3.7. The third generation data protection norms

1. The third generation data protection norms try to find solutions to the above challenges – up to this point with unforeseeable success; new principles (data economy), new institutions (data-protection audit) appear in literature and enter into regulations. As an answer to being pervaded with and its technologies, regulations focusing on technologies return: the goal is to frame technologies.

2. Among the third generation data-protection norms the first is the German Teledienstedatenschutzgesetz (TDDSG) of 1997. The TDDSG introduced revolutionary institutions and principles in German data protection law. The significance of these principles is proven, among others, by the fact that within a few years some of them were incorporated into the Federal Data Protection Law. Furthermore, since the adoption the TDDSG, a wide experience has been gathered on its practical application, in the wake of which certain provisions of the law were amended in 1999 and 2001.

As early as 1997, the TDDSG included the basic principle according to which the technological tool used by the telecommunications service provider has to be such that its operation does not involve processing personal data, or involves a minimum processing of personal data, furthermore, these policies have to be taken into consideration when the tools are constructed¹⁴⁰ – the Federal Data Protection Act was also included in an amendment to this provision (the so-called principle of “data economy”(Datensparsamkeit)).¹⁴¹ The essence of the data-protection audit regulated by the Federal Data Protection Act is that the manufacturers and users of the tools used for data processing go through an audit of their processes as well as their tools.¹⁴² The institution is following the example of environment-protection audit that is included in EU legislation.¹⁴³

3. Elements of the third generation data-protection norms have appeared already in Hungarian legislation, where the legislator consciously followed the examples set by TDDSG and BDSG when the act CVIII of 2001 on electronic business services and other questions concerning information society services was amended in 2003. The amended act defines the principle of data economy.¹⁴⁴ The principle of data economy is more than the basic principle defined in Article 5 (2) of the Data Protection Act, since the former requires that the data controller applies the avoidance of personal data procession if that is possible, prior to starting the actual data processing and to minimize the size of data processing to the least possible size. The requirement applies to operation as well, in other words it is violated by the data controller who sets up software or hardware configurations in a way that the operation results in an excessive amount of data processing compared to the real need for operation or to the needs of some other goal defined by law. This rule creates more favorable opportunities for the data protection authority to enhance technologies serving data protection.

Again following the example of TDDSG, another provision was included in the Hungarian legislation: the stipulation that limits the data-management possibilities of a service provider in case of monopoly, while within real market circumstances it offers the possibility for other data procession as well, unrelated to the service.¹⁴⁵ The provision excludes the abuse of consent-based data procession is case the service is unavailable from a different service provider (by the given user). The provision allows for the enforcement of the right to informational self-determination, and does not prohibit consent-based data processing.¹⁴⁶

4. Thus, the first elements of the third generation of data protection regulations have already appeared, and only time can tell whether these regulations will mean a new start or the next stop of a long lasting agony. We can hope that the withdrawal of privacy advocates is only temporary, and that privacy protection will remain effective either with the help of legal or extra-legal tools. Without an innovative renewal of data protection law “freedom will diminish in such an unnoticed way as clean water and air have.”¹⁴⁷

Bibliography