B International Perspectives on Privacy

This appendix presents a global overview of how various countries, regions, and cultures address privacy-related concerns about the processing of personal information. It outlines the principal similarities and differences among various national and regional regulatory measures for addressing these concerns. Comparison is made not only of regulatory strategies but also of various national, regional, and cultural conceptualizations of the ideals and rationale of privacy protection.1

B.1 CONCEPTUALIZATIONS OF PRIVACY AND RELATED INTERESTS

As noted in Chapters 2, 4, and 5 of this report, there has long been interest in the United States in privacy, and “privacy” is a frequently used concept in public, academic, and judicial discourse.2 The concept has been especially prominent in discussion in the United States about the implications of the computerized processing of personal data. When this discussion took off in the 1960s, privacy was invoked as a key term for summing

1 Much of the information on international conceptions of the rationale for privacy protection presented in this appendix is based on the work of Lee Bygrave. See, for example, L.A. Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits, Kluwer Law International, The Hague/London/New York, 2002 (hereinafter cited as Bygrave, Data Protection Law, 2002). A full bibliography is available at http://folk.uio.no/lee/cv.

2 See, generally, Priscilla Regan, Legislating Privacy, University of North Carolina Press, 1995 (hereinafter cited as Regan, Legislating Privacy, 1995).




OCR for page 366
Engaging Privacy and Information Technology in a Digital Age B International Perspectives on Privacy This appendix presents a global overview of how various countries, regions, and cultures address privacy-related concerns about the processing of personal information. It outlines the principal similarities and differences among various national and regional regulatory measures for addressing these concerns. Comparison is made not only of regulatory strategies but also of various national, regional, and cultural conceptualizations of the ideals and rationale of privacy protection.1 B.1 CONCEPTUALIZATIONS OF PRIVACY AND RELATED INTERESTS As noted in Chapters 2, 4, and 5 of this report, there has long been interest in the United States in privacy, and “privacy” is a frequently used concept in public, academic, and judicial discourse.2 The concept has been especially prominent in discussion in the United States about the implications of the computerized processing of personal data. When this discussion took off in the 1960s, privacy was invoked as a key term for summing 1 Much of the information on international conceptions of the rationale for privacy protection presented in this appendix is based on the work of Lee Bygrave. See, for example, L.A. Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits, Kluwer Law International, The Hague/London/New York, 2002 (hereinafter cited as Bygrave, Data Protection Law, 2002). A full bibliography is available at http://folk.uio.no/lee/cv. 2 See, generally, Priscilla Regan, Legislating Privacy, University of North Carolina Press, 1995 (hereinafter cited as Regan, Legislating Privacy, 1995).

OCR for page 366
Engaging Privacy and Information Technology in a Digital Age up the congeries of fears raised by the (mis)use of computers.3 However, privacy has not been the only term invoked in this context. A variety of other, partly overlapping concepts have also been invoked—particularly those of “freedom,” “liberty,” and “autonomy.”4 The U.S. debate, particularly in the 1960s and early 1970s, about the privacy-related threats posed by computers exercised considerable influence on debates in other countries. As Hondius writes, “[a]lmost every issue that arose in Europe was also an issue in the United States, but at an earlier time and on a more dramatic scale.”5 Naturally, the salience of the privacy concept in U.S. discourse helped to ensure its prominence in the debate elsewhere. This is most evident in discourse in other English-speaking countries6 and in international forums where English is a working language.7 Yet also in countries in which English is 3 See, for example, Alan F. Westin, Privacy and Freedom, Atheneum, New York, 1967. In this pioneering work that prompted global privacy movements in many democratic nations in the 1970s, Dr. Alan Westin, Professor of Public Law at Columbia University, defined privacy as the claim of individuals, groups, and institutions to determine for themselves when, how, and to what extent information about them is communicated to others. See also Arthur R. Miller, The Assault on Privacy: Computers, Data Banks, and Dossiers, University of Michigan Press, Ann Arbor, 1971 (hereinafter cited as Miller, The Assault on Privacy, 1971). 4 The title of Westin’s seminal work Privacy and Freedom (1967) is a case in point. Indeed, as pointed out further below, “privacy” in this context has tended to be conceived essentially as a form of autonomy—that is, as one’s ability to control the flow of information about oneself. 5 Frits W. Hondius, Emerging Data Protection in Europe, North Holland Publishing, Amsterdam, 1975, p. 
6 (hereinafter cited as Hondius, Emerging Data Protection in Europe, 1975). Even in more recent times, discourse in the United States often takes up such issues before they are discussed elsewhere. For example, systematic discussion about the impact of digital rights management systems (earlier termed “electronic copyright management systems”) on privacy interests occurred first in the United States: see particularly, Julie Cohen, “A Right to Read Anonymously: A Closer Look at ‘Copyright Management’ in Cyberspace,” Conn. L. Rev. 28:981, 1996, available at http://www.law.georgetown.edu/faculty/jec/read_anonymously.pdf. Similar discussion did not occur in Europe until a couple of years later—the first instance being L.A. Bygrave and K.J. Koelman, “Privacy, Data Protection and Copyright: Their Interaction in the Context of Electronic Copyright Management Systems,” Institute for Information Law, Amsterdam, 1998; later published in P.B. Hugenholtz, ed., Copyright and Electronic Commerce, Kluwer Law International, The Hague/London/Boston, 2000, pp. 59-124. 6 See, for example, United Kingdom, Committee on Privacy (Younger Committee), Report of the Committee on Privacy, Cm. 5012, Her Majesty’s Stationery Office, London, 1972; Canada, Department of Communications and Department of Justice, Privacy and Computers: A Report of a Task Force, Information Canada, Ottawa, 1972; Australian Law Reform Commission, Privacy, Report No. 22, Australian Government Publishing Service (AGPS), Canberra, 1983; and W.L. Morison, Report on the Law of Privacy to the Standing Committee of Commonwealth and State Attorneys-General, Report No. 170/1973, AGPS, Canberra, 1973. 7 As is evident, for example, in the titles of the early Council of Europe resolutions dealing with information technology threats. See Council of Europe Resolution (73)22 on the

OCR for page 366
Engaging Privacy and Information Technology in a Digital Age not the main language, much of the same discourse has been framed, at least initially, around concepts roughly equating with or embracing the notion of privacy—for instance, “la vie privée” (French),8 “die Privatsphäre” (German),9 and “privatlivets fred” (Danish/Norwegian).10 Nevertheless, the field of law and policy that emerged from the early discussions in Europe on the privacy-related threats posed by information technology (IT) has increasingly been described using a nomenclature that avoids explicit reference to privacy or closely related terms. This nomenclature is “data protection,” deriving from the German term “Datenschutz.”11 While the nomenclature is problematic in several respects—not least because it fails to indicate the central interests served by the norms to which it is meant to apply12—it has gained broad popularity in Europe13 and to a lesser extent elsewhere.14 Its use, though, is being increasingly supplemented by the term “data privacy.”15 Arguably, the latter nomenclature is more appropriate, as it better communicates the central interest(s) at stake and provides a bridge for synthesizing North American and European policy discussions. At the same time, various countries and regions display terminological idiosyncrasies that partly reflect differing jurisprudential backgrounds for the discussions concerned. In Western Europe, the discussion has often drawn on jurisprudence developed there on legal protection of personal- Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Private Sector, adopted Sept. 26, 1973; and Council of Europe Resolution (74)29 on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Public Sector, adopted Sept. 24, 1974. 8 See, for example, G. Messadié, La fin de la vie privée, Calmann-Lévy, Paris, 1974. 
9 See, for example, the 1970 proposal by the (West) German Interparliamentary Working Committee for a “Law for the protection of privacy against misuse of database information,” described in H.P. Bull, Data Protection or the Fear of the Computer, Piper, Munich, 1984, p. 85. 10 See, for example, Denmark, Registerudvalget [Register Committee], Delbetænkning om private registre [Report on Private Data Registers], No. 687, Statens Trykningskontor, Copenhagen, 1973. 11 For more on the origins of “Datenschutz,” see Simitis, Kommentar zum Bundesdatenschutzgesetz, 2003, pp. 3-4. 12 Moreover, it tends to misleadingly connote, in U.S. circles, concern for the security of data and information or maintenance of intellectual property rights; see P.M. Schwartz and J.R. Reidenberg, Data Privacy Law: A Study of United States Data Protection, Michie Law Publishers, Charlottesville, Va., 1996, p. 5 (hereinafter cited as Schwartz and Reidenberg, Data Privacy Law, 1996). 13 See generally, Hondius, Emerging Data Protection in Europe, 1975; and Bygrave, Data Protection Law, 2002. 14 See, for example, G.L. Hughes and M. Jackson, Hughes on Data Protection in Australia, 2nd Ed., Law Book Co. Ltd., Sydney, 2001. 15 See, for example, Schwartz and Reidenberg, Data Privacy Law, 1996; and C. Kuner, European Data Privacy Law and Online Business, Oxford University Press, Oxford, 2003 (hereinafter cited as Kuner, European Data Privacy Law and Online Business, 2003).

OCR for page 366
Engaging Privacy and Information Technology in a Digital Age ity. Thus, the concepts of “Persönlichkeitsrecht” (personality right) and “Persönlichkeitschutz” (personality protection) figure centrally in German and Swiss discourse.16 Norwegian discourse revolves around the concept of “personvern” (protection of person[ality]),17 while Swedish discourse focuses on “integritetsskydd” (protection of [personal] integrity).18 By contrast, Latin American discourse in the field tends to revolve around the concept of “habeas data” (roughly meaning “you should have the data”). This concept derives from due process doctrine based on the writ of habeas corpus.19 Many of the above-mentioned concepts are prone to definitional instability. The most famous case in point relates to definitions of “privacy.” Debates in the United States over the most appropriate definitions of privacy20 have counterparts in other countries centering on similar concepts.21 Some of the non-U.S. debate concerns whether privacy as such is best characterized as a state/condition, or a claim, or a right. That issue aside, the debate reveals four principal ways of defining privacy.22 One set of definitions is in terms of noninterference,23 another in terms of limited accessibility.24 A third set of definitions conceives of privacy as informa- 16 See, for example, Germany’s Federal Data Protection Act of 1990 (Bundesdatenschutzgesetz—Gesetz zum Fortentwicklung der Datenverarbeitung und des Datenschutzes vom 20. Dezember 1990 (as amended in 2001) §1(1)), stipulating the purpose of the act as protection of the individual from interference with his/her “personality right” (Persönlichkeitsrecht); and Switzerland’s Federal Law on Data Protection of 1992 (Loi fédérale du 19. Juin 1992 sur la protection des données/Bundesgesetz vom 19. Juni 1992 über den Datenschutz), Article 1, stating the object of the act as, inter alia, “protection of personality” (Schutz der Persönlichkeit). 
17 See Bygrave, Data Protection Law, 2002, pp. 138-143 and references cited therein. 18 See Bygrave, Data Protection Law, 2002, pp. 126-129 and references cited therein. 19 See further, A. Guadamuz, “Habeas Data vs. the European Data Protection Directive,” Journal of Information, Law and Technology, 2001; and Fried, rapporteur, Organization of American States (OAS), Inter-American Juridical Committee, 2000, p. 107 et seq. 20 For overviews, see Chapter 2 of Julie C. Inness, Privacy, Intimacy, and Isolation, Oxford University Press, New York, 1992; and Chapters 2 and 3 of J. DeCew, In Pursuit of Privacy: Law, Ethics, and the Rise of Technology, Cornell University Press, Ithaca, N.Y., 1997. 21 See, e.g., En ny datalag [A New Data Law], Statens Offentlige Utredningar [State Official Reports], No. 10, pp. 150-161, 1993 (documenting difficulties experienced in Swedish data privacy discourse with respect to arriving at a precise definition of “personlig integritet”). 22 See generally Bygrave, Data Protection Law, 2002, pp. 128-129. 23 See especially Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard Law Review IV (December 15, No. 5):195, 205, 1890 (arguing that the right to privacy in Anglo-American law is part and parcel of a right “to be let alone”). 24 See, for example, R. Gavison, “Privacy and the Limits of Law,” Yale Law Journal 89:428-436, 1980, claiming that privacy is a condition of “limited accessibility” consisting of three elements: “secrecy” (“the extent to which we are known to others”), “solitude” (“the extent to which others have physical access to us”), and “anonymity” (“the extent to which we are the subject of others’ attention”).

OCR for page 366
Engaging Privacy and Information Technology in a Digital Age tion control.25 A fourth set of definitions incorporates various elements of the other three sets but links privacy exclusively to intimate or sensitive aspects of persons’ lives.26 Definitions of privacy in terms of information control tend to be most popular in discourse dealing directly with law and policy on data privacy,27 both in the United States and elsewhere. In Europe, though, the notion is not always linked directly to the privacy concept; it is either linked to related concepts, such as “personal integrity” (in the case of, e.g., Swedish discourse),28 or it stands alone. The most significant instance of the latter is the German notion of “information self-determination” (informationelle Selbstbestimmung), which in itself forms the content of a constitutional right deriving from a landmark decision in 1983 by the German Federal Constitutional Court (Bundesverfassungsgericht).29 The notion and the right to which it attaches have had considerable impact on development of data privacy law and policy in Germany30 and, to a lesser extent, other European countries. Despite the general popularity of notions of information control and information self-determination, these have usually not been viewed in terms of a person “owning” information about him-/herself, such that he/she should be entitled to, for example, royalties for the use of that information by others. Concomitantly, property rights doctrines have rarely been championed as providing a desirable basis for data privacy rules.31 The relatively few proponents of a property rights approach have 25 See, for example, Westin, Privacy and Freedom, 1967, p. 7 (“Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”). 26 See, for example, Inness, Privacy, Intimacy, and Isolation, 1992, p. 
140 (defining privacy as “the state of possessing control over a realm of intimate decisions, which includes decisions about intimate access, intimate information, and intimate actions”). 27 See generally Bygrave, Data Protection Law, 2002, p. 130, and references cited therein. 28 See, for example, En ny datalag [A New Data Law], Statens Offentlige Utredningar [State Official Reports], No. 10, p. 159, 1993 (noting that the concept of “personlig integritet” embraces information control). 29 Decision of December 15, 1983, BverfGE (Entscheidungen des Bundesverfassungsgerichts), Vol. 65, p. 1 et seq. For an English translation, see Human Rights Law Journal 5:94 et seq., 1984. 30 Cf. S. Simitis, “Auf dem Weg zu einem neuen Datenschutzkonzept,” pp. 714 ff. in Datenschutz und Datensicherheit, 2000 (detailing the slow and incomplete implementation of the principles inherent in the right). 31 Opposition to a property rights approach is expressed in, inter alia, Miller, The Assault on Privacy, 1971, p. 211 ff.; Hondius, Emerging Data Protection in Europe, 1975, pp. 103-105; S. Simitis, “Reviewing Privacy in an Information Society,” University of Pennsylvania Law Review 135:707, 718, 735-736, 1987 (hereinafter cited as Simitis, “Reviewing Privacy in an Information Society,” 1987); K. Wilson, Technologies of Control: The New Interactive Media for the Home, University of Wisconsin Press, Madison, 1988, pp. 91-94; R. Wacks, Personal Information:

OCR for page 366
Engaging Privacy and Information Technology in a Digital Age tended to come from the United States,32 although sporadic advocacy of such an approach also occurs elsewhere.33 B.2 CONCEPTUALIZATIONS OF THE VALUES SERVED BY PRIVACY In the United States, the discourse on privacy and privacy rights tends to focus only on the benefits that these have for individuals qua individuals. These benefits are typically cast in terms of securing (or helping to secure) individuality, autonomy, dignity, emotional release, self-evaluation, and interpersonal relationships of love, friendship, and trust.34 They are, in the words of Westin, largely about “achieving individual goals of self-realization.”35 The converse of this focus is that privacy and privacy rights are often seen as essentially in tension with the needs of wider “society.”36 This view carries sometimes over into claims that privacy rights can be detrimental to societal needs.37 Casting the value of privacy in strictly individualistic terms appears to be a common trait in the equivalent discourse in many other countries.38 However, the grip of this paradigm varies from country to country Privacy and the Law, Clarendon Press, Oxford, 1989, p. 49; Y. Poullet, “Data Protection Between Property and Liberties—A Civil Law Approach,” pp. 161-181 in H.W.K. Kaspersen and A. Oskamp, eds., Amongst Friends in Computers and Law: A Collection of Essays in Remembrance of Guy Vandenberghe, Kluwer Law and Taxation Publishers, Deventer/Boston, 1990; J. Litman, “Information Privacy/Information Property,” Stanford Law Review 52:1283-1313, 2000; and Bygrave, Data Protection Law, 2002, p. 121. 32 See, most notably, Westin, Privacy and Freedom, 1967, pp. 324-325; K.C. Laudon, “Markets and Privacy,” Communications of the Association for Computing Machinery 39:92-104, 1996; J. Rule and L. Hunter, “Towards Property Rights in Personal Data,” pp. 168-181 in C.J. Bennett and R. 
Grant, eds., Visions of Privacy: Policy Choices for the Digital Age, University of Toronto Press, Toronto, 1999; and L. Lessig, Code and Other Laws of Cyberspace, Basic Books, New York, 1999, pp. 159-163. 33 See, for example, P. Blume, “New Technologies and Human Rights: Data Protection, Privacy and the Information Society,” Paper No. 67, Institute of Legal Science, Section B, University of Copenhagen, 1998. 34 See generally, Bygrave, Data Protection Law, 2002, pp. 133-134 and references cited therein. 35 Westin, Privacy and Freedom, 1967, p. 39. 36 See generally, Regan, Legislating Privacy, 1995, Chapters 2 and 8 and references cited therein. 37 As exemplified in R.A. Posner, “The Right to Privacy,” Georgia Law Review 12:393-422, 1978 (criticizing privacy rights from an economic perspective); and A. Etzioni, The Limits of Privacy, Basic Books, New York, 1999 (criticizing privacy rights from a communitarian perspective). 38 See generally, C.J. Bennett and C.D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective, Ashgate, Aldershot, 2003, Chapter 1 (hereinafter cited as Bennett and Raab, The Governance of Privacy, 2003).

OCR for page 366
Engaging Privacy and Information Technology in a Digital Age and culture to culture. The variation is well exemplified when comparing the jurisprudence of the German Federal Constitutional Court with that of U.S. courts. The former emphasizes that the value of data privacy norms lies to a large degree in their ability to secure the necessary conditions for active citizen participation in public life; in other words, to secure a flourishing democracy.39 This perspective is underdeveloped in U.S. jurisprudence.40 One also finds increasing recognition in academic discourse on both sides of the Atlantic that data privacy norms are valuable not simply for individual persons but for the maintenance of societal civility, pluralism, and democracy.41 A related development is increasing academic recognition that data privacy laws serve a multiplicity of interests, which in some cases extend well beyond traditional conceptualizations of privacy.42 This insight is perhaps furthest developed in Norwegian discourse, which has elaborated relatively sophisticated models of the various interests promoted 39 See, especially, the decision of December 15, 1983, BverfGE (Entscheidungen des Bundesverfassungsgerichts), Vol. 65, p. 1 et seq. For an English translation, see Human Rights Law Journal 5:94 et seq., 1984. 40 See further, the comparative analyses in P.M. Schwartz, “The Computer in German and American Constitutional Law: Towards an American Right of Informational Self-Determination,” American Journal of Comparative Law 37:675-701, 1989; P.M. Schwartz, “Privacy and Participation: Personal Information and Public Sector Regulation in the United States,” Iowa Law Review 80:553-618, 1995; and B.R. Ruiz, Privacy in Telecommunications: A European and an American Approach, Kluwer Law International, The Hague/London/Boston, 1997. 41 See, for example, S. 
Simitis, “Auf dem Weg zu einem neuen Datenschutzrecht” [On the Road to a New Data Protection Law], Informatica e diritto 3:97-116, 1984; Simitis, “Reviewing Privacy in an Information Society,” 1987; R.C. Post, “The Social Foundations of Privacy: Community and Self in the Common Law,” California Law Review 77:957-1010, 1989; R. Gavison, “Too Early for a Requiem: Warren and Brandeis Were Right on Privacy vs. Free Speech,” South Carolina Law Review 43:437-471, 1992; Regan, Legislating Privacy, 1995; B.R. Ruiz, Privacy in Telecommunications: A European and an American Law Approach, Kluwer Law International, The Hague/London/New York, 1997); P.M. Schwartz, “Privacy and Democracy in Cyberspace,” Vanderbilt Law Review 52:1609-1702, 1999; Bygrave, Data Protection Law, 2002; and Bennett and Raab, The Governance of Privacy, 2003. 42 See, for example, O. Mallmann, Zielfunktionen des Datenschutzes: Schutz der Privatsphäre, korrekte Information; mit einer Studie zum Datenschutz im Bereich von Kreditinformationssystemen [Goal Functions of Data Protection: Protection of Privacy, Correct Information; with a Study of Data Protection in the Area of Credit Information Systems], Alfred Metzner Verlag, Frankfurt am Main, 1977; H. Burkert, “Data-Protection Legislation and the Modernization of Public Administration,” International Review of Administrative Sciences 62:557-567, 1996; L.A. Bygrave, “Where Have All the Judges Gone? Reflections on Judicial Involvement in Developing Data Protection Law,” pp. 113-125 in P. Wahlgren, ed., IT och juristutbildning, Nordisk årsbok i rättsinformatik, 2000, Jure AB Stockholm, 2001; also published in Privacy Law and Policy Reporter 7:11-14, 33-36, 2000; and Bygrave, Data Protection Law, 2002, Chapter 7.

OCR for page 366
Engaging Privacy and Information Technology in a Digital Age by data privacy laws.43 These interests include ensuring adequate quality of personal information, “citizen-friendly” administration, proportionality of control, and rule of law. In Norway, the insight that data-privacy laws are concerned with more than safeguarding privacy extends beyond the academic community and into regulatory bodies. Indeed, Norway’s principal legislation on data privacy contains an objects clause specifically referring to the need for “adequate quality of personal information” (tilstrekkelig kvalitet på personopplysninger) in addition to the needs for privacy and personal integrity.44 The equivalent laws of some other European countries also contain objects clauses embracing more than privacy. The broadest—if not boldest—expression of aims is found in the French legislation: “Data processing shall be at the service of every citizen. It shall develop in the context of international co-operation. It shall infringe neither human identity, nor the rights of man, nor privacy, nor individual or public liberties.”45 Also noteworthy is the express concern in the data privacy legislation of several German Länder for maintaining state order based on the principle of separation of powers, and, concomitantly, for ensuring so-called information equilibrium (Informationsgleichgewicht) between the legislature and other state organs. This “equilibrium” refers principally to a situation in which the legislature is able to get access to information (personal and/or nonpersonal) that is available to the executive.46 At the same time, however, considerable uncertainty still seems to reign in many countries about exactly which interests and values are promoted by data privacy laws. This is reflected partly in academic discourse,47 partly in the absence in some laws of objects clauses formally 43 See generally, Bygrave, Data Protection Law, 2002, p. 137 et seq. and references cited therein. 
44 See Norway’s Personal Data Act of 2000 (Lov om behandling av personopplysninger av 14. april 2000 nr. 31), §1(2). 45 See France’s Act Regarding Data Processing, Files and Individual Liberties of 1978 (Loi no. 78-17 du 6. janvier 1978 relative à l’informatique, aux fichiers et aux libertés), §1. 46 See further, Bygrave, Data Protection Law, 2002, p. 39; S. Simitis, ed., Kommentar zum Bundesdatenschutzgesetz [Commentary on the Federal Data Protection Act] 5th ed., Nomos Verlagsgesellschaft, Baden-Baden, 2003, p. 11. 47 See, for example, D. Korff, “Study on the Protection of the Rights and Interests of Legal Persons with Regard to the Processing of Personal Data Relating to Such Persons,” final report to E.C. Commission, October 1998, available at http://europa.eu.int/comm/internal_market/en/dataprot/studies/legalen.htm (accessed Oct. 10, 2003), p. 42 (“[t]here is a lack of clarity, of focus, over the very nature, aims and objects of data protection in the [European Union] Member States which is, not surprisingly, reflected in the international data protection instruments”); and B.W. Napier, “International Data Protection Standards and British Experience,” Informatica e diritto, Nos. 1-2, pp. 83-100, 1992, p. 85, hereinafter cited as Napier, “International Data Protection Standards and British Experience,” 1992) (claiming that, in Britain, “the conceptual basis for data protection laws remains unclear”).

OCR for page 366
Engaging Privacy and Information Technology in a Digital Age specifying particular interests or values that the legislation is intended to serve,48 and partly in the vague way in which existing objects clauses are often formulated.49 B.3 SOCIETAL AND CULTURAL SUPPORT FOR PRIVACY: A COMPARISON This section addresses the issue of whether some nations and cultures are more supportive of privacy than others are. It also addresses the factors that might contribute to such differences. Making accurate comparisons of the degree to which given countries or cultures respect privacy is fraught with difficulty,50 which is partly due to the paucity of systematically collected empirical data51 and partly to the fact that concern for privacy within each country or culture is often uneven. In the United Kingdom (U.K.), for example, proposals to introduce multipurpose personal identification number (PIN) schemes similar to those in Scandinavia52 have generally been treated with a great deal of antipathy, yet video surveillance of public places in the United Kingdom53 seems to be considerably more extensive than that in Scandinavian countries. 48 See, for example, the U.K. Data Protection Act of 1998 and Denmark’s Personal Data Act of 2000 (Lov nr. 429 af 31. maj 2000 om behandling af personoplysninger). 49 See, for example, Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (European Treaty Series No. 108; adopted January 28, 1981), Article 1 (specifying goals as protection of “rights and fundamental freedoms, and in particular … right to privacy”). 50 This difficulty obviously carries over into comparative assessment of various countries’ legal regimes for privacy protection. See, for example, C.D. Raab and C.J. Bennett, “Taking the Measure of Privacy: Can Data Protection Be Evaluated?” International Review of Administrative Sciences 62:535-556, 1996. 
Equally problematic is the accurate comparison of privacy levels across historical periods. Yet another issue, over which relatively little has been written, concerns discrepancies between various classes of persons within a given society in terms of the respective levels of privacy that they typically enjoy. For further discussion, see generally, Bennett and Raab, The Governance of Privacy, 2003, Chapter 2. 51 As Bennett and Raab (The Governance of Privacy, 2003, p. 15) remark, “[U]nfortunately, we have little systematic cross-national survey evidence about attitudes to privacy with which to investigate the nature and influence of wider cultural attributes. Much of th[e] argumentation tends, therefore, to invoke anecdotes or cultural stereotypes: ‘the Englishman’s home is his castle,’ and so on.” 52 Further on the Scandinavian PIN schemes, see, for example, A.S. Lunde, J. Huebner, S. Lettenstrom, S. Lundeborg, and L. Thygesen, The Person-Number Systems of Sweden, Norway, Denmark and Israel, U.S. Department of Health and Human Services, Vital and Health Statistics, Series 2, No. 84, DHHS Publication No. (PHS) 80-1358, 1980; also available at http://www.cdc.gov/nchs/data/series/sr_02/sr02_084.pdf (accessed Oct. 4, 2003). 53 For more on this surveillance, see, for example, S. Davies, “Surveillance on the Streets,” Privacy Law and Policy Reporter 2:24-26, 1995; Der Spiegel, July 5, 1999, pp. 122-124; and A.

OCR for page 366
It is clear that levels of privacy across nations and cultures and across broad historical periods are in constant flux. Moreover, the ways in which human beings create, safeguard, and enhance their respective states of privacy and the extent to which they exhibit a desire for privacy vary from culture to culture according to a complex array of factors.54 At the same time, the desire for some level of privacy appears to be a panhuman trait. Even in societies in which apparently little opportunity exists for physical or spatial solitude, human beings seem to adopt various strategies for cultivating other forms of social distance.55

To the extent that a panhuman need for privacy exists, it appears to be rooted not so much in physiological or biological as in social factors. According to Moore, the need for privacy is, in essence, socially created. Moore’s seminal study indicates that an extensive, highly developed concern for privacy is only possible in a relatively complex society with a strongly felt division between a domestic private realm and public sphere—“privacy is minimal where technology and social organization are minimal.”56

However, technological and organizational factors are not the sole determinants of privacy levels. Also determinative are ideological factors. Central among these are attitudes to the value of private life,57 attitudes to the worth of persons as individuals,58 and sensitivity to human beings’ non-economic and emotional needs.59 Concern for privacy tends to be high in societies espousing liberal ideals, particularly those of Mill, Locke, Constant, and Madison. As Lukes notes, privacy in the sense of a “sphere of thought and action that should be free from ‘public’ interference” constitutes “perhaps the central idea of liberalism.”60

The liberal affection for privacy is amply demonstrated in the development of legal regimes for privacy protection. These regimes are most comprehensive in Western liberal democracies. By contrast, such regimes are underdeveloped in most African and Asian nations. It is tempting to view this situation as symptomatic of a propensity in African and Asian cultures to place primary value on securing the interests and loyalties of the group at the expense of the individual. However, care must be taken not to pigeonhole countries and cultures in static categories, and provision for privacy rights is increasingly on the legislative agenda of some African and Asian countries.

It is also important to note that the United States—often portrayed as the citadel of liberal ideals—has not seen fit to protect privacy as extensively as some other nations have, notably Canada and the member states of the European Union (E.U.). Consider, for example, the absence of comprehensive legislation on data privacy regulating the U.S. private sector and the lack of an independent agency (a data protection authority or a privacy commissioner) to specifically oversee the regulation of data privacy matters.61 Thus, within the Western liberal democratic “camp,”

Webb, “Spy Cameras vs. Villains in Britain,” United Press International, March 8, 2002, available at http://www.upi.com/view.cfm?StoryID=08032002-020813-4448r (accessed Nov. 6, 2003).

54 See further, B. Moore, Privacy: Studies in Social and Cultural History, M.E. Sharpe, Publishers, Armonk, N.Y., 1984 (hereinafter cited as Moore, Privacy, 1984); J.M. Roberts and T. Gregor, “Privacy: A Cultural View,” pp. 199-225 in J.R. Pennock and J.W. Chapman, eds., Privacy: Nomos XIII, Atherton Press, New York, 1971; I. Altman, “Privacy Regulation: Culturally Universal or Culturally Specific?,” Journal of Social Issues 33:66-84, 1977; Westin, Privacy and Freedom, 1967; and Flaherty, Privacy in Colonial New England, University Press of Virginia, Charlottesville, 1972 (hereinafter cited as Flaherty, Privacy in Colonial New England, 1972).

55 See, for example, Moore’s study (Privacy, 1984) of the Siriono Indians in Bolivia; Flaherty’s study (Privacy in Colonial New England, 1972) of colonial society in New England; and R. Lunheim and G. Sindre, “Privacy and Computing: A Cultural Perspective,” pp. 25-40 in R. Sizer, L. Yngström, H. Kaspersen, and S. Fischer-Hübner, eds., Security and Control of Information Technology in Society, North-Holland, Amsterdam, 1993, a study of a village society in Rajasthan, North-West India (hereinafter cited as Lunheim and Sindre, “Privacy and Computing,” 1993).

56 Moore, Privacy, 1984, p. 276. Cf., inter alia, Lunheim and Sindre, “Privacy and Computing,” 1993, p. 28 (“privacy is a cultural construct encountered in virtually every society of some economic complexity”); Raes, 1989, p. 78 (noting that privacy today “is as much a result of modern technology as technology is a threat to the private lives of citizens”). For a particularly incisive sociological analysis of historical changes in levels and types of privacy, see Shils, 1975, Chapter 18.

57 See, for example, H. Arendt, The Human Condition, University of Chicago Press, 1958, p. 38 (noting that, in ancient Athenian culture, the private sphere was often regarded as a domain of “privation”). See also Moore, Privacy, 1984, p. 120 et seq. Moore, however, discerns growing enthusiasm and respect for private life among Athenians over the course of the 4th century B.C.; see Moore, Privacy, pp. 128-133.

58 See, for example, M. Ethan Katsh, The Electronic Media and the Transformation of the Law, Oxford University Press, New York, 1989, p. 192 (“Part of the reason there was less privacy and less concern with privacy in earlier times is that the individual, the principal beneficiary of a right to privacy, did not have the same status in the ancient world as in the modern era”). See further, F.D. Schoeman, Privacy and Social Freedom, Cambridge University Press, Cambridge, 1992, Chapters 6 and 7 (describing factors behind the emergence of individualism and a concomitant concern for privacy in Western societies).

59 See, for example, S. Strömholm, Right of Privacy and Rights of the Personality: A Comparative Survey, P.A. Norstedt and Söners Förlag, Stockholm, 1967, pp. 19-20 (viewing the development of legal rights to privacy as part and parcel of a “humanization” of Western law; i.e., a trend toward greater legal sensitivity to the nonpecuniary interests of human beings).

60 Lukes, 1973, p. 62. Cf. Bennett and Raab, The Governance of Privacy, 2003, pp. 22-23 (“the political theory of privacy, in both the US and Europe, has largely operated within a liberal paradigm”).

61 See also Section B.4.2. For more on the differences between U.S. and European regulatory approaches in the data privacy field, see, for example, A. Charlesworth, “Clash of the Data Titans? US and EU Data Privacy Regulation,” European Public Law 6(2):253-274, 2000; J.R. Reidenberg, “Resolving Conflicting International Data Privacy Rules in Cyberspace,” Stanford Law Review 52:1315-1371, 2000; J.B. Ritter, B.S. Hayes, and H.L. Judy, “Emerging

many of the APEC states to forge their own approach to data privacy without necessarily conforming to European norms. This approach would appear to foster data privacy regimes less because of concern to protect basic human rights than over concern to engender consumer confidence in business.129

B.4.2 National Instruments

Well over 30 countries have enacted data privacy laws, and their number is growing steadily.130 Most of these countries are European. Indeed, Europe is home to the oldest, most comprehensive, and most bureaucratically cumbersome data privacy laws at both national and provincial levels. Moreover, as shown above, Europe—through its supranational institutions—is also a springboard for the most ambitious and extensive international initiatives in the field.

Common points of departure for national data privacy regimes in Europe are as follows:

• Coverage of both public and private sectors;
• Coverage of both automated and manual systems for processing personal data, largely irrespective of how the data are structured;
• Application of broad definitions of “personal data”;
• Application of extensive sets of procedural principles, some of which are rarely found in data privacy regimes elsewhere;131
• More stringent regulation of certain categories of sensitive data (e.g., data relating to philosophical beliefs, sexual preferences, ethnic origins);
• Restrictions on the transborder flow of personal data;
• Establishment of independent data privacy agencies with broad discretionary powers to oversee the implementation and development of data privacy rules;
• Channeling of privacy complaints to these agencies rather than to the courts;
• Extensive subjection of data processing to the notification and/or licensing requirements administered by the data privacy agencies;
• Extensive use of “opt-in” requirements for valid consent by data subjects; and
• Little use of industry-developed codes of practice.132

The majority of these characteristics were originally typical for data privacy laws in West European countries. Owing largely to the E.U. Directive, they are now also typical for the laws of most East European countries. Nevertheless, it is important to note that each country has its own unique mix of rules;133 concomitantly, a good deal of variation exists in the degree to which each country shares the above-listed traits.134 For example, the Netherlands has always made relatively extensive use of

ciples Version 2: Not Quite So Lite, and NZ Wants OECD Full Strength,” Privacy Law and Policy Reporter 10:45-48, 2003 (noting that more recent drafts of the principles have been strengthened, though certainly not to the level of the E.U. Directive).

129 See R. Tang, “Personal Data Privacy: The Asian Agenda,” speech given at 25th International Conference of Data Protection and Privacy Commissioners, Sydney, Sept. 10, 2003; available at http://www.privacyconference2003.org/program.asp#psa (accessed Oct. 10, 2003).

130 See generally, Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, Electronic Privacy Information Center and Privacy International, Washington, D.C., 2003, which gives a fairly up-to-date overview of the state of data privacy regimes in more than 50 countries. A complementary, though less comprehensive, overview is given in M. Henry, ed., International Privacy, Publicity and Personality Laws, Butterworths, London, 2001.

131 An example of a principle that is unique to European laws concerns fully automated profiling. The principle is that fully automated assessments of a person’s character should not form the sole basis of decisions that impinge on the person’s interests. The principle is embodied in Article 15 of the E.U. Directive: see further, Bygrave, Data Protection Law, 2002, pp. 319-328.

132 See further, for example, Bygrave, Data Protection Law, 2002, especially Chapters 2 through 4, and Kuner, European Data Privacy Law and Online Business, 2003. For older accounts, see, for example, Hondius, Emerging Data Protection in Europe, 1975; and H. Burkert, “Institutions of Data Protection—An Attempt at a Functional Explanation of European National Data Protection Laws,” Computer/Law Journal 3:167-188, 1981-1982.

133 For in-depth treatment of, e.g., U.K. law, see R. Jay and A. Hamilton, Data Protection: Law and Practice, Sweet and Maxwell, London, 2003; of German law, see S. Simitis, Kommentar zum Bundesdatenschutzgesetz [Commentary on the Alliance Data Protection Law], 2003; of Italian law, see G. Buttarelli, Banche dati e tutela della riservatezza: La privacy nella Società dell’Informazione [Data Banks and the Protection of Confidentiality: The Privacy of Information in Society], Giuffrè Editore, Milan, 1997; of Swiss law, see U. Maurer and N.P. Vogt., eds., Kommentar zum Schweizerischen Datenschutzgesetz [Commentary on the Swiss Data Protection Act], Helbing and Lichtenhahn, Basel/Frankfurt am Main, 1995. For overviews of the data privacy laws of Denmark, Finland, Norway, and Sweden, see P. Blume, ed., Nordic Data Protection, DJØF Publishing, Copenhagen, 2001. Otherwise, see the more detailed analyses of Danish law in P. Blume, Personoplysningsloven [The Personal Data Act], Greens§Jura, Denmark, 2000; and K.K. Nielsen and H. Waaben, Lov om behandling af personoplysninger—med kommentarer [Act on Processing of Personal Data—with Commentary], Jurist- og Økonomforbundets Forlag, Copenhagen, 2001; of Norwegian law in M. Wiik Johansen, K.-B. Kaspersen, and Å.M. Bergseng Skullerud, Personopplysningsloven. Kommentarutgave [Personal Data Act. Commentary Edition], Universitetsforlaget, Oslo, 2001; of Swedish law in S. Öman and H.-O. Lindblom, Personuppgiftslagen: En kommentar [Personal Data Act: A Commentary], Norstedts Juridik, Stockholm, 2001. English translations of the principal data privacy laws of all current E.U. member states are collated in S. Simitis, U. Dammann, and M. Körner, eds., Data Protection in the European Community: The Statutory Provisions, Nomos Verlagsgesellschaft, Baden-Baden, 1992 (looseleaf, continually updated).

134 See further, Korff, 2002.

industry-based codes of practice, and the E.U. Directive itself encourages greater use of such codes (see E.U. Directive, Article 27). Moreover, data privacy regimes in each country are far from static. For example, Swedish legislation originally operated with relatively extensive licensing and notification requirements; now it has dispensed entirely with a licensing scheme and cut back notification requirements to a minimum. There is movement too at a broader European level. For instance, while West European data privacy regimes have traditionally relied heavily on paternalistic control mechanisms,135 they now show greater readiness to rely more on citizen action, supplemented by greater readiness to embrace market mechanisms for the regulation of data processing. This notwithstanding, European jurisdictions (in contrast to, say, the United States) generally still maintain a relatively non-negotiable legislative baseline for the private sector.

Across the Atlantic, Canada comes closest of the North American countries to embracing the European approach. There is now federal legislation in place in Canada to ensure the comprehensive protection of data privacy in relation to both the public and private sectors.136 Some Canadian provinces have already enacted data privacy legislation in relation to provincial and local government agencies and/or the private sector.137 Data privacy agencies exist at both federal and provincial levels. The Commission of the European Communities (hereinafter termed “European Commission”) has formally ruled that, in general, Canada offers “adequate” protection for data privacy pursuant to Article 25 of the E.U. Directive.138

By contrast, the U.S. legal regime for data privacy is much more atomized. While there is fairly comprehensive legislation dealing with federal government agencies,139 omnibus legislative solutions are eschewed with respect to the private sector. Legal protection of data privacy in relation

135 That is, control exercised by government bodies (primarily data privacy agencies) on behalf and supposedly in the best interests of citizens (data subjects).

136 See Privacy Act of 1982; Personal Information Protection and Electronic Documents Act of 2000.

137 See, for example, Quebec’s Act on Protection of Personal Information in the Private Sector of 1993.

138 Decision 2002/2/EC of 20.12.2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (O.J. L 2, Jan. 4, 2002, p. 13 et seq.).

139 Most notably the Privacy Act of 1974 (P.L. 93-579) and the Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503). Note also the limited protection of data privacy afforded under the Constitution as construed by the Supreme Court: see especially Whalen v. Roe, 429 U.S. 589 (1977). See further, for instance, Schwartz and Reidenberg, Data Privacy Law, 1996, Chapter 4.

to the latter takes the form of ad hoc, narrowly circumscribed, sector-specific legislation, combined with recourse to litigation based on the tort of invasion-of-privacy and/or breach-of-trade-practices legislation.140 European-style data privacy agencies do not exist in the United States. At the same time, however, a “safe harbor” agreement has been concluded between the United States and the European Union allowing for the flow of personal data from the European Union to U.S.-based companies that voluntarily agree to abide by a set of “fair information” principles based loosely on the E.U. Directive. The scheme, which so far has attracted approximately 400 companies,141 has been held by the European Commission to satisfy the E.U. Directive’s adequacy test in Article 25.142

In South America, Argentina has come the farthest in developing a comprehensive legal regime for data privacy. It enacted legislation in 2000143 modeled on the E.U. Directive and equivalent Spanish legislation and formally based on the right of habeas data provided in its Constitution (Article 43).144 The European Commission has formally ruled that Argentina satisfies the adequacy criterion of the E.U. Directive.145 Other South American countries, such as Brazil and Chile, also provide constitutional protections for privacy rights and habeas data, but otherwise their legislation on data privacy is relatively scant. They lack also data privacy agencies.146

In the Asia-Pacific region, there exist a handful of relatively comprehensive legislative regimes on data privacy—most notably those in

140 See generally, the overview in Schwartz and Reidenberg, Data Privacy Law, 1996, especially Chapters 9 through 14.

141 See http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (accessed Nov. 6, 2003).

142 Decision 2000/520/EC of July 26, 2000, pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the U.S. Department of Commerce (O.J. L 215, Aug. 25, 2000, p. 7 et seq.).

143 Law for the Protection of Personal Data of 2000.

144 See further Electronic Privacy Information Center and Privacy International, Privacy and Human Rights, 2003, pp. 132-139 (hereinafter cited as Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, 2003). The right of habeas data is, in general, designed to protect the image, privacy, honor, information self-determination, and freedom of information of a person. Enforcement of the right is provided by granting an individual the right to petition a court to find out what information is being held or to request the correction, updating, or destruction of the personal information being held.

145 Decision C (2003) 1731 of June 30, 2003, pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina (O.J. L 168, July 5, 2003).

146 See further, Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, 2003, pp. 167-171, 195-197.

Australia, New Zealand, Hong Kong, Korea, and Japan.147 Most of these jurisdictions—but not Japan—have also established data privacy agencies. New Zealand has been the fastest and perhaps most ambitious of these jurisdictions in the data privacy field; it was the first to enact data privacy legislation spanning the public and private sectors.148 Australian, Korean, and Japanese legislation in the field was initially limited largely to regulating the data-processing activities of government agencies,149 but it has recently been extended to cover the private sector as well.150 However, some of these extensions still leave large gaps in private sector coverage.151 Other aspects of the laws in question also diverge from the E.U. model(s).152 Not surprisingly, none of the countries concerned has yet been formally recognized by the European Commission as offering adequate protection pursuant to the E.U. Directive.

Data privacy regimes in other Asia-Pacific jurisdictions tend to be rather patchy in coverage and enforcement levels. Thailand, for instance,

147 Further on Australian law, see, e.g., G.L. Hughes and M. Jackson, Hughes on Data Protection in Australia, 2001; on New Zealand law, see E. Longworth and T. McBride, The Privacy Act: A Guide, GP Publications, Wellington, 1994 (hereinafter cited as Longworth and McBride, The Privacy Act, 1994); and P. Roth, Privacy Law and Practice, Butterworths/LexisNexis, Wellington, 1994 (looseleaf, regularly updated) (hereinafter cited as Roth, Privacy Law and Practice, 1994); on Hong Kong law, see M. Berthold and R. Wacks, Hong Kong Data Privacy Law: Territorial Regulation in a Borderless World, 2nd Edition, Sweet and Maxwell, Asia, 2003; on Korean law, see C.B. Yi and K.J. Ok, “Korea’s Personal Information Protection Laws,” Privacy Law and Policy Reporter 9:172-179, 2003; and H.-B. Chung, “Anti-Spam Regulations in Korea,” Privacy Law and Policy Reporter 10:15-19, 2003; on Japanese law, see D. Case and Y. Ogiwara, “Japan’s New Personal Information Protection Law,” Privacy Law and Policy Reporter 10:77-79, 2003.

148 See Privacy Act of 1993. Further on the act, see Longworth and McBride, The Privacy Act, 1994; and Roth, Privacy Law and Practice, 1994.

149 For Australia, see Privacy Act of 1988; for Japan, see Act for Protection of Computer-Processed Personal Data Held by Administrative Organs of 1988; for Korea, see Act on Protection of Personal Information Maintained by Public Agencies of 1994.

150 For Australia, see Privacy Amendment (Private Sector) Act of 2000; for Japan, see Privacy Law of 2003; for Korea, see Act on Promotion of Information and Communications Network Utilization and Information Protection … of 1999. Note, too, that several of the Australian states have enacted data privacy laws covering their respective government agencies and, to a lesser extent, the health sector. See, for example, Victoria’s Information Privacy Act of 2000 and Health Records Act of 2001.

151 For example, with a few exceptions, the Australian legislation does not apply to “small business operators,” that is, businesses with an annual turnover of AUD$3 million or less (see federal Privacy Act, Sections 6C1, 6D, 6DA, and 6E). Another major gap is that the legislation does not cover the processing of data by employers about their present and past employees (as long as the processing is directly related to the employment relationship) (Section 7B(3)).

152 The Japanese laws, for example, do not formally operate with a distinction between sensitive and nonsensitive data, and they make relatively extensive use of “opt-out” consent mechanisms.

has inserted data privacy rules covering the government sector in legislation dealing primarily with freedom of government information.153 Singapore has so far decided to establish a data privacy regime based on voluntary, self-regulatory schemes that are linked with its national trust mark program.154 The primary catalyst for the schemes seems to be commercial concerns.155 The People’s Republic of China lacks any credible data privacy regime. Some legal rules have been adopted that potentially provide indirect protection for data privacy,156 but their operational potential is rendered nugatory by a political culture that traditionally shows scant respect for personal privacy.157 Moreover, there is little, if any, sign that China is ready to adopt more effective data privacy rules in order to meet E.U. adequacy standards. By contrast, India is reported to be considering the enactment of a data privacy law modeled on the E.U. Directive largely owing to a fear that its burgeoning outsourcing industry will flounder without such legislation in place.158

Legal regimes for data privacy are least developed in the African countries, taken as a whole. As noted above, the African Charter on Human and People’s Rights of 1981 omits mentioning a right to privacy in its catalog of basic human rights. Moreover, none of the African countries has enacted comprehensive data privacy laws. Nevertheless, some countries display increasing interest in legislating on data privacy. This interest is partly due to the obligations imposed by ICCPR Article 17. It is also probably due partly to a desire to meet the adequacy requirements of E.U. Directive Articles 25 and 26. In some cases, stimulus is also provided by recent firsthand experience of mass oppression.

The Republic of South Africa has come farthest along the path to establishing a comprehensive legal regime on data privacy. Express provision for a right to privacy is made in Section 14 of the South African Bill of Rights set out in Chapter 2 of its Constitution of 1996. Also included (in Section 32) is a broad right of access to information held in both the public and private sectors. Freedom-of-information legislation

153 See Official Information Act of 1997, described in C. Opassiriwit, “Thailand: A Case Study in the Interrelationship Between Freedom of Information and Privacy,” Privacy Law and Policy Reporter 9:91-95, 2002.

154 See Model Data Protection Code for the Private Sector of 2002; Industry Content Code of 2002.

155 For criticism of the schemes, see G. Greenleaf, “Singapore Takes the Softest Privacy Options,” Privacy Law and Policy Reporter 8:169-173, 2002.

156 See further, Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, 2003, pp. 197-200.

157 Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, 2003, pp. 200-210.

158 See A. Pedersen, “India Plans EU-Style Data Law,” Privacy Laws and Business, May/June, No. 68, pp. 1, 3, 2003.

based on the latter right was enacted in 2002,159 and work is proceeding on a bill for separate data privacy legislation.160 Kenya is also drafting a new constitution containing rights similar to those in the South African Constitution.161

B.4.3 Relative Impact of Regulatory Regimes

A comparative evaluation of the impact of the various regulatory regimes canvassed above is both complex and beset by numerous potential pitfalls. The complexity of the task arises partly from the multiple facets of impact measurement: impact needs to be evaluated in terms of economy (i.e., the cost of setting up the regime), efficiency (i.e., the cost of the regime measured against its practical results), effectiveness (i.e., the extent to which the practical results of the regime fulfill its ultimate aims), and equity (i.e., the extent to which the regime extends protection equitably across social groups).162

Further complicating matters is that each country’s data privacy regime consists of more than formal legal rules. While the latter, together with formal oversight mechanisms, are important constituents of a data privacy regime, they are supplemented by a complex array of other instruments and institutions—information systems, industry codes, standards, and so on—that concurrently influence the practical impact of the legal rules. The functioning of a data privacy regime (including, of course, the extent to which “law in books” equates with “law in practice”) will also be shaped by a myriad of relatively informal customs and attitudes that prevail in the country concerned—for example, the extent to which the country’s administrative and corporate cultures are imbued with a respect for authority or respect for “fair information” principles.163 It goes without saying that many of these factors can be easily overlooked or misconstrued. Their existence means, for instance, that it cannot be assumed that a data privacy agency with strong formal powers will necessarily have

159 See I. Currie and J. Klaaren, The Promotion of Access to Information Act Commentary, Siber Ink, South Africa, 2002, pp. 11, 18 (hereinafter cited as Currie and Klaaren, The Promotion of Access to Information Act, 2002). A unique feature of the legislation is that it provides, as a point of departure, for freedom-of-information rights not just in relation to information held by government agencies but also information held in the private sector.

160 See Currie and Klaaren, The Promotion of Access to Information Act, 2002. See also Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, 2003, p. 450.

161 See Sections 14 (right of privacy) and 47 (rights of information access and rectification) of the Draft Bill for the Constitution of the Republic of Kenya (version of Sept. 27, 2002).

162 This classification of criteria is based on Bennett and Raab, The Governance of Privacy, 2003, p. 193 et seq.

163 See generally, Flaherty, Protecting Privacy in Surveillance Societies, 1989.

greater success in fulfilling its objectives than that achieved by an agency with weaker formal powers.164 Yet another complicating element is that the regulatory approach of many data privacy agencies can obscure their positive achievements. Agencies frequently prefer to resolve conflict in a relatively quiet way, through “backroom” negotiation rather than by publicly striking out with the threatened use of punitive sanctions.165 Further, agencies are often equally concerned, if not more so, about curbing an unrealized potential for privacy-invasive activity as about providing a remedy after such activity occurs. Measuring the impact of anticipatory forms of control can be more difficult than for reactive, ex post facto control forms.166

These problems notwithstanding, a large degree of consensus exists among experts in the field regarding the relative strengths of certain data privacy regimes. Part of this consensus is a view that the U.S. data privacy regime is weaker in fundamental respects than the equivalent regimes in many other countries, particularly those in Europe, which have had some influence in restricting certain data-processing practices and raising awareness of the importance of privacy safeguards.167 For example, one conclusion of a comparative study of the data privacy regimes of Germany, the United Kingdom, Sweden, Canada, and the United States is that “the United States carries out data protection differently than other countries, and on the whole does it less well.”168 The major reasons for this finding are the lack of a U.S. federal data privacy agency, together with the paucity of comprehensive data privacy legislation covering the U.S. private sector. While the finding stems from the late 1980s, it is still pertinent and is supported by more recent analyses.169 A basic premise of all these analyses is that the gaps in the U.S. regime are not adequately

164 Again, see Flaherty, Protecting Privacy in Surveillance Societies, 1989. Note particularly Flaherty’s finding that the German Federal Data Protection Commissioner (Bundesdatenschutzbeauftragter)—which has only advisory powers—had, at least up until the late 1980s, a more profound impact on the federal public sector in (West) Germany than Sweden’s Data Inspection Board (Datainspektionen)—which can issue legally binding orders—had on the Swedish public sector (Flaherty, Protecting Privacy in Surveillance Societies, 1989, p. 26).

165 Flaherty, Protecting Privacy in Surveillance Societies, 1989.

166 For further discussion on the difficulties of comparative assessment of data privacy regimes, see Bennett and Raab, The Governance of Privacy, 2003, Chapter 9; C.D. Raab and C.J. Bennett, “Taking the Measure of Privacy: Can Data Protection Be Evaluated?,” International Review of Administrative Sciences 62:535-56, 1996.

167 See, for example, Bygrave, Data Protection Law, 2002, Chapter 18 and examples cited therein; see also Flaherty, Protecting Privacy in Surveillance Societies, 1989, particularly Part 1.

168 Flaherty, Protecting Privacy in Surveillance Societies, 1989, p. 305.

169 The most extensive being Schwartz and Reidenberg, Data Privacy Law, 1996—see especially their conclusions at pp. 379-396.

filled by other measures, such as industry self-regulation and recourse to the courts.170

By contrast, the German data privacy regime is often viewed as one of the most successful.171 It has a comprehensive, well-established legislative platform with a firm constitutional footing. One such feature is a legal requirement that organizations appoint internal privacy officers.172 Another such feature is the regime’s extensive encouragement of “systemic data protection” (Systemdatenschutz): that is, integration of data privacy concerns in the design and development of information systems architecture.173 German privacy legislation is backed up by comparatively effective oversight and enforcement mechanisms. The effectiveness of these mechanisms appears to be the result of a combination of factors, most notably the seriousness with which Germans generally take data privacy issues; the relatively conformist, legalistic nature of German administrative and corporate cultures; and the strong, persuasive personalities of the individuals who have been appointed data privacy commissioners, together with the considerable talents of their staff.174

All this said, the data privacy regime in Germany does have weak points. One weakness is the Federal Data Protection Commissioner’s lack of authority to issue legally binding orders—a feature that is arguably at odds with the thrust of Directive 95/46/EC. Another, more significant, weakness is the sheer mass of rules on data privacy; the regulatory framework is so dense as to be confusing, nontransparent, and unwieldy.175 These weaknesses mean that, despite its relative success, the German regime still falls short of meeting its policy objectives.

Data privacy regimes in most other, if not all, jurisdictions display a

170 See, for example, D.A. Anderson, “The Failure of American Privacy Law,” pp. 139-167 in B.S. Markesinis, ed., Protecting Privacy, Oxford University Press, Oxford, 1999.

171 See, e.g., Flaherty, Protecting Privacy in Surveillance Societies, 1989, especially pp. 21-22.

172 See Federal Data Protection Act, Sections 4f-4g.

173 See particularly, Federal Data Protection Act, Sections 3a, 9; Federal Teleservices Data Protection Act of 1997 (Gesetz über den Datenschutz bei Telediensten vom 22. juli 1997) (as amended in 2001). For further discussion, see Bygrave, Data Protection Law, 2002, particularly pp. 346, 371.

174 See generally, Flaherty, Protecting Privacy in Surveillance Societies, 1989, Part 1.

175 See generally, A. Rossnagel, A. Pfitzmann, and H. Garstka, Modernisierung des Datenschutzrechts [Modernization of Data Protection Law], report for the German Federal Ministry of the Interior (Bundesministerium des Innern), September 2001, available at http://www.bmi.bund.de/downloadde/11659/Download.pdf (accessed Aug. 20, 2003). See also, e.g., S. Simitis, “Das Volkzählungsurteil oder der lange Weg zur Informationsaskese—(BVerfGE 65, 1)” [The Census Judgment or the Long Road to Information Asceticism], Kritische Vierteljahresschrift für Gesetzgebung und Rechtswissenschaft 83:359-375, 2000 (highlighting gaps between legal principle and practice in the data privacy field).

similar shortfall. European regimes in general are a case in point. There is sporadic evidence that many of these do not outperform the U.S. regime in all respects even if they are, on paper at least, far more comprehensive and stringent than their U.S. counterpart.176 More significantly, the European Commission has recently found that while the E.U. Directive (95/46/EC) has created a “high level” of data privacy in Europe, implementation of the directive is afflicted by major problems. Not only has national transposition of the directive often been slow,177 there appear to be—even after transposition—low levels of enforcement, compliance, and awareness with respect to the national regimes. Data privacy agencies in Europe are found, in general, to be underresourced, leading in turn to the underresourcing of enforcement efforts. Concomitantly, the commission finds that compliance by data controllers is “very patchy,” while data subjects apparently have “low” awareness of their data-protection rights. Moreover, there remain differences between the various national laws that run counter to the harmonizing objective of the E.U. Directive.178 Particularly problematic from an international perspective is that E.U. member states’ respective implementation of Articles 25 and 26 in the E.U. Directive is found to be very broadly divergent; indeed, in many cases, it is inconsistent with the directive. Further, the commission finds that a substantial amount of transborder data flow is not being subjected to regulation at all.

Finally, account should be taken of several strands of criticism of data privacy regimes generally. One line of criticism concerns the regimes’ underdevelopment of a systemic focus—as manifested, for instance, in the paucity of direct legislative encouragement for privacy-enhancing technologies.179 Another line of criticism relates to marginalization of the

176 For example, a survey in 2000 of privacy policies posted on U.S.- and E.U.-based Internet sites that sell goods or services to consumers found the policies on the E.U. sites to be no better than the policies on U.S. sites; indeed, some of the latter sites displayed the best policies. See K. Scribbins, Privacy@net: An International Comparative Study of Consumer Privacy on the Internet, Consumers International, 2001, available at http://www.consumersinternational.org/document_store/Doc30.pdf (accessed Oct. 20, 2003). See, too, results of a more recent survey published in April 2003 by World IT Lawyers. This survey canvassed 420 commercial Web sites across seven countries (France, Germany, the Netherlands, Portugal, Switzerland, Spain, and the United Kingdom) and found that approximately half of these sites did not display a privacy policy; see ZDNet UK, “UK Web Sites Fare Badly on Consumer Rights,” April 30, 2003, available at http://news.zdnet.co.uk/business/0,39020645,2134138,00.htm (accessed Oct. 29, 2003).

177 Several E.U. member states have been tardy in transposing the E.U. Directive into national law, the principal ones being France, Ireland, Luxembourg, and Germany. Further on implementation status, see http://europa.eu.int/comm/internal_market/privacy/law/implementation_en.htm (accessed Oct. 25, 2003).

178 See also Charlesworth, “Information Privacy Law in the European Union,” 2003.

179 See especially Bygrave, Data Protection Law, 2002, Part IV.

judiciary; in many countries, the courts have played little, if any, direct role in developing and enforcing data privacy norms. This situation not only results in a scarcity of authoritative guidance on the proper interpretation of the relevant legislation, but it contributes to the marginalization of data privacy as a field of law.180 Still another line of criticism is that data privacy regimes so far have tended to operate with largely procedural rules that do not seriously challenge established patterns of information use but seek merely to make such use more efficient, fair, and palatable for the general public. In this view, legislators’ motives for enacting data privacy laws are increasingly concerned with engendering public acceptance for new information systems, particularly in the area of electronic commerce. Concomitantly, it is argued that the regimes are incapable of substantially curbing the growth of mass surveillance and control.181

180 See especially Bygrave, “Where Have All the Judges Gone?,” 2001.

181 See especially J. Rule, D. McAdam, L. Stearns, and D. Uglow, The Politics of Privacy: Planning for Personal Data Systems as Powerful Technologies, Elsevier, New York, 1980; see also Flaherty, Protecting Privacy in Surveillance Societies, 1989.