Data protection and privacy laws

As described in Section III. Privacy & Security, data protection requires a holistic approach to system design that incorporates a combination of legal, administrative, and technical safeguards. To begin, ID systems should be underpinned by legal frameworks that safeguard individual data, privacy, and user rights. Many countries have adopted general data protection and privacy laws that apply not only to the ID system, but to other government or private-sector activities that involve the processing of personal data. In accordance with international standards on privacy and data protection (see Box 8), these laws typically have broad provisions and principles specific to the collection, storage and use of personal information, including:

  • Purpose limitation. The collection and use of personal data should be limited to purposes: (1) which are stated in law and thus can be known (at least in theory) to the individual at the time of the data collection; or (2) for which the individual has given consent.

  • Proportionality and minimization. The data collected must be proportionate to the purpose of the ID system in order to avoid unnecessary data collection and “function creep,” both of which can create privacy risks. This is often articulated as requiring that only the “minimum necessary” data—including transaction metadata—should be collected to fulfil the intended purpose.

  • Lawfulness. The collection and use of personal data should be done on a lawful basis, e.g., involving consent, contractual necessity, compliance with legal obligation, protection of vital interests, public interest and/or legitimate interest.

  • Fairness and transparency. The collection and use of personal data should be done fairly and transparently.

  • Accuracy. Personal data should be accurate and up-to-date, and inaccuracies should be expediently corrected.

  • Storage limitations. Personal data—including transaction metadata—should not be kept longer than is necessary for the purposes for which it is collected and processed. With respect to transaction metadata, people can be given an option for how long such data are retained.

  • Privacy-enhancing technologies (PETs). Requirements to use technologies that protect privacy (e.g., the tokenization of unique identity numbers) by eliminating or reducing the collection of personal data, preventing unnecessary or undesired processing of personal data, and facilitating compliance with data protection rules.

  • Accountability. The processing of personal data in accordance with the above principles should be monitored by an appropriate, independent oversight authority, and by data subjects themselves.

In general, personal information should be lawfully obtained (usually through freely given consent) for a specific purpose, and not be used for unauthorized surveillance or profiling by governments or third parties or used for unconnected purposes without consent (unless otherwise required under the law). Finally, users should have certain rights over data about them, including the ability to obtain and correct erroneous data about them, and to have mechanisms to seek redress to secure these rights.

The sections below describe some particular data protection safeguards in relation to institutional oversight, data security, data sharing, cross-border data transfers, and user consent.

Box 8. EU General Data Protection Regulation (GPDR)

In terms of existing frameworks, the European Union’s (EU) 2016 General Data Protection Regulation (GDPR) is the most recent example of comprehensive regulation of data protection and privacy, setting a new threshold for international good practices. Building upon existing principles (e.g., the OECD Privacy Principles), it has become an important reference point for global work in this area. Article 5 of the GDPR, enshrines the core principles described above, requiring that personal data collection, storage, and use be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject;

  • collected for specified, explicit and legitimate purposes;

  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  • accurate and, where necessary, kept up to date;

  • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and

  • processed in a manner that ensures appropriate security of the personal data.

In addition, EU Member States are required to provide for a supervisory authority to monitor the application of the regulation (Article 51(1)). However, many Member States had previously established their own supervisory authorities under the EU Data Protection Directive (Directive 95/46/EU); the incumbent EU data protection regime.

Some of the newer rights and duties it introduced when the GDPR took force in 2018 remain the subject of debate in policy circles, and a number of legal questions remain about their application in practice. However, the framework’s key principles largely have their origins in earlier European law and are not new or specific to Europe or the GDPR. They are reflected in one form or another in many national data protection and privacy laws outside Europe, largely due to general recognition of their merit.

Source: Adapted from the ID Enabling Environment Assessment (IDEEA).

Institutional oversight

Data protection and privacy in general, and with respect to ID systems, are often subject to the oversight of an independent supervisory or regulatory authority to ensure compliance with privacy and data protection law, including protecting individuals’ rights. The supervisory authority might be a single government official, ombudsman or a body with several members. Genuine independence of such an authority is a key factor, with independence being measured by structural factors such as the composition of the authority, the method of appointment of members, the power and timeframe for exercising oversight functions, the allocation of sufficient resources and the ability to make meaningful decisions without external interference (e.g., see Recital 117 of the GDPR).

The supervisory authority may handle public complaints, even though every individual whose data is collected may have recourse to an external binding legal process and ultimately the courts at least on matters of law. In terms of remedies, the authority may have the power to oblige the ID system to rectify, delete or destroy inaccurate or illegally collected data.

Specifically, the Council of Europe (CoE) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108, CoE 2018)—which was recently updated as Convention 108+—indicates that the powers and duties of such an authority may include:

  • duties to monitor, investigate and enforce compliance with individual privacy and data protection rights;

  • duties to monitor developments and their impact on individual privacy and data protection rights;

  • powers to receive complaints and conduct investigations of potential violations of individual privacy and data protection rights;

  • powers to issue decisions on violations of such rights and order remedial action or meaningful sanctions;

  • duties to promote public awareness of the rights of individuals and the responsibilities of those entities holding and processing personal data; and

  • a duty to give specific attention to the data protection rights of children and other vulnerable individuals.

The CoE has further suggested that a supervisory authority might also have other powers and duties, such as:

  • issuing opinions prior to the implementation of data processing operations;

  • advising on legislative or administrative measures;

  • recommending codes of conduct or referring cases to national parliaments or other state institutions;

  • issuing regular reports, publishing opinions and other public communications to keep the public informed about their rights and obligations and about data protection issues in general.

Box 9. Examples of data privacy and protection oversight agencies

The Estonian Data Protection Inspectorate, founded in 1999, is a supervisory authority, empowered by the Data Protection Act, Public Information Act and Electronic Communication Act. The inspectorate’s mandate is to protect the following right enshrined under the Estonian Constitution:

  • right to obtain information about the activities of public authorities;

  • right to inviolability of private and family life in the use of personal data; and

  • right to access data gathered in regard to yourself

In South Africa, the Protection of Personal Information Act 4 of 2013 established the Information Regulator, an independent body subject only to the Constitution and to the law. This body is appointed by the President on the recommendation of the National Assembly, after nomination by a committee composed of members of all the political parties represented in the National Assembly. It is ultimately accountable to the National Assembly. It has a broad range of supervisory functions, including a duty to: conduct public education, monitor and enforce compliance with the law, consult stakeholders and mediate between opposing parties, handle individual complaints, conduct relevant research, issue codes of conduct and guidelines, and facilitate cross-border cooperation. Among its monitoring functions are the periodic assessment and monitoring of public and private bodies engaged in processing of personal data and monitoring the use of unique identifiers of data subjects. Note that as of August 2018, the Act has not yet been brought fully into force.

In the Philippines, the Data Privacy Act of 2012 established the independent National Privacy Commission. The Commission, which is attached to the Department of Information and Communications Technology, is headed by a Privacy Commissioner who is assisted by two Deputy Privacy Commissioners (one responsible for Data Processing Systems and one responsible for Policies and Planning). All three Privacy Commissioners must be expert in the field of information technology and data privacy, and all are appointed by the President for three-year terms and are eligible for reappointment for a second term of office. The Commission has its own secretariat. The Commission’s many duties include monitoring compliance with the data privacy law; receiving and investigating complaints; regularly publishing a guide to all laws relating to data protection; reviewing and approving privacy codes voluntarily adopted by personal information controllers; providing opinions on the data privacy implications of proposed national or local statutes, regulations or procedures; and coordinating with data privacy regulators in other countries (See Philippines Data Privacy Act of 2012, Chapter II.)

In the United Kingdom, the Data Protection Act 1984 introduced the role of Information Commissioner (previously, the Data Protection Registrar) although the powers granted to the Information Commissioner increased in scope under the Data Protection Act 1998 and most recently, the Data Protection Act 2018. The Information Commissioner is an independent official appointed by the Crown and operates the UK Information Commissioner’s Office (ICO). The ICO is sponsored by the Department for Digital, Culture, Media and Sport (DCMS) and ultimately reports to Parliament. It is an independent regulatory body which seeks to monitor, investigate and enforce all applicable data protection and privacy legislation in the UK (including Scotland, to a limited extent).

Source: Adapted from ID Enabling Environment Assessment (IDEEA) and Privacy by Design: Current Practices in Estonia, India, and Austria

Data security

Personal information should be stored and processed securely and protected against unauthorized or unlawful processing, loss, theft, destruction, or damage. This principle becomes increasingly important for digital ID systems given the threat of cyberattacks. Typical measures to ensure data security that may be mandated under the legal framework—some of which are discussed in more detail under Section III. Privacy & Security—include:

  • Encryption of personal data

  • Anonymization of personal data

  • Pseudonymization of personal data

  • Confidentiality of data and systems that use or generate personal data

  • Integrity of data and systems that use or generate personal data

  • Ability to restore data and systems that use or generate personal data after a physical or technical incident

  • Ongoing tests, assessments and evaluation of security of systems that use or generate personal data

Many international standards also impose a duty on data controllers to notify data subjects of significant data breaches affecting their personal data. In addition, countries may have laws designed to identify and mitigate cyberthreats, as well as legislation that penalizes unauthorized access, use or alteration of data (see section on Cybersecurity, below). Finally, legal frameworks should include sufficient penalties for unauthorized access, use or alteration to personal data by data administrators and third parties, including the criminalization of:

  • Unauthorized access to ID systems or other databases holding personal data

  • Unauthorized monitoring/surveillance of ID systems or other databases holding personal data or unauthorized use of personal data

  • Unauthorized alteration of data collected or stored as part of ID systems or other databases holding personal data

  • Unauthorized interference with ID systems or other databases holding personal data

Box 10. Examples of security breach notification laws

The EU’s GDPR requires notification to the supervisory authority of any personal data breach “without undue delay and, where feasible,” within 72 hours of becoming aware of it unless the incident “is unlikely to result in a risk to the rights and freedoms of natural persons.” The notification must detail certain information about the breach including the categories and approximate number of data subjects concerned and the likely consequences of the breach (Article 33). Similarly, subject to some exceptions, notification to the individual data subjects affected must take place “without undue delay” if the breach “is likely to result in a high risk to the rights and freedoms of natural persons” and such notification shall have at least the same information that needs to be notified to the supervisory authority (article 34).

Almost every state in the United States has a breach notification statute, typically requiring private or governmental entities to notify individuals of security breaches involving personally identifiable data and setting out what constitutes a security breach, notice requirements (such as timing and method), and exemptions (such as for encrypted information).

In South Africa, the Protection of Personal Information Act 4 of 2013 (most of which was not yet in force as of August 2018) requires the Information Regulator, the national supervisory authority, to notify the data subjects of breaches as soon as reasonably possible after their discovery of the compromise – taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach including. The Information Regulator may direct the responsible party to publicize information about the security breach if this would protect individuals who may be affected (South Africa Protection of Personal Information Act 4 of 2013, section 22).

Source: Adapted from the ID Enabling Environment Assessment (IDEEA).

Data sharing

Because the linkage of information across databases intensifies privacy and data protection concerns, legal frameworks can mitigate risks by stipulating all the purposes for which personal data in an ID system is shared, by both government and non-government entities. In addition, public entities may be limited to obtaining specific information justified by their functions (i.e., the “need-to-know” principle).

Potential benefits of information sharing include:

  • convenience for both government and citizen;

  • better government service delivery;

  • seamless service transfer when data subjects change address;

  • improved risk management;

  • cost savings as duplication of effort is eliminated; and

  • improved efficiency through more effective use of data (see, e.g., Perrin et al. 2015)

However, information-sharing between government agencies, if not well-regulated, can turn into a “back door” which allows circumvention of individual privacy and data protection safeguards. Comprehensive population databases, like those established as part of ID systems, are a tempting resource for law enforcement authorities, particularly when they contain biometrics. Particular concerns arise in relation to collection of DNA information which, like other biometric data, may be used not only for the purposes of identifying an individual, but also as evidence in the process of investigating whether he or she has committed a crime.

This type of information sharing can take place even without the technological compatibility of interoperability. For example, police could contact ID officials and ask them to pull the record of a particular individual and share information such as fingerprints, facial image, address or names of family members.

Policymakers and courts have struggled with striking the appropriate balance between protecting the privacy of registrants and supporting criminal investigations. One approach to such matters could be to apply the same rules that apply to other forms of searches and seizures in the country in question, such as a requirement that a warrant be obtained. This may be beneficial where a balance between personal privacy and public interest has already been struck in this regard. For further discussion and citations on this issue in scholarly work and the media, see the IDEEA tool).

Box 11. Examples of data sharing arrangements

Article 4(2) of the EU 2016 Police and Criminal Justice Data Protection Directive 2016/680 requires that personal data collected for some other purpose—which could be for an ID system or for civil registration—can be processed by the same or another controller for crime-related purposes only in so far as: (a) there is legal authorization for this and (b) such processing is necessary and proportionate to the purpose for which the personal data was collected. (See, e.g., The Council of the EU, Data Protection in Law Enforcement)

In India, the Aadhaar Act 2016 provides for the disclosure of information, excluding “core biometric information,” pursuant to an appropriate court order, which can be made only after the Unique Identification Authority of India (UIDAI) has been given an opportunity to give input on the disclosure. It also provides for the disclosure of information, including core biometric information, “in the interest of national security” on the direction of government officers above a certain rank, where this has been authorized by an order of the central government and reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government in the Department of Legal Affairs and the Department of Electronics and Information Technology.

In Australia, the federal Privacy Act 1988 (as amended) contains as one of its “Privacy Principles” the rule that personal information about an individual collected for a particular purpose must not be used or disclosed for another purpose without the individual’s consent. However, there is an exception for situations where the use or disclosure is “reasonably necessary” for the enforcement related activities conducted by or on behalf of an enforcement body – which includes use or disclosure by police for prevention, detection, investigation, prosecution or punishment of criminal offences – as well as an exception for uses and disclosures authorized by law or by court order. Use for enforcement related activities must be noted in writing as a mechanism to promote accountability. (See also Privacy Act reforms – implications for enforcement functions)

Source: Adapted from the ID Enabling Environment Assessment (IDEEA).

Cross-border data transfers

The security of personal data transferred across national borders has been one of the drivers for international consensus on the fundamental principles for the protection of personal data. For example, the principle articulated in the OECD Privacy Framework (OECD 2013) regarding transborder flows of personal data is that a data controller “remains accountable for personal data under its control without regard to the location of the data” (adopted in 1980 and revised in 2013, Article 17).

However, due to uncertainty regarding data protection standards in foreign countries, many countries limit extraterritorial transfer of personal data. Such transfers may be permitted in certain circumstances or when the data protection standards in a third country are deemed adequate. This is particularly sensitive in the case of personal data for national ID systems, civil registration, and voter registration systems. In addition to transferring data across borders, legal frameworks may also include arrangements for regional or international interoperability or mutual recognition of their ID systems.

Box 12. GPDR limits on data transfers

The EU’s GDPR limits transfers of personal data outside the European Economic Area except in certain circumstances. Such transfers are allowed if the European Commission issues a decision determining that the receiving country “ensures an adequate level of protection” (Article 45). Such a decision requires a comprehensive assessment of the country’s data protection framework, including protections applicable to personal data and oversight and redress mechanisms. Adequacy decisions have been adopted with respect to 12 countries, including Canada (commercial organizations), Israel, Switzerland and the United States (limited to the Privacy Shield framework).

In July 2018, the EU and Japan agreed to recognize each other’s data protection system as equivalent, and the European Commission began the process of formally issuing an adequacy decision. Similarly, the United Kingdom is seeking to obtain an adequacy decision from the European Commission to apply upon the UK’s exit from the European Union (Brexit). Transfers to non-EU countries are also permitted in other circumstances, such as if the transferor has provided “appropriate safeguards” which may be established through several means including a legally binding agreement between public authorities, certain contractual clauses (e.g. the EU Commission’s Model Clauses) or the existence of an approved and enforceable code of conduct, among others (GDPR Article 46).

Source: Adapted from the ID Enabling Environment Assessment (IDEEA).