Privacy Law and Policy Reporter
Court of Appeal (United Kingdom) 21 December 1999
Source Informatics Ltd are in the business of supplying information to pharmaceutical manufacturers about doctors’ prescribing habits. The information allows the pharmaceutical companies to more effectively target their marketing to doctors. Source proposed a system by which pharmacists would electronically transmit data contained in prescription forms, but excluding any information that would identify the patients, to Source. Source would then enter the information into their database. The English Department of Health, in a policy document issued in July 1997, expressed the view that this process would breach the pharmacists’ duty of confidence to their patients. Source commenced proceedings seeking declarations that the Department’s policy was erroneous in law and that ‘disclosure by doctors or pharmacists to a third party of anonymous information, that is information from which the identity of patients may not be determined, does not constitute a breach of confidentiality’.
In May 1999 Latham J, the trial judge, held that ‘what is proposed will result in a clear breach of confidence unless the patient gives consent, which is not part of the proposal at present’ (R v Department of Health ex parte Source Informatics Ltd, Latham J, QBD 28 May 1999). Source appealed.
Held (per Simon Brown LJ, Schiemann and Aldous LJJ concurring):
The reasoning in this judgment can obviously be applied to other data mining proposals. In particular, the observation that the anonymisation of data per se is unlikely to breach any obligation of confidence or duty imposed by data protection laws is important. For example, the Privacy Act prohibits credit providers from ‘using’ personal information derived from credit reports for a number of defined purposes, the primary one being the assessment of applications for credit. If the Court’s reasoning is applied it is unlikely that the processing of a credit report to anonymise the data contained in it will be a prohibited ‘use’. Similarly, other data protection laws implementing the so-called ‘finality’ principle (that information collected for one purpose only be used or disclosed for another purpose in a limited number of situations) are not likely to be breached by the process of anonymising the data. Once anonymised, it appears likely that the data can be used for any purpose. Of course, the most likely purposes will be demographic and market research, the results of which will be commercially valuable.
Patrick Gunning, Senior Associate, Mallesons Stephen Jaques, Sydney.
Reno v Condon
(98-1464) US Supreme Court, 12 January 2000
The Driver’s Privacy Protection Act of 1994 (DPPA), 18 USC § 2721-2725 (see <http://www4.law.cornell.edu/uscode/18/2721.html>), regulates the disclosure of personal information contained in the records of state motor vehicle departments (DMVs), which may include telephone numbers, photographs, medical information, social security numbers and other personal information. When enacting the law, Congress found that many States sold this personal information to individuals and businesses, generating significant revenue. The information was often subsequently on-sold.
The DPPA prohibited the States from disclosing such personal information unless the disclosures fell within a number of statutory exceptions, or unless the driver consented to the release of the data. The law originally allowed a State to imply such consent from a driver’s failure to elect to block such disclosure when obtaining or renewing a licence, but in 1999 Congress changed this ‘opt-out’ requirement to an ‘opt-in’ requirement of affirmative consent to disclose.
South Carolina’s law allowed anyone to obtain DMV information, for a fee, provided they stated they would not use the information for telephone solicitation. South Carolina (via Attorney General Condon) argued in the Supreme Court that the DPPA was unconstitutional.
The Supreme Court unanimously upheld the Federal Government’s contention that the DPPA was a proper exercise of Congress’ authority to regulate interstate commerce under the commerce clause. Personal information is a ‘thin[g] in interstate commerce’ and its sale or release in interstate commerce is therefore a proper subject of Congressional regulation.
The Court held that the DPPA did not violate the principle of federalism contained in the Tenth Amendment. The DPPA ‘did not commandeer the State legislative process by requiring a state legislature to enact a particular kind of law’, but instead ‘regulates the States as owners of databases’.
The Court did not address South Carolina’s argument that the DPPA was unconstitutional because Congress may only regulate the States by ‘generally applicable’ laws, laws that apply to individuals as well as States. It did not need to do so, it noted, because the DPPA did in fact regulate all those involved in the sale (and resale) of DMV information, including private individuals into whose hands the information came.
As with Los Angeles Police Department v United Reporting Publishing Corp (see 6 PLPR 71), decided in December 1999, this decision of the US Supreme Court shows that it is possible for US Federal and State laws to provide effective protection to privacy without being held to be unconstitutional on First Amendment or other grounds (the Tenth Amendment in this case). A general information privacy law covering the private sector (such as is currently before the Hawaii legislature — see elsewhere in this issue) would have many more hurdles to jump, but cases such as these are useful indicators. It is interesting to note that the DPPA prohibited resale or redisclosure by private individuals.
Jim Dempsey, Counsel at the Centre for Democracy and Technology, considers the decision significant:
The Supreme Court recognises that there is a market in personal information, and it has strongly affirmed Congress’ authority to regulate that market to protect privacy. If Congress can establish privacy rules to regulate personal information in state government databases, it can surely regulate commercial databases.
Graham Greenleaf, General Editor.
The European Commission decided on 11 January 2000 to take France, Luxembourg, the Netherlands, Germany and Ireland to the European Court of Justice for failure to amend their respective laws to implement all of the provisions of the EU privacy Directive. This is the third formal stage of infringement proceedings under Article 226 of the EC Treaty.
The DG XV website <http://europa.eu.int/comm/dg15/en/media/dataprot/news/2k-10.htm> explains that individuals may also have remedies for their State’s failure to act:
In those Member States where the implementing legislation is not yet in place, individuals are entitled to invoke some of the directive’s provisions before national courts, in accordance with the case law of the Court of Justice (Marleasing case, C-106/89, 13.11.90). In addition, individuals suffering damage as a result of a Member State’s failure to implement the directive are in some cases entitled to seek compensation before national courts, under the terms of the Court of Justice’s case law in the Francovich case (C-6/90 and C-9/90, 19.11.91).
It would be politically very difficult for the EU to insist that countries outside the EU have ‘adequate’ privacy laws (see article in this issue) if the EU’s own member states are not in full compliance with the Directive.
Graham Greenleaf, General Editor.