National Academies Press: OpenBook

Engaging Privacy and Information Technology in a Digital Age (2007)

Chapter: Appendix B International Perspectives on Privacy

« Previous: Appendix A A Short History of Surveillance and Privacy in the United States
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

B
International Perspectives on Privacy

This appendix presents a global overview of how various countries, regions, and cultures address privacy-related concerns about the processing of personal information. It outlines the principal similarities and differences among various national and regional regulatory measures for addressing these concerns. Comparison is made not only of regulatory strategies but also of various national, regional, and cultural conceptualizations of the ideals and rationale of privacy protection.1

B.1
CONCEPTUALIZATIONS OF PRIVACY AND RELATED INTERESTS

As noted in Chapters 2, 4, and 5 of this report, there has long been interest in the United States in privacy, and “privacy” is a frequently used concept in public, academic, and judicial discourse.2 The concept has been especially prominent in discussion in the United States about the implications of the computerized processing of personal data. When this discussion took off in the 1960s, privacy was invoked as a key term for summing

1

Much of the information on international conceptions of the rationale for privacy protection presented in this appendix is based on the work of Lee Bygrave. See, for example, L.A. Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits, Kluwer Law International, The Hague/London/New York, 2002 (hereinafter cited as Bygrave, Data Protection Law, 2002). A full bibliography is available at http://folk.uio.no/lee/cv.

2

See, generally, Priscilla Regan, Legislating Privacy, University of North Carolina Press, 1995 (hereinafter cited as Regan, Legislating Privacy, 1995).

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

up the congeries of fears raised by the (mis)use of computers.3 However, privacy has not been the only term invoked in this context. A variety of other, partly overlapping concepts have also been invoked—particularly those of “freedom,” “liberty,” and “autonomy.”4

The U.S. debate, particularly in the 1960s and early 1970s, about the privacy-related threats posed by computers exercised considerable influence on debates in other countries. As Hondius writes, “[a]lmost every issue that arose in Europe was also an issue in the United States, but at an earlier time and on a more dramatic scale.”5 Naturally, the salience of the privacy concept in U.S. discourse helped to ensure its prominence in the debate elsewhere. This is most evident in discourse in other English-speaking countries6 and in international forums where English is a working language.7 Yet also in countries in which English is

3

See, for example, Alan F. Westin, Privacy and Freedom, Atheneum, New York, 1967. In this pioneering work that prompted global privacy movements in many democratic nations in the 1970s, Dr. Alan Westin, Professor of Public Law at Columbia University, defined privacy as the claim of individuals, groups, and institutions to determine for themselves when, how, and to what extent information about them is communicated to others. See also Arthur R. Miller, The Assault on Privacy: Computers, Data Banks, and Dossiers, University of Michigan Press, Ann Arbor, 1971 (hereinafter cited as Miller, The Assault on Privacy, 1971).

4

The title of Westin’s seminal work Privacy and Freedom (1967) is a case in point. Indeed, as pointed out further below, “privacy” in this context has tended to be conceived essentially as a form of autonomy—that is, as one’s ability to control the flow of information about oneself.

5

Frits W. Hondius, Emerging Data Protection in Europe, North Holland Publishing, Amsterdam, 1975, p. 6 (hereinafter cited as Hondius, Emerging Data Protection in Europe, 1975). Even in more recent times, discourse in the United States often takes up such issues before they are discussed elsewhere. For example, systematic discussion about the impact of digital rights management systems (earlier termed “electronic copyright management systems”) on privacy interests occurred first in the United States: see particularly, Julie Cohen, “A Right to Read Anonymously: A Closer Look at ‘Copyright Management’ in Cyberspace,” Conn. L. Rev. 28:981, 1996, available at http://www.law.georgetown.edu/faculty/jec/read_anonymously.pdf. Similar discussion did not occur in Europe until a couple of years later—the first instance being L.A. Bygrave and K.J. Koelman, “Privacy, Data Protection and Copyright: Their Interaction in the Context of Electronic Copyright Management Systems,” Institute for Information Law, Amsterdam, 1998; later published in P.B. Hugenholtz, ed., Copyright and Electronic Commerce, Kluwer Law International, The Hague/London/Boston, 2000, pp. 59-124.

6

See, for example, United Kingdom, Committee on Privacy (Younger Committee), Report of the Committee on Privacy, Cm. 5012, Her Majesty’s Stationery Office, London, 1972; Canada, Department of Communications and Department of Justice, Privacy and Computers: A Report of a Task Force, Information Canada, Ottawa, 1972; Australian Law Reform Commission, Privacy, Report No. 22, Australian Government Publishing Service (AGPS), Canberra, 1983; and W.L. Morison, Report on the Law of Privacy to the Standing Committee of Commonwealth and State Attorneys-General, Report No. 170/1973, AGPS, Canberra, 1973.

7

As is evident, for example, in the titles of the early Council of Europe resolutions dealing with information technology threats. See Council of Europe Resolution (73)22 on the

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

not the main language, much of the same discourse has been framed, at least initially, around concepts roughly equating with or embracing the notion of privacy—for instance, “la vie privée” (French),8 “die Privatsphäre” (German),9 and “privatlivets fred” (Danish/Norwegian).10

Nevertheless, the field of law and policy that emerged from the early discussions in Europe on the privacy-related threats posed by information technology (IT) has increasingly been described using a nomenclature that avoids explicit reference to privacy or closely related terms. This nomenclature is “data protection,” deriving from the German term “Datenschutz.”11 While the nomenclature is problematic in several respects—not least because it fails to indicate the central interests served by the norms to which it is meant to apply12—it has gained broad popularity in Europe13 and to a lesser extent elsewhere.14 Its use, though, is being increasingly supplemented by the term “data privacy.”15 Arguably, the latter nomenclature is more appropriate, as it better communicates the central interest(s) at stake and provides a bridge for synthesizing North American and European policy discussions.

At the same time, various countries and regions display terminological idiosyncrasies that partly reflect differing jurisprudential backgrounds for the discussions concerned. In Western Europe, the discussion has often drawn on jurisprudence developed there on legal protection of personal-

Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Private Sector, adopted Sept. 26, 1973; and Council of Europe Resolution (74)29 on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Public Sector, adopted Sept. 24, 1974.

8

See, for example, G. Messadié, La fin de la vie privée, Calmann-Lévy, Paris, 1974.

9

See, for example, the 1970 proposal by the (West) German Interparliamentary Working Committee for a “Law for the protection of privacy against misuse of database information,” described in H.P. Bull, Data Protection or the Fear of the Computer, Piper, Munich, 1984, p. 85.

10

See, for example, Denmark, Registerudvalget [Register Committee], Delbetænkning om private registre [Report on Private Data Registers], No. 687, Statens Trykningskontor, Copenhagen, 1973.

11

For more on the origins of “Datenschutz,” see Simitis, Kommentar zum Bundesdatenschutzgesetz, 2003, pp. 3-4.

12

Moreover, it tends to misleadingly connote, in U.S. circles, concern for the security of data and information or maintenance of intellectual property rights; see P.M. Schwartz and J.R. Reidenberg, Data Privacy Law: A Study of United States Data Protection, Michie Law Publishers, Charlottesville, Va., 1996, p. 5 (hereinafter cited as Schwartz and Reidenberg, Data Privacy Law, 1996).

13

See generally, Hondius, Emerging Data Protection in Europe, 1975; and Bygrave, Data Protection Law, 2002.

14

See, for example, G.L. Hughes and M. Jackson, Hughes on Data Protection in Australia, 2nd Ed., Law Book Co. Ltd., Sydney, 2001.

15

See, for example, Schwartz and Reidenberg, Data Privacy Law, 1996; and C. Kuner, European Data Privacy Law and Online Business, Oxford University Press, Oxford, 2003 (hereinafter cited as Kuner, European Data Privacy Law and Online Business, 2003).

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

ity. Thus, the concepts of “Persönlichkeitsrecht” (personality right) and “Persönlichkeitschutz” (personality protection) figure centrally in German and Swiss discourse.16 Norwegian discourse revolves around the concept of “personvern” (protection of person[ality]),17 while Swedish discourse focuses on “integritetsskydd” (protection of [personal] integrity).18 By contrast, Latin American discourse in the field tends to revolve around the concept of “habeas data” (roughly meaning “you should have the data”). This concept derives from due process doctrine based on the writ of habeas corpus.19

Many of the above-mentioned concepts are prone to definitional instability. The most famous case in point relates to definitions of “privacy.” Debates in the United States over the most appropriate definitions of privacy20 have counterparts in other countries centering on similar concepts.21 Some of the non-U.S. debate concerns whether privacy as such is best characterized as a state/condition, or a claim, or a right. That issue aside, the debate reveals four principal ways of defining privacy.22 One set of definitions is in terms of noninterference,23 another in terms of limited accessibility.24 A third set of definitions conceives of privacy as informa-

16

See, for example, Germany’s Federal Data Protection Act of 1990 (Bundesdatenschutzgesetz—Gesetz zum Fortentwicklung der Datenverarbeitung und des Datenschutzes vom 20. Dezember 1990 (as amended in 2001) §1(1)), stipulating the purpose of the act as protection of the individual from interference with his/her “personality right” (Persönlichkeitsrecht); and Switzerland’s Federal Law on Data Protection of 1992 (Loi fédérale du 19. Juin 1992 sur la protection des données/Bundesgesetz vom 19. Juni 1992 über den Datenschutz), Article 1, stating the object of the act as, inter alia, “protection of personality” (Schutz der Persönlichkeit).

17

See Bygrave, Data Protection Law, 2002, pp. 138-143 and references cited therein.

18

See Bygrave, Data Protection Law, 2002, pp. 126-129 and references cited therein.

19

See further, A. Guadamuz, “Habeas Data vs. the European Data Protection Directive,” Journal of Information, Law and Technology, 2001; and Fried, rapporteur, Organization of American States (OAS), Inter-American Juridical Committee, 2000, p. 107 et seq.

20

For overviews, see Chapter 2 of Julie C. Inness, Privacy, Intimacy, and Isolation, Oxford University Press, New York, 1992; and Chapters 2 and 3 of J. DeCew, In Pursuit of Privacy: Law, Ethics, and the Rise of Technology, Cornell University Press, Ithaca, N.Y., 1997.

21

See, e.g., En ny datalag [A New Data Law], Statens Offentlige Utredningar [State Official Reports], No. 10, pp. 150-161, 1993 (documenting difficulties experienced in Swedish data privacy discourse with respect to arriving at a precise definition of “personlig integritet”).

22

See generally Bygrave, Data Protection Law, 2002, pp. 128-129.

23

See especially Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard Law Review IV (December 15, No. 5):195, 205, 1890 (arguing that the right to privacy in Anglo-American law is part and parcel of a right “to be let alone”).

24

See, for example, R. Gavison, “Privacy and the Limits of Law,” Yale Law Journal 89:428-436, 1980, claiming that privacy is a condition of “limited accessibility” consisting of three elements: “secrecy” (“the extent to which we are known to others”), “solitude” (“the extent to which others have physical access to us”), and “anonymity” (“the extent to which we are the subject of others’ attention”).

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

tion control.25 A fourth set of definitions incorporates various elements of the other three sets but links privacy exclusively to intimate or sensitive aspects of persons’ lives.26

Definitions of privacy in terms of information control tend to be most popular in discourse dealing directly with law and policy on data privacy,27 both in the United States and elsewhere. In Europe, though, the notion is not always linked directly to the privacy concept; it is either linked to related concepts, such as “personal integrity” (in the case of, e.g., Swedish discourse),28 or it stands alone. The most significant instance of the latter is the German notion of “information self-determination” (informationelle Selbstbestimmung), which in itself forms the content of a constitutional right deriving from a landmark decision in 1983 by the German Federal Constitutional Court (Bundesverfassungsgericht).29 The notion and the right to which it attaches have had considerable impact on development of data privacy law and policy in Germany30 and, to a lesser extent, other European countries.

Despite the general popularity of notions of information control and information self-determination, these have usually not been viewed in terms of a person “owning” information about him-/herself, such that he/she should be entitled to, for example, royalties for the use of that information by others. Concomitantly, property rights doctrines have rarely been championed as providing a desirable basis for data privacy rules.31 The relatively few proponents of a property rights approach have

25

See, for example, Westin, Privacy and Freedom, 1967, p. 7 (“Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”).

26

See, for example, Inness, Privacy, Intimacy, and Isolation, 1992, p. 140 (defining privacy as “the state of possessing control over a realm of intimate decisions, which includes decisions about intimate access, intimate information, and intimate actions”).

27

See generally Bygrave, Data Protection Law, 2002, p. 130, and references cited therein.

28

See, for example, En ny datalag [A New Data Law], Statens Offentlige Utredningar [State Official Reports], No. 10, p. 159, 1993 (noting that the concept of “personlig integritet” embraces information control).

29

Decision of December 15, 1983, BverfGE (Entscheidungen des Bundesverfassungsgerichts), Vol. 65, p. 1 et seq. For an English translation, see Human Rights Law Journal 5:94 et seq., 1984.

30

Cf. S. Simitis, “Auf dem Weg zu einem neuen Datenschutzkonzept,” pp. 714 ff. in Datenschutz und Datensicherheit, 2000 (detailing the slow and incomplete implementation of the principles inherent in the right).

31

Opposition to a property rights approach is expressed in, inter alia, Miller, The Assault on Privacy, 1971, p. 211 ff.; Hondius, Emerging Data Protection in Europe, 1975, pp. 103-105; S. Simitis, “Reviewing Privacy in an Information Society,” University of Pennsylvania Law Review 135:707, 718, 735-736, 1987 (hereinafter cited as Simitis, “Reviewing Privacy in an Information Society,” 1987); K. Wilson, Technologies of Control: The New Interactive Media for the Home, University of Wisconsin Press, Madison, 1988, pp. 91-94; R. Wacks, Personal Information:

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

tended to come from the United States,32 although sporadic advocacy of such an approach also occurs elsewhere.33

B.2
CONCEPTUALIZATIONS OF THE VALUES SERVED BY PRIVACY

In the United States, the discourse on privacy and privacy rights tends to focus only on the benefits that these have for individuals qua individuals. These benefits are typically cast in terms of securing (or helping to secure) individuality, autonomy, dignity, emotional release, self-evaluation, and interpersonal relationships of love, friendship, and trust.34 They are, in the words of Westin, largely about “achieving individual goals of self-realization.”35 The converse of this focus is that privacy and privacy rights are often seen as essentially in tension with the needs of wider “society.”36 This view carries sometimes over into claims that privacy rights can be detrimental to societal needs.37

Casting the value of privacy in strictly individualistic terms appears to be a common trait in the equivalent discourse in many other countries.38 However, the grip of this paradigm varies from country to country

Privacy and the Law, Clarendon Press, Oxford, 1989, p. 49; Y. Poullet, “Data Protection Between Property and Liberties—A Civil Law Approach,” pp. 161-181 in H.W.K. Kaspersen and A. Oskamp, eds., Amongst Friends in Computers and Law: A Collection of Essays in Remembrance of Guy Vandenberghe, Kluwer Law and Taxation Publishers, Deventer/Boston, 1990; J. Litman, “Information Privacy/Information Property,” Stanford Law Review 52:1283-1313, 2000; and Bygrave, Data Protection Law, 2002, p. 121.

32

See, most notably, Westin, Privacy and Freedom, 1967, pp. 324-325; K.C. Laudon, “Markets and Privacy,” Communications of the Association for Computing Machinery 39:92-104, 1996; J. Rule and L. Hunter, “Towards Property Rights in Personal Data,” pp. 168-181 in C.J. Bennett and R. Grant, eds., Visions of Privacy: Policy Choices for the Digital Age, University of Toronto Press, Toronto, 1999; and L. Lessig, Code and Other Laws of Cyberspace, Basic Books, New York, 1999, pp. 159-163.

33

See, for example, P. Blume, “New Technologies and Human Rights: Data Protection, Privacy and the Information Society,” Paper No. 67, Institute of Legal Science, Section B, University of Copenhagen, 1998.

34

See generally, Bygrave, Data Protection Law, 2002, pp. 133-134 and references cited therein.

35

Westin, Privacy and Freedom, 1967, p. 39.

36

See generally, Regan, Legislating Privacy, 1995, Chapters 2 and 8 and references cited therein.

37

As exemplified in R.A. Posner, “The Right to Privacy,” Georgia Law Review 12:393-422, 1978 (criticizing privacy rights from an economic perspective); and A. Etzioni, The Limits of Privacy, Basic Books, New York, 1999 (criticizing privacy rights from a communitarian perspective).

38

See generally, C.J. Bennett and C.D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective, Ashgate, Aldershot, 2003, Chapter 1 (hereinafter cited as Bennett and Raab, The Governance of Privacy, 2003).

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

and culture to culture. The variation is well exemplified when comparing the jurisprudence of the German Federal Constitutional Court with that of U.S. courts. The former emphasizes that the value of data privacy norms lies to a large degree in their ability to secure the necessary conditions for active citizen participation in public life; in other words, to secure a flourishing democracy.39 This perspective is underdeveloped in U.S. jurisprudence.40

One also finds increasing recognition in academic discourse on both sides of the Atlantic that data privacy norms are valuable not simply for individual persons but for the maintenance of societal civility, pluralism, and democracy.41

A related development is increasing academic recognition that data privacy laws serve a multiplicity of interests, which in some cases extend well beyond traditional conceptualizations of privacy.42 This insight is perhaps furthest developed in Norwegian discourse, which has elaborated relatively sophisticated models of the various interests promoted

39

See, especially, the decision of December 15, 1983, BverfGE (Entscheidungen des Bundesverfassungsgerichts), Vol. 65, p. 1 et seq. For an English translation, see Human Rights Law Journal 5:94 et seq., 1984.

40

See further, the comparative analyses in P.M. Schwartz, “The Computer in German and American Constitutional Law: Towards an American Right of Informational Self-Determination,” American Journal of Comparative Law 37:675-701, 1989; P.M. Schwartz, “Privacy and Participation: Personal Information and Public Sector Regulation in the United States,” Iowa Law Review 80:553-618, 1995; and B.R. Ruiz, Privacy in Telecommunications: A European and an American Approach, Kluwer Law International, The Hague/London/Boston, 1997.

41

See, for example, S. Simitis, “Auf dem Weg zu einem neuen Datenschutzrecht” [On the Road to a New Data Protection Law], Informatica e diritto 3:97-116, 1984; Simitis, “Reviewing Privacy in an Information Society,” 1987; R.C. Post, “The Social Foundations of Privacy: Community and Self in the Common Law,” California Law Review 77:957-1010, 1989; R. Gavison, “Too Early for a Requiem: Warren and Brandeis Were Right on Privacy vs. Free Speech,” South Carolina Law Review 43:437-471, 1992; Regan, Legislating Privacy, 1995; B.R. Ruiz, Privacy in Telecommunications: A European and an American Law Approach, Kluwer Law International, The Hague/London/New York, 1997); P.M. Schwartz, “Privacy and Democracy in Cyberspace,” Vanderbilt Law Review 52:1609-1702, 1999; Bygrave, Data Protection Law, 2002; and Bennett and Raab, The Governance of Privacy, 2003.

42

See, for example, O. Mallmann, Zielfunktionen des Datenschutzes: Schutz der Privatsphäre, korrekte Information; mit einer Studie zum Datenschutz im Bereich von Kreditinformationssystemen [Goal Functions of Data Protection: Protection of Privacy, Correct Information; with a Study of Data Protection in the Area of Credit Information Systems], Alfred Metzner Verlag, Frankfurt am Main, 1977; H. Burkert, “Data-Protection Legislation and the Modernization of Public Administration,” International Review of Administrative Sciences 62:557-567, 1996; L.A. Bygrave, “Where Have All the Judges Gone? Reflections on Judicial Involvement in Developing Data Protection Law,” pp. 113-125 in P. Wahlgren, ed., IT och juristutbildning, Nordisk årsbok i rättsinformatik, 2000, Jure AB Stockholm, 2001; also published in Privacy Law and Policy Reporter 7:11-14, 33-36, 2000; and Bygrave, Data Protection Law, 2002, Chapter 7.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

by data privacy laws.43 These interests include ensuring adequate quality of personal information, “citizen-friendly” administration, proportionality of control, and rule of law. In Norway, the insight that data-privacy laws are concerned with more than safeguarding privacy extends beyond the academic community and into regulatory bodies. Indeed, Norway’s principal legislation on data privacy contains an objects clause specifically referring to the need for “adequate quality of personal information” (tilstrekkelig kvalitet på personopplysninger) in addition to the needs for privacy and personal integrity.44

The equivalent laws of some other European countries also contain objects clauses embracing more than privacy. The broadest—if not boldest—expression of aims is found in the French legislation: “Data processing shall be at the service of every citizen. It shall develop in the context of international co-operation. It shall infringe neither human identity, nor the rights of man, nor privacy, nor individual or public liberties.”45

Also noteworthy is the express concern in the data privacy legislation of several German Länder for maintaining state order based on the principle of separation of powers, and, concomitantly, for ensuring so-called information equilibrium (Informationsgleichgewicht) between the legislature and other state organs. This “equilibrium” refers principally to a situation in which the legislature is able to get access to information (personal and/or nonpersonal) that is available to the executive.46

At the same time, however, considerable uncertainty still seems to reign in many countries about exactly which interests and values are promoted by data privacy laws. This is reflected partly in academic discourse,47 partly in the absence in some laws of objects clauses formally

43

See generally, Bygrave, Data Protection Law, 2002, p. 137 et seq. and references cited therein.

44

See Norway’s Personal Data Act of 2000 (Lov om behandling av personopplysninger av 14. april 2000 nr. 31), §1(2).

45

See France’s Act Regarding Data Processing, Files and Individual Liberties of 1978 (Loi no. 78-17 du 6. janvier 1978 relative à l’informatique, aux fichiers et aux libertés), §1.

46

See further, Bygrave, Data Protection Law, 2002, p. 39; S. Simitis, ed., Kommentar zum Bundesdatenschutzgesetz [Commentary on the Federal Data Protection Act] 5th ed., Nomos Verlagsgesellschaft, Baden-Baden, 2003, p. 11.

47

See, for example, D. Korff, “Study on the Protection of the Rights and Interests of Legal Persons with Regard to the Processing of Personal Data Relating to Such Persons,” final report to E.C. Commission, October 1998, available at http://europa.eu.int/comm/internal_market/en/dataprot/studies/legalen.htm (accessed Oct. 10, 2003), p. 42 (“[t]here is a lack of clarity, of focus, over the very nature, aims and objects of data protection in the [European Union] Member States which is, not surprisingly, reflected in the international data protection instruments”); and B.W. Napier, “International Data Protection Standards and British Experience,” Informatica e diritto, Nos. 1-2, pp. 83-100, 1992, p. 85, hereinafter cited as Napier, “International Data Protection Standards and British Experience,” 1992) (claiming that, in Britain, “the conceptual basis for data protection laws remains unclear”).

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

specifying particular interests or values that the legislation is intended to serve,48 and partly in the vague way in which existing objects clauses are often formulated.49

B.3
SOCIETAL AND CULTURAL SUPPORT FOR PRIVACY: A COMPARISON

This section addresses the issue of whether some nations and cultures are more supportive of privacy than others are. It also addresses the factors that might contribute to such differences.

Making accurate comparisons of the degree to which given countries or cultures respect privacy is fraught with difficulty,50 which is partly due to the paucity of systematically collected empirical data51 and partly to the fact that concern for privacy within each country or culture is often uneven. In the United Kingdom (U.K.), for example, proposals to introduce multipurpose personal identification number (PIN) schemes similar to those in Scandinavia52 have generally been treated with a great deal of antipathy, yet video surveillance of public places in the United Kingdom53 seems to be considerably more extensive than that in Scandinavian countries.

48

See, for example, the U.K. Data Protection Act of 1998 and Denmark’s Personal Data Act of 2000 (Lov nr. 429 af 31. maj 2000 om behandling af personoplysninger).

49

See, for example, Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (European Treaty Series No. 108; adopted January 28, 1981), Article 1 (specifying goals as protection of “rights and fundamental freedoms, and in particular … right to privacy”).

50

This difficulty obviously carries over into comparative assessment of various countries’ legal regimes for privacy protection. See, for example, C.D. Raab and C.J. Bennett, “Taking the Measure of Privacy: Can Data Protection Be Evaluated?” International Review of Administrative Sciences 62:535-556, 1996. Equally problematic is the accurate comparison of privacy levels across historical periods. Yet another issue, over which relatively little has been written, concerns discrepancies between various classes of persons within a given society in terms of the respective levels of privacy that they typically enjoy. For further discussion, see generally, Bennett and Raab, The Governance of Privacy, 2003, Chapter 2.

51

As Bennett and Raab (The Governance of Privacy, 2003, p. 15) remark, “[U]nfortunately, we have little systematic cross-national survey evidence about attitudes to privacy with which to investigate the nature and influence of wider cultural attributes. Much of th[e] argumentation tends, therefore, to invoke anecdotes or cultural stereotypes: ‘the Englishman’s home is his castle,’ and so on.”

52

Further on the Scandinavian PIN schemes, see, for example, A.S. Lunde, J. Huebner, S. Lettenstrom, S. Lundeborg, and L. Thygesen, The Person-Number Systems of Sweden, Norway, Denmark and Israel, U.S. Department of Health and Human Services, Vital and Health Statistics, Series 2, No. 84, DHHS Publication No. (PHS) 80-1358, 1980; also available at http://www.cdc.gov/nchs/data/series/sr_02/sr02_084.pdf (accessed Oct. 4, 2003).

53

For more on this surveillance, see, for example, S. Davies, “Surveillance on the Streets,” Privacy Law and Policy Reporter 2:24-26, 1995; Der Spiegel, July 5, 1999, pp. 122-124; and A.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

It is clear that levels of privacy across nations and cultures and across broad historical periods are in constant flux. Moreover, the ways in which human beings create, safeguard, and enhance their respective states of privacy and the extent to which they exhibit a desire for privacy vary from culture to culture according to a complex array of factors.54 At the same time, the desire for some level of privacy appears to be a panhuman trait. Even in societies in which apparently little opportunity exists for physical or spatial solitude, human beings seem to adopt various strategies for cultivating other forms of social distance.55

To the extent that a panhuman need for privacy exists, it appears to be rooted not so much in physiological or biological as in social factors. According to Moore, the need for privacy is, in essence, socially created. Moore’s seminal study indicates that an extensive, highly developed concern for privacy is only possible in a relatively complex society with a strongly felt division between a domestic private realm and public sphere—“privacy is minimal where technology and social organization are minimal.”56

However, technological and organizational factors are not the sole determinants of privacy levels. Also determinative are ideological factors. Central among these are attitudes to the value of private life,57 attitudes

Webb, “Spy Cameras vs. Villains in Britain,” United Press International, March 8, 2002, available at http://www.upi.com/view.cfm?StoryID=08032002-020813-4448r (accessed Nov. 6, 2003).

54

See further, B. Moore, Privacy: Studies in Social and Cultural History, M.E. Sharpe, Publishers, Armonk, N.Y., 1984 (hereinafter cited as Moore, Privacy, 1984); J.M. Roberts and T. Gregor, “Privacy: A Cultural View,” pp. 199-225 in J.R. Pennock and J.W. Chapman, eds., Privacy: Nomos XIII, Atherton Press, New York, 1971; I. Altman, “Privacy Regulation: Culturally Universal or Culturally Specific?,” Journal of Social Issues 33:66-84, 1977; Westin, Privacy and Freedom, 1967; and Flaherty, Privacy in Colonial New England, University Press of Virginia, Charlottesville, 1972 (hereinafter cited as Flaherty, Privacy in Colonial New England, 1972).

55

See, for example, Moore’s study (Privacy, 1984) of the Siriono Indians in Bolivia; Flaherty’s study (Privacy in Colonial New England, 1972) of colonial society in New England; and R. Lunheim and G. Sindre, “Privacy and Computing: A Cultural Perspective,” pp. 25-40 in R. Sizer, L. Yngström, H. Kaspersen, and S. Fischer-Hübner, eds., Security and Control of Information Technology in Society, North-Holland, Amsterdam, 1993, a study of a village society in Rajasthan, North-West India (hereinafter cited as Lunheim and Sindre, “Privacy and Computing,” 1993).

56

Moore, Privacy, 1984, p. 276. Cf., inter alia, Lunheim and Sindre, “Privacy and Computing,” 1993, p. 28 (“privacy is a cultural construct encountered in virtually every society of some economic complexity”); Raes, 1989, p. 78 (noting that privacy today “is as much a result of modern technology as technology is a threat to the private lives of citizens”). For a particularly incisive sociological analysis of historical changes in levels and types of privacy, see Shils, 1975, Chapter 18.

57

See, for example, H. Arendt, The Human Condition, University of Chicago Press, 1958, p. 38 (noting that, in ancient Athenian culture, the private sphere was often regarded as a domain of “privation”). See also Moore, Privacy, 1984, p. 120 et seq. Moore, however, dis-

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

to the worth of persons as individuals,58 and sensitivity to human beings’ non-economic and emotional needs.59 Concern for privacy tends to be high in societies espousing liberal ideals, particularly those of Mill, Locke, Constant, and Madison. As Lukes notes, privacy in the sense of a “sphere of thought and action that should be free from ‘public’ interference” constitutes “perhaps the central idea of liberalism.”60

The liberal affection for privacy is amply demonstrated in the development of legal regimes for privacy protection. These regimes are most comprehensive in Western liberal democracies. By contrast, such regimes are underdeveloped in most African and Asian nations. It is tempting to view this situation as symptomatic of a propensity in African and Asian cultures to place primary value on securing the interests and loyalties of the group at the expense of the individual. However, care must be taken not to pigeonhole countries and cultures in static categories, and provision for privacy rights is increasingly on the legislative agenda of some African and Asian countries.

It is also important to note that the United States—often portrayed as the citadel of liberal ideals—has not seen fit to protect privacy as extensively as some other nations have, notably Canada and the member states of the European Union (E.U.). Consider, for example, the absence of comprehensive legislation on data privacy regulating the U.S. private sector and the lack of an independent agency (a data protection authority or a privacy commissioner) to specifically oversee the regulation of data privacy matters.61 Thus, within the Western liberal democratic “camp,”

cerns growing enthusiasm and respect for private life among Athenians over the course of the 4th century B.C.; see Moore, Privacy, pp. 128-133.

58

See, for example, M. Ethan Katsh, The Electronic Media and the Transformation of the Law, Oxford University Press, New York, 1989, p. 192 (“Part of the reason there was less privacy and less concern with privacy in earlier times is that the individual, the principal beneficiary of a right to privacy, did not have the same status in the ancient world as in the modern era”). See further, F.D. Schoeman, Privacy and Social Freedom, Cambridge University Press, Cambridge, 1992, Chapters 6 and 7 (describing factors behind the emergence of individualism and a concomitant concern for privacy in Western societies).

59

See, for example, S. Strömholm, Right of Privacy and Rights of the Personality: A Comparative Survey, P.A. Norstedt and Söners Förlag, Stockholm, 1967, pp. 19-20 (viewing the development of legal rights to privacy as part and parcel of a “humanization” of Western law; i.e., a trend toward greater legal sensitivity to the nonpecuniary interests of human beings).

60

Lukes, 1973, p. 62. Cf. Bennett and Raab, The Governance of Privacy, 2003, pp. 22-23 (“the political theory of privacy, in both the US and Europe, has largely operated within a liberal paradigm”).

61

See also Section B.4.2. For more on the differences between U.S. and European regulatory approaches in the data privacy field, see, for example, A. Charlesworth, “Clash of the Data Titans? US and EU Data Privacy Regulation,” European Public Law 6(2):253-274, 2000; J.R. Reidenberg, “Resolving Conflicting International Data Privacy Rules in Cyberspace,” Stanford Law Review 52:1315-1371, 2000; J.B. Ritter, B.S. Hayes, and H.L. Judy, “Emerging

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

considerable variation exists in legal regimes and readiness for safeguarding privacy.62

A variation in legal regimes need not reflect differences in the support for privacy in various nations. For example, the variation might be due, at least in part, to differences in the extent to which persons in respective countries can take for granted that others will respect their privacy (independently of legal norms).63 In other words, it can be attributable to differences in perceptions of the degree to which privacy is or will be threatened. For instance, the comprehensive, bureaucratic nature of data privacy regulation in Europe64 undoubtedly reflects traumas from relatively recent, firsthand experience there of totalitarian oppression.65 This heritage imparts both gravity and anxiety to European regulatory policy. Conversely, in North America and Australia, for example, the paucity of firsthand domestic experience of totalitarian oppression tends to make these countries’ regulatory policy in the field relatively lax.

Variation between the privacy regimes of Western states can also be symptomatic of differences in perceptions of the degree to which interests that compete with privacy, such as public safety and national security, warrant protection at the expense of privacy interests. In other words, the variation can be symptomatic of differing perceptions of the need for

Trends in International Privacy Law,” Emory International Law Review 15:87-155, 2001; and D.H. Flaherty, Protecting Privacy in Surveillance Societies, University of North Carolina Press, Chapel Hill/London, 1989 (hereinafter cited as Flaherty, Protecting Privacy in Surveillance Societies, 1989).

62

See, generally, Section B.4.

63

It is claimed, for instance, that this difference accounts for the lack of judicial support in the United Kingdom for a tort of breach of privacy, in contrast to the willingness of U.S. courts to develop such a tort: see, e.g., J. Martin and A.R.D. Norman, The Computerized Society, Englewood Cliffs, N.J., 1970, p. 468. However, other explanations have also been advanced for the nondevelopment of a right to privacy in English common law: see, e.g., Napier, “International Data Protection Standards and British Experience,” 1992, p. 85 (emphasizing the “narrow-mindedness” of English judges). For further detail on the divergent paths taken by English and American courts in developing a specific right of privacy under common law, see, inter alia, L. Brittan, “The Right of Privacy in England and the United States,” Tulane Law Review 37:235-268, 1963; G. Dworkin, “Privacy and the Law,” p. 113 et seq. in J.B. Young, ed., Privacy, Wiley, Chichester, 1978. In a decision of October 16, 2003, the House of Lords unanimously held that a tort of invasion of privacy is not part of English law, thus dealing a serious if not fatal blow to the development of a separate privacy tort under U.K. common law: see Wainwright v. Home Office [2003] U.K.H.L. 53, especially paragraphs 30-35, available at http://www.bailii.org/uk/cases/UKHL/2003/53.html (accessed Nov. 5, 2003). For an overview of other recent U.K. case law on privacy, see R. Jay and A. Hamilton, Data Protection: Law and Practice, Sweet and Maxwell, London: 2003, pp. 56-69.

64

See further, Section B.4.2.

65

See also K.S. Selmer, “Elektronisk databehandling og rettssamfunnet” [Electronic Data Processing and Legal Society], pp. 41-53 in Forhandlingene ved Det 30. nordiske juristmøtet, Oslo 15.–17. august 1984, Part II, Oslo, 1984.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

surveillance and control measures. This is seen most clearly in the impact on U.S. regulatory policy of the terrorist attacks of September 11, 2001. In the wake of those attacks, the United States has been more willing to place limitations on privacy rights.66

Yet other factors can play a role too. For instance, U.S. and, to a lesser extent, Australian eschewal of omnibus data privacy legislation for the private sector is due partly to a distrust of a strong state role in influencing the economy, combined with skepticism toward legally regulating the private sector except where flagrant imbalances of power are proven to exist between private parties—imbalances that cannot be corrected except by legislative intervention.67

The above differences aside, concern and support for privacy on the part of the general public seem to be broadly similar across the Western world.68 There is abundant evidence from public opinion surveys that these levels of concern and support are relatively high,69 at least in the

66

See generally, Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003: An International Survey of Privacy Laws and Developments, EPIC/PI, Washington, D.C., 2003.

67

With respect to U.S. attitudes, see, e.g., Schwartz and Reidenberg, Data Privacy Law, 1996, p. 6 et seq.; and J.H. Yurow, “National Perspectives on Data Protection,” Transnational Data Report 6(6):337-339, 1983. For further analysis of the causes of divergence between Western countries’ respective regimes for data privacy, see generally, C.J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States, Cornell University Press, Ithaca, N.Y., 1992, Chapter 6 (hereinafter cited as Bennett, Regulating Privacy, 1992).

68

As Bennett notes, “In nature and extent, the public concern for privacy is more striking for its cross-national similarities rather than for its differences” (Bennett, Regulating Privacy, 1992, p. 43). It is, nevertheless, noteworthy that Germans seem often to take data privacy issues a great deal more seriously than other nationalities do. A remarkable case in point is the high response rate of German-based organizations and individuals to a pan-European Union questionnaire issued by the Commission of the European Communities in 2002 regarding certain data privacy issues. Respondents registering Germany as their place of residence accounted for approximately 40 percent of the total number of respondents for each questionnaire. See http://europa.eu.int/comm/internal_market/en/dataprot/ law-report/docs/consultation-controllers_en.pdf (accessed Nov. 4, 2003); and http://europa.eu.int/comm/internal_market/en/ dataprot/lawreport/docs/consultation-citizens_en.pdf (accessed Nov. 4, 2003).

69

See generally Bygrave, Data Protection Law, 2002, p. 110 and references cited therein; and Bennett and Raab, The Governance of Privacy, 2003, pp. 56-65 and references cited therein. The survey material referenced there derives mainly from the United States, Canada, Australia, Norway, Denmark, and the United Kingdom. Survey material from Hungary seems largely to fit with the findings from the other countries: see I. Székely, “New Rights and Old Concerns: Information Privacy in Public Opinion and in the Press in Hungary,” Informatization and the Public Sector 2:99-113, 1994 . Note, though, that surveys of public attitudes to privacy can suffer from methodological weaknesses that make it unwise to rely on their results as wholly accurate indications of public thinking: see further, for example, William H. Dutton and Robert G. Meadow, “A Tolerance for Surveillance: American Public Opinion Concerning

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

abstract.70 The concern for privacy is often accompanied by considerable pessimism over existing levels of privacy, along with a lack of trust that organizations will not misuse personal information.71 Privacy concern tends to cut across a broad range of political leanings (within liberal democratic ideology),72 although there are occasional indications of statistically significant variation in attitudes to privacy issues based on party or political attachments.73 In terms of the roles played by other demographic variables, such as age, sex, and income level, results appear to vary a great deal from country to country and survey to survey.74

The survey evidence points toward increasing public sensitivity to the potential misuse of personal information. Certainly, one finds, for example, concrete instances in which items of information that previously were routinely publicized are now subject to relatively stringent requirements of confidentiality.75 Perhaps more interesting, however, is whether indications exist of an opposite development—that is, an increasing acclimatization of people to situations in which they are required to divulge personal information and a concomitant adjustment of what they

Privacy and Civil Liberties,” pp. 147-170 in Karen B. Levitan, ed., Government Infostructures, Greenwood Press, Westport, Conn., 1987.

70

Privacy concerns tend often to be of second-order significance for the public, with problems such as public safety, unemployment, and financial security being ranked as more important: see Bygrave, Data Protection Law, 2002, p. 110 and references cited therein.

71

Bygrave, Data Protection Law, 2002, p. 111 and references cited therein.

72

See further, Bennett, Regulating Privacy, 1992, especially p. 147.

73

See, for example, H. Becker,“Bürger in der modernen Informationsgesellschaft” [Citizens in the Modern Information Society], pp. 343-490 in Informationsgesellschaft oder Überwachungsstaat, Hessendienst der Staatskanzlei, Wiesbaden, 1984; pp. 415-416 cite survey results from (West) Germany showing that supporters of the Green Party (Die Grünen) were more likely to view data privacy as important than were supporters of the more conservative political parties.

74

Compare, for example, I. Székely, “New Rights and Old Concerns: Information Privacy in Public Opinion and in the Press in Hungary,” Informatization and the Public Sector 2:99-113, 1994 (Hungarian survey results appear to show that demographic variables play little role in determining public attitudes to privacy issues), with Australian Federal Privacy Commissioner, Community Attitudes to Privacy, Information Paper 3, Australian Government Publishing Service, Canberra, 1995 (demographic variables play a significant role in Australian survey results). Compare also, e.g., the latter study (privacy of personal information found to be more important to high-income than low-income earners) with L. Harris and Associates in association with A.F. Westin, Harris-Equifax Health Information Privacy Survey 1993, Equifax, Atlanta, Ga., 1994, p. 15 (low-income earners express higher concern about privacy than high-income groups, except in relation to medical privacy issues).

75

See, for example, H. Torgersen, “Forskning og personvern” [Research and Privacy], pp. 223-239 in R.D. Blekeli and K.S. Selmer, eds., Data og personvern, Universitetsforlaget, Oslo, 1977; p. 237 notes that, in Norway, the quantity and detail of information publicly disclosed in connection with student matriculation were far greater in the 1960s than in the mid-1970s and onward.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

perceive as problematic for their privacy. Unfortunately, there seems to be little survey evidence addressing this point.

Nevertheless, it is pertinent to note that public concern for privacy has rarely resulted in mass political movements with privacy protection per se high on their agenda.76 In most Western countries and even more so on the international plane, the actual formulation of law and policy on data privacy has typically been the project of a small elite.77

It is tempting to draw a parallel between this state of affairs and the way in which privacy concerns were articulated and politically pushed in the 19th century, at least in the United States and Germany. The movement for the legal recognition of privacy rights in those countries and at that time had largely genteel, elitist traits. It was, as Westin observes, “essentially a protest by spokesmen for patrician values against the rise of the political and cultural values of ‘mass society.’”78 This would be, however, an inaccurate (and unfair) characterization of the modern “data privacy elite.” The agenda of the latter is strongly democratic and egalitarian; it is much more concerned about the welfare of the citoyen (citizen) than simply about that of the bourgeois. And it self-consciously draws much of its power from the privacy concerns of the general public.79

B.4
REGULATORY POLICY ON PROTECTION OF PRIVACY AND PERSONAL INFORMATION (DATA PRIVACY)

A number of legal instruments exist at both international and national levels that deal directly with data privacy.80 In addition, some instruments

76

See generally, Bennett, Regulating Privacy, 1992, pp. 146, 243.

77

Bennett, Regulating Privacy, 1992, p. 127 et seq.

78

Westin, Privacy and Freedom, 1967, pp. 348-349. See further, James Barron, “Warren and Brandeis, The Right to Privacy (1890): Demystifying a Landmark Citation,” Suffolk U.L. Rev. 13:875, 1979; and D.W. Howe, “Victorian Culture in America,” pp. 3-28 in D.W. Howe, ed., Victorian America, University of Pennsylvania Press, Philadelphia, 1976. For a similar critique with respect to the ideological and class roots of German “Persönlichkeitsrecht,” seePersönlichkeitsrecht,” see,” see P. Schwerdtner, Das Persönlichkeitsrecht in der deutschen Zivilordnung, J. Schweitzer Verlag, Berlin, 1977, especially pp. 7, 85, and 92.

79

See also Bennett, Regulating Privacy, 1992, p. 129.

80

At the risk of stating the obvious: to describe these instruments as dealing directly with “data privacy” is to indicate that they specifically regulate all or most stages in the processing of personal data—i.e., data that relate to, and facilitate identification of, an individual, physical/natural person (or, sometimes, collective entity)—with a principal formal aim of safeguarding the privacy and/or related interests of that person. The main rules applied to the processing of such data embody a set of largely procedural, “fair information” principles stipulating, e.g., the manner and purposes of data processing, measures to ensure adequate quality of the data, and measures to ensure transparency of the processing in relation to the person to whom the data relate (“data subject”). For more detail, see generally, Bygrave, Data Protection Law, 2002, particularly Chapters 1, 3, 5, 18, and 19.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

are not legally binding in a formal sense but are nevertheless highly influential in the development of regulatory policy with respect to privacy.

The legal systems of many, if not most, countries contain a variety of rules that embody elements of the basic principles typically found in data privacy instruments or that can otherwise promote these principles’ realization, albeit in incidental, ad hoc ways.81 However, what is primarily of interest in the following overview is the degree to which countries have adopted rule sets that are directly concerned with promoting data privacy. Also of primary interest is the degree to which countries provide for the establishment of independent agencies (hereinafter termed “data privacy agencies”) specifically charged with overseeing the implementation and/or further development of these rule sets.

B.4.1
International Instruments

The formal normative basis for data privacy laws derives mainly from catalogues of fundamental human rights set out in certain multilateral instruments, notably the Universal Declaration of Human Rights (UDHR)82 and the International Covenant on Civil and Political Rights (ICCPR),83 along with the main regional human rights treaties, such as the European Convention on Human Rights and Fundamental Freedoms (ECHR)84 and the American Convention on Human Rights (ACHR).85 All of these instruments—with the exception of the African Charter on Human and People’s Rights86—expressly recognize privacy as a fundamental human right.87 Not all human rights catalogues from outside the Western, liberal-democratic sphere repeat the African Charter’s omission of privacy. For example, the Cairo Declaration on Human Rights in Islam88 expressly recognizes a right to privacy for individuals (see the Declaration’s Article 18[b]-[c]).

The right to privacy in these instruments is closely linked to the ideals and principles of data privacy laws, although other human rights, such as

81

Rules concerning computer security, breach of confidence, defamation, and intellectual property are examples.

82

United Nations (UN) General Assembly Resolution 217 A (III) of Dec. 10, 1948.

83

UN General Assembly Resolution 2200A (XXI) of Dec. 16, 1966; in force March 23, 1976.

84

European Treaty Series No. 5; opened for signature Nov. 4, 1950; in force Sept. 3, 1953.

85

OAS Treaty Series No. 36; adopted Nov. 22, 1969; in force July 18, 1978.

86

OAU Doc. CAB/LEG/67/3 rev. 5; adopted June 27, 1981; in force Oct. 21, 1986.

87

See Universal Declaration of Human Rights (UDHR), Article 12; International Covenant on Civil and Political Rights (ICCPR), Article 17; European Court of Human Rights (ECHR), Article 8; American Convention on Human Rights (ACHR), Article 11. See also Article V of the American Declaration of the Rights and Duties of Man (OAS Resolution XXX; adopted 1948).

88

Adopted Aug. 5, 1990 (UN Doc. A/45/421/5/21797, p. 199).

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

freedom from discrimination and freedom of expression, are relevant, too. The special importance of the right to privacy in this context is reflected in the fact that data privacy laws frequently single out protection of that right as central to their formal rationale.89 It is also reflected in case law developed pursuant to ICCPR Article 17 and ECHR Article 8: both provisions have been authoritatively construed as requiring national implementation of the basic principles of data privacy laws.90 Indeed, these provisions function, in effect, as data privacy instruments in themselves. However, case law has yet to apply them in ways that add significantly to the principles already found in other data privacy laws, and in some respects the protection that they are currently held to offer falls short of the protection afforded by many of the latter instruments.91

In terms of other international legal instruments, there does not exist a truly global convention or treaty dealing specifically with data privacy. Calls for such an instrument are occasionally made, although there are no concrete plans underway to draft one. The closest to such an instrument is the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (hereinafter termed the “CoE Convention”).92 While this is a European instrument, it is envisaged to be potentially more than an agreement between European states, as it

89

See, for example, Article 1 of the Council of Europe Convention on data privacy (note 49 above), Article 2 of Belgium’s 1992 Act Concerning the Protection of Personal Privacy in Relation to the Processing of Personal Data (Wet van 8. December 1992 tot bescherming van de persoonlijke levensfeer ten opzichte van de verwerkung van persoonsgegevens/Loi du 8. décembre 1992 relative à la protection de la vie privée à l’égard des traitements de données à caractère personnel); and the preamble to (and title of) Australia’s federal Privacy Act of 1988.

90

In relation to Article 17 of the ICCPR, see General Comment 16 issued by the Human Rights Committee on March 23, 1988 (UN Doc. A/43/40, pp. 180-183), paragraphs 7 and 10. In relation to Article 8 of the ECHR, see the judgments of the European Court of Human Rights in, e.g., Klass v. Germany (1978), Series A of the Publications of the European Court of Human Rights (“A”), 28; Malone v. United Kingdom (1984), A 82; Leander v. Sweden (1987), A 116; Gaskin v. United Kingdom (1989), A 160; Kruslin v. France (1990), A 176-A; Niemitz v. Germany (1992), A 251-B; Amann v. Switzerland (2000), Reports of Judgments and Decisions of the European Court of Human Rights 2000-I. See further, L.A. Bygrave, “Data Protection Pursuant to the Right to Privacy in Human Rights Treaties,” International Journal of Law and Information Technology 6:247-284, 1998.

91

For instance, the right of persons to gain access to information kept about them by others is more limited under Article 8 of the ECHR than it usually is under ordinary data privacy laws. Further, uncertainty surrounds the degree to which Article 8 may be applied in cases involving data-processing practices of the private sector. See further, L.A. Bygrave, “Data Protection Pursuant to the Right to Privacy in Human Rights Treaties,” 1998.

92

European Treaty Series No. 108; adopted Jan. 28, 1981; in force Oct. 1, 1985. Further on the CoE Convention, see, for example, F. Henke, Die Datenschutzkonvention des Europarates [The Data Protection Convention of the Council of Europe], Peter Lang, Frankfurt am Main/ Bern/New York, 1986; and Bygrave, Data Protection Law, 2002, especially p. 32.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

is open to ratification by states not belonging to the Council of Europe (see Article 23 of the CoE Convention). However, it has yet to be ratified by a nonmember state.93

Within the European Union, several directives on data privacy have been adopted, the first and most important of which is Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (hereinafter termed the “E.U. Directive”).94 This instrument is binding on E.U. member states. It is also binding on nonmember states (Norway, Iceland, and Liechtenstein) that are party to the 1992 Agreement on the European Economic Area (EEA). It is further binding on the 10, largely East European states (Slovak Republic, Czech Republic, Malta, Poland, Hungary, Lithuania, Latvia, Estonia, Slovenia, and Cyprus) that became full-fledged members of the Union on May 1, 2004. In other words, the directive is primarily a European instrument for European states. Nevertheless, it exercises considerable influence over other countries, not least because it prohibits (with some qualifications) the transfer of personal data to those countries unless they provide “adequate” levels of data privacy (see Articles 25-26 of the E.U. Directive).95 As shown below, many non-European countries are passing legislation in order to meet this adequacy criterion at least partly.96

93

Note, though, that the European Union, or, more accurately, European Communities, has signaled a wish to accede to the CoE Convention. Amendments to the convention were adopted on June 15, 1999, in order to permit accession by the European Communities, but they are not yet in force. See further, Bygrave, Data Protection Law, 2002, p. 32.

94

Adopted Oct. 24, 1995, Official Journal of the European Communities (O.J.), L 281, Nov. 23, 1995, p. 31 et seq. Two sectoral directives on data privacy have also been adopted. The first of these was Directive 97/66/EC of Dec. 15, 1997, concerning the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector (O.J. L 24, Jan. 30, 1998, p. 1 et seq.). This has now been replaced by Directive 2002/58/EC of July 12, 2002, concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (O.J. L 201, July 31, 2002, p. 37 et seq.). Further on the general directive, see, for instance, D.I. Bainbridge, EC Data Protection Directive, Butterworths, London/ Dublin/Edinburgh, 1996; S. Simitis, “From the Market to the Polis: The EU Directive on the Protection of Personal Data,” Iowa Law Review 80:445-469, 1995; U. Damman and S. Simitis, EG-Datenschutzrichtlinie: Kommentar [E.C. Directive on Data Protection: Commentary] Nomos Verlagsgesellschaft, Baden-Baden, 1997; and Bygrave, Data Protection Law, 2002.

95

See further, e.g., P.M. Schwartz, “European Data Protection Law and Restrictions on International Data Flows,” Iowa Law Review 80:471-496, 1995, especially p. 483 et seq.; European Union, Data Protection Working Party, “Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive,” working document adopted July 24, 1998, available at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/1998/wp12_en.pdf (accessed Oct. 11, 2003); C. Kuner, European Data Privacy Law and Online Business, Oxford University Press, Oxford, 2003, Chapter 4; and Bennett and Raab, The Governance of Privacy, 2003, pp. 81-85.

96

Further on this influence: P.P. Swire and R.E. Litan, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive, Brookings Institution Press,

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

Furthermore, the E.U. Directive stipulates that the data privacy law of an E.U. state may apply outside the European Union in certain circumstances, most notably if a data controller,97 based outside the European Union, utilizes “equipment” located in the state to process personal data for purposes other than merely transmitting the data through that state (see E.U. Directive Article 4[1][c]).98 All of these provisions give an impression that the European Union, in effect, is legislating for the world.99

Apart from the above legal instruments, there exist numerous international and regional instruments on data privacy that take the form of guidelines, recommendations, or codes of practice. Although “soft law” only, some of them carry a great deal of political and/or commercial weight; accordingly, they exercise considerable influence on the development of data privacy law. For advanced industrial states generally, the most significant of these instruments are the 1980 Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (hereinafter termed “OECD Guidelines”), adopted by the Organisation for Economic Co-operation and Development (OECD).100 The OECD Guidelines contain a set of data privacy principles similar to those stipulated in the CoE Convention. These guidelines have been very influential in the drafting of data privacy laws and standards in non-European jurisdictions

Washington, D.C., 1998; G. Shaffer, “Globalization and Social Protection: The Impact of E.U. and International Rules in Ratcheting Up of U.S. Privacy Standards,” Yale Journal of International Law 25:1-88, 2000; and N. Waters, “The European Influence on Privacy Law and Practice,” Privacy Law and Policy Reporter 9:150-155, 2003.

97

A “data controller” is a person or organization that determines the purposes and means of processing personal data: see E.U. Directive, Article 2(d).

98

See further, L.A. Bygrave, “Determining Applicable Law Pursuant to European Data Protection Legislation,” Computer Law and Security Report 16:252-257, 2000; Kuner, European Data Privacy Law and Online Business, 2003, Chapter 3; and A. Charlesworth, “Information Privacy Law in the European Union: E Pluribus Unum or Ex Uno Plures?,” Hastings Law Journal 54:931-969, 2003.

99

Equally, they nourish accusations of “regulatory overreaching.” See particularly the criticism of Article 4(1)(c) in Bygrave, “Determining Applicable Law Pursuant to European Data Protection Legislation,” 2000. See also the more general criticism (from U.S. and Australian quarters) in A. Lukas, “Safe Harbor or Stormy Waters? Living with the EU Data Protection Directive,” Trade Policy Analysis Paper No. 16, Cato Institute, Washington, D.C., Oct. 30, 2001; P. Ford, “Implementing the EC Directive on Data Protection—An Outside Perspective,” Privacy Law and Policy Reporter 9:141-149, 2003.

100

Adopted by OECD Council on Sept. 23, 1980 (OECD Doc. C(80)58/FINAL). For further discussion of the Guidelines, see P. Seipel, “Transborder Flows of Personal Data: Reflections on the OECD Guidelines,” Transnational Data Report 4:32-44, 1981. The OECD has issued other guidelines also relating, albeit more indirectly, to data privacy: see Guidelines for the Security of Information Systems (adopted Nov. 26, 1992)—now replaced by Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (adopted July 25, 2002); Guidelines for Cryptography Policy (adopted March 27, 1997); and Guidelines for Consumer Protection in the Context of Electronic Commerce (adopted Dec. 9, 1999).

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

such as Australia, New Zealand, and Canada.101 They have also been formally endorsed—but not necessarily implemented—by numerous companies and trade associations in the United States.102 Furthermore, they constitute an important point of departure for the ongoing efforts by the Asia-Pacific Economic Cooperation (APEC) to draft a set of common data privacy principles for jurisdictions in the Asia-Pacific region.103

Of potentially broader reach are the United Nations (UN) Guidelines Concerning Computerized Personal Data Files (hereinafter termed “UN Guidelines”), adopted in 1990.104 The UN Guidelines are intended to encourage the enactment of data privacy laws in UN member states lacking such legislation. These guidelines are also aimed at encouraging international organizations—both governmental and nongovernmental—to process personal data in a responsible, fair, and “privacy-friendly” manner. However, the UN Guidelines seem to have had little practical effect relative to the OECD Guidelines and the other instruments canvassed above.105 Nevertheless, their adoption underlines the reality that data privacy is not simply a “First World,” Western concern. Moreover, in several respects, the principles in the UN Guidelines go farther than some of the other international instruments.106

Note should also be taken of the numerous recommendations and codes that are of sectoral application only. The CoE Convention, for

101

Reference to the OECD Guidelines is made in the preambles to both Australia’s federal Privacy Act of 1988 and New Zealand’s Privacy Act of 1993. Further on the OECD Guidelines’ importance for Australian policy, see Ford, “Implementing the EC Directive on Data Protection—An Outside Perspective,” 2003. In Canada, the OECD Guidelines formed the basis for the Canadian Standards Association’s Model Code for the Protection of Personal Information (CAN/CSA-Q830-96), adopted in March 1996. The Model Code has been incorporated into Canadian legislation as Schedule 1 to the Personal Information Protection and Electronic Documents Act of 2000.

102

See, for example, R.M. Gellman, “Fragmented, Incomplete, and Discontinuous: The Failure of Federal Privacy Regulatory Proposals and Institutions,” Software Law Journal 6:199-238, 1993.

103

See generally, the documentation collated at http://www.apecsec.org.sg/apec/documents_reports/electronic_commerce_steering_group/2003.html (accessed Nov. 8, 2003). See also G. Greenleaf, “Australia’s APEC Privacy Initiative: The Pros and Cons of ‘OECD Lite,’” Privacy Law and Policy Reporter 10:1-6, 2003; G. Greenleaf, “APEC Privacy Principles Version 2: Not Quite So Lite, and NZ Wants OECD Full Strength,” Privacy Law and Policy Reporter 10:45-48, 2003. Further on APEC generally, see http://www.apecsec.org.sg (accessed Nov. 2, 2003).

104

On the background to the OECD Guidelines, see, for instance, J. Michael, Privacy and Human Rights: An International and Comparative Study, with Special Reference to Developments in Information Technology, UNESCO/Dartmouth Publishing Company, Paris/Aldershot, 1994, pp. 21-26.

105

This is partly reflected in the fact that they are frequently overlooked in data privacy discourse, at least in Scandinavia; see Bygrave, Data Protection Law, 2002, p. 33 and references cited therein.

106

For details, see Bygrave, Data Protection Law, 2002, pp. 73, 350.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

instance, has issued a large range of sector-specific recommendations to supplement and extend the rules in its convention on data privacy. These recommendations cover, inter alia, the police sector,107 employment,108 research and statistics,109 and telecommunications.110 Another noteworthy instance is the code of practice issued by the International Labor Organization (ILO) on data privacy in the workplace.111

The principal international instruments dealing specifically with data privacy tend to be aimed at encouraging not just the enactment of national rules but also the harmonization of these rules. In turn, the harmonization objective has several rationales, some of which are concerned not so much with enhancing data privacy as with facilitating the flow of personal data across national borders in order to maintain international commerce, freedom of expression, and intergovernment cooperation.112 The latter concerns arise because many national data privacy laws—mainly European—have long operated with rules providing for restrictions of data flow to countries not offering levels of data privacy similar to those of the “exporting” jurisdiction.113

While the practical effect of such rules on actual transborder data flow tends to have been negligible for the most part,114 the potential impact of these rules has caused much consternation, particularly for business interests. Concern to minimize this impact in order to safeguard trade is most prominent in the OECD Guidelines and E.U. Directive.115 The

107

Recommendation No. R (87) 15 Regulating the Use of Personal Data in the Police Sector, adopted Sept. 17, 1987.

108

Recommendation No. R (89) 2 on the Protection of Personal Data Used for Employment Purposes, adopted Jan. 18, 1989.

109

Recommendation No. R (83) 10 on the Protection of Personal Data Used for Scientific Research and Statistics, adopted Sept. 23, 1983, and Recommendation No. R (97) 18 on the Protection of Personal Data Collected and Processed for Statistical Purposes, adopted Sept. 30, 1997.

110

Recommendation No. R (95) 4 on the Protection of Personal Data in the Area of Telecommunications Services, with Particular Reference to Telephone Services, adopted Feb. 7, 1995.

111

Protection of Workers’ Personal Data, I.L.O., Geneva, 1997.

112

See generally, Bygrave, Data Protection Law, 2002, p. 40, and references cited therein.

113

See further, inter alia, A.C.M. Nugter, Transborder Flow of Personal Data Within the EC, Kluwer Law and Taxation Publishers, Deventer/Boston, 1990; R. Ellger, Der Datenschutz im grenzüberschreitende Datenverkehr: Eine rechtsvergleichende und kollisionsrechtliche Untersuchung [Data Protection with Respect to Cross-Border Data Traffic: A Comparative Law and Conflict-of-Laws Study], Nomos Verlagsgesellschaft, Baden-Baden, 1990 (hereinafter cited as Ellger, Der Datenschutz im grenzüberschreitende Datenverkehr, 1990); and Schwartz, “European Data Protection Law and Restrictions on International Data Flows,” 1995.

114

See, for example, the extensive survey in Ellger, Der Datenschutz im grenzüberschreitende Datenverkehr, 1990.

115

See Bygrave, Data Protection Law, 2002, p. 40 and references cited therein.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

latter goes the farthest in securing transborder data flow by prohibiting E.U. member states from instituting privacy-related restrictions on data transfer to other member states (see E.U. Directive, Article 1[2]). This prohibition is primarily grounded in the need to facilitate realization of the European Union’s internal market.116 At the same time, however, the E.U. Directive goes the farthest of the international instruments in restricting transborder data flow, through its qualified prohibition of data transfer to non-E.U. states that fail to provide “adequate” levels of data privacy (E.U. Directive Article 25).

The adequacy criterion could be regarded as evidence that economic protectionism forms part of the E.U. Directive’s agenda—that is, it reflects a desire to protect European industry from foreign competition. Allegations of economic protectionism have been directed at earlier European data privacy regimes,117 but little solid evidence exists to support them.118 While there is perhaps more evidence linking the origins of the E.U. Directive to protectionist concerns, the linkage is still tenuous.119 Considerably more-solid grounds exist for viewing the adequacy criterion as prima facie indication that the directive is seriously concerned with safeguarding privacy interests and rights. This concern is also manifest in the preamble to the directive,120 in recent case law from the European Court of Justice,121 and increasingly in the E.U. legal system generally. Particularly noteworthy is the growing recognition in the European Union that the protection of data privacy is in itself (i.e., separate from the broader right to privacy) a basic human right.122

Despite their harmonizing objectives, the international instruments tend to leave countries a significant degree of leeway in the development

116

See particularly Recitals 3, 5, and 7 in the preamble to the E.U. Directive.

117

See, e.g., K.R. Pinegar, “Privacy Protection Acts: Privacy Protectionism or Economic Protectionism?” International Business Lawyer 12:183-188, 1984; R.P. McGuire, “The Information Age: An Introduction to Transborder Data Flow,” Jurimetrics Journal 20:1-7, 1979-1980; J.M. Eger, “Emerging Restrictions on Transborder Data Flow: Privacy Protection or Non-Tariff Trade Barriers,” Law and Policy in International Business 10:1055-1103, 1978.

118

See the discussion in Bygrave, Data Protection Law, 2002, pp. 114-115 and references cited therein.

119

See the discussion in Bygrave, Data Protection Law, 2002, pp. 114-115 and references cited therein.

120

See particularly, Recitals 2, 3, 10, and 11.

121

See judgment of May 20, 2003, in Joined Cases C-465/00, C-138/01, and C-139/01, Österreichischer Rundfunk and Others [2003] ECR I-0000, particularly paragraph 71 et seq.

122

See Charter of Fundamental Rights of the European Union, adopted Dec. 7, 2000 (O.J. C 364, Dec. 18, 2000, p. 1 et seq.), Article 8 (providing for a right to protection of personal data) and Article 7 (providing for the right to respect for private and family life). See also the right to protection of personal data in Article 50 of the draft treaty establishing a constitution for Europe (Conv. 850/03, Brussels, July 18, 2003; available at http://european-convention.eu.int/docs/Treaty/cv00850.en03.pdf, accessed Oct. 25, 2003).

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

of their respective data privacy regimes. This is especially the case with the “soft law” instruments, but the legally binding instruments also allow for considerable national flexibility. The CoE Convention is not intended to be self-executing, and it permits derogations on significant points.123 The E.U. Directive has more prescriptive bite than its counterparts, but it is still aimed only at facilitating an “approximation” as opposed to the complete uniformity of national laws (see particularly Recital 9 in its preamble). Accordingly, it leaves E.U. member states considerable margin for maneuver.124

Of all of the instruments canvassed above, the E.U. Directive has become the leading trendsetter and benchmark for data privacy around the world. Not only is it shaping national data protection regimes, it is also shaping international instruments. For example, the CoE Convention has recently been supplemented by a protocol containing rules that essentially duplicate the rules in the E.U. Directive dealing respectively with the flow of personal data to nonmember states and with the competence of national data privacy authorities.125 Outside Europe, clear traces of the E.U. Directive are to be found in the draft Guidelines on the Protection of Personal Information and Privacy drawn up by the Asia Pacific Telecommunity (APT)126 and in the draft Asia-Pacific Privacy Charter drawn up by the Asia-Pacific Privacy Charter Council (APPCC).127

Nevertheless, the leadership status of the E.U. Directive could face a serious challenge in the Asia-Pacific region if APEC is able to agree on a common set of data privacy principles for its 21 member states. There are indications that the principles are likely to be inspired more by the OECD Guidelines than by the E.U. Directive, and at the same time they are likely to be less privacy-protective than the directive and possibly than the guidelines.128 Work on the principles signals a readiness among

123

See P. Henke, Die Datenschutzkonvention des Europarates, 1986, especially pp. 57-60; and Bygrave, Data Protection Law, 2002, p. 34.

124

See further, Bygrave, Data Protection Law, 2002, p. 34 and references cited therein. See also Section 4.6.

125

Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) regarding supervisory authorities and transborder data flows (adopted May 23, 2001; not yet in force).

126

Draft of September 2003; on file with author but not publicly available. Further on the APT, see http://www.aptsec.org (accessed Oct. 26, 2003).

127

See Version 1.0 of the charter, dated Sept. 3, 2003; on file with author but not publicly available. For more on the APPCC and its work, see G. Greenleaf, “The Asia-Pacific Privacy Charter Council: A Regional ‘Civil Society’ Initiative,” Privacy Law and Policy Reporter 10:49-50, 2003; and the APPCC home page at http://www.austlii.edu.au/au/special/cyberlpc/appcc (accessed Oct. 25, 2003).

128

See G. Greenleaf, “Australia’s APEC Privacy Initiative: The Pros and Cons of ‘OECD Lite’,” Privacy Law and Policy Reporter 10:1-6, 2003. Cf. G. Greenleaf, “APEC Privacy Prin-

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

many of the APEC states to forge their own approach to data privacy without necessarily conforming to European norms. This approach would appear to foster data privacy regimes less because of concern to protect basic human rights than over concern to engender consumer confidence in business.129

B.4.2
National Instruments

Well over 30 countries have enacted data privacy laws, and their number is growing steadily.130 Most of these countries are European. Indeed, Europe is home to the oldest, most comprehensive, and most bureaucratically cumbersome data privacy laws at both national and provincial levels. Moreover, as shown above, Europe—through its supranational institutions—is also a springboard for the most ambitious and extensive international initiatives in the field.

Common points of departure for national data privacy regimes in Europe are as follows:

  • Coverage of both public and private sectors;

  • Coverage of both automated and manual systems for processing personal data, largely irrespective of how the data are structured;

  • Application of broad definitions of “personal data”;

  • Application of extensive sets of procedural principles, some of which are rarely found in data privacy regimes elsewhere;131

  • More stringent regulation of certain categories of sensitive data (e.g., data relating to philosophical beliefs, sexual preferences, ethnic origins);

ciples Version 2: Not Quite So Lite, and NZ Wants OECD Full Strength,” Privacy Law and Policy Reporter 10:45-48, 2003 (noting that more recent drafts of the principles have been strengthened, though certainly not to the level of the E.U. Directive).

129

See R. Tang, “Personal Data Privacy: The Asian Agenda,” speech given at 25th International Conference of Data Protection and Privacy Commissioners, Sydney, Sept. 10, 2003; available at http://www.privacyconference2003.org/program.asp#psa (accessed Oct. 10, 2003).

130

See generally, Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, Electronic Privacy Information Center and Privacy International, Washington, D.C., 2003, which gives a fairly up-to-date overview of the state of data privacy regimes in more than 50 countries. A complementary, though less comprehensive, overview is given in M. Henry, ed., International Privacy, Publicity and Personality Laws, Butterworths, London, 2001.

131

An example of a principle that is unique to European laws concerns fully automated profiling. The principle is that fully automated assessments of a person’s character should not form the sole basis of decisions that impinge on the person’s interests. The principle is embodied in Article 15 of the E.U. Directive: see further, Bygrave, Data Protection Law, 2002, pp. 319-328.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
  • Restrictions on the transborder flow of personal data;

  • Establishment of independent data privacy agencies with broad discretionary powers to oversee the implementation and development of data privacy rules;

  • Channeling of privacy complaints to these agencies rather than to the courts;

  • Extensive subjection of data processing to the notification and/or licensing requirements administered by the data privacy agencies;

  • Extensive use of “opt-in” requirements for valid consent by data subjects; and

  • Little use of industry-developed codes of practice.132

The majority of these characteristics were originally typical for data privacy laws in West European countries. Owing largely to the E.U. Directive, they are now also typical for the laws of most East European countries. Nevertheless, it is important to note that each country has its own unique mix of rules;133 concomitantly, a good deal of variation exists in the degree to which each country shares the above-listed traits.134 For example, the Netherlands has always made relatively extensive use of

132

See further, for example, Bygrave, Data Protection Law, 2002, especially Chapters 2 through 4, and Kuner, European Data Privacy Law and Online Business, 2003. For older accounts, see, for example, Hondius, Emerging Data Protection in Europe, 1975; and H. Burkert, “Institutions of Data Protection—An Attempt at a Functional Explanation of European National Data Protection Laws,” Computer/Law Journal 3:167-188, 1981-1982.

133

For in-depth treatment of, e.g., U.K. law, see R. Jay and A. Hamilton, Data Protection: Law and Practice, Sweet and Maxwell, London, 2003; of German law, see S. Simitis, Kommentar zum Bundesdatenschutzgesetz [Commentary on the Alliance Data Protection Law], 2003; of Italian law, see G. Buttarelli, Banche dati e tutela della riservatezza: La privacy nella Società dell’Informazione [Data Banks and the Protection of Confidentiality: The Privacy of Information in Society], Giuffrè Editore, Milan, 1997; of Swiss law, see U. Maurer and N.P. Vogt., eds., Kommentar zum Schweizerischen Datenschutzgesetz [Commentary on the Swiss Data Protection Act], Helbing and Lichtenhahn, Basel/Frankfurt am Main, 1995. For overviews of the data privacy laws of Denmark, Finland, Norway, and Sweden, see P. Blume, ed., Nordic Data Protection, DJØF Publishing, Copenhagen, 2001. Otherwise, see the more detailed analyses of Danish law in P. Blume, Personoplysningsloven [The Personal Data Act], Greens§Jura, Denmark, 2000; and K.K. Nielsen and H. Waaben, Lov om behandling af personoplysninger—med kommentarer [Act on Processing of Personal Data—with Commentary], Jurist-g Økonomforbundets Forlag, Copenhagen, 2001; of Norwegian law in M. Wiik Johansen, K.-B. Kaspersen, and Å.M. Bergseng Skullerud, Personopplysningsloven. Kommentarutgave [Personal Data Act. Commentary Edition], Universitetsforlaget, Oslo, 2001; of Swedish law in S. Öman and H.-O. Lindblom, Personuppgiftslagen: En kommentar [Personal Data Act: A Commentary], Norstedts Juridik, Stockholm, 2001. English translations of the principal data privacy laws of all current E.U. member states are collated in S. Simitis, U. Dammann, and M. Körner, eds., Data Protection in the European Community: The Statutory Provisions, Nomos Verlagsgesellschaft, Baden-Baden, 1992 (looseleaf, continually updated).

134

See further, Korff, 2002.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

industry-based codes of practice, and the E.U. Directive itself encourages greater use of such codes (see E.U. Directive, Article 27). Moreover, data privacy regimes in each country are far from static. For example, Swedish legislation originally operated with relatively extensive licensing and notification requirements; now it has dispensed entirely with a licensing scheme and cut back notification requirements to a minimum. There is movement too at a broader European level. For instance, while West European data privacy regimes have traditionally relied heavily on paternalistic control mechanisms,135 they now show greater readiness to rely more on citizen action, supplemented by greater readiness to embrace market mechanisms for the regulation of data processing. This notwithstanding, European jurisdictions (in contrast to, say, the United States) generally still maintain a relatively non-negotiable legislative baseline for the private sector.

Across the Atlantic, Canada comes closest of the North American countries to embracing the European approach. There is now federal legislation in place in Canada to ensure the comprehensive protection of data privacy in relation to both the public and private sectors.136 Some Canadian provinces have already enacted data privacy legislation in relation to provincial and local government agencies and/or the private sector.137 Data privacy agencies exist at both federal and provincial levels. The Commission of the European Communities (hereinafter termed “European Commission”) has formally ruled that, in general, Canada offers “adequate” protection for data privacy pursuant to Article 25 of the E.U. Directive.138

By contrast, the U.S. legal regime for data privacy is much more atomized. While there is fairly comprehensive legislation dealing with federal government agencies,139 omnibus legislative solutions are eschewed with respect to the private sector. Legal protection of data privacy in relation

135

That is, control exercised by government bodies (primarily data privacy agencies) on behalf and supposedly in the best interests of citizens (data subjects).

136

See Privacy Act of 1982; Personal Information Protection and Electronic Documents Act of 2000.

137

See, for example, Quebec’s Act on Protection of Personal Information in the Private Sector of 1993.

138

Decision 2002/2/EC of 20.12.2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (O.J. L 2, Jan. 4, 2002, p. 13 et seq.).

139

Most notably the Privacy Act of 1974 (P.L. 93-579) and the Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503). Note also the limited protection of data privacy afforded under the Constitution as construed by the Supreme Court: see especially Whalen v. Roe, 429 U.S. 589 (1977). See further, for instance, Schwartz and Reidenberg, Data Privacy Law, 1996, Chapter 4.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

to the latter takes the form of ad hoc, narrowly circumscribed, sector-specific legislation, combined with recourse to litigation based on the tort of invasion-of-privacy and/or breach-of-trade-practices legislation.140 European-style data privacy agencies do not exist in the United States. At the same time, however, a “safe harbor” agreement has been concluded between the United States and the European Union allowing for the flow of personal data from the European Union to U.S.-based companies that voluntarily agree to abide by a set of “fair information” principles based loosely on the E.U. Directive. The scheme, which so far has attracted approximately 400 companies,141 has been held by the European Commission to satisfy the E.U. Directive’s adequacy test in Article 25.142

In South America, Argentina has come the farthest in developing a comprehensive legal regime for data privacy. It enacted legislation in 2000143 modeled on the E.U. Directive and equivalent Spanish legislation and formally based on the right of habeas data provided in its Constitution (Article 43).144 The European Commission has formally ruled that Argentina satisfies the adequacy criterion of the E.U. Directive.145 Other South American countries, such as Brazil and Chile, also provide constitutional protections for privacy rights and habeas data, but otherwise their legislation on data privacy is relatively scant. They lack also data privacy agencies.146

In the Asia-Pacific region, there exist a handful of relatively comprehensive legislative regimes on data privacy—most notably those in

140

See generally, the overview in Schwartz and Reidenberg, Data Privacy Law, 1996, especially Chapters 9 through 14.

141

See http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (accessed Nov. 6, 2003).

142

Decision 2000/520/EC of July 26, 2000, pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the U.S. Department of Commerce (O.J. L 215, Aug. 25, 2000, p. 7 et seq.).

143

Law for the Protection of Personal Data of 2000.

144

See further Electronic Privacy Information Center and Privacy International, Privacy and Human Rights, 2003, pp. 132-139 (hereinafter cited as Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, 2003). The right of habeas data is, in general, designed to protect the image, privacy, honor, information self-determination, and freedom of information of a person. Enforcement of the right is provided by granting an individual the right to petition a court to find out what information is being held or to request the correction, updating, or destruction of the personal information being held.

145

Decision C (2003) 1731 of June 30, 2003, pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina (O.J. L 168, July 5, 2003).

146

See further, Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, 2003, pp. 167-171, 195-197.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

Australia, New Zealand, Hong Kong, Korea, and Japan.147 Most of these jurisdictions—but not Japan—have also established data privacy agencies. New Zealand has been the fastest and perhaps most ambitious of these jurisdictions in the data privacy field; it was the first to enact data privacy legislation spanning the public and private sectors.148 Australian, Korean, and Japanese legislation in the field was initially limited largely to regulating the data-processing activities of government agencies,149 but it has recently been extended to cover the private sector as well.150 However, some of these extensions still leave large gaps in private sector coverage.151 Other aspects of the laws in question also diverge from the E.U. model(s).152 Not surprisingly, none of the countries concerned has yet been formally recognized by the European Commission as offering adequate protection pursuant to the E.U. Directive.

Data privacy regimes in other Asia-Pacific jurisdictions tend to be rather patchy in coverage and enforcement levels. Thailand, for instance,

147

Further on Australian law, see, e.g., G.L. Hughes and M. Jackson, Hughes on Data Protection in Australia, 2001; on New Zealand law, see E. Longworth and T. McBride, The Privacy Act: A Guide, GP Publications, Wellington, 1994 (hereinafter cited as Longworth and McBride, The Privacy Act, 1994); and P. Roth, Privacy Law and Practice, Butterworths/LexisNexis, Wellington, 1994 (looseleaf, regularly updated) (hereinafter cited as Roth, Privacy Law and Practice, 1994); on Hong Kong law, see M. Berthold and R. Wacks, Hong Kong Data Privacy Law: Territorial Regulation in a Borderless World, 2nd Edition, Sweet and Maxwell, Asia, 2003; on Korean law, see C.B. Yi and K.J. Ok, “Korea’s Personal Information Protection Laws,” Privacy Law and Policy Reporter 9:172-179, 2003; and H.-B. Chung, “Anti-Spam Regulations in Korea,” Privacy Law and Policy Reporter 10:15-19, 2003; on Japanese law, see D. Case and Y. Ogiwara, “Japan’s New Personal Information Protection Law,” Privacy Law and Policy Reporter 10:77-79, 2003.

148

See Privacy Act of 1993. Further on the act, see Longworth and McBride, The Privacy Act, 1994; and Roth, Privacy Law and Practice, 1994.

149

For Australia, see Privacy Act of 1988; for Japan, see Act for Protection of Computer-Processed Personal Data Held by Administrative Organs of 1988; for Korea, see Act on Protection of Personal Information Maintained by Public Agencies of 1994.

150

For Australia, see Privacy Amendment (Private Sector) Act of 2000; for Japan, see Privacy Law of 2003; for Korea, see Act on Promotion of Information and Communications Network Utilization and Information Protection … of 1999. Note, too, that several of the Australian states have enacted data privacy laws covering their respective government agencies and, to a lesser extent, the health sector. See, for example, Victoria’s Information Privacy Act of 2000 and Health Records Act of 2001.

151

For example, with a few exceptions, the Australian legislation does not apply to “small business operators,” that is, businesses with an annual turnover of AUD$3 million or less (see federal Privacy Act, Sections 6C1, 6D, 6DA, and 6E). Another major gap is that the legislation does not cover the processing of data by employers about their present and past employees (as long as the processing is directly related to the employment relationship) (Section 7B(3)).

152

The Japanese laws, for example, do not formally operate with a distinction between sensitive and nonsensitive data, and they make relatively extensive use of “opt-out” consent mechanisms.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

has inserted data privacy rules covering the government sector in legislation dealing primarily with freedom of government information.153 Singapore has so far decided to establish a data privacy regime based on voluntary, self-regulatory schemes that are linked with its national trust mark program.154 The primary catalyst for the schemes seems to be commercial concerns.155 The People’s Republic of China lacks any credible data privacy regime. Some legal rules have been adopted that potentially provide indirect protection for data privacy,156 but their operational potential is rendered nugatory by a political culture that traditionally shows scant respect for personal privacy.157 Moreover, there is little, if any, sign that China is ready to adopt more effective data privacy rules in order to meet E.U. adequacy standards. By contrast, India is reported to be considering the enactment of a data privacy law modeled on the E.U. Directive largely owing to a fear that its burgeoning outsourcing industry will flounder without such legislation in place.158

Legal regimes for data privacy are least developed in the African countries, taken as a whole. As noted above, the African Charter on Human and People’s Rights of 1981 omits mentioning a right to privacy in its catalog of basic human rights. Moreover, none of the African countries has enacted comprehensive data privacy laws.

Nevertheless, some countries display increasing interest in legislating on data privacy. This interest is partly due to the obligations imposed by ICCPR Article 17. It is also probably due partly to a desire to meet the adequacy requirements of E.U. Directive Articles 25 and 26. In some cases, stimulus is also provided by recent firsthand experience of mass oppression. The Republic of South Africa has come farthest along the path to establishing a comprehensive legal regime on data privacy. Express provision for a right to privacy is made in Section 14 of the South African Bill of Rights set out in Chapter 2 of its Constitution of 1996. Also included (in Section 32) is a broad right of access to information held in both the public and private sectors. Freedom-of-information legislation

153

See Official Information Act of 1997, described in C. Opassiriwit, “Thailand: A Case Study in the Interrelationship Between Freedom of Information and Privacy,” Privacy Law and Policy Reporter 9:91-95, 2002.

154

See Model Data Protection Code for the Private Sector of 2002; Industry Content Code of 2002.

155

For criticism of the schemes, see G. Greenleaf, “Singapore Takes the Softest Privacy Options,” Privacy Law and Policy Reporter 8:169-173, 2002.

156

See further, Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, 2003, pp. 197-200.

157

Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, 2003, pp. 200-210.

158

See A. Pedersen, “India Plans EU-Style Data Law,” Privacy Laws and Business, May/June, No. 68, pp. 1, 3, 2003.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

based on the latter right was enacted in 2002,159 and work is proceeding on a bill for separate data privacy legislation.160 Kenya is also drafting a new constitution containing rights similar to those in the South African Constitution.161

B.4.3
Relative Impact of Regulatory Regimes

A comparative evaluation of the impact of the various regulatory regimes canvassed above is both complex and beset by numerous potential pitfalls. The complexity of the task arises partly from the multiple facets of impact measurement: impact needs to be evaluated in terms of economy (i.e., the cost of setting up the regime), efficiency (i.e., the cost of the regime measured against its practical results), effectiveness (i.e., the extent to which the practical results of the regime fulfill its ultimate aims), and equity (i.e., the extent to which the regime extends protection equitably across social groups).162

Further complicating matters is that each country’s data privacy regime consists of more than formal legal rules. While the latter, together with formal oversight mechanisms, are important constituents of a data privacy regime, they are supplemented by a complex array of other instruments and institutions—information systems, industry codes, standards, and so on—that concurrently influence the practical impact of the legal rules. The functioning of a data privacy regime (including, of course, the extent to which “law in books” equates with “law in practice”) will also be shaped by a myriad of relatively informal customs and attitudes that prevail in the country concerned—for example, the extent to which the country’s administrative and corporate cultures are imbued with a respect for authority or respect for “fair information” principles.163 It goes without saying that many of these factors can be easily overlooked or misconstrued. Their existence means, for instance, that it cannot be assumed that a data privacy agency with strong formal powers will necessarily have

159

See I. Currie and J. Klaaren, The Promotion of Access to Information Act Commentary, Siber Ink, South Africa, 2002, pp. 11, 18 (hereinafter cited as Currie and Klaaren, The Promotion of Access to Information Act, 2002). A unique feature of the legislation is that it provides, as a point of departure, for freedom-of-information rights not just in relation to information held by government agencies but also information held in the private sector.

160

See Currie and Klaaren, The Promotion of Access to Information Act, 2002. See also Electronic Privacy Information Center and Privacy International, Privacy and Human Rights 2003, 2003, p. 450.

161

See Sections 14 (right of privacy) and 47 (rights of information access and rectification) of the Draft Bill for the Constitution of the Republic of Kenya (version of Sept. 27, 2002).

162

This classification of criteria is based on Bennett and Raab, The Governance of Privacy, 2003, p. 193 et seq.

163

See generally, Flaherty, Protecting Privacy in Surveillance Societies, 1989.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

greater success in fulfilling its objectives than that achieved by an agency with weaker formal powers.164

Yet another complicating element is that the regulatory approach of many data privacy agencies can obscure their positive achievements. Agencies frequently prefer to resolve conflict in a relatively quiet way, through “backroom” negotiation rather than by publicly striking out with the threatened use of punitive sanctions.165 Further, agencies are often equally concerned, if not more so, about curbing an unrealized potential for privacy-invasive activity as about providing a remedy after such activity occurs. Measuring the impact of anticipatory forms of control can be more difficult than for reactive, ex post facto control forms.166

These problems notwithstanding, a large degree of consensus exists among experts in the field regarding the relative strengths of certain data privacy regimes. Part of this consensus is a view that the U.S. data privacy regime is weaker in fundamental respects than the equivalent regimes in many other countries, particularly those in Europe, which have had some influence in restricting certain data-processing practices and raising awareness of the importance of privacy safeguards.167 For example, one conclusion of a comparative study of the data privacy regimes of Germany, the United Kingdom, Sweden, Canada, and the United States is that “the United States carries out data protection differently than other countries, and on the whole does it less well.”168 The major reasons for this finding are the lack of a U.S. federal data privacy agency, together with the paucity of comprehensive data privacy legislation covering the U.S. private sector. While the finding stems from the late 1980s, it is still pertinent and is supported by more recent analyses.169 A basic premise of all these analyses is that the gaps in the U.S. regime are not adequately

164

Again, see Flaherty, Protecting Privacy in Surveillance Societies, 1989. Note particularly Flaherty’s finding that the German Federal Data Protection Commissioner (Bundesdatenschutzbeauftragter)—which has only advisory powers—had, at least up until the late 1980s, a more profound impact on the federal public sector in (West) Germany than Sweden’s Data Inspection Board (Datainspektionen)—which can issue legally binding orders—had on the Swedish public sector (Flaherty, Protecting Privacy in Surveillance Societies, 1989, p. 26).

165

Flaherty, Protecting Privacy in Surveillance Societies, 1989.

166

For further discussion on the difficulties of comparative assessment of data privacy regimes, see Bennett and Raab, The Governance of Privacy, 2003, Chapter 9; C.D. Raab and C.J. Bennett, “Taking the Measure of Privacy: Can Data Protection Be Evaluated?,” International Review of Administrative Sciences 62:535-56, 1996.

167

See, for example, Bygrave, Data Protection Law, 2002, Chapter 18 and examples cited therein; see also Flaherty, Protecting Privacy in Surveillance Societies, 1989, particularly Part 1.

168

Flaherty, Protecting Privacy in Surveillance Societies, 1989, p. 305.

169

The most extensive being Schwartz and Reidenberg, Data Privacy Law, 1996—see especially their conclusions at pp. 379-396.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

filled by other measures, such as industry self-regulation and recourse to the courts.170

By contrast, the German data privacy regime is often viewed as one of the most successful.171 It has a comprehensive, well-established legislative platform with a firm constitutional footing. One such feature is a legal requirement that organizations appoint internal privacy officers.172 Another such feature is the regime’s extensive encouragement of “systemic data protection” (Systemdatenschutz): that is, integration of data privacy concerns in the design and development of information systems architecture.173

German privacy legislation is backed up by comparatively effective oversight and enforcement mechanisms. The effectiveness of these mechanisms appears to be the result of a combination of factors, most notably the seriousness with which Germans generally take data privacy issues; the relatively conformist, legalistic nature of German administrative and corporate cultures; and the strong, persuasive personalities of the individuals who have been appointed data privacy commissioners, together with the considerable talents of their staff.174

All this said, the data privacy regime in Germany does have weak points. One weakness is the Federal Data Protection Commissioner’s lack of authority to issue legally binding orders—a feature that is arguably at odds with the thrust of Directive 95/46/EC. Another, more significant, weakness is the sheer mass of rules on data privacy; the regulatory framework is so dense as to be confusing, nontransparent, and unwieldy.175 These weaknesses mean that, despite its relative success, the German regime still falls short of meeting its policy objectives.

Data privacy regimes in most other, if not all, jurisdictions display a

170

See, for example, D.A. Anderson, “The Failure of American Privacy Law,” pp. 139-167 in B.S. Markesinis, ed., Protecting Privacy, Oxford University Press, Oxford, 1999.

171

See, e.g., Flaherty, Protecting Privacy in Surveillance Societies, 1989, especially pp. 21-22.

172

See Federal Data Protection Act, Sections 4f-4g.

173

See particularly, Federal Data Protection Act, Sections 3a, 9; Federal Teleservices Data Protection Act of 1997 (Gesetz über den Datenschutz bei Telediensten vom 22. juli 1997) (as amended in 2001). For further discussion, see Bygrave, Data Protection Law, 2002, particularly pp. 346, 371.

174

See generally, Flaherty, Protecting Privacy in Surveillance Societies, 1989, Part 1.

175

See generally, A. Rossnagel, A. Pfitzmann, and H. Garstka, Modernisierung des Datenschutzrechts [Modernization of Data Protection Law], report for the German Federal Ministry of the Interior (Bundesministerium des Innern), September 2001, available at http://www.bmi.bund.de/downloadde/11659/Download.pdf (accessed Aug. 20, 2003). See also, e.g., S. Simitis,“Das Volkzählungsurteil oder der lange Weg zur Informationsaskese—(BVerfGE 65, 1)” [The Census Judgment or the Long Road to Information Asceticism], Kritische Vierteljahresschrift für Gesetzgebung und Rechtswissenschaft 83:359-375, 2000 (highlighting gaps between legal principle and practice in the data privacy field).

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

similar shortfall. European regimes in general are a case in point. There is sporadic evidence that many of these do not outperform the U.S. regime in all respects even if they are, on paper at least, far more comprehensive and stringent than their U.S. counterpart.176 More significantly, the European Commission has recently found that while the E.U. Directive (95/46/EC) has created a “high level” of data privacy in Europe, implementation of the directive is afflicted by major problems. Not only has national transposition of the directive often been slow,177 there appear to be—even after transposition—low levels of enforcement, compliance, and awareness with respect to the national regimes. Data privacy agencies in Europe are found, in general, to be underresourced, leading in turn to the underresourcing of enforcement efforts. Concomitantly, the commission finds that compliance by data controllers is “very patchy,” while data subjects apparently have “low” awareness of their data-protection rights. Moreover, there remain differences between the various national laws that run counter to the harmonizing objective of the E.U. Directive.178 Particularly problematic from an international perspective is that E.U. member states’ respective implementation of Articles 25 and 26 in the E.U. Directive is found to be very broadly divergent; indeed, in many cases, it is inconsistent with the directive. Further, the commission finds that a substantial amount of transborder data flow is not being subjected to regulation at all.

Finally, account should be taken of several strands of criticism of data privacy regimes generally. One line of criticism concerns the regimes’ underdevelopment of a systemic focus—as manifested, for instance, in the paucity of direct legislative encouragement for privacy-enhancing technologies.179 Another line of criticism relates to marginalization of the

176

For example, a survey in 2000 of privacy policies posted on U.S.- and E.U.-based Internet sites that sell goods or services to consumers found the policies on the E.U. sites to be no better than the policies on U.S. sites; indeed, some of the latter sites displayed the best policies. See K. Scribbins, Privacy@net: An International Comparative Study of Consumer Privacy on the Internet, Consumers International, 2001, available at http://www.consumersinternational.org/document_store/Doc30.pdf (accessed Oct. 20, 2003). See, too, results of a more recent survey published in April 2003 by World IT Lawyers. This survey canvassed 420 commercial Web sites across seven countries (France, Germany, the Netherlands, Portugal, Switzerland, Spain, and the United Kingdom) and found that approximately half of these sites did not display a privacy policy; see ZDNet UK, “UK Web Sites Fare Badly on Consumer Rights,” April 30, 2003, available at http://news.zdnet.co.uk/business/0,39020645,2134138,00.htm (accessed Oct. 29, 2003).

177

Several E.U. member states have been tardy in transposing the E.U. Directive into national law, the principal ones being France, Ireland, Luxembourg, and Germany. Further on implementation status, see http://europa.eu.int/comm/internal_market/privacy/law/implementation_en.htm (accessed Oct. 25, 2003).

178

See also Charlesworth, “Information Privacy Law in the European Union,” 2003.

179

See especially Bygrave, Data Protection Law, 2002, Part IV.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×

judiciary; in many countries, the courts have played little, if any, direct role in developing and enforcing data privacy norms. This situation not only results in a scarcity of authoritative guidance on the proper interpretation of the relevant legislation, but it contributes to the marginalization of data privacy as a field of law.180

Still another line of criticism is that data privacy regimes so far have tended to operate with largely procedural rules that do not seriously challenge established patterns of information use but seek merely to make such use more efficient, fair, and palatable for the general public. In this view, legislators’ motives for enacting data privacy laws are increasingly concerned with engendering public acceptance for new information systems, particularly in the area of electronic commerce. Concomitantly, it is argued that the regimes are incapable of substantially curbing the growth of mass surveillance and control.181

180

See especially Bygrave, “Where Have All the Judges Gone?,” 2001.

181

See especially J. Rule, D. McAdam, L. Stearns, and D. Uglow, The Politics of Privacy: Planning for Personal Data Systems as Powerful Technologies, Elsevier, New York, 1980; see also Flaherty, Protecting Privacy in Surveillance Societies, 1989.

Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 366
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 367
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 368
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 369
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 370
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 371
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 372
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 373
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 374
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 375
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 376
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 377
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 378
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 379
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 380
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 381
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 382
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 383
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 384
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 385
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 386
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 387
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 388
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 389
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 390
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 391
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 392
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 393
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 394
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 395
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 396
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 397
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 398
Suggested Citation:"Appendix B International Perspectives on Privacy." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.
×
Page 399
Next: Appendix C Biographies »
Engaging Privacy and Information Technology in a Digital Age Get This Book
×
Buy Hardback | $59.95 Buy Ebook | $47.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Privacy is a growing concern in the United States and around the world. The spread of the Internet and the seemingly boundaryless options for collecting, saving, sharing, and comparing information trigger consumer worries. Online practices of business and government agencies may present new ways to compromise privacy, and e-commerce and technologies that make a wide range of personal information available to anyone with a Web browser only begin to hint at the possibilities for inappropriate or unwarranted intrusion into our personal lives. Engaging Privacy and Information Technology in a Digital Age presents a comprehensive and multidisciplinary examination of privacy in the information age. It explores such important concepts as how the threats to privacy evolving, how can privacy be protected and how society can balance the interests of individuals, businesses and government in ways that promote privacy reasonably and effectively? This book seeks to raise awareness of the web of connectedness among the actions one takes and the privacy policies that are enacted, and provides a variety of tools and concepts with which debates over privacy can be more fruitfully engaged. Engaging Privacy and Information Technology in a Digital Age focuses on three major components affecting notions, perceptions, and expectations of privacy: technological change, societal shifts, and circumstantial discontinuities. This book will be of special interest to anyone interested in understanding why privacy issues are often so intractable.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!