The Sketchy Pathway of Data Protection: How to Navigate It

Preamble

Graham is a disturbed man surfing the internet for the best remedy to his bedwetting problem. Due to how embarrassing he feels his problem is, he tries to clean his track by erasing his browsing history and browser’s cache believing his footprint would be erased.

Then his new girlfriend asks for his PC to make a search and realizes that on every page she opens, there is an advert for bedwetting solutions. It is obvious that Graham must be a bedwetter who must have searched for solutions, hence, the targeted ads.

So she inquires, innocently, but that just happened to be the most embarrassing day for poor Graham.

Just like Graham, anyone and everyone can be a victim of a lack of data privacy. It may not likely be an embarrassing situation like Graham, but due to data vulnerability, your security can be threatened if there is a data hack, leak, or theft.

Presently, users' data are collected, stored, and used without their express consent. Using these data, their identities, preferences, habits, and activities are tracked, analyzed, and sold for profit or power. This can bring undue exposure of data to bad actors in the system.

This is more like a dystopian nightmare and a reality for many people around the world. Despite the existence of various data protection and privacy laws in different countries and regions, there is still a huge gap between the legal frameworks and the actual practices of data processing.

In this article, I will explore some of the challenges and controversies surrounding data protection laws and actual data usage, and what can be done to protect users’ rights and interests in the digital age

Introduction

Before delving into the issues surrounding data protection laws, let’s understand in a nutshell what data protection is. Data protection is the safeguarding of data and sensitive/personal information from abuse, tampering, damage, and/or loss.

It involves the relationship between the collection and dissemination of data, the public perception and expectation of privacy, and the political and legal underpinnings surrounding that data.

Data protection is important because data is a valuable asset for businesses and individuals, hence, it needs to be safeguarded from unauthorized access, misuse, or theft.

Data protection laws, on the other hand, are laws that control how people, businesses, and governments gather, use, keep, and exchange personal data. These laws are crucial for preserving user rights, privacy, and personal information.

Considering the intricacies of data and how it affects the security and well-being of users, it is necessary to discuss the situation surrounding data protection laws across the world, including their complexities, controversies, interferences, disputes, and overall interfaces, to grasp the hazy trail of data protection regulations.

The Limitations & Debates Regarding Data Protection Laws

Around the world, there are many disagreements over data privacy and protection. These can be linked to several difficult circumstances, including but not limited to:

• Frequent collation and processing of enormous volumes of personal data without the knowledge or agreement of the data subjects because of the unexpected and rapid expansion of data-driven technologies like artificial intelligence, biometrics, blockchain, and cloud computing. For data privacy and security, this creates new risks and possibilities.

• The conflict of data protection regulations with other laws or actors that assert a greater public interest or need. This has placed a stiffer huddle on the implementation of data protection laws and regulations across different strata of our society. There has been a frantic search for a middle ground by Regulators and other players involved. However, the intricacies of the matter make it very hard to find the perfect fit. Let’s consider the following case studies:

  
  

  • The Chinese Personal Information Privacy Law (PIPL), which happens to be the first comprehensive data privacy law in China, went into effect in 2021. However, it was heavily criticized for creating a sketchy data protection law by imposing strict obligations and restrictions on foreign data controllers and processors while there were extensive exceptions and exemptions permitted for domestic data processing activities relating to national security, public interest, and others.

    
    

  • The EU-US Privacy Shield was a framework for transatlantic data transfers that was rejected by the European Union's Court of Justice in 2020. This framework was challenged on the basis that it did not adequately safeguard EU data subjects from US surveillance laws and practices. In the proceedings, the court found that US national security and public interest requirements could override the privacy rights of EU data subjects and that they lacked access to appropriate legal remedies. Another bias.

    
    

• Limitation on the resources, powers, authority, and tactics of the data protection agencies and regulators, in terms of their breath, depth, and influence. These limitations exert a significant impact on their efficiency in implementing the laws, fines, penalties, remedies, and other enforcement measures.

• Weak or antiquated data protection legislation in several countries usually results in enterprises or companies complying with the law less or not at all. For example, UNCTAD reported that only 137 of 194 nations have laws for the protection of data and privacy in place as of 2020.

  
  

  Only 61% and 57%, respectively, of the nations in Africa and Asia have adopted data regulation, with lesser measures being made to enforce compliance. Nigeria is a case study with little or no adherence to data privacy laws by organizations.

  
  

  Another example can be seen in the United States where 47 states were found to have weak or nonexistent customer data privacy regulations, according to a survey by Security™, only three states—California, Maine, and Nevada—have established laws granting citizens some control over their online personal data, and/or establishing a set of guidelines for commercial corporations collecting such data.

• Possible conflicts due to the imbalance of data privacy with other vested interests or values, including those of public health, national security, police enforcement, business interests, economic progress, or creativity. Cases include:

  
  

  • The ePrivacy Directive which stipulates a special set of privacy regulations to harmonize the processing of personal data by the telecommunications sector, may be in contradiction with the GDPR which applies to all sectors, including the telecoms industry.

    
    

  • The conflicts between the California Consumer Privacy Act (CCPA), a comprehensive data protection statute that gives Californians a variety of rights regarding their personal data, and other local, state, or federal regulations that govern certain industries or activities.

    
    

    The Health Insurance Portability and Accountability Act (HIPAA), which controls the security and privacy of health information, and the Gramm-Leach-Bliley Act (GLBA), which supervises the financial services sector, are two examples of legislation that the CCPA clashes with.

The Potential Impact of the Challenges on Data Subjects

The challenges listed above can have substantial and detrimental effects on the rights and interests of data subjects. The following are a few potential effects or consequences:

• Loss of independence and control over personal data.

• Privacy and dignity violation.

• Exposure to different risks and consequences, including discrimination, fraud, and identity theft.

• Absence of appropriate redress procedures or remedies.

• Decreased faith and confidence in data processing agents and actions

Recommendation for Improving Data Protection Laws and Practices

Due to the intricacies of data, data protection laws must be streamlined in that same fashion to cater to the various scenarios that may pop up. There must be provisions in the law to address when and how the laws apply to various categories of personal data, data controllers, data processors, and data subjects.

The relevant authorities may take some of the following recommendations into consideration in order to have a seamless data protection pathway:

1. Increase the collaboration and coordination between data protection authorities at all levels—national, regional, and international—to guarantee the consistent and efficient implementation of data protection laws and to make cross-border data transfers under suitable protections possible.

   
   

2. Increase the knowledge and understanding of the dangers and rewards of data use, as well as the rights and responsibilities that come with it, among data controllers, processors, and subjects. For them to adhere to data protection rules and adopt good practices, this may include offering advice, training, resources, or other tools.

   
   

3. Foster a culture of privacy by design and by default, which entails incorporating data protection principles into the creation and management of goods, services, procedures, or systems that deal with personal data. This is to guarantee that personal data is gathered, processed, and utilized in a way that is legal, fair, and transparent while respecting the choices and preferences of data subjects, it may be necessary to take technological and organizational steps.

   
   

4. Approve and implement comprehensive and standardized data protection rules that adhere to global norms and standards. A notable example is the  EU General Data Protection Regulation (GDPR) which is the primary data protection statute in the European Union (EU).

Last Words

Finally, data protection regulations are critical for ensuring users’ privacy and dignity in the digital era. They have a number of difficulties and dangers, nevertheless, which might jeopardize their reliability and legality.

Adopting a holistic and contextual approach that considers not only the legal provisions and principles but also the practical implications and consequences for all stakeholders involved in data processing activities is crucial in addressing the issue of actual data usage and the hazy pathways of data protection laws.

To guarantee that data protection laws are applied consistently and effectively across all territories and jurisdictions, it is important to follow clear and consistent data protection legal paths that represent the principles and values of data protection law.