India’s Digital Personal Data Protection Bill passed: “it’s a bad law”

Data protection: why it matters and how to protect it

Leer la versión en español.

Updated in January 2022

Have you ever filed taxes or made a phone call? Do you own a smartphone? Have you ever used the internet? Do you have a social media account or wear a fitness tracker?

If you answered yes to any of these questions, you have been sharing your personal information, either online or off, with private or public entities — including some that you may never have heard of.

Sharing data may bring benefits, and it has often also become necessary for us to do everyday tasks and engage with other people in today’s society. But it is not without risks. Your personal data reveals a lot about you, your thoughts, and your life. These data can easily be exploited to harm you, and that’s especially dangerous for vulnerable individuals and communities, such as journalists, activists, human rights defenders, and members of oppressed and marginalized groups. That is why these data must be strictly protected.

In the European Union, data protection is a fundamental right, and the General Data Protection Regulation (GDPR) is the framework for protecting that right. It is not without flaws, but it represents a very positive framework for users, enabling Europeans to take back control of their personal information. Even as the law’s enforcement is proving challenging, other countries are looking to the GDPR as they develop or implement their own laws to protect data.

Access Now has been deeply involved in the process of crafting the GDPR, and we have developed a policy guide, built on that experience, to assist those seeking to develop comprehensive data protection frameworks meet their obligations under international human rights law. Creating a Data Protection Framework: A Do’s and Don’ts Guide for Lawmakers shares lessons from the process and outcome of the GDPR negotiations, as well as flagging issues for the implementation of a data protection framework.

Following is information on the meaning and purpose of data protection, and why we need laws to protect it.

What is data protection?

Personal data is any information relating to you, whether it relates to your private, professional, or public life. In the online environment, where vast amounts of personal data are shared and transferred around the globe instantaneously, it is increasingly difficult for people to maintain control of their personal information. This is where data protection comes in.

Data protection refers to the practices, safeguards, and binding rules put in place to protect your personal information and ensure that you remain in control of it. In short, you should be able to decide whether or not you want to share some information, who has access to it, for how long, for what reason, and be able to modify some of this information, and more.

Governments also have a security interest in ensuring the protection of personal data. In 2015, criminals stole 21.5 million records from the US Office of Personnel Management that contained the highly sensitive personal data of federal employees and their family members. This type of attack is happening more frequently across the globe, and countries must take action to better protect individuals’ information.

Why do we need data protection laws?

There are two main reasons that governments should pursue comprehensive data protection frameworks:

  • Laws need to be updated to address today’s reality. Ever since the internet was created, people have been sharing more and more of their personal information online. In many countries, privacy rules exist and remain important to help protect people’s information and human rights, but they are not adapted to suit the challenges of today’s connected world.
  • Corporate co- and self-regulation is not working to protect our data. Around the world, companies and other entities that collect people’s data have long advocated for regulation of privacy and data protection not through binding frameworks but rather through self- or co-regulation mechanisms that offer them greater flexibility. However, despite several attempts, we have yet to see examples of non-binding regimes that are positive for users’ rights (or, indeed, for business as a whole).

If you are a lawmaker or a citizen contributing to domestic discourse on data protection, please have a look at our guidelines to make sure you are equipped with the right tools for the creation of a positive framework protecting users’ data and information.

Together, we can build strong and concrete safeguards for the right to protection of personal data.