CREATING A DATA PROTECTION FRAMEWORK: A DO’S AND DON’TS GUIDE FOR LAWMAKERS
DON’TS
Below you will find five recommendations for policy makers to follow when developing a data protection law. We advise caution on the following five elements which, if ignored, could limit the benefits of the proposed law or harm individuals’ rights.
1 DO NOT SEEK BROAD DATA PROTECTION AND PRIVACY LIMITATIONS FOR NATIONAL SECURITY Governments not only have an obligation but also a security interest in ensuring the protection of personal data, in particular when information is held by government agencies. In 2015, as the result of a cybersecurity incident in the US, 21.5 million records of federal employees and family members stored at the Office of Personnel Management were stolen.46 As these types of incidents and attacks are increasing globally, countries have must take measures to better protect individuals’ information. Despite this, governments often seek limitations to data protection and privacy rights for their own use of personal data by asking for broad exceptions. These exceptions must be prevented and limited to clearly defined, necessary, and proportionate measures that include judicial oversight and accessible remedy mechanisms. Legislation should not give governments and public entities the capacity to shield themselves from the obligation to protect users’ right to data protection. Countries have a security interest in safeguarding personal data held by government agencies.
accessnow.org
14
Experience from the GDPR negotiations
The GDPR provides a list of reasons that member states can rely on to restrict users’ rights and freedoms protected under the law, such as national security or defence.47 While it is common to find provisions allowing states to restrict rights in every piece of EU and national legislation, the language of these provisions is often purposefully vague and can potentially cover a wide range of state activities. The GDPR for instance allows for restrictions of rights for broad and undefined “other important objectives of general public interest of the Union or of a Member State”. Given the impact of such restrictions on users’ rights and freedoms, they should be clearly defined and limited in law, subjected to strict transparency and oversight criteria, and be necessary and proportionate measures in a democratic society.
2 DO NOT AUTHORISE PROCESSING OF PERSONAL DATA BASED ON THE LEGITIMATE INTEREST OF COMPANIES WITHOUT STRICT LIMITATIONS Companies often argue that they should have a right to collect and process user data, when this is their “legitimate interest”, without having to notify users. Unless such exceptions are defined as being exceptions (not the case under the GDPR or the 1995 Directive) and narrowly defined (which is better achieved in the GDPR), this should not be allowed. Otherwise, this intrinsically contradicts the objective of data protection, which is to put users in control of their information. Such attempts to limit users’ rights must be prevented. [46] Patricia Zengerle, Megan Cassella, Millions more Americans hit by government personnel data hack, Reuters, 2015. https://www.reuters.com/article/us-cybersecurity-usa/millions-more-americans-hit-by-government-personnel-data-hack-idUSKCN0PJ2M420150709 [47] See Article 23. European Union, Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
