Privacy Law and Policy Reporter
Dag Wies Schartum
Looking back on the 1970s and the first years of data protection authorities, it is hard to tell if computers were seen as a threat in themselves to the protection of personal data, or if it was certain uses of computers and personal data filing systems that constituted the problem. In either case, 30 years ago it was still acceptable to argue against computerisation, because many people did not regard computers as necessary. Now, only the very naive or refractory would think of removing the computer systems that surround us everyday. Today’s question is not whether or not computers should be employed but, rather, how this can be done with a minimum of negative effects. Moreover, there is probably now a much more positive view than before on information technology (IT) and its potential to facilitate a rethink about how we shape our societies, such as how we distribute welfare.
In a considerable proportion of our societies, the use of computers has moved from being a novelty to being a matter of course. Given this, data protection authorities should be ‘IT-pushers’ and active users of IT. What may happen if they use IT for all it is worth? Moreover, what are the possible effects if we develop computerised tools to help people request the rights that they have according to data protection legislation? I do not have a research basis for clear answers. However, the Data Protection Directive and the new Scandinavian data protection Acts form a basis for posing certain questions and advancing small scenarios concerning the future application of information tech-nology within this field.
In the amended European data protection legislation, individual rights are strengthened, with the underlying assumption that people will play an active part in the struggle to achieve an acceptable level of data protection. However, giving people legal rights does not in itself guarantee an improved situation. Authorities need to ask how and to what extent data subjects may be assisted to maintain their data protection interests, for example by exercising their statutory rights to access information.
In a recent discussion of the Norwegian Act regarding access to government-held information, two main lines of action have been identified. Not surprisingly, there has been a discussion about how to improve openness through statutory amendments. But more relevant here are the possibilities of increasing the efficiency of already existing access rights accorded by legislation, through the use of information technology. The idea is that legislation may be sufficient even if the practices of legislation deviate from political objectives. What may be insufficient are the organisational and practical arrangements for citizens necessary to realise the potential of existing legislation. Viewed in this way, an important question concerning implementation of the Data Protection Directive is whether or not sufficient facilitating measures accompany the new data protection laws; that is, are technological and other measures available to make it comparatively simple to exercise statutory rights? In any case, there is obviously a rather vast gulf between the ‘anonymous’ formal rights in a statute book and ‘materialised rights’, for example, a publicly available computerised tool accessible via the internet.
In Norway, the Section for Information Technology and Administrative Systems (SITAS) at the University of Oslo has taken the initiative in developing a free internet based program in order to make efficient use of some of the core access rights of the Personal Information Act. The development is carried out in collaboration with the Data Inspectorate. The program will both be available from the data protection web site of SITAS (<http://www.personvern.uio.no/>, provisionally only in Norwegian>) and the site of the Norwegian Data Inspectorate. The planned functions are threefold:
The functions concerning legal information services are probably the most interesting part of the access routine. Here, legal information is organised in three layers. On the first layer, access rights are explained in a brief, simplified, brochure-like way. Users who chose to investigate the second layer will be introduced to a number of problem-oriented issues, formulated as questions and answers. For example, one of the questions concerns the extent of the access rights. The corresponding answers contain brief ‘theoretical’ explanations concerning each piece of information covered by the access right. Furthermore, each answer is accompanied by an example, that is, a description of practical situations that may help to understand the theoretical explanation. On the two first layers, users are not faced with the actual text of the Personal Information Act. Pointers are, however, established from each of the answers on the second layer to a third layer where that specific part of the Act which forms the basis for the answers is made available. Initially, only the relevant fragment of text are shown, but the user may easily display the relevant text fragment in the context of the total text of the Personal Information Act.
The access tool is developed for the general public. The legal information services may, however, be particularly suitable as an educational tool for colleges and universities. Given the three levels of the information and the consequent choices between different depths of legal analysis, the tool may show to be suitable even for students in disciplines other than the law. Plans already exist to use the access system in the education of computer science and public administration students. Due to the fact that everybody has the right to access certain information, it is reasonable to expect that other organisations — non-government groups and the media in particular — may find the access system useful for improved insight into the general access rights contained in the new legislation.
The effects of the planned access system will be known in the future. However, let us for one second suppose that it will contribute to a considerable rise in the number of access requests. If so, we realise that such computerised tools may give influence to groups outside government who are interested in the performance of rights rather than their formal aspects. The actual effects of important fragments of the novel European data protection regimes are, in other words, only partly dependent on government actions, and may easily be influenced by non-govenrment organisations and popular movements.
Of course, it is not new that actors outside government influence the implementation of laws. What is new, however, is that this influence could be obtained through simple means, for example, merely by writing small internet based programs like the one described above. Here computer-assisted exercise of access rights is of core significance. Access routines may be even more powerful in combination with other, similar rights promoting computer tools, such as tools to help people claim erasure of personal data concerning themselves. A possible example could be that a popular consumer movement calls for a boycott of e-commerce actors and their European partners whose levels of data protection do not comply with the EU Directive. Failure to give access to the information prescribed in the Directive may be a valuable indication of the relevant e-commerce website’s non-compliance with the Directive. Moreover, even access to information showing transport of personal data from a European company to businesses in the United States or Australia may be a sufficient basis for action.
To what extent may computerised access tools create problems for the controllers and data protection authorities? The number of access requests to controllers in normal situations will probably be low and create very few problems. In special situations — for example, if news bulletins create massive interest in the contents of government or private insurance databases — such access tools may obviously create inconvenience for controllers. Access tools may also be used by action groups not to pursue access rights, but as ‘sabotage’, in reaction to businesses or governments who have started to collect certain types of sensitive information. However, whether or not these possibilities will actually create ‘power to the people’, is quite another question. A more realistic expectation may be that it will contribute to greater awareness among controllers and stimulate discussions.
Today, an increasing proportion of public agencies apply computer systems beyond systems for word processing, filing, accounts and so on. Systems are developed to match different sources of information, carry out information analyses, establish profiles to determine the probable need for information, and for control. Should data protection authorities refrain from employing such technology and instead chose the role of a pedestrian on the information highway? Will data protection authorities be associated with Big Brother, or will they even develop into one, if the execution of their powers is made more efficient by means of computerised systems? Such fears existed in the Norwegian expert committee that prepared the Personal Information Act. The concerns resulted in rather prudent views regarding how the Data Inspectorate ought to employ information and communication technology.
It could be claimed that data protection authorities have the choice of strengthening their position as an authority with real powers and influence, or turning into a mere symbol. The rationale behind such an assertion is the fact that modern processing of personal data is widespread in society, and such processing is often — controlled by complex and opaque computer programs that interact with other programs through computer networks. Some of the effects on data protection of this processing may be studied without technological tools (although many are hidden). However, causes of and solutions to the related data protection problems often require technological skills and tools. Thus, as the processing of personal data becomes increasingly advanced, authorities must develop strategies that enable them to reveal inconsistencies between legal requirements and actual processing of personal data. This not only requires acquisition of technological knowledge and skills among the staff, but also a capability to deal with a high number of controllers of personal data processing. Such a capability requires a certain level of computerised case processing by the data protection authorities.
A ‘moment of truth’ for the data inspectorates may come when approval is given for advanced and wide-ranging use of computer systems by them in order to cope with technological developments and make the enforcement of the Act more efficient. Effective use of computer tools may move data inspectorates to infringe the very principles that they expect others to follow. What should the limits of control be, and to what extent should there be restrictions on the processing of personal data and other data that are integral parts of the inspectorate’s exercise of government powers?
The fact that enforcement of data protection legislation may create data protection problems is in one sense no more surprising than the fact that exercise of government powers generally creates such problems. On the other hand, it may be natural to expect (or hope!) that data inspectorates lay more emphasis on living up to data protection legislation and principles than others. However, unless they dare to challenge traditional thinking about how they should exercise their powers, data protection authorities might run the risk of preventing themselves from establishing a control regime that is in proportion to the threats. In other words, a data protection authority that emphasises data protection to a larger extent than that which follows from the data protection legislation, and thus refrains from making full use of technological tools, runs the danger of developing into a weak authority.
The other possibility is, of course, that data inspectorates make full use of information technology as a control measure, without being extra-cautious about the risk of infringing the ‘ideals’ of data protection. In which case, the question is ‘who is inspecting the inspector’; that is, who will see to it that data protection authorities apply methods and tools in accordance with data protection legislation? Will they evaluate their own notifications (cf. art. 18) and handle their own licences (art. 20)? A general challenge is the possibility that extensive and intensive use of information and communication technology by data inspectorates may make them too powerful. Unlike most institutions in society, they may find themselves in a situation where they are only subject to judicial control. But what kind of assurance is that in a field where it has been established that courts of justice play a very modest role? (see Lee A Bygrave ‘Where have all the judges gone?’ (2000) 7 PLPR 15).
In Norway (and I believe in many other countries), the legislative process contains standard evaluations of (costly) administrative effects of new statutes. We lack a systematic approach to the question of what it takes to realise the potential of new laws. In this small article I have discussed the use of IT to make data protection laws more effective, and I have pointed to some possible effects of privacy enhancing computer tools in the hands of the data subject and data protection authorities. These few sketches of computer applications in the field of data protection are put together in order to emphasise that the significance of these new laws will vary greatly according to the level of computer support available. If we consider all the possibilities of assisting data protection authorities, data subjects and controllers of personal data processing by means of information technology, it may be claimed that the effects of data protection laws will be much stronger than what could be foreseen in 1995 when the Data Protection Directive was adopted. However, this is certainly no automatic development: data inspectorates may still choose to collect their information on paper documents that pile up on their desks, data subject may still have to struggle in order to compose and dispatch a request for access to information, and controllers may choose to comply with their duty to inform data subjects by writing to them individually.
If information technology is not put into service for the advancement of data protection interests, it is this author’s defeatist belief that data protection laws will gradually be dismissed as excessive and bureaucratic; and the same will happen if information technology is used to make the data protection authorities too powerful and uncompromising in their pursuit of improved data protection. If technology is used in a balanced way by data protection authorities, and in innovative and helpful ways in relation to data subjects and controllers, then the position of data protection will be considerably strengthened.
Dag Wiese Schartum is a researcher in the Section for Information Technology and Administrative Systems, University of Oslo, Norway.