Data protection law - An Introduction
2. The notion of data protection

1. The notion of data protection (Datenschutz) became widespread from the 1970s onward, signifying a new type of protection compared to earlier personality rights. This new protection, according to data protection regulations, applies to (usually) natural persons not only regarding specified types of data (portrait, sound recording), and it is usually not restricted to “sensitive” data, nor does it have to be matched with the consequences of data abuse. By way of introduction it seems useful to propose a definition of data protection, to specify the term as understood within the scope of the present study, and to set out the relation of the term to other notions that are often used as synonyms of data protection.30

2. The concept of data protection is often treated as part of privacy protection, or, quite to the contrary, as opposed to it, as a specifically European (legal) solution to a problem which contributed to the appearance of the “right for private life” in American constitutional law. In my view several – legal and extra-legal – tools and methods of privacy protection may be distinguished, and the notion itself may be applied to a far wider category of phenomena than data protection – data protection might be understood only within the framework of privacy protection as a legal tool of privacy protection, born within a given social and technical context. We should also not disregard the fact that the notion of privacy is used today in a much broader sense in American legal thinking – as I have referred to it above, as a result of the development it has gone through since the end of last century, by now it can be interpreted as the equivalent of general personality right. This protection existed already before the appearance of data protection: privacy protection was provided by extra-legal, natural boundaries, or the extra-legal system of social norms.
Following the appearance of data protection these tools may be (and are) applied continually. Data protection as a specific legal protection appeared as a result of the weakening or disappearance of some natural boundaries that earlier ensured the protection of privacy. In recent years, however, parallel modes of privacy protection have regained their earlier significance – this phenomenon might be understood as the crisis of data protection. On the one hand, this crisis is prompting efforts to renew data protection as legal protection; on the other hand, it widens data protection regulations, because the size of other (mostly technological) measures and tools serving privacy protection is increasing (on this issue see below the part on data security). Data protection, thus, may be interpreted within privacy protection according to the following:

3. The right of informational self-determination is “the right of the individual to have a basic decision over the rendition and use of his personal data.”32 In the literature data protection is very frequently identified with rules ensuring the right of informational self-determination.33 I disagree with this view – as I argue below, when discussing the history of data protection, the concept of the right of informational self-determination is a much later development compared to the appearance of data protection (namely the appearance of the legal protection realized through the regulation of processing specific, personal data of individuals), and its appearance can be linked first of all to the Census Decision of the German Constitutional Court of 1983. Data protection cannot be identified with the right of informational self-determination, since the early data protection laws did not ensure an individual any disposal over his personal data. Although the appearance of the right of informational autonomy is a significant milestone in the history of data protection, it is still wrong to claim that the development of data protection cannot go beyond the basic principles of the right of informational self-determination. There is a view according to which data protection based on the right of informational autonomy is undergoing a crisis, and that the latest generation of data protection regulations is based on the right of informational self-determination only nominally.34 Thus, data protection includes all regulations that, via the regulation of the treatment of an individual’s personal data, aim at the protection of these data, irrespective of whether this regulation ensures the right of informational self-determination of an individual or not.

4. While data protection is a tool of privacy protection, and as such, is aimed necessarily at the individual, the object of data security is data themselves.
Data security means the protection of the integrity and confidentiality of data, irrespective of the information content and legal qualification of data.35 Data security is served by technical and organizational measures, which might be stipulated both by legal and extra-legal norms. Data security regulations are applied by several legal norms; one example is the legal formulation of data security regulations concerning qualified data (secrets of state and intelligence). There is a complex network of connections between data protection and data security. The two most important elements of this network are the following:

Apart from technologies enhancing data protection there are those that serve privacy protection specifically: these are privacy enhancing technologies (PETs). Privacy enhancing technologies may be technologies enhancing data security as well, but the aim of these solutions is not a general protection of data content, but the protection of privacy with technological and organizational solutions. The notion of privacy enhancing technologies in this article follows the definition of Burkert, according to which the phrase “refers to technical and organizational concepts that aim at protecting personal identity”.36 The legal framework of the technological protection of privacy is frequently influenced by legal regulation of tools and methods which cannot be considered exclusively privacy enhancing technologies (such is, for example, “strong” encryption, which might be used for encrypting any data content).

5. Freedom of Information (FOI) means that the so-called data of public interest (which are defined differently in different national legislations), namely data in possession of government bodies or bodies carrying out public tasks, qualify as public data, as data available to everybody, with the exception of specific instances. Data protection and freedom of information, the legal regulation of data concerning individuals and the efforts targeting the public availability of government data have been linked historically. The first generation data protection norms, as will be presented below, were not aimed directly at regulating personal data processing, but rather at a state regulation of technological applications.
The excessive size of databases available to the government and the systems capable of processing the data in an effective way were threatening not only the privacy of the individual, but the traditional division of power as well: there was a need for creating a new, “informational division of power.”37 Some first generation norms made the mass of data compiled by the administration available to legislation (and bodies of local representatives).38 Data protection and freedom of information are regulated within a single act in an increasing number of states, taking into account their relatedness, thus creating an overall “regulation of information”.39

6. Based on the above, the notion of data protection in the present study is understood in a general way, according to which it is a legal protection which aims at the protection of the privacy of individuals via regulating the processing of data that may be associated with them (personal data), while the collection of legislative provisions regarding such regulations is considered as data protection law.

7. The right to data protection, especially in Hungary, is treated in the literature frequently as the right of access to data of public interest, that is, as the twin-right of freedom of information: data protection and the freedom of information are the two basic "information rights".40 In Hungary the common codification of data protection rights and the right of the freedom of information was successful, and the competence of several other European data protection commissioners now includes enforcement-related issues concerning the right of the freedom of information.41 According to another understanding, apart from the legislation concerning data protection and the freedom of information, norms regulating other issues, for example the so-called “secrecy right” (the rules of managing qualified data, i.e.
state secrets and official secrets), legal regulations concerning electronic documents and provisions concerning data security together would form “data management” law or “information management” law.42 The object of the legislation concerning information management is not personal data, but rather data (information) independent of the data carrier, the management of which is regulated by the given areas of legislation for specified reasons (protection of privacy, interest of national security etc.). The advantage of this concept is that the individual data controllers face a coherent network of norms applying to different objects of regulations, which would facilitate law enforcement. It is no accident that the Hungarian data protection act was defined as “Information Act” at the outset of its codification,43 and that the idea of “information regulation” had appeared in legal thinking already at that time.44 The regulation of data protection and freedom of information appears within the same act, and secrecy right (regulation of state secrets and official secrets) is also connected to this legislation: the commissioner for data protection has a specific authority of secrecy control, while the data protection law serves as background law for the law on state secrets and official secrets etc. Data protection law, therefore, can also be regarded as a sub-branch of “information regulation,” covering not only the protection of personal data and the publicity of data of public interest.