Kierkegaard, Sylvia; Waters, Nigel; Greenleaf, Graham; Bygrave, Lee A.; Lloyd, Ian; Saxby, Stephen --- "30 years on: The review of the Council of Europe Data Protection Convention 108" [2011] UNSWLRS 50
Last Updated: 15 December 2011
30 years on: The review of the Council of Europe Data Protection Convention 108
Sylvia Kierkegaard (a), Nigel Waters (b), Graham Greenleaf (c), Lee A. Bygrave (d), Ian Lloyd (e), Steve Saxby (f)[1]
This paper is available for download at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1972647
Citation
This article was published in (2011) Computer Law and Security Review (CLSR) 27: 223-231. This paper may also be referenced as [2011] UNSWLRS 50.
Abstract
The Council of Europe celebrates in 2011 the 30th Anniversary of its Data Protection Convention (usually referred to as Convention 108) which has served as the backbone of international law in over 40 European countries and has influenced policy and legislation far beyond Europe. It is the only legally binding international treaty dealing with privacy and data protection. With new data protection challenges arising regularly, the Council is revising Convention 108 to attempt to meet and overcome these challenges. This paper was a joint submission by its authors on behalf of Computer Law and Security Review (CLSR), the International Association of IT Lawyers (IAITL) and ILAWS, University of Southampton, in response to the Expert Committee’s public consultation on the Convention.
Some of the main submissions made are:
- The Convention should remain a simple, concise and technologically neutral instrument, while at the same time recognising and addressing some new characteristics of the present and future technological environment.
- It would not be helpful to try to define the right to privacy in a data protection Convention. It would be helpful to include “collection” in the definition of automatic processing so that all of the principles apply, where relevant, to collection. Both the proportionality principle (which should apply to all operations carried out on the data) and the data minimisation principle (which aims at limiting the collection of personal data to a strict minimum or even to cease personal data collection when possible) are significant principles which could valuably be added, and we strongly support their inclusion.
- A right to be forgotten in respect of online data (that is, people should be able to give informed consent to every site or service that processes their data, and they should also have the right to ask for all of their data to be deleted).
- The concept of consent, if it is used, needs to be expressly defined as meaning free, voluntary, informed and revocable at any time, and not bundled with other consents.
- Compatibility (of secondary uses) is a subjective concept, and would be better expressed as “uses or disclosures” which are within the reasonable expectations of the data subject (to which a “reasonable person” test would be applied).
- Full application of privacy principles to the behaviour of private individuals would be onerous and oppressive, threatening other important freedoms and rights, but some controls and restrictions are justified. This is best handled by a broad statement of privacy protection in the ECHR and similar human rights instruments, at the international level.
- A right for data subjects to be informed of data breaches affecting them that meet specified threshold criteria should stand alone as a separate principle.
- There would be no need for separate principles or rules for traffic or location data if personal data is defined as expressly including any information which enables or facilitates communication with a person on an individualised basis, whether or not it meets the current definition of personal data.
- There should be an obligation to demonstrate that measures have been taken to ensure full respect for data protection rules, but “accountability” cannot be and must not become an alternative to data export restrictions.
- Allowance for anonymity should be made a basic data protection principle in itself, with pseudonymity as the first fall-back option when anonymity cannot be achieved for legal or technical reasons.
- One particular task of a supervisory authority that needs to be spelled out is the obligation to account for their performance of their complaint investigation obligations, including by reporting to the public, on objectively determined criteria, of cases investigated (anonymised to the extent necessary to protect privacy but not otherwise), and by statistics including those on outcomes and remedies.
- It remains appropriate to require an adequate level of protection as a condition of cross-border transfer.
[1] (a) President International Association of IT Lawyers, Visiting Professor, University of Southampton, United Kingdom; (b) Visiting Fellow, University of New South Wales, Law Faculty and formerly Deputy Commonwealth Privacy Commissioner, Australia; (c) Professor of Law & Information Systems, University of New South Wales (UNSW), Co-Director, Australasian Legal Information Institute (AustLII); (d) Associate Professor, Department of Private Law, University of Oslo; (e) Senior Research Fellow, ILAWS, University of Southampton; (f) Professor of Law, Faculty of Business and Law, University of Southampton.
URL: http://www.austlii.edu.au/au/journals/UNSWLRS/2011/50.html