
The Evolution of Data Protection

In the document Mobility, Data Mining and Privacy (pages 119-123)


4.2 Privacy Regulations

4.2.2 The Evolution of Data Protection

Interest in the right of privacy increased in the 1960s and 1970s with the advent of information technology. The surveillance potential of powerful computer systems prompted demands for specific rules governing the collection and handling of personal information. The genesis of modern legislation in this area can be traced back to the first data protection law in the world, which was enacted in the Land of Hesse in Germany in 1970. This was followed by national laws, enacted in Sweden (1973), the United States (1974), Germany (1977), and France (1978).

Two crucial international instruments evolved from these laws: (1) the Council of Europe’s 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data[2] and (2) the Organization for Economic Cooperation and Development (OECD) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data.[3] These policies set out specific rules covering the handling of electronic data and rules that describe personal information as data that are afforded protection at every step from collection to storage and dissemination.

4.2.2.1 The European Union Data Protection Directives

In 1995, the European Union enacted the Data Protection Directive[4] to harmonize member states’ laws. The goal of the directive is to provide consistent levels of protections across Europe for citizens to ensure the free flow of personal data within the European Union. The directive sets a common baseline level of privacy that not only reinforces current data protection law but also establishes a range of new privacy rights. The directive applies to the processing of personal information in electronic, as well as paper, files.

A key concept in the European data protection model is “enforceability.” Data subjects are endowed with rights that are established in explicit rules. Every European Union country must have a data protection commissioner, or agency, that enforces the rules. Moreover, it is expected that the countries with which Europe does business must provide a similar level of oversight.

The directive established several basic principles for European citizens. These principles include the following rights:

– The right to know where the data originated

– The right to have inaccurate data rectified

– The right of recourse in the event of unlawful processing

– The right to withhold permission to use data in some circumstances

For example, individuals have the right to opt-out, free of charge, from direct marketing. The directive contains strengthened protections over the use of sensitive personal data relating, for example, to health, sexual orientation and endeavors, religious preference, and philosophical beliefs.

The 1995 directive imposes an obligation on member states to ensure that the personal information relating to European citizens has the same level of protection when it is exported to, and processed in, countries outside of the European Union.

[2] http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm

[3] http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html

[4] http://www.cdt.org/privacy/eudirective/EU Directive.html

This requirement has resulted in growing pressure outside of Europe for the passage of more strict, as well as internationally governed, privacy laws. Countries that refuse to adopt adequate privacy laws may find themselves unable to continue certain types of information flows with Europe, particularly if they involve sensitive data.

In 1997, the European Union supplemented the 1995 directive through the introduction of the Telecommunications Privacy Directive.[5] The 1997 directive established specific protections for emerging technologies covering telephone, digital television, mobile networks, and other telecommunication systems. The 1997 directive imposed wide-ranging obligations on carriers and service providers to ensure the privacy of users’ communications, including Internet-related activities.

In July 2000, the European Commission issued a proposal for a new directive on privacy that would apply to the electronic communication sector. The proposed amendments were to strengthen privacy rights for individuals through the extension of protections that were already in existence. During the process, however, the Council of Ministers pushed for the inclusion of data retention provisions that would require Internet service providers and telecommunication operators to store logs of all telephone calls, e-mails, faxes, and Internet activity for law enforcement purposes for up to 2 years. The goal of data retention was to assist in the prevention of terrorism and organized crime. However, the proposal for the inclusion of data retention provisions was met with varying degrees of opposition, in the fear that such collection and storage put an individual’s control over their information, and their privacy, at greater risk.

Following the events of September 11 in the United States, the political climate changed and the European Parliament was under increasing pressure from member states to adopt the Council’s proposal for data retention. It finally reached a deal in favor of the Council’s position and on 25 June 2002 the European Union Council adopted the new privacy and electronic communication directive as voted in the Parliament. Under the terms of the new directive, member states may now pass laws mandating the retention of the traffic and location data of all communications taking place over mobile phones, SMS, landline telephones, faxes, e-mails, chatrooms, the Internet, or any other electronic communication device. Similar data retention regulation proposals are currently under heated debate in the United States Congress.

4.2.2.2 The APEC Privacy Initiative

In 2003, the Asia–Pacific Economic Cooperation (APEC), which consists of 21 countries, commenced the development of an Asia–Pacific privacy standard. This is one of the most significant international privacy initiatives since the establishment of the European Union’s Data Protection Directive in the mid-1990s. In February 2003, Australia submitted a proposal for the development of APEC privacy principles, and recommended the use of the 20-year-old OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) as a starting model. A privacy subcommittee, composed of Australia, Canada, China, Hong Kong, Japan, Korea, Malaysia, New Zealand, Thailand, and the United States, was established to handle the composition of the principles. In March 2004, Version 9 of the APEC privacy principles was released as a public consultation draft.[6]

[5] http://www.dataprotection.ie/viewdoc.asp?m=&fn=/documents/legal/6aiii.htm

The APEC privacy initiative is notable in that it has the potential to encourage the development of stronger privacy laws in APEC countries. Currently, the APEC members provide little in the way of standardized privacy protection. The development of a common directive will help in providing a regional balance between the protection of privacy and the economic benefits of trade involving personal data.

Yet, the development of a directive has potential negative consequences. Specifically, the adoption of privacy principles is dangerous to long-term regional privacy protection if it becomes a means by which the APEC economies accept a second-rate standard. At the present time, criticisms of the APEC principles emphasize that they do not satisfy, let alone strengthen, the 20-year-old OECD standards, which are now too weak in the face of the information age.

4.2.2.3 Data Havens and the Safe Harbor Arrangement

The ease with which electronic data flow across national borders is cause for concern that data protection laws could be circumvented through the transfer of personal information to third countries where the law of the country of origin does not apply. By doing so, the data could be processed in the receiving country, a sort of “data paradise” used to avoid compliance with strict privacy laws,[7] without legal limitations. For this reason, most data protection laws include restrictions on the transfer of information to other countries unless information protection in the receiving country is considered acceptable by the originating country. This requirement has resulted in growing pressure outside of Europe for the passage of strong international data protection laws. Determination of a data haven’s system for protecting privacy is made by the European Commission based on the principle that the level of protection in the data haven must be “adequate” rather than “equivalent.” An alternative model of protection is to allow the originating country to rely on a private contract that contains standard data protection contractual clauses. This type of contract would bind the data processor in the data haven to respect the fair information practices such as the right to notice, consent, and access. This model would permit data processors to define “adequate protection” in a context-specific manner. At the same time, however, a limitation to such a model is that data protection standards in a data haven would not be standardized, which could cause conflicting levels of privacy for transferred data.

[6] http://www.bakercyberlawcentre.org/appcc/

[7] Note that “data havens” are instead software and computer networks (e.g., Freenet) aimed at protecting privacy in countries where no privacy protection laws exist.

The European Commission never issued a formal opinion on the adequacy of privacy protection in the United States, although serious doubts were put forward regarding whether the United States’ sectoral and self-regulatory approaches to privacy protection provide an adequate standard as specified in the directive. The European Union commissioned two prominent United States law professors to investigate this matter. The result was a detailed report on the state of United States privacy protections that pointed out the many gaps in United States protection.[8] Despite concerns, the United States government strongly lobbied the European Union, and its member countries, to rule that the United States model of data protection was adequate. In 1998, the United States initiated the negotiation of a “Safe Harbor” agreement with the European Union to ensure the continued transnational flow of data.

The main premise of the Safe Harbor clause is that organizations in the United States will voluntarily self-certify to adhere to a set of privacy principles specified by the United States Department of Commerce and the Internal Market Directorate of the European Commission. The organizations in the United States would certify the adequacy of their safeguards, with respect to the principles, and thus would continue to receive personal data from organizations in the European Union. On 26 July 2000, the Commission approved the agreement, but promised to reopen negotiations on the arrangement if the remedies available to European citizens proved to be inadequate. Privacy advocates and consumer groups both in the United States and Europe are highly critical of the European Commission’s decision to approve the Safe Harbor clause. Many believe it will fail to provide European citizens with adequate protection for their personal data. The agreement rests on a self-regulatory system whereby organizations promise not to violate their declared privacy practices. Under the current model, there is little enforcement, or systematic review, of compliance. Furthermore, European citizens are not granted the opportunity to appeal data transfer, nor are they granted the right to compensation at the time of self-certification.
