Abstract
The proliferation of ICTs and computational power in processing personal information has long been documented to expose individuals to risks of privacy violations and other fundamental rights abuses. This prompted calls, about five decades ago, for the development of legal regimes laying specific rules to follow when processing personal information, especially with the use of ICTs, in order to protect fundamental individual rights. Deliberations in this direction were undertaken at the OECD, and led to the adoption of the OECD Guidelines of Privacy Protection in September 1980 (revised in July 2013), which listed eight principles of data processing on which national and supranational regimes were expected to build personal data processing laws.
This paper attempts a comparative review on how these principles are consolidated in relevant European and African legislation: that is, between the EU’s GDPR on the one hand and the Ghana and Kenyan data protection instruments on the other. Being a more advanced legal regime in terms of data protection, the GDPR serves here as a measuring rod to examine how the basic OECD Principles are reflected in the personal data processing rights and obligations provided in the Ghana Data Protection Act of 2012 and the Kenyan Data Protection Act of 2019. The paper concludes with a general note that while the Kenyan legislation appears mostly copied from and consolidates OECD data protection principles more or less exactly like the GDPR, the Ghanaian Act offers comparatively less rigorous protection in some areas.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The Organisation for Economic Co-operation and Development is an intergovernmental economic organisation with 36 member countries, founded in 1961 to stimulate economic progress and world trade. See www.oecd.org. Accessed 14/9/2019.
- 2.
Article 1(b), OECD Revised Guidelines 2013.
- 3.
Economic Community of West African States (ECOWAS) Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS.
- 4.
African Union Convention on Cyber security and Data Protection, 2014.
- 5.
See the Working Party for Information Security and Privacy (WPISP). 2011. The evolving privacy landscape: 30 years after the OECD Privacy Guidelines. Directorate for Science, Technology and Industry—Committee for Information, Computer and Communications Policy, DSTI/ICCP/REG(2010)6/FINAL,6.4.2011. DSTI/ICCP/REG(2010)6/FINAL. P.12.
- 6.
Recommendations of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (23 September 1980).
- 7.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L281, 23/11/1995, 0031–0050. Retrieved from https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A31995L0046. Accessed 25th February 2020.
- 8.
Communication From The Commission To The European Parliament, The Council, The European Economic And Social Committee And The Committee Of The Regions Safeguarding Privacy in a Connected World A European Data Protection Framework for The 21st Century COM/2012/09 Final (2012). Retrieved from https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A52012DC0009. Accessed 25th February 2020.
- 9.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058. Accessed 25th February 2020.
- 10.
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L0680. Accessed 25th February 2020.
- 11.
Ghana Data Protection Act 2012.
- 12.
‘Legitimate interest’ could exist when there is a relevant relationship between the data controller and data subject, like where the data subject is a client or is at the service of the data controller (Recital 47 GDPR).
- 13.
This principle founded the decision of the Ninth Circuit Court of Appeal in the famous US case of Spokeo v. Robbins, 867 F. 3d 1108 - Court of Appeals, 9th Circuit 2017. The Court found that Mr Robbins had grounds to sue an employment placement company for having, on his profile, and for not taking the necessary steps to update inaccurate information about his marital and employment status, age and educational background, which could have been the reason why he could not find a job through that company.
- 14.
Ideally, a data protection supervisory authority is an independent public authority in charge of overseeing compliance with data protection principles in a given jurisdiction. The GDPR’s Article 51 requires each EU Member state to create at least one within each territory. In Ghana, the role is fulfilled by the Data Protection Commission, created by Article 1 of the Data Protection Act. In Kenya, the 2019 Data Protection Act 2019 establishes the Office of the Data Protection Commissioner in its Article 5.
- 15.
See Paragraph 99 of the ECJ’s decision in Google Spain SL, Google Inc v Agencia Española de Protección de Datos and Mario Costeja González [2014] ECLI:EU:C:2014:317.
- 16.
European Commission, Commission Staff Working Paper SEC (2012) 72 final. Impact Assessment Accompanying the General Data Protection Regulation (2012), p. 100.
- 17.
A personal data breach is defined by Article 4(12) of the GDPR as a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
- 18.
Article 2 of the Kenyan Data Protection Act adopts exactly the same definition of a personal data breach as Article 4(12) of the GDPR.
References
Solove, D.: The new vulnerability: data security and personal information. In: Chander, A., Gelman, L., Radin, M.J. (eds.) Securing Privacy in the Internet Age. Stanford University Press (2008)
Xavier, C., Bosua, R., Maynard, S.B., Ahmad, A.: The Internet of Things (IoT) and its impact on individual privacy: an Australian perspective. Comput. Law Secur. Rev. 32(1), 4–15 (2016)
González Fuster, G.: The emergence of personal data protection as a fundamental right of the EU. LGTS, vol. 16. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-05023-2
Nam, T.: What determines the acceptance of government surveillance? Examining the influence of information privacy correlates. Soc. Sci. J. 56, 530–544 (2018)
Lynskey, O.: The Foundations of EU Data Protection Law. Oxford University Press, Oxford (2015)
Bennett, C.J.: Regulating Privacy: Data Protection and Public Policy in Europe and the United States. Cornell University Press, New York (1992)
Hustinx, P.: EU data protection law: the Review of Directive 95/46/EC and the proposed General Data Protection Regulation. Collected courses of the European University Institute’s Academy of European Law, 24th Session on European Union Law, pp. 1–12 (2013)
Greenleaf, G.: Global data privacy laws 2017: 120 national data privacy laws, including Indonesia and Turkey. Privacy Laws & Business International Report, 10-13, UNSW Law Research Paper No. 45. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2993035. Accessed 11 Oct 2019
Bignami, F.: The case for tolerant constitutional patriotism: the right to privacy before the european courts. Cornell Int. Law. J. 41, 211 (2008)
De Hert, P., Gutwirth, S.: Data protection in the case law of Strasbourg and Luxemburg: constitutionalisation in action. In: Gutwirth, S., Poullet, Y., De Hert, P., de Terwangne, C., Nouwt, S. (eds.) Reinventing Data Protection?. Springer, Dordrecht (2009). https://doi.org/10.1007/978-1-4020-9498-9_1
Solove, D.: The Digital Person: Technology and Privacy in the Information Age, vol. 1. NyU Press, New York (2004)
Arzt, C.: Data protection versus Fourth Amendment privacy: a new approach towards police search and seizure. Crim. Law Forum 16(3), 183–230 (2005). https://doi.org/10.1007/s10609-005-4143-9
Solove, D.: Why I Love the GDPR: 10 Reasons. https://teachprivacy.com/why-i-love-thegdpr/. Accessed 11 Oct 2019
Dagbanja, D.N.: The right to privacy and data protection in Ghana. In: Makulilo, A.B. (ed.) African Data Privacy Laws. LGTS, vol. 33, pp. 229–248. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-47317-8_10
Omane Boamah, E.K.: Minister for Communications at The Launch Of The Data Protection Commission On 18th November 2014 at The International Conference Centre (Data Protection Commission). https://dataprotection.org.gh/resources/downloads/conference/10-final-speech-of-the-hon-minister-of-communications-at-the-launch-of-the-data-protection-act/file. Accessed 11 Oct 2019
Agyei-Bekoe, E.: Empirical Investigation of the Role of Privacy and Data Protection in the Implementation of Electronic Government in Ghana. A Doctoral Thesis Submitted in Partial Fulfilment of the Award of Doctor of Philosophy Faculty of Technology, Centre for Computing and Social Responsibility De Montfort University, September 2013
Makulilo, A.B., Boshe, P.: Data protection in Kenya. In: Makulilo, A.B. (ed.) African Data Privacy Laws. LGTS, vol. 33, pp. 317–335. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-47317-8_15
Pangrazio, L., Selwyn, N.: Personal data literacies’: a critical literacies approach to enhancing understandings of personal digital data. New Media Soc. 21(2), 419–437 (2019)
Fuster, G.G.: Inaccuracy as a privacy-enhancing tool. Ethics Inf. Technol. 12(1), 87–95 (2010)
Wachter, S., Brent M.: A right to reasonable inferences: re-thinking data protection law in the age of big data and AI. Columbia Business Law Review (2019)
De Hert, P., Papakonstantinou, V., Wright, D., Gutwirth S.: The proposed Regulation and the construction of a principles-driven system for individual data protection. Innovation: Euro. J. Soc. Sci. Res. 26(1–2), 133–144 (2013)
Coudert, F.: Towards a new generation of CCTV networks: erosion of data protection safeguards?. Comput. Law Secur. Rev. 25(2), 145–154 (2009)
Stevens, G.M.: Data security breach notification laws. CRS Report for Congress (2012). http://dev.journalistsresource.org/wp-content/uploads/2012/04/R42475.pdf. Accessed 13 10 2019
Makulilo, Alex B.: “One size fits all”: does Europe impose its data protection regime on Africa? Datenschutz und Datensicherheit-DuD 37(7), 447–451 (2013)
Acknowledgments
This research is funded by the Erasmus Mundus program LAST-JD (Joint International Ph.D. in Law, Science and Technology) coordinated by the University of Bologna.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Alunge, R. (2020). Consolidating the Right to Data Protection in the Information Age: A Comparative Appraisal of the Adoption of the OECD (Revised) Guidelines into the EU GDPR, the Ghanaian Data Protection Act 2012 and the Kenyan Data Protection Act 2019. In: Thorn, J., Gueye, A., Hejnowicz, A. (eds) Innovations and Interdisciplinary Solutions for Underserved Areas. InterSol 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 321. Springer, Cham. https://doi.org/10.1007/978-3-030-51051-0_14
Download citation
DOI: https://doi.org/10.1007/978-3-030-51051-0_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-51050-3
Online ISBN: 978-3-030-51051-0
eBook Packages: Computer ScienceComputer Science (R0)