Privacy Law and Policy Reporter
Lee A Bygrave
In this day and age, when alternative dispute resolution (ADR) is all the rage, it seems rather quaint to pose the question opening the title of this article. Indeed, one might well invite ridicule were the question to be voiced in any way that bespeaks a wistful yearning for judges. For these days, the courts are often viewed as cumbersome, bumbling behemoths that should be bypassed for ostensibly faster, cheaper, more flexible and more sector specific systems of adjudication. So, in answer to the above question, many acolytes of ADR would reply, ‘Who cares where all the judges are? And good riddance to them too if they’re not around!’.
In this article, I want ultimately to reflect on the propriety of such a reply. On the way to doing so, it is necessary to first elaborate on just where the judges are and have been in the context of data protection law.
As a starting point, we find that in many countries, court involvement in interpreting and applying data protection statutes has been minor, if not marginal. There seem to be few judicial decisions in which the interpretation of such legislation figures centrally. This is not a unique feature of data protection law but it is certainly striking.
In Norway, for example, there has only been one instance — over a period of two decades — in which an appeal from a decision of the country’s data protection authority, the Data Inspectorate, has been treated by the courts. Apart from that case, only one other notable example exists of judicial commentary on Norway’s main piece of data protection law, the Personal Data Registers Act (PDRA) of 1978. In neither case can the court decisions be characterised as ground-breaking or even significantly helpful for interpretation and application of the PDRA.
Such a state of affairs is not unique to Norway. In Australia, there has not been a single case of a court directly interpreting aspects of the Privacy Act 1988 (Cth). In Denmark, there have only been three cases in which a court has handled an appeal stemming from a decision of the country’s data protection authority. In the UK, only a handful of court decisions have arisen which address the proper application of the 1984 or 1998 Data Protection Act.
There are exceptions to this pattern. For example, application of the US federal Privacy Act of 1974 has given rise to relatively extensive court litigation. This is not surprising given the absence in the US of an independent data protection authority and the weakness of alternative oversight bodies. At the same time, the courts’ ability to influence the way in which US federal government agencies implement the provisions of the Privacy Act has been severely restricted. The range of remedies given to courts pursuant to the Act is narrow. A federal court can only issue enforcement orders relating to the exercise of a person’s rights to access and rectify information relating to him or herself. A court can also order relief for damages in limited situations, but it cannot otherwise order agencies to change their data processing practices. This effectively marginalises the role of the US judiciary when it comes to ensuring implementation of large swathes of the Privacy Act provisions.
Why have courts often taken a backseat in the interpretation and application of data protection laws? There are several factors here. One important factor has to do with the existence and regulatory strategies of data protection authorities. In dealing with complaints, these authorities often put weight on conciliation rather than confrontation, and this approach tends to head off court litigation.
Another important factor is that, in some countries, appeals from decisions of data protection authorities or complaints which authorities fail to resolve do not go directly to ordinary courts for adjudication but to other quasi-judicial bodies first. Examples of such bodies are the Complaints Review Tribunal in New Zealand and the Data Protection Tribunal in the UK. Appeals from these bodies to the courts can only be on a question of law (as opposed to fact). In some other countries, appeals from decisions of the data protection authorities have been handled first by an ordinary government department, with the possibility of further appeal to the courts being restricted to questions of law. This has been the case in Norway where appeals from the Data Inspectorate have usually gone to the Ministry of Justice.
There are also jurisdictions where the possibility for court appeal from the decisions of the national data protection authority has been largely eliminated. This is the case, for example, under Australia’s federal Privacy Act with respect to determinations by the Privacy Commissioner of complaints against federal government agencies. Insofar as the Act regulates the activities of other bodies, provision is made under s 55 for the Federal Court to institute hearings de novo of complaints with respect to such activities, though only in the context of enforcing complaint determinations by the Commissioner. Enactment of the Privacy Amendment (Private Sector) Bill 2000 (Cth) is unlikely to result in significantly increased court involvement in interpretation and application of the Act, as the Bill does not provide for a direct right of appeal to the courts (or any quasi-judicial body) from decisions of either the Privacy Commissioner or any of the complaint bodies to be set up under envisaged sectoral codes of practice.
A range of other factors also play a role in reducing court involvement. For instance, in many countries, courts have a long and well known tradition of refusing to overturn decisions of administrative agencies when the matter in dispute turns on the exercise of the agency’s discretionary powers. The extent of such powers is often considerable under data protection laws. Of course, to a significant extent, innovative and enterprising courts can work their way past the barriers to judicial review which are posed by the exercise of broad administrative discretion. Courts can also sometimes work their way around similar barriers posed by the question of fact/question of law distinction. Nevertheless, courts are often reluctant to push against the outer boundaries of their review powers. This reluctance is not necessarily just due to a belief that pushing against these boundaries is legally improper; sometimes it is due also to the courts already being burdened by large caseloads.
Finally, there are factors that arguably relate more to the broad cultural characteristics of a particular jurisdiction than to strictly legal matters. For instance, the corporate cultures of some countries — Norway is a pertinent example here — are relatively unlitigious and unaggressive in exploiting or testing legal rights and obligations. In other words, these cultures lack a corporate push to carry appeals up through the administrative/legal hierarchy.
Nevertheless, courts in some countries have played a significant role in steering the direction of data protection laws. The most notable case is the landmark decision of 15 December 1983 by the German Federal Constitutional Court. This ruling struck down parts of the federal Census Act for lack of data protection guarantees. In the process, the Court found a right to ‘informational self-determination’ pursuant to arts 1(1) and 2(1) of the Federal Republic’s Grund-gesetz. The decision helped stimulate efforts to revise and strengthen Germany’s federal data protection legislation.
At an international level, we should not overlook the case law of the European Court of Human Rights (ECtHR) pursuant to art 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) of 1950. Over the last 15 years or so, and with increasing intensity, the ECtHR has helped make plain and clear where the principal formal normative underpinnings of European data protection laws lie — they lie in the field of human rights, more specifically in the ambit of the right to respect for private life stipulated in art 8 of the ECHR. In this way, the Court has helped influence the way we conceptualise data protection laws, at least within a trans-European context. However, the Court has also helped to highlight the close relationship between traditional rule of law doctrines and the central principles of data protection laws. For example, the principles of purpose specification, transparency and information quality which we find in most data protection laws can and should be seen as promoting the certainty and foreseeability of data processing outcomes and thereby reducing arbitrariness.
At the same time, the case law of the ECtHR has helped to show that the provisions of art 8 of the ECHR can function as an important data protection instrument in their own right. It is questionable, though, just how much art 8 — and similar provisions in other international human rights treaties — add to the more specific data protection instruments. The case law pursuant to art 8 touching upon data protection is now relatively extensive. In that case law, the Strasbourg Court has inched towards a recognition of various data protection guarantees in art 8. Nevertheless, the Court has made few references to the requirements found in the laws dealing specifically with data protection.
Further, while the data protection case law on art 8 is considerable, it is also somewhat confusing. The confusion arises largely because of the frequent failure by the ECtHR to indicate exactly which elements of the contested data processing practices have constituted an interference with respect to art 8(1). Too often the Court has failed to make clear exactly which element of the contested data processing practice has interfered with the right under art 8(1); too often has there been a concomitant failure to describe the threatened interest.
Moreover, much of the case law concerns data processing in a rather special context (that is, secret surveillance activities by police or intelligence agencies), while virtually none of it deals with private entities’ data processing practices. Indeed, the issue of whether or not art 8 provides protection against the data processing activities of private bodies has still not been conclusively determined by the ECtHR. While it is extremely doubtful that the Court would refuse to construe art 8 as providing some measure of protection against the data processing activities of private bodies, the exact extent of such protection to be afforded is uncertain.
The case law of the ECtHR pursuant to art 8 will probably continue to have most direct impact on the data processing practices of police and state intelligence agencies. This is particularly because the practices of these agencies formally fall outside the scope of the EC Directive on data protection. The important practical contribution of the ECtHR in this respect will continue to be elaboration on the procedural safeguards for individuals with respect to data processing by such agencies. We already see that these elaborations are having an effect on mainstream data protection discourse. For instance, the Data Protection Working Party established pursuant to art 29 of the EC Directive on data protection makes extensive reference to art 8 case law in its Recommendation 2/99 on the respect of privacy in the context of interception of telecommunications, adopted on 3 May 1999.
We should not underestimate the impact of case law more generally on the development of data protection law. Case law stretching across a broad range of fields — from judicial review of government decision-making to defamation to duties of confidence to trespass to copyright — has fertilised the ground for planting the seeds of law on data protection. It has also provided some of these seeds.
It would be wrong, though, to characterise courts as uniformly interested in, or enthusiastic about, protecting the basic interests promoted by data protection law. Contrast, for example, the reluctance of courts in the UK and Australia to develop or recognise a specific right of privacy under common law with the eagerness of US courts to embrace such a right.
This difference in judicial attitudes — and the possible reasons for the difference — make up one of the most fascinating aspects of the ‘prehistory’ of data protection law. A large variety of claims abound as to why these differences emerged. I shall not dwell on these claims here; suffice to note that even though these differences surfaced during the prehistory of data protection law, they are still bound to have an impact on judicial decision-making today and in the future. It will be interesting to see, for example, how English judges’ traditional dislike for concepts like privacy which are nebulous, potentially far reaching and difficult to box neatly, will carry over to their decision-making on the privacy right that is in the process of being incorporated, along with the rest of the European Convention on Human Rights, into English law.
The other point we should take with us in relation to the attitudes of English and Australian courts is that they helped create a need for data protection legislation. The steadfast refusal of these courts to develop a specific right of privacy under common law, together with their concomitant steadfast adherence to the doctrine of parliamentary supremacy, resulted in an ad hoc, interstitial protection of informational privacy under Anglo-Australian common law. This helped create, in turn, a need for relatively comprehensive data protection legislation in both jurisdictions. Parallels to this dynamic can arguably be found also in other jurisdictions — such as the Netherlands — where courts were slow or sporadic in protecting privacy interests.
All of the judicial activity outlined above still does not discount the fact that courts have generally been on the sideline when it comes to interpreting and applying laws dealing specifically with data protection. The question that we now must raise is whether this sidelining of the judiciary has any problematic consequences.
Lee A Bygrave, Research Fellow, Norwegian Research Centre for Computers and Law.In the second part of this article in PLPR 7(2), Dr Bygrave will discuss ‘Problematic consequences of marginalising the judiciary’ and ‘The EC Directive to the rescue?’.