06 August 2013

Overseas Privacy Frameworks

Two interesting articles by Graham Greenleaf -

'Indonesia's Data Protection Regulation 2012: A Brief Code with Data Breach Notification' in (2013) 122 Privacy Laws & Business International Report 24 (with Sinta Dewi) comments that
Indonesia is usually ignored in discussions of data protection, but as an Asian democracy with a population of over 250 million (exceeded only by China and India) and a fast-developing economy with 6.2% economic growth in 2012, its position is important to data privacy in Asia. Although it is the largest ASEAN state, it has moved slowly to provide comprehensive legal protection for personal information, and is now lagging behind its ASEAN neighbours, Singapore, Malaysia and the Philippines, all of which now have data protection laws covering much of their private sectors (and the public sector, in the case of the Philippines).
Although Indonesia has not yet gone down the path of comprehensive legislation, it has in late 2012 enacted a Regulation under its 2008 law on electronic transactions (previously dormant in relation to data protection but active in some areas such as cybercrime), adding more data protection elements, and a data breach notification requirement. This article analyses these new developments, and concludes that Article 15 of the Regulation, coupled with Article 26 of the 2008 law, and various other provisions in the Regulation, provides between them most of the elements of a brief data protection code, enforceable through court actions. However, there have as yet been no actions to enforce these rights, and Indonesia does not have a data protection authority or other enforcement body to do so.
The article also discusses the ongoing moves within various Ministries to develop a full data protection law, and various reasons for this in different Ministries, and the constitutional cases on telecommunications interception which have decided that there is an implied constitutional right of privacy, which may affect both the government’s obligations to enact data protection laws, and the interpretation of any laws so enacted.
'Uruguay Starts Convention 108's Global Journey with Accession: Toward a Global Privacy Treaty?' in the same journal at 20 comments that
The Council of Europe has started in Uruguay data protection Convention 108’s long march toward becoming the world’s only data privacy treaty. On 12 April 2013 it announced that Uruguay's accession to Convention 108 (and to its Additional Protocol) was complete, and will enter into force in respect of Uruguay on 1 August 2013, making it the 45th state to become a party to the convention, and the first non-European party. Morocco has also been invited to accede.
This article analyses how much we know – and still do not know – about the accession process following the Uruguay accession, and the steps taken so far in the Morocco accession. It concludes that fourteen implications can be drawn to date, while the accession process is still evolving. Some problems are inherent in the lack of a complete fit between the Convention and its Additional Protocol, and ambiguities inherent in Article 23 dealing with non-European accessions. But no obviously faulty decisions have yet been made which would lower the standards of the Convention, and thus endanger its future.