An international data protection 2000

Transcription

1 An international data protection 2000 Part 1: regulatory trends [Published in Privacy Law & Policy Reporter, 2000, volume 6, pp ] Lee A. Bygrave Introduction In the year 2000, it is timely to reflect on the general nature of data protection law. 1 While certainly not old, data protection as a field of law has now attained considerable maturity and spread. The first data protection laws were passed some three decades ago. In the course of those decades, the number of countries with such laws has burgeoned to well over twenty. Although these countries are still predominantly European (and still predominantly part of the First World), legislative concern for data protection has become increasingly global. 2 Augmenting this development is a growing body of commentary (hereinafter termed data protection discourse ), both descriptive and prescriptive, concerned specifically with the character, application and development of data protection laws. This article is the first of a series in which the central and most striking features of data protection law and, to some extent, data protection discourse are discussed in a transnational perspective. 3 To a large extent, the analysis is broad-brush. It aims to provide an overview of regulatory patterns across jurisdictions. It also aims to set out and challenge some of the conceptions that have developed over the last three decades about the character of data protection law. The article series begins with a presentation of the major regulatory trends in the field. Subsequent articles will involve canvassing a range of other issues, including the rationale and normative underpinnings for data protection law, and the issue of data protection rights for collective entities Although this will be obvious to many readers, the term data protection is used here to denote a set of measures (legal and/or non-legal) which are aimed at safeguarding persons from detriment resulting from the processing of information on them, and which embody the bulk of principles laid down in recognised data protection instruments, such as the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (Paris: OECD, 1980 hereinafter termed OECD Guidelines ). In Australasia and North America, the term privacy protection tends to be employed instead, though this nomenclature is prima facie broader than what is denoted by data protection (as defined in this article). For a reasonably current, global overview of legislative activity in the field of data protection, see Global Internet Liberty Campaign, An International Survey of Privacy Laws and Practice, published October 1998, available at < This series of articles draws heavily on the author s doctoral thesis entitled Data Protection Law: Approaching Its Rationale, Logic and Limits (Faculty of Law, Oslo University, 1999). A modified version of the thesis is due to be published in late 2000.

2 Points of regulatory convergence Although data protection laws around the globe have not all been enacted for the same reasons, 4 nor had the same sort of gestation, 5 they have tended to share a great deal of common ground in terms of the principles expressed by their central rules. 6 They have also tended to share a great deal of common ground in terms of the mechanisms adopted for monitoring their application and for generating new regulatory norms. The overwhelming majority of the laws provide for the establishment of special independent bodies typically termed data protection authorities to oversee their implementation. At the same time, most of the laws take the form of so-called framework laws: instead of stipulating in casuistic fashion detailed provisions for regulating the processing of personal information, they set down rather diffusely formulated, general rules for such processing, and make specific allowance for the subsequent development of more detailed regulatory norms as the need arises. Primary responsibility for developing these norms has usually been given to the respective data protection authority. More remarkable is the apparent existence of considerable cross-jurisdictional similarities in terms of how the laws are enforced. In many jurisdictions, the enforcement of the laws seems rarely to have involved meting out penalties in the form of fines or imprisonment. Data protection authorities appear generally reluctant to punitively strike out at illegal activity with a big stick. A variety of other means of remedying recalcitrance most notably dialogue and, if necessary, public disclosure via the mass media seem to be preferred instead. 7 In other words, data protection laws have often functioned to a relatively large extent as soft law ; that is, law which works by persuasion, is enforced by shame and punished by blame. 8 A related feature is that courts have tended to play a minor, if not marginal, role in the enforcement and development of data protection laws. Indeed, there seems to be a striking paucity of judicial decisions in which the interpretation of such laws figures centrally. 9 This aggravates the already considerable interpretative difficulties caused by Compare, for instance, the predominantly economic motivations of the legislators of the Data Protection Act 1984 (UK) with the apparently more civil libertarian concerns of the architects of the equivalent French legislation of See further CJ Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Ithaca/London: Cornell University Press, 1992), pp Compare, for example, the protracted and at times stormy legislative histories of the respective data protection laws of Germany, Australia, the UK, Finland and the Netherlands with the relatively quick and smooth enactment of such laws in Scandinavia. See further Bygrave, supra note 3, pp 6 8 and references cited therein. These and the following points of regulatory convergence are elaborated upon in Bennett, supra note 4. See also Bygrave, supra note 3, especially chapts 3 4. It is beyond the scope of this article to discuss the reasons for this convergence. Bennett s work provides an excellent analysis of possible reasons. His basic conclusion is that the aetiology in this regard embraces a complex array of factors and hypotheses. My impressions here are based on perusal of the annual reports issued by the data protection authorities of Australia, Denmark, Norway, Switzerland and the UK, together with David Flaherty s description of enforcement practices in Sweden, France, Canada and the Federal Republic of Germany. See further DH Flaherty, Protecting Privacy in Surveillance Societies (Chapel Hill/London: University of North Carolina Press, 1989). E Blankenburg, The Invention of Privacy, in P Ippel, G de Heij & B Crouwers (eds), Privacy disputed (The Haag: SDU/Registratiekamer, 1995), pp 31, 39. In Norway, for example, there has only been one instance (over a period of more than 15 years) in which an appeal from a decision of the country s data protection authority has been treated by the courts. And only one other notable instance exists of judicial commentary on the Norwegian Personal Data Registers Act of Much the same situation pertains with respect to Australia and Denmark. 2

3 the diffuse formulation of many of the laws provisions and the sparse or nebulous commentary in the preparatory works and explanatory memoranda for the laws. That courts often take a backseat in the application of data protection laws is due to a multiplicity of factors. One important factor is that in dealing with complaints, data protection authorities frequently put weight on conciliation rather than confrontation, an approach which tends to head off court litigation. Another important factor is that, in some countries, appeals from decisions of data protection authorities, or complaints which authorities fail to resolve, do not go directly to ordinary courts for adjudication but to other quasi-judicial bodies first (such as the Complaints Review Tribunal in NZ and the Data Protection Tribunal in the UK). 10 Nevertheless, we should not forget that courts in some countries have played a significant role in underpinning and steering the direction of data protection law. Undoubtedly, the most notable case is the landmark decision of 15 December 1983 by the German Federal Constitutional Court (Bundesverfassungsgericht) which struck down parts of the federal Census Act (Volkzählungsgesetz) for lack of data protection guarantees and in the process found a right of informational self-determination ( informationelle Selbstbestimmung ) pursuant to Arts 1(1) and 2(1) of the Federal Republic s Basic Law (Grundgesetz). 11 Points of regulatory divergence While data protection laws expound broadly similar core principles, and share much common ground in terms of enforcement patterns, they are not as homogeneous as they appear at first glance. Numerous differences exist between them. These differences arise to a large extent in relation to the monitoring and supervisory regimes established by the laws. The basic differences here relate to the powers of data protection authorities (for example, some function essentially as ombudsmen, others are able to issue legally binding orders) and, concomitantly, the nature of the legal preconditions for processing personal data (for example, some require merely that data protection authorities be notified of processing, others require prior authorisation/licensing by the authorities). There are also significant differences in the ambit of data protection laws. Some cover data processing in both the private and public sectors, others cover processing by certain government agencies only. Some regulate both manual and automated processing methods, others regulate only the latter. Some place restrictions on the flow of personal data to foreign countries, others do not. Some provide express protection for data on collective entities, others protect data on individuals only. Some lay down extra limits on the processing of designated categories of especially sensitive data, others do not. To some extent, these differences have constituted a cleavage line between European and In Australia, on the other hand, the principal reason for lack of judicial involvement in determining the ambit of the Privacy Act 1988 (Cth) is that the Act has applied mainly to the activities of federal government agencies, which are under a duty (pursuant to s 58; compare s 55) to comply with the Privacy Commissioner s determinations of complaints against them. See 65 BverfGE (Entscheidungen des Bundesverfassungsgerichts), 1. 3

4 non-european data protection regimes, with the former offering generally more comprehensive and stringent safeguards than the latter, but the line is far from clean. 12 Points of regulatory change Moving from the oldest of the data protection instruments to the youngest, we can discern certain regulatory trends. In data protection discourse, it is popular to categorise these trends in terms of generations; that is, one differentiates between first-, second- and third-generation data protection laws. 13 Such categorisation, however, can easily result in ambiguous or misleading generalisations in which distinctions are overstated. 14 Accordingly, these categories are not employed in the following analysis. The regulatory trends are most easily discernible when we compare the international data protection instruments. However, they are also visible at a national level, particularly in the current round of reform of domestic data protection law by member states of the European Union (EU) and European Economic Area (EEA) pursuant to the 1995 European Community (EC) Directive on data protection. 15 In the first place, we can see a trend towards more detailed, discriminating provisions and requirements. In short, we can see increasing regulatory density. Part and parcel of this trend is a growing concern to lay down procedural mechanisms for enforcing compliance with data protection principles. 16 At the same time, we can see the contours of new data protection principles emerging. One such principle is that fully automated assessments of a person s character should not form the sole basis of decisions that impinge upon the person s interests. While this principle is not yet manifest in the majority of data protection laws, it will be so in the near future, on account of its embodiment in Art 15 of the EC Directive. Another such principle is that persons should be able to enter into transactions anonymously unless overriding legitimate interests exist to the contrary. Inherent in this principle is that active consideration should be given to crafting technical/organisational See generally Bygrave, supra note 3, espec chapts 3 4. Again, it is beyond the scope of this article to present in detail possible explanations for these differences. The study by Bennett (supra note 4, espec chapt 6) provides an excellent analysis of this issue. As with his examination of the reasons for policy convergence in terms of core data protection principles, Bennett finds that no one theory or hypothesis suffices to explain national divergence in terms of how these principles have been implemented: ibid, p 219. See e.g. V Mayer-Schönberger, Generational Development of Data Protection in Europe, in PE Agre & M Rotenberg (eds), Technology and Privacy: The New Landscape (Cambridge, Massachusetts: MIT Press, 1997), pp See further Bygrave, supra note 3, pp Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ No L 281, , 31) hereinafter termed EC Directive. Compare, for instance, the paucity of requirements in the 1980 OECD Guidelines and 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108 hereinafter termed CoE Convention ) regarding sanctions and the establishment and competence of national data protection authorities with the more exacting requirements on the same matter in Art 28 of the EC Directive. Compare also the simple provisions in the CoE Convention and OECD Guidelines on fair processing of personal data with the more elaborate provisions in Arts 10, 11 and 15 of the EC Directive. 4

5 solutions for ensuring transactional anonymity and/or pseudonymity. However, while this type of principle is expressly promoted in an increasing number of policy documents, it is still far from prominent in the bulk of data protection laws. 17 Nevertheless, it can reasonably be expected to influence the drafting of future laws, at least in relation to certain sectors of activity. 18 Under the influence of the Directive, we can also expect considerable expansion in the set of phenomena regulated by data protection laws, at least within the EU and EEA. Currently, the set of phenomena which all non-sectoral data protection laws regulate (with minor exceptions) is rather narrow. This set of phenomena consists of: (1) the establishment, maintenance and use by (2) government agencies other than the police and national security services, of (3) computerised registers/files, which (4) contain data on individual, physical/natural persons, but which (5) are not used solely for statistical or accounting purposes, or which (6) are not generally available to the public. 19 In the near future, the data protection legislation of EU and EEA member states will embrace: (1) fully or partly automated processing of personal data largely irrespective of the way the data are organised, along with (2) the setting up and use of manual personal data files, by (3) data controllers in both private and public sectors with the optional exception of police and national security services, even when the data or files are (4) used solely for statistical or accounting purposes, or are (5) publicly available, but not necessarily when they are (6) used solely for journalistic, artistic or literary purposes. Under the influence of the EC Directive, we can further expect the data protection legislation of EU and EEA member states to become more uniform in terms of monitoring and supervisory regimes. Data protection authorities which currently are able to issue mere recommendations will probably be given competence to issue legally binding orders; 20 notification schemes will become the rule, licensing the exception; 21 and, to a greater extent, these notification schemes will involve a duty for data controllers to inform not just data protection authorities of the basic details of their operations but also the data subjects. 22 Nevertheless, it is extremely doubtful that we will see, at least in the short term, complete or even near-complete uniformity achieved in the data protection Compare the specific requirements for transactional anonymity laid down in ss 3(4) and 4(1) of the federal German Teleservices Data Protection Act of For an overview of these provisions, see LA Bygrave, Germany s Teleservices Data Protection Act (1998) 5 Privacy Law & Policy Reporter, pp In this respect, note, for example, Victoria s Data Protection Bill 1998 which makes express provision for a principle of anonymity in its list of Information Privacy Principles. See also Principle 8 of the Australian federal Privacy Commissioner s National Principles for the Handling of Personal Information (Sydney: HREOC, 1999, revised edition). See generally Bygrave, supra note 3, chapt 3. See particularly Art 28(3) of the Directive. See Arts 18 & 20 of the Directive, together with recital 54 in the Directive s preamble. See particularly Arts of the Directive. 5

6 regimes of these states. The EC Directive has given too much reign to the principle of subsidiarity to be able to achieve such uniformity. 23 A large question mark hangs also over the ability of the Directive to bring the data protection regimes of non-european states largely in line with the EU/EEA pattern of data protection. With the threat that EU/EEA member states will prevent, pursuant to Art 25 of the EC Directive, transfers of personal data to countries without adequate levels of data protection, there is now greater legal (and economic) pressure on countries like the USA, Japan and Australia to enact laws more closely resembling the European model. But we should not overlook the possibility of one or more of these countries governments (particularly that of the USA) thumbing their noses at the EU in defiance of the adequacy criterion laid down in the Directive. The extent to which this might occur is likely to depend on how stringently and consistently the adequacy criterion is applied, 24 together with the extent to which implementation of Arts of the Directive is found to conflict with the 1994 General Agreement on Trade in Services. Other factors might also prove significant, not least the extent to which business enterprises in, say, the USA tire of having to cope with the patchy, sometimes uncertain and inconsistent legal regimes for data protection in that country. Finally, we can discern some shift in the regulatory focus of data protection laws, or, perhaps more accurately, consolidation of such shift. An important example here is the EC Directive s focus on the processing of personal data rather than the establishment and use of personal data files a focus already present in, for example, the OECD Guidelines. Another important example is the Directive s focus on manually processed data in addition to automated data processing again a focus already present in the OECD Guidelines. Yet another noteworthy example is the Directive s explicit encouragement in Art 27of the creation of sectoral codes of practice again something already anticipated by, for example, the OECD Guidelines and, more indirectly, the various data protection recommendations of the Council of Europe. This encouragement, though, is offset by a lack of consensus and certainty over exactly what sort of legal function such codes are to have vis-à-vis data protection laws within the EU. Further, there is a discernible trend away from comprehensive licensing regimes to requirements for mere notification/registration of data-processing operations. This is a development in which anticipatory, paternalistic control 25 by data protection authorities is giving way to (though is not necessarily extinguished by) more reactive control on the part of such authorities. This development is offset by enhancement (at least on paper) of the opportunities for participatory control: 26 data subjects access rights are supplemented See espec Art 5 of the Directive, together with recital 9 in the Directive s preamble. See also S Simitis, From the Market to the Polis: The EU Directive on the Protection of Personal Data (1995) 80 Iowa L Rev, pp 445, 449. See further G Greenleaf, Death of the EU Privacy Directive? Choppy waters in the Safe Harbor (2000) 6 Privacy Law & Policy Reporter, pp By paternalistic control is meant control exercised by governmental agencies (primarily data protection authorities) on behalf of, and supposedly in the best interests of, citizens (data subjects). By participatory control is meant control exercised by citizens themselves. 6

7 by more extensive notification duties for data controllers, 27 and there is greater readiness to make the consent of data subjects a prerequisite for certain kinds of data processing. 28 Certainly, this gives individuals more room to determine for themselves the manner and extent to which data on them are processed, though it does not necessarily mean that individuals will act to delimit such processing or that such processing will decrease. Moreover, data controllers will often be able to avoid the consent rule because of the existence of broadly drawn, alternative requirements for the data processing in question See particularly Arts of the EC Directive. See, for example, Arts 7 8 of the EC Directive. See, for example, Art 7(b) (f) of the EC Directive. 7