Most countries have adopted different models reflecting the varying degree of approaches to the protection of individuals with regard to the processing of personal data, the circulation and exchange of such data, and the individual's privacy. Depending on the data's origin or the legal status of the data subject (e.g. citizen, resident or foreigner) or the scope of application of regulation, a model can (or not) apply to an organization.
The current models in the personal data protection (or data privacy, based on the English common law, such as Australian and New Zealand regimens) are:
- Comprehensive model
- Co-regulatory model
- Sectoral model
- Self-regulatory model
Comprehensive model
The comprehensive model is based on an omnibus approach that provides an overarching statute to protect personal data, irrespective of the sector, industry or type of data, and with a data protection authority (or commissioner or ombudsman) to monitor and enforce the application of the regulation. The best examples for this approach are the EU and Latin American countries.
The co-regulatory model combines both legislation and self-regulatory instruments in support of the regulation. It means that government and industry share responsibility for drafting and enforcing regulation. The best examples for this approach are Canada and Australia.
Sectoral model
The sectoral model is based on an approach that aims to set data protection or data privacy rules applicable to specific issues, taking account the features of each industry (e.g. financial or health services, credit reports, etc.) or the type of data collected. The different regulatory agencies are responsible for the implementation and enforcement of regulations within its sector, for instance, the Consumer Financial Protection Bureau or the U.S. Department of Health and Human Services. The best example for this approach is the U.S.
Self-regulatory model
The self-regulatory model is a binding system by which participating organizations feel compelled to comply with guidelines or codes of practice set by third parties, such as the Singapore Code of Advertising Practice or the Children’s Advertising Review Unit guidelines. This model is non-legislative. However, its compliance is compulsory. In addition, the self-regulatory model is administered and monitored by non-governmental associations or bodies representing categories of organizations.
Practically speaking, there are common traits of all models in the protection of the fundamental right to privacy and personal data. Similarities include to comply with fair information principles, offer legal remedies to individuals to ensure their rights, define parameters for the processing of personal data, require organizations to post notices specifying the categories of personal information collected, categories of information sharing partners, and the effective date of the policy.
Nevertheless, in many contexts, the models have created a tension in practice for data controllers and data processors operating around the world. For instance, a health company doing business in the U.S. and the EU has to comply with both the obligations under the Health Insurance Portability and Accountability Act and the General Data Protection Regulation.
In another example, usually opt-out is used to request for consent to process personal data in the U.S., while opt-in is the regime that is used under European and Canadian data protection rules.
The divergence between the different models creates legal uncertainty not only for data controllers or data processors but also for individuals, who are subjects to diverse guarantees for the protection of their data from one country to another, in particular when the data navigates in more than one online environment around the world.
There's not a mechanism of harmonization today. Nor an agreement on a baseline data protection and data privacy law to ensure the basic rights to which all individuals are considered entitled. Therefore, the alienation of all data protection models on a hybrid approach would allow for spaces of convergence and commonalities between comprehensive laws, sectoral regulations and codes of practices into a global context of data protection and data privacy.
Several reasons support the argument to adopt a hybrid model in the protection of personal data and data privacy, which include, but are not limited to:
- Finding consensus and dialogue between governments worldwide, authorities, industries, data controllers, data processors and individuals.
- Providing interoperability amongst regulations applicable to personal data and data privacy, avoiding overlapping and contradictory protections.
- Allowing for coordinated efforts to identify solutions to matters of common concern.
- Establishing a basic framework of definitions, principles, responsibilities, rights, dispute-resolution mechanisms, liability and penalties, if necessary. This would also include the concept of an adequate level of protection for personal data to transfer data under the accountability principle.
- Ensuring a coherent set of requirements with regard to the consent, the use of personal data of children and sensitive data, the rights of individuals, security breach response and notification, the data protection officer (or chief privacy officer), and in some cases specific security and technology measures, e.g. encryption methods.
- Simplifying some responsibilities for data controllers and data processors to allow them to implement regulations and policies according to their features, but ensuring a level of protection of individuals.
- Compressing in one toolbox a broad range of instruments that supplement the framework, such as codes of conduct or best practices, personal data (or data privacy) impact assessments, personal data breach impact assessments, data protection standards, along with data protection by design and by default, certifications, seals and trust-marks, among others.
- Providing safeguards for the transfer of personal data to third countries or international organizations under the accountability principle, without prejudice to any intervention of the authority in accordance with its tasks and powers to determine the level of protection provided by both the exporter and importer of such data.
- Allowing a personal data-breach management under a standardized and uniform manner, particularly when the event affects individuals located in different countries (see Uber, Equifax, Yahoo cases).
- The monitoring of compliance of framework to be carried out by industry associations or trade bodies representing groups of data controllers and data processors, with an appropriate level of knowledge in: data privacy and data protection regulations, the processing of personal data, dispute-resolution mechanisms and the features of the business of its members.
- Establishing an association or body that handles individual complaints about infringements of minor breach of the framework’s provisions. This would ensure that the authorities are able to focus their resources on breaches that present risks or high risks to the rights and freedoms of individuals.
- Allowing that an individual may, after receiving a decision taken by a leading association or body, apply to the authority for an investigation in respect of any matter in respect of which the complaint was made, or that is referred to in the decision.
- Reusing the expertise gained and compliance programs implemented by the data controller or data processors in other regions.
- Reducing costs and administrative burdens caused by having to comply with different regimes and deal with different authorities.
- Flexibility and adaptability to accompany the introduction of new technologies.
Consequently, a hybrid model is a necessity for organizations, data protection officers and individuals nowadays. Nonetheless, it is important to stress that the adoption of this model clearly depends largely on the political will of governments, in particular the U.S. and the EU. This is perhaps not surprising given the influence of the European model and American model in the thinking about establishing data protection and privacy regimens in the world, especially because Europe is currently exporting its model to its trade partners, with other data protection or data privacy approaches.
photo credit: harry_nl Düsseldorf: Yvel Toyota via photopin