How can the legal framework provide safeguards against the misuse of data?

What are examples of laws and regulations promoting the use and reuse of data?

A central claim of the World Bank’s 2021 World Development Report on “Data for Better Lives” is that the use of data for development purposes requires a legal framework for data governance that includes both safeguards and enablers (World Bank, 2021). Safeguards generally refer to those norms and legal frameworks that ensure and promote trust in the data governance and data management ecosystem by avoiding and limiting harm arising from the misuse of data or breaches affecting their security and integrity. Enablers generally refer to those policies, laws, regulations and standards that facilitate the use, reuse and sharing of data within and between stakeholder groups through openness, interoperability and portability.

The World Bank Report also provides several recommendations for strengthening enablers, or the policies, laws, regulations and standards that facilitate the use, reuse and sharing of data. 

  • One of these is building a robust, yet flexible foundation for electronic transactions.
  • Another is making data open by default and easy to access, for example by legislating an open-by-default approach to public sector data across the whole of government. Datasets to be published should be prioritized using input from end users, and end users should not be charged for public intent data. 
  • A third recommendation is ensuring unified data classification standards, which typically entail categorizing data according to their sensitivity (such as classified, confidential or business use only). Restricted data (data that cannot be published as open data) can be shared bilaterally by agreement (such as an MoU). Alternatively, mechanisms such as data pools and data sandboxes allow data to be accessed and processed in a controlled environment.
  • A fourth recommendation is promoting open licensing regimes, which can encourage holders of data-related intellectual property rights to invest in products and markets, knowing that they can control access to licensed products and receive returns on their investments.
  • Finally, governments can incentivize the sharing of private sector data by promoting data sharing agreements and enhancing intellectual property rights.

How can we distinguish between personal and nonpersonal data?

The creation of an adequate legal framework for data protection is critical. Such a framework should clearly differentiate between personal data (data that identify, or can be used to identify, an individual) and nonpersonal data (data that contain no personally identifiable information). Examples of nonpersonal data are the number of work permits issued or the number of foreigners refused entry to the country during a specific reference period. Examples of personal data are the individual-level records of work permit applications or of persons refused entry. Current debates around data regulation hinge on whether the data in question are personal or nonpersonal, on the premise that the two should not be subject to the same regulatory scrutiny. Because nonpersonal data are less sensitive, they can for the most part be adequately protected through intellectual property rights, which allows some balancing between data protection and data reuse. 

It is important to note that the distinction between personal and nonpersonal data is becoming increasingly blurred: the widespread mixing and processing of different data sources can render nonpersonal data personally identifiable, or at least make it possible to identify specific social groups. At present, only personal data are covered by data protection laws, while anonymized personal data are treated as nonpersonal data. Given the possibility of reidentifying data subjects by linking datasets, policymakers should consider expanding the scope of data protection legislation to cover such mixed data (World Bank, 2021). It is also important to note that while data disaggregation is encouraged in line with the Sustainable Development Goals’ objective of “leaving no one behind”, disaggregation can have negative consequences for data protection if the granularity leads to the identification of small socio-demographic sub-groups: a published count of one or two persons in a cell can identify those persons as surely as an individual-level record would.
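The two risks described above, reidentification by linking datasets and disaggregation into cells too small to be safe, can be made concrete with a small worked example. The Python below is an added illustration, not code from the World Bank report or any statistical office; all records in it are constructed. It takes an "anonymized" extract of work-permit records (direct identifiers removed, but nationality, age band and district retained), links it against a second, public source that carries names with the same attributes, and then shows how a disaggregated count table is safe at district level but leaks at a finer breakdown. The field names, the minimum cell size k, and the threshold rule are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed "anonymized" extract of individual-level work-permit records.
# Names and passport numbers have been stripped; the remaining attributes are
# needed for statistics but act as quasi-identifiers when combined.
PERMIT_RECORDS = [
    {"id": 101, "nationality": "PH", "age_band": "30-39", "district": "North", "month": "2023-03"},
    {"id": 102, "nationality": "PH", "age_band": "30-39", "district": "North", "month": "2023-03"},
    {"id": 103, "nationality": "NP", "age_band": "20-29", "district": "South", "month": "2023-03"},
    {"id": 104, "nationality": "NP", "age_band": "20-29", "district": "South", "month": "2023-03"},
    {"id": 105, "nationality": "NP", "age_band": "20-29", "district": "South", "month": "2023-03"},
    {"id": 106, "nationality": "BR", "age_band": "40-49", "district": "North", "month": "2023-04"},
]

# Constructed public auxiliary source (think of a professional registry or a
# news item) that names people and carries some of the same attributes.
AUXILIARY = [
    {"name": "A. Silva", "nationality": "BR", "age_band": "40-49", "district": "North"},
    {"name": "R. Cruz", "nationality": "PH", "age_band": "30-39", "district": "North"},
]

# Assumed quasi-identifier set: attributes present in both sources.
QUASI_IDS = ("nationality", "age_band", "district")


def cell_key(rec, fields):
    """Project a record onto the chosen attributes; records sharing a key are indistinguishable."""
    return tuple(rec[f] for f in fields)


def link_records(anon, aux, fields=QUASI_IDS):
    """Return {name: permit_id} for auxiliary rows that match exactly one anonymized record.

    A unique match means the 'nonpersonal' record has become personal data:
    the name from the public source now attaches to it.
    """
    groups = defaultdict(list)
    for rec in anon:
        groups[cell_key(rec, fields)].append(rec)
    hits = {}
    for person in aux:
        matches = groups.get(cell_key(person, fields), [])
        if len(matches) == 1:
            hits[person["name"]] = matches[0]["id"]
    return hits


def small_cells(records, fields, k=3):
    """Cells of a disaggregated count table holding fewer than k units (assumed threshold k=3)."""
    counts = Counter(cell_key(r, fields) for r in records)
    return {cell: n for cell, n in counts.items() if n < k}


def publishable_table(records, fields, k=3):
    """Aggregate counts by the requested breakdown, suppressing cells below k (None = suppressed)."""
    counts = Counter(cell_key(r, fields) for r in records)
    return {cell: (n if n >= k else None) for cell, n in counts.items()}


if __name__ == "__main__":
    # Linkage: one person is uniquely reidentified, the other is hidden among two records.
    print("reidentified:", link_records(PERMIT_RECORDS, AUXILIARY))
    # Disaggregation: counts by district are safe, counts by all three attributes are not.
    print("small cells (district only):", small_cells(PERMIT_RECORDS, ("district",)))
    print("small cells (full breakdown):", small_cells(PERMIT_RECORDS, QUASI_IDS))
    print("table to publish:", publishable_table(PERMIT_RECORDS, QUASI_IDS))
```

The same rule explains both outputs: a cell holding one record is exactly what a linkage attack needs, so the minimum cell size that makes a count table publishable is also the minimum group size an individual-level record must hide in. Suppressing or merging cells below k is a release-time check, not a substitute for a legal basis to hold the underlying records.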

How can governments reinforce cybersecurity and personal data protection?

A fundamental prerequisite for trust in data systems is cybersecurity. Achieving adequate cybersecurity calls for a legal framework that obliges data controllers and processors to adopt technical and organizational measures to secure data. To date, only a small minority of low- and middle-income countries have adopted adequate legal frameworks for cybersecurity. Kenya’s Data Protection Act of 2019 stands out as a good example of comprehensive cybersecurity provisions. Leading up to the adoption of the Malabo Convention in 2014, several African Regional Economic Communities adopted regulatory instruments on privacy and cybersecurity: the ECOWAS Supplementary Act on Personal Data Protection within ECOWAS (2010); the ECOWAS Directive on Fighting Cybercrime (2011); the Common Market for Eastern and Southern Africa (COMESA) Model Cybercrime Bill (2011); and the Southern African Development Community (SADC) Model Law on Data Protection and Model Law on Computer Crime and Cybercrime (2012) (Ndemo et al., 2023). 

India’s Information Technology Act of 2000, as amended in 2008, provides that any body corporate that possesses, deals with or handles “sensitive personal data or information” must maintain reasonable security practices and procedures, and is liable to pay compensation to an affected person for negligence in doing so (Section 43A). It also provides for the punishment of anyone who intentionally or knowingly discloses personal information about a person, acquired while providing a service, without that person’s consent (Section 72A) (Indian Ministry of Law Justice and Company Affairs, 2000).

The main Brazilian law on data protection, the LGPD, was enacted in 2018 and regulates the processing of personal data in the public and private sectors. It is inspired by the EU General Data Protection Regulation (Regulation (EU) 2016/679). Although the LGPD does not set out detailed cybersecurity requirements, it designates the Brazilian Data Protection Authority (ANPD) as the entity responsible for issuing regulations on the subject. The ANPD has published guidelines on “Information Security for Small Data Processing Agents” as well as “Data Breach Notification Guidelines” (Data Guidance, 2021).

Is ‘providing consent’ sufficient for data protection?

Most data protection laws rely on individual consent as one lawful basis for collecting and using data about individuals. Current commercial practice often takes a “tick the box” approach to obtaining consent, driven more by the incentive to limit corporate liability than by a desire to ensure that consent is “informed”. Privacy notices are often long, complex documents written by companies’ legal teams, and it is unrealistic for people to read the disclosure documents of every website they visit or every app on their smartphones. In lower-income countries, where literacy challenges continue to affect a significant share of the population, reliance on “consent” as traditionally applied will remain problematic as more people go online and permit their data to be used and reused. Policymakers should therefore work towards complementing consent with more meaningful safeguards, such as a “legitimate purpose” test or a fiduciary duty requirement on those who hold the data (World Bank, 2021).