Data protection and privacy through the lens of cultural relativism
Written by Jeanne Saliou
27 October 2021
Following on from Cahier IP No. 8, "Scènes de la vie numérique", the LINC examines the socio-cultural relationship to privacy and data protection around the world. This is an opportunity to go back to the roots of the differences and divergences in data protection frameworks observed in a previous article.
[Dossier] Data protection and privacy around the world
In Europe, as highlighted in Cahier IP No. 8, the right to data protection has been built in the continuity of the right to privacy, and more particularly around individual rights and the notion of informational self-determination. This approach has allowed the construction of a common standard, the General Data Protection Regulation (GDPR), from different national contexts and legal traditions, thus meeting one of the challenges of European integration. The challenge of establishing a common standard at the international level is made all the more difficult by the strong cultural differences. In the field of data protection, what are the socio-cultural factors affecting the dynamics of convergence? Are there common notions and values on which to build such a standard?
Is data protection a component of privacy or an autonomous right?
To understand the relationship(s) to data protection, it is necessary to go back to the source of its conception: privacy, recognized as a fundamental right since the Universal Declaration of Human Rights in 1948. An international consensus seems to be emerging on this relationship between the right to privacy and the right to data protection, which is seen as one of its components. This conceptual connection is reflected in the legal derivation of data protection from the right to privacy. The Indian Supreme Court's judgment in Puttaswamy v. Union of India of 24 August 2017 is a leading example of this practice. When asked about the existence of a constitutional right to privacy, the Indian court recognized the existence of such a right, and recognized "informational privacy" as an integral part of it, calling on the government to put in place "a robust data protection framework". Similarly, the European Court of Human Rights recognized in 1997, in its judgment in Z v. Finland (§ 95), the fundamental role of the protection of personal data in the protection of private life, guaranteed in Article 8 of the Convention.
This relationship has been more generally established through the inclusion of data protection in privacy laws and through the inclusion of privacy in the title of many data protection laws. The 1980 OECD and APEC data protection guidelines are both called the Privacy Principles, and Uganda's 2019 Data Protection and Privacy Act is another example of this pattern. Every now and then, the concepts even merge under the term of "data privacy", as in the case of the 2012 Data Privacy Act in the Philippines.
While not all states have privacy at the forefront of their data protection laws, the link is also maintained and transcribed in the recitals of texts that follow the example of the GDPR. For example, in Pakistan, the Data Protection Bill 2019 reaffirms the special focus on privacy.
The only exception here is the dissociation of these two rights in the Charter of Fundamental Rights of the European Union. Adopted in 2008, this text autonomously enshrines in its Article 8 the right to protection of personal data as a fundamental right. And for good reason, as early as 2007, in the Bavarian Lager judgment, the Court of Justice of the European Union stated that "not all personal data are by their very nature capable of violating the privacy of the data subject" (§119). Nevertheless, within the European Union itself, this dichotomy is subject to debate. Some, including Mélanie Clément-Fontaine, see data protection as a complement to the right to privacy, guaranteeing its protection in the digitalized society. Outside the EU, this distinction raises doubts and questions. Chawki Gaddes, President of the National Institute for Data Protection (INPDP), attested in an interview with the LINC on 8 June 2021 to the great confusion among the Tunisian population regarding the concepts of privacy and personal data. Data protection is perceived as a component of privacy, with vague contours and imprecise content.
In 2013, in his Opinion in the case of Digital Rights Ireland and Others before the Court of Justice of the European Union (§65), Advocate General Cruz Villalon distinguished between personal data and 'more than personal data', qualitatively falling within the scope of the privacy and intimacy of individuals. Whether or not data protection goes beyond the boundaries of the right to privacy, there is now a consensus that the protection of certain data, these "more than personal data", is essential to the protection of privacy.
"Privacy is not for me, it's for those rich women"
If we go back further to the source of data protection, which is the respect for privacy in a large majority of countries, the question arises as to the universality of the search for privacy and the meaning attached to it.
It is clear that privacy is far from being a universally accepted concept. On the contrary, in many societies, the term's equivalents have long carried negative connotations. In China, as Lü Yao-Huai, a professor at Suzhou University of Science and Technology, pointed out, the term yinsi (隐私) primarily refers to a shameful secret. In a very similar way, in Thailand, the concept of privacy is associated with "losing face," i.e., one's respectability, according to Krisana Kitiyadisai, a member of the faculty of science at Chulalongkorn University.
Nevertheless, these two authors noted in 2005 a revaluation of private life in Chinese and Thai societies. This evolution is part of a deeper dynamic of questioning the Asian cultural specificity embodied by the 1990s concept of Asian values. In the context of a global questioning of the family model and the growth of individualism, this concept, which is centred on a strong tradition of collectivity and reverence for elders, appears more and more as a formal rejection of Europe and its associated values rather than as a reality experienced and shared by the whole continent.
The latter notion, individualism, is one of the keys to the rise of data protection around the world. Whether it is Professor Alex Makulilo of the Open University of Tanzania, in the case of the African continent, or Kinfe Micheal Yilma of Addis Ababa University, in the specific case of Ethiopia, both researchers recognize the influence of sociological factors, and in particular the relationship between the community and the individual, on the degree of interest accorded to private life. Both also point to the role of political and economic conditions. For example, when individuals are forced to share their living space with a large number of people, their expectations of privacy decrease. Conversely, in more affluent households, where an individual has his or her own room and personal space, greater attention to privacy, and to data protection, may develop. The study conducted by Nithya Sambasivan, a researcher at Google India, on the relationship between Indian, Pakistani and Bangladeshi women and privacy, supports this observation. Privacy is perceived as contrary to the values of the less affluent, but this does not prevent the development of privacy protection strategies, which are more limited but do exist. The study shows variations in the women's acceptance of the monitoring of their activities by their relatives (according to social situation and level of education) but the existence in all cases of practices to maintain privacy. This is despite the recurrence of statements by women from the least affluent backgrounds interviewed such as: "Privacy is like that, it is against our values".
If we put the development of the notion of private life in Europe into perspective, we observe very similar evolutions with, first of all, the emergence of family privacy, followed by a private sphere within the private sphere: that of the individual. This trajectory, described in Cahier IP No. 8 (p. 8), invites us to go beyond the traditional opposition between the individualistic West and non-Western cultures that favour the collective. All the more so since in France, as Dominique Pasquier testified in an interview with the LINC, "in the working classes, private life is less a matter for the individual than for the family group".
Drawing the boundaries of acceptability: variations on the concept of privacy
It would be too hasty to conclude that data protection, in its European form, is the "direction of history", an inevitable future for developing states, whose relationship to privacy and data protection will become more homogeneous with economic growth.
This would deny the permanence of differences in societies of equivalent economic development, differences that are rooted in structuring social conceptions. Such differences in perception may influence the interpretation of norms and the accepted limitations on the right to privacy.
From the atom to the bond: multifaceted conceptions of the individual and its autonomy
The differences in the conception of the individual and his relationship to the rest of society are particularly fundamental in this respect. In Europe, they have constituted a point of convergence and the basis of standards. Nevertheless, the notion of the individual is not uniform at the international level. The vision of the individual as autonomous from the rest of society, an individual-atom, is opposed in particular by the Japanese conception of the individual as an interrelational space.
In Japan, according to Bregham Dalgliesh, a professor at the University of Tokyo and associate researcher at the Institut des Mines-Télécom, the subject exists only in aidagara, i.e. the extracorporeal space between two people. In this concept, an individual's private life has no meaning, as it exists only in relation to others, whether another individual or a group. This does not mean, however, that it is impossible to recognize a private sphere. As Bregham Dalgliesh points out, this sphere is materialized at other, more collective levels: private life can be relational, for example that of a family as a whole. This understanding of the individual modulates the limits placed on data protection. The case study by Makoto Nakada and Takanori Tamura, researchers at the University of Tsukuba, on the interpretation of the homicide of a family in Tutiura, Japan, and in particular its treatment in the press, sheds light on the impact that such differences may have on the relationship to privacy as a whole. The level of detail in the article, which includes photographs of the family, a map of their house and interviews with neighbours and relatives, reflects what the authors consider to be the specificity of the Japanese relationship to others, which is at odds with the Western perspective. Indeed, the information and personal data are considered essential for understanding the meaning of homicide, both for individuals and for society.
Such conceptual differences are not always perceptible or transcribed in the translations of laws. These translations, which are almost systematic and often converge towards English, can therefore create a false impression of conceptual homogeneity and hide divergent interpretations (see Article 2).
The social contract and entrepreneurial culture
The specificities of national history play a major role in the scope of application, the degree of limitation of recourse to the right to data protection, and the structuring of this right. Indeed, there is not one right but many rights to data protection: access, rectification, deletion, portability, etc. The range includes many nuances and these vary according to local issues.
For example, in an interview with the LINC on June 16, 2021, Omer Tene, Vice President of the International Association of Privacy Professionals and Senior Fellow at the Future of Privacy Forum, explained the low priority given to data protection in Israel by two factors. On the one hand, the Israeli security situation leads to a prioritization of the exploitation of personal data for security purposes over their protection. Such a clause exists in many texts, but it is interpreted or codified more or less broadly depending on the context. As a result, Edward Snowden's revelations about the National Security Agency's wiretapping in the United States did not send shockwaves in Israel similar to those that swept through Europe, according to Omer Tene.
On the other hand, the digital economy is the engine of Israeli growth, fostering a high degree of public confidence in companies, where in some countries they are highly distrusted and thus more controlled.
Conversely, in China, private sector companies are under increasing scrutiny. State-owned enterprises were included in the 2021 law, but the state and its agencies remain firmly outside the scope of data protection laws. This is the specificity of the Chinese model. Simone Pieranni, a journalist and author of the book Red Mirror, The Future is Written in China, described it in the following terms: "The difference between the American model is that in our world, data is managed by companies that use it for private purposes, whereas in China, it is the state that holds the information of citizens". This gap in the perception of the government, which is the primary target of data protection laws in many countries including France, is particularly tangible in the development of social credit systems in China. Regularly denounced in the Western media as a form of state surveillance, this project is presented nationally as a tool for restoring trust and sincerity in Chinese society, according to Chris Fei Shen, associate professor at the City University of Hong Kong.
These last examples illustrate the barriers to the homogenisation of data protection law (see Article 2). How can the different national priorities be articulated, and how can international data transfers be reconciled with data protection, when conceptions of individual rights are not the same everywhere?