EU GDPR should merely be a guiding framework for Kuwaiti legal system
By Noura Almutairi
Since May 25, 2018, the EU General Data Protection Regulation (GDPR) has been applied across all EU member states, establishing a global benchmark. Several countries, including South Korea, Brazil, Japan, Kenya, Egypt, Indonesia and the US State of California, have enacted data privacy laws aligned with the GDPR. Unlike the EU Data Protection Directive (DPD), the GDPR aims to enhance control over personal information to safeguard fundamental rights, especially the individual's right to data protection.
The right to protect personal information is distinct from the right to privacy under the European Convention on Human Rights and Fundamental Freedoms (ECHR). The values underlying the regulation and protection of the former right are transparency, autonomy, fairness, dignity and non-discrimination. These are different from the values of reputation and honor, which underpin the individual's right to privacy in Kuwaiti society. Nonetheless, this article urges Kuwaiti lawmakers to be guided by the GDPR, as the individual's right to privacy is one of the values underpinning the protection of their personal information under the GDPR.
Some of an individual's personal information, as defined under Article 4 of the GDPR, is linked to their right to privacy, for example, their photo. In addition, most of the individual's sensitive or private information, as outlined in Article 9 of the GDPR, is linked to the individual's right to privacy or a private life under the Kuwaiti legal system. Examples of such information include genetic data and health data. Even the process of collecting an individual's non-sensitive or private information can be used to reveal hidden private data about them.
To illustrate how this point is relevant, the GDPR applies to private companies (as data controllers) that monitor individuals' online behavior and activities through their online identifiers or observed data, such as IP addresses, cookies and location data. A massive amount of 'dynamic personal information' is collected through such observed data and can then be analyzed predictively or using AI, which may infer private information about the Internet user. As such, the GDPR protects the individual's right to privacy.
However, this article suggests that Kuwaiti decision-makers should be guided by the GDPR, rather than merely copying it, when drafting a comprehensive Data Privacy Law. The GDPR has legal loopholes and vague provisions, and it does not entirely suit Kuwait, for the reasons explained below. Firstly, the meaning of 'personal information', which determines the material scope of the Data Privacy Law, should be interpreted broadly to cover an exponentially growing range of situations.
This article finds that identifiability is the core element required for data or information to qualify as personal information under the definition in Article 4 of the GDPR. Therefore, the GDPR does not cover anonymous information within its scope; however, the re-identification of an individual's data may still occur. Re-identification of an individual's data can be easily achieved, for example, through the Internet of Things (IoT), such as wearable devices like a Fitbit or an Apple Watch; the combined data, including location information, can distinguish one person from millions of others.
Therefore, this article recommends that when Kuwaiti decision-makers draft a Data Privacy Law, they should broaden the definition of personal data to include not only identifiability but also the ability to single out an individual from a crowd, regardless of whether their identity can be confirmed. Although Recital 26 of the GDPR explicitly mentions 'single out,' there is no clear indication of whether singling out an individual without identifying them is covered under the GDPR's scope.
The GDPR also does not clarify whether inferred data falls within the scope of personal information, and the European Court of Justice's approach is inconsistent. To emphasize this point, the judgment in the case YS, M and S v Minister voor Immigratie, Integratie en Asiel clearly excludes inference data from the safeguards of Data Protection Law, while a later judgment in the case Peter Nowak v Data Protection Commissioner in 2017 attributes the status of 'personal data' to inferences. However, in the former case, the Court was clear that the GDPR does not grant all rights for inference data. As such, this article recommends including inferred data within the protection or material scope, since these types of data contain hidden private information.
Secondly, Article 8(1) of the GDPR states that the processing of minors' data (those under the age of 16, or a lower age if the law of the Union Member State sets one, but not younger than 13) must be authorized by the holder of parental responsibility. This article argues that the decision maker in Kuwait, instead of ignoring this requirement, should consider the following questions before implementing the parental consent requirement under Article 8(1):
Whether the age setting under Article 8(1) accurately reflects the concept of childhood, culture, social heritage, and the Kuwaiti legal system;
Should the requirement for parental consent apply to all online service providers, or should online services that are offered directly to children be excluded? If so, what are the indicators that an online service is offered directly to children?
How can it be ensured that parents give verification in cases where a parent is no longer responsible for their child, or when parents are deceased?
Thirdly, digital privacy rights are the legal mechanisms that put an individual in a position of control over their personal information, thereby safeguarding the individual's right to privacy. However, not all the rights that regulate users under the GDPR are necessary to put Internet users in control of their data and to safeguard their right to privacy from the challenges posed in the digital age. To illustrate this point, the right to data portability, as outlined in Article 20 of the GDPR, empowers individuals to take control of their data by allowing them to retrieve it from one service and transfer it to another.
Although it offers individual control, it is not rooted in the right to privacy; rather, it stems from competition laws. The right to data portability aims to foster competition among private companies, serving a primarily economic purpose to enhance the market, which is one of the main objectives of the GDPR. Therefore, this article does not recommend that Kuwaiti lawmakers recognize data portability as a new right within a Data Privacy Law, as it is not directly related to the right to privacy.
Also, some rights under the GDPR are redundant, as they can be exercised through other rights. For instance, the right to restriction of processing under Article 18 of the GDPR is an alternative or optional right that an individual can exercise in place of other rights in some legal cases. As an alternative right, whether this right is regulated or guaranteed is less critical, since another right takes its place. To emphasize this point, if an individual's consent is not valid, instead of requesting erasure, they may request a restriction on processing.
As such, this article emphasizes that there is no need to set the right to restriction of processing, except in cases where the individual requires that right for the establishment, exercise or defense of legal claims against a company for breach of their right to privacy by misuse of their private data, in which case the plaintiff can request restriction of processing through an immediate injunction under the KCC.
NOTE: Noura Almutairi is an Assistant Professor at Kuwait University School of Law, Private Law Department, with research interests in the right to privacy, AI, the tort liability of tech companies and IP law.