
CHAPTER 3. Core Principles of Data Protection Laws

3.1. Introduction

This chapter provides an overview of the basic principles that data protection laws apply to the processing of personal data. These principles are summed up in terms of "fair and lawful processing" (see section 3.2), "minimality" (section 3.3), "purpose specification" (section 3.4), "information quality" (section 3.5), "data subject participation and control" (section 3.6), "disclosure limitation" (section 3.7), "information security" (section 3.8) and "sensitivity" (section 3.9).

The purpose of the chapter is to present the constituent elements of these principles, along with the main similarities and differences in their formal manifestation in the various data protection instruments. The chapter does not attempt to analyse in detail the scope and content of the principles nor the range of legal exemptions to their implementation. Such analysis is undertaken in Chapter 18 insofar as is relevant for the regulation of profiling practices.

The following principles are primarily abstractions that denote the pith and basic thrust of a set of legal rules. At the same time, it should be kept in mind that they also have a normative force of their own. This force is achieved in several ways. First, the principles (or a selection of them) have been expressly incorporated in certain data protection laws as fully-fledged legal rules in their own right (though not always using exactly the same formulations as given in this chapter). Examples of such incorporation are found throughout the following sections. Secondly, the principles function as guiding standards (in Sundby and Eckhoff's sense)[243] during interest-balancing processes carried out by, eg, data protection authorities in the exercise of their discretionary powers. Examples of such a function are found in, ia, Chapter 18 (section 18.4.7). Finally, and closely related to the latter function, the principles help to shape the drafting of new data protection laws. This is most obviously exemplified in the impact that the OECD Guidelines (which, as shown below, contain most of the principles) have had on the drafting of, ia, Australian and New Zealand data protection legislation.[244]

3.2. Fair and Lawful Processing

The primary principle of data protection laws is that personal data shall be "processed fairly and lawfully".[245] This principle is "primary" because, as demonstrated in the following, it embraces and generates the other core principles of data protection laws presented below. Concomitantly, the twin criteria of fairness and lawfulness are manifest in all of these principles even if, in some instruments, they are expressly linked only to the means for collection of personal data,[246] or not specifically mentioned at all.[247]

3.3. Minimality

A second core principle of data protection laws is that the amount of personal data collected should be limited to what is necessary to achieve the purpose(s) for which the data are gathered and further processed. I sum up this principle in terms of "minimality", though it could just as well be summed up in terms of "necessity", "non-excessiveness" or "proportionality".[248]

The principle is manifest in Art 6(1)(c) of the EC Directive which provides, ia, that personal data must be "relevant and not excessive in relation to the purposes for which they are collected and/or further processed". Article 5(c) of the CoE Convention contains an almost identical requirement except that it relates to the purposes for which data are "stored". The above provision of the Directive and, to a lesser extent, that of the Convention are prima facie directed at ensuring minimality at the stage of data collection. Both instruments also contain provisions directed prima facie at ensuring minimality subsequent to that stage. These provisions require personal data to be erased or anonymised once they are no longer required for the purposes for which they have been kept.[249]

The minimality principle is also manifest in the EC Directive's basic regulatory premise, which is that the processing of personal data is prohibited unless the processing is necessary for the achievement of certain specified goals. This premise is embodied primarily in Art 7 of the Directive.[250] Article 7 makes processing of personal data conditional upon satisfaction of a series of alternative conditions. These conditions are, in summary, as follows: (a) the data subject consents to the processing; (b) the processing is necessary for concluding a contract with the data subject; (c) the data controller is legally required to carry out the processing; (d) the processing is necessary for protecting the "vital interests" of the data subject; (e) the processing is necessary for performing a task executed in the "public interest" or in exercise of official authority; or (f) the processing is carried out in pursuance of "legitimate interests" that override the conflicting interests of the data subject.

The minimality principle does not shine so clearly or broadly in all data protection instruments as it does, say, in the Directive. For instance, neither the OECD Guidelines nor the UN Guidelines contain an express requirement of minimality at the stage of data collection, though such a requirement can arguably be read into the more general criterion of fairness, as set out in section 3.2 above. The OECD Guidelines also omit a specific provision on the destruction or anonymisation of personal data after a certain period. Again, though, erasure or anonymisation may be required pursuant to other provisions, such as those setting out the principle of "purpose specification" (see below).[251] Many (but not all)[252] national laws make specific provision for the erasure etc of personal data once the data are no longer required.

3.4. Purpose Specification

Another core principle of data protection laws is that personal data shall be collected for specified, lawful and/or legitimate purposes and not subsequently processed in ways that are incompatible with those purposes. This norm is often termed the principle of "purpose specification".[253]

The principle is really a cluster of three principles:

1. the purposes for which data are collected shall be specified/defined;

2. these purposes shall be lawful/legitimate;

3. the purposes for which the data are further processed shall not be incompatible with the purposes for which the data are first collected.

Terminologically, the notion of "purpose specification" denotes the first-listed principle more aptly than the latter two principles. Nevertheless, the notion of purpose specification is used in this thesis to cover all three principles.

The principle is prominent in all of the main international data protection instruments.[254] It is also prominent in most (but not all)[255] of the national laws. Some laws stipulate that the purposes for which data are processed shall be "lawful".[256] Other laws, such as the Directive and Convention, stipulate that such purposes shall be "legitimate".

3.5. Information Quality

The fourth core principle of data protection laws is that personal data shall be valid with respect to what they are intended to describe, and relevant and complete with respect to the purposes for which they are (intended to be) processed. This norm is sometimes summed up as the principle of "data quality",[257] though the latter phrase is also sometimes used to embrace the norms set out above in sections 3.2-3.4 as well.[258]

Regarding the first limb of the principle (ie, that concerned with the validity of data), data protection laws use a variety of terms to describe the stipulated data quality. Article 5(d) of the CoE Convention and Art 6(1)(d) of the EC Directive state that personal data shall be "accurate and, where necessary, kept up to date".[259] The equivalent provisions of some other data protection instruments refer only to a criterion of accuracy/correctness ("Richtigkeit"),[260] while still others supplement the latter with other criteria, such as completeness.[261]

With regard to the principle's second limb, the EC Directive formulates this as a requirement that personal data are "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed" (Art 6(1)(c)).[262] Some data protection instruments refer to the criteria of relevance, accuracy and completeness but not non-excessiveness.[263]

3.6. Data Subject Participation and Control

The fifth core principle of data protection laws is that persons should be able to participate in, and have a measure of influence over, the processing of data on them by other persons or organisations. This principle embraces what para 13 of the OECD Guidelines terms the "Individual Participation Principle", though rules giving effect to it embrace more than what is laid down in that particular paragraph.

Data protection instruments rarely contain one special rule expressing this principle in the manner formulated above. Rather, the principle manifests itself more obliquely through a combination of several categories of rules. First, there are rules which aim at making persons aware of data-processing activities generally. The most important of these rules are those requiring data controllers to provide basic details of their processing of personal data to data protection authorities, coupled with a requirement that the latter store this information in a publicly accessible register. Concrete examples of these rules are provided in Chapter 4 (sections 4.2-4.3).

Secondly, and arguably of greater importance, are a category of rules which aim at, ia, making persons aware of basic details of the processing of data on themselves. This category of rules can be divided into three main sub-categories: (1) rules requiring data controllers to collect data directly from data subjects in certain circumstances; (2) rules prohibiting the processing of personal data without the consent of the data subjects; and (3) rules requiring data controllers to orient data subjects directly about certain information on their data-processing operations. Rules falling under the first sub-category are found only in a minority of data protection instruments,[264] though such rules could and should be read into the more common and general requirement that personal data be processed "fairly".[265] Regarding the second sub-category of rules, examples of these are provided further below.

As for rules belonging to the third sub-category, influential examples of these are Arts 10-11 of the EC Directive which, in summary, require data controllers to directly supply data subjects with basic information about the parameters of their data-processing operations, independently of the data subjects' use of their own access rights.[266] None of the other main international data protection instruments lay down such requirements, at least directly.[267] As for national data protection laws, these have often laid down such requirements only in cases where data are collected directly from the data subject.[268] Some other national laws have required this sort of notification only in relation to particular kinds of data processing, such as credit reporting[269] and disclosure of customer data,[270] though notification in such cases has been independent of whether or not the data controller has collected the data directly from the data subject. It is expected that the current notification requirements pursuant to the national laws of at least EU and EEA member states will be harmonised and expanded in accordance with the EC Directive.

Thirdly, there are rules which grant persons the right to gain access to data kept on them by other persons and organisations. For the sake of brevity, this right is described hereinafter as simply "the right of access" or "access right(s)". All data protection instruments I have seen make provision for such a right. The most influential formulation of this right is given in Art 12 of the EC Directive.[271] This provides persons with a right of access not just to data relating directly to them but also to information about the way in which the data are used, including the purposes of the processing, the recipients and sources of the data, and "the logic involved in any automated processing of data concerning [the data subject] ... at least in the case of the automated decisions referred to in Article 15(1)".[272] The right in Art 12 is similar to, but also more extensive than, the equivalent rights found in the other main international data protection instruments.[273] None of the latter, with the exception of the UN Guidelines, specifically mention the right to be informed of the recipients of data. And none of them specifically mention the right to be informed of the logic behind automated data processing. Most national laws also omit specification of the latter rights, though the Directive should soon bring about a change in this situation - at least in Europe.[274]

The third major category of rules consists of those which allow persons to object to others' processing of data on themselves and to demand that these data be rectified or erased insofar as the data are invalid, irrelevant, illegally held, etc. The ability to object is linked primarily to rules prohibiting various types of data processing without the consent of the data subjects. Such rules are especially prominent in the EC Directive, relative to older data protection instruments.[275] Of the latter, some make no express mention of a consent requirement,[276] while others often stipulate consent in fairly narrow contexts - eg, as a precondition for disclosure of data to third parties.[277] It is important to note that consent is rarely laid down as the sole precondition for the particular type of processing in question; consent tends to be one of several alternative prerequisites. This is also the case with the EC Directive. The alternative prerequisites are often broadly formulated, thereby reducing significantly the extent to which data controllers are hostage to the consent requirement in practice. With regard to Art 7 of the EC Directive, for example, most instances of processing will be able to be justified under the criteria in paras (b)-(f) of the provision (set out in section 3.3 above and Chapter 18 (section 18.4.3)).

A specific right to object is also laid down in some data protection laws. The EC Directive contains important instances of such a right, namely in Art 14(a) (which provides a right to object to data processing generally), Art 14(b) (which sets out a right to object to direct marketing) and, most innovatively, Art 15(1) (stipulating a right to object to decisions based on fully automated assessments of one's personal character).[278] These instances of the right to object are not found in the other main international data protection instruments.[279] Neither are they currently found in the bulk of national laws, though this situation will change in the near future - at least in Europe - under the influence of the Directive. As noted in Chapter 1 (section 1.1), the right in Art 15 could well be treated as the basis for a new data protection principle: ie, that fully automated assessments of a person's character should not form the basis of decisions that significantly impinge upon the person's interests.

With respect to rectification rights, most data protection instruments have provisions which give persons the right to demand that incorrect, misleading or obsolescent data relating to them be rectified or deleted by those in control of the data, and/or require that data controllers rectify or delete such data.[280]

3.7. Disclosure Limitation

A sixth core principle of data protection laws is that data controllers' disclosure of personal data to third parties shall be restricted, such that disclosure may occur only upon certain conditions. This principle, like that of individual participation and control, is not always expressed in data protection instruments in the manner formulated above. Neither the CoE Convention nor the EC Directive, for instance, specifically address the issue of disclosure limitation but treat it as part of the broader issue of the conditions for processing data.[281] Concomitantly, neither of these instruments apparently recognise disclosure limitation as a separate principle but incorporate it within other principles, particularly those of fair and lawful processing and of purpose specification. As for the OECD Guidelines, these incorporate the principle of disclosure limitation within a broader principle termed the "Use Limitation Principle" (para 10), while the UN Guidelines specifically address the issue of disclosure under the principle of purpose specification. That I choose, nevertheless, to treat disclosure limitation as a separate principle mainly reflects a conviction that it tends to play a significant role in shaping the content and application of data protection laws.

Disclosure limitation means, as a bare minimum, that personal data "should not be disclosed ... except: (a) with the consent of the data subject; or (b) by the authority of law".[282] Examples of other important, alternative conditions for disclosure are set out in Arts 7 and 8 of the EC Directive (see section 3.3 above and Chapter 18 (section 18.4.3)).

3.8. Information Security

Another core principle of data protection laws is that data controllers should take steps to ensure that personal data are not destroyed accidentally and not subject to unauthorised access, alteration, destruction or disclosure. A representative provision to this effect is Art 7 of the CoE Convention which stipulates:

Appropriate security measures shall be taken for the protection of personal data stored in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination.

The relevant provisions of the EC Directive are a little more detailed. Article 17(1) requires data controllers to implement security measures for ensuring that personal data are protected from accidental and unlawful destruction, alteration or disclosure. The measures taken are to be commensurate with the risks involved in the data processing "having regard to the state of the art and the cost of their implementation". A controller must also ensure - by way of contract or other legal act (Art 17(3)) - that data processors engaged by him/her/it provide "sufficient guarantees in respect of the technical security measures and organizational security measures governing the processing to be carried out" (Art 17(2)).[283] Further, the measures taken pursuant to Art 17(1) and (3) shall be documented (Art 17(4)).

As indicated by the above, security provisions as they appear in data protection laws are often formulated in very general terms. However, more detailed requirements and guidelines can sometimes be issued by national data protection authorities.[284]

Of security provisions in national laws, s 12(3) of Denmark's Public Authorities' Registers Act and s 29 of the Icelandic Act of 1989 are especially noteworthy. These stipulate that for personal data registers containing information of particular interest for foreign powers, measures shall be taken to ensure destruction of the registers in the event of war or similar threat. To my knowledge, these provisions are unique in the context of data protection legislation.[285] Also noteworthy for its uniqueness is s 21 of the Swedish Data Act of 1973. This provision specifically penalises "hacking" ("dataintrång") in relation to any recordings for automatic data processing, whether or not these recordings contain personal data.[286]

3.9. Sensitivity

Many data protection laws place special limits on the processing of certain types of data that are regarded as especially sensitive for the data subjects. The most influential list of these categories of data is provided in Art 8(1) of the EC Directive: it embraces data on a person's "racial or ethnic origin", "political opinions", "religious or philosophical beliefs", "trade-union membership", "health" and "sexual life". Further, Art 8(5) makes special provision for data on criminal records and the like. Broadly similar lists are found in numerous other data protection instruments at both international and national level, though these vary somewhat in scope. For instance, the list in Art 6 of the CoE Convention omits data on trade-union membership, while the list in the UN Guidelines includes data on membership of associations in general (not just trade unions). The lists in some national laws also include, or have previously included, data revealing a person to be in receipt of social welfare benefits.[287] References to this sort of data, though, will have to be dropped from the lists of the data protection laws of EU member states, given that the list of data categories in Art 8(1) of the Directive is intended to be exhaustive.[288]

For present purposes, it is unnecessary to describe the special legal safeguards set down for these data categories. A description of such safeguards is given in Chapter 18 (section 18.4.3).

The singling out of relatively fixed sub-sets of personal data for special protection breaks with the assumption that the sensitivity of data is essentially context-dependent. Accordingly, attempts to single out particular categories of data for special protection independent of the context in which the data are processed have not been without controversy.[289] Further, not all data protection instruments contain extra safeguards for designated categories of data. This is the case with the OECD Guidelines and the data protection laws of the Pacific-rim countries. It is also the case with Austria's Data Protection Act of 18.10.1978[290] and, to a lesser extent, the UK Data Protection Act of 1984[291] and Germany's Federal Data Protection Act.[292] However, some such safeguards can be found in other legislation in these countries.[293]

The absence of such safeguards in the OECD Guidelines appears to be due partly to failure by the Expert Group responsible for drafting the Guidelines to achieve consensus on which categories of data deserve special protection, and partly to a belief that the sensitivity of personal data is not an a priori given but dependent on the context in which the data are used.[294] The absence of extra protections for designated categories of especially sensitive data in national data protection laws would appear to be due to much the same considerations, along with uncertainty over what the possible extra protection should involve.[295]

[243] See the references cited supra n 35.

[244] See further Chapter 2 (section 2.2).

[245] See, eg, Art 5(a) of the CoE Convention, Art 6(1)(a) of the EC Directive, Art 9 of the Italian Act and DPP 1 in Part 1 of Schedule 1 to the UK Act (of both 1984 and 1998). For what is, in effect, the same norm, see, eg, Principle 1 of the UN Guidelines, Art 3 of the Hungarian Act and Art 4(2) of the Swiss Act.

[246] This is the case, for example, with the OECD Guidelines (see para 7).

[247] As is the case, for example, with the Norwegian PDRA.

[248] The latter term is employed by the CoE in several of its data protection instruments: see, eg, para 4.7 of Recommendation No R (97) 18 on the Protection of Personal Data Collected and Processed for Statistical Purposes (adopted 30.9.1997); para 24 of the Explanatory Memorandum to Recommendation No R (86) 1 on the Protection of Personal Data used for Social Security Purposes (adopted 23.1.1986).

[249] See Art 6(1)(e) of the EC Directive and Art 5(e) of the CoE Convention. The former provision is set out in Chapter 18 (section 18.4.3).

[250] It is also embodied in Art 8 in relation to the processing of certain categories of especially sensitive data. See further section 3.9 below and Chapter 18 (section 18.4.3).

[251] A point noted in para 54 of the Guidelines' Explanatory Memorandum.

[252] Australia's federal Privacy Act being an example.

[253] See, eg, para 9 of the OECD Guidelines and Principle 3 of the UN Guidelines.

[254] See Art 5(b) of the CoE Convention, Art 6(1)(b) of the EC Directive, Principle 3 of the UN Guidelines and para 9 of the OECD Guidelines.

[255] Norway's PDRA is an example here. However, the principle is enshrined in chapters 2-3 (see espec s 3-1) of the main regulations to the PDRA and in administrative practice pursuant to the Act. See further Chapter 18 (sections 18.4.2 and 18.4.7).

[256] See, eg, DPP 2 in Part I of Schedule 1 to the UK Act of 1998. This is also the case with the OECD Guidelines.

[257] See, eg, para 8 of the OECD Guidelines.

[258] The case, for example, in both the CoE Convention and EC Directive.

[259] Identical or near-identical requirements are set down in the provisions of several national laws, including Art 9(1)(c) of the Italian Act and DPP 4 in Part 1 of Schedule 1 to the UK Act of 1998.

[260] See, eg, Art 5 of the Swiss Act.

[261] This is the case, for example, with para 8 of the OECD Guidelines and, in effect, s 8 of the Norwegian PDRA.

[262] Similarly formulated requirements are found in several national laws: see, eg, Art 9(1)(d) of the Italian Act, Art 5(2) of the Hungarian Act and, in effect, s 552a(e)(1), (5) & (6) of the US Act. As noted in section 3.3, the equivalent provision in the CoE Convention is almost identical except that it refers only to the purposes for which data are "stored" (Art 5(c)).

[263] See, eg, para 8 of the OECD Guidelines and ss 4-8 of Canada's federal Privacy Act.

[264] See s 552a(e)(2) of the US Act, s 5(1) of the Canadian Act, IPP 2 of New Zealand's Act, para 3.2 of CoE Recommendation No R (86) 1 on the Protection of Personal Data used for Social Security Purposes (adopted 23.1.1986), para 4.1 of Recommendation No R (89) 2 on the Protection of Personal Data used for Employment Purposes (adopted 18.1.1989), para 3.3 of CoE Recommendation No R (90) 19 on the Protection of Personal Data used for Payment and Other Related Operations (adopted 13.9.1990) and point 6.1 of the ILO Code of Practice on Protection of Workers' Personal Data (ILO, supra n 129).

[265] See further Chapter 18 (section 18.4.1).

[266] The provisions are described in more detail in Chapter 18 (section 18.4.5).

[267] The UN Guidelines' "principle of purpose specification" (principle 3) stipulates that the purpose of a computerised personal data file should "receive a certain amount of publicity or be brought to the attention of the person concerned". Cf the more generally formulated "Openness Principle" in para 12 of the OECD Guidelines: "There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller". Articles 10-11 of the Directive are supplemented by Art 21 which requires member states to "take measures to ensure that processing operations are publicized" (Art 21(1)) and to ensure that there is a register of processing operations open to public inspection (Art 21(2)).

[268] See, eg, s 552a(e)(3) of the US Act, IPP 2 of the Australian Act and Art 18(1) of the Swiss Act (only in relation to "systematic" collection by federal government bodies). Cf Art 10 of the Italian Act which requires notification of data subjects also when data are obtained from other sources. The same applies pursuant to s 40-5 of the French Act (but only in relation to processing of personal data for research purposes in the field of public health), and Art 18(2) of the Swiss Act (but only in relation to processing by federal government bodies of designated categories of especially sensitive data and data constituting "personality profiles").

[269] See, eg, s 19 of Norway's PDRA.

[270] See, eg, s 4b(2) of Denmark's Private Registers Act.

[271] See further Chapter 18 (section 18.4.5).

[272] Article 15(1) is analysed in detail in Chapter 18 (section 18.3.1).

[273] See Art 8 of the CoE Convention, paras 12-13 of the OECD Guidelines and principle 4 of the UN Guidelines.

[274] As an aside, it is uncertain if Art 12 prohibits the practice of so-called "enforced access" whereby persons are pushed into utilising their access rights in order to provide a body on which they are dependent (eg, employer, insurance company) with personal information normally unavailable to it. Reference to the practice is made in, ia, the Fifth Report of the [UK] Data Protection Registrar, June 1989 (London: HMSO, 1989), Part B, paras 240 & 290; T McBride, "Coerced release of criminal history information" (1998) 5 PLPR, 119. Article 12(a) stipulates that access rights are to be exercised "without constraint", but it is uncertain if this phrase should be read only in the sense of "without hindrance" or also in the sense of "freely"/"without duress". The French text uses the phrase "sans contrainte" which arguably connotes both senses, whereas the German text uses the phrase "frei und ungehindert". The phrase used in the Danish text ("frit og uhindret") is similar to the German. Cf the Swedish text which only mentions "utan hinder" ("without hindrance"). As it presently stands, Art 12 fails to remedy the practice of enforced access clearly and directly. This is also the case with the CoE Convention, OECD Guidelines and UN Guidelines. Cf Art 13(2) of the 1992 amended proposal for the Directive (providing that member states grant each data subject the right "to refuse any demand by a third party that he should exercise his right of access in order to communicate the data in question to that third party or to another party, unless the third party's request is founded on national or Community law"), and s 56 of the 1998 UK Data Protection Act (expressly prohibiting the practice, with some exceptions).

[275] See espec Art 7(a) of the Directive which stipulates consent as one (albeit alternative) precondition for processing generally.

[276] This is the case with the CoE Convention.

[277] See, eg, para 10 of the OECD Guidelines, s 4(2) of the Danish Private Registers Act and Art 19(1) of the Swiss Act.

[278] These provisions are described in detail in Chapter 18 (sections 18.3.1 & 18.4.5).

[279] Cf principles 5.5, 5.6, 6.10 and 6.11 of the ILO Code of Practice on Protection of Workers' Personal Data (ILO, supra n 129) which seek to limit the use of automated decision-making procedures for assessing worker conduct. These principles are described in more detail in Chapter 18 (section 18.3.1).

[280] See, eg, Art 12(b) of the EC Directive, Principle 4 of the UN Guidelines, s 14 of the UK Act of 1998, Art 13(1)(c) of the Italian Act, IPP 7 of the New Zealand Act and ss 8(1), 15(1) & 33(2) of Norway's PDRA.

[281] See espec Arts 5(a), 5(b) & 6 of the Convention, and Arts 6(1)(a), 6(1)(b), 7 & 8 of the Directive.

[282] Paragraph 10 of the OECD Guidelines.

[283] The latter requirements are supplemented in Art 16 which provides: "Any person acting under the authority of the controller or ... processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law".

[284] See, eg, the security guidelines issued 9.6.1998 by the Norwegian Data Inspectorate (Retningslinjer for informasjonssikkerhet ved behandling av personopplysninger), available at URL <http://www.datatilsynet.no/eksternweb/informasjon/sikkerhet/retning/retnings.htm> (last visited 31.5.1999).

[285] Section 12(3) of the Danish Act is preserved in s 41(2) of the Bill for Denmark's new data protection Act: see the Bill introduced into Parliament by the Justice Minister on 8.10.1998 (Lovforslag nr L 44: Forslag til lov om behandling af personoplysninger). Note, though, the uncertainty surrounding the future of this Bill: supra n 172.

[286] The provision has been removed from the new Personal Data Act of 1998.

[287] See s 6(6) of Finland's Personal Data Registers Act of 1987, s 4(2) of Sweden's Data Act of 1973 and Art 3(c)(3) of the Swiss Act.

[288] See further the discussion of this point in Chapter 18 (section 18.4.3).

[289] For a forceful, highly persuasive critique of such attempts, see S Simitis, "'Sensitive Daten' - Zur Geschichte und Wirkung einer Fiktion", in E Brem, J N Druey, E A Kramer & I Schwander (eds), Festschrift zum 65. Geburtstag von Mario M. Pedrazzini (Bern: Verlag Stämpfli & Cie, 1990), 469-493. Cf my comments in Chapter 7 (section 7.2.1).

[290] Bundesgesetz vom 18 Oktober 1978 über den Schutz personenbezogener Daten (BGBl No 565/1978); currently set to be repealed 1.1.2000. Under the influence of the EC Directive, s 9 of the Bill for Austria's proposed new data protection law (which is intended to enter into force on 1.1.2000) provides special safeguards for the data types designated in Art 8(1) of the Directive. See Regierungsvorlage: Bundesgesetz über den Schutz personenbezogener Daten (Datenschutzgesetz 2000); 1613 der Beilagen zu den Stenographischen Protokollen des Nationalrates XX.GP, 18.3.1999.

[291] Section 2(3) enables the Secretary of State to subject to special provision the data categories listed in Art 6 of the CoE Convention. However, the Secretary has never made use of this power.

[292] Sections 28(2) & 29(2) set limits on communication by private bodies of certain of the data types listed in Art 6 of the CoE Convention. See also s 35(2) which requires erasure of the same data types if their accuracy cannot be proved by the data controller.

[293] For Austria, see, eg, s 268(7) of the Trade Professions Act (Gewerbeordnung) of 1994 (BGBl No 194/1994) which prohibits list brokers and direct marketers from collecting, processing or transmitting data revealing, ia, "political views or religious or other convictions", or "penal convictions", without the written consent of the data subjects. This provision modifies s 18 of the Austrian Data Protection Act of 1978 with regard to list broking and direct marketing. For Australia, see, eg, Part VIIC of the Crimes Act 1914 which restricts use and disclosure of information on past criminal convictions.

[294] See the Guidelines' Explanatory Memorandum, paras 43 & 51; P Seipel, "Transborder Flows of Personal Data: Reflections on the OECD Guidelines" (1981) 4 TDR, no 1, 32, 36.

[295] See, eg, Law Reform Commission of Hong Kong, Report on Reform of the Law Relating to the Protection of Personal Data (Hong Kong: Government Printer, 1994), 99ff; Australian Law Reform Commission (ALRC), Privacy, Report No 22 (Canberra: AGPS, 1983), vol 2, paras 1218ff.
