
EPIC --- Privacy and Human Rights Report 2006


The Evolution of Data Protection

Interest in the right of privacy increased in the 1960s and 1970s with the advent of information technology. The surveillance potential of powerful computer systems prompted demands for specific rules governing the collection and handling of personal information. The genesis of modern legislation in this area can be traced to the first data protection law in the world enacted in the Land of Hesse in Germany in 1970. This was followed by national laws in Sweden (1973), the United States (1974), Germany (1977), and France (1978).[38]

Two crucial international instruments evolved from these laws. The Council of Europe's 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data[39] and the Organization for Economic Cooperation and Development (OECD) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data[40] set out specific rules covering the handling of electronic data. These rules describe personal information as data that are afforded protection at every step from collection to storage and dissemination.

The expression of data protection in various declarations and laws varies. All require that personal information must be:

• obtained fairly and lawfully;

• used only for the original specified purpose;

• adequate, relevant and not excessive to purpose;

• accurate and up to date;

• accessible to the subject;

• kept secure; and

• destroyed after its purpose is completed.

These two agreements have had a profound effect on the enactment of laws around the world. Nearly thirty countries have signed the CoE convention and several others are planning to do so shortly. The OECD guidelines have also been widely used in national legislation, even outside the OECD member countries.

Rationales for Adopting Comprehensive Laws

There are three major reasons for the movement towards comprehensive privacy and data protection laws. Many countries are adopting these laws for one or more of these reasons.

To remedy past injustices. Many countries, especially in Central Europe, South America and South Africa, are adopting laws to remedy privacy violations that occurred under previous authoritarian regimes.

To promote electronic commerce. Many countries, especially in Asia, have developed or are currently developing laws in an effort to promote electronic commerce. These countries recognize that consumers are uneasy with the increased availability of their personal data, particularly with new means of identification and forms of transactions, and with their personal information being sent worldwide. Privacy laws are being introduced as part of a package of laws intended to facilitate electronic commerce by setting up uniform rules.

To ensure laws are consistent with Pan-European laws. Most countries in Central and Eastern Europe are adopting new laws based on the Council of Europe Convention No. 108 and the EU Data Protection Directive. Many of these countries hope to join the European Union in the near future. Countries in other regions are adopting new laws or updating older laws to ensure that trade will not be affected by the requirements of the European Union Directive.

The European Union Data Protection Directives

In 1995, the European Union enacted the Data Protection Directive in order to harmonize member states' laws in providing consistent levels of protections for citizens and ensuring the free flow of personal data within the European Union. The directive sets a baseline common level of privacy that not only reinforces current data protection law, but also establishes a range of new rights. It applies to the processing of personal information in electronic and manual files.[41]

A key concept in the European data protection model is "enforceability." Data subjects have rights established in explicit rules. Every European Union country has a data protection commissioner or agency that enforces the rules. It is expected that the countries with which Europe does business will need to provide a similar level of oversight.

The basic principles established by the Directive are: the right to know where the data originated; the right to have inaccurate data rectified; a right of recourse in the event of unlawful processing; and the right to withhold permission to use data in some circumstances. For example, individuals have the right to opt-out free of charge from being sent direct marketing material. The Directive contains strengthened protections over the use of sensitive personal data relating, for example, to health, sex life or religious or philosophical beliefs. In the future, the commercial and government use of such information will generally require "explicit and unambiguous" consent of the data subject.

The 1995 Directive imposes an obligation on member states to ensure that the personal information relating to European citizens has the same level of protection when it is exported to, and processed in, countries outside the European Union. This requirement has resulted in growing pressure outside Europe for the passage of privacy laws. Those countries that refuse to adopt adequate privacy laws may find themselves unable to conduct certain types of information flows with Europe, particularly if they involve sensitive data.

In 1997, the European Union supplemented the 1995 directive by introducing the Telecommunications Privacy Directive.[42] This directive established specific protections covering telephone, digital television, mobile networks and other telecommunications systems. It imposed wide-ranging obligations on carriers and service providers to ensure the privacy of users' communications, including Internet-related activities. It covered areas that, until then, had fallen between the cracks of data protection laws. Access to billing data was severely restricted, as was marketing activity. Caller ID technology was required to incorporate an option for per-line blocking of number transmission. Information collected in the delivery of a communication was required to be purged once the call was completed.

In July 2000, the European Commission issued a proposal for a new directive on privacy in the electronic communications sector. The proposal was introduced as a part of a larger package of telecommunications directives aimed at strengthening competition within the European electronic communications markets. As originally proposed, the new directive would have strengthened privacy rights for individuals by extending the protections that were already in place for telecommunications to a broader, more technology-neutral category of "electronic communications." During the process, however, the Council of Ministers began to push for the inclusion of data retention provisions, requiring Internet Service Providers and telecommunications operators to store logs of all telephone calls, e-mails, faxes, and Internet activity for law enforcement purposes. These proposals were strongly opposed by most members of the Parliament. In July 2001, the European Parliament's Civil Liberties Committee approved the draft directive without data retention, stating:

The Civil Liberties Committee (LIBE Committee) expressed itself in favour of a strict regulation of law enforcement authorities' access to personal data of citizens, such as communication traffic and location data. This decision is fundamental because in this way the EP blocks European Union States' efforts underway in the Council to put their citizens under generalised and pervasive surveillance, following the Echelon model.

Following the events of September 11, however, the political climate changed and the Parliament came under increasing pressure from member states to adopt the Council's proposal for data retention. The United Kingdom and the Netherlands, in particular, questioned whether the proposed privacy rules still struck "the right balance between privacy and the needs of the law enforcement agencies in the light of the battle against terrorism."[43] The Parliament stood firm and up to a few weeks before the final vote on May 30, 2002, the majority of the Members of Parliament opposed any form of data retention. Finally, after much pressure by the European Council and European Union governments, and well organized lobbying by two Spanish MEPs,[44] the two main political parties (PPE and PSE, the center-right and center-left parties) reached a deal to vote in favor of the Council's position.

On June 25, 2002 the European Union Council adopted the Privacy and Electronic Communications Directive as voted in the Parliament.[45] Under the terms of the new Directive, member states may now pass laws mandating the retention of the traffic and location data of all communications taking place over mobile phones, SMS, landline telephones, faxes, e-mails, chatrooms, the Internet, or any other electronic communication device. Such requirements can be implemented for purposes varying from national security to the prevention, investigation and prosecution of criminal offences.

On March 15, 2006 the European Union Council adopted a Directive on Mandatory Retention of Communications Traffic Data, which obliges Member States to require communications providers to retain communications data for a period of between 6 months and 2 years. Member States have until September 16, 2007 to transpose the requirements of the Directive into national laws; however, a delay of 18 additional months, until March of 2009, is available. Sixteen of the 27 member states of the EU have declared that they will delay the implementation of data retention of Internet traffic data for the additional period.[46] Implementation of the Data Retention Directive continues to be controversial.

In other areas, the Privacy and Electronic Communications Directive had a more favorable outcome. For example, it adds new definitions and protections for "calls," "communications," "traffic data" and "location data" in order to enhance the consumer's right to privacy and control in all kinds of data processing. These new provisions ensure the protection of all information ("traffic") transmitted across the Internet, prohibit unsolicited commercial marketing by e-mail ("spam") without consent, and protect mobile phone users from precise location tracking and surveillance. The directive also gives subscribers to all electronic communications services (such as GSM and e-mail) the right to choose whether they are listed in a public directory.

The APEC privacy initiative

The 21 APEC economies (Asia-Pacific Economic Cooperation) commenced development in 2003 of an Asia-Pacific privacy standard, and in 2004 may develop a procedure for handling data export limitation issues.[47] This may become the most significant international privacy initiative since the European Union's Data Protection Directive of the mid-1990s. In February 2003, Australia put forward a proposal for the development of APEC Privacy Principles, using the 20-year-old OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)[48] as a starting point.[49] A Privacy Sub Group was set up comprising Australia, Canada, China, Hong Kong, Japan, Korea, Malaysia, New Zealand, Thailand and the United States. In March 2004, Version 9 of the APEC Privacy Principles was released as a public consultation draft.[50] APEC Ministers endorsed the APEC Privacy Framework in November 2004. Implementation mechanisms, including mechanisms relating to trans-border data flows, are now under consideration but no drafts have yet been made public.

The positive side of the APEC privacy initiative is that it has the potential to encourage the development of stronger privacy laws in those APEC economies that at present provide little privacy protection (the majority), and to help find a regional balance between the protection of privacy and the economic benefits of trade involving personal data. The negative side is that it also presents considerable potential dangers to long-term regional privacy protection if it becomes a means by which the APEC economies accept a second-rate standard. Globally, a high APEC standard could be a means of resolving international data export issues, but low APEC standards could entrench a privacy confrontation between Europe and the Asia-Pacific. The history to date of the APEC initiative shows that the dangers are as great as the potential benefits, but a valuable outcome for privacy protection is still possible.

Criticisms of the APEC Principles emphasize that they do not even meet the 20-year-old OECD standard, whereas they should include some significant strengthening where the OECD guidelines are now too weak.[51] The Australian Privacy Foundation (APF) and the Asia-Pacific Privacy Charter Council (APPCC)[52] have both identified[53] several key weaknesses.[54]

The Privacy Sub-group is also considering draft Implementation Mechanisms, which in the early drafts (Version 3) have major weaknesses in comparison with prior international privacy instruments.[55] These initial proposals raise doubts as to whether the APEC process will be able to adequately protect human rights across the Asia-Pacific.

Iberoamerican Data Protection

Regional privacy issues are also under consideration in Latin America. In 2007, at a seminar held in Colombia, representatives of twelve Latin American countries, in addition to Spain and Portugal, stressed the need to implement harmonised measures for the protection of personal data that would enable the free flow of information, thus facilitating trade. Different data protection levels in Latin America and Europe represent an obstacle to economic activities that require a constant flow of information, particularly because very few Latin American countries have legislation in this area. The basic guidelines and principles of data protection that are traditionally used in international agreements in the area, such as the principles relating to the purpose and quality of the data, and the data subjects’ rights of access, correction, cancellation and opposition, were established and it was agreed that they would be transposed into national law.[56]

[38] An excellent analysis of these laws is found in David Flaherty, Protecting Privacy in Surveillance Societies (University of North Carolina Press 1989).

[39] ETS No. 108, Strasbourg, 1981, available at <>.
[40] OECD, Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data (1981), available at <,3343,en_2649_201185_1815186_1_1_1_1,00.html>.

[41] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data, available at <>.

[42] Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector (Directive), available at <!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31997L0066&model=guichett>.

[43] Jelle van Buuren, "Telecommunication Council Wants New Investigation Into Privacy Rules," Heise Online, October 17, 2001.
[44] Respectively, MEPs Ana Palacio Vallelersundi and Elena Paciotti, members of the PPE (European Peoples' Party/Christian Democrats) and PSE (Social Democrats) political parties.

[45] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), available at <>.

[46] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, available at <>.

[47] For information on APEC and its 21 member economies, see the APEC Secretariat home page <>.
[48] OECD, Paris, 1980 <>.
[49] These documents can be obtained at <> in the directory Publications / Publications and Library / E-Commerce.
[50] <>. See generally <>.

[51] See the series of articles by Graham Greenleaf at <> which trace these criticisms through successive versions of the APEC principles.
[52] The APPCC is a regional expert group formed in 2003 to develop independent standards for privacy protection in the Asia-Pacific region, in order to influence the enactment of privacy laws and international agreements in the region in accordance with those standards. See <>.
[53] See <> (APF) and <> (APPCC).
[54] The categories of "national exceptions" are open-ended, and should at least be identified in general terms; there are ineffective controls on the scope of any particular "national exception;" notice is not clearly required to be given to individuals from whom information is collected; collection is not limited to the minimum information necessary for purpose; secondary uses are allowed for "compatible" purposes, a very weak test; the elevation of "choice" (or consent) to a separate Principle facilitates the commodification of privacy; "commercial proprietary" reasons should not be an exception to access and correction; "Maximising Benefits" should not become a Principle; the OECD Principles of Purpose Specification, Openness and Data Export Limitation are missing and their content should be reinstated; at least an additional Deletion Principle should be added for a minimum set of Principles.

[55] National implementation by legislation is not required, with economies allowed to choose what implementation options are sufficient to give effect to the substance of the Principles. There is no identification of the circumstances in which personal data export restrictions may be legitimate (contra OECD). The strongest method of assessment of national non-compliance under consideration is "self-assessment by economies coupled with peer review."

[56], “Spanish Data Protection Agency: Representatives of different institutions establish guidelines for the regulation of data protection in Iberoamerica,” June 25, 2007, <>.
