
Global Internet Policy Initiative

A Joint Project of the Center for Democracy & Technology & Internews
For more up to date information, please visit the CDT website.






The International Legal Framework for Data Protection and Its Transposition to Developing and Transitional Countries (Dec. 2004) - Short paper summarizing the major international documents on data protection, with general observations for their transposition to developing and transitional countries.

Privacy protection is a critical element of consumer and user trust in the online environment and a necessary condition for the development of electronic commerce. Three international organizations have developed guidelines or rules that set forth basic consumer privacy protections:

Organisation for Economic Co-operation and Development -- Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Privacy Guidelines) (1980)

Council of Europe -- Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (1981)
Articles 4 - 10 set out the basic principles for data protection.

European Union -- Data Protection Directive (1995)
Articles 5 - 17 spell out in somewhat more detail the basic privacy principles.

Privacy and E-Government (May 2003) - report by CDT to the United Nations Department of Economic and Social Affairs as background for the World Public Sector Report on E-Government. Surveys privacy trends internationally with a focus on data in the hands of government. Describes "best practices," including privacy officers, privacy impact assessments, privacy enhancing technologies and privacy audits.

Privacy Overview

There are two aspects to the concept of privacy:

  1. Consumer privacy - the right of individuals to control information about themselves generated or collected in the course of a commercial interaction. Referred to in Europe as "data protection."
  2. Privacy rights of the individual against the government - the individual's protection against unreasonable government intrusions on privacy, such as searches of the home or interceptions of communications.

Internet law needs to address both sets of issues.

Consumer Privacy

Consumer privacy protection in the US and Europe, as well as under the guidelines of the OECD, is based on the following principles:

  1. Notice and Consent - before the collection of data, the data subject should be provided notice of what information is being collected and for what purpose, and an opportunity to choose whether to accept the data collection and use.

    In Europe, data collection cannot proceed unless the data subject has unambiguously given his consent (with exceptions).

  2. Collection Limitation - data should be collected for specified, explicit and legitimate purposes. The data collected should be adequate, relevant and not excessive in relation to the purposes for which they are collected.
  3. Use/Disclosure Limitation - data should be used only for the purpose for which it was collected and should not be used or disclosed in any way incompatible with those purposes.
  4. Retention Limitation - data should be kept in a form that permits identification of the data subject no longer than is necessary for the purposes for which the data were collected.
  5. Accuracy - the party collecting and storing data is obligated to ensure its accuracy and, where necessary, keep it up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete are corrected or deleted.
  6. Access - a data subject should have access to data about himself, in order to verify its accuracy and to determine how it is being used.
  7. Security - those holding data about others must take steps to protect its confidentiality.

Privacy Protection Against The Government

The right to privacy is internationally recognized as a human right. However, most governments claim the authority to invade privacy through the following means:

These means of access to communications and stored data must be narrowly defined and subject to independent controls under strict standards. Real-time interception of communications should take place only with prior approval by a judge, issued under standards at least as strict as those for police searches of private homes.


Copyright © 2001-2005