Journal of Information, Law and Technology
The Citizens’ Data Protection
Peter Blume
This is a Refereed Article published on 27 February 1998.
Citation: Blume P, 'The Citizens’ Data Protection’, Refereed Article, 1998 (1) The Journal of Information, Law and Technology JILT). <
Abstract:
The purpose of this article is to discuss in which way data protection rules should be drafted in order to give the interests of data subjects primary importance. Basic general problems as the difficulty in assessing what data subjects view as private and whether data subject consent should be sufficient to legitimize data processing are considered. Examples are taken from Danish law and cover matching, the purpose limitation principle and direct marketing. Both the public and the private sector are included in the considerations.
Key words: data protection, EU directive, citizen’s rights.
1. The Problems
The start point of data protection is the desire to shield the citizen. Its purpose is to ensure that personal data are not processed in ways which make it likely that personal integrity and privacy will be infringed or invaded. Seen from the perspective of the citizen, data protection law is accordingly very important. It can promote a satisfactory balance of legal rights in the information society and thereby ensuring that such a society becomes acceptable viewed from the perspective of the individual citizen. In many of the general information society blueprints, agendas etc., privacy is emphasized. It is well known that modern information technology potentially can reduce the private sphere of citizens and that this risk has to be avoided in order to ensure that the new society corresponds with democratic traditions and values. However, this assumption is not necessarily stated in the plans for the sake of citizens but maybe more with the purpose of ensuring that modern technology will be used to its full potential. An active policy and awareness by and on behalf of citizens is constantly a necessity. A main problem in this respect concerns what forms of regulation actually benefits citizens and how their interests can be determined.
From this perspective it is appropriate to consider whether the interests of citizens are satisfied in the data protection law we know today. This is in particular appropriate as EU directive 95/46 requires to be implemented in the member countries before October 24 this year. It is unlikely that further major changes in European data protection law will occur for some years after the transposition.
In some ways it could seem unnecessary to consider such questions. As data protection is in the interest of the citizen this regulation must as a starting point be acceptable. As is well-known life is not that simple. There are many opposing interests that are active within this field and it is a constant battle to ensure that these interests are balanced and that those of citizens are sufficiently protected. In this respect it is well-known that the interests of citizens are often taken for granted and that legal policy discussions often focus on the modifications of privacy with the consequence that the resulting legal regulation does not always provide the ideal protection. This is due to the fact that data users/controllers are better represented in the policy discourse than data subjects, who in some senses have no natural representatives.
It is this situation that creates opposition and pressure against data protection that can be observed in most countries. A satisfactory balance of interests can accordingly be very difficult to maintain. This general problem is included in this article taking its starting point in different specific data protection issues leading to some concluding general observations. The article does not merely confront data subjects and controllers but also takes a closer look at the data subject trying to determine what his interests are, whether they are common or individual and whether the data subject is able to manage his own rights. These considerations demonstrate the complexity of the regulatory situation.
Before embarking on this journey it is appropriate to take a further look at the opposing interests this time with emphasis on the controllers. Both in the private and the public sector there is a huge interest in utilizing personal data. This is to some extent not a new phenomenon but it can, however, also be seen as a natural consequence of the information society. It is evident that many authorities and corporations cannot function without access to personal data. With this background it can be assumed that there is a societal need for personal data. To what extent this exists however has to be assessed case by case. It should not be taken for granted and sound reasons must sustain the interest in using personal data.
The starting point taken here is that personal data belongs to the data subject but that there can be situations in both public and private sectors where it is necessary that others use these data. It then depends on the underlying reasons under what conditions this can be allowed. This test should always be carried out not just with respect to the general rules but also in the concrete application of the rules. This is particularly important as data protection rules often are legal standards with no evident legal meaning. They have to be interpreted and often only acquire their real meaning in practice.
2. The Public Sector
In principle, public authorities in democratic societies act on behalf of the citizens. Although the notion of privacy is in many ways linked to the citizen-state relationship, it is a natural presumption that public authorities can process personal data as this is necessary for the tasks they have to perform under statute. It is however well-known that the authorities can easily infringe privacy and that in all administrative systems there is an urge to collect, store and use data, an urge which must be curtailed by legal regulation. This is one of the functions of traditional administrative law and extends to data protection law.
It is often very difficult to determine the extent of legal limitations and in the following sections one of the most complex and important questions in this respect will be discussed. This concerns the diffusion of data within the public sector, which includes both ordinary disclosures and matchings. The following analysis is based on developments within the public sector in Denmark, but similar problems exist in all developed countries. It should however be mentioned that Denmark is probably the country in the world with most registers containing personal data in the public sector. This is mainly due to the complexity of administration of the Danish social welfare state with its expansive and detailed legislation. In this respect it should be noticed that each time a new right is instigated in social law it is made legitimate to process new kinds of personal data.
The extensive collection of personal data makes it natural to consider how these can be utilized on a broader scale. Traditionally the different registers have been linked to individual authorities each one having their specific tasks. Disclosure of data to another authority or with the purpose of being used for another kind of task has required authority in the Data Protection Act or another statute. Matching is treated in the same way as other forms of disclosures. The starting point has been that disclosure should only take place in few cases and that it was fundamental that usage of the data be determined by the purpose of the file. This fundamental structure is now threatened by technological developments such as networks and personal computers. The possibilities of diffusion have largely increased and this coincides with the aforementioned administrative urge to use information. These developments encourage a policy of free sharing of personal data within public authorities.
It is interesting to note that it is often argued that such a situation will be beneficial for citizens. There are two reasons for this point of view. First that citizens will only have to provide the same information once to the public administration.[1] The nuisance of having to answer the same questions from different authorities is avoided. This means a better service. Secondly free diffusion will mean that administration becomes more cost-efficient and thereby cheaper implying that taxes can be reduced.
These arguments are interesting because they aim at confronting the interest of privacy with other interests of the individual. They might show that it is not easy to determine what is in the interest of the individual. In particular the tax argument is interesting as it puts focus on the collective interest of individuals. It should in this respect be maintained that privacy is linked to the single individual. It is an essential characteristic that this right is individualistic and it should as a starting point not be subjected to collective interests. Such arguments can be relevant but not with respect to the assessment of the individual´s interest. In other words in an actual case the considerations of administrative efficiency must be placed on the other side of the balance when a data protection regulation is drafted. It should however be mentioned that there are situations where individuals do not have the same interest or where this is ambiguous. Examples are given below. Here it is not always possible to regulate in a way that suits everyone. This does not however mean that the collective interest overrides that of the individual.
More generally it can be observed that the idea of free diffusion of data in the public sector is one of the most feared when seen from a data protection perspective. It would mean that the state (central and local government) was one big entity and that it in many ways will become non-transparent in relation to how personal data are being processed. This observation means that such a development must be opposed and it is likely that this will be one of the most important legal policy issues in the future. In this connection it should be added that this issue cannot be fully resolved by way of statutory rules and accordingly will involve a day to day legal policy struggle.
Closely connected to this is the fundamental purpose limitation principle, now stated in article 6 (1b) of the EU directive. This well-known principle cannot in general be defined precisely by a legal draftsman and is dependent on practice. The developments described above can be viewed as an attack on this principle which, from the viewpoint of citizens, is essential as constituting the key to transparency. An important task for data protection law is to consider how to ensure that the requirement for purpose specification is taken seriously and actually does provide the necessary transparency for citizens. The difficulties are that the consequences of the principle are dependent on practice and the attitude of the national supervisory authority. It is this authority that can promote the interests of citizens by a firm policy towards authorities who want to use broad purposes when collecting data thereby gaining freedom of processing. The supervisory authority does not have an easy position as whilst as it will have to make decisions that will be strongly opposed, it normally does not have sufficient powers to apply in the public sector. It is accordingly important closely to monitor the practice of the authority and also to support the efforts it is making. Such open and broad support can strengthen the position of the authority and thereby sustain the purpose limitation principle.
This is in other words an example of a citizen oriented principle that can only function if it is constantly upheld and defended. This is in many ways typical for many data protection principles. It is not sufficient that they are stated in statute law. This is just the beginning of the protection. This observation is particularly important as it focuses on the intentions of legislators. It must always be evaluated whether their intention merely is to make fine sounding law or whether they truly want their provisions carried out. This should not be taken for granted and there is always a risk that the principles become dead letter law. It must be recognized that it in many cases will be difficult for the supervisory authority and the courts to prevent this situation.
With respect to the public sector it is important to notice the social dimension of data protection law. It is interesting to consider which citizens are being protected by data protection law in this sector. The answer is from the outset fairly simple. It is the citizens that have information processed. Apart from certain areas such as taxation, it is interesting to notice that it is primarily underprivileged parts of the population whose data are processed by public authorities. It could be argued that, seen from this perspective, data protection becomes part of social law.
From this observation follows that the protected citizens are characterized by being unable to defend their own rights. It is well-known that they have difficulties in communicating with the authorities and that they often fear such communication. In particular they have difficulties in understanding and using official language. Many citizens are communicative ‘have nots’. An example might be a request for access where the weak citizen will feel that he troubles the authority and consequently will not file such a request. This is in particular evident when the civil servant receiving the access request is the same person who decides whether the citizen should be granted social benefits.
More generally it can be assumed that the many rights that are given to citizens cannot in practice be used by many individuals. This is a disturbing observation. It is tempting to conclude that these rights cannot be dependent on the initiative of the individual citizen. This, of course, challenges a basic assumption within data protection law which makes data subject consent the primary condition of data processing. It seems logical that processing of data can take place when the citizen unambiguously consents as the rules actually protects the citizen. However this line of thought presupposes that the citizen is both informed and can freely decide whether he wants to give his consent.
If this is not the case, the notion of consent will often be an illusion and this makes it necessary to make processing dependent on other conditions. In current Danish law sensitive data can only be processed when this is necessary[2] and it is accordingly not sufficient to have consent. Unfortunately this will probably be changed due to the EU directive in which article 8 makes consent a sufficient condition unless otherwise stated in national law. With this in mind it becomes an important policy issue how to ensure that true consent is actually given (see also article 2b). This seems to be very difficult as it is not possible to monitor all processing situations. It is also a complication that consent does not have to be in writing although even this would not fully solve the problem. The main requirement must be the provision of information to the data subjects. In this it should be emphasized that a data subject is never obliged to give his consent and that this should only be given in a defined way in order to limit the amount of data that can be processed. There is little cause for optimism with respect to the effect of such information. It must be accepted that in practice there will be many cases where data are processed in reality against the will of the data subject.
This disturbing fact should not lead to the conclusion that there is no need for data protection law. It must be assumed and in most cases it will be correct that public authorities aim at complying with the law which means that personal data are more secure than they would be without this regulation. The main message is that formal data protection law is not the final word in the fight for privacy in the public sector, it is just the starting point.
3. The Private Sector
Many of the general observations made in the previous section also apply to data protection in the private sector. In particular it is always important not to be impressed by the drafting of the formal rules. The main questions arise in practice. From a general point of view the private sector is interesting because the main theme concerns protection of citizens´ privacy in relation to other citizens and organisations of citizens, including corporations. This can be seen as a totally different ball game and it has often been discussed whether the state should intervene in this relationship. Today it is recognized in Europe that such intervention is necessary but it is still possible to view the specific issues differently from those in the public sector. In particular it must be observed that promotion of pr2ivacy often implies a limitation of the freedom of others. This simple consequence must always be considered when the actual regulation is drafted.
In this connection the question of costs should also be mentioned. It is often argued that data protection is expensive and that this in itself means that an ideal regulation is unwanted. Even though costs often are exaggerated the argument has some substance. It focuses on whether the individual owns his data and others therefore have to pay a price for using them or whether ownership must be seen as limited in some way. In many countries current law can be seen as a combination of these two assumptions. The data subject cannot in many cases prevent processing of his data but the controller has a duty to provide access and in some situations certain kinds of information. It could be a general starting point that private enterprise needs to be able to use personal information and that this in many cases must be accepted for societal reasons but that this information must also be seen as a commodity that has to be paid for thereby resulting in general costs. It can of course always be discussed how high this price should be but this is mainly a practical issue. As indicated above the costs are normally in reality quite modest.