(a) Personal Data
Due to the sensitivity of information involved in communications activities, most telecommunications legislation contains provisions regarding the privacy and confidentiality of user information. However, the ICT environment has greatly facilitated the global transmission of personal information, and it has become much easier to collect and share private information through the Internet. As a result, many countries have enacted data protection legislation to protect individuals’ privacy rights by restricting the manner in which personal information is used in the private and public sectors.1 Some countries, such as Australia, have also undertaken efforts to harmonize privacy provisions in telecommunications legislation and in other related legislation to ensure a consistent standard of privacy protection. In 2005, the Australian Privacy Commissioner conducted a review of the Privacy Act in light of the developments in private sector industries, and issued recommendations to improve the private sector provisions in the Privacy Act.2 With regard to telecommunications, the Office of the Privacy Commissioner (OPC) recommended that the Telecommunications Act and the Privacy Act be amended to provide consistency and to clarify what constitutes authorized uses and disclosures under each Act, and to ensure that the Privacy Act cannot be used to lower the standard of privacy protection provided by the Telecommunications Act.
In the EU’s Data Protection Directive3 and Privacy Directive,4 privacy in the processing of personal data and the confidentiality of communications are recognized as fundamental rights that should be protected. The Privacy Directive requires member states to harmonize and ensure an equivalent level of protection of the right to privacy with respect to personal data in the electronic communication sector.5 Pursuant to this, the Data Protection Directive prohibits the transfer of personal information to any country that does not have adequate privacy laws.6 As a result, EU member states have implemented legislation that prohibits the transfer of personal information from the EU to third countries unless such countries have adequate privacy protection in their laws.
To date, a majority of countries around the world have enacted laws relating to data protection (See Figure 4-C). Often, the protection of personal data is not encompassed in a single law but is covered by a variety of laws depending on the type of information that is being protected. In the United States, for example, legislation has passed regarding medical records (The Standards for Privacy of Individually Identifiable Health Information, or “HIPAA Privacy Rule”),7 credit reports (Fair Credit Reporting Act),8 and immigration and citizenship information (USA Patriot Act).9 Similarly, in Argentina, the protection of personal data is regulated by different legal instruments, namely the Argentine Constitution, the Personal Data Protection Act, Decree No. 1558, and the Data Retention Law, Law No. 25.873, which was incorporated into the Telecommunications Law. In New Zealand, data protection legislation is contained in a number of laws, including the Telecommunications Information Privacy Code 200310 and the Privacy Act 1993.11
Figure 4-C: Data Protection Laws Worldwide
Source: Privacy International, Global Map of Data Protection.12
(b) Data Retention
Another factor that has shaped the policy on the use of communications data with regards to privacy of information is the concern with national security after the events of September 11th, 2001, in the United States, and the recent terrorist attacks in Spain and in England. One example of the current debate surrounding the use of communications data for national security purposes is the initiative on data retention rules. Some laws, such as the EU Data Retention Directive13, require communications service providers to retain all data created by their users for a prescribed period of time, while other countries, such as the United States, require communications service providers to store specific sub-sets of data for a more limited amount of time for specific purposes. The issue of data retention is hotly opposed by operators and service providers because of the resources required to comply. In Argentina, the Data Retention Law was promulgated in February 2004 and mandated a 10 year data retention period.14 However, due to opposition by ISPs, who would bear the burden and costs of retaining the data, and civil liberties groups regarding the long retention period, the government suspended the application of the law in 2005.15
ENDNOTES
1 Christopher Millar, Communications Privacy, in Telecommunications Law and Regulation, (Jan Walden and John Angel eds., 2005), at 381.
2 See the Privacy Commissioner’s report into the operation of the private sector provisions of the Privacy Act 1988. Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, March 2005, available at http://www.privacy.gov.au/act/review/revreport.pdf.
3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Data Protection Directive).
4 Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications).
5 Id., Article 1.
6 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Data Protection Directive), Chapter IV.
7 45 C.F.R. Parts 160 and 164, 14 August 2002.
8 Fair Credit Reporting Act, Pub. L. No. 91-508 (1970), amended by PL 104-208 (1996).
9 H.R. 3162, Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act of 2001), Pub. L. No. 107-56.
10 Telecommunications Information Privacy Code 2003, 2 May 2003.
11 Privacy Act 1993, Law No. 28, 17 May 1993.
12 See http://www.privacyinternational.org/survey/dpmap.jpg.
13 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (EU Data Retention Directive), available at http://www.ispai.ie/DR%20as%20published%20OJ%2013-04-06.pdf.
14 Argentina Data Retention Law 2004, Law No. 25.873, 6 February 2004.
15 Decree 357/2005 suspending Law No. 25.873, 22 April 2005.