Data protection law - An Introduction
3.3. Globalization: international documents of data protection

1. The need for harmonizing national legislations occurred inevitably after the adoption of the first data protection acts, in order to ensure that these national legislations are not boundaries to the transborder flow of personal data.

As a first development in the globalization of data protection, the Organization for Economic Cooperation and Development (OECD) formulated its data protection guidelines in 1980 (“OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”).63 The special importance of the OECD Guidelines lies in the fact that the United States is a member of the organization, and for that reason – contrary to the EC convention and the EU directive – the OECD Guidelines might be understood as the common denominator between Europe and the United States. The primary aim of the OECD Guidelines is – as stated in the preamble – to avoid the creation of unjustified data protection obstacles to the development of economic relations and the transborder flow of data.

It is a progressive attribute of the guidelines that they apply not only to the automated management of data, but all data management “which, because of the manner in which they are processed, or because of their nature or the context in which they are used, pose a danger to privacy and individual liberties.”

2. The recommendations of the Guidelines concerning data processing in the public and private sectors include the following principles:64

– Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

– Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and up-to-date.

– Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes, and as are specified on each occasion of change of purpose.

– Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified above, except with the consent of the data subject; or by the authority of law.

– Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, modification etc.

– Openness Principle: There should be a general policy of openness about practices and policies with respect to personal data. Means of establishing the existence and nature of personal data should be readily available, as well as the main purposes of their use, and the identity and usual residence of the data controller.

– Individual Participation Principle: An individual should have the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; to have communicated to him data relating to him (within a reasonable time; at a charge, if any, that is not excessive; in a form that is readily intelligible to him); to be able to challenge the denial of his request; and to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

– Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.

The Guidelines also deal with the issue of the transborder flow of personal data: member states may limit the flow of specific data regulated by data protection norms, having regard to the nature of the data concerned as well as to the fact that the other member state does not provide “equivalent protection” for these data.

3. The Council of Europe’s adoption of the 1981 Convention for Data Protection (Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data) was the next step. The Convention applies to “personal data files” and “automatic processing of personal data” in the public and private sectors; but any state may declare that it will also apply the Convention “to personal data files which are not processed automatically”.65

In Article 5 on the quality of data, similarly to the OECD Guidelines, the CE convention states the following:

“Personal data undergoing automatic processing shall be a) obtained and processed fairly and lawfully; b) stored for specified and legitimate purposes and not used in a way incompatible with those purposes; c) adequate, relevant and not excessive in relation to the purposes for which they are stored; d) accurate and, where necessary, kept up to date; e) preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.”

The Convention includes, as its main rule, a prohibition on processing special categories of data, obligations concerning data security, and – again based on the model of the OECD Guidelines – regulations concerning the rights of the data subject. The provisions of the Convention concerning data transfer shall “apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.” The transborder flow of data cannot be prohibited or made subject to special licensing by either of the Parties. A Party shall not, for the sole purpose of the protection of privacy, prohibit the transborder flows of personal data to the territory of another Party or make it subject to special authorization. Nevertheless, each Party shall be entitled to derogate from these provisions “for certain categories of personal data or of personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection,” or “when the transfer is made from its territory to the territory of a Non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph.”

4. Following the adoption of the EC convention, the European Commission took the view that the Convention would solve the problem of harmonization in the EU: in 1981 a recommendation was put forward which encouraged member states to adopt the Convention.66 The reluctance towards legislation was not without reason: when the Commission finally noticed the undesirable divergence of national legislations and initiated the development of the directive in 1990, it became clear that member states were strongly divided on the question of data protection regulation: Great Britain was explicitly against data protection regulations at the Union level.67 Still, the directive was finally adopted in 1995, and member states had to implement its provisions by 1998.

5. The directive is based on Article 100a of the Treaty establishing the European Community; it is a harmonization measure which serves the goal set out in Article 14 (single internal market). Its aim, however, is twofold, as its title also reflects: “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. This double objective appears also in the preamble and in Article 1 of the Directive (the title of the latter is “Object of the Directive”):

“(1) In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. (2) Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.”

The need for the regulations of the Directive was brought about by the differences among the national data protection regulations and the consequent obstacles to the creation of a single internal market: some have concluded from this that the primary objective of the directive was to ensure the free flow of data among member states and to create a unified level of protection.68 Paradoxically, however, the unified level of protection must be created in a way that does not bring about a “higher” level of protection than required by the Directive: this is addressed by point 10 of the preamble, according to which “[w]hereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community”. This is supported by a further development: Article 8 of the Charter of Fundamental Rights of 2000 acknowledged the right to the protection of personal data as a fundamental right,69 and – together with the Charter itself – it soon became part of the ill-fated Constitution of the European Union.

The question of the equality of the objectives, or of the primacy of the harmonization objective, is of great practical interest in evaluating national data protection laws, for example the Hungarian one. Several provisions of the Hungarian law impose stricter requirements on data controllers than the level required by the Directive. Is the harmonization objective fulfilled this way? Does a member state violate the directive if it sets stricter data protection regulations than those stipulated by the Directive? The European Court of Justice faced this question already in 2003 in the Lindqvist case,70 and its answer was that the measures of member states have to comply both with the measures of the Directive and with the objective of the free flow of data, but “nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.” The divergences of the Hungarian regulation from the Directive can either be justified by one of the derogation possibilities, or they apply to cases that do not fall within the scope of the Directive: thus in general it might be said that the Hungarian regulations – in the light of the Lindqvist decision – comply with the provisions of the Directive. It should be noted that in the Lindqvist case the Commission held the opinion that a member state cannot provide a higher level of protection for personal data than the one included in the Directive, and cannot give these provisions a wider scope. The differing interpretation of the Court of Justice in my view endangers the success of the approximation of laws in the field of data protection.

6. Regarding the stipulations of the Directive, it can be said that they frequently build upon the solutions of earlier documents (primarily those of the EC Convention), but in certain cases go beyond these frameworks (for example with the regulation of automated individual decisions).71 The Directive shall apply to “the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.” It is a novelty that the regulation, apart from the requirements concerning “data quality” that had already appeared in the OECD Guidelines and the EC Convention (fair and lawful data processing; specified purpose; legitimate purpose etc.), sets the “criteria for making data processing legitimate.” This means that the Directive enumerates the cases in which the national legislation of a Member State may render personal data processing (including the processing of special data) possible. The Directive regulates in detail the right to receive information and the right of access, and ensures the data subject a right to object in specified cases. A new element in the regulations is the obligation of the data controller to notify the supervisory authority about data processing (prior checking, registration); the Directive also sets the framework for the measures of the supervisory authority, and includes requirements for judicial remedies and sanctions. Another novelty is the concept of the “adequate level of protection” regulating the transfer of data to third countries. A more complicated system is introduced instead of the previous mechanism of the “equivalent” level of protection: the assessment of the “adequacy” of the level of protection takes several factors into account, and the Commission is given a role in it as well.72

7. The international impact of the Directive was significant: the Union influenced the data protection legislation of New Zealand and Hong Kong, while the 1993 data protection regulation of Quebec regarding private sector data controllers was based on the early draft of the EC Directive, and was drafted with the objective of protecting Quebec’s businesses from a possible blockage of data transfers from Europe due to EU regulations, which would have caused business disadvantages.73 The impact of the European regulations is noteworthy in South America as well, where, apart from (and instead of) the specific protection appearing from the beginning of the 1980s (the “Habeas Data”), with a narrower focus than the requirements of the Directive, data protection acts following the European model appeared – and regarding the adequacy of the level of protection in Argentina a Commission decision has already been passed.74 The adoption of the directive stimulated Canadian data protection efforts as well.75 The idea of convergence in the regulation of privacy protection appeared in the literature:76 according to this concept, in the 1990s the characteristics of the dominant technology and the global flow of data on the one hand, and the adoption of the directive on the other, led to a situation where states around the world started to follow a similar data protection policy (policy harmonization), with one significant exception, that of the United States.77

8. In Bennett’s view, the argument frequently asserted by the American side during the 1970s and 1980s, according to which data protection legislation was a feature of the continental tradition, and the “Anglo-American system dictated a less regulatory regime that placed more responsibility on the individual citizen to demonstrate damage and make a claim through the courts”, lost much of its strength after the data protection acts of the United Kingdom and New Zealand were passed in 1984 and 1993 respectively.78 Data protection in the public sphere in the United States is regulated by the 1974 Privacy Act, and equivalent statutes exist at state level. The regulation of the private sphere, however, is “an incomplete patchwork of federal and state provisions that oblige organizations to adhere to fair information practices”, and there is no oversight agency either.79 After lengthy negotiations the European Union has accepted the level of protection provided by the United States as adequate only conditionally (for data processing within the framework of the so-called Safe Harbour privacy principles). Thus, the legal practice regarding privacy discussed above – which has taken over the role of the general personal right – and the self-regulation techniques popular in the United States, which are frequently built upon privacy-protecting technologies (discussed below), do not offer an adequate level of protection in the European view. According to the Article 29 Working Party, set up under the data protection directive of the EU:

“Privacy and data protection in the United States is found in a complex fabric of sectoral regulation, at both federal and state level, combined with industry self-regulation. Considerable efforts have been made during recent months to improve the credibility and enforceability of industry self-regulation, particularly in the context of the Internet and electronic commerce. Nevertheless, the Working Party takes the view that the current patchwork of narrowly-focused sectoral laws and voluntary self-regulation cannot at present be relied upon to provide adequate protection in all cases for personal data transferred from the European Union.”80

9. After lengthy talks about the “adequate” level of protection, during which the above quotation was formulated, the EU Commission and the representatives of the United States came to an agreement in 2000. According to the agreement a program was launched with the assistance of the Department of Trade of the USA, in which American businesses that agree to comply with the requirements of the EU Directive are recognized by the EU as if they were within the territory of a state capable of providing an “adequate” level of protection for data transfer. The agreement between the EU and the United States on this issue is the so-called Safe Harbour Agreement. The Union accepts the provided level of protection as “adequate” in the case of organizations that join the program; the organization joining the program has to comply with the requirements of a set of principles (Safe Harbour Principles); compliance with the requirements is supervised by the American authorities (as a main rule by the Federal Trade Commission).

10. Through the concept of the “adequate level of protection” the Directive could, in many people’s opinion, have a more direct effect on international data protection regulations – this idea is supported by the above examples as well. At the same time one should not disregard those developments which together form an opposite tendency: in the war against terrorism following the 9/11 attacks, it is by now rather the United States that is exporting its data protection policy to Europe. This policy is focused primarily on decreasing the level of privacy protection, so that it would not hinder the war against terrorism. Five European states decided to issue passports with biometric identifiers after the United States announced its plans to introduce an obligatory visa system for countries that do not plan to introduce this new type of document.81 The Hungarian data commissioner also formed an opinion concerning the data services on airline passengers traveling to the United States – where the destination is, as a main rule, a state not offering an adequate level of protection –, and later the Union declared that the level of protection for data transferred this way is adequate. The alleged extraterritorial effect of the Directive is replaced by a real and opposite influence. The crisis of data protection, however, did not begin with 9/11.82

3.4. Crisis?

Page last modified on January 10, 2007, at 12:16 AM
Copyright © András Jóri 2006-2007 (unless otherwise stated). All rights reserved.