Legal identity and data protection in modern societies

October 25, 2023
City landscape with digital imagery

As states roll out legal identity systems, it's crucial to implement robust protection laws that address the unique challenges.

Photo: Shutterstock

In an increasingly interconnected digital age, the very essence of legal identity plays a pivotal role in how we navigate societal structures and access basic rights and services. At the heart of this lies the concept of legal identity - a recognized and validated assertion of one's personal existence within the legal framework of a country. Just as vital is the overarching responsibility to protect the data that substantiates this identity. Data breaches, unauthorized access, and misuse can have dire consequences, not just technologically but also socio-economically and politically. In a new report UNDP and the Centre for Communication Governance at National Law University Delhi delve into the crucial nature of legal identity, why it is a linchpin in modern society, and the paramount importance of ensuring robust data protection for legal identity systems to safeguard everyone’s rights and freedoms.

Several international instruments such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, affirm every person's right to a legal identity. Target 16.9 of the Sustainable Development Goals seeks to "provide legal identity for all, including birth registration, by 2030”. Legal identity ensures that individuals are recognized by the law and can avail themselves of rights and benefits available to them, to improve public policy, and to ensure better welfare services. 

Granting legal identity requires extensive personal data; names, birth dates, gender, and demographic information like residential addresses. Countries such as Estonia, Mexico, India, and Iceland have adopted advanced digital technologies, often incorporating biometric data such as fingerprints and iris scans. As governments build digital public infrastructures with digital legal identity as the foundation, inter-institutional data sharing grows. While these boost efficiency and service convenience, they also introduce challenges. They can increase privacy risks, elevating the threat of data breaches and unwarranted surveillance.

One of the primary mechanisms to mitigate privacy risks is to institute robust data privacy laws. 

As states roll out legal identity systems, it's crucial to implement robust protection laws that address the unique challenges. UNDP and the Centre for Communication Governance at National Law University Delhi recently co-authored Drafting Data Protection Legislation: A Study of Regional Frameworks. This is designed to equip countries with the necessary tools and context to draft privacy-protecting domestic data protection legislation. Drawing from global and regional regulations, academic insights, and domestic laws, the report offers a detailed overview of essential data protection principles and encourages governments to consider the following aspects:

  • Definitions of key terms: Personal data and its sub-categories, can help clarify the scope of applicability of a data protection framework and reduce ambiguity in interpretation. An inclusive definition of ‘personal data’ may ensure more comprehensive protection under the relevant framework.
  • Data protection principles: The core concepts underpinning all data protection frameworks have been developed over many decades. They place the individual at the centre of data protection and cover all stages of the life cycle of data, from before it is collected, to how it is used and stored. These principles are meant to hold those collecting and processing data accountable for their use of data, and to ensure that data processing takes place in a privacy-preserving manner.
  • Rights of data subjects: Rights are a core component of data protection frameworks because they empower data subjects to take control of their data and allow them to obtain redressal for privacy harms. Some rights are essential - for example, allowing individuals to confirm whether a data controller has collected and processed data relating to them. Other rights empower data subjects to take necessary actions once data has been processed such as rectifying information or restricting data processing in certain circumstances. 
  • Children’s data: Children may be particularly vulnerable to risks from both governmental and private use of their personal data, particularly as education and other services increasingly shift online. It is important to consider age of consent requirements, age verification methods, and varying levels of cognitive development, differing cultural contexts and socio-economic backgrounds in framing regulations that protect children’s data.
  • Cross-border data flows: States and businesses often have a legitimate need to share data across national borders for economic and logistical purposes. This must be balanced with the protection of privacy and data security of the data of their citizens. It is important for frameworks to consider how to institute accountability mechanisms to ensure that those processing and using the data are accountable.
  • The regulatory and enforcement structure: The enforcement of any data protection legislation depends in large measure on its regulatory structure. Though there are likely to be differences in the design based on national and local requirements, frameworks must ensure that regulators are able to function independently and are transparent and accountable. They also should be empowered to take appropriate action when there is non-compliance.
  • Exemptions: While many frameworks commonly provide states with exemptions from data protection obligations for specific reasons like national security or law and order, it's vital that these exemptions adhere to set standards. They should align with international human rights norms and be narrowly defined, ensuring they're proportional to their goals.

We've crafted this guide as a comprehensive tool on data protection, catering to practitioners within international organizations and Member States to civil societies, academics, and beyond. We hope to create robust frameworks that safeguard privacy and other human rights while supporting social and policy goals. As the digital age unfolds, our hope is that this guide serves as both a reference and a foundation for those at the forefront of safeguarding our digital futures and our rights to a legal identity.