The trouble with Harry, in Alfred Hitchcock’s 1955 movie, is that he’s dead, and everyone seems to have a different idea of what needs to be done with his body. The trouble with European data protection law is the same. In several crucial respects, data protection law is currently a dead letter. The current legal reform will fail to revive it, since its three main objectives are based on fallacies. The first fallacy is the delusion that data protection law can give individuals control over their data, which it cannot. The second is the misconception that the reform simplifies the law, while in fact it makes compliance even more complex. The third is the assumption that data protection law should be comprehensive, which stretches data protection to the point of breaking and makes it meaningless law in the books. Unless data protection reform starts looking in other directions — going back to basics, playing other regulatory tunes on different instruments in other legal areas, and revitalising the spirit of data protection by stimulating best practices — data protection will remain dead. Or, worse perhaps, a zombie.'APEC's CBPRs in Operation for Two Years: Low Take-Up, and Credibility Issues' by Graham Greenleaf in (2014) 129 Privacy Laws & Business International Report 12 argues
APEC’s Cross-Border Privacy Rules system (CBPRs), like any other form of regulation, cannot simply be assumed to be credible and effective. In addition to its professed standards (considered in the previous article, G Greenleaf (2014) 128 PLBIR, 27-30), its operation in practice must be examined to determine whether it credibly upholds and enforces those standards. APEC’s Cross-Border Privacy Rules system (CBPRs) is not yet in full operation, but the initial operation of any institution is often a major determinant of its future path. The first two years of APEC CBPRs operation is examined in this article and found wanting.
This article shows that the APEC CBPRs processes, despite the conscientious efforts to improve them by representatives from some economies, are lacking in significant respects. The Final Reports by the APEC CBPRs Joint Operations Panel (JOP) lack sufficient independent assessment by JOP of whether an economy’s implementation of its laws will in substance deliver what is required by the APEC CBPRs requirements. The first JOP processes to appoint an AA were flawed, to an extent which should not have been acceptable to APEC member economies. Partly as a result, the first year’s operation of the only existing AA (US company, TRUSTe) has been carried out in a way which is not compliant with CBPRs requirements. This means that the renewal of that AA’s recognition is a major credibility test for JOP.'Greenleaf's 'India's Draft the Right to Privacy Bill 2014 – Will Modi's BJP Enact it?' in (2014) 129 Privacy Laws & Business International Report 21 comments
From 2011-13 there there were three significant proposals for a comprehensive data privacy law in India but none gained the endorsement of the previous government. The overwhelming victory in India’s May 2014 national elections of the Bharatiya Janata Party (BJP) may end the log-jam of legislative inactivity that characterised the last few years of the previous Congress-led government.
In February 2014 the previous Bills were joined by the draft The Right to Privacy Bill 2014, a redraft of its 2011 draft Bill by the Committee of Secretaries (CoS), the heads of seven of India’s most powerful Ministries and Departments. This draft Bill represents the current thinking of India’s bureaucracy, and the election of a new government capable of enacting legislation makes it timely to review its main provisions.
This article argues that, for residents of India (but not persons overseas), this Bill would, if enacted, provide significant protections of international standards, if they were enforced. That is a significant ‘if’, because the enforcement mechanisms in the current ‘Rules’, particularly the Cyber-Appellate Tribunal (CAT) which this Bill also relies upon, have not functioned for three years. India has no track record whatsoever of enforcing data privacy laws. It would be up to the proposed data protection authority (DPA) to change that before The Right to Privacy Act would be credible. This brief assessment is not a detailed critical appraisal of the Bill, which would no doubt reveal many points of detail on which it could be improved, but the overall structure of the Bill is sound in theory, and compares well with most data privacy laws in Asia.
A related issue is that the BJP did not have any specific election policy in relation to India’s universal ID numbering system (UID), and so is not committed to scrapping it. BJP Ministers have floated a possible merger of the National Population Register (NPR) being developed by the Registrar General of India (RGI) and the UID. Expanded use of personal identifiers such as the UID are one reason the Notes to the draft 2014 Bill say ‘a need has been felt’ for data privacy legislation. It remains a strong possibility that these two issues will be dealt with together.