Data protection law - An Introduction
1. The formulation of the right of informational self-determination is a gigantic step in the history of data protection, but it is not the last step. In Germany the decision caused a shock in the administration, which was followed by legislative dumping. In Bäumler’s opinion, during sectorial legislation – which applied primarily to the amendment of regulations concerning criminal investigation and national security work – the administration managed to reach a situation in which the adopted acts “acknowledged” the existence of the already functioning information systems; the legal regulation of the status quo was successful without significant compromises.83 Bäumler’s summary of the years following the 1983 Census Decision of the German Constitutional Court is very intriguing:
“But while data protection... was winning one battle after the other, the forecasts that seemed strange at the top of the ‘census-euphoria’ became increasingly justified, according to which data protection is heading towards the deepest crisis in its history. [...] The content-related questions of data protection were gradually replaced by questions concerning the legal basis [questions that may be posed comfortably, but are rather uncomfortable to the party that is supposed to answer them]. It was easy to achieve success during the time when the legal bases were missing everywhere. But in the long run the price has proven to be too high: by stubbornly insisting on the missing legal bases, data protectors managed to prevent efforts that were most reasonable in their intent. However, as soon as the legal basis was there, a number of citizens were surprised to see the position of the administration ensured perfectly even in cases which seemed strikingly unacceptable to them from a legal point of view. While data protectors hindered everything and citizens were facing the ineffectiveness of data protection, the image and authority of data protection was damaged in this paradoxical situation, and has not recovered still.”
Data protection based on informational self-determination proved to be a “toothless paper tiger,” the toy of the upper-middle class.84 Mayer-Schönberger vividly describes the situation where the most important legal basis for the control of personal data is the individual’s consent, which citizens can give due to their right to informational self-determination. This consent is usually given to data controllers who are economically superior and in a better bargaining position, so in reality data protection does not function as a mechanism protecting privacy. The majority “…routinely and unknowingly contracted away their right to informational self-determination as part and parcel of a business deal, in which the right itself was not even a ‘bargaining chip’ during negotiations. But, since consent of the data subject had to be sufficient ground to permit information processing if one takes seriously the right to self-determination, such contractual devaluations of data protection were legally valid …” The right to informational self-determination in these circumstances “remained largely a privilege of minorities, who could economically and socially afford to exercise their rights, while the intended large-scale self-determined shaping of one’s own informational image remained a political rhetoric”.85
2. Is it therefore possible that the situation is no better than in the United States? Schwartz examines the alternatives that appeared in the United States concerning privacy protection connected to data processing on the internet. These solutions are offered by the market, industrial self-regulation as well as legal regulation. In Schwartz’s opinion industrial self-regulation is the most popular, but he personally argues for the necessity of legal regulation.86 The reason is that the “guarantees” of privacy protection offered by the marketplace actually do not exist in cyberspace (either). Schwartz claims that the majority of data subjects are unaware of the possible uses of their personal data and the market value of these data, so they cannot enter a negotiation when their consent regarding the use of data is at stake, and the agreements made this way reflect the interest of data controllers (“knowledge gap”). The other reason concerns the circumstances of granting consent: in most cases it is not based on sufficient information (in other words the consent is not “informed”), and in many cases voluntariness is also questionable (for example when the operator prescribes that accepting the data protection policy is a condition for viewing certain web pages – “consent fallacy”). This is why the market in itself cannot provide an adequate protection of privacy (in Schwartz’s system the implementation of the principle of fair information practices).87 Although it is clear that the European citizen is in a more favorable position – data controllers have to comply with several basic principles of data protection law (such as relevance to the purpose, necessity, etc.) – the basic problem, consent fallacy, remains even in case of systems based on the right of informational self-determination.
All these issues can be clearly seen while analyzing the problems concerning the enforcement of the Hungarian data protection act, which can be seen as a typical example of second generation norms. The inquiries very frequently do not go beyond a formal examination of the legal basis;88 in case of data processing based on consent, and primarily in business, the data protection authority tries to help the individual – who is defenceless against the large data processing organizations and frequently faces the worthlessness of his right to informational self-determination – with forced solutions, with complicated and sometimes incorrect interpretations of the law.
3. The effective application of the second generation norms based on the right to informational self-determination was hindered not only by the weak position of the subject against data controllers. By the 1990s the world of centralized databanks was over and the age of micro-computers connected to a network began. The international computer network, the mass application of the internet, the constant decrease in the prices of computers, and the appearance of digital data carriers with increasingly larger capacities led to a situation in which everyday life was pervaded by ubiquitous electronic data processing and storage. These changes created a radically new environment for privacy protection.
Data protection was an appropriate tool for regulating centralized databanks. Within the new context, however, technology has in many cases got round legal regulations, and their implementation has become increasingly difficult.89 Data protection as a new and effective way of protecting privacy was a thing of the past: the rigid implementation of outdated rules could only deepen the loss of prestige described by Bäumler. New, extra-legal tools appeared for the effective protection of privacy, which themselves were subject to legal regulations.
The following two examples will be presented as illustrations of the narrowing scope of privacy within the new circumstances.
4. The company registry serves the interests of creditors: the data of companies should be accessible for the security of trade, including the data of natural persons: partners, persons authorized to sign, leading office-holders or members of the supervisory board. Naturally, the persons affected in this case cannot refer to their constitutional right to prevent inspection. The inspection is usually tied to a purpose only from the company’s side, and thus it is lawful.90
In practice the possibility of electronic data processing makes the implementation of this rule very difficult. To our knowledge there is a CD-ROM database that has been created relying on the data included in the company registry; this database makes possible a so-called “overall search”: with such a method the user can search for a given phrase in all fields of the registry. It is easy to conduct a search in such a way that in the end we get the list of shares of a given person. With such searches we may arrive at information that, through the traditional use of the business registry, could be obtained only by people who are appointed by law. Data protection authorities could, naturally, suggest to the distributors of the CD-ROMs that they pay attention and leave out such search functions, but with only a slight modification of the software such options may be created individually as well. The distribution of such CDs might be banned, but with proper devices it is not too difficult to make an electronic version of the data that are published in the official journal, and thus the search is again made possible. As can be seen, technology in this case rearranges a traditional institution – the publicity of the company registry – and limits the protection of personal data to a greater extent than necessary, and at present there seems to be no solution that could remove this unintended consequence of digital data processing.
5. The second example is connected to the institution of exemption known from criminal law. According to criminal law no negative legal consequences of the conviction may be imposed upon the convict.91
The idea behind the institution of exemption is that the perpetrator is given the possibility of reintegration into society, and it reflects the opinion according to which the perpetrator is capable of such reintegration. At the same time collecting actual data into a continuously updated, huge and searchable database of an international computer system might make the actual functioning of the institution of exemption difficult. According to the effective criminal procedure law the court announces its decision publicly even in case the public is excluded from the trial.92 Naturally, the local newspaper may cover the event, and the article may enter the electronic database of the newspaper, and remain retrievable for decades. Data are accumulating on the internet: although the present norm (IPv4) is gradually being replaced by a new one (IPv6),93 the Internet based on the earlier norms will be, so to speak, “assimilated” by the new one; in other words the data content of the enormous database will remain. How is it possible to avoid the situation in which the employer seeking employees relies on internet browsers to filter out previous convicts? The institution of exemption may easily become empty: a highly sophisticated legal regulation is needed to guarantee the enforcement of the rights of the individual. “Oblivion” does not exist any more, the barriers to cross-checking data cease to exist. Any information that has ever been publicized on the internet may be matched with any other such information. There are already certain projects with the goal of regularly saving the entire data content of the internet, and ensuring a technology that makes searches available not only within the data content contemporary with the search, but within a given time or timeframe in the past.94 Is the solution perhaps the enforcement of norms prescribing the publishing of corrections?95 Or is the answer the right to deletion granted by data protection regulations? Not likely.
The goal of exemption is granting exactly the possibility of “tabula rasa” for the convict, creating a situation in which he does not have to deal with his past, while the enforcement of the above legal tools forces him to account for his deeds. In case a person concerned lived at two different places, one place at the time he committed the crime and another one where he returned after serving his term, he could count on the possibility of starting a new life at the time the institution of exemption was formulated. The scope of privacy, however, has narrowed down due to the internet, which offers a never-ending presence and is available to everybody: the solution could perhaps be provided by a legal regulation making a distinction between, on the one hand, present-time, temporary publicity (the publicity of a trial, or perhaps even the publicity offered by paper-based media that make the fast cross-check of information difficult) and, on the other, forms of publicity that render eternal availability (in human standards) to information that would otherwise be forgotten.
6. Technology that permeates everything thus narrows the scope of privacy; apart from the legal protection of privacy, new, technology-based methods of protection appear as well, and the second generation data protection norms require a reform: within the new circumstances their institutions in certain cases are explicitly dysfunctional. An example illustrating the anachronism of these norms is the obligation to register in the data protection registry. This obligation appeared at the initial phases of data protection regulations: the obligation for registration and even applying for a license for a databank was a basic requirement at the time of large, centralized databanks. But the regulations of data protection registers changed while accommodating to the circumstances, and the regulations acknowledged an increasing number of exceptions. But the fact that data processing in an electronic environment has become a daily routine may make even these less strict norms outdated.
According to the dominant legal practice of EU member state data protection authorities, IP addresses qualify as personal data if they can be associated with a particular natural person. If this point of view is accepted, the following question arises: based on the applicable law on data protection, is there a need to register these logfiles (and we should stress here that such files are used by a high percentage of web servers, and are required for the sake of system security) in the data protection registries? In this case the legislator imposes a task on a large community of server operators, which I consider to be unfair: it is certainly reasonable to differentiate between masses of transaction data arriving within the structure of the internet on the one hand, and data that may indeed be associated with a person involved, and thus being more “sensitive data” on the other.
In the context defined by the new technology, as we can see, the scope of privacy narrows, and according to a top manager of the information industry, it has actually disappeared.96 Some provisions of the data protection laws are not put into practice, while data controllers who, in turn, massively ignore these rules, are burdened with unnecessary tasks. What is the way out? Is it new legal regulations? Is it the application of privacy enhancing technologies (PETs) that have been a popular topic in literature, but have shown no significant results? Perhaps a combination of all these tools?