
CHAPTER 2. Aims and Scope of Data Protection Laws


2.1. Introduction

This part of the thesis surveys the content of legal (and some non-legal) instruments on data protection on both international and domestic planes. The presentation here is aimed at fleshing out the short description of data protection laws' distinguishing features given in Chapter 1 (section 1.1). At the same time, it should be stressed that my intention in this Part is not to provide an exhaustive analysis of data protection laws; rather, it is to sketch these laws' central, primarily formal characteristics so as to create a platform for closer analysis of their rationale, logic and limits in the remainder of the thesis.

Part I leaves largely unexamined the now considerable number of data protection instruments that are of sectoral application only.[129] This is because their basic principles are broadly similar to, and largely derived from, the principles set down in the generally applicable instruments. Also left unexamined are the rules governing national data protection laws' territorial reach and concomitant choice-of-law problems. I skip over these rules as issues of jurisdiction and choice of law are marginal to the focus of the thesis.[130]

This chapter surveys the aims and ambits of data protection laws, using three international instruments on data protection as primary points of reference (see section 2.2). It looks first at data protection laws' respective aims (section 2.3), then at their respective ambits (section 2.4).

2.2. Primary Points of Reference

The emergence of data protection laws is recent. The first pieces of legislation in the field were not enacted until the early 1970s. At present, however, a large range of legal and quasi-legal instruments on data protection are to be found. There are now well over twenty countries which have enacted data protection statutes at national or federal level, and the number of such countries is steadily growing. Various legal instruments on data protection have also been introduced at the inter- and supranational plane and at provincial and municipal levels.

To describe, even briefly, each of these instruments one after the other would make for an exceedingly long exegesis. It would also be tedious since, as shown further on, these instruments are broadly similar on a large number of points. Hence, three international data protection instruments are used as primary points of reference in this chapter and the other chapters in Part I. These instruments are:

1. the CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (hereinafter termed "CoE Convention"),[131] adopted by the CoE Committee of Ministers on 28.1.1981;

2. the EC Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (hereinafter termed "EC Directive"),[132] adopted by the European Parliament and the Council on 24.10.1995; and

3. the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (hereinafter termed "OECD Guidelines"),[133] adopted by the OECD Council on 23.9.1980.

These instruments are focused upon for two main reasons. First, the instruments contain relatively clear distillations of the basic principles of data protection which are present (though not always obvious) in domestic data protection laws. Secondly, they serve as influential models for national and international initiatives on data protection.

Of these instruments, the EC Directive is the most comprehensive and complex. It is also likely to constitute the most important point of departure for new data protection initiatives, both in and outside the EU. Member states of the EU were given until 24.10.1998 to bring their respective legal systems into conformity with the provisions of the Directive (see Art 32(1) of the latter).[134] Although the Directive's scope is delimited in several respects,[135] its general thrust is to establish a set of rules capable of broad application and impact. The Directive and later EC legislation on data protection also apply to the processing of personal data by the Community's own institutions as of 1.1.1999.[136] If - as is likely - the Directive is incorporated into the 1992 Agreement on the European Economic Area (EEA), then states that are not members of the EU but party to the EEA Agreement (ie, Norway, Iceland and Liechtenstein) will also become legally bound to bring their respective laws into conformity with the Directive.[137] In addition, the Directive is likely to exercise some political and legal influence over other countries outside the EU, not least because Art 25(1) of the Directive prohibits the transfer of personal data to these countries if they do not provide "adequate" levels of data protection.[138] Accordingly, in the following, the Directive is treated in considerably more detail than the other international instruments.

Despite the Directive's adoption, the CoE Convention and OECD Guidelines are still important to study at the present time because they have influenced, and/or embody, the basic principles of most countries' current data protection laws, along with the EC Directive itself.[139] The Convention is hitherto the sole international treaty dealing specifically with data protection. It entered into force on 1.10.1985. As of 23.4.1999, it had been ratified by 20 CoE member states, the latest being Hungary, which ratified on 8.10.1997.[140] The Convention is potentially open for ratification by states that are not members of the CoE (Art 23); concomitantly, it is also envisaged to be potentially more than an agreement between European states.[141] As yet, though, it has not been ratified by any non-member state.

Interestingly, several proposals have been made that the EC itself ratify the Convention.[142] The legal viability of these proposals is doubtful as accession pursuant to Art 23 of the Convention seems only open for states proper.[143] The competence of the EC to accede to such a treaty is also in doubt, particularly after the European Court of Justice (ECJ) recently held that the EC does not have the competence to accede to the European Convention on Human Rights on the basis of Art 308 (formerly 235) of the EC Treaty.[144] However, the impact of this ruling on consideration of the legal viability of the Community acceding to the CoE Convention is lessened by the fact that the institutional framework set up by that Convention, along with its institutional implications for the Community, are extremely modest in comparison with the framework established by the ECHR. In any case, with the data protection Directive in place and preparedness on the part of EC institutions to apply its principles to their own data-processing activities,[145] there is now reduced need for Community accession to the CoE Convention.

As for the OECD Guidelines, despite the fact that they are not legally binding on OECD member states,[146] they have been highly influential on the enactment and content of data protection legislation in non-European jurisdictions, particularly Japan, Australia, New Zealand and Hong Kong. For example, the Preamble to Australia's federal Privacy Act lists the Guidelines and the accompanying OECD Council Recommendation as part of the reasons for the passing of the Act. Similarly, the Preamble to New Zealand's Privacy Act of 1993 states that the Act is to "promote and protect individual privacy in general accordance with the Recommendation [of the OECD Council] ...". In North America, the Guidelines have been formally endorsed by numerous companies and trade associations.[147] They have additionally constituted the basis for the first comprehensive set of data protection standards to be developed by a national standards association: the Model Code for the Protection of Personal Information, adopted by the Canadian Standards Association (CSA) in March 1996.[148]

Some account is also taken in this and the following chapters of a fourth international data protection instrument: the United Nations' (UN) Guidelines Concerning Computerized Personal Data Files (hereinafter termed "UN Guidelines"),[149] adopted by the UN General Assembly on 14.12.1990. The Guidelines have their roots in, ia, a 1968 resolution of the General Assembly inviting the UN Secretary-General to examine the impact of technological developments on human rights, including consideration of individuals' right to privacy "in the light of advances in recording and other techniques".[150] The resulting study by the Secretary-General led to, ia, the publication of a report in 1976 urging states to adopt data protection legislation covering computerized personal data systems in the public and private sectors, and listing minimum standards for such legislation.[151]

The basic intention of the Guidelines is to encourage those UN member states that do not have data protection legislation in place to take steps to enact such legislation, based on the Guidelines' principles. The Guidelines are also aimed at encouraging governmental and non-governmental international organisations to process personal data in a responsible, fair and privacy-friendly manner. The Guidelines are not legally binding. Furthermore, they seem to have had little practical effect relative to the other three international instruments on data protection canvassed in this chapter. Indeed, it is my impression that the Guidelines tend to be overlooked in much data protection discourse, at least in Scandinavia.[152] This is unfortunate as their adoption demonstrates that concern for data protection can no longer be assumed to be confined to the Western democracies of the so-called First World. Moreover, as shown further on, the UN Guidelines do not merely repeat what is set out in other international instruments on data protection but supplement some of these instruments in several respects.

When considering both the descriptive and prescriptive character of the above instruments with respect to domestic data protection laws, two related points need to be kept in mind. First, all of the above instruments give the states to which they are addressed a significant amount of leeway in terms of how their rules are to be implemented in national legislation. This is obviously the case with the two sets of Guidelines since neither are legally binding. But also the two other instruments allow for flexibility. As Simitis points out, the CoE wanted its data protection Convention to be a catalyst and guide for states' legislative initiatives rather than to short-circuit these initiatives by providing a completed package of directly applicable, material rules.[153] Thus, the CoE Convention is not intended to be self-executing. Article 4(1) of the Convention simply obliges contracting states to incorporate the Convention's principles into their domestic legislation; "individual rights cannot be derived from it".[154] It should also be noted that the Convention does not establish a body to enforce its implementation. Moreover, it allows for derogations on significant points (see, eg, Arts 3, 6 and 9, described further below). This seriously hampers its ability to harmonise the data protection regimes of the contracting states.[155]

Similarly, in accordance with the principle of subsidiarity, EU member states have been allowed a margin for manoeuvre in implementing the Directive. This follows partly from the status of the Directive qua directive (as opposed to regulation).[156] Directives are legally binding only in terms of result; how the result is to be reached is up to the member states to determine. In practice, though, the amount of such discretion is dependent on each directive's objective and level of detail.[157] Regarding the data protection Directive, its aim of bringing about harmonisation of national data protection regimes[158] should narrow the amount of discretion accorded member states in terms of how it is to be implemented. Nevertheless, key provisions in the Directive expressly provide states a considerable margin for manoeuvre.[159] As a result of this margin, recital 9 recognises that "disparities could arise in the implementation of the Directive".[160] This is despite the assumption that the Directive's implementation will bring about an "approximation" of national laws resulting in "equivalent" levels of data protection across the member states.[161]

The second point is that many of the provisions in the international data protection instruments are diffuse, with little authoritative guidance on how they are to be interpreted. The contents of the EC Directive have yet to be analysed by the ECJ, while the other instruments lack judicial bodies for their interpretation and enforcement. It is also worth noting that case law of the European Commission of Human Rights (ECommHR) and European Court of Human Rights (ECtHR) has scarcely touched specifically upon the provisions of the CoE Convention, though breaches of the Convention's core principles could in some cases constitute interference with the "right to respect for private life" provided under Art 8 of the ECHR.[162]

Only the OECD Guidelines and CoE Convention have been issued with explanatory memoranda, but both are thin at numerous points. Moreover, the memorandum ("Explanatory Report") for the Convention is prefaced with a disclaimer stating that "[t]he report does not constitute an instrument providing an authoritative interpretation of the text of the Convention, though it might be of such nature as to facilitate the understanding of the provisions contained therein". Thus, caution needs to be exercised when using the Explanatory Report to resolve ambiguities in the Convention's text.

The same applies when attempting to resolve such ambiguities through recourse to the various sectoral recommendations on data protection which have been adopted by the CoE Committee of Ministers in the wake of the Convention. This is not to say, however, that these recommendations are without any relevance for interpreting the Convention. One of their express aims is to provide guidance on how to apply the Convention's provisions in specific contexts. In providing such guidance, they aim also to take account of technological developments. They are drafted by experts in the field, with participation from all CoE member states. While implementation of the recommendations is not legally required, member states tend to attribute considerable authority to their provisions.[163] Accordingly, the recommendations may be considered as having more than marginal weight when resolving ambiguities in the text of the Convention. Nevertheless, they can hardly be said to have an absolute determinative weight; they are just one of several relevant interpretative factors.

Also relevant are, of course, the basic principles of treaty interpretation set down in Arts 31-33 of the 1969 Vienna Convention on the Law of Treaties. The central principle here is that "[a] treaty shall be interpreted in good faith in accordance with the ordinary meaning to be given to the terms of the treaty in their context and in the light of its object and purpose" (Art 31(1)).

While these principles are not formally binding on the ECJ when it interprets EC legal instruments, contextual and purposive methods of interpretation do play a key role in the Court's jurisprudence. In practice, it is not uncommon for the ECJ to place most weight on what it sees as provisions' object and purpose, giving relatively little attention to the literal meaning of the words used[164] or to the drafters' actual intentions as found in the travaux préparatoires.[165] Hence, if called upon to interpret the EC Directive, the Court is likely to devote most energy to ascertaining the Directive's policy thrust and then reading the Directive in the light of this. The Court may have regard to the recitals in this process. As for the Directive's travaux préparatoires, despite the Court's minor use of such documents generally, these can be taken into account insofar as they help to clarify textual ambiguity that the recitals otherwise are unable to resolve conclusively,[166] and insofar as they are publicly accessible. In light of the latter criterion, the Court is unlikely to place weight on the unpublished Council minutes relating to the adoption of the Common Position on the Directive (hereinafter termed "Council minutes"), despite the inclusion in these minutes of declarations by various member states, together with the Commission and Council, on how they respectively understand particular provisions of the Common Position. It should be noted, though, that an edited version of the minutes has been made publicly available in Sweden. This version is in Swedish and in a format whereby declarations of member states other than Sweden are anonymised. A Danish version of the declarations disclosed in Sweden has since been published by Peter Blume.[167] To my knowledge, an English version has not been made publicly available.

2.3. Aims

Data protection laws typically express as one of their primary aims the safeguarding of individual persons' right to privacy. The main object of the CoE Convention, for example, is set out in Art 1 as follows:

to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection").

Article 1(1) of the EC Directive is formulated similarly:

In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data.

On a national plane, the objects clauses and/or titles of the data protection laws (both past and present) of several European countries expressly point to privacy as a fundamental value to be protected by the laws.[168] The privacy protection rationale also figures prominently in the data protection laws of non-European countries. For instance, Australian, Canadian, New Zealand and United States' data protection statutes enacted at the federal/national level all bear the titles "Privacy Act" and set down the safeguarding of privacy as one of their basic objects.[169]

However, many European data protection statutes (both past and present) make no explicit reference to the safeguarding of privacy. Of these, some refer instead to other related concepts, such as protection of "personality",[170] or protection of "personal integrity".[171]

Other statutes, though, do not contain objects clauses formally specifying a particular abstract interest or value which they are intended to serve. This is the case, for instance, with the national data protection statutes of Norway, Denmark, Iceland and the United Kingdom.[172] It is also the case with Sweden's first data protection statute, the Data Act of 11.5.1973.[173] Nevertheless, references to such interests or values emerge in other provisions of some of the Scandinavian countries' data protection laws,[174] and/or in some of the preparatory works to these laws.[175]

It is apparent from the above that the objects clauses of data protection laws frequently point to other values than just privacy. At the same time, these values are often left relatively unspecified. Article 1 of the CoE Convention, for instance, refers merely to "rights and fundamental freedoms". Article 1(1) of the EC Directive is pitched at a similar level of generality. Such a broad formulation of goals not only provides data protection laws with an extremely large register of values upon which their formal rationale may be grounded, it also serves to strengthen their normative links with the corpus of human rights law. Somewhat paradoxically, though, such broad goal formulation might also belie uncertainty as to exactly which values data protection laws are to serve, other than privacy. A closer analysis of such values is undertaken in Part II.

Arguably the broadest and boldest expression of basic objects at national level is found in s 1 of France's Law of 6.1.1978 Regarding Data Processing, Files and Individual Liberties.[176] This provision reads:

Data processing shall be at the service of every citizen. It shall develop in the context of international co-operation. It shall infringe neither human identity, nor the rights of man, nor privacy, nor individual or public liberties.

Another relatively comprehensive objects clause has been s 1 of Finland's Personal Data Registers Act of 30.4.1987.[177] This sets out the Act's purposes as being "... to protect the privacy, interests and rights of the person, to ensure the security of the State and to maintain good data file practice ...". Especially noteworthy here is the reference to protecting not just the interests of individuals but also those of the State. Such references are rare. Indeed, the reference to State interests has been dropped from the objects clause of the new Finnish Personal Data Act[178] which entered into force 1.6.1999 and replaces the 1987 Act.

Express concern for safeguarding interests directly connected with the State is also found in some of the data protection Acts of the German Länder. These Acts aim at, ia, preserving State order based on the principle of separation of powers. For example, s 1(2) of the Hessian Data Protection Act of 11.11.1986[179] sets down as one of its purposes

to safeguard the constitutional structure of the state, in particular the relationship between the constitutional organs of the Land and those of local government, based on the principle of separation of powers, against all risks entailed by automatic data processing.

This declaration is followed up by provisions aimed at maintaining a so-called "Informationsgleichgewicht" ("informational equilibrium")[180] between the legislature and other State organs in Hesse.[181] Similar provisions are found in the data protection statutes of Rhineland-Palatinate, Berlin, Lower Saxony and, to a lesser extent, Thuringia.[182]

A major formal aim of international data protection instruments is to stimulate the creation of adequate national data protection regimes and to prevent divergencies between them. Thus, Art 1 of the CoE Convention ("... to secure in the territory of each Party for every individual, whatever his nationality or residence ...": see above), together with the Convention's Preamble ("Considering that the aim of the Council of Europe is to achieve greater unity between its members...") indicate that the Convention is intended to harmonise contracting states' respective data protection regimes so that processing of personal data is subject to basically the same rules in all countries concerned.[183] This harmonisation is not only to strengthen data protection and thereby the right "to respect for private life" pursuant to Art 8 of the ECHR, but, somewhat paradoxically, to ensure also the free flow of personal data across national borders and thereby safeguard the right in Art 10 of the ECHR "to receive and impart information and ideas without interference by public authority and regardless of frontiers".[184] The latter concern is actualised by the existence in many countries' data protection laws of rules providing for the restriction of data flow to countries without equivalent levels of data protection.[185]

Similar concerns are manifest in both the OECD and UN Guidelines.[186] However, the concern of the OECD Guidelines in maintaining transborder data flows is specifically linked not so much to a human right in freedom of expression but to the factors of "economic and social development".[187] This is in contrast to the CoE Convention and UN Guidelines.[188]

Factors related to economic and social development also figure centrally in the aims of the EC Directive. The Directive's recitals (especially recitals 3, 5 & 7) register a concern to promote realisation of the EU's internal market, in which goods, persons, services, capital and, concomitantly, personal data are able to flow freely between member states. However, the need to ensure free flow of personal data is not rooted exclusively in commercial considerations; the pan-EU ambit of government administration also plays a role.[189]

In furtherance of the concern to promote realisation of the internal market, the main function of the Directive is to secure, pursuant to Art 95 (formerly 100a) of the EC Treaty,[190] harmonisation of member states' respective data protection laws. Thus, it is assumed in recitals 8 and 9 that implementation of the Directive will lead to an "approximation" of national laws, resulting in "equivalent" levels of data protection across the EU.[191] With implicit reference to Art 12(3)(a) of the CoE Convention,[192] recital 9 states that the achievement of such equivalency will make it legally impossible for member states to restrict the free flow of personal data to other member states "on grounds relating to protection of the rights and freedoms of individuals, and in particular the right to privacy".[193]

At the same time, though, the recitals emphasise the importance of protecting basic human rights, notably that of privacy, in the face of technological and economic developments.[194] Indeed, the Directive is amongst the first Directives to expressly accord a prominent place to the protection of human rights. As such, it reflects and reinforces the gradual incorporation of law and doctrine on human rights, particularly as embodied in the ECHR, into the EU legal system.[195] Also noteworthy here is that the Directive strives to bring about a "high" level of data protection across the EU.[196] Accordingly, it would be wrong to see the Directive as attempting merely to constitute the "lowest common denominator" of rules found in member states' pre-existing laws. Concomitantly, particularly in view of recitals 9 and 10, the Directive leaves open the possibility for member states to establish or maintain a higher level of data protection than the Directive seeks to establish, as long as this does not derogate from any of the Directive's mandatory requirements.

2.4. Ambit

2.4.1. Coverage with regard to type of data

Data protection laws' regulatory focus is centred upon "personal" data or information. Article 2(a) of the CoE Convention defines "personal data" as "any information relating to an identified or identifiable individual". Exactly the same definition is given in para 1(b) of the OECD Guidelines.[197] A similar but more comprehensive definition is provided by Art 2(a) of the EC Directive which defines "personal data" as

any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Broadly similar definitions of "personal data" or "personal information" are found in domestic data protection legislation.[198]

One can read into these definitions two cumulative conditions for data or information to be "personal": first, the data must relate to or concern a person; secondly, the data must facilitate the identification of such a person. Regarding the first condition, however, there is usually no requirement that the data relate to a particular (eg, private, intimate) sphere of a person's activity.[199] Hence, in most cases, it may not be appropriate to talk of two separate (though cumulative) conditions for making data "personal". It may be argued that the first condition can be embraced by the second, in the sense that information will normally relate to, or concern, a person if it facilitates that person's identification. In other words, the basic criterion appearing in these definitions would seem to be that of identifiability; ie, the potential of information to enable identification of a person. Such a focus makes the definitions capable in theory of embracing a great deal of data, including geographical and environmental data, which prima facie have little direct relationship to a particular person.[200]

At the same time as this capability has obvious benefits from a data protection perspective, it threatens the semantic viability of the notion of "personal data/information" and incurs a practical-regulatory risk that data protection laws will overreach themselves. Thus, in some jurisdictions, attempts have been made to delimit this capability. For example, Ulrich Dammann claims that, as a general rule in German data protection law, data over, say, material goods are "personal" only insofar as the data identify the goods and are able to relate them to the "life context" of a particular person.[201] A broadly similar, though perhaps more restrictive, line has been taken by Australia's federal Privacy Commissioner.[202] As Dammann makes clear, such delimitations are not fixed along abstract logical or semantic lines; rather, they are reached pragmatically.[203] Alternatively, the UK Data Protection Act 1984 has only applied to the processing of personal data when the processing occurs "by reference to the data subject" (s 1(7)).[204] The UK Data Protection Tribunal has read the latter phrase as excluding from the purview of the Act processing operations in which the data subject is not intended to be in focus.[205] There is, however, no corresponding phrase into which this delimitation can be read on the face of the new UK Act of 1998 - at least with regard to automated processing;[206] the same can be said with respect to the EC Directive along with the other data protection laws I have perused.

Usually, data must be capable of being linked to a particular individual person if they are to be regarded as "personal" pursuant to data protection laws. Thus, data which are linked to an aggregate of persons and which do not allow for these persons' individuation will normally fall outside the ambit of such laws. There are, however, some exceptions. The data protection laws of a handful of countries expressly extend to data on collective entities, such as private corporations, partnerships and, in some cases, groups that otherwise do not have legal identities separate from those of their members.[207] But, again, data on such entities are only covered insofar as they permit the entities' individuation. At the same time, there is some uncertainty and variation from jurisdiction to jurisdiction in terms of how stringent the requirement of individuation is applied. This issue is elaborated upon in Part III (Chapter 10, section 10.4) as it is of particular importance in working out the extent to which information relating primarily to a collective entity (eg, private corporation) may also be treated as relating to an individual person and thus fall within the ambit of those data protection laws that expressly safeguard data on individuals only. The issue is also taken up in Part IV (Chapter 18, section 18.2) in connection with analysis of the extent to which data protection laws may regulate data linked primarily to machine addresses.

Five further issues are of relevance in determining what is "personal information" pursuant to data protection laws. First of all, what exactly is meant by the concept of identification? Secondly, how easily or practicably must a person be identified from information in order for the latter to be regarded as "personal"? Thirdly, who is the legally relevant agent of identification (ie, the person who is to carry out identification)? Fourthly, to what extent must the link between a set of data and a person be objectively valid? Fifthly, to what extent is the use of auxiliary information permitted in the identification process? Is information "personal" if it allows a person to be identified only in combination with other (auxiliary) information? These issues are elaborated upon in Chapter 10 (section 10.4) and Chapter 18 (section 18.2) for the same reasons as are given with respect to the individuation issue above.

2.4.2. Coverage with regard to type of data processing

Data protection laws typically regulate all or most stages of the data-processing cycle, including registration, storage, retrieval and dissemination of personal data. Thus, Art 2(b) of the EC Directive broadly defines "processing" as

any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

The concept of "processing" used in the CoE Convention is a little narrower: it does not cover collection of data, nor data processing carried out by entirely manual (non-automated) means.[208] However, Art 3 allows contracting states to apply the rules laid down in the Convention to data processed manually. Moreover, some of the Convention's provisions, notably Art 5(a),[209] pertain directly to the collection of data.

Some national data protection laws focus mainly on the registration, as opposed to collection, of personal data. This is the case, for instance, with Norway's Act.[210] It should be noted, though, that the Norwegian Data Inspectorate is expressly empowered to issue rules on the collection ("innsamling") of data that are to be included in a register licensed by the Inspectorate (see s 11(2)(1)). The focus of Norway's Act on the registration of data is part and parcel of a more general focus on the creation and use of personal data registers; ie, files, records and the like in which "personal information is systematically stored so that information concerning an individual person may be retrieved" (s 1(2)). This focus on registers is shared by some other data protection instruments, including the CoE Convention and UN Guidelines.[211] Also the first draft of the EC Directive was centred primarily on creation and use of "personal data files".[212]

This regulatory focus on registers and files is typical for data protection instruments drafted in the 1970s and early 1980s. It reflects a belief from those times that systematically structured collections of personal data pose the principal risks for data subjects' interests in privacy, integrity and the like.[213] It further reflects the character of computerised data processing which predominated in that period - personal computers and distributed computer networks were then in their infancy. To some extent, such a focus is also symptomatic of a concern to delimit the ambit of data protection laws so as to prevent regulatory overreaching and collision with other laws.[214]

The regulatory focus of the EC Directive as finally adopted is on the "processing" of personal data regardless (almost) of the way in which the data are organised. This is also the case with the OECD Guidelines, along with recently enacted national data protection laws.[215] Indeed, it is probable that future laws will largely dispense with the register/file concept, partly in order to avoid their marginalisation in a world of distributed computer networks,[216] and partly in order to conform with the EC Directive. The move is not only sensible in view of technological developments; it also makes for increased flexibility of the laws' application. It enhances, for example, their ability to embrace forms of data processing, such as video surveillance, which can fit uncomfortably within the register/file concept. Further, it allows for easier avoidance of complex and arbitrary line-drawing exercises in evaluating what constitutes a register and where the boundaries between one register and other registers should be fixed.

Nevertheless, the register/file concept has not been totally ditched by the Directive; it lives on with respect to manually processed data. Pursuant to the Directive, purely manual data processing is to be regulated insofar as the data form or are intended to form part of a "filing system" (Art 3(1)). By "filing system" is meant "any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis" (Art 2(c)). As this definition suggests, retainment of the register/file concept here is, in essence, a consequence of a concern (noted in section 2.4.1) to limit the application of data protection laws to data that can be linked to a particular person without great difficulty,[217] as it is in relation to this sort of data that the risk to data protection interests primarily lies.[218] But retainment is also symptomatic of a concern to prevent data protection laws from overreaching themselves in a practical, regulatory sense.[219]

Otherwise, the provisions of the Directive are largely technology-neutral. This is in contrast to the CoE Convention and UN Guidelines which cover automated data-processing practices to the almost total exclusion of manual (non-automated) processing.[220] The data protection legislation of a large number of countries, such as Austria, Ireland, Japan, Luxembourg, Sweden and the UK, also covers, or initially covered, automated data-processing practices only. This focus on automation is symptomatic of a belief that it is the increasing usage of computers, particularly for decision-making purposes, which represents the main threat to data protection interests.[221]

However, due to the requirements of the EC Directive, data protection laws will increasingly extend to both manual and computerised processing of personal data. This broadening of focus is partly grounded on a desire to prevent the circumvention of laws that govern automated processing only.[222] It is also partly grounded on the realisation that manually processed data can have significant implications for the privacy, autonomy and integrity interests of data subjects - indeed, often the most sensitive personal data (eg, on persons' mental and physical health) are to be found in manual record systems. And it is partly technology-induced insofar as data in modern information systems tend to be processed using a mixture of automated, semi-automated and manual techniques, the line between which can often be difficult to draw.[223] This does not mean that manual and automated techniques will be uniformly regulated in all respects. The EC Directive allows for some discrimination here. For instance, Art 18 of the Directive does not require national data protection authorities to be notified of purely manual data-processing operations.[224]

2.4.3. Coverage with regard to public and private sectors

All of the international data protection instruments are intended to apply to the processing of personal data in both the public and private sectors. Not surprisingly, a majority of national data protection laws have a similar ambit. In some of these laws, however, there is differentiated regulation for each sector,[225] with the processing practices of public sector bodies typically being subjected to more stringent regulation than those of private sector bodies.[226] Such differentiation is expected to diminish considerably in the future national legislation of EU member states, given its absence from the EC Directive.

A handful of countries - Australia, Canada, USA, Japan and the Republic of Korea (South Korea) - have national/federal data protection laws which, with minor exceptions,[227] regulate the data-processing activities of national/federal government agencies only. Constitutional limitations on the legislative powers of the federal governments partly account for the restricted ambit of these laws, but other factors are often more significant. In the USA, for example, there is a general distrust of State dirigism, accompanied by scepticism towards legislative regulation of the private sector except where there are proven to exist flagrant imbalances of power between private parties which cannot be corrected otherwise than by legislative intervention.[228] In the field of privacy/data protection, this scepticism has resulted in the eschewal of "omnibus" legislative solutions in favour of ad hoc enactment of sectoral laws dealing with, in the words of Joel Reidenberg, "narrowly identified" problems.[229] The coverage these laws offer with respect to processing of personal data by private sector bodies remains haphazard and incomplete.[230]

Much the same can be said of the coverage currently offered by equivalent legislative regimes for data protection with respect to the Australian and Canadian private sectors.[231] In Quebec, though, a comprehensive, "European-style" data protection regime has been established pursuant to the enactment in 1993 of the Act on Protection of Personal Information in the Private Sector. There is also a proposal in Canada for the introduction in the near future of federal data protection legislation giving comprehensive coverage of the private sector.[232]

In Australia, the policy direction of the federal government with respect to introducing similar legislation has been peripatetic. In March 1997, the government reversed its earlier support for the enactment of such legislation, on the grounds that extensive regulation of the private sector would result in overly burdensome compliance costs for Australian business.[233] The government then decided to extend coverage of the federal Privacy Act to private companies that are contracted to process personal data under outsourcing agreements with federal government agencies.[234] In December 1998, the government again warmed to the enactment of comprehensive legislation, declaring that it would establish a "light touch" legislative regime based on industry codes of practice.[235] Victoria also appears intent on introducing data protection legislation covering both the state government and private sectors.[236] Setting an important precedent in this regard is the recent enactment by the Australian Capital Territory of its Health Records (Privacy and Access) Act 1997 which regulates both public and private sector processing of personal health information.

With the adoption of the EC Directive and the resultant threat that EU countries will prevent, pursuant to Art 25 of the Directive, transfers of personal data to countries without "adequate" levels of data protection,[237] there is now greater legal (and economic) pressure on countries like the USA, Canada, Japan and Australia to enact comprehensive data protection laws to regulate the private sector. At the same time, one should not overlook the possibility of one or more of the latter countries' governments (particularly that of the USA) thumbing their noses at the EU in defiance of the "adequacy" criterion laid down in the Directive.[238] The extent to which this might occur is likely to depend on how stringently and consistently the "adequacy" criterion is applied, together with the extent to which implementation of Art 25 (and Art 26) is found to conflict with the 1994 General Agreement on Trade in Services.[239] Other factors might also prove significant, not least the extent to which business enterprises in, say, the USA tire of having to cope with the patchy, sometimes uncertain and inconsistent legal regimes for data protection in that country.

Finally, it should be emphasised that data protection laws covering the private and/or public sectors rarely regulate all processing of personal data. For example, exemptions from the laws in their entirety or from their central provisions are often made with respect to data-processing operations of national security services,[240] data-processing operations of the mass media for journalistic purposes,[241] and/or data processing for purely personal or domestic purposes.[242]

[129] See, eg, Directive 97/66/EC of the European Parliament and of the Council of 15.12.1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector (OJ No L 024, 30.01.1998, 1; also available at URL <http://europa.eu.int/eur-lex/en/lif/dat/1997/en_397L0066.html> (last visited 30.5.1999)) - hereinafter termed "EC Directive on telecommunications privacy"; the code of practice issued by the International Labour Organisation (ILO) on protection of workers' personal data - ILO, Protection of Workers' Personal Data (Geneva: ILO, 1997); and the various sectoral recommendations of the Council of Europe (CoE) some of which are listed in part B of the Bibliography.

[130] For more detailed analysis of these issues, see, ia, R Ellger, Der Datenschutz im grenzüberschreitenden Datenverkehr: eine rechtsvergleichende und kollisionsrechtliche Untersuchung (Baden-Baden: Nomos Verlagsgesellschaft, 1990), chapt IV; A C M Nugter, Transborder Flow of Personal Data within the EC (Deventer & Boston: Kluwer Law and Taxation Publishers, 1990), chapt VII; and M Bergmann, Grenzüberschreitender Datenschutz (Baden-Baden: Nomos Verlagsgesellschaft, 1985), chapt 7.

[131] ETS No 108 (also available at URL <http://www.coe.fr/eng/legaltxt/108e.htm> (last visited 31.5.1999)).

[132] Directive 95/46/EC (OJ No L 281, 23.11.1995, 31; also available at URL <http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html> (last visited 31.5.1999)).

[133] Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (Paris: OECD, 1980; also available via URL <http://www.oecd.org/dsti/sti/it/secur/index.htm> (last visited 31.5.1999)).

[134] Some types of data processing, however, do not have to be regulated in conformity with the Directive until after this date. Data processing already underway at the time when a member state adopts new legislation to comply with the Directive, need not be subject to this legislation until 24.10.2001 (Art 32(2)). With respect to personal data already held in manual filing systems at the time the new legislation is adopted, the processing of such data need not be brought into conformity with Arts 6-8 in the Directive until 24.10.2007, though this is not to prevent data subjects from exercising their rights set down in other provisions of the Directive, with respect to such data (Art 32(2)). The processing of data kept solely for the purpose of historical research need never be brought into conformity with Arts 6-8 of the Directive, as long as "suitable safeguards" are in place (Art 32(3)).

[135] Most importantly, the Directive does not apply to data processing carried out as part of activities falling beyond the ambit of EC law - eg, "processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law" (Art 3(2)). This delimitation is reinforced in Art 13(1) which permits member states to restrict the scope of some of the central rights and obligations laid down by the Directive insofar as the restriction is necessary to safeguard, ia, "national security", "defence", "public security" or "the prevention, investigation, detection and prosecution of criminal offences ...": see further Chapter 18 (section 18.4.6). Moreover, none of the Directive applies to data processing by a natural person "in the course of a purely personal or household activity" (Art 3(2)): see further section 2.4.3 below.

[136] See Art 286(1) of the 1957 Treaty establishing the European Community (hereinafter termed "EC Treaty"). By 1.1.1999, the Council is supposed to have set up an independent agency to monitor application of this legislation to EC institutions: see Art 286(2) of the EC Treaty. Note that references to EC Treaty provisions here and in subsequent parts of the thesis are in line with the changes introduced by the 1997 Treaty of Amsterdam amending the Treaty on European Union, the Treaties establishing the European Communities and certain related Acts.

[137] Note, though, that despite not being incorporated into the EEA Agreement, the Directive has constituted a major point of departure for recent work on changing Norway's data protection legislation: see Et bedre personvern - forslag til lov om behandling av personopplysninger, NOU 1997:19, espec 18-20; Ot prp 92 (1998-99), Om lov om behandling av personopplysninger (personopplysningsloven), espec 15. Moreover, the proposals for new Norwegian legislation have been drafted with an aim of satisfying the Directive's requirements: see generally NOU 1997:19, Part II; Ot prp 92 (1998-99), Chapt 2.

[138] See further Chapter 4 (section 4.5).

[139] Regarding the latter, see, eg, recital 11 of the Directive which states that the data protection principles in the Directive "give substance to and amplify" the principles of the Convention.

[140] See URL <http://www.coe.fr/tablconv/108t.htm> (last visited 30.5.1999). Norway ratified the Convention on 20.2.1984. Somewhat surprisingly, the Convention has never been approved by the Norwegian Parliament (Stortinget) pursuant to Art 26 of the Norwegian Constitution (Grunnlov) of 1814. Article 26 states, ia, that treaties concerning matters "of special importance", or treaties requiring, pursuant to the Constitution, a Parliamentary resolution or the enactment of a new law, will only become binding on Norway upon approval by the Parliament. The Norwegian Ministry of Justice has been of the opinion that the Convention does not belong to either of these treaty categories: see the Ministry's letter of 26.5.1983 (ref 1625/83E KC/uwg) to the Norwegian Ministry for Foreign Affairs. However, some of the Convention's core principles (particularly that of purpose specification - explained in Chapter 3 (section 3.4)) are reflected only weakly in the provisions of Norway's PDRA. These principles tend, nevertheless, to figure prominently in the practice of the Norwegian Data Inspectorate pursuant to the PDRA, and are otherwise relatively visible in the main regulations to the Act. See further Chapter 18 (section 18.4.7); see also infra n 255.

[141] Hence, the Convention is not entitled "European Convention": see Explanatory Report on the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (hereinafter "Explanatory Report") (Strasbourg: CoE, 1981), para 24.

[142] See, eg, European Parliament Resolution of 9.3.1982 on the protection of the rights of the individual in the face of technical developments in data processing, OJ No C 87, 5.4.1982, 41, para 16; and Recommendation for a Council Decision on the opening of negotiations with a view to the accession of the European Communities to the Council of Europe Convention for the protection of individuals with regard to the automatic processing of personal data (COM(90) 314 final - SYN 288, 13.9.1990, 110-112).

[143] See, eg, F Henke, Die Datenschutzkonvention des Europarates (Frankfurt am Main/Bern/New York: Peter Lang, 1986), 66 and references cited therein.

[144] Opinion 2/94 of 28.3.1996, reported in, ia, [1996] ECR I-1759. According to the Court, "[a]ccession to the Convention [ECHR] would ... entail a substantial change in the present Community system for the protection of human rights in that it would entail the entry of the Community into a distinct international institutional system as well as integration of all the provisions of the Convention into the Community legal order. Such a modification ... with equally fundamental institutional implications for the Community and for the Member States would be of constitutional significance and would therefore be such as to go beyond the scope of Article 235 [now 308]": ibid, paras 34 & 35.

[145] See supra n 136 and accompanying text.

[146] The Recommendation of 23.9.1980 issued by the OECD Council in tandem with the Guidelines' adoption states simply that member states are to take account of the Guidelines when developing domestic legislation on privacy and data protection.

[147] See, eg, R M Gellman, "Fragmented, Incomplete, and Discontinuous: The Failure of Federal Privacy Regulatory Proposals and Institutions" (1993) VI Software LJ, 199, 230. Gellman notes, though, evidence suggesting that few of these corporations have actually put into practice policies implementing the Guidelines: ibid, 232-233.

[148] CSA, Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 (Rexdale, Ontario: CSA, 1996; also available via URL <http://www.csa.ca/product_services/index_info.html> (last visited 30.5.1999)).

[149] Doc E/CN.4/1990/72, 20.2.1990; also available at URL <http://europa.eu.int/comm/dg15/en/media/dataprot/inter/un.htm> (last visited 30.5.1999).

[150] UN General Assembly Resolution 2450 of 19.12.1968 (Doc E/CN.4/1025).

[151] See Points for Possible Inclusion in Draft International Standards for the Protection of the Rights of the Individual against Threats Arising from the Use of Computerized Personal Data Systems (Doc E/CN.4/1233); cf Doc E/CN.4/1116 dealing with surveillance technology more generally. For further information on the background to the Guidelines, see J Michael, Privacy and Human Rights. An International and Comparative Study, with Special Reference to Developments in Information Technology (Paris/Aldershot: UNESCO/Dartmouth Publishing Company, 1994), 21-26; Ellger, supra n 130, 564-573; Simitis, supra n 102, para 148.

[152] A case in point is Peter Blume's standard Danish work on data protection: see P Blume, Personregistrering (Denmark: Akademisk forlag, 1996, 3rd ed). The book makes no mention of the UN Guidelines despite containing a relatively large chapter (chapter 4) on international data protection instruments. Another case in point is the recent tome produced by Sweden's Data Act Committee (Datalagskommittén): see Integritet - Offentlighet - Informationsteknik, SOU 1997:39. Again, no reference is made to the UN Guidelines in this report despite analysis of other international data protection instruments in its chapters 3 and 4.

[153] S Simitis, "Datenschutz und Europäische Gemeinschaft" (1990) 6 RDV, 3, 9-10. More generally, see Henke, supra n 143, 57-60.

[154] Paragraph 38 of the Convention's Explanatory Report; see also para 60 ("In keeping with the non self-executing character of the convention ..."). Cf Rainer Schweizer's argument that substantial elements of the Convention (particularly in Arts 5 & 8) can and should be treated as self-executing, given the fact that they are formulated sufficiently clearly to function as directly applicable rights and duties, and given the objects clause in Art 1: see R Schweizer, "Europäisches Datenschutzrecht - Was zu tun bleibt" (1989) DuD, 542, 543. The argument has much to commend it de lege ferenda but in the light of Art 4(1) and what is contained in the Convention's Explanatory Report, its validity de lege lata is doubtful.

[155] On this point, see generally Nugter, supra n 130, chapt VIII. Nugter's case study shows that, as of 1990, the Convention had failed to establish more than a minimal, formal equivalence between the national data protection laws in the UK, Federal Republic of Germany, Netherlands and France.

[156] On the status of directives and regulations, see generally T C Hartley, The Foundations of European Community Law (Oxford: Clarendon Press, 1998, 4th ed), 196ff.

[157] Ibid, 204-205 and references cited therein.

[158] See espec recital 8. See further section 2.3.

[159] See particularly Art 5 which provides that "Member States shall, within the limits of the provisions of [Chapt II] determine more precisely the circumstances in which the processing of personal data is lawful". See also recital 9. Examples of points in Chapt II of the Directive where member states are given an obvious margin for manoeuvre are Arts 7(f), 8(4), 10, 11, 13 and 14(a). The provisions are described in Chapters 3 and 18. Simitis appropriately characterises the Directive's regulatory approach in terms of "diversity built on a common floor of standards": S Simitis, "The EU Directive on Data Protection and the Globalization of the Processing of Personal Data", summary of paper presented at conference, "Visions for Privacy in the 21st Century: A Search for Solutions", held in Victoria, British Columbia, Canada, 9-11 May 1996.

[160] It might be more accurate to describe such disparities as not merely a possibility but a probability. See, eg, Simitis, supra n 11, 449 ("Experience has shown that the primary interest of the Member States is not to achieve new, union-wide principles, but rather to preserve their own, familiar rules. A harmonization of the regulatory regimes is, therefore, perfectly tolerable to a Member State as long as it amounts to a reproduction of the State's specific national approach").

[161] Recital 9; see further section 2.3.

[162] Some of the language used in the CoE Convention (see espec Art 1 of the CoE Convention, set out in section 2.3), as well as some of the case law developed by the ECtHR and ECommHR (see L A Bygrave, "Data Protection Pursuant to the Right to Privacy in Human Rights Treaties" (1998) 6 Int J of Law and Information Technology, 247, 254ff; reproduced in Appendix 2) give solid grounds for treating the main principles of the CoE Convention as a detailed enumeration of the protection provided by Art 8 of the ECHR. At the same time, in light of the case law on Art 8, one cannot be certain that all breaches of the CoE Convention's core principles would necessarily be regarded by the Strasbourg organs as breaches of the ECHR. This point is especially relevant with respect to the data-processing practices of private, as opposed to state, bodies: see Bygrave, ibid, 257-259.

[163] The authority of the Recommendations is reflected, ia, in the fact that when they are adopted, individual member states frequently issue reservations on points of contention. Note that the recommendations are also highly influential on the policies and practices of national data protection authorities.

[164] This proportioning of emphasis is due partly to the multilingual nature of EC legal instruments. Thus, the Directive has been issued in the various working languages of the EU, with each version being equally authentic. This means that one cannot look to one single version of the Directive in the event of interpretative difficulties. In the following, I use the English version of the Directive as a point of departure for analysis, but take into account also French, German, Danish and Swedish versions as the need arises.

[165] See generally Hartley, supra n 156, 77ff and references cited therein. See also F Arnesen, Introduksjon til rettskildelæren i EF (Oslo: Universitetsforlaget, 1995, 3rd ed), 14, 25ff.

[166] Arnesen, supra n 165, 14, 44-46.

[167] See Blume, supra n 152, 430ff.

[168] See, eg, Art 2 of Belgium's Act of 8.12.1992 Concerning the Protection of Personal Privacy in Relation to the Processing of Personal Data (Wet van 8 December 1992 tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens / Loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel); and Art 2 of Portugal's Act no 67/98 of 26.10.1998 on the Protection of Personal Data (Lei no 67/98 de 26 de Outubro 1998, da Protecção de Dados Pessoais).

[169] See the preambles to the Australian and New Zealand Acts, s 2 of the Canadian Privacy Act of 1982, and s 2(b) of the US Privacy Act.

[170] See Art 1 of Switzerland's Federal Law of 19.6.1992 on the Protection of Data (Loi fédérale du 19 juin 1992 sur la protection des données / Bundesgesetz vom 19 Juni 1992 über den Datenschutz). Cf Art 1(1) of Germany's Federal Data Protection Act (stipulating the purpose of the Act as safeguarding individuals from interference with their "personality rights").

[171] See s 1 of Sweden's Personal Data Act of 1998.

[172] For Norway, see the PDRA. For Denmark, see the Private Registers Act of 8.6.1978 (Lov nr 293 af 8 juni 1978 om private registre mv) and the Public Authorities' Registers Act of 8.6.1978 (Lov nr 294 af 8 juni 1978 om offentlige myndigheders registre). For Iceland, see the Protection of Personal Records Act, No 121 of 28.12.1989 (Lög nr 121 28 desember 1989 um skráningu og medferd persónuupplýsinga). For the UK, see both the Data Protection Act of 1984 and the Data Protection Act of 1998. Note, however, that the Bill for a new Norwegian data protection law (Lov om behandling av personopplysninger) which is intended to replace the PDRA, contains an objects clause: see Ot prp 92 (1998-99), 138; see also Et bedre personvern - forslag til lov om behandling av personopplysninger, NOU 1997:19, 164. See further Chapter 6 (section 6.2.3). By contrast, Denmark's proposed new data protection law (Lov om behandling af personoplysninger) omits such a clause: see the Bill introduced into Parliament by the Justice Minister on 8.10.1998 (Lovforslag nr L 44: Forslag til lov om behandling af personoplysninger). Note that the status of the latter Bill is currently uncertain after having failed to gain majority support in the Parliament in June 1999.

[173] Datalagen (SFS 1973:289).

[174] See, eg, s 2(3) of Denmark's Private Registers Act (allowing the Danish data protection authority to set down conditions for the use of certain registers "in order to protect the privacy of registered parties"), and s 3 of Sweden's Data Act of 1973 (stipulating that personal files shall only be established if these do not unduly encroach upon the "personal integrity" of registered persons).

[175] In relation to Norway's PDRA, see, eg, Innst O 47 (1977-78), 1 ("gjennom en personvernlov ønsker man å beskytte enkeltindividet mot skadevirkninger av ... [elektronisk databehandling] og verne om den personlige integritet"). Regarding the Danish legislation, see, eg, Delbetænkning om offentlige registre, Bet nr 767 (Copenhagen: Statens trykningskontor, 1976), 13 ("datalovgivnings formål er at beskytte den enkelte borgers integritet mod edb-brug").

[176] Loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés.

[177] Henkilörekisterilaki / Personregisterlag (FFS 471/87), now largely repealed.

[178] Henkilötietolaki / Personuppgiftslag (FFS 523/99); Swedish version available via URL <http://www.om.fi/1077.htm> (last visited 4.6.1999). The primary reason for the change is to emphasise that the central aim of the new legislation is protection of personal integrity: see Part I of the Detaljmotivering (detailed explanatory memorandum) for Regeringens proposition (Government Bill) 96/1998, available via URL <http://www.eduskunta.fi/> (visited 2.10.1998).

[179] Hessisches Datenschutzgesetz vom 11 November 1986.

[180] See, eg, Simitis, supra n 102, para 17.

[181] See ss 24(2), 38 & 39.

[182] For Rhineland-Palatinate, see Landesdatenschutzgesetz vom 5 Juli 1994, ss 1(2), 24(6) & 34. For Berlin, see Gesetz zum Schutz personenbezogener Daten in der Berliner Verwaltung vom 17 Dezember 1990, ss 1(1)(2), 20 & 24(3). For Lower Saxony, see Datenschutzgesetz vom 17 Juni 1993, ss 1(2), 7(3) & 22(2). For Thuringia, see Datenschutzgesetz vom 29 Oktober 1991, s 40(5). Similar provisions were also included in Bremen's first data protection legislation (Gesetz zum Schutz vor Mißbrauch personenbezogener Daten bei der Datenverarbeitung vom 19 Dezember 1977), but have since been taken out: see now Bremisches Datenschutzgesetz, version of 27.5.1995.

[183] See too the Convention's Explanatory Report, para 21.

[184] See the Convention's Preamble. See further Art 12 of the Convention, described in Chapter 4 (section 4.5).

[185] See further Chapter 4 (section 4.5).

[186] See paras 17-18 of the OECD Guidelines and Principle 9 of the UN Guidelines each of which seek to minimise restrictions on transborder data flows along broadly similar lines to the CoE Convention. See further Chapter 4 (section 4.5).

[187] See the preamble to the OECD Council Recommendation of 23.9.1980 concerning the Guidelines.

[188] Work on the UN Guidelines appears to have been inspired mainly by a concern to protect and strengthen human rights in the face of technological advances; purely economic concerns seem to have played a relatively minor role. See generally the materials cited supra n 151.

[189] See recital 5 (noting, ia, that "national authorities in the various Member States are being called upon by virtue of Community law to collaborate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State within the context of the area without internal frontiers as constituted by the Internal Market").

[190] See the first clause of the Directive's preamble.

[191] The Danish version of the two recitals uses the term "ensartet" for "equivalent". Cf the French, German and Swedish versions which use the terms "équivalent", "gleichwertig" and "likvärdig" respectively. In my opinion, the Danish term is somewhat misleading: "ensartet" ("uniform") connotes a higher degree of similarity than equivalency.

[192] In essence, this provision allows state parties to the Convention to restrict, for the purposes of privacy protection, flows of personal data to other state parties when the latter do not provide "equivalent" protection for the data concerned. See further Chapters 4 (section 4.5) and 11 (section 11.3.3).

[193] See further the prohibition on such restrictions in Art 1(2), set out in Chapter 4 (section 4.5).

[194] See, eg, recitals 2, 3, 10 & 11.

[195] For overviews of this process of incorporation, see, eg, H K Nielsen, "The Protection of Fundamental Rights in the Law of the EU" (1994) 63 NJoIL, 213-243; T Ojanen, "An Outline of Human Rights in Community Law", in F Sejersted (ed), Nordisk forvaltningsrett i møte med EF-retten (Oslo: Universitetsforlaget, 1996), 61-73; and P Craig & G de Búrca, EU Law: Text, Cases, and Materials (Oxford: Oxford University Press, 1998, 2nd ed), chapt 7.

[196] See recital 10 ("Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Fundamental Rights and Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community"). Note also recital 11 (stating that the Directive's data protection principles not only "give substance to" but also "amplify" the principles of the CoE Convention) and recital 9 (providing that member states "shall strive to improve the protection currently provided by their legislation"). Also of some relevance here is the Directive's basic regulatory premise, which is that the processing of personal data is prohibited unless it satisfies specified conditions: see Arts 7-8 set out in Chapter 18 (section 18.4.3).

[197] Cf the UN Guidelines which surprisingly omit to define their key terms, such as "personal data" and "personal data file". It is safe to assume, though, that these terms are to be defined in much the same way as in the other main international data protection instruments.

[198] See, eg, s 6(1) of Australia's federal Privacy Act and s 3(1) of the German Federal Data Protection Act.

[199] An exception is s 1(1) of the Danish Private Registers Act which provides that the Act applies to manual (non-computerised) registration of personal data only insofar as registration is "systematic" and the data are of a "private or financial" nature or relate to "any personal matter that may reasonably be demanded to be withheld from the general public". Accordingly, the Act does not apply, for instance, to manual registers containing only persons' names, addresses and the like: see Blume, supra n 152, 32 and references cited therein. These qualifications on personal data can be contrasted with, say, the qualifications in s 3(1) of Germany's Federal Data Protection Act ("personal data" defined as "any information" about a person's "personal or material circumstances"). The latter qualifications are intended to make clear that all data which say something about a person are covered by the Act: see U Dammann, "§ 3", in Simitis et al, supra n 102, paras 7-8.

[200] For examples, see J Bing, "From footprints to electronic trails: Some current issues of data protection policy", in Proceedings of the 17th International Conference on Data Protection, Copenhagen 1995 (Copenhagen: Registertilsynet/Data Protection Agency, 1995), 3. On the ability of German data protection law to cover certain data concerned directly with the natural environment, see, eg, J Taeger, "Umweltschutz und Datenschutz" (1991) CR, 681, 685-686; B Raum, "Umweltschutz und Schutz personenbezogener Daten" (1993) CR, 162, 164-165.

[201] Dammann, supra n 199, para 57 ("In der Regel wird man nur solche Angaben über eine Sache als Personenbezogenes Datum des Eigentümers, Besitzers usw. ansehen können, die die Sache identifizieren und sie in dem nach dem jeweiligen Lebenszusammenhang zur Beschreibung der Sachbeziehung notwendigen Umfang charakterisieren"). Cf the apparently less restrictive line of Taeger, supra n 200, 686 ("Jede Information, die in irgendeiner Weise einen Personenbezug hat, fällt zunächst in den Anwendungsbereich des Datenschutzrechts").

[202] According to David Thorp (Senior Advisor to the Privacy Commissioner, and Director of the Commissioner's Privacy Complaints and Enquiries Unit), in a personal interview of 16.12.1997. As an example, Thorp mentioned a case from 1992/93 (archive reference not found) in which basic information about an old house (its structure, number of rooms, type of garden, name, suburban location - but not its street address or the identity of its current owner) which was registered in a Heritage Listing, was held by the Commissioner not to constitute personal information pursuant to the Privacy Act even though the information could be linked to a particular person (ie, the house owner).

[203] Dammann, supra n 199, para 57 ("Die Abrenzung kann nicht abstrakt nach logischen und semantischen Kriterien erfolgen, sondern muss pragmatisch orientiert sein").

[204] The term "data subject" being defined as "an individual who is the subject of personal data" (s 1(4)).

[205] Equifax Europe Ltd v The Data Protection Registrar (1991) Case DA/90 25/49/7, para 49. According to the Tribunal, "using the Land Registry's computer to change the boundaries of a plot of land, or perhaps to extract a copy of a restrictive covenant, would in no way concern the individual identity or attributes of a data subject, and need not attract the control over processing": id. The Tribunal contrasts such a processing operation with a situation in which "the object of the exercise is to learn something about the individual [data subject], not about the land": ibid, para 50.

[206] It might be possible to read in some such limitation with respect to non-automated (manual) processing of data: see the definition of "relevant filing system" in s 1(1) of the 1998 Act ("any set of information relating to individuals to the extent that ... the set is structured, either by reference to individuals or by reference to criteria relating to individuals ..."). The definition of "personal data filing system" in Art 2(c) of the EC Directive is more open-ended ("any structured set of personal data which are accessible according to specific criteria ..."), though this open-endedness is undercut by recital 27 in the Directive's preamble which states that "the content of a filing system must be structured according to specific criteria relating to individuals ...".

[207] See further Part III (espec Chapter 10).

[208] See Art 2(c) along with para 31 of the Convention's Explanatory Report.

[209] Set out in Chapter 3 (section 3.2).

[210] See also comments by the Norwegian Ministry of Justice in Ot prp 2 (1977-78), Om lov om personregistre mm, 69 & 96. On confusion over what should be regarded as collection of information and what should be regarded as a register/file pursuant to the PDRA, see, eg, the decision handed down on 14.1.1993 by the Hedmark District Court concerning the alleged creation of a so-called "traitors register" ("landssvikregister"). Extracts of the decision are set out in (1993) 36 Lov & Data, 2.

[211] See, eg, Arts 7-8 of the Convention and Principles 3, 4 and 7 of the UN Guidelines, set out in Chapter 3.

[212] See Proposal for a Council Directive concerning the protection of individuals in relation to the processing of personal data (COM(90) 314 final - SYN 287, 13.9.1990, 21ff).

[213] See, eg, Ot prp 2 (1977-78), 69 ("Som hovedregel antar [Justis-]departementet at det bare er når personopplysninger er tatt inn i registre at det er behov for særlige lovregler for å sikre personvernet").

[214] See, eg, ibid, 22 ("Noen generell regulering spesielt for personopplysninger ville antakelig være vanskelig å koordinere med de reglene som gjelder for forvaltningens saksbehandling generelt").

[215] See, eg, Hungary's Act No LXIII of 27.10.1992 on the Protection of Personal Data and on the Publicity of Data of Public Interest (1992 evi LXIII torveny a szemelyes adatok vedelmerol es a kozerdeku adatok nyilvanossagarol); and Italy's Law no 675 of 31.12.1996 on Protection of Individuals and Other Subjects with Regard to Processing of Personal Data (Legge 31 dicembre 1996, n. 675 - Tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali).

[216] In the words of an expert committee on data protection appointed by the CoE: "It may be ... that the notion of a file, as used in the [CoE] Convention, suggests centralised storage and processing and is not in keeping with the new reality of distributed processing and networks which allow data to be dispersed and yet linked up at will through the possibility of computer-to-computer, or terminal-to-terminal, dialogue": New Technologies: A Challenge for Privacy Protection? (Strasbourg: CoE, 1989), 32. Note, nevertheless, para 30 of the CoE Convention's Explanatory Report which makes clear that the notion of "file" in the Convention "covers not only data files consisting of compact sets of data, but also sets of data which are geographically distributed and are brought together via computer links for purposes of processing".

[217] As noted above in section 2.4.1, recital 27 qualifies the notion of accessibility in Art 2(c) with the adjective "easy"; ie in order to fall within the scope of the Directive, the filing system "must be structured according to specific criteria relating to individuals allowing easy access to the personal data". See also recital 15.

[218] On the latter point, see, ia, the Explanatory Memorandum to the Amended Proposal for a Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (COM(92) 422 final - SYN 287, 15.10.1992), 10.

[219] Id.

[220] Cf the OECD Guidelines which apply to both manual and automated processing of personal data. Both the CoE Convention and UN Guidelines, however, provide for the optional extension of their principles to cover non-automated data files: see Art 3(2)(c) of the Convention and para 10 of the UN Guidelines.

[221] See, eg, para 1 of the CoE Convention's Explanatory Report.

[222] See, eg, recital 27 of the EC Directive.

[223] A point duly noted in, ia, para 35 of the OECD Guidelines' Explanatory Memorandum.

[224] See further Chapter 4 (section 4.3). Note, though, that Art 18(5) gives EU member states the option of stipulating such a requirement.

[225] Cf Denmark which has gone so far as to regulate each sector with separate Acts; ie, the Public Authorities' Registers Act and the Private Registers Act. However, the Bill for a new Danish law on data protection largely dispenses with such differentiated regulation: see the Bill introduced into Parliament by the Justice Minister on 8.10.1998 (Lovforslag nr L 44: Forslag til lov om behandling af personoplysninger). As commented supra n 172, the status of this Bill is currently unclear as it failed to gain majority support in the Parliament in June 1999. It is extremely doubtful, though, that the Bill will be changed in order to preserve the present degree of regulatory differentiation between the public and private sectors.

[226] See, eg, s 15 of the French data protection law of 1978 which subjects automatic processing of personal data by public sector bodies to prior authorisation by the country's data protection authority, unless the processing is already authorised by law. In contrast, private bodies may undertake automated processing of personal data simply upon notifying the authority of the basic details of their processing plans (s 16). Cf s 17 which provides for a simplified notification procedure for both public and private bodies in the case of "the most common types" of data processing "which manifestly do not infringe upon privacy or liberties".

[227] Eg, Australia's federal Privacy Act regulates the processing of personal data by credit-reporting agencies (Part IIIA), along with private sector organisations' use of Tax File Numbers (ie, unique personal identifiers developed primarily for the purpose of administering income taxation).

[228] See further J H Yurow, "National Perspectives on Data Protection" (1983) 6 TDR, no 6, 337-339; and Schwartz & Reidenberg, supra n 62, 6ff.

[229] J R Reidenberg, "Privacy in the Information Economy: A Fortress or Frontier for Individual Rights?" (1992) 44 Federal Communications LJ, 195, 201.

[230] For detailed analysis of these laws, see Schwartz & Reidenberg, supra n 62, chapts 9-14.

[231] On the state of relevant Australian law, see generally G Hughes, Data Protection in Australia (Sydney: Law Book Co. Ltd., 1991), espec chapts 2, 6 & 7. For an overview of the Canadian situation, see I Lawson, Privacy and Free Enterprise: The Legal Protection of Personal Information in the Private Sector (Ottawa: Public Interest Advocacy Centre, 1992); C J Bennett, "Rules of the road and level playing-fields: the politics of data protection in Canada's private sector" (1996) 62 Int Rev of Administrative Sciences, 479, 480-482.

[232] A Bill (the Personal Information Protection and Electronic Documents Bill) providing for such coverage was introduced into the federal Parliament on 1.10.1998.

[233] See generally G Greenleaf, "Commonwealth abandons privacy - for now" (1997) 4 PLPR, 1-5; M Jackson, "Data Protection Regulation in Australia after 1988" (1997) 5 Int J of Law and Information Technology, 158, 190-191. The government's attitude is difficult to square with evidence from New Zealand (see B Slane, "Banking privacy, compliance costs and the private sector" (1997) 4 PLPR, 7-10) indicating that compliance costs would probably be marginal in the event of comprehensive private sector regulation. Note too results of a 1997 survey carried out by Price Waterhouse of 130 of Australia's largest companies which found 75 percent of the survey respondents claiming that the introduction of data protection legislation in the Australian private sector would not involve major or costly changes to their present business practices: see "Price Waterhouse Privacy Survey 1997" (1997) 4 PLPR, 22, 26-27.

[234] See further N Waters, "Privacy and outsourcing - the Privacy Amendment Bill 1998" (1998) 4 PLPR, 181ff.

[235] Press release 223/98 of 16.12.1998 entitled "Government to strengthen privacy protection".

[236] See the Data Protection Bill issued by the Victorian state government in November 1998 (available via URL <http://www.mmv.vic.gov.au> (last visited 30.5.1999)). Note that New South Wales (NSW) and South Australia have long had in place "Privacy Committees" with mandates extending beyond typical data protection concerns to cover all violations of personal privacy in both the private and public sectors. These Committees function essentially in the manner of ombudsmen; they can investigate complaints etc, but have no legal power to enforce their recommendations. For an overview, see Hughes, supra n 231, 150-157. Queensland had a similar Committee which ceased operation in the early 1990s pursuant to a sunset clause in the Privacy Committee Act 1984 (Qld). On 1.12.1998, NSW enacted new data protection legislation - the Privacy and Personal Information Act 1998 - covering the bulk of the state's public sector though not the private sector.

[237] See further Chapter 4 (section 4.5).

[238] Witness the ongoing dispute between the USA and EU on how to comply with the "adequacy" criterion. For a brief summary of the struggle, see, eg, "US and EU lock horns over privacy protection" International Herald Tribune, 28.5.1999, 1, 6.

[239] For (US) discussion of this possible conflict, see P P Swire & R E Litan, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (Washington, DC: Brookings Institution Press, 1998), 188ff.

[240] See, eg, Art 3(3) of the Belgian data protection law of 1992. With respect to the Norwegian PDRA, see the regulations of 21.12.1979 (Forskrift om personregistre mm og om delegasjon av myndighet 21 desember 1979 nr 7), point IV. The EC Directive will not necessarily have any impact on the scope of these sorts of exemptions as it does not apply to data processing carried out as part of activities relating to "public security, defence, State security (including the economic well-being of the State where such processing relates to State security matters) and the activities of the State in areas of criminal law" (Art 3(2)).

[241] See, eg, s 2(1)(b) of the Netherlands' Act of 28.12.1988 providing rules for the protection of privacy in connection with personal data files (Wet van 28 december 1988, houdende regels ter bescherming van de persoonlijke levenssfeer in verband met persoonregistraties) and ss 2(4)-(7) of Denmark's Private Registers Act. Article 9 of the EC Directive requires EU member states to lay down exemptions from the central provisions of the Directive with respect to data processing "carried out solely for journalistic purposes or the purpose of artistic or literary expression", insofar as is "necessary to reconcile the right to privacy with the rules governing freedom of expression". Thus, according to recital 17, the Directive's principles "are to apply in a restricted manner" to "the processing of sound and image data carried out for purposes of journalism or ... purposes of literary or artistic expression ... in particular in the audiovisual field". For brief consideration of the impact of Art 9 on profiling practices, see Chapter 18 (section 18.4.6).

[242] See, eg, Art 3(2) of the EC Directive which exempts coverage of data processing "by a natural person in the course of a purely personal or household activity". Cf declaration 9 of the Council minutes in which the Commission and Council infer that the phrase, "purely personal or household activity", should not be taken to embrace an individual's communication of personal data to an indeterminate circle of persons: see Blume, supra n 152, 432.

