JILT 1998 (1) - Peter Blume
The Citizens' Data Protection
Peter Blume
Peter.Blume@jur.ku.dk
Contents
Abstract
1. The Problems
2. The Public Sector
3. The Private Sector
4. Conclusions
This is a Refereed Article published on 27 February 1998.
Citation: Blume P, 'The Citizens' Data Protection', 1998 (1) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/infosoc/98_1blum/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1998_1/blume/>
Abstract:
The purpose of this article is to discuss how data protection rules should be drafted in order to give the interests of data subjects primary importance. Basic general problems, such as the difficulty in assessing what data subjects view as private and whether data subject consent should be sufficient to legitimize data processing, are considered. Examples are taken from Danish law and cover matching, the purpose limitation principle and direct marketing. Both the public and the private sector are included in the considerations.
Key words: data protection - EU directive - citizen's rights.
1. The Problems
The starting point of data protection is the desire to shield the citizen. Its purpose is to ensure that personal data are not processed in ways which make it likely that personal integrity and privacy will be infringed or invaded. Seen from the perspective of the citizen, data protection law is accordingly very important. It can promote a satisfactory balance of legal rights in the information society and thereby ensure that such a society becomes acceptable viewed from the perspective of the individual citizen. In many of the general information society blueprints, agendas etc., privacy is emphasized. It is well known that modern information technology potentially can reduce the private sphere of citizens and that this risk has to be avoided in order to ensure that the new society corresponds with democratic traditions and values. However, this assumption is not necessarily stated in the plans for the sake of citizens but maybe more with the purpose of ensuring that modern technology will be used to its full potential. An active policy and awareness by and on behalf of citizens is constantly a necessity. A main problem in this respect concerns what forms of regulation actually benefit citizens and how their interests can be determined.
From this perspective it is appropriate to consider whether the interests of citizens are satisfied in the data protection law we know today. This is in particular appropriate as EU directive 95/46 is required to be implemented in the member countries before October 24 this year. It is unlikely that further major changes in European data protection law will occur for some years after the transposition.
In some ways it could seem unnecessary to consider such questions. As data protection is in the interest of the citizen this regulation must as a starting point be acceptable. As is well-known life is not that simple. There are many opposing interests that are active within this field and it is a constant battle to ensure that these interests are balanced and that those of citizens are sufficiently protected. In this respect it is well-known that the interests of citizens are often taken for granted and that legal policy discussions often focus on the modifications of privacy with the consequence that the resulting legal regulation does not always provide the ideal protection. This is due to the fact that data users/controllers are better represented in the policy discourse than data subjects, who in some senses have no natural representatives.
It is this situation that creates opposition and pressure against data protection that can be observed in most countries. A satisfactory balance of interests can accordingly be very difficult to maintain. This general problem is included in this article taking its starting point in different specific data protection issues leading to some concluding general observations. The article does not merely confront data subjects and controllers but also takes a closer look at the data subject trying to determine what his interests are, whether they are common or individual and whether the data subject is able to manage his own rights. These considerations demonstrate the complexity of the regulatory situation.
Before embarking on this journey it is appropriate to take a further look at the opposing interests this time with emphasis on the controllers. Both in the private and the public sector there is a huge interest in utilizing personal data. This is to some extent not a new phenomenon but it can, however, also be seen as a natural consequence of the information society. It is evident that many authorities and corporations cannot function without access to personal data. With this background it can be assumed that there is a societal need for personal data. To what extent this exists however has to be assessed case by case. It should not be taken for granted and sound reasons must sustain the interest in using personal data.
The starting point taken here is that personal data belongs to the data subject but that there can be situations in both public and private sectors where it is necessary that others use these data. It then depends on the underlying reasons under what conditions this can be allowed. This test should always be carried out not just with respect to the general rules but also in the concrete application of the rules. This is particularly important as data protection rules often are legal standards with no evident legal meaning. They have to be interpreted and often only acquire their real meaning in practice.
2. The Public Sector
In principle, public authorities in democratic societies act on behalf of the citizens. Although the notion of privacy is in many ways linked to the citizen-state relationship, it is a natural presumption that public authorities can process personal data as this is necessary for the tasks they have to perform under statute. It is however well-known that the authorities can easily infringe privacy and that in all administrative systems there is an urge to collect, store and use data, an urge which must be curtailed by legal regulation. This is one of the functions of traditional administrative law and extends to data protection law.
It is often very difficult to determine the extent of legal limitations and in the following sections one of the most complex and important questions in this respect will be discussed. This concerns the diffusion of data within the public sector, which includes both ordinary disclosures and matchings. The following analysis is based on developments within the public sector in Denmark, but similar problems exist in all developed countries. It should however be mentioned that Denmark is probably the country in the world with most registers containing personal data in the public sector. This is mainly due to the complexity of administration of the Danish social welfare state with its expansive and detailed legislation. In this respect it should be noticed that each time a new right is instigated in social law it is made legitimate to process new kinds of personal data.
The extensive collection of personal data makes it natural to consider how these can be utilized on a broader scale. Traditionally the different registers have been linked to individual authorities each one having their specific tasks. Disclosure of data to another authority or with the purpose of being used for another kind of task has required authority in the Data Protection Act or another statute. Matching is treated in the same way as other forms of disclosures. The starting point has been that disclosure should only take place in few cases and that it was fundamental that usage of the data be determined by the purpose of the file. This fundamental structure is now threatened by technological developments such as networks and personal computers. The possibilities of diffusion have largely increased and this coincides with the aforementioned administrative urge to use information. These developments encourage a policy of free sharing of personal data within public authorities.
It is interesting to note that it is often argued that such a situation will be beneficial for citizens. There are two reasons for this point of view. First that citizens will only have to provide the same information once to the public administration.[1] The nuisance of having to answer the same questions from different authorities is avoided. This means a better service. Secondly free diffusion will mean that administration becomes more cost-efficient and thereby cheaper implying that taxes can be reduced.
These arguments are interesting because they aim at confronting the interest of privacy with other interests of the individual. They might show that it is not easy to determine what is in the interest of the individual. In particular the tax argument is interesting as it puts focus on the collective interest of individuals. It should in this respect be maintained that privacy is linked to the single individual. It is an essential characteristic that this right is individualistic and it should as a starting point not be subjected to collective interests. Such arguments can be relevant but not with respect to the assessment of the individual's interest. In other words in an actual case the considerations of administrative efficiency must be placed on the other side of the balance when a data protection regulation is drafted. It should however be mentioned that there are situations where individuals do not have the same interest or where this is ambiguous. Examples are given below. Here it is not always possible to regulate in a way that suits everyone. This does not however mean that the collective interest overrides that of the individual.
More generally it can be observed that the idea of free diffusion of data in the public sector is one of the most feared when seen from a data protection perspective. It would mean that the state (central and local government) was one big entity and that it in many ways will become non-transparent in relation to how personal data are being processed. This observation means that such a development must be opposed and it is likely that this will be one of the most important legal policy issues in the future. In this connection it should be added that this issue cannot be fully resolved by way of statutory rules and accordingly will involve a day to day legal policy struggle.
Closely connected to this is the fundamental purpose limitation principle, now stated in article 6 (1b) of the EU directive. This well-known principle cannot in general be defined precisely by a legal draftsman and is dependent on practice. The developments described above can be viewed as an attack on this principle which, from the viewpoint of citizens, is essential as constituting the key to transparency. An important task for data protection law is to consider how to ensure that the requirement for purpose specification is taken seriously and actually does provide the necessary transparency for citizens. The difficulties are that the consequences of the principle are dependent on practice and the attitude of the national supervisory authority. It is this authority that can promote the interests of citizens by a firm policy towards authorities who want to use broad purposes when collecting data, thereby gaining freedom of processing. The supervisory authority does not have an easy position as, whilst it will have to make decisions that will be strongly opposed, it normally does not have sufficient powers to apply in the public sector. It is accordingly important to monitor the practice of the authority closely and also to support the efforts it is making. Such open and broad support can strengthen the position of the authority and thereby sustain the purpose limitation principle.
This is in other words an example of a citizen oriented principle that can only function if it is constantly upheld and defended. This is in many ways typical for many data protection principles. It is not sufficient that they are stated in statute law. This is just the beginning of the protection. This observation is particularly important as it focuses on the intentions of legislators. It must always be evaluated whether their intention merely is to make fine sounding law or whether they truly want their provisions carried out. This should not be taken for granted and there is always a risk that the principles become dead letter law. It must be recognized that it in many cases will be difficult for the supervisory authority and the courts to prevent this situation.
With respect to the public sector it is important to notice the social dimension of data protection law. It is interesting to consider which citizens are being protected by data protection law in this sector. The answer is from the outset fairly simple. It is the citizens that have information processed. Apart from certain areas such as taxation, it is interesting to notice that it is primarily underprivileged parts of the population whose data are processed by public authorities. It could be argued that, seen from this perspective, data protection becomes part of social law.
From this observation it follows that the protected citizens are characterized by being unable to defend their own rights. It is well-known that they have difficulties in communicating with the authorities and that they often fear such communication. In particular they have difficulties in understanding and using official language. Many citizens are communicative 'have nots'. An example might be a request for access where the weak citizen will feel that he troubles the authority and consequently will not file such a request. This is in particular evident when the civil servant receiving the access request is the same person who decides whether the citizen should be granted social benefits.
More generally it can be assumed that the many rights that are given to citizens cannot in practice be used by many individuals. This is a disturbing observation. It is tempting to conclude that these rights cannot be dependent on the initiative of the individual citizen. This, of course, challenges a basic assumption within data protection law which makes data subject consent the primary condition of data processing. It seems logical that processing of data can take place when the citizen unambiguously consents as the rules actually protect the citizen. However, this line of thought presupposes that the citizen is both informed and can freely decide whether he wants to give his consent.
If this is not the case, the notion of consent will often be an illusion and this makes it necessary to make processing dependent on other conditions. In current Danish law sensitive data can only be processed when this is necessary[2] and it is accordingly not sufficient to have consent. Unfortunately this will probably be changed due to the EU directive in which article 8 makes consent a sufficient condition unless otherwise stated in national law. With this in mind it becomes an important policy issue how to ensure that true consent is actually given (see also article 2b). This seems to be very difficult as it is not possible to monitor all processing situations. It is also a complication that consent does not have to be in writing although even this would not fully solve the problem. The main requirement must be the provision of information to the data subjects. In this it should be emphasized that a data subject is never obliged to give his consent and that this should only be given in a defined way in order to limit the amount of data that can be processed. There is little cause for optimism with respect to the effect of such information. It must be accepted that in practice there will be many cases where data are processed in reality against the will of the data subject.
This disturbing fact should not lead to the conclusion that there is no need for data protection law. It must be assumed and in most cases it will be correct that public authorities aim at complying with the law which means that personal data are more secure than they would be without this regulation. The main message is that formal data protection law is not the final word in the fight for privacy in the public sector, it is just the starting point.
3. The Private Sector
Many of the general observations made in the previous section also apply to data protection in the private sector. In particular it is always important not to be impressed by the drafting of the formal rules. The main questions arise in practice. From a general point of view the private sector is interesting because the main theme concerns protection of citizens' privacy in relation to other citizens and organisations of citizens, including corporations. This can be seen as a totally different ball game and it has often been discussed whether the state should intervene in this relationship. Today it is recognized in Europe that such intervention is necessary but it is still possible to view the specific issues differently from those in the public sector. In particular it must be observed that promotion of privacy often implies a limitation of the freedom of others. This simple consequence must always be considered when the actual regulation is drafted.
In this connection the question of costs should also be mentioned. It is often argued that data protection is expensive and that this in itself means that an ideal regulation is unwanted. Even though costs often are exaggerated the argument has some substance. It focuses on whether the individual owns his data and others therefore have to pay a price for using them or whether ownership must be seen as limited in some way. In many countries current law can be seen as a combination of these two assumptions. The data subject cannot in many cases prevent processing of his data but the controller has a duty to provide access and in some situations certain kinds of information. It could be a general starting point that private enterprise needs to be able to use personal information and that this in many cases must be accepted for societal reasons but that this information must also be seen as a commodity that has to be paid for thereby resulting in general costs. It can of course always be discussed how high this price should be but this is mainly a practical issue. As indicated above the costs are normally in reality quite modest.
Before taking a look at some specific issues it can be concluded that personal data can be processed in the private sector but that this presupposes that certain conditions are fulfilled in order to ensure privacy protection. In general the individual citizen has a right to privacy in the private sector and this right is just as strong as in the public sector. This is from the outset well accepted in Western Europe but less so in countries such as the USA. Globally it is still a task to promote this point of view.
One of the most controversial uses of personal data is for the purpose of direct marketing. This is an application that is suitable to illustrate many of the general problems facing data protection in the private sector. It is also somewhat complicated because it includes another field of law, consumer protection. First of all it must be considered whether direct marketing can infringe privacy? This is not an easy question to answer. Such marketing can take place in many forms, e.g. mailed advertisements, phone calls, fax, e-mails. How these methods should be assessed is mainly a consumer question but it seems a reasonable starting point that it is only in those situations where the consumer and the marketing firm are in direct contact that privacy can be invaded. It is fairly easy to regulate those situations and it is not in this respect that the data protection issues are at stake.
There can be certain kinds of marketing that in themselves infringe personal integrity. These are cases where the promoted message is sensitive, e.g. pornographic material. It seems to be a simple rule to state that marketing that can indicate sensitive data must only take place with explicit consent from the data subject.[3] Leaving these special situations aside it is still doubtful whether the normal kinds of marketing are privacy infringing. It could be argued that the receiver of such marketing can ignore it, and the fact that personal data has been used to sustain the marketing activity has no consequences for the data subject. It seems from the outset clear that all data subjects do not view this situation in the same way. Some people view marketing as an infringement, some people welcome the information, and again others do not care. If data protection should be based on the opinion of citizens it would be impossible to make a regulation.
This is an observation that has general interest. In many cases privacy is an individualistic notion and except for a small inner core there are huge differences as to what is seen as private information and which purposes are viewed as potentially dangerous. This must be seen as a complication for a legal regulation that aims at protecting the individual. It is not possible to declare a stalemate, and it must be decided whether the fact that some people view a particular procedure, e.g. marketing, as infringing should mean that it has to be curtailed. This must in most cases be the result but the stated conditions for processing must then depend on an assessment of how many are opposed to the actual processing.
In the case of marketing this approach can favour a fairly lenient approach. The main division within legal policy is between an opt out and an opt in solution and it seems clear that opt out, i.e. the data subject has a right to demand not to have his data used for marketing purposes, is the solution that best fits the divided feelings towards marketing (see now article 14 of the directive). It should be added that such a regulation faces similar problems as mentioned in the previous section. Not all data subjects will be able to use this right but on the other hand there will seldom be a situation where the data subject does not feel free to do so. There is no dependency towards the firms that wish to market their products.
Another interesting case concerns use of data in credit reporting. It is interesting to notice that the EU directive does not include specific rules in this respect but this is probably due to the fact that the Commission is considering a special directive. The general directive does of course apply but there are many specific issues that have to be dealt with in statutory law which is also the case in many countries, including Denmark. Credit reporting is interesting because personal data are being processed for a purpose which in many cases is against the interests of the data subject. Credit reporting can lead to rejection of credit and this is of course an unwanted situation seen from the perspective of the data subject. Credit reporting illustrates a situation where the collective interest overrides the interests of the individual. The economic system is based on credit being given and it is evident that creditors need a certain amount of assurance in order to be willing to provide credit. It must accordingly be accepted that personal data can be processed for this purpose and that this cannot presuppose consent from the data subject.
With this background, the regulatory problem is to determine the conditions of processing in order to ensure that privacy is protected. As an example it can be mentioned that it follows from article 8 of the directive that national law can provide that sensitive data cannot be processed regardless of whether such data would be relevant with respect to credit reporting. It is not the purpose here to discuss or assess the detailed regulation of data processing in credit reporting. It is sufficient to emphasize that in the private, as in the public sector, there are situations where data protection cannot solely be based on the interests of the individual data subject.
In the following paragraphs I will discuss a special problem, which is regulated in Danish law. It concerns recording of the numbers of phone calls made from corporations. As a starting point this falls within the normal powers of the employer who has an interest in controlling that phones are not used for private purposes. However such recordings can be viewed as an intrusion in the privacy of the employees who are being surveyed. For this reason Danish law prohibits automatic recording of the full number called from a corporation. It is likely that this rule will be upheld in the new legislation that implements the EU directive.[4]
This example illustrates the well-known situation where two private interests are in conflict. It is a good example of how the data protection interest can be given priority and that it is possible to ensure some forms of privacy through exact rules. Furthermore it should be noticed that the individual data subject does not have to do anything to be protected. In the work environment it is clear that it will be an illusion to base a regulation on consent etc. as the employee will not in reality be free to make a decision. As previously indicated it will in many cases be best that data protection does not solely depend on the decision of the data subject. This will not ensure sufficient protection.
4. Conclusions
Privacy is in many ways a personal matter. Data protection aims at protecting individuals but it is uncertain to what extent they want this protection and whether they are able to ensure that it works in practice. There is no doubt that there is a core of information that is private but there are also many issues which are uncertain. Accordingly it is not easy to design a system of data protection that both meets the needs of data subjects and can function in practice. It is necessary to make assumptions and to make general decisions on the level of protection. As there are strong arguments for the possibility of data processing, a policy that favours the interests of data subjects faces difficulties. This is especially the case as there are no clear representatives for data subjects who can argue their case.
There is of course no reason for despair as there are well developed rules today and as privacy is high on the legal policy agenda for the information society. However, it must be recognized that many of the rules rest on quicksand and that this uncertainty in the long run can undermine the protection. There is no obvious solution to these problems. It does not seem likely that data subject surveys etc. will be able to solve the problems. They can provide indications of the attitudes but hardly a basis for regulation.
The conclusion is that the interests of data subjects have to be defended by the supervisory authorities and privacy advocates (academics etc.). This has to be done on the general assumption that privacy and data protection is in the interest of the average citizen and in the long run sustains an acceptable society.
Footnotes
[1] In the Danish report Info-society 2000 (Copenhagen 1994) it is stated as a principle that 'Information which has already been submitted by citizens and companies to a public institution, and which can be transferred electronically, shall not be requested by another public institution again'. (33)
[2] Section 9 (2) in the Public Registers' Act (consolidated no 654 of 20. September 1991).
[3] This also follows from article 8 (2) of the EU-directive. The opt out model in article 14 (b) presupposes that the data can be processed lawfully.
[4] In the Danish report Info-society 2000 (Copenhagen 1994) it is stated as a principle that 'Information which has already been submitted by citizens and companies to a public institution, and which can be transferred electronically, shall not be requested by another public institution again'. (33)