcome of data exchange and censorship. An example of this type of violation is the case of Yahoo! Inc, which agreed to deliver the data of its users to the government of the People’s Republic of China; the data was used to locate and prosecute political dissidents, a clear violation of universal human rights. The case will be thoroughly elaborated in the following articles.
One of the first initiatives in the field of data protection was the OECD “Privacy Principles” (the OECD being an organization with a very small number of members, mostly those which were economically most developed at the time), adopted in 1980 and revised in 2013. Within EU legislation, the Council of the European Union adopted a Convention on the adequate protection of personal data 95/46 on 24 October 1995. Based on the Convention, in order to harmonize and guarantee the free movement of such data, the EU adopted the Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data. According to Directive 95/46, the five fundamental principles of the system of protection of personal data require that personal data be:
processed fairly and lawfully;
collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
Therefore, data processing must be limited to what is necessary, the transparency of the processed data must be at the highest level, and efficient supervision of data processing must be established.
The EU is expected to adopt a new regulation on the protection of personal data, which will apply directly in every member state. The text of the regulation, which is being negotiated in the European Parliament, stipulates high fines for corporations which violate it. The adoption of the regulation is expected in May 2014, as the elections for the European Parliament will be held at that time.
On the other hand, an example of good practice in establishing a “pact” between users and corporations, with CSOs in an intermediary role, is the “Global Network Initiative” (GNI) project. GNI aims to establish a legal framework based on internationally accepted standards which will provide for responsible management in the ICT sector, give self-regulation a chance in this field, and make room for the joint exchange of ideas and experiences.
The Principles on Freedom of Expression and Privacy, one of the three main documents of the Initiative, thoroughly describe the commitment of the Initiative’s members to advancing freedom of expression and the right to privacy. The Principles define personal data as data which can be used, alone or in combination, to identify and locate individuals (such as name and surname, e-mail address or payment data), or as data which can be related, directly or indirectly, with other information that can possibly reveal someone’s identity and location. According to the definition, member corporations are obliged to protect the data in every country in which they do business, in order to protect their users’ privacy, especially in situations in which the rules, laws or regulations of the country’s government are not in accordance with international principles and standards.
The Principles’ Implementation Guidelines give instructions to ICT corporations on how to apply the Principles and create a framework for collaboration between corporations, NGOs, investors and academia. Thus the Implementation Guidelines propose that corporations:
Narrowly interpret and implement government demands that compromise privacy.
Seek clarification or modification from authorized officials when government demands appear overbroad, unlawful, not required by applicable law or inconsistent with international human rights laws and standards on privacy.
Request clear communications, preferably in writing, that explain the legal basis for government demands for personal information, including the name of the requesting government entity and the name, title and signature of the authorized official.
Require that governments follow established domestic legal processes when they are seeking access to personal information.
Adopt policies and procedures to address how the company will respond when government demands do not include a written directive or fail to adhere to established legal procedure. These policies and procedures shall include a consideration of when to challenge such government demands.
Narrowly interpret the governmental authority’s jurisdiction to access personal information, such as limiting compliance to users within that country.
However, corporations should bear in mind that it is neither desirable nor practical to examine every single request in formal procedures; instead, they should develop their own criteria for initiating such procedures (whether the procedure will positively influence the protection of privacy, the severity of the case and situation, the costs of the procedure, the importance of the case for judicial practice, and whether there are similar cases or not). In applying the Guidelines, corporations should also expect situations in which countries try to bypass their own procedures for acquiring data, trying to get access to data through proxy servers and third parties.
International practice in personal data protection has set up standards and basic principles in this area, and corporations should accept them in order to work in a legal and responsible way and to preserve their reputation. The next article will give an overview of personal data protection in Serbia, as well as examples of good practice from our companies.
To be continued…