This module is a resource for lecturers
Enforcement of privacy and data protection laws
Generally, the challenges faced by countries in adequately enforcing data protection laws include funding issues, inability to adequately enforce these laws (e.g., human and technical resource restrictions), inadequate ICT infrastructure, and being unable or unwilling to handle cross-border requests for data (UNCTAD, 2016, p. 9).
The enforcement of privacy and data protection principles and laws varies across public and private sectors, both between and within countries. The GDPR, for example, was implemented to harmonize and strengthen the powers of data protection authorities to ensure the effective enforcement of the law. In addition to data protection laws, to assist data protection efforts, international and regional organizations have developed and implemented data protection regulation. For instance, the Asia-Pacific Economic Cooperation (APEC) developed the Privacy Framework, which includes principles and guidelines to protect data in a manner that avoids obstacles to the flow of information between members, and the Cross-Border Privacy Rules, a voluntary self-regulatory mechanism, which prescribes data protection standards for cross-border data exchange between members. It is important to note that national data protection and privacy laws take precedence over these rules.
Did you know?
A chart highlighting the similarities and differences between the APEC Privacy Framework and the GDPR with respect to purpose, material scope, territorial scope, personal information, data controller, data processors, publicly available information, permitted member country variations (derogations), preventing harm principle, notice, collection limitation, use limitation, choice and consent, data integrity, security safeguards, access and correction, accountability, transfer of personal data to another person or country, breach definition, breach notification, and breach mitigation, was made available by the International Association of Privacy Professionals (IAPP) and can be found here.
In addition to the enforcement of these rules by an authority, technologies can enforce data protection. A case in point is privacy enhancing technology (PET). The aim of privacy enhancing technologies is to protect and preserve the privacy of individuals. For this reason, privacy enhancing technologies can be used to implement and comply with data protection laws. These technologies are primarily used to protect the confidentiality of data (i.e., data is protected and only authorized users can access it) and the integrity of data (i.e., the data has not been modified and is what it purports to be). One example of a privacy enhancing technology is encryption. Another example is identity management, which refers to the process of authenticating users' identities, identifying associated privileges, and granting user access based on these privileges. Identity management supports the security and proportionality principles of data protection by restricting access and use of data.
Data protection laws can also be enforced through data protection by design. Article 25 of the GDPR mandates "data protection by design," whereby data controllers and data processors embed PET and other privacy measures in the design of systems and technologies. These design features require technical and organizational controls and policies to secure personal data and the provision of security measures that are designed to ensure the confidentiality, integrity, and availability (i.e., accessible on demand) of systems, networks, services, and data (e.g., access control, encryption, firewalls, and computer-use monitoring and information security policies, discussed in Module 9 on Cybersecurity and Cybercrime Prevention: Practical Applications and Measures).
Another data protection by design (or privacy by design) measure involves hiding identifying information from plain view, through anonymization and pseudonymization. Under Article 4(5) of the GDPR, "pseudonymisation" refers to "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person." Pseudonymization occurs when identifying data in a record is replaced by artificial identifiers. This is a form of data masking as it protects the confidentiality of the data to prevent the identification of the data subject. In addition to data protection by design measures, data protection by default measures can be implemented. An example of this measure is the practice of processing only the personal data which is necessary to achieve the stated aim of the processing activity (adhering to principles of data minimization and purpose limitation).
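The pseudonymization and data minimization measures described above can be sketched as follows. This is an added example, not part of the original module; the record fields, the choice of keyed HMAC-SHA256 for the artificial identifier, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data).
RECORDS = [
    {"name": "Ana Ruiz", "email": "ana@example.org", "postcode": "28004", "diagnosis": "asthma"},
    {"name": "Ben Okoye", "email": "ben@example.org", "postcode": "10115", "diagnosis": "diabetes"},
    {"name": "Ana Ruiz", "email": "ana@example.org", "postcode": "28004", "diagnosis": "eczema"},
]

IDENTIFIERS = ("name", "email")   # direct identifiers to be replaced
PURPOSE_FIELDS = ("diagnosis",)   # only what the stated purpose needs

def pseudonym(key: bytes, record: dict) -> str:
    """Artificial identifier: keyed HMAC over the normalised identifiers."""
    material = "\x1f".join(record[f].strip().lower() for f in IDENTIFIERS)
    return hmac.new(key, material.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records: list, key: bytes):
    """Return (working_set, lookup).

    working_set holds only a pseudonym plus the purpose fields
    (data minimisation: postcode is dropped because it is not needed).
    lookup and key are the "additional information" of Article 4(5):
    they must be stored separately, under their own access controls.
    """
    working_set, lookup = [], {}
    for rec in records:
        token = pseudonym(key, rec)
        lookup[token] = {f: rec[f] for f in IDENTIFIERS}
        working_set.append({"subject": token, **{f: rec[f] for f in PURPOSE_FIELDS}})
    return working_set, lookup

def reidentify(token: str, lookup: dict):
    """Only possible for a party that holds the separately stored lookup."""
    return lookup.get(token)

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated and held by the key custodian
    working_set, lookup = pseudonymise(RECORDS, key)
    for row in working_set:
        print(row)                  # no name, email or postcode appears
```

Records for the same person keep the same pseudonym, so analysis across records still works, while anyone holding only the working set cannot attribute a row to a data subject without the key or lookup table.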