
CHAPTER 4. Monitoring, Supervisory and Enforcement Regimes


4.1. Introduction

This chapter surveys the main means by which the implementation of data protection laws is monitored, supervised and enforced. It looks first at the role of authorities charged with overseeing implementation of data protection laws (see section 4.2), then at various legislative requirements to ensure contact between data controllers and these authorities (section 4.3). Sanctions and remedies available in the event of breach of data protection laws are thereafter described briefly in section 4.4. The chapter rounds off with a presentation of the basic rules on transnational flows of personal data (section 4.5).

4.2. Data Protection Authorities

The overwhelming majority of countries with data protection laws have established special authorities (data protection authorities) to oversee specifically the implementation of these laws. Notable exceptions are the USA and Japan. Although there have been repeated attempts to set up a data protection authority at the federal level in the USA, all have foundered, largely on account of Americans' deep-seated antipathy to regulation by governmental agencies.[296]

In carrying out their tasks, data protection authorities are required to be functionally independent of the governments and/or legislatures which establish them.[297] This criterion of independence boils down to the capacity for a data protection authority to arrive at its own decision in a concrete case without being given case-specific instructions by another body as to what line it should take. But, insofar as such a decision is legally binding (especially with respect to another government agency), it will usually be subject to political and legal review. Moreover, data protection authorities' decision making will be steered at a more general level by laws and regulations laid down by other bodies.[298]

Data protection authorities' oversight function typically encompasses the handling and resolution of complaints by citizens pertaining to the processing of personal data. It can also involve the auditing of the legality of data-processing operations independent of complaints. In addition, the authorities are often expected to orient and advise governments, parliaments, private organisations and the general public about data protection matters. Concomitantly, an authority is usually under a duty to maintain a publicly accessible register (hereinafter termed "oversight register") containing basic details of various data-processing operations covered by the country's data protection law[299] and to deliver an annual report of its activities to the national government and/or parliament.[300]

The powers of data protection authorities are often broad and largely discretionary.[301] In most cases, the authorities are empowered to issue legally binding (though appealable) orders. In some jurisdictions, however, data protection authorities have either not had such competence at all,[302] or they have not had it in relation to certain sectors.[303]

Turning to the international data protection instruments, both the CoE Convention and OECD Guidelines have little to say about the need for, and competence of, national data protection authorities. Neither instrument, for instance, requires such authorities to be established. In contrast, para 8 of the UN Guidelines specifically addresses the need to establish national data protection authorities that are "impartial", "independent" and "technically competent". So too does the EC Directive: Art 28 of the Directive requires each member state to establish one or more data protection authorities (termed "supervisory authorities") which are to "act with complete independence in exercising the functions entrusted to them" (Art 28(1)). The reference here to "complete independence" means that great care must be taken in ensuring that the authorities' inevitable administrative dependence on other bodies (eg, through budget and personnel allocations) does not undermine the functional independence they are otherwise supposed to have. It also means that administrative and legal frameworks which leave open even a small possibility of a data protection authority being instructed by another administrative body on how to exercise its functions, most probably do not satisfy the criterion of Art 28(1).[304]

According to Art 28(2), the data protection authorities must be consulted when administrative measures or regulations concerning data protection are drawn up. They shall also be empowered to monitor, investigate and intervene in data-processing operations, hear complaints and take court action in the event of breach of national data protection law (Art 28(3) & (4)). At the same time, they shall be required under Art 21(2) to maintain a publicly accessible register containing information about the data-processing activities of which they are notified pursuant to, indirectly, Arts 18-19 (dealt with in the next section).

The Directive is silent on whether or not data protection authorities shall be able to impose fines and order compensation for damages; it seems quite clear, though, that such competence would be compatible with the Directive. The Directive also does not specifically address whether or not these authorities must be given competence to issue legally binding orders. Article 28(3), read in conjunction with recitals 9-11,[305] tends to suggest such competence is required but the wording in the Article is not entirely conclusive.[306] According to the Article, authorities are to be given "effective powers of intervention, such as, for example, that of delivering opinions ..., ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing ...". It could be argued, albeit tenuously, that the various types of powers listed here are examples only of options that member states may choose between, not necessary constituents of the concept "effective powers of intervention"; if they were intended to be regarded as necessary constituents, the term "including" would have been used instead of "such as, for example".[307] Moreover, the wording of the provision indicates that the notion of "intervention" is to be read broadly, such that it covers mere delivery of opinion. As for the criterion "effective", there is nothing in the Directive (or its travaux préparatoires) conclusively indicating that this can only be satisfied through imposition of legally binding orders.[308]

The Directive contains several provisions which will stimulate an internationalisation, at least within the EU, of supervisory and monitoring regimes in the field of data protection. An important provision here is Art 28(6). This provides that member states' respective data protection authorities:

- may exercise their powers in relation to a particular instance of data processing even when the national law applicable to the processing is that of another member state;

- may be requested by another member state's authority to exercise their powers; and

- are to "cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information".

The above provisions should entail relatively high levels of co-operation between national data protection authorities. They should also entail increased knowledge and expertise within each of these authorities of other member states' data protection laws.

Further, a Working Party on the Protection of Individuals with regard to the Processing of Personal Data (hereinafter termed "Data Protection Working Party") has been established pursuant to Art 29. This body is composed largely of representatives from each member state's data protection authority. It acts independently but has advisory competence only. Under Art 30, it is to aid the Commission by providing advice on: issues relating to the uniform application of national measures adopted pursuant to the Directive; data protection afforded by non-member states; possible changes to the Directive and other instruments affecting data protection; and codes of conduct drawn up at Community level.[309]

On a more general note, sight should not be lost of the fact that data protection authorities are not alone in monitoring, encouraging and/or enforcing the implementation of data protection laws. A great number of other bodies are involved to varying degrees in one or more of the same tasks, even if their participation is not always formally provided for in data protection instruments. In the words of Charles Raab, data protection is "co-produced" through the interaction of a broad range of bodies and strategies.[310]

On the international plane, notable examples of relevant bodies are the expert committees on data protection formed under the umbrella of the CoE and OECD. Within the EU, relevant bodies are the above-mentioned Data Protection Working Party, the Commission,[311] and the Committee set up to assist the Commission under Art 31 of the EC Directive.[312]

At a national level, obvious examples of relevant bodies are those charged with hearing appeals from the decisions of data protection authorities. Other examples are parliamentary committees, ombudsmen and national auditing offices. In some countries, such as New Zealand and Germany,[313] data controllers themselves are required to appoint internal officers whose tasks are to monitor their respective organisations' compliance with data protection legislation and to function as contacts between the organisations and the data protection authorities.

Further, several countries' laws make specific provision for industries, professions, etc to draw up sectoral codes of conduct/practice on data protection in co-operation with data protection authorities.[314] We are likely to see an increasing number of schemes for the development of such codes, given that Art 27 of the EC Directive requires member states and the Commission to "encourage" the drafting of sectoral codes of conduct, at national and/or Community level, in pursuance of implementing the measures contemplated by the Directive.[315]

4.3. Notification and Licensing Schemes

Most data protection laws lay down special rules to enhance the ability of data protection authorities to monitor the practices of data controllers. There are two main categories of such rules. The basic differences between these categories lie in the degree to which the data protection authority monitors data-processing activities before the latter begin, and the degree to which such monitoring involves formal authorisation of these activities.

One category requires data controllers simply to notify data protection authorities of certain planned processing of personal information. Upon notification, processing is usually allowed to begin. Most data protection laws, including the EC Directive (see below),[316] operate with this sort of requirement, though the ambit of their respective notification schemes varies.[317]

Occasionally, the notification requirement is, or has been, formalised as a system for registration.[318] Under this sort of system, data controllers must, as a general rule, apply to be registered with the data protection authority, their registration being a necessary precondition for their processing of personal data. When applying for registration, a controller is to supply the authority with basic details of its intended processing operations. Once application for registration is lodged, the controller is legally able to begin processing.

The Directive requires that, as a general rule, data controllers or their representatives notify the authority concerned of basic information about "any wholly or partly automatic processing operation" they intend to undertake (Art 18(1)). Several derogations from this notification requirement are provided for in paras 2-4 of Art 18. With some exceptions, the types of information to be notified must include "at least": (a) the identity of the data controller and his/her/its representatives; (b) the purposes of the data processing; (c) the categories of data subject and data held on the latter; (d) the categories of recipients of the data; (e) proposed data transfers to third countries; and (f) a general description of adopted security measures for the data processing (Art 19(1)).

The second category of control/oversight scheme requires that data controllers must apply for, and receive, specific authorisation (in the form of a licence) from the relevant data protection authority prior to establishing a personal data register or engaging in a particular data-processing activity. Only a minority of countries operate, or have operated, with comprehensive authorisation/licensing regimes.[319] It has been more common for countries to reserve a licensing requirement for certain designated sectors of business activity, such as credit reporting,[320] or for overseas transfers of personal data,[321] or for the matching of such data.[322]

The EC Directive allows for a system of "prior checking" by national data protection authorities with respect to processing operations that "are likely to present specific risks to the rights and freedoms of data subjects" (Art 20(1)). Elaborating on what might constitute such processing operations, recital 53 refers to operations that are likely to pose specific risks "by virtue of their nature, their scope or their purposes, such as that of excluding individuals from a right, benefit or contract, or by virtue of the specific use of new technologies". It would appear from Art 28(3) of the Directive, together with recitals 9, 10 and 54, that data protection authorities may stop planned data-processing operations pursuant to this system of "prior checking".[323] At the same time, though, recital 54 makes clear that such a system is to apply only to a minor proportion of data-processing operations ("with regard to all the processing undertaken in society, the amount posing such specific risks should be very limited"). In other words, data protection regimes, such as those in Norway, in which licensing is the rule rather than the exception will need to be changed if they are to conform with the Directive.[324]

It is important to note that licensing, registration and notification procedures do not exist simply for the purposes of direct control on the part of data protection authorities; they also function partly as learning/sensor mechanisms in the face of legislators' uncertainty about the appropriate regulatory response to data-processing activities. The schemes force data controllers to come in contact with data protection authorities, thereby allowing the latter (and, indirectly, data subjects and the public generally) to learn about controllers' practices and needs, and also allowing the authorities to educate controllers about data protection rules.[325]

4.4. Sanctions and Remedies

All data protection Acts stipulate a variety of sanctions and remedies for breach of their provisions. Provision is usually made for a combination of penalties (fines and/or imprisonment), compensatory damages and, where applicable, revocation of licenses and deregistration. Sometimes, strict/objective liability for harm is stipulated.[326] In many cases, compensation may be awarded for non-economic/immaterial injury (emotional distress) as well as economic loss.[327] In a very few cases, allowance is made for class actions to be brought.[328]

The topic of sanctions and remedies is dealt with in only very general terms by the CoE Convention, OECD Guidelines and UN Guidelines. The EC Directive is somewhat more specific. It requires that data subjects be given the right to a "judicial remedy" for any breach of their rights pursuant to the applicable national data protection law (Art 22). In the event of suffering damage from such a breach,[329] data subjects must also be able to receive compensation from the data controller responsible for the damage (Art 23(1)). However, Art 23(2) allows for the complete or partial exemption of data controllers from liability if they are able to prove that they are "not responsible for the event giving rise to the damage". The provisions in Arts 22 and 23 are backed up by Art 24, which requires member states to adopt "suitable measures" (notably sanctions) for ensuring "full implementation" of the Directive's provisions.

The Directive does not clearly specify whether or not the notion of damage in Art 23 covers both economic and non-economic (eg, emotional) loss. Weighing in favour of a broad interpretation of the damage concept in Art 23 are recitals 9 and 10.[330] Further, the Commission's intention with respect to the equivalent provisions in its 1990 Directive proposal was that "[t]he concept of damage covers both physical and non-physical damage".[331] There is, moreover, nothing to indicate that this intention changed in the subsequent drafting process leading to the Directive's adoption,[332] and nothing to indicate that this intention has not been shared by either the European Parliament or the Council.[333] Given the ambiguity of the Directive's provisions on this point, the ECJ could well place some weight on this intention if called upon to determine the point.

In many jurisdictions, the enforcement of data protection laws seems rarely to involve meting out penalties in the form of fines or imprisonment. Data protection authorities appear generally reluctant to punitively strike out at illegal activity with a "big stick". A variety of other means of remedying recalcitrance - most notably dialogue and, if necessary, public disclosure via the mass media - seem to be preferred instead.[334] In other words, data protection laws often function to a relatively large extent as "soft law"; ie, law which "works by persuasion, is enforced by shame and punished by blame".[335]

4.5. Transborder Data Flows

Most European data protection laws contain rules providing for restrictions to be put on the flow of personal data to countries without sufficient levels of data protection. The chief aim of these rules is to hinder data controllers from avoiding the requirements of data protection laws by shifting their data-processing operations to countries with more lenient requirements (so-called "data havens").[336] This concern has rarely been shared to the same degree by the legislators of data protection laws in non-European countries; accordingly, most of these laws do not contain rules specifically allowing for restrictions on transborder flows of personal data.[337]

The basic principle which has been espoused by, or applied pursuant to, the rules on transborder data flow is that the transfer of personal data to another country is permitted if the latter provides a level of data protection which is equivalent to the protection provided by the law of the country from which the data are intended to be transferred.[338] In order to ensure effective application of the equivalency criterion, countries have typically required (with some exceptions) that intended cross-border transfers of personal data be licensed or checked by their respective national data protection authorities.[339]

At the international level, all of the primary instruments on data protection contain rules specifically addressing the matter of transborder data flows. The relevant rules in the CoE Convention are set out in Art 12. This provision stipulates that a Party to the Convention "shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party" (Art 12(2)). However, it permits (though does not require) derogation from this prohibition insofar as the data concerned are specifically protected pursuant to the state party's legislation and the regulations of the other party fail to provide "equivalent protection" for these data (Art 12(3)(a)). Derogation is also allowed in order to prevent the transfer of data to a non-contracting state, via another state party, in circumvention of the first state party's legislation (Art 12(3)(b)). The ambit of Art 12 is discussed in more detail in Chapter 11 (section 11.3.3) with respect to the issue of its impact on the transborder flow of data on collective entities.

Broadly similar, but less complicated, principles on transborder data flows are set down in paras 17-18 of the OECD Guidelines and in Principle 9 of the UN Guidelines. However, whereas the CoE Convention and OECD Guidelines employ the criterion of "equivalent" protection, the UN Guidelines refer to the criteria of "comparable" and "reciprocal" protection. The latter terms (which remain undefined) are more diffuse, loose and confusing than the notion of "equivalent", making their practical utility very limited. It is arguable, though, that they are essentially only clumsy formulations of an equivalency criterion. It should also be noted that while the Convention and OECD Guidelines are primarily concerned with regulating flow of personal data between the member states of the CoE and OECD respectively, the UN Guidelines seek to regulate data flows between a much larger range of countries.

Rules on transborder flows of personal data are also found in the EC Directive. As shown below, these rules are likely to have the greatest practical impact on transborder data flows of all the provisions dealt with in this section. With regard to flows of personal data between EU member states, the basic rule is given in Art 1(2), which provides that such flows cannot be restricted for reasons concerned with protection of the "fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data" (Art 1(1)). This prohibition is premised on the assumption - expressed in recitals 8 and 9 of the Directive and necessitated by Art 12(3)(a) of the CoE Convention - that implementation of the Directive will result in equivalent levels of data protection across the EU.[340] A fundamental issue here - not least from the perspective of the individual EU citizen - is whether or not pan-EU equivalency in data protection levels will in fact eventuate.

As for transfer of personal data to countries outside the EU ("third countries"), this is regulated in Arts 25-26. Both provisions are long, complex and raise a variety of legal issues.[341] For present purposes, it is only necessary to present the main rules here. To begin with, Art 25(1) stipulates that transfer "may take place only if ... the third country in question ensures an adequate level of protection". This is another point where the Directive differs from the other international data protection instruments; none of the latter go so far as to make it mandatory for states to restrict flow of personal data to other states that do not offer a particular level of data protection. The impact of the rule in Art 25(1), however, is significantly mitigated by a set of derogations in Art 26. These derogations permit transfer of personal data to a third country lacking adequate protection if, in summary, the proposed transfer:

- occurs with the consent of the data subject; or

- is necessary for performing a contract between the data subject and the controller, or a contract concluded in the data subject's interest between the controller and a third party; or

- is required on important public interest grounds, or for defending "legal claims"; or

- is necessary for protecting the data subject's "vital interests"; or

- is made from a register of publicly available information; or

- is accompanied by "adequate safeguards" instigated by the controller for protecting the privacy and other fundamental rights of the data subject.

[296] See generally Gellman, supra n 147, 199-238; Michael, supra n 151, 83-84.

[297] See, eg, s 2 of the Norwegian PDRA and s 13 of the French data protection law of 1978.

[298] Of course, a range of other administrative, economic and political mechanisms will also tend to undermine their functional independence. An instructive, detailed analysis of the workings of these mechanisms with respect to the national data protection authorities of Sweden, France, the Federal Republic of Germany and Canada is given by David Flaherty in his work, Protecting Privacy in Surveillance Societies (Chapel Hill/London: University of North Carolina Press, 1989).

[299] See, eg, IPP 5 and s 27(1)(g) of the Australian Act and s 22 of the French Act. See also Art 21 of the EC Directive dealt with below.

[300] See, eg, ss 38-40 of the Canadian Act and Art 31(1)(n) of the Italian Act.

[301] For examples, see Chapter 18 (section 18.4.7).

[302] The case with Belgium, Hungary, Germany, Luxembourg and Canada.

[303] This is the case with Denmark where the national data protection authority has had only advisory capacity in relation to the public sector: see ss 27-28 of the Public Authorities' Registers Act. A special case is Finland where primary responsibility for oversight and enforcement of the Personal Data Registers Act of 1987 has been divided between two bodies: the Data Protection Ombudsman ("dataombudsmannen") and the Data Protection Board ("datasekretessnämden"). The ombudsman has had mainly advisory competence only, though extensive investigatory powers (see ss 31-32 of the Act); by contrast, the board has had power to issue legally binding orders, including competence to set aside provisions in the Personal Data Registers Act on a case-by-case basis (see s 37(1) of the Act). The latter competence is abolished under chapt 9 of Finland's new Personal Data Act, whilst the competence of the ombudsman to give legally binding orders is strengthened.

[304] An example of such a framework is the current system in Norway whereby the Ministry of Justice, upon which the Data Inspectorate is administratively dependent, acts as primary instance for the determination of appeals from the Inspectorate's decisions: see further Chapter 1 (section 1.5.3). Accordingly, the 1999 Bill for a new Norwegian data protection law replaces this system by providing for a special independent tribunal ("Personvernnemda") to act as primary appeal instance: see Ot prp 92 (1998-99), espec 91-92, 145. See also Et bedre personvern - forslag til lov om behandling av personopplysninger, NOU 1997:19, espec 118-120, 159.

[305] Set out supra n 196.

[306] The travaux préparatoires are also not entirely conclusive on this point. See, eg, COM(92) 422 final - SYN 287, 15.10.1992, 38 ("To enable the supervisory authority to carry out its duties it must also have effective powers of intervention, such as those enumerated by the Parliament in its opinion, and repeated in the amended proposal: power to order suppression, erasure of data, a ban on the processing operation, etc. Parliament referred to these measures as `sanctions', but it does not appear necessary that the Directive should define their legal nature").

[307] See also the statement of the Council's reasons regarding adoption of the common position for the Directive ("The supervisory authorities' powers of intervention are described in indicative fashion only, so as to allow Member States the requisite leeway in this area"): OJ No C 93, 13.4.1995, 24.

[308] Indeed, there is evidence to suggest that the recommendations of an ombudsman can sometimes be as equally effective as such orders. On this point, see Flaherty's comprehensive study (referred to supra n 298) which concludes, ia, that the German federal Data Protection Commissioner, despite having advisory powers only, has had a more pervasive and profound impact on the public sector in Germany than Sweden's Data Inspection Board has had on the Swedish public sector: ibid, 26.

[309] An up-to-date overview of the Working Party's activities is available via URL <http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/index.htm> (last visited 31.5.1999). Note also that the Council is supposed to have set up by 1.1.1999 an independent body for overseeing the application of EC legislation on data protection to the EC's own institutions: see supra n 136 and accompanying text.

[310] C D Raab, "Co-Producing Data Protection" (1997) 11 Int Rev of Law Computers & Technology, 11, espec 16ff.

[311] Note espec the Commission's considerable powers under the Directive with respect to implementation of the Directive's provisions on transborder data flow (see Arts 25(4), 26(3) and 26(4)).

[312] The Committee is composed of representatives from the member states. Unlike the Data Protection Working Party, this Committee is to have some legal power in relation to the Commission. If it disagrees with a Commission proposal, the Council is to be given an opportunity of determining the proposal's fate (Art 31(2)).

[313] See s 23 of the New Zealand Act and s 36(1) of the German Act.

[314] See s 13 of Ireland's Data Protection Act of 1988, Parts VI-VII of the New Zealand Act, s 51(3)-(4) of the UK Act of 1998, and s 15 of the Netherlands' Act of 1988.

[315] Cf para 19(b) of the OECD Guidelines urging member states to "encourage and support self-regulation, whether in the form of codes of conduct or otherwise". Neither the Guidelines nor Directive, however, provide any indication as to the exact legal status to be given such codes.

[316] The other three main international data protection instruments, however, refrain from specifically laying down requirements for notification or for other control schemes.

[317] Compare, for example, the fairly broad notification requirements under Art 11(2) and (3) of the Swiss Act (particularly with respect to the personal data registers of federal government agencies) with the more narrowly specified requirements under ss 2(3), 3(4), 7g(2), 8 & 20(1) of Denmark's Private Registers Act. See also the comparative overview by the Data Protection Working Party in its Working Document of 3.12.1997 on "Notification" (available at URL <http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp8en.htm> (last visited 31.5.1999)).

[318] This is the case, eg, under Arts 28-30 of the Hungarian Act and ss 4-9 of the UK Act of 1984.

[319] Such regimes have been set up pursuant to Norway's PDRA, Sweden's Data Act of 1973, the French Act (in relation to the public sector) and Luxembourg's Act of 31.3.1979 Regulating the Use of Nominative Data in Computer Processing (Loi du 31 mars 1979 réglementant l'utilisation des données nominatives dans les traitements informatiques). Note that most of these regimes also allow for derogation from their licensing requirements. With respect to the Norwegian licensing scheme, see further Chapter 18 (section 18.4.7).

[320] See, eg, s 15 of the Icelandic Act of 1989 and s 3(6) of Denmark's Private Registers Act (in relation to the establishment of so-called "black-list" registers; ie, registers "for the purpose of warning others against doing business with or employing any registered party").

[321] See section 4.5 below.

[322] See, eg, ss 4(4) and 4(5) of Denmark's Private Registers Act.

[323] Article 28(3) provides that authorities generally are to have "effective powers of intervention", including the ability to impose "a temporary or definitive ban on processing". Recital 54 specifies that an authority may "give an opinion or an authorization" following a prior check.

[324] Thus, s 33 of the Bill for a new data protection law in Norway maintains a licensing duty only for the processing of especially sensitive data (as specified in s 2(8) of the Bill; cf Art 8 of the Directive) that are not voluntarily disclosed by the data subject, and for other data processing that the Data Inspectorate finds would "obviously" ("åpenbart") harm "weighty" ("tungtveiende") data protection interests: see Ot prp 92 (1998-99), 60-61, 128-129, 143-144. Cf Et bedre personvern - forslag til lov om behandling av personopplysninger, NOU 1997:19, 81-84, 155-156 (proposing that a licensing duty be maintained only for the processing of sensitive data (as specified in Art 8 of the Directive) for the purposes of making decisions that are determinative of private persons' rights or obligations).

[325] On this "learning" aspect of data protection governance, see further C D Raab, "Data Protection in Britain: Governance and Learning" (1993) 6 Governance, 43, 53ff; Raab, "Implementing data protection in Britain" (1996) 62 Int Rev of Administrative Sciences, 493, 507-508; Burkert, supra n 33, 180ff.

[326] See, eg, s 7(1) of the German Act (in relation to harm caused by public bodies) and s 40 of Norway's PDRA (in relation to harm caused by credit reporting agencies).

[327] See, eg, s 9(2) of the Netherlands' Act of 1988, s 42 of the Finnish Act of 1987 (though not if the suffering is deemed "minor"), and s 52(1A) of the Australian Act.

[328] See, ia, ss 36(2), 38, 38A-38C & 39 of the Australian Act and s 37(2) of Hong Kong's Personal Data (Privacy) Ordinance 1995. See further Chapter 15 (section 15.5).

[329] In fact, the provision is broader, referring to damage resulting from "an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive".

[330] Set out supra n 196. Cf recital 55 which states that "any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller". However, one cannot place much weight on the presence of "any" in the English text of the recital since other texts, such as the French, German, Danish and Swedish, omit the adjective altogether.

[331] COM(90) 314 final - SYN 287, 13.9.1990, 40. Again, both terms are somewhat diffuse, but the reference to "non-physical damage" (the German text uses the term "immateriell Schaden"; the French text "le préjudice moral") seems sufficiently broad to embrace emotional distress.

[332] See, eg, COM(92) 422 final - SYN 287, 15.10.1992, 33 ("Article 23(1), like Article 21(1) in the initial proposal, places a liability on the controller to compensate any damage caused to any person ...": emphasis added). The German text is similar ("Schadenersatz für jeden Schaden einer Person zu leisten"), though not the French text ("une obligation de réparer le préjudice causé à toute personne").

[333] Note too that the Data Protection Working Party claims that the notion of damages in the Directive "includes not only physical and financial loss, but also any psychological or moral harm caused (known as "distress" under UK or US law)": see Data Protection Working Party, "Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive", Working Document adopted 24.7.1998 (available at URL <http://europa.eu.int/comm/dg15/en/media/wpdocs/wp12en.htm> (last visited 31.5.1999)), chapt 3.

[334] My impressions here are based on perusal of the annual reports issued by the data protection authorities of Australia, Denmark, Norway, Switzerland and the UK, together with Flaherty's description (see supra n 298) of enforcement practices in Sweden, France, Canada and the Federal Republic of Germany.

[335] E Blankenburg, "The Invention of Privacy", in P Ippel, G de Heij & B Crouwers (eds), Privacy disputed (The Hague: SDU/Registratiekamer, 1995), 31, 39.

[336] See generally Ellger, supra n 130, 87ff, and references cited therein. Assertions have been made that these rules are partly intended to protect economic interests as well. These assertions are discussed further in Chapter 6 (section 6.3.2). For an overview of cases in which transborder flows of personal data have been restricted pursuant to data protection laws, see OECD, Privacy and Data Protection: Issues and Challenges (Paris: OECD, 1994), 55-59.

[337] Exceptions are s 33 of Hong Kong's Ordinance; Arts 9 & 24 of Taiwan's Computer-Processed Personal Data Protection Act of 1995; and s 17 of Quebec's Act. Note also s 10 of the New Zealand Act which provides that IPPs 5-11 of the Act (dealing with, ia, storage, security, use, correction and disclosure of personal information) are to apply to personal information transferred and/or held overseas by an agency covered by the Act. The provision is evidently aimed at countering the "data haven" problem: see E Longworth & T McBride, The Privacy Act: A Guide (Wellington: GP Publications, 1994), 36.

[338] See the overview of rules in P M Schwartz, "European Data Protection Law and Restrictions on International Data Flows" (1995) 80 Iowa L Rev, 471, 474-477. For further detail on application of German law, see Simitis, supra n 102, paras 87ff; Dammann, "§ 17", in Simitis et al, supra n 102, paras 29ff. Regarding application of Norwegian law, see E I E Jarbekk, Personvern og overføring av personopplysninger til utlandet, CompLex 4/96 (Oslo: Tano, 1996), espec 95-101. See also Chapter 11 (section 11.3.3).

[339] See, eg, s 21(1) of Denmark's Private Registers Act; ss 19 & 24 of the French Act; Art 6 of the Swiss Act; and s 36 of the Norwegian PDRA in conjunction with s 8-1 of the main regulations issued pursuant to the Act.

[340] See further Chapter 2 (section 2.2).

[341] For discussion of these issues generally, see Data Protection Working Party, supra n 333; EC Commission, Preparation of a methodology for evaluating the adequacy of the level of protection of individuals with regard to the processing of personal data (Luxembourg: Office for Official Publications of the EC, 1998). For discussion of these issues with regard to the operation of systems for electronic copyright management, see L A Bygrave & K Koelman, Privacy, Data Protection and Copyright: Their Interaction in the Context of Electronic Copyright Management Systems (Amsterdam: Institute for Information Law, University of Amsterdam, 1998), 29-31. For discussion of these issues in terms of how Arts 25-26 might impact upon US business interests, see Swire & Litan, supra n 239.
