Authored By: Amaechi Kamsiyochukwu Eileen Ngoma
Afebabalola University
Introduction
In the rapidly evolving digital landscape, the intersection of technology and privacy law has become increasingly significant. The proliferation of personal data collection, storage, and processing by both public and private entities has given rise to new legal challenges and frameworks. This article examines the evolution of data privacy law, its current landscape, and the implications for individuals and organizations, referencing relevant statutes, case law, and academic commentary using the OSCOLA style.
Historical Context of Data Privacy Law
The concept of privacy has ancient roots, but legal recognition of a right to privacy emerged more tangibly in the late nineteenth century. Samuel D Warren and Louis D Brandeis’s seminal article, “The Right to Privacy,” is widely cited as the genesis of privacy law in the United States.[1] The authors argued for the protection of “the right to be let alone,” which laid the groundwork for privacy jurisprudence.[2]Over time, courts recognised privacy torts, and legislatures began enacting statutes to address emerging threats, from wiretapping to unauthorised disclosure of personal information.[3]
Modern Data Privacy Statutes
The United States
Unlike some jurisdictions, the US lacks a comprehensive federal privacy law. Instead, it relies on a sectoral approach, with statutes such as the Health Insurance Portability and Accountability Act (HIPAA)[4] and the Gramm-Leach-Bliley Act (GLBA)[5]safeguarding health and financial information, respectively. The most robust state-level law is the California Consumer Privacy Act of 2018 (CCPA),[6]later amended by the California Privacy Rights Act (CPRA). The CCPA grants California residents extensive rights regarding their personal information, including the right to know, delete, and opt out of the sale of personal data.[7]
European Union
The European Union has developed a comprehensive privacy regime, most notably through the General Data Protection Regulation (GDPR), which became effective in May 2018.[8] The GDPR applies to any entity processing the personal data of EU residents, regardless of where the entity is located.[9] Key features include requirements for lawful processing, data minimisation, purpose limitation, transparency, data subject rights, and substantial penalties for non-compliance.[10]
Global Developments
Other jurisdictions have enacted their own data protection laws, influenced by both the US sectoral model and the EU’s comprehensive approach.[11] Examples include Brazil’s Lei Geral de Proteção de Dados (LGPD)[12] and the Personal Data Protection Act (PDPA) of Singapore.[13]These developments underscore a global trend toward greater regulation and harmonisation.
Judicial Interpretation and Enforcement
- Landmark Cases
Courts have played a pivotal role in shaping the contours of privacy law. In Katz v United States,[14] the Supreme Court held that the Fourth Amendment protects people, not places, establishing the “reasonable expectation of privacy” test. More recently, Carpenter v United States extended this protection to cell phone location data, requiring law enforcement to obtain a warrant for such information.[15]
- Regulatory Enforcement
Regulatory bodies have vigorously enforced data privacy laws, imposing significant fines on violators. For instance, in 2021 the Luxembourg National Commission for Data Protection fined Amazon €746 million for alleged GDPR violations.[16] US regulatory agencies, such as the Federal Trade Commission (FTC), have also brought actions against companies for unfair or deceptive practices regarding consumer privacy.[17]
- The Challenges of Emerging Technologies
The expansion of artificial intelligence (AI), the Internet of Things (IoT), and big data analytics present new challenges for data privacy law. AI systems often require large datasets, raising concerns about transparency, bias, and informed consent.[18] IoT devices collect vast amounts of personal data, often without meaningful user awareness or consent.[19] Legal frameworks are struggling to keep pace with these innovations, prompting calls for new legislation and regulatory approaches.[20]
Data Privacy and Individual Rights
Consent and Control
Central to modern privacy law is the principle of consent. Under the GDPR, consent must be “freely given, specific, informed and unambiguous.”[21] The CCPA similarly requires businesses to provide notice and obtain affirmative authorisation before selling personal data.[22] However, critics argue that “privacy notices” are often obtuse and that users face “consent fatigue,” undermining the meaningful exercise of rights.[23]
The Right to Be Forgotten
A significant innovation under the GDPR is the right to erasure, or “right to be forgotten.”[24]This right allows individuals to request the deletion of their personal data under certain conditions. US law does not recognise a comparable right, though some state laws offer limited deletion rights.[25]
The Future of Data Privacy Law
Looking ahead, it is clear that data privacy law will continue to evolve. In the US, proposals such as the American Data Privacy and Protection Act (ADPPA)[26] signal a possible move toward a comprehensive federal privacy framework. Internationally, efforts to harmonise legal standards will be crucial, particularly as cross-border data flows become more prevalent.
The rise of biometric data, facial recognition technologies, and predictive analytics will further test the boundaries of privacy rights and regulatory regimes. Policymakers, courts, and stakeholders must balance the benefits of technological innovation with the imperative to safeguard individual autonomy and dignity.[27]
Conclusion
Data privacy law stands at a critical juncture: it must meet the challenges of technological progress while upholding fundamental rights. As digital ecosystems expand, legal frameworks must adapt through legislation, regulation, and judicial interpretation to ensure that privacy remains a protected and enforceable value in the information age.
Reference(S)
[1] Samuel D Warren and Louis D Brandeis, “The Right to Privacy” (1890) 4 Harvard Law Review 193.
[2] ibid 195.
[3] E Bloustein, “Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser” (1964) 39 NYULR 962.
[4] Health Insurance Portability and Accountability Act of 1996, Pub L No 104-191, 110 Stat 1936.
[5] Gramm-Leach-Bliley Act of 1999, Pub L No 106-102, 113 Stat 1338.
[6] California Consumer Privacy Act 2018 (Cal Civ Code §§ 1798.100 et seq).
[7] CCPA § 1798.120 (as amended by the California Privacy Rights Act 2020, Proposition 24).
[8] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1.
[9] GDPR, art 3.
[10] GDPR, arts 5–6, 12–23, 83.
[11]Graham Greenleaf, “Global Data Privacy Laws 2023: Despite Progress, Still a Patchwork” (2023) 173 Privacy Laws & Business International Report.
[12] Lei Geral de Proteção de Dados Pessoais (Law No. 13,709/2018).
[13] Personal Data Protection Act 2012.
[14] Katz v United States 389 US 347 (1967).
[15] Carpenter v United States 138 S Ct 2206 (2018).
[16] CNPD, Decision on Amazon Europe Core S.à.r.l., (Luxembourg National Commission for Data Protection, 2021).
[17] Federal Trade Commission v Facebook, Inc., Case No. 19-cv-2184 (DC Cir 2019); see FTC, “Privacy and Security Enforcement” (FTC, 2022).
[18] Lilian Edwards, “Artificial Intelligence and Privacy” in R Brownsword et al (eds), The Oxford Handbook of Law, Regulation and Technology (OUP 2017).
[19] Paul De Hert and others, “The Internet of Things and Privacy: The Case for Transparency and User Control” (2018) 34 Computer Law & Security Review 72.
[20] Woodrow Hartzog, “The Public Information Fallacy” (2020) 99 Boston University Law Review 459.
[21] GDPR, art 4(11).
[22]CCPA § 1798.120(c).
[23] Solove, Daniel J, “Privacy Self-Management and the Consent Dilemma” (2013) 126 Harvard Law Review 1880.
[24] GDPR, art 17.
[25] California Civil Code § 1798.105.
[26] American Data Privacy and Protection Act, HR 8152, 117th Cong (2022).
[27] Lee Bygrave, “Data Protection Law: Approaching Its Rationale, Logic and Limits” (OUP 2014) 305.
