Balancing National Security and Data Privacy: A Key Regulatory Challenge in Cyberspace
Published: March 4th, 2018
Balancing national security needs with individual data privacy rights remains a core dilemma at the forefront of rule of law concerns in cyberspace. Recent regulatory initiatives on the part of two major jurisdictions to address the privacy of individuals’ personal data in cyberspace – the European Union and China – serve as a reminder that this is a critical issue in cyberspace governance and that the stakes are high for getting the balance right. A third key jurisdiction, the United States, may be ripe for reform of its data protection regime in the wake of multiple data breaches in 2017 of unprecedented scope that resulted in major financial and reputational losses:[2] these included the Equifax breach, in which nearly half of US citizens’ personal data was compromised.[3]
Data privacy rights represent a special form of respect for the human right to privacy.[4] An individual’s right to have his or her personal data – name, telephone number, address, health, physical location, financial information, and other such identifiers[5] – protected from use by others without his or her consent is derived from the general right of the individual to privacy. This right has been codified at the international level, inter alia by the Universal Declaration of Human Rights,[6] the International Covenant on Civil and Political Rights (ICCPR),[7] the European Convention for the Protection of Human Rights and Fundamental Freedoms, and several other regional human rights treaties.[8] With the advent of the internet and intensive use of the internet by nearly half of the world’s population, the exponential increase in transborder data flows has led many countries to the conclusion that the “…general reference to the right to privacy was no longer considered sufficient to protect individual rights.”[9] Moreover, national and regional jurisdictions interpret and apply data privacy rights in different ways. Thus, in the cyberspace context, the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations[10] notes that international human rights law applies to cyber-related activities of a state as a matter of lex lata,[11] and that individuals enjoy the same international human rights (such as privacy) with respect to cyber-related activities that they otherwise enjoy.[12] Yet the Manual emphasizes that the regional and national contexts in which these rights are realized must be considered is especially relevant in the cyber context[13] – a central challenge in the enforcement of data protection norms, for example, across jurisdictions.
Thus, data protection regimes on both the international and domestic planes are currently evolving in this new cyberspace context and aiming to balance national security, defense, public welfare and similar “public security” considerations with the protection of personal data privacy in the context of the global, trans-jurisdictional nature of the flow of personal data.[14]
Two recent examples of domestic regulation, both promulgated in 2016, have adopted models that exhibit an interesting combination of converging modalities and diverging regulatory approaches.[15] The EU’s General Data Protection Regulation (GDPR)[16] and China’s Cybersecurity Law (CCL)[17] both undertook this challenging regulatory task in the current dynamic cyberspace environment. Each regulatory initiative includes updated and explicit data protection regimes that share many similarities regarding the definition of protected personal data, requirement of data subject consent for data use, notification of data breaches, the right to rectification of erroneous data and other safeguards and modalities. On the other hand, the approaches of EU and Chinese regulators to carve out exemptions for security and law enforcement requirements reflect fundamentally different concepts of how this balancing should be implemented.
Setting aside important disparities in both the nature of governance and the understanding of the rule of law in these two regimes,[18] a key point distinguishes between their regulatory strategies: the degree of administrative and constitutional constraints on carve outs for public security considerations.[19] Both data protection regimes permit exemptions from the protection of data subject privacy rights in order to allow governmental authorities to collect personal data that otherwise enjoys a protected status. Yet while the GDPR incorporates within its “exemptions regime” a specific set of constraints setting out the permissible constitutional and administrative law limitations on the fundamental right of individual data privacy (inter alia – necessity, proportionality and fairness), the CCL lacks specific and transparent provisions setting out such limitations on those constraints that are intrinsic to the regulation itself.
This is a significant distinction at the level of rule of law safeguards. The 2011 Report of the UN Human Rights Council’s Special Rapporteur on the right to freedom of opinion and expression, emphasized the criticality of such constraints with regarded to individual internet privacy:
[T]he right to privacy can be subject to restrictions or limitations under certain exceptional circumstances. This may include State surveillance measures for the purposes of administration of criminal justice, prevention of crime, or combating terrorism. However, such interference is permissible only if the criteria for permissible limitations under international human rights law are met. Hence, there must be a law that clearly outlines the conditions whereby individuals’ right to privacy can be restricted under exceptional circumstances. Furthermore, measures encroaching upon this right must be taken on the basis of a specific decision by a State authority expressly empowered by law to do so…for the purpose of protecting the rights of others –for example, to secure evidence to prevent the commission of a crime –and must respect the principle of proportionality.[20] (emphases added)
In line with the Special Rapporteur’s view, an optimal regulatory balance between the protection of personal data and national security considerations will permit necessary and proportional exceptions to the protection regime. Criteria for swaying the balance away from individual privacy rights will be included in a transparent way within the statutory regime, so that judicial review of national security and other exceptions is feasible and available to data subjects who want to contest carve outs. In our view, both the GDPR and the CCL fall short of the ideal, in our view, although to different degrees.
Nonetheless, these two 2016 initiatives serve to push forward the important regulatory project of protection of data subject rights in a significant way, through the adoption of clear modalities and processes for data protection on an ongoing basis. Although a full engagement on the part of the EU, China and other jurisdictions with the dilemma of balancing data privacy with public security awaits, this common achievement strengthens guarantees for individual data privacy, and the chances for more robust and transparent balancing mechanisms in the long term.
[1] The funding for relevant research has been generously granted by the Tel Aviv University Blavatnik Interdisciplinary Cyber Research Center.
[2] Council of Econ. Advisers, The Cost of Malicious Cyber Activity to the US Economy (2018).
[3] Nuala O’Connor, Council on For. Rel., Reforming the US Approach to Data Protection and Privacy (2018), https://www.cfr.org/report/reforming-us-approach-data-protection.See also Consumer Privacy Protection Act of 2017, H.R. 4081, 115th Cong. (2017).
[4] See Christopher Kuner, Transborder Data Flows and Data Privacy Law (2013); Lee Andrew Bygrave, Data Privacy Law: An International Perspective (2014); and Lee A. Bygrave, Data Protection Pursuant to the Right to Privacy in Human Rights Treaties, 6 Int'l J.L. & Info. Tech. 247, 284 (1998).
[5] While definitions of protected personal data vary from jurisdiction to jurisdiction, they generally include any piece of information that can conclusively identify the individual independently or by readily-available cross-referencing. See GDPR art. 4 and CCL art. 76.5, infra notes 16 and 17.
[6] G.A. Res. 217 (III) A, Universal Declaration of Human Rights, art. 12 (Dec. 10, 1948).
[7] International Covenant on Civil and Political Rights art. 17, Dec. 16, 1966, 999 U.N.T.S. 171.
[8] See, i.e., European Convention for the Protection of Human Rights and Fundamental Freedoms, Council of Europe, art. 8, Sept. 3, 1953, 213 U.N.T.S. 221; American Convention on Human Rights art. 11, Nov. 22, 1969, 1144 U.N.T.S. 144; ASEAN Human Rights Declaration, art. 21, Nov. 18, 2012; League of Arab States, Arab Charter on Human Rights, September 15, 1994, art. 17, https://docs.google.com/viewer?url=http%3A%2F%2Fwww.humanrights.se%2Fwp-... League of Arab States, Arab Convention on Combating Information Technology Offences, art. 14, file:///C:/Users/house/Desktop/hu%20conference%20article/ASEAN-Human-Rights-Declaration.pdf.
[9] Paul de Hert and Vagelis Papakonstantinou, Three Scenarios for International Governance of Data Privacy: Towards an International Data Privacy Organization, Preferably a UN Agency? 9 ISJLP 271 (2013).
[10] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2d ed. 2017).
[11] Id. at 182.
[12] Id. at 187-192.
[13] Id. at 180.
[14] Bygrave, Data protection pursuant to the right to privacy in human rights treaties, supra note 4.
[15] Samm Sacks, New China Data Privacy Standard Looks More Far-Reaching than GDPR, CSIS Critical Questions, January 29, 2017, https://www.csis.org/analysis/new-china-data-privacy-standard-looks-more....
[16] Council Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, 2016 O.J. (L 119/1) [hereinafter GDPR].
[17] Cybersecurity Law (promulgated by the Standing Comm. Nat’l People’s Cong., Nov. 7, 2016, effective June 1, 2017) (China) [hereinafter CCL]; Cybersecurity Law, Nov. 16, 2016, http://www.chinalawtranslate.com/bilingual-2016-cybersecurity-law/?lang=en (unofficial English translation).
[18] See Hao Yeli, A Three-Perspective Theory of Cyber Sovereignty, 7 Prism, no. 2, 2018, http://cco.ndu.edu/PRISM-7-2/Article/1401954/a-three-perspective-theory-...
[19] The analysis focuses on the “law on the books” rather than de facto implementation. See the treatment of the “law in the books v. law in practice” issue in the context of personal data protection in Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on the Ground, 63 STAN. L. REV. 247, 295 (2011).
[20] Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, U.N. Doc. A/HRC/17/27 (May 16, 2011) at 15.