Privacy Law and Policy Reporter
Lee A Bygrave
In the first part of this article in PLPR vol 7(1), Dr Bygrave considered the extent of judicial involvement in the development of data protection law around the world.
The paucity of court decisions touching directly on data protection laws hampers our ability to arrive at firm conclusions on the proper interpretation of such legislation. This ability is already hampered by the diffuse formulation of many of these laws’ provisions, a difficulty frequently compounded by sparse and/or nebulous commentary in the preparatory works and explanatory memoranda for the laws.
In particular, there is an urgent need for rulings by the European Court of Justice on the EC Directive on data protection. The Directive is intended to steer the legislative strategies of a large number of countries, yet many of its provisions are difficult to comprehend. Some national case law is starting to emerge which touches on how to properly construe certain provisions of the Directive but, to my knowledge, this hardly amounts to more than a trickle. A lonely example is the case of R v Department of Health; ex parte Source Informatics Ltd, decided by the UK Court of Appeal on 21 December 1999. Among other things, the Court had to consider if the action of anonymising sensitive data fell within the Directive’s definition of data ‘processing’, such that the anonymisation process itself has to meet the conditions laid down in art 8 of the Directive. Taking a purposive approach, the Court sensibly held that the Directive does not set limitations on anonymisation of data in this way. Again, though, this decision is hardly groundbreaking.
Also of concern is that the marginalisation of courts contributes to a marginalisation of data protection law. It is my impression that data protection laws figure little in the consciousness of most lawyers. I do not think this is because lawyers generally believe that little money is to be gained from expertise in the field relative to other legal areas; I think it has more to do with the scarcity of case law of the type with which lawyers are most comfortable. The scarcity of such case law helps give data protection law a dull if not ‘poor cousin’ status relative to the apparently more glamorous and litigation intensive areas of law like defamation, trade secrets and the like. This poor cousin status means, in turn, that data protection laws are poorly understood by the majority of lawyers and citizens (further reinforcing their poor cousin status). It could be argued that this status also detracts from the general authority of, and respect for, data protection law in the community. I am uncertain if this argument has any merit but it is worth keeping in mind.
What is more problematic is that the marginalisation of courts reduces their ability to function as a corrective to the development of data protection law and policy. To some extent, data protection authorities and data protection advocates generally constitute a club. It is quite a cosy club, even though tensions do exist (for example, between some of the advocates on the one hand and the data protection authorities on the other). In such a situation, there is a great risk that the members of this club will develop rather narrow mindsets. There is also a risk that they will start assuming too much. Courts, which are normally outside the data protection club, can provide a useful corrective here.
This point is well illustrated by the House of Lords’ decision in the case of R v Brown. The case turned on the issue of whether or not a person who simply gains access to personal data by calling those data onto a computer screen and viewing them ‘uses’ the data within the meaning of s 5(2)(b) of the UK Data Protection Act 1984. Section 5(2)(b) prohibits the ‘use’ of personal data for certain purposes. The term ‘use’ is not defined in the Act. By a three to two majority, the House of Lords found that accessing data as described above does not involve ‘use’ of the data within the meaning of s 5(2)(b). The Brown decision took many in the data protection club by surprise. The view of the court majority in the case was looked upon by some with a mixture of exasperation and ridicule. The important aspect of the Brown decision was that it demonstrated the need for statutory definitions of terms that are apparently obvious in their meaning. In other words, we cannot take for granted that everyone outside the data protection club — most importantly, the vast mass of data controllers and data subjects — will understand commonly used terms in data protection legislation in the same way as the club members do. The Brown decision highlights, in turn, the need for more guidance from legislators on the ambit of data protection laws.
The extent to which we should be concerned about the lack of court involvement depends also on the extent to which data protection authorities and any administrative appeals bodies act in a manner upholding the ideals of the rule of law (that is, ideals to ensure legal certainty and foreseeability and to counter decisional arbitrariness). I do not have any large empirical base from which to draw firm conclusions about the complaints handling procedures of agencies in this respect. I can say, though, that when it comes to the practices of the data protection authority with which I am most familiar — those of the Norwegian Data Inspectorate — I have found very little evidence of inconsistency in the development and application of data protection policy. The most glaring instances of inconsistency I have found stem from the appeal decisions of the Ministry of Justice but, again, these instances are few and far between.
Regarding the detail and clarity of reasoning in the agencies’ decisions, again I have found this to be usually satisfactory.
As for bias in the agencies’ decision-making, I have found very few cases where the Inspectorate’s interpretation of the law has been obviously biased towards furthering the cause of data protection at the expense of other factors that deserve equal or greater weight in law. We should keep in mind, though, that the risk of unlawful bias is considerable, as is the risk of the wider community believing that such bias exists.
The main sticking point concerns the ease of public access to the agencies’ decisions. The annual reports of the Data Inspectorate often fail to give a clear and full description of the reasoning adopted by the Inspectorate (or by the Ministry of Justice if the case has been appealed). It was not until the appearance of my book, Personvern i praksis, in 1997 that the general public in Norway was able to gain relatively easy access to a complete, systematic and indexed collation of appeal cases that had gone from the Data Inspectorate to the Ministry of Justice. This was some 15 years after the Personal Data Registers Act entered into force!
The Data Inspectorate is not the only sinner in this context. Data protection authorities in many other jurisdictions are just as bad, and in some cases worse. Particularly problematic is public accessibility to the reasoning of the Australian federal Privacy Commissioner. Under the federal Privacy Act, the Privacy Commissioner is only required to give a written statement of reasons when making formal Determinations of complaints pursuant to s 52. To my knowledge, only two such Determinations have been made. As for the other complaints, all we find are brief summaries of selected cases in the Commissioner’s annual reports. Usually these summaries contain little detail about the legal interpretations involved. Enactment of the Privacy Amendment (Private Sector) Bill 2000 is unlikely to remedy this situation. Indeed, the situation will probably be exacerbated by the fact that the Bill allows for the setting up of a collection of industry code bodies, each of which will be able to make binding decisions against which there will be very limited possibilities for appeal. The Bill fails to require that complaint bodies established under the various codes publish reasons for their formal decisions or publish details about matters that have been mediated more informally.
The problem of lack of public access to authoritative interpretations by data protection authorities is not directly a problem about the role of the courts. Rather, it is about the weakening of the ability of both data subjects and data controllers to predict what data processing behaviour is in compliance with the legislation. It is about diminishment of the guidance potential of data protection laws. Further, the problem means data protection authorities are operating, paradoxically, somewhat like the ‘black boxes’ they are meant to help unlock. It is a problem that is exacerbated when the data protection authority is given relatively broad discretionary powers, and further exacerbated when — as will likely be the case in, say, Australia — there is a profusion of bodies developing their own (and possibly inconsistent) versions of data protection law pursuant to sectoral codes of practice.
This problem could be resolved simply by data protection authorities (and sectoral code bodies) putting in place decision reporting systems that are more extensive and include more decisional detail. In the age of the internet, the problem should be able to be fixed quite easily. An exemplary model in this respect is the website of the Information and Privacy Commissioner of British Columbia.
At the same time, this strategy does not fix all problems. For example, the Australian experience outlined above highlights the danger of conciliatory strategies of data protection authorities hampering development of data protection laws by heading off actions that could have ended up before an appeals tribunal or court and resulted in the clarification of points of ambiguous law.
The role of the judiciary in enforcing national data protection laws and otherwise handling complaints pursuant to such laws is touched upon at several points in the 1995 EC Directive on data protection. The relevant provisions are arts 22 and 28. Article 22 states:
Without prejudice to any administrative remedy for which provision may be made ... prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question [emphasis added].
Article 28(3) states, inter alia, that ‘[d]ecisions by the supervisory authority [data protection authority] which give rise to complaints may be appealed against through the courts’.
It is clear that art 22 does not require EU Member States to permit individuals to go directly to the courts for breach of data protection rights (effectively bypassing the national data protection authorities) but leaves it open for Member States to allow direct access to the courts. Less clear is whether the reference to ‘rights’ also embraces those provisions in the Directive that are formulated as duties or obligations on data controllers. Given that breach of a duty or obligation is likely to result in infringement of a data subject’s general right to privacy (a right that is indirectly, if not directly, guaranteed by the Directive), and given that the Directive aims at ensuring a ‘high’ level of data protection, the question is probably to be answered in the affirmative.
Ambiguity also inheres in art 28(3): does the provision require Member States to permit court appeals on both questions of law and questions of fact, or are Member States able to restrict appeals to questions of law only? As the term ‘complaints’ is not qualified in any way, art 28(3) appears to encourage, if not require, a broad right of appeal, but EU/EC legislators would probably be exceeding their legal competence if the provision were to require changes to present domestic rules that limit judicial review of administrative decisions to questions of law.
As for the issue of public access to the reasoning of data protection authorities, this is broached in art 28(4)-(5). Article 28(4) requires a data protection authority to inform a claimant of the ‘outcome’ of the claim, though does not, on its face, require the authority to communicate to the claimant (or to anyone else) reasons for the outcome. The latter requirement, however, would most likely follow from general rules of administrative procedure in each jurisdiction (though only in relation to the claimant as party to case proceedings). Regarding information to the general public (and not simply a claimant), art 28(5) requires a data protection authority to publish ‘a report on its activities at regular intervals’. Unfortunately, however, there is no stipulation here or elsewhere in the Directive dealing specifically with access by the general public to legal interpretations held by an authority (or other administrative complaints resolution body).
In sum, it is commendable that the Directive encourages court involvement in applying data protection law. It is also commendable that the Directive broaches the issue of public access to the findings and activities of data protection authorities. Nevertheless, it would have been desirable that the Directive devoted more attention to both issues and in a manner that places greater pressure on data protection authorities to provide the public with detailed guidance on their reasoning. At the same time, it is understandable that the drafters of the Directive did not elaborate further on these points, given the principle of subsidiarity and the risk of overstepping their legal competence.
To conclude, I am not arguing that courts should relieve data protection authorities of their complaint handling tasks. There are good grounds for keeping data protection authorities as the primary mediators of disputes. The authorities are staffed by experts in the field. As experts, these people tend to be savvy not just with the relevant legal rules but also the broader technological and organisational developments that spark disputes in the field. Further, data protection authorities will normally be more accessible than courts. The pursuit of remedies through courts tends to be too expensive and drawn out for the majority of people. At the same time, data protection authorities will tend to be able to engineer compromises in a more conciliatory, less destructive manner than court litigation usually can.
Still, I firmly believe that we should care where the judges are. I believe equally firmly that if the judges are not around in the field of data protection law, or not around often enough, then this absence is problematic. It is problematic because it increases the risk of compromising basic rule of law ideals. And it is problematic because an absence or scarcity of judicial opinion inevitably impoverishes law and policy on data protection. If the judges are not around to a significant degree, we should either make sure that they can come around more easily in the future, or ensure that there are bodies to effectively emulate their role.
In the latter regard, the UK experience with its Data Protection Tribunal serves as a positive model. The Tribunal appears to have acted in a balanced, neutral manner with an attention to legal detail that should characterise the standards of decision-making by the ordinary courts. The UK Data Protection Commissioner (formerly Registrar) has actively used the Tribunal to resolve problems of interpretation of the data protection legislation, particularly with regard to the rule that personal data shall be processed ‘fairly’. In doing so, the Commissioner has acted on behalf of the interests of the wider community of citizens as data subjects and data controllers in knowing how to behave pursuant to the Act.
Lee A Bygrave, Research Fellow, Norwegian Research Centre for Computers and Law.