3.2. The census decision and the second generation of data protection norms

1. In December of 1983 the German Federal Constitutional Court declared unconstitutional (as an infringement upon the Basic Law) some provisions of the census act adopted the same year, and with this decision produced a global effect on data protection policy and law. In its famous census decision (Volkszählungsurteil) the court ruled that the “basic right warrants [...] the capacity of the individual to determine in principle the disclosure and use of his/her personal data.”55

The German Federal Constitutional Court derived the right to informational self-determination from the general personality right, interpreting Art. 2 Para. 1 of the Basic Law in conjunction with Art. 1 Para. 1. The general personality right is a “mother-right”, the content of which is “not specified ultimately” in legal practice,56 but from time to time a specific right protecting the individual is established based on it. The personality right includes “the authority of the individual to decide himself, on the basis of the idea of self-determination, when and within what limits information about his private life should be communicated to others and to what extent.” According to the court, self-determination requires increased protection due to the development of technology. “It is endangered primarily by the fact that, contrary to former practice, there is no necessity for reaching back to manually compiled cardboard-files and documents, since data concerning the personal or material relations of a specific individual {personal data [cf. Federal Data Protection Act Art. 2 Para. 1]} can be stored without any technical restraint with the help of automatic data processing, and can be retrieved any time within seconds, regardless of the distance. Furthermore, in case of creating integrated information systems with other databases, data can be integrated into a partly or entirely complete picture of an individual, without the informed consent of the subject concerned, regarding the correctness and use of data.” The Court stated that the situation can be dangerous both to the individual’s right of self-determination and to democratic society “if one cannot with sufficient surety be aware of who knows what about them. Those who are unsure if differing attitudes and actions are ubiquitously noted and permanently stored, processed or distributed will try not to stand out with their behavior. Those who count with the possibility that their presence at a meeting or participation in a civil initiative might be registered by the authority, may perhaps abandon practicing their basic rights (Basic Law, Art. 8 Para. 9).” This explains the Court’s understanding of the right of informational self-determination as a right based on the general personality right, which “ensures the individual the right to dispose over the issuing and utilization of his personal data.”

However, the Court stated that the right to informational self-determination was not unlimited. Limitations are acceptable for reasons of compelling public interest (überwiegendes Allgemeininteresse); norms have to comply with the requirement of explicitness, and thus have to be formulated in a way that citizens understand the requirements and the extent of the limitation. The goal of data management has to be specified, and data management can be required regarding data that are appropriate and needed for the purpose. As a further procedural guarantee, the court’s ruling prescribes the right of information and the obligation of data deletion once the goal is reached. The decision of the Court also held that the role of independent data protection commissioners was highly important due to the complexity of automated data processing and for the sake of effective protection. Furthermore, the decision gave a detailed account of the requirements concerning data processing for statistical reasons, based on the right of informational self-determination.57

2. The decision had a profound impact both in Germany and abroad – the principles laid down in it appear in the state data protection acts of the following years, as well as in the General Amendment to the German Federal Data Protection Act of 1990. The impact of the decision’s philosophy can be felt in the 1986 amendment to the Austrian data protection act, as well as in the Norwegian, Finnish and Dutch acts,58 and the 1992 Hungarian data protection act (based on a decision of the Hungarian Constitutional Court, which was phrased in the wake of the German decision).

3. The second-generation data protection norms,59 according to Mayer-Schönberger, are characterized by the fact that they ensure specific rights for the individual concerning the whole process of personal data processing; the legislators realized that the decision of the citizens cannot be restricted to their consent or disagreement to the automated processing of their data, since technology by this time had permeated society to an extent that disagreement would have entailed excessive costs for the individual. Typical attributes of the regulations born at that time in the field of market research are the citizen’s right of objection and the right of deletion of old information.60 Regulations became increasingly abstract and less technology-specific. The technological changes of the period – the appearance of personal computers, and their subsequent connection to networks – would have made the regulation of technology impossible. This is why the legislator, instead of regulating technology, endowed the individual with the right of informational self-determination, which, at least theoretically, would make individuals capable of defending themselves on all occasions. (Technology-specific regulations fell into the background only temporarily – the essence of third-generation norms is to strengthen the possibility of enforcing the right to informational self-determination within the context of a given sector, with regard to its technological specificity.) In this period, parallel to the process of technological norms (that were formed to regulate the world of integrated and centralized databases) falling into the background, registration procedures were streamlined substantially.61 It is worthwhile to note that in Mayer-Schönberger’s opinion these acts embodied a pragmatic compromise “between fostering and controlling efficient information processing” – in other words, the required level of protection was lowered for the sake of operation already at this point.62

