Privacy Law and Policy Reporter
Lee A Bygrave
In the year 2000, it is timely to reflect on the general nature of data protection law. While certainly not old, data protection as a field of law has now attained considerable maturity and spread. The first data protection laws were passed some three decades ago. In the course of those decades, the number of countries with such laws has burgeoned to well over 20. Although these countries are still predominantly European (and still predominantly part of the First World), legislative concern for data protection has become increasingly global. Augmenting this development is a growing body of commentary (hereinafter termed ‘data protection discourse’), both descriptive and prescriptive, concerned specifically with the character, application and development of data protection laws.
This article is the first of a series in which the central and most striking features of data protection law and, to some extent, data protection discourse are discussed in a transnational perspective. To a large extent, the analysis is broad-brush. It aims to provide an overview of regulatory patterns across jurisdictions. It also aims to set out and challenge some of the conceptions that have developed over the last three decades about the character of data protection law. The article series begins with a presentation of the major regulatory trends in the field. Subsequent articles will involve canvassing a range of other issues, including the rationale and normative underpinnings for data protection law, and the issue of data protection rights for collective entities.
Although data protection laws around the globe have not all been enacted for the same reasons, nor had the same sort of gestation, they have tended to share a great deal of common ground in terms of the principles expressed by their central rules. They have also tended to share a great deal of common ground in terms of the mechanisms adopted for monitoring their application and for generating new regulatory norms. The overwhelming majority of the laws provide for the establishment of special independent bodies — typically termed ‘data protection authorities’ — to oversee their implementation. At the same time, most of the laws take the form of so-called ‘framework’ laws: instead of stipulating in casuistic fashion detailed provisions for regulating the processing of personal information, they set down rather diffusely formulated general rules for such processing, and make specific allowance for the subsequent development of more detailed regulatory norms as the need arises. Primary responsibility for developing these norms has usually been given to the respective data protection authority.
More remarkable is the apparent existence of considerable cross-jurisdictional similarities in terms of how the laws are enforced. In many jurisdictions, the enforcement of the laws seems rarely to have involved meting out penalties in the form of fines or imprisonment. Data protection authorities appear generally reluctant to punitively strike out at illegal activity with a ‘big stick’. A variety of other means of remedying recalcitrance — most notably dialogue and, if necessary, public disclosure via the mass media — seem to be preferred instead. In other words, data protection laws have often functioned to a relatively large extent as ‘soft law’; that is, law which ‘works by persuasion, is enforced by shame and punished by blame’.
A related feature is that courts have tended to play a minor, if not marginal, role in the enforcement and development of data protection laws. Indeed, there seems to be a striking paucity of judicial decisions in which the interpretation of such laws figures centrally. This aggravates the already considerable interpretative difficulties caused by the diffuse formulation of many of the laws’ provisions and the sparse or nebulous commentary in the preparatory works and explanatory memoranda for the laws.
That courts often take a back seat in the application of data protection laws is due to a multiplicity of factors. One important factor is that in dealing with complaints, data protection authorities frequently put weight on conciliation rather than confrontation, an approach which tends to head off court litigation. Another important factor is that in some countries appeals from decisions of data protection authorities, or complaints which authorities fail to resolve, do not go directly to ordinary courts for adjudication but to other quasi-judicial bodies first (such as the Complaints Review Tribunal in NZ and the Data Protection Tribunal in the UK).
Nevertheless, we should not forget that courts in some countries have played a significant role in underpinning and steering the direction of data protection law. Undoubtedly, the most notable case is the landmark decision of 15 December 1983 by the German Federal Constitutional Court (Bundesverfassungsgericht) which struck down parts of the federal Census Act (Volkszählungsgesetz) for lack of data protection guarantees and in the process found a right of ‘informational self-determination’ (informationelle Selbstbestimmung) pursuant to arts 1(1) and 2(1) of the Federal Republic’s Basic Law (Grundgesetz).
While data protection laws expound broadly similar core principles and share much common ground in terms of enforcement patterns, they are not as homogeneous as they appear at first glance. Numerous differences exist between them. These differences arise to a large extent in relation to the monitoring and supervisory regimes established by the laws. The basic differences here relate to the powers of data protection authorities (for example, some function essentially as ombudsmen, others are able to issue legally binding orders) and, concomitantly, the nature of the legal preconditions for processing personal data (for example, some require merely that data protection authorities be notified of processing, others require prior authorisation/licensing by the authorities).
There are also significant differences in the ambit of data protection laws. Some cover data processing in both the private and public sectors, others cover processing by certain government agencies only. Some regulate both manual and automated processing methods, others regulate only the latter. Some place restrictions on the flow of personal data to foreign countries, others do not. Some provide express protection for data on collective entities, others protect data on individuals only. Some lay down extra limits on the processing of designated categories of especially sensitive data, others do not. To some extent, these differences have constituted a cleavage line between European and non-European data protection regimes, with the former offering generally more comprehensive and stringent safeguards than the latter, but the line is far from clean.
Moving from the oldest of the data protection instruments to the youngest, we can discern certain regulatory trends. In data protection discourse, it is popular to categorise these trends in terms of ‘generations’; that is, one differentiates between ‘first’, ‘second’ and ‘third generation’ data protection laws. Such categorisation, however, can easily result in ambiguous or misleading generalisations in which distinctions are overstated. Accordingly, these categories are not employed in the following analysis.
The regulatory trends are most easily discernible when we compare the international data protection instruments. However, they are also visible at a national level, particularly in the current round of reform of domestic data protection law by member states of the European Union and European Economic Area (EEA) pursuant to the 1995 European Community Directive on data protection (EC Directive).
In the first place, we can see a trend towards more detailed, discriminating provisions and requirements. In short, we can see increasing regulatory density. Part and parcel of this trend is a growing concern to lay down procedural mechanisms for enforcing compliance with data protection principles.
At the same time, we can see the contours of new data protection principles emerging. One such principle is that fully automated assessments of a person should not form the sole basis of decisions that impinge upon the person’s interests. While this principle is not yet manifest in the majority of data protection laws, it will be so in the near future, on account of its embodiment in art 15 of the EC Directive.
Another such principle is that persons should be able to enter into transactions anonymously unless overriding legitimate interests exist to the contrary. Inherent in this principle is that active consideration should be given to crafting technical or organisational solutions for ensuring transactional anonymity and/or pseudonymity. However, while this type of principle is expressly promoted in an increasing number of policy documents, it is still far from prominent in the bulk of data protection laws. Nevertheless, it can reasonably be expected to influence the drafting of future laws, at least in relation to certain sectors of activity.
Under the influence of the EC Directive, we can also expect considerable expansion in the set of phenomena regulated by data protection laws, at least within the EU and EEA. Currently, the set of phenomena which all non-sectoral data protection laws regulate (with minor exceptions) is rather narrow. This set of phenomena consists of:
In the near future, the data protection legislation of EU and EEA member states will embrace:
Under the influence of the EC Directive, we can further expect the data protection legislation of EU and EEA member states to become more uniform in terms of monitoring and supervisory regimes. Data protection authorities which are currently able to issue mere recommendations will probably be given competence to issue legally binding orders; notification schemes will become the rule, licensing the exception; and, to a greater extent, these notification schemes will involve a duty for data controllers to inform not just data protection authorities of the basic details of their operations but also the data subjects. Nevertheless, it is extremely doubtful that we will see, at least in the short term, complete or even near-complete uniformity achieved in the data protection regimes of these states. The EC Directive has given too much rein to the principle of subsidiarity to be able to achieve such uniformity.
A large question mark hangs also over the ability of the EC Directive to bring the data protection regimes of non-European states largely in line with the EU/EEA pattern of data protection. With the threat that EU/EEA Member States will prevent, pursuant to art 25 of the EC Directive, transfers of personal data to countries without ‘adequate’ levels of data protection, there is now greater legal (and economic) pressure on countries like the US, Japan and Australia to enact laws more closely resembling the European model. But we should not overlook the possibility of one or more of these countries’ governments (particularly that of the US) thumbing their noses at the EU in defiance of the ‘adequacy’ criterion laid down in the Directive. The extent to which this might occur is likely to depend on how stringently and consistently the ‘adequacy’ criterion is applied, together with the extent to which implementation of arts 25–26 of the EC Directive is found to conflict with the 1994 General Agreement on Trade in Services. Other factors might also prove significant, not least the extent to which business enterprises in, say, the US tire of having to cope with the patchy, sometimes uncertain and inconsistent legal regimes for data protection in that country.
Finally, we can discern some shift in the regulatory focus of data protection laws, or, perhaps more accurately, consolidation of such shift. An important example here is the EC Directive’s focus on the processing of personal data rather than the establishment and use of personal data files — a focus already present in, for example, the OECD Guidelines. Another important example is the EC Directive’s focus on manually processed data in addition to automated data processing — again, a focus already present in the OECD Guidelines. Yet another noteworthy example is the EC Directive’s explicit encouragement in art 27 of the creation of sectoral codes of practice — again something already anticipated by, for example, the OECD Guidelines and, more indirectly, the various data protection recommendations of the Council of Europe. This encouragement, though, is offset by a lack of consensus and certainty over exactly what sort of legal function such codes are to have vis-à-vis data protection laws within the EU.
Further, there is a discernible trend away from comprehensive licensing regimes to requirements for mere notification or registration of data processing operations. This is a development in which anticipatory, paternalistic control by data protection authorities is giving way to (though is not necessarily extinguished by) more reactive control on the part of such authorities. This development is offset by enhancement (at least on paper) of the opportunities for participatory control: data subjects’ access rights are supplemented by more extensive notification duties for data controllers, and there is greater readiness to make the consent of data subjects a prerequisite for certain kinds of data processing.
Certainly, this gives individuals more room to determine for themselves the manner and extent to which data on them are processed, though it does not necessarily mean that individuals will act to delimit such processing or that such processing will decrease. Moreover, data controllers will often be able to avoid the consent rule because of the existence of broadly drawn, alternative requirements for the data processing in question.
Lee A Bygrave, Research Fellow, Norwegian Research Centre for Computers and Law.
Further articles in this series will be published in the following issues of PLPR.