Personal data protection: legal framework review of the United Nations, European Union and DR Congo

Gaby KABUE 
Managing Partner

 

Abstract

Personal data protection is at the heart of contemporary, economic, political and legal issues and debates. It is the subject of numerous discussions which mobilize a great diversity of institutional and private actors, as well as civil society.1 Indeed, thanks to the exponential development of the Internet and new technologies, every minute data floats in cyberspace, from the sanctuary of mankind, where more than 5 billion smartphones 2 in circulation today, and several items connected. Every single day, Google processes more than 24 petabytes of data, or 24 million billion bytes.3 The collection and processing of personal data is now part of daily life for consumers, as it has become a major commercial and economic issue for professionals. However there are several abuses and  failures.Various cyber attacks endanger the data of millions of users and undoubtedly tarnish the reputation of companies.5 Faced with this issue, all countries around the world are adapting to the challenge of data protection6 through the adoption of specific legislation.  At European level, the General Data Protection Regulation (GDPR) represents the most advanced legal data protection system in the world.7 The United States has federal legislation aiming the  personal data protection on certain areas.8    In addition, California voted in June 2018 its own law called “Consumer Privacy Act”.9   At the African level, only 25 out of 54 countries on the continent have personal data protection laws, and only 9 of them have data protection authorities.10   In the Democratic Republic of Congo, the review of the existing legal texts reveals the lack of a specific legislation on personal data protection. Watching the legislative progress recorded in this field by other countries around the world, it is important to draw up a legal framework  review of the United Nations, European Union and DR Congo on the personal data protection.

Keywords: Internet, personal data, privacy,  draft law, GDPR, telecommunications.

 

 

 

I. Legal regime for personal data protection

The right to the personal data protection is closely linked to the right to respect for private life. Both aim to protect similar values, namely the autonomy and human dignity of individuals, by granting them a private life sphere in which they can freely develop their personality, think and form opinions.11     In addition, information likely to be considered as invading « private life » may also fall under the status of « personal data. »12      Both constitute a fundamental human right. Indeed, the protection of personal data and the private life of individuals must be protected against all attacks that may affect them, in particular those relating to personal information.13 

II. International legal framework of the United Nations

It should be noted that the United Nations framework does not recognize the personal data protection as a fundamental right, although the right to privacy is a fundamental right which has long been consecrated in the international legal order.      Among the United Nations legal instruments which consecrates the right to private life are the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, Resolution 68/167 on the right to privacy in the digital age, etc.

a) Universal Declaration of Human Rights

On 10 December 1948, the 58 member states constituting the General Assembly of the United Nations adopted the Universal Declaration of Human Rights (UDHR).14 It is a major global instrument15 which consecrates the fundamental human rights, their respect and their recognition by law.

It focuses on the inalienable respect for these fundamental rights in all nations. Although this is not legally binding declaration, the UDHR occupies a special place as a founder Act of international human rights law and has influenced the development of other human rights instruments in Europe.16

The right to the protection of the private life of individual against the interference of third parties, in particular of the State, was introduced for the first time into article 12 of the UDHR which stipulates: « No one shall be the object arbitrary interference with his private life, family, home or correspondence, or attacks on his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks. »

 b) International Covenant on Civil and Political Rights

On 16 December 1966, the United Nations General Assembly adopted the Resolution 2200 A (XXI) called the International Covenant on Civil and Political Rights (ICCPR). This text entered into force on 23 March 1976.17

It constitutes a relevant commitment of States to promote human rights. Furthermore, article 6 of this Covenant stipulates: « The right to life is inherent in the human person. This right must be protected by law. No one can be arbitrarily deprived of life ». In addition, article 17 states: « No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks. »

The ICCPR is international treaty by which its 169 Contracting Parties are committed to respect and guarantee the exercise of civil human rights, including respect for private life.

c) Resolution 68/167 on the right to privacy in the digital age

On 18 December 2013, the General Assembly adopted Resolution 68/167 on the right to private life in the digital age, in which it expressed its deep concern about the negative impact that surveillance and interception of communications on human rights.18

It reaffirms the right to private life, according to which no one shall be subjected to arbitrary or unlawful interference with his private life, family, home or correspondence and the right to the protection of the law against such interference, defined by article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights.19

It invites the States to respect and protect the right to privacy, particularly in the context of digital communication.

III. The legal framework of the European Union

The current European legislation has laid down fundamental milestones for the personal data protection of Union citizens.20 Indeed, the General Data Protection Regulations (GDPR) is a new legal framework for the personal data protection.

Before addressing the essential provisions of the GDPR, it is important to review the legal instruments relating to the protection of personal data which preceded the GDPR.

a) European Convention on Human Rights

The European Council has adopted the European Convention on Human Rights (ECHR) on November 4, 1950 in Rome, a year after it was founded.

The ECHR entered into force on September 3, 1953, after 10 states had ratified it.21 However, the right to personal data protection is one of the rights protected by Article 8 of the ECHR, which guarantees the right to respect for privacy and family life, the home and correspondence, and sets out the conditions in which restrictions on this right are permitted.22

There can be no interference by a public authority in the exercise of this right unless it is prescribed by law and constitutes a measure which, in a democratic society, is necessary for national security, public safety, the economic well-being of the country, the defense of order and the prevention of criminal offenses, the protection of health or morals, or the protection of the rights and freedoms of others.23

b) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108)

Convention No. 108 was opened for signature on 28 January 1981 in Strasbourg, on the occasion of the third part of the 32nd session of the Consultative Assembly.24 On the date of the recommendation adoption , 44 European Council member States have ratified it, others have signed it and prepared its ratification.25

Convention No. 108 was, and remains today, the only legally binding international instrument in the field of data protection, with a universal vocation because the Committee of Ministers has affirmed its willingness to examine applications for membership from States which are not members of the European Council.26

It defines « personal data » as: any information concerning an identified or identifiable natural person (data subject). The preamble to Convention No. 108 sets out the need to promote the fundamental values ​​on privacy and personal data protection worldwide, thereby promoting the free flow of information between peoples.27

It recalls that the right to the personal data protection must be considered with regard to its role in society and that it must be reconciled with other human rights and fundamental freedoms, including freedom of expression .

The Convention is currently being updated. The works officially started during the celebrations of the 30th anniversary of the opening for signature of Convention 108, celebrations which took place within the framework of the 6th data protection day, on January 28, 2011 in Brussels.

The main lines of the Convention modernization focused in particular: « the guarantee to all individuals, whatever their nationality or residence, of the right to the personal data protection in order to ensure respect for their other rights and fundamental freedoms, including his right to privacy with regard to the processing of his data.28

c) Charter of Fundamental Rights of the European Union

The Charter of Fundamental Rights of the European Union (EU) has been proclaimed in Nice European Council on7 December 2000. 29

The Lisbon Treaty gives it binding legal force for the Member States,30 and any citizen can rely on it. in the event of non respect of these rights by European law. It integrates a range of civil, political, economic and social rights of European citizens of the member states.

However, the Charter provides: « Everyone has the right to respect for his private and family life, his home and his communications. »31 ; it also consecrated the right to the personal data protection.32 Article 8, paragraph 2, of the Charter states that: « this data must be processed fairly, for specified purposes and on the basis consent of subject  concerned or under other legitimate reasons provided  y law. Everyone has the right to access and obtain rectification of the data collected concerning them. »

d) Treaty on the Functioning of the European Union

The Treaty on the Functioning of the European Union (TFEU) is one of the two fundamental treaties of the political institutions in the European Union. It guarantees the right to protect personal data. 33

Indeed, the article 16 of TFEU also consecrated this right, and provides that it is the responsibility  of the European Parliament and the Council, acting in accordance with the ordinary legislative procedure, to adopt the rules relating to the protection of persons with regard to the processing of their personal data and the free movement of their data.34

This Treaty provision also creates a legal basis, making the EU competent to legislate on data protection matters. This is an important development as the EU rules on data protection.

e) General Data Protection Regulation (GDPR)

The General Data Protection Regulation, known as GDPR, of April 27, 2016, applicable since May 25, 2018 by all member countries of the European Union (EU) sets out a new principle of data protection. 35

e) General Data Protection Regulation (GDPR)

 The General Data Protection Regulation, known as GDPR, of April 27, 2016, applicable since May 25, 2018 by all member countries of the European Union (EU) sets out a new principle of data protection. 35

It should be noted that the GDPR came to repeal36 Directive 95/46 /EC37 which was the main EU legal instrument in the field of data protection in the period from 1995 to May 2018.

The GDPR is an ambitious reform of law on the personal data protection, taking into account the various issues that underlie the processing of such data.38

It applies to the processing of personal data (personal information) that the Regulation defines as « any information relating to identified or identifiable natural person » who is called the data subject. It establishes a range of rules for whole the EU. It also creates a coherent framework of rules applicable to data protection across the EU as well as legal security environment.

IV. The Congolese legal framework

 In the DRC the specific law on the personal data protection remains a challenge.

Indeed, the country is characterized by the lack of a specific law on the protection of personal data.39 Unlike other African countries40, there are no standards on the law of personal databases comparable to European standards including an “IT authority and freedoms”, nor of essential principles: databases data specialty , legality of stored information, right to oblivion, right to access and rectification, etc.41

However, there are sectoral legal texts which address the legal aspects on personal data protection. As long as  personal data protection right is closely linked to the respect for private life right, there are also legal texts which establish the right to respect for private life.

a) Constitution

 The Constitution of the Democratic Republic of the Congo, modified by law No. 11/002 of January 20, 2011 revising certain articles of the Constitution of the Democratic Republic of the Congo of February 18,2006, establishes the State of law, democracy and reaffirms the attachment to human rights and fundamental freedoms as proclaimed by international legal instruments.42 Among the fundamental rights is the right to respect for the private life of citizens.

Article 34 of the Constitution provides: « Everyone has the right to respect for his private life and the secrecy of correspondence, telecommunications or any other form of communication. This right may be infringed only in the cases provided by law ». In addition, article 29 stipulates that: « The home can not be violated, no visit or search may be carried out there except in the forms and under the conditions provided by law. »

It should be noted that when the Congolese lawmaker consecrates the fundamental principle of the right to respect for private life, he aims to protect the rights of citizens with regard to data or information which is personal to them.

Moreover, the DRC constitution protects this right to life by making use of ratified international texts, which have primacy over national law (art. 215 constitution). The DRC is a signatory to the International Covenant on Civil and Political Rights, Article 17 of which reiterates the provisions of the Universal Declaration of Human Rights relating to the protection that the law must provide against arbitrary interference. in private life, family, home or correspondence, attacks on the honor and reputation of individuals.

b) The framework law on Telecom

The 2002 framework law on telecom contains some provisions on the personal data protection which apply in the telecom sector.

According to this law, data protection is one of the reasons for imposing conditions relating to the establishment and/or operation of telecommunications networks or the provision of telecommunications services. It provides that data protection may include « the personal data protection, the confidentiality of information transmitted or stored and the protection of private life ».43

The secrecy of communication is guaranteed by article 52 of the 2002 framework law. Under this provision, the secrecy of correspondence transmitted by telecommunications is guaranteed by law. This secrecy may be breached only by the public authority, only in cases of necessity of public interest provided  by law and within the limits fixed by it. Despite what precedes, the frame law of 2002 suffers from the insufficiencies of the provisions which can ensure the protection of the private life of the human person and his personal data in the face of several dangers resulting from the exponential explosion, information and communication technologies.

c) The draft law on telecom and ICT

The draft on telecom  and ICT which is elaborated to stand in 2002 framework law, adopted by parliament in its September 2018 session, but returned by the President of the Republic for the second revision in 2019 44 consecrates the personal data protection.

This draft law consecrates the legal definition of « personal data » into the congolese legal arsenal. According to definition provided, personal data « is any information relating to natural person identified or identifiable directly or indirectly, by reference to identification number or to one or more elements, specific to his physical, physiological, genetic identity, psychic, cultural, social or economic » 45

It guarantees the consumer right of electronic communications services. From this legal point of view, all consumers of electronic communications services have the right to the protection of personal data (art. 97). It protects the confidentiality of personal data of electronic communications services consumers. It provides that any processing of data of nature is only carried out with the consent of the data subject or on request from the officer of the public prosecutor (art. 131).

The collection, recording, processing, storage and transmission of personal data is carried out with the authorization of the user concerned or of the competent public authority (art. 132 paragraph 1).

It prohibits the collection and processing of personal data relating to racial, ethnic or regional origin, parentage, political opinions, religious or philosophical beliefs, union membership, sex life, genetic data or more generally those relating to the health of the person concerned (art.132 paragraph 2).

Without offense to the payment of damages to the victim, any violation of the secrecy of correspondence or any manipulation without prior authorization, personal data is punished by the law in matters on violation of correspondence.

d) The law on the exercise of press freedom

The law on freedom of press promulgated in 1966 which applies to the professional of the press, to the press companies and to all other natural or legal persons concerned, in one or other way, by written or audiovisual messages46 protects private life.

It guarantees everyone the right to freedom and expression without any obstacle, whatever the material used but in compliance with the respect of the law, public order, the rights of others and morality.47

 Any writing or message is likely to be used by the press on condition that it does not undermine public order, and moral, or the honor and dignity of individuals.48

 It establishes the right of reply in all cases where charges are liable to damage the honor or reputation of person, disseminated in the context of an audiovisual communication activity.49

Needless to say that the law on freedom of press establishes press offenses, that is to say any offense committed by the written and audiovisual press.50 Therefore, the violation of private life through press crimes is punished by the sanctions provided for by law.

e) The Criminal Code

The decree of June 30, 1940 on the Criminal Code punishes offenses against private life. These are attacks on individual liberty and the inviolability of the home (section 5 of Criminal Code); attacks on the inviolability of the secrecy of letters (section 6 of Criminal Code); disclosure of professional secrecy (section 7 of  Criminal Code).

In the Democratic Republic of Congo, the victim private life offense including personal data may, depending on the case, have recourse either to civil procedure51, to criminal procedure52 or even to administrative procedure.53

Ultimately, the Congolese legal framework suffers from the lack of specific law on personal data protection. It is imperative to provide the country with a specific law like other African and European countries in order to protect the rights of individuals with regard to the processing of personal data.   Such a law should clearly define the key principles of loyalty, lawfulnessof the collection, the relevance and accuracy of data, the proportionality, the storage duration of personal data and ultimately the purpose of data collected (a purpose must be determined, legitimate and explicit). In addition, determine the processing of data that can only relate to personal data that meet the predetermined conditions.

References

1 B. JUANALS, Personal data protection and ICT at the hart of globalization and society issues: distributed control mechanisms, ICT & society, [online] available on :   http://journals.openedition.org/ticetsociete/1475 ; DOI : 10.4000/ticetsociete.1475 (consulted on May 9, 2020).

2 https://www.clubic.com/pro/actualite-850479-smartphones-monde-repartition-inegale.html (consulted on May 9, 2020).

3 GIGREF, Economy of personal data; : the challenges of ethical business, Paris, October 2015, p.1.

4 https://www.quechoisir.org/nos-combats-donnees-personnelles-nos-combats-et-conseils-pour-les-proteger-n63115/(consulted on May 9, 2020).

5 B. JANVIER, « Personal data protection: review of the past year and outlook for 2019  » [online] available on: https://www.lepetitjuriste.fr/protection-de-donnees-personnelles-bilan-de-lannee-ecoulee-et-perspective-pour-lannee-2019/(consulted on May 9, 2020).

6 PARLIAMENTARY ASSEMBLY OF FRANCOPHONIE, Report on Personal data protection legislation French countries in the world, Abidjan, July, 2019.

7 https://alphalyr.fr/blog/le-rgdp-comment-bien-vous-preparer/(consulted on May 9, 2020).

8 W-J. MAXWELL, Personal data protection in the United States: 130 convergences and divergences with the European approach, Cloud computing, Society for Comparative Legislation, 2013, p.72.

9 L. MEDIAVILLA, Law on personal data protection: la Californie open the doors in the USA, [online] available: https://www.lesechos.fr/tech-medias/hightech/loi-sur-les-donnees-personnelles-la-californie-ouvre-le-bal-aux-etats-unis-1160009 (consulted on May 9, 2020).

10 G. KABUE KAYOMBO, Comparative electronic money law: mobile banking and financial services in digital transformation, Europe, USA, Africa, DR Congo, Kinshasa, 2020, p.191, publication in progress.

11 European Union Agency for Fundamental Rights and Council of Europe, Handbook of European data protection law, Luxembourg, 2019, p.21.

12 E. DESIREUX, Privacy and data protection – Protection law and « right to oblivion » face to freedom of expression [online] available on : https://www.cairn.info/revue-les-nouveaux-cahiers-du-conseil-constitutionnel-2015-3-page-21.htm (consulted in May 9, 2020).

13 M. KETTANI, Legal regime for personal data protection, DLA PIPER, 2017, p.1.

14  European Union Agency for Fundamental Rights and Council of Europe, Luxembourg, 2019, p.24.

15 https://www.coe.int/fr/web/compass/legal-protection-of-human-rights (consulté le 22 mai 2020).

16 European Union Agency for Fundamental Rights and Council of Europe, Ibidem, p.24

17 https://www.coe.int/fr/web/compass/the-international-covenant-on-civil-and-political-rights (consulted on May 23, 2020).

18 https://www.ohchr.org/FR/Issues/DigitalAge/Pages/DigitalAgeIndex.aspx (consulted on May 23, 2020).

19 UN, General Assembly, Resolution on the Right to Privacy in the Digital Age, A/RES/68/167, New York, December 18, 2013, p.2/3.
20 L. FANY, Personal data protection and privacy on social media in the European Union, Dissertation presented as part of Master 1, University of Paris 3 Sorbonne Nouvelle, Paris, 2012

21 https://www.humanrights.ch/fr/droits-humains-internationaux/conseil-europe/cedh/ (consulté le 23 mai 2020)

22 European Council, European Convention on Human Rights, STCE No.005, 1950, p.4.

23  European Council, Op.cit., p.4.

24 European Council, Explanatory report to the Convention for the protection of individuals with regard to automatic processing of personal data, Strasbourg, 28 January 1981, p.1.
25European Council, Recommendation CM / REC (2010) 13 and explanatory memorandum: protection of individuals with regard to automatic processing of personal data in the context of profiling, Council of Europe editions, November 2011 , p.21.

26 See, Explanatory Report to Convention No. 108, paragraph 15 (ISBN 978-92-871-0442-7.

27 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108), Strasbourg, p.7.

28 European Council , Modernization of the European Council for Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

29 https://www.vie-publique.fr/fiches/20322-pourquoi-une-charte-des-droits-fondamentaux (consulted on May 23, 2020)

30 https://europaforum.public.lu/fr/comprendre-europe/dossier-lisbonne/019-droits/index.html (consulted on May 23, 2020)

31 Article 7, Charter of Fundamental Rights of the European Union (2016/C 202/02), OJEU, C 202/395, June 7, 2016.

32 Article 8, Charter of Fundamental Rights of the European Union.

33 Article 16, Treaty on the functioning of the European union, OJEU, C 115/47, May 9, 2008.

34 M. KARAMANLI, Communication on the legislative package relating to the protection of individuals with regard to the processing of personal data (COM (2012) 11 final – E 7055 and COM (2012) 10 – E 7054)

35 Livre Blanc, General Data Protection Regulation, 25 October 2017, p.2

36 Article 94, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing the directive 95/46 /CE (general data protection regulation), OJEU, n ° L 119/1, May 4, 2016.

37 Directive 95/46/ EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJEU, n ° L 281, May 23, 1995.

38 E. CRUYSMANS, European directive 95/46 / ce n’est plus, vive RGDP, «News», p.108.

39 See, “Overview of the current legal frameworks for the personal data protection in Africa”, ITU Regional Workshop on Human Capacity Building, Abuja, 2018

40 It should be noted that increasingly African countries are adopting legislation with “European compatible” standards: Tunisia, Morocco, Senegal, Burkina Faso, Gabon…

41 D. BROUWERS, L. LHERIAU, F. KALALA, B. MOPONGO, J. NDAMBU, W. LIBOIS, Final report on the protection of consumers of financial services in the Democratic Republic of Congo: diagnostic study, Central Bank of Congo, Kinshasa, 2013, p.57.

42 See, Constitution of the DRC, modified by law No. 11/002 of January 20, 2011 revising certain articles of the constitution of the Democratic Republic of Congo of February 18, 2006, OJ, special No., February 2011.

43  Article 4, point 13, framework law No.013/2002 of October 16, 2002 on telecommunications in the Democratic Republic of Congo, OJ, special No., January 2003, p.30.

44 National Digital Plan-Horizon of 2025, Kinshasa, September 2019, p.39.

45 Draft law on Telecom and ICT

46 E. LAMBERT ODINGA ODINGA, “Respect for privacy and the information highway in the Democratic Republic of Congo“, Lex Electronica, Vol.6, n ° 2, Hiver / Winter, 2001. 

47 Article 8, Law No. 96-002 of June 22, 1966 laying down the procedures for the exercise of the press, OJ, special No., August 2001, p. 11.

48 Article 10, Law No. 96-002.
49 Article 67, law No. 96-002.
50Article 74, law No. 96-002.
51 Decree of 3/30/1960 on the Code of Civil Procedure
52 Decree of 6/8/1959 on the Code of Criminal Procedure
53 Civil procedure is mainly applied before the administrative section of the Courts of Appeal
54 T. DEVERGRANNE, The principle of loyalty and lawfulness of data collection [online], available: https://www.donneespersonnelles.fr/le-principe-de-loyaute-et-de-liceite-de-la -collecte-des-dates (Consulted on August 15, 2019).

Download the PDF format of this article by clicking here