[Previous] [Next] [Title]

CHAPTER 7. The Values and Interests Safeguarded by Data Protection Laws

7.1. Introduction

This chapter explores the rationale of data protection laws by elucidating the values and interests that these laws aim, explicitly and/or implicitly, to safeguard. In the following, the term "data protection interests" is used to denote these concerns of data protection laws. These concerns need not manifest themselves in the provisions of the laws; traces of them might be found instead in the travaux préparatoires for the laws or in the way the laws are applied by data protection authorities and other enforcement bodies.

While the term "data protection interests" is primarily used in this chapter to denote the current concerns of data protection laws, it is also capable of embracing interests which closely relate, conceptually and ethically, to these concerns but which are not safeguarded to a significant degree by the present laws. The identification of such interests serves to point out directions in which data protection laws might move in the future. Indeed, it bears emphasising that an intention of this chapter is not simply to aid in delineating the legally valid ambit of current data protection legislation (ie, the ambit that would be seen as acceptable by the judiciary); it is also to aid in delineating the potential "agenda" of data protection as a body of law. This point is especially important to have in mind given the issues taken up in Parts III and IV.

Data protection interests can be divided into two main categories: (i) the interests held by data subjects; and (ii) the interests held by data controllers. The first category is dealt with in section 7.2, the latter in section 7.3. The bulk of the chapter is taken up with analysing the first category. This is due not just to the primary thrust of the basic aims of data protection laws, it is also due to the concerns of Part III. Of decisive importance for resolving the central issue taken up in that Part is the extent to which the interests outlined in section 7.2 can be held by collective entities.

7.2. Interests of Data Subjects

This section elucidates the data protection interests held by data subjects. It is concerned foremost with the relevant interests of individual, natural/physical persons, though much of the analysis is capable of applying to groups and organisations of such persons. A fuller analysis of the data protection interests of collective entities as data subjects is found in Part III.

In this section, I first look at interest conceptualisations that have enjoyed considerable popularity in data protection discourse. I then present an alternative interest typology of my own which builds upon and refines these conceptualisations.

7.2.1. Privacy and integrity

The notions of privacy and, to a lesser extent, integrity figure centrally in the most popular conceptualisations of the data protection interests of data subjects. According to these conceptualisations, one - if not the - major aim of data protection laws is to safeguard the privacy and/or integrity of data subjects. Of the two notions, it is privacy that tends to enjoy most prominence. As shown below, however, the notions of privacy and integrity are often defined similarly in data protection discourse.

It is difficult to disagree with the proposition that data protection laws are very much concerned with safeguarding the privacy and/or integrity of data subjects. This concern is expressly manifest in the opening provisions of many data protection laws, both old and new, or in the laws' travaux préparatoires.570

The salience of the privacy concept in this context partly reflects the fact that privacy as ideal and value has traditionally been accorded central importance in liberal ideology.[571] And it is in societies built up to a large extent around liberalism that data protection discourse has flourished. Concomitantly, widespread public discussion of the implications of computerised processing of personal data first took off in the USA, where there already existed a long (though by no means consistent) tradition of public, academic and judicial concern for privacy.[572] The salience of the privacy concept in North American data protection discourse contributed to ensuring a high profile for the concept in the subsequent discussions in other countries on data protection issues. This was particularly the case with other English-speaking countries and in international forums where English dominates.

But also countries in which English is not the main language framed much of their discussions, at least initially, around concepts that roughly equate with, or embrace, the privacy concept. In Western Europe, these concepts tended to be drawn from jurisprudence developed there on legal protection of personality. For example, discussion in the Federal Republic of Germany initially focused to a considerable extent on the concept of "Privatsphäre" ("private sphere").[573] In Sweden - as shown further below - it centred around the concept of "personlig integritet" ("personal integrity").

Despite their high profile in data protection discourse, the concepts of privacy and integrity remain somewhat nebulous. This is notoriously so with privacy. As many writers on privacy have observed, the concept is difficult to define with precision. This difficulty is both engendered and exacerbated by the loose, haphazard manner in which the concept is sometimes used,[574] and by the fact that existing definitions can be so vacuous as to render the concept analytically unserviceable.[575] There is also considerable controversy, if not confusion, both within and outside academic circles over the proper ambit of the privacy concept.[576] It does not help either that what is considered private, plus the manner in which privacy norms are enforced, can vary from one period and culture to another.[577] All of the above difficulties apply equally, if not more, in relation to the concept of integrity.[578]

Thus, it should come as no surprise to find that privacy and integrity are never directly defined in those data protection laws that employ the terms. The laws which come closest to defining either of the terms only provide definitions of what amounts to a breach of privacy for the purposes of each Act.[579] This failure to define privacy and integrity entails that the meaning of these concepts for the purposes of data protection laws must be sought partly in the substance of the principles laid down in the laws themselves and partly in the way these principles have been applied. At the same time, if use of the terms privacy and integrity in the legislation is not to be regarded as redundant, the failure to define the terms entails that their meaning must also be derived in part from general, societal notions of what privacy and integrity are.

I should emphasise that the failure to define privacy and integrity in data protection laws is not necessarily a weakness with these laws: it provides room for flexibility in their implementation. Further, the fact that the concepts of privacy and integrity are somewhat vague does not necessarily detract from their utility in data protection laws and discourse: it enables them to assimilate and express in a relatively comprehensive, economic manner the congeries of fears attached to increasingly intrusive data-processing practices.[580] Indeed, this characteristic undoubtedly helps to explain the protracted prominence of these concepts in data protection discourse. Moreover, in data protection advocacy, it "may be useful to adopt a large concept in order to offset an equally large rhetorical counter-claim: freedom of inquiry, the right to know, liberty of the press ...".[581]

Nevertheless, failure to define the concepts in data protection laws has a cost insofar as it detracts from the laws' capacity for prescriptive guidance. The exact extent of this cost depends on the way in which the concepts are employed: if they merely figure in the objects clause of a law, the cost will tend not to be so great as when the concepts are employed in rules intended to regulate behaviour more directly. Another cost of failure to define the concepts, not just in the context of their use in data protection laws, is that they remain vulnerable to the criticism that they are incapable of definition. Such criticism runs over easily into claims that the concepts have no independent, coherent meaning in themselves and should be subsumed by other concepts.[582] This cost is difficult to tolerate for persons (such as myself) who view the concepts of privacy and integrity as denoting distinct values that are not adequately delineated by other notions, and who believe, accordingly, that normative discourse would be impoverished were these concepts to fall into disuse.[583]

The above remarks notwithstanding, it cannot be denied that a concept like privacy is pregnant with definitional variation. Analysis of the literature on privacy reveals four major ways of defining the concept.

One group of definitions views privacy essentially in terms of non-interference. This sort of characterisation of privacy has gained prominence largely in the wake of the law review article by Warren and Brandeis who argued that the right to privacy in Anglo-American common law is part and parcel of a right "to be let alone".[584] In Sweden, the concept of personal integrity has also been defined along similar lines.[585]

A second group of definitions, closely related to the first, conceives of privacy in terms of degree of access to a person. Ruth Gavison's definition of privacy as a condition of "limited accessibility" is a leading example here. According to Gavison, this condition of limited accessibility consists of three elements: "secrecy" ("the extent to which we are known to others"); "solitude" ("the extent to which others have physical access to us"); and "anonymity" ("the extent to which we are the subject of others' attention").[586]

A third group of definitions conceives of privacy primarily in terms of information control. The most influential of these definitions is the following given by Alan Westin:

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.[587]

In Sweden, the concept of personal integrity has also been viewed as embracing (though not necessarily limited to) a similar claim to information control.[588]

Finally, there is a group of definitions which relates privacy exclusively to those aspects of persons' lives that are "intimate" and/or "sensitive". Julie Inness, for instance, defines privacy as "the state of possessing control over a realm of intimate decisions, which includes decisions about intimate access, intimate information, and intimate actions",[589] while Morison defines it as "the condition of an individual when he is free from interference with his intimate personal interests by others".[590] According to such a view of privacy, not every disclosure of any type of information about a person will amount to a loss of privacy. There will only be a loss when "sensitive" and/or "intimate" personal information is disclosed.[591]

The above four groups of definitions are by no means exhaustive of the various ways in which privacy is conceived, but they constitute the main lines of definition. Putting aside differences in terms of whether they view privacy as a state/condition, claim or right,[592] there is little direct clash between them. This harmony, however, is preconditioned on the assumption that the first three definitional categories (ie, those defining privacy in terms of non-interference, inaccessibility and information control) only encompass intimate and/or sensitive aspects of persons' lives. As it turns out, many of the scholars etc who champion one of the first three groups of definitions, do not view privacy as delimited in this way. I return to this point further below.

An extensive and long-running debate has raged over which of the above types of definitions is the most correct. To analyse this debate in detail is unnecessary for the purposes of this thesis. It suffices to note, first, that the debate carries with it the danger of underplaying the multidimensional character of privacy. Much of it also overlooks the fact that law and policy do not always need to operate with precise, clean-cut definitions of values.[593] Furthermore, the debate is difficult to resolve conclusively because it rests to a considerable extent on intuitive assessments of how the privacy concept is supposed to be commonly understood.

The major role played by intuition is especially apparent in relation to the issue of whether or not the disclosure of "non-intimate" information about oneself involves a loss of privacy. Some scholars contend that privacy is not diminished by disclosure of such information, and appeal to our intuition in support of their contention.[594] Other scholars appeal to our intuition in order to justify the opposite claim.[595] On this issue, my intuition sides with the latter scholars.[596] Another issue in which intuition plays a significant role concerns whether the notion of privacy can apply to corporate entities.[597]

Of the four definitional groups outlined above, the conception of privacy that best accords with my intuition is in terms of limited accessibility along informational, spatial and psychological planes. I believe that this conception comes closest to capturing the core of privacy at the same time as it does relatively large justice to the multidimensionality of the concept.

In data protection discourse, however, the most popular definitions of privacy are in terms of information control.[598] Also non-English words describing the data protection interest(s) of data subjects - for instance, "personvern" (Norwegian) and "personlig integritet" (Swedish) - are commonly defined along similar lines.[599] The popularity of such definitions in data protection discourse should come as no surprise. They are definitions that appear directly applicable to the issues raised by organisations' data-processing practices, at the same time as they harmonise fairly well with, and build upon, central principles on due administrative process. Furthermore, a control-based definition of privacy arguably lends the concept considerable normative force, as it allows privacy advocates to tap into the dynamic ethical undercurrent associated with the ideal of self-determination. In my opinion, though, privacy is more aptly characterised as a condition which can result from, or facilitate, exercise of information control, rather than as co-extensive with such control. Concomitantly, I would argue that conflating privacy with control serves to rob privacy of its conceptual uniqueness, which is already under much press.[600] This might detract, in turn, from the force of privacy advocacy in the long run. Witness, for instance, the considerable criticism of US case law on the constitutional right to privacy for using the privacy concept to address issues that seem essentially to concern autonomy.[601]

The least popular conception of privacy in data protection discourse appears to be that linking privacy exclusively to intimate or sensitive aspects of persons' lives. One probable factor behind this relative unpopularity is that intimacy-oriented definitions of privacy are unable to anticipate and capture the process by which detailed personal profiles are created through combining disparate pieces of ostensibly innocuous information. By "innocuous" information is meant pieces of data that, on their own and on their face, are not sensitive or intimate for the person concerned. The aggregation of such data presently constitutes one of the major methods of creating personal profiles.[602] As administrative systems in both the public and private sectors become increasingly integrated, such aggregation is likely to occur on an even larger scale during the coming decades. Accordingly, any conception of privacy which does not capture or reflect this process is of relatively little utility for present and future appreciation of data protection issues.

Another reason for rejecting an intimacy-oriented definition of privacy is that such a definition makes it difficult, if not impossible, to apply the privacy concept to many collective entities, especially corporations.[603] However, I have not found any evidence suggesting that this difficulty has been a significant cause of the relative unpopularity of intimacy-oriented definitions in data protection discourse.

A more significant cause of such unpopularity - and one directly related to the first factor mentioned above - stems arguably from the relatively close connection between intimacy-oriented conceptions of privacy and so-called "Sphärentheorie" ("sphere theory").[604] The latter, which appears to have reached its fullest development in German jurisprudence on "Persönlichkeitsrecht" ("law of personality"), is based upon a view of personal life as divided into a series of spheres ("Sphären") or realms ("Bereich") of activity (including expression and thought), each protected from intrusion according to its intimacy or sensitivity for the individual concerned.[605] Hubmann, for instance, identifies three main spheres. In order of ascending intimacy and worthiness of protection, these are: the individual sphere ("Individualsphäre"), private sphere ("Privatsphäre) and secret sphere ("Geheimsphäre").[606] Information about activities belonging to the latter sphere is said to enjoy stringent protection against unauthorised disclosure.[607]

Elements of the theory had some influence on early contributions to data protection discourse. This can be seen, for example, in Jon Bing's valiant attempt to categorise all personal data according to their sensitivity.[608] But the theory was quickly dispensed with as the primary operational rationale for data protection law, mainly because it fails to delineate clearly the contours of the various spheres, why these exist and what breaches them.[609] It has also been argued that the basic assumptions of the theory have little or no foundation in reality: it is claimed, for instance, that the intimacy or sensitivity of data always varies from context to context.[610]

I am not entirely convinced that the latter claim amounts to a telling objection to the validity of sphere theory. The claim rests on an assumption that the degree of intimacy and/or sensitivity of all personal information is ultimately a function of culturally relative norms rather than of, say, a psychological disposition shared by all human beings. This assumption is plausible but difficult to prove. Moreover, within particular, albeit broadly defined, cultures (eg, "modern Western society"), there are some types of information (eg, information concerning persons' affliction by sexually-transmitted diseases) that remain intimate and/or sensitive in most - if not all - contexts (within the particular culture). It might be more correct to argue that what changes from context to context (within the particular culture) is not the degree of intimacy and/or sensitivity of such information, but the extent to which one is prepared or required to allow it to be disclosed or used.[611]

In any case, however, sphere theory has the same major drawback, from a data protection perspective, as intimacy-oriented definitions of privacy; that is, it fails to capture the creation of detailed personal profiles through the aggregation of ostensibly innocuous information.[612] A more practical problem is that legislative embodiment of the theory, or of concomitant attempts to grade data according to their sensitivity, would require a casuistic form of regulation which is complex and lengthy.[613]

Given the above problems, it is not surprising to find that there is little direct manifestation of sphere theory and intimacy-oriented conceptions of privacy in the provisions of data protection laws. The ambit of data protection laws is generally not limited to information of a particular, predefined quality about persons.[614] Nevertheless, we find direct manifestation of sphere theory and intimacy-oriented conceptions of privacy in those data protection laws that place extra restrictions on the processing of certain types of especially sensitive, personal data.[615]

It is also arguable that traces of sphere theory are imported into the German Federal Data Protection Act due to the links made in the Act's objects clause with general doctrines on "Persönlichkeitsrecht".[616] Some legal scholars claim, however, that the theory has been debunked by the 1983 Census Act decision of the German Federal Constitutional Court.[617] Other scholars, though, claim the opposite.[618] In my opinion, there is little doubt that, in the context of data protection, sphere theory has been dethroned and largely dismantled by the Court's decision. The Court makes clear that the nature of that to which data refer is no longer to be regarded as the only factor to be taken into account when determining the protective status of the data; what is decisive is how and to what ends the data may be used.[619] The Court goes on to recognise that data, which are apparently trivial by themselves, can be accorded a new "significance" ("Stellenwert") when linked with other data; concomitantly, the Court holds, there are no longer any "insignificant" data in the light of modern techniques for data processing.[620] But the Court does not hold that the nature of that to which data refer is without any relevance whatsoever for determining the protective status of the data.[621] In this respect, therefore, it can be argued that the Court does not kill all vestiges of sphere theory.

Even if intimacy-oriented conceptions of privacy are reflected only weakly in the provisions of data protection laws, this does not mean that we can conclude that such laws are only marginally concerned with safeguarding privacy. For each of the other three conceptions of privacy (ie, in terms of non-interference, limited accessibility and information control) are clearly embodied in most of the laws' core principles. On this point, I refer to what is written in section 7.2.5 below.

7.2.2. Values and interests associated with privacy

While data protection laws can help to safeguard data subjects' privacy, it is not the case that this is their only rationale, even from the perspective of data subjects. Many contributors to data protection discourse recognise that the safeguarding of privacy itself serves a large range of other values and interests, each of which must accordingly form part of the rationale for data protection laws.

There is an immense literature on the values and interests served by privacy.[622] There is also an immense number of ways in which these values and interests are described. Further, there is considerable debate in this literature over the exact role privacy plays in securing these values and interests: is privacy, for instance, a necessary prerequisite for realising the value or interest concerned or is it simply a factor that enhances the likelihood of realisation? For present purposes, it suffices merely to point to central values and interests that recur in this literature, without canvassing the complicated issue of the exact role played by privacy in securing each value/interest. Further, it is unnecessary to differentiate here between the various definitions of privacy advanced in the literature: the analysis below is pitched at such a level of generality that it is capable of applying to accounts of privacy in terms of either limited accessibility, non-interference, information control or protection of intimate matters.

One value promoted by privacy (and, thereby, data protection laws) is individuality.623 Privacy helps to set the boundaries by which we constitute and regard ourselves as individual persons.[624] Further, privacy helps to prevent the flattening out of human personalities such that they become one-dimensional[625] and/or merge with the mass.[626]

Closely related to individuality is autonomy. A person's privacy acts as a barrier to manipulation or control by others.[627] Concomitantly, it facilitates a person's ability to choose freely social roles.[628] Such independence, of course, also promotes individuality as described above.[629]

Another pertinent value - also closely related to the first two - is dignity (ie, persons' intrinsic worth).[630] A person's privacy serves to screen out behaviour by others which can affront his/her sense of intrinsic worth.[631] In so doing, privacy also serves to maintain the person's integrity (ie, state of harmonious functionality).[632] At the same time, rules and other social conventions for the protection of privacy (including, of course, data protection laws) may be viewed as ultimately grounded in respect for dignity.[633]

A fifth value served by privacy is emotional release. Privacy provides a refuge from the psychological stresses of having to comply with the social expectations inherent in public role-playing.[634] Concomitantly, privacy goes some way to providing an antidote for psychological overheating in the form, say, of schizophrenic behaviour.[635]

Closely connected to emotional release is self-evaluation. Privacy provides a person the necessary space and peace "to integrate his experiences into a meaningful pattern and to exert his individuality on events".[636]

A seventh value promoted by privacy is inter-personal relationships of love, friendship and/or trust. Privacy fosters such relationships by allowing persons to discriminate between other persons in terms of what information they are willing to share.[637]

All of the above values can be summed up as being more or less concerned with "achieving individual goals of self-realization".[638] It is important to note, though, that privacy and the above values do not simply have relevance for the well-being of individual persons; they have a broader societal significance too. Their protection serves to constitute a society infused with civility, stability, pluralism and democracy.

With regard to civility, norms for the protection of privacy (and of the other values listed above) both promote and embrace a concern for mutual respect between individual persons.[639] Without such mutual respect there is little chance of building a secure sense of community.[640] Similarly, these norms help to maintain societal stability by dissipating the tensions inherent in social relations.[641]

With regard to pluralism, safeguards for privacy (and for the other values listed above) help to secure diversity of opinion and lifestyle.[642] Such safeguards also help to prevent the accumulation of political, social and/or economic power within the hands of a small group of persons.[643] Concomitantly, such safeguards also serve to secure the necessary conditions for active citizen participation in public life; in other words, they serve to secure democracy.644

The insight that privacy safeguards have broad societal benefits is not something that we can take for granted. Much of the discourse on privacy and privacy rights - particularly in the USA - has tended to focus only on the benefits these have for individuals qua individuals.[645] Moreover, privacy and privacy rights have often been seen as essentially in conflict with the needs of "society".[646] The counterpart of this is a considerable literature seeking to highlight various ways in which privacy rights detract from the common good.[647] As Priscilla Regan convincingly shows in relation to US legislative processes, these tendencies have the unfortunate consequence that they lead to skewed appreciation of the societal benefits of privacy rights, thus hampering advocacy for strong(er) data protection laws.[648]

Fortunately, it is my impression that data protection discourse shows increasing recognition of the value of privacy and data protection norms not simply for individual persons but also for the maintenance of pluralist, democratic society. In the terminology of Michelman, Habermas and others, we can say that data protection discourse is gradually supplementing a "liberal" perspective on data protection rights with a "republican" perspective. Under the former perspective, rights are viewed as securing negative liberties (ie, freedom from), while the republican perspective sees rights as securing positive freedoms (ie, freedom to). Concomitantly, the liberal perspective stresses the importance of rights as safeguarding the individual against intrusions from the public sphere (polity), while the republican perspective stresses the importance of rights as enabling individuals' participation in the public sphere (polity).[649]

Prominent advocates of the latter perspective within data protection discourse are Spiros Simitis in Germany and Paul Schwartz in the USA. For Simitis, data protection laws do not signal a concern to maintain a closed, private sphere for the individual citizen but formulate rather the preconditions for creating a society based on citizen participation.[650] Schwartz argues that data protection laws should be seen as furthering both "deliberative autonomy" (ie, "the underlying capacity of individuals to form and act on their notions of the good when deciding how to live their lives") and "deliberative democracy" (ie, "the decisional process by which individuals make choices about the merits of political institutions and social policies").[651] Under the latter parole, he states that data protection laws "must structure the use of personal data so that individuals will be free from state or community intimidation that would destroy their involvement in the democratic life of the community".[652]

7.2.3. Informational values and interests

Some contributors to data protection discourse draw attention to the fact that data protection laws are expressly concerned with setting standards for the quality of personal information. Mallmann, for instance, views concern for adequate information quality as one of the two basic "Zielfunktionen" of data protection.[653] Mallmann divides this concern into three elements: ensuring that information is (i) correct, (ii) complete and (iii) not used out of context.

Similarly, Burkert observes that data protection laws attempt to maintain "borderlines of meaning" in the face of the technological possibility for cross-contextual processing of data:

Data protection legislation seeks to reintroduce normatively what information technology has taken away technologically: physical limits of the handling of personal data are maintained by normative limits. Data protection seen from this perspective is nothing but an attempt to maintain borderlines of meaning at a stage when the elements of meaning can be combined at the administration's will. With regard to documents containing personal data, data protection is the attempt to maintain the character of the traditional (personal data) document as singular, context related, time defined unit. Hence the emphasis on purpose limitation, on relevance, accuracy, timeliness, etc in national and international data protection regulations.[654]

At an even higher level of abstraction, data protection laws have been viewed as measures to counter what Jean Nicholas Druey calls "Daten-schmutz" ("information pollution").[655] Hans-Peter Gassmann, for example, draws parallels between data protection laws and environmental protection laws, not just in the history of their development but also in their respective concerns. He suggests that data protection laws are concerned with sanitising the informational environment.[656]

Concern for adequate information quality appears to figure evermore prominently in data protection discourse, at least in Norway. Indeed, the Bill for a new Norwegian data protection statute contains an objects clause (s 1) specifically referring to the need for "adequate quality of personal data" ("tilstrekkelig kvalitet på personopplysninger") in addition to the needs for "personal integrity" ("personlig integritet") and "privacy" ("privatlivets fred").[657] The growing prominence of concern for adequate information quality is due partly to aspects of the trend towards electronic interpenetration - most notably the increasingly cross-contextual character of data processing, as described in Chapter 6 (sections 6.2.1 and 6.2.2).[658] It is due also to an accumulating body of empirical evidence suggesting that the quality of information processed by various organisations is often poor.[659]

While adequate information quality obviously can serve to secure the privacy and related interests of data subjects,[660] it breaks down into a multiplicity of interests that have little direct connection to the values described in sections 7.2.1 and 7.2.2.[661] Thus, Mallmann treats information quality and privacy as denoting distinct "Interessenpositionen", though he correctly recognises overlaps.[662]

7.2.4. Norwegian interest models

In this section, I describe Norwegian attempts to conceptualise the data protection interests of data subjects. I do so for two reasons: first, these attempts are amongst the most comprehensive and systematic of their kind; secondly, they are concerned to a great extent with finding stable points of reference in the actual development and practice of data protection legislation.

In Norway, the central term used in discourse on privacy and data protection is "personvern". Somewhat paradoxically, though, the Norwegian PDRA refers to the term in only one provision: s 3 (which states, ia, that the Data Inspectorate shall provide advice and guidance on questions relating to "personvern" to those who are planning to establish personal data registers). The term has occasionally found its way into data protection discourse in other Nordic countries.[663] Generally, though, it is eschewed there for other terminology.

Translated directly into English, "personvern" means "protection of the person". Other terms are sometimes used in data protection discourse instead of "personvern",[664] but the latter term predominates. The term was coined in the early 1970s to denote primarily the interest(s) a person has in being able to control the processing of information on him-/herself, particularly when the processing is done by computer.[665] This definition of the term was adopted early on by the Data Inspectorate,[666] and has been dominant in Norwegian discourse on data protection generally. However, alternative definitions have been advanced within this discourse, especially in recent years. An example is provided by Knut Selmer who describes "personvern" as "first and foremost a safeguard for the individual to ensure that the processing of information in public and private administration is not carried out secretly or does not otherwise expose the individual to certain dangers, drawbacks or unpleasantness".[667] Another example is provided in the report of the committee - headed by Arne Skauge (hereinafter termed "Skauge Committee") - which was officially charged in 1995 with revising Norway's PDRA: there, "personvern" is said to concern "requirements for processing personal information when the requirements are founded on certain ideal (non-economic) interests that are attached to physical (and possibly legal) persons".[668] Both these alternative definitions are arguably more in line with the literal connotation of "personvern" than is the traditional definition.

The traditional definition of "personvern" in terms of information control is close to the definition of privacy given by Westin, Miller and others.[669] This is expressly acknowledged by Ragnar Dag Blekeli in an English-language article presenting Norwegian theory on data protection. In this article, Blekeli translates "personvern" as "privacy", defining the latter as "an interest of identifiable single persons (physical or legal) in exercising control of the information describing themselves".[670]

The notion of "personvern" has close thematic and etymological ties to the older notions of "personlighetsvern" ("protection of the personality") and "personlighetens rettsvern" ("legal protection of the personality"). The latter notions describe a body of law which protects the individual in various contexts from breaches of his or her physical and mental integrity.[671] Much of this body of law is set down in statutory rules, especially those of the Penal Code.672 There is, however, a general protection of personality which exists independently of statute law (but which helps constitute the latter) and which can be developed and applied by the courts. While case law applying this non-statutory protection of personality is far from extensive, it confirms that a major dimension of such protection is the safeguarding of privacy and related interests in connection with the processing of personal information.[673]

Despite the close thematic and etymological ties between "personlighetsvern"/"personlighetens rettsvern" and "personvern", some scholars claim that the focus of the former notions differs from that of the latter. "Personvern", according to these scholars, focuses upon the phenomenon of mass administration based on systematic, computerised processing of personal data on large numbers of persons. In contrast, the orientation of the concepts of "personlighetsvern" and "personlighetens rettsvern", along with their accompanying legal doctrines, is said to be towards protecting individuals' integrity in ad hoc situations (eg, exposure of individuals' private affairs in the mass media) that do not necessarily involve computerised data processing.[674]

While "personvern" was originally intended to pertain solely to core data protection issues, the term's extensive literal breadth has contributed to a situation in which it is now increasingly employed to include a range of concerns beyond those usually associated with computerised data-processing practices. For example, Norway's National Research Ethics Committee for Medicine (Den nasjonale forskningsetiske komité for medisin) uses the term to denote "ethical and legal norms which aim at protection of the individual both with respect to physical and mental integrity".[675] Similarly, the report of a government-appointed committee headed by Erik Boe and charged with assessing regulation of personal health/medical registers in Norway (hereinafter termed "Boe Committee"), defines "personvern" in terms of protection of "personal integrity".[676] The report notes additionally that the term is capable of encompassing "everything from physical mortification to exposure in the mass media".[677]

One finds the term also being used by the judiciary, the government bureaucracy and some legal scholars in cases that previously have been viewed as typically concerning "personlighetsvern" or "personlighetens rettsvern".[678] Moreover, Knut Selmer, who is credited with coining the term, has recently stated that the Norwegian Data Inspectorate deals only with "one side" of "personvern".[679] By contrast, Ørnulf Rasmussen, in a recent study dealing with the processing of personal health/medical information, distinguishes "personvern" from what he calls "integritetsvern" (literally, "protection of integrity").[680] Unfortunately, Rasmussen does not directly define the latter concept, thereby compounding terminological confusion. However, he appears to view "integritetsvern" as intimately linked to, if not synonymous with, protection of personal self-determination.[681] The possible implication, though, that self-determination is not a central element of "personvern" is problematic, especially given that the existence or otherwise of data subjects' opportunity to consent to certain forms of data processing has been an important consideration in the practice of Norwegian data protection law.[682]

In the following, I focus first on a conceptualisation of "personvern" developed in the main by Ragnar Dag Blekeli and Knut Selmer, each of whom have been attached to the NRCCL. It is a conceptualisation that has dominated data protection discourse in Norway. In the following, I term this the "traditional" conceptualisation of "personvern".

One of the basic premises of this conceptualisation is that "personvern" is not linked to a particular object or sphere, such as the individual's personality. As Blekeli puts it:

"Personvern" is not concerned primarily with an object or thing - the individual's personality - but with a relation. This ... is the relationship between an individual and other persons or organisations that use information on that individual.[683]

Concomitantly, the idea that "personvern" is concerned with protecting a personal sphere or space ("sphere theory" or "sfæreteorien") is rejected.[684] This does not mean that conceptualisations of "personvern" along the lines of "sphere theory" have been laid completely dead,[685] but they are rare.

In general, "personvern" has tended to be explicated in the context of decision-making processes. In this context, "personvern" is said to embrace a set of related interests which a person has in relation to the making of decisions by others on the basis of information about him-/herself. The notion of interest seems to be synonymous with a concern to realise certain valued states of affairs.[686] As for the notion of decision ("beslutning"), this is sometimes viewed as capable of embracing both formal decisions made by organisations and informal reactions from persons with whom one has everyday contact.[687] Nevertheless, the thrust of analysis seems to focus on relatively formal decision-making processes, in line with the thrust of doctrines on "rule of law" ("rettssikkerhet"). Indeed, the latter doctrines appear to have had a pervasive influence on development of the traditional conceptualisation of "personvern". This becomes clear when we examine the interests described below.

Three core interests have been linked to "personvern". In summary form, these interests are usually formulated in terms of "confidentiality" ("diskresjon"), "insight" ("innsyn") and "completeness" ("fullstendighet"). The interest in confidentiality is described in terms of a person's desire to restrict the flow of data about him-/herself to other persons or organisations. This interest pertains both to the situation in which the data flows directly from the data subject to another person/organisation and to the situation in which the data flow onwards from that person/organisation to third parties. The interest in insight - also sometimes expressed as an interest in awareness ("opplysthet") - is said to concern a person's desire to know who processes data about him-/herself, what data are processed and the purpose(s) for the processing. As for completeness, this denotes an interest in ensuring that personal information is complete, correct, relevant and not misleading in relation to the purpose(s) for which it is processed.[688]

The link between "personvern" and decision-making processes is drawn most clearly in the work of Blekeli. For Blekeli, "personvern" and "privacy" involve securing for a person a "relevant information basis" for the taking of decisions that make use of information about that person.[689] He describes the interests in confidentiality, completeness and insight largely in terms of this concern for relevance. He emphasises that upholding the interest in confidentiality helps to prevent personal information being applied to specific decision types for which the information is irrelevant. Completeness is described as an interest that "no information element that [the data subject] ... considers to be relevant to the decision basis should be omitted and that the relevant elements should be correct, up to date and sufficiently precise". Similarly, the interest in insight is viewed in terms of the ability of the data subject to control the relevance of "decision bases".

The last interest, that of insight, is often linked to data subjects' interest in "participation" ("deltagelse") and "influence" ("medvirkning" and/or "innflytelse") in relation to decision-making processes based on data about them. In some analyses, the latter interest appears to be regarded as part-and-parcel of the interest in insight;[690] in others, the interest in participation and influence is viewed as the core basis of "personvern".[691]

The above interests have figured prominently in Norwegian theory on "personvern" right from the time when the latter concept began to be used. They have been subsequently supplemented by four other interest types. One of these is the interest in "protection from unreasonable disturbance of private life" ("vern mot utidig innblanding i privatlivet").[692] This interest concerns the desire to preserve the peace of one's private life from being disturbed by the intrusive activities of others.

The other three interests, compared with those described above, are said to relate not so directly to persons as individuals but to have a more collective, societal relevance.[693] They are commonly described in terms of "citizen-friendly administration" ("borgervennlig forvaltning"), "protection against misuse of power and excessive control" ("vern mot maktmisbruk og overdreven kontroll") and "robust society" ("robust samfunn").

The interest in citizen-friendly administration denotes a desire that citizens be served cordially, efficiently and correctly by the organisations with which they deal. This implies that communication between organisations and citizens be open and informative, and that organisations preserve their "human face".[694] In terms of organisational decision making, the interest is also said to involve ensuring that decisions are properly reasoned, reached without undue delay and in accordance with applicable law.[695]

The interest in protection against misuse of power and excessive control is said to embrace the so-called "legality principle" ("legalitetsprinsipp")[696] in Norwegian law.[697] It is also said to embrace the desire to avoid a surveillance level in society which renders citizens so transparent that they are stripped of any real ability to play different roles in different contexts.[698] Moreover, the interest denotes a concern that the development and organisation of a country's information systems take due account of the possibility of the systems being utilised for totalitarian ends in the event, say, of foreign occupation.[699]

As for the interest in robust society, this relates to the issue of "vulnerability"; ie, the growing dependency of modern society on information technology to execute administrative, political and economic tasks, and the resultant social crisis that could occur were this technology to malfunction. A robust society is said to be a society in which such vulnerability is minimised; in other words, it is a society in which information and information systems are protected from damage caused by accident or intentional interference.[700]

The interest catalogue set out above is not the only interest catalogue to have been advanced in relation to "personvern" as concept and concern. But it has been the most influential in setting the agenda for Norwegian data protection law, specifically the PDRA. The interest catalogue has also functioned - with a fair amount of success - as the main heuristic aid in explaining the nebulous notion of "personvern" to newcomers to the field of data protection.[701]

The development of the interest catalogue is largely an attempt to make "personvern" operational. More specifically, it is an attempt to generate tangible points of reference to guide the drafting and implementation of data protection law. As such, the interest catalogue plays an important role in explaining the rationale for, and practice of, the PDRA.[702] Further, the catalogue has acquired a legal basis, in the sense that all of the above interests are more or less embodied in the provisions of the PDRA, its travaux préparatoires or in the Data Inspectorate's practice pursuant to the Act.[703]

According to Selmer, who was Chairman of the Inspectorate's Steering Committee from 1980 to 1996, the interest catalogue also sets out the scope for what the Data Inspectorate may base its decisions upon when exercising its discretionary powers pursuant to the PDRA.[704] In other words, the catalogue not only has an explanatory function but prescriptive and legitimating roles too. Selmer does not elaborate upon the exact legal status of the interest catalogue in this regard. It may be apposite in a normative/legal context to regard the catalogue as functioning as a set of guiding standards ("retningslinjer") in Sundby and Eckhoff's sense of the term.[705] In other words, they indicate which factors should be taken into account when weighing up the pros and cons of a particular phenomenon that falls to be regulated pursuant to the PDRA, but they lack the determinative force that fully-fledged legal rules typically possess.

At the same time, there is nothing in the PDRA or its travaux préparatoires which suggests that the Data Inspectorate's discretionary decision making pursuant to, say, s 10 of the Act must keep strictly within the boundaries set by the interest catalogue. In practice, though, it will be rare that the Inspectorate is unable to justify its decision making in terms of one or more elements contained in the interest catalogue, given the latter's wide-ranging nature. Moreover, as Selmer notes, the Data Inspectorate is able to expand legitimately upon the catalogue through its uncontested exercise of discretionary powers pursuant to the PDRA:

If, in a series of cases, the Data Inspectorate has decided to put weight on a certain factor, and this practice is not stopped by a superior authority or by complaint, then the factor concerned enters into the "interest catalogue" upon which the Inspectorate may legitimately build.[706]

The legitimacy of this expansion, though, is conditional upon the Inspectorate not going beyond the limits of its competence as fixed by Parliament.

The new factor concerned may flesh out one or more of the above interests or it may constitute an interest in itself. An example of a relatively "new" interest is the interest in protection from unreasonable disturbance of private life. The Data Inspectorate has put weight on the interest when restricting telemarketing activity directed at private homes.[707] Weight has also been put on the interest in the Inspectorate's regulation of the contact that researchers may have with potential survey respondents.[708] As the Inspectorate's emphasis on the interest has not been rebuked by higher authority (notably the Ministry of Justice),[709] the interest is now viewed as a legitimate supplement to the interest catalogue presented above.

What is especially noteworthy with the interest in protection from unreasonable disturbance of private life is that it relates more closely to the ideals of "sphere theory" and the need to protect persons' "inner space" than the other interests do. This is not to suggest that the other interests contain no traces of a concern for preserving a person's "inner space". In my view, the interests in confidentiality and protection against excessive control contain such traces though these usually have not been given prominence in explications of the two interests.

At the same time, it is interesting to observe that the explication of "personvern" in terms of the above interest catalogue allows "personvern" to be applied in large part to corporate and collective entities.[710] Most, if not all, of the above interests can easily be shared by private corporations and groups, though it is arguable that the interest in protection from unreasonable disturbance of private life is less relevant for some such entities than it is for individual natural/physical persons. The implications of this insight are explored in Part III.

The explication of "personvern" in terms of the above catalogue of interests has not been without criticism. This criticism has manifested itself largely in the 1990s. The substance of the criticism is that the interest catalogue is not sufficiently comprehensive, in part because of its focus on administrative decision-making processes,[711] and in part because of its failure to indicate the relative weight of the interests concerned vis-à-vis each other and opposing interests.[712] Some of the labels used to identify the interests concerned have also been criticised.[713]

While much of this criticism is valid, it should be noted that the catalogue of interests set out above has not been intended by its exponents to constitute an exhaustive definition of the "personvern" concept.[714] Its exponents recognised early on that the catalogue could be developed further. Decision-making processes have simply constituted a point of departure for development of the catalogue, not necessarily the end-point for this development. The initial focus on such processes is justified to some extent by the fact that in large organisations, personal data tend to be registered, stored, disseminated and used in order to ground decisions that can have detrimental consequences for the data subject(s); concomitantly, the need for data protection tends to be most acute in these contexts. The focus on decision-making processes is further justified by the fact that many of the interests - particularly the interests in completeness and insight - have little practical meaning except in relation to the actual uses to which personal data are put.[715] One can also protest that it is too much to ask that the interest catalogue indicate the relative weight of the interests concerned, as such weighting is largely context-dependant. Given the multiplicity of contexts for the processing of personal data, it is scarcely possible to present in the abstract an accurate description of the interests' relative weight without making the presentation excessively complex and casuistic.

This said, I believe that the interest catalogue as presented above (hereinafter termed the traditional catalogue) still needs to be both refined and expanded if it is to provide a fully accurate conceptualisation of the rationale for data protection laws from the perspective of data subjects. I attempt to justify my claim further below by formulating an alternative interest catalogue. Before doing this, however, it is worth taking note of several other alternative catalogues that have been proposed already.

One such catalogue is proposed by Erik Samuelsen in the first major Norwegian analysis of data protection issues in relation to the processing of personal information by the public sector.[716] Samuelsen identifies as "amongst the most important" interests of data subjects the following: (1) "personal autonomy" ("personlig uavhengighet"); (2) "protection of communication with others" ("beskyttelse av kommunikasjon med andre"); (3) "avoidance of alienation and conformity" ("å unngå fremmedgjøring og konformitet"); (4) "social role playing" ("å spille en rolle"); and (5) "protection of self-conception" ("vern om individets identitetsbilde").

While the first two interests listed are self-explanatory, a few words of explanation are needed for the other three. Samuelsen explicates the interest in avoiding alienation and conformity in the context of the control dynamics associated with panopticism. Thus, the interest expresses a desire to prevent a situation in which people regulate all or much of their behaviour to conform with what they perceive to be the standards and expectations of authorities. The interest falls within the ambit of the interest described above in protection from excessive control. As for social role playing, this interest is described by Samuelsen in terms of a person's need to play different roles vis-à-vis different persons and organisations. Samuelsen observes that the ability to play different social roles is partly a function of the degree to which a person can control the flow of information about him-/herself to others. Accordingly, the interest in social role playing is closely linked to the interests in personal autonomy and protection of communication with others. It is also closely linked with the interests in confidentiality and protection from excessive control. Regarding the interest in protecting self-conception ("identitetsbilde"), this refers to the need to avoid being confronted with, or made aware of, information about oneself which can threaten one's self-conception and result in psychological problems. Examples given by Samuelsen of such information include results of certain types of psychological and medical tests.

Another noteworthy interest catalogue is that proposed in a 1979 report by a Working Group commissioned by the former Norwegian Research Council for Science and the Humanities (Norges almennvitenskapelige forskningsråd (NAVF)) to examine ethical norms relating to use of personal information for research purposes.[717] In addition to the interests in confidentiality, completeness and insight, the Working Group identifies the interests in "genuine consent" ("reelt samtykke") and "protection of psychic and physical integrity" ("vern om psykisk og fysisk integritet"). The latter interest is defined in terms of avoiding "uncomfortable situations" ("ubehagelige situasjoner"), or, more specifically, situations that detrimentally affect a person's "psychic balance" ("psykiske balanse") or "physical well-being" ("fysiske velvære").

The report of the Boe Committee contains an interest catalogue consisting of the following elements: (1) "being left in peace" ("å være i fred"); (2) "self-determination/autonomy" ("selvbestemmelse" /"autonomi"); (3) "control and oversight over information on oneself" ("kontroll og oversikt over opplysninger om seg selv"); (4) "avoidance of transparency" ("unngå gjennomsiktighet"); (5) "anonymity" ("anonymitet"); (6) "protected communication" ("beskyttet kommunikasjon"); and (7) "correct person-portrayal" ("korrekt person-bilde").[718]

A basic point of departure for this interest catalogue is that "personvern" arises as a concern not just when personal data are actually used in a decision-making process affecting the data subject; "personvern" is equally as much a concern in relation to data subjects' fears (rational or not) about potential use of data. Thus, the interest in being left in peace, for example, is explicated partly in terms of a person's desire to avoid first-time registration of data on him-/herself.[719] Both the terminology used to describe the above interests and the way in which the interests are explicated reflect a basic concern in the report for the integrity and psychological/emotional well-being of data subjects. Nevertheless, there is considerable overlap between this interest catalogue and the traditional catalogue expounded by Blekeli, Selmer and Bing. For example, the first of the above-listed interests equates with the interest in protection from unreasonable disturbance of private life. The second-listed interest embraces the interest in controlling the processing of data on oneself (ie, the core interest that Blekeli and Bing associate with "personvern"). The third-listed interest corresponds with the interests in insight, participation and influence. The fourth- and fifth-listed interests are embraced by the interest in protection against excessive control. The interest in protected communication is explicated in terms of the interest in confidentiality, while the interest in correct person-portrayal is explicated in terms of the interest in completeness.

Finally, Jens Petter Berg and I have set out two alternative interest catalogues in an article published in 1995.[720] The one catalogue embodies a so-called "personality-oriented" conceptualisation of data protection interests, focusing on data subjects' interests in privacy and integrity. The other catalogue embodies a so-called "context-oriented" conceptualisation of interests, focusing on the context and manner in which personal data are processed. Read together, the two catalogues both refine and supplement the other interest catalogues described above. The basic intention of the article, though, is to show that the two catalogues (and the two ways of conceptualising data protection interests) are complementary and that the distinction between them is neither always, nor necessarily, strong.

The first-mentioned catalogue (ie, embodying a "personality-oriented" conceptualisation of data protection interests) is organised around the four definitions of privacy which are set out in section 6.2.2 (ie, non-interference, limited accessibility, information control and protection of intimate matters). The second-mentioned catalogue embraces the following interests: (1) "rule of law"; (2) "relevance, adequacy and non-excessiveness"; (3) "accuracy"; (4) "confidentiality"; (5) "openness and transparency"; (6) "security"; and (7) "non-automated decision making". What is particularly noteworthy with this catalogue compared to the catalogues set out above is that it is based directly on the provisions of data protection laws. This partly accounts for the prominence it gives to the interest in "rule of law". This interest is defined in the article as the subjection of activities (in the instant case, data processing) to legal controls so that there exists, ia, legal authorisation and accountability for these activities. Berg and I write that this interest is "[a]rguably the most fundamental interest that is safeguarded by data protection laws".[721] Also noteworthy is the interest in "non-automated decision making". This interest is said to be

concerned with ensuring that human data subjects are not subjected to non-human (and perhaps inhuman) decision-making procedures. More specifically, the interest is concerned with ensuring that human beings retain an ability to resist being adversely affected by decisions made exclusively by computers.[722]

This interest, however, can be subsumed under other interests: notably, those concerned with adequate information quality and citizen-friendly administration. Ultimately, the interest pertains to a broader concern for treating human beings with respect.[723]

Common for the alternative interest catalogues, compared with the traditional catalogue, is that they give more prominence to the interest in integrity and, concomitantly, focus more explicitly on the psychological effects of certain data-processing activities on data subjects. Yet, as noted above, there is a great deal of overlap between all of the catalogues. Moreover, a concern for data subjects' integrity lies implicit in the traditional catalogue. It would be fair to say that the differences between the catalogues reflect variations in emphasis rather than a clash of paradigms. The same can be said for the interest catalogue I propose in the next section. It refines and supplements the above catalogues rather than breaks with them.

7.2.5. A re-elaboration of data protection interests

Introductory remarks

Like most of the above catalogues, the set of interests presented in this section is intended both to delineate the concerns of data protection generally and the concerns of data protection as a legislative phenomenon, primarily in relation to data subjects. Concomitantly, this set of interests is not intended solely to depict the agenda of data protection laws as they currently stand; it is also intended to depict some of the potential agenda of future data protection laws. Ultimately, of course, this set of interests depicts the concerns of human beings - a point elaborated upon further below.

Again, like the above catalogues, this set of interests is not intended to determine the outcome of the myriad conflicts thrown up by the existence and implementation of data protection laws; it simply aids in identifying and clarifying the interests at stake. In other words, it helps to structure interest-balancing processes pursuant to these laws, but does not directly determine the outcome of such processes.

Along with the above catalogues, this set of interests also plays a pedagogical/heuristic role in explaining the ambit of data protection concerns to newcomers to the field. Closely linked to this pedagogical role is the catalogue's legal-political function: the catalogue can be used as a standpoint from which to compare how various data protection laws safeguard the interests concerned, and it can buttress attempts to extend the scope and stringency of these laws.

It is important to note that very few of the interests set out below are uniquely the concerns of law and policy on data protection. Indeed, some of the interests are promoted to a far greater extent through other types of instruments than data protection laws. It could be argued, accordingly, that it is misconceived to term such interests "data protection interests". However, this argument rests on a misconception of what is meant here by "data protection interests": the latter term is not intended to be proprietary in the sense that those interests embraced by it are to be regarded as exclusively the concerns of law and policy on data protection. An interest can be categorised as a "data protection interest" and still be capable of categorisation under another field of law and policy.

The catalogue is divided into two groups of interests. The first of these groups (hereinafter termed group 1) contains interests that relate to the quality of personal data, information and information systems. The second group (group 2) comprises interests concerned with the condition of persons as data subjects and with the quality of society generally.

For the most part, the interest catalogue pertains to data that are personal (ie, capable of being linked to specific persons). However, some interests pertain also to situations in which non-personal data are processed. In those situations involving personal data, it is assumed (as in the catalogues above and data protection laws generally) that the data do not necessarily relate to especially intimate or sensitive aspects of the data subjects' lives.

Although the interest catalogue is presented here primarily from the perspective of individual persons in the role of data subjects, it should be kept in mind that the catalogue is also capable of applying to collective entities in the same role. This capability is explored further in Part III.

In the following, I first provide a brief description of each interest, then a brief description of the manifestation(s) of the interest in data protection laws.

Group 1 interests

These interests concern the quality of personal information and information systems. They fall, to some extent, under the rubric of "completeness" in the traditional interest catalogue. The term "completeness", however, is too narrow to capture the full breadth of either the interest(s) to which it is supposed to refer or the interests described immediately below. There are three main sets of group 1 interests: one set relates directly to the content of personal data; another relates to the uses to which personal data are put; the third set concerns the quality of the information systems that process the data. It should be stressed that each of these sets of interests is, in practice, related to, and affected by, the other two sets.

With regard to the set of interests that directly concern data content, the overarching interest here is what I term the interest in validity of personal data. Validity is a measure of the extent to which personal data correspond with the attributes of persons which the data are supposed to represent. For the sake of brevity and convenience, I term these attributes as Real World Objects (RWO). When I claim that persons have an interest in the validity of data, I mean that they are desirous of the data corresponding with the appropriate RWO as closely as possible. The interest in validity is composed of several sub-interests:

(i) the precision of data (ie, the level of detail at which the data describe or define the RWO);

(ii) the comprehensiveness of data (ie, the extent to which all data that are necessary to represent the RWO are present); and

(iii) the correctness of data (ie, the degree to which the correspondence between the data and the RWO is error-free).

An important aspect of the second dimension (comprehensiveness) is the identifiability of the data (ie, the extent to which the data are able to be connected to the RWO that they are supposed to represent). An important aspect of the third dimension (correctness) is the currency, actuality or up-to-dateness of the data (ie, the age of the data measured in terms of the time difference between when the data are used for a given purpose and when the data first were collected and stored).

The second main set of group 1 interests relates to the uses to which personal data are put. The overarching interest here is what I term the interest in utility of personal information. Utility is a measure of the correspondence between information and the purpose(s) for which the information is processed (ie, collected, registered, stored, used and/or disseminated). The interest in utility is composed of two main sub-interests: the relevance and completeness of information. The notion of completeness is easy to define; it simply refers to the extent to which all relevant information is present in relation to a particular application. The notion of relevance, however, is difficult to describe in the abstract and without resorting to circular definitions that refer to concepts (such as pertinence, suitability or conformity) that are equally hard to define. It is often, though not always, possible to measure the hypothetical degree to which a given set of information is relevant to a given application, in terms of the extent to which the outcome of the application would differ according to whether or not the information is taken into account. Nevertheless, this does not explain how relevance is determined.

There are two classes of factors that determine relevance: those that could be loosely called "logical", and those that could be loosely termed "legal/moral". Of the former, the primary factor concerns the tightness of the logical/semantic link between the information and the use (potential or actual) of the information. Another logical factor is the weight carried by the information because of its perceived credibility and reliability - though this factor can also be partly a function of legal/moral factors. The latter class of factors is constituted by rules (legal and/or moral) that allow only certain types of information to be taken into account for certain purposes. Often the two classes of factors will be in harmony with each other, but this will not always be the case. Thus, the two classes of factors can give rise to two kinds of relevance - logical and legal/moral - which are not co-extensive.

The third set of group 1 interests relate first and foremost to the quality of information systems. The overarching interests in this respect can be summed up in terms of the manageability, robustness, accessibility, reliability and comprehensibility of information systems.

The manageability of an information system (IS) refers to the degree to which the IS - and interactions between the IS and other systems - can be steered, administered and maintained in a desired manner. It also refers to the extent to which the IS operates on the basis of a clear allocation of responsibilities for defining, registering, storing, rectifying and disseminating the data handled by it.

The robustness of an IS refers to the degree to which the system is (in)vulnerable to extraneous interference. This interest is roughly similar to what is denoted in the traditional catalogue by the interest in a "robust society".

The interest in accessibility of an IS relates to the extent to which an IS allows data to be located and retrieved. The interest covers both the practical/physical ease with which data can be located and retrieved, and the time it takes to locate and retrieve the data.

The reliability of an IS relates to the extent to which the system functions in accordance with the expectations of those who use it and those who are affected by it. This interest also embraces the degree to which the system takes account of the levels of random error and bias ("systematic" error) with which it operates.

The comprehensibility of an IS relates to the degree to which the system hinders or promotes understanding of the way in which it functions. By "understanding" is meant not just the understanding of the persons or organisations which are responsible for operating the system, but also the understanding of persons or organisations which are affected by the system (eg, as data subjects). Furthermore, the interest in comprehensibility embraces the capacity of the IS to promote or hinder understanding of the data it handles, including how easily the system permits discovery of faults with these data.

It should be emphasised that these five IS interests should not be understood as rigid categories, nor as being entirely separate of each other. Considerable overlap occurs between, eg, the robustness and reliability of an IS, and between its manageability and comprehensibility.

There also exist a range of miscellaneous interests which are embraced by various of the five IS interests but which are not made adequately explicit in the above presentation. One such interest concerns the integrity of data (ie, the extent to which the data remain free from unauthorised alteration or destruction whilst being processed). This interest falls mainly under the interests in IS robustness and reliability.

Another such interest concerns the interpretability of data (ie, the extent to which the data can be usefully understood). An essential component of interpretability is, of course, the presentation and form of the data (ie, the way in which data appear). The interest in interpretability falls mainly under the interest in IS comprehensibility.

A third such interest relates to the predictability of the means and outcome of data-processing operations from the perspective of the data subject. This interest can be read into the interest in IS reliability. However, its realisation also depends on realisation of most of the other category 1 interests, along with some of the interests in category 2 - particularly the interest in insight.

Yet another interest relates to registration quality (ie, the way in which data are registered in a given IS).[724] Essential components of registration quality are:

(i) registration completeness (ie, the extent to which each RWO that is supposed to be registered in a given IS, actually is registered in that system);

(ii) conversely, registration correctness (ie, the degree to which entities that are not supposed to be registered in the IS are not in fact registered, and the degree of mistaken double or multiple registration of an RWO in a given IS).

The interest in registration quality embraces the interest in data interpretability at the same time as it falls under the interests in IS comprehensibility, reliability and manageability.

To sum up, all of the above quality elements can be placed diagramatically as follows:


[1] Validity (of data)

[Sigma] precision

[Sigma] comprehensiveness (including identifiability)

[Sigma] correctness (including currency/up-to-dateness)

[2] Integrity (of data); robustness and reliability (of IS)

[3] Utility (of information)

[Sigma] relevance

[Sigma] completeness

[4] Manageability (of IS)

[Sigma] registration quality

[4] Robustness (of IS)

[4] Accessibility (of IS)

[4] Reliability (of IS)

[Sigma] predictability

[Sigma] registration quality

[4] Comprehensibility (of IS)

[Sigma] interpretability

[Sigma] registration quality

Finally, it should be noted that realisation of each of the sets of group 1 interests defined above is always affected by the understanding, motivations and worldview of the data controller/processor/user. All information is created and processed on the basis of certain perceptions. Such perceptions help determine how a particular problem or task is understood, and, accordingly, which information is deemed relevant and necessary for tackling it. Concomitantly, poor understanding of a problem/task (or what can be termed poor cognitive quality) will tend to result in poor interpretation, organisation and/or application of the information that is processed to address the problem/task - a point brought home in Chapter 6 (section 6.2.3). Thus, we can read into each of the three sets of interests described above an interest in adequate cognitive quality; ie, a concern to ensure that data controllers/processors/users (i) properly comprehend the nature of the problems/tasks for which they process information, and (ii) properly comprehend the quality (relevance, validity, etc) of the information they process to address those problems/tasks.

Legal manifestation of group 1 interests

The clearest embodiment of the interest in validity is in provisions such as Art 5(d) of the CoE Convention and Art 6(1)(d) of the EC Directive which state that personal data "shall be accurate and, where necessary, kept up to date". Broadly similar provisions are found in all data protection laws.[725] It is noteworthy, however, that the laws tend: (i) to eschew use of the term "validity" for a variety of other terms; (ii) to make explicit mention of some of the sub-interests of validity (eg, up-to-dateness) but not all of the sub-interests; and (iii) to differ according to the stringency with which they require checks on data validity.[726] Legal manifestation of the interest in validity occurs also in provisions giving data subjects rectification rights with respect to incorrect, misleading or obsolescent data.[727] By implication, the interest in validity is also manifest in provisions creating access rights for data subjects or notification duties for data controllers.[728] The latter duties not only serve the interest in validity by alerting data subjects to the existence of data-processing practices which they (the data subjects) might want to monitor; in situations where the data are supplied by the data subjects (eg, in response to a questionnaire), notification duties can also help foster a climate of trust which can increase the probability of the data subjects supplying valid data.[729] Such a climate of trust can also be fostered by data controllers publicising the fact that they handle data in conformity with basic data protection principles.[730]

The clearest legal manifestation of the interest in utility is in provisions, such as Art 6(1)(c) of the EC Directive, stating that personal data "shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed".[731] The interest is also embodied, though a little less directly, in provisions setting out the principles of purpose specification[732] and minimality.[733] Broadly similar provisions are found in most data protection laws. Legal manifestation of the interest in completeness occurs also, albeit indirectly, in provisions like Art 15(1) of the EC Directive which regulate the use of fully automated decision-making processes.[734]

There is little direct legal manifestation of the five interests relating expressly to the quality of information systems. This is because data protection laws tend expressly to address various stages in the processing of personal data rather than the operation of the information systems for such processing, Nevertheless, the interest in IS manageability lies implicit in all of the provisions setting out data subjects' rights and data controllers' corresponding duties. The interest is also expressly manifest in provisions like Art 17(2) and 17(3) of the EC Directive which expressly require a data controller to ensure by way of contract or some other legal act that data processors engaged by the controller provide "sufficient guarantees" of technical and organisational security with respect to the processing. The interests in IS robustness and reliability, together with the concomitant interest in data integrity, lie implicit in provisions concerned with data security[735] and data validity. The interests in IS accessibility and comprehensibility, along with the concomitant interests in data interpretability and registration quality, can be read into provisions on access rights for data subjects and notification duties for data controllers. Concern for registration quality also lies implicit in the provisions on data validity. As for the interest in predictability, this can be discerned in provisions embodying the purpose specification principle, as well as in provisions on data subjects' access rights and data controllers' notification duties.

Finally, there is little direct legal manifestation of the interest in adequate cognitive quality. However, the interest lies implicit in many of the provisions that help to secure the interest in utility. Through use of criteria such as "relevance" and "compatibility", these provisions require data controllers to reflect over the nature of the data being processed, the nature of the purposes for which processing takes place, and the nature of the relationship between the data and the processing purposes.

Group 2 interests

This group of interests are primarily concerned with the condition of persons as data subjects and secondarily with the condition of society generally. There are seven basic interests in this group: privacy, autonomy, civility, pluralism, democracy, rule of law and balanced control. The divisions between these interests should not be seen as hard and fast; there is considerable overlap between all of them. Moreover, realisation of the one interest will be partly a function of realisation of one or more of the other interests. Further, each of the interests are ultimately grounded in concern for human dignity.

A person's interest in privacy is his/her interest in being inaccessible to other persons and organisations.[736] This interest is composed of two main sub-interests:

(i) non-transparency (ie, a person's interest in avoiding being rendered transparent vis-à-vis other persons and organisations);

(ii) non-interference (ie, a person's interest in being left alone, physically and/or psychologically).

Part of the interest in non-transparency is the interest in anonymity (ie, a person's interest in being able to act without being identified). Part of the interest in non-interference is the interest in non-information (ie, a person's interest in not being given information by other persons or organisations).

A person's interest in autonomy encompasses his/her interest in informational self-determination; ie, the interest of a person in freely determining how data on him-/herself are processed by others. A "weaker" version of the interest is an interest in informational co-determination; ie, the interest of a person in having some, though not the final, say in how data on him-/herself are processed by others. This interest equates roughly with the interest in participation sometimes inserted in the traditional catalogue.

The interests in informational self-determination and co-determination include the following sub-interests:

(i) insight (ie, a person's interest in knowing who processes data about him-/herself, what data are processed, the purpose(s) of the processing, etc);

(ii) outflow control (ie, a person's interest in determining the flow of information from him-/herself to others);

(iii) inflow control (ie, a person's interest in determining the flow of information from others to her-/himself).

Closely related to the interest in insight are the interests in accessibility and comprehensibility of information systems. The latter two interests are described above in the category of group 1 interests.

Closely related to both the interests in outflow and inflow control is the interest in identificational self-determination (ie, a person's interest in being able to determine and protect his/her identity in relation to both him-/herself and others).[737] This interest encompasses the interest in protecting self-conception as defined by Samuelsen.[738]

Part of the interest in inflow control, and closely related to the interest in non-information, is the interest in attentional self-determination (ie, a person's interest in being able to give his/her attention to what he/she wants).[739] In contrast to the interest in identificational self-determination, which is mainly actualised when incoming (and outgoing) information relates to the person concerned, the interest in attentional self-determination, along with the interest in non-information, can also be relevant when incoming information relates solely to other persons or is non-personal.

While the above group 2 interests primarily concern various forms of information processing at the level of the individual data subject, the interests described below tend to lie on a different plane; they primarily concern relatively abstract, society-wide goals. The first of these interests, civility, denotes a desire to establish attitudes of mutual respect between persons, at both individual and collective levels, and in both private and public sectors. The interest encompasses the interest in citizen-friendly administration listed in the traditional catalogue, though it is broader than the latter as it pertains to more relationships than just that between individual persons and the organisations with which they deal.

The interest in pluralism denotes a concern, firstly, to secure a diversity of opinions and lifestyles, and, secondly, to ensure that social, economic and/or political power is spread across a broad range of groups and organisations so that not one single such group/organisation is able to dominate the others. In other words, the interest denotes a concern to avoid both conformist and totalitarian tendencies. As such, the interest in pluralism has much the same content as the interest in protection against misuse of power and excessive control listed in the traditional catalogue.

As for the interest in democracy, this denotes an interest in ensuring that all citizens actively participate in the public government of societal processes. I use the notion of "democracy" here to encompass not just participation through formal parliamentary elections but participation through all kinds of actions - both formal and informal - that are public in the sense that they are aimed at attracting the attention of, and influencing, persons outside the citizen's domestic/family sphere. The interest in democracy does not figure explicitly in the traditional catalogue or in the alternative catalogues presented in section 7.2.4, though it arguably lies implicit in the interest in protection against misuse of power and excessive control.

The interest in rule of law denotes here a concern to subject certain activities (in the instant case, data processing) to legal controls so as to secure accountability, foreseeability and proportionality in the execution and outcome of those activities. It also denotes a concern not just to ensure that the activities are carried out within the boundaries set by law but that they are actively regulated by legal measures. Moreover, it denotes a concern to ensure that these measures are themselves of a certain quality; ie, that they are sufficiently accessible and precise to allow data controllers and data subjects to foresee their consequences. In the context of the traditional catalogue, the interest in rule of law embraces aspects of the interest in citizen-friendly administration and the interest in protection against misuse of power and excessive control. One group of experts on data protection implicitly recognises the close connection between the interest in rule of law and the interest in pluralism, by noting that data protection involves "the creation of rules of law for information collection and use, so that the activities of the centers of power in a society are controlled by law".[740] However, the interest in rule of law is also closely linked to, and overlaps with, the other group 2 interests, particularly the interest in balanced control.

The latter interest I have extracted from the work of Dag Wiese Schartum,[741] who argues that control measures (in the sense of measures to monitor the extent to which legal rules are properly applied)[742] ought not to be one-sidedly focused on curbing, say, criminal acts of citizens, but to focus on a range of other concerns as well. Schartum lists five "dichotomies" in terms of control efforts: (1) effort spent on controlling citizens as opposed to effort spent on providing citizens with guidance; (2) effort spent on carrying out advance (ex ante) control as opposed to effort spent on retrospective (ex post facto) control; (3) effort spent on control operating in disfavour of citizens (eg, taking away benefits from citizens who are not entitled to them) in contrast to effort spent on control operating in favour of citizens (eg, identifying under-use of welfare services); (4) effort spent on control directed towards the operations of the controlling body (internal control) as opposed to control efforts directed at the operations of others (external control); (5) effort spent on controlling computerised operations in contrast to effort spent on controlling non-automated/manual operations. In each of these five cases, Schartum proposes, there should be some "proportionality" of efforts in the sense that the one effort should not be given priority at the complete expense of the other effort. In my view, these five axes of proportionality make up (and form sub-interests of) the interest in balanced control. I use the notion of control here in much the same sense as Schartum does. However, I should emphasise that control covers measures for monitoring not just the case-handling procedures of public authorities but also the equivalent procedures of private organisations. Additionally, it bears emphasising that both sets of measures tend to involve the monitoring, in turn, of the activities of private citizens. The interest in balanced control does not figure explicitly in any of the interest catalogues described in section 7.2.4, though aspects of it arguably lie implicit in the interest in citizen-friendly administration and the interest in protection against excessive control. The interest is closely related to the interest in rule of law; indeed, it can be seen as an outgrowth of the criterion of proportionality embraced by the latter interest.

Legal manifestation of group 2 interests

The interests in non-transparency and non-interference are most directly manifest in provisions setting out the principles of fair and lawful processing,[743] purpose specification, minimality, disclosure limitation[744] and information security. Implementation of these provisions places restrictions on the ability of people and organisations to gain access to information on others. It can also decrease the chance of persons being asked to supply information on themselves and thereby decrease the extent to which they suffer interference or attention from information gatherers. The same can be said for provisions requiring data controllers to take measures to safeguard or improve information quality. Implementation of such provisions lessens the risk of a data controller making a decision concerning a person on the basis of inaccurate and/or irrelevant information. This, in turn, lessens the risk of a data controller then taking, say, unwarranted investigative action which interferes with or disturbs that person.

It is noteworthy that express concern in data protection laws for the interest in anonymity tends to be muted. While most data protection laws provide for the anonymisation of personal data once the need for person-identification lapses, they do not contain rules stipulating, say, that active consideration be given to crafting technical solutions for ensuring transactional anonymity. The closest they come to such a stipulation is in rules embodying the minimality principle, particularly those providing that personal data must not be "excessive" in relation to the purposes for which they are processed.[745] At the same time, though, data protection discourse is increasingly showing express concern for the interest in anonymity. Numerous policy documents issued in recent years, together with at least one recently enacted piece of sectoral data protection legislation, make specific provision for securing the interest.[746] This development is particularly significant for resolution of the issue concerning the ability of data protection laws to regulate profiling practices. Concomitantly, it is also pertinent for consideration of the extent to which data protection laws are able to safeguard the interests of collective entities, especially those entities that are non-organised. I refer to the analyses in Parts III and IV for further details on these points.

As for legal manifestation of the interest in informational self-determination, this is most obvious in those provisions of data protection laws which prohibit the processing of personal data without the consent of the data subject, or which give the latter a right to object to processing.[747] The interest is also clearly manifest in rules providing data subjects with access and rectification rights. An indirect manifestation of the interest is found in those provisions setting out the principles of purpose specification and fair and lawful processing, together with rules on notification duties. The connection is indirect because implementation of these principles cannot be seen as a direct exercise of information control on the part of data subjects; primary responsibility for implementing the principles is given to data controllers. Nevertheless, implementing the principles will help to increase the possibility for persons to determine what information is collected on them and how that information shall be used.

It is important to note that the above provisions typically refrain from giving data subjects an absolute right to dispense with data on themselves as they see fit. For example, the requirement of data subject consent is usually laid down as just one of several alternative prerequisites for data processing.[748] Thus, the above provisions are better viewed as manifestations of an interest in informational co-determination as opposed to self-determination.

Regarding legal manifestation of the interest in insight, this comes through strongly in provisions on data subjects' access rights and data controllers' notification duties. The same applies for the interests in accessibility and comprehensibility of information systems.

Legal manifestation of the interest in outflow control is most prominent in provisions dealing directly with disclosure limitation. Slightly more indirect manifestation of the interest is found in rules requiring the consent of data subjects to data processing and provisions for rectification and erasure rights.

The latter provisions embody also a direct concern for securing the interest in identificational self-/co-determination. Further manifestation of this interest is found in relatively rare provisions such as s 7(1) of the Norwegian PDRA (which eliminates access rights in relation to "such information which it is considered inadvisable to bring to the knowledge of the person concerned out of regard for his health or his relations with persons close to him")[749] and Art 12(6) of Greece's Law on the Protection of Individuals with regard to the Processing of Personal Data[750] (which stipulates that "[d]ata pertaining to the health of the data subject shall be made known to the data subject via a medical doctor").[751] Arguably, some manifestation of concern for the interest is also found in more generally formulated provisions such as Art 13(1)(g) of the EC Directive (which permits restrictions on access rights insofar as is necessary for "the protection of the data subject"). Moreover, several of the policies of data protection authorities appear to have put weight on the interest when restricting, for example, the manner in which researchers can make contact with potential respondents to research surveys.[752] At the same time, I have not found any provisions in data protection laws which expressly set out a right "not to know" certain types of information. However, principles 5.6 and 8.2 of CoE Recommendation No R (97) 5 on the Protection of Medical Data (adopted 13.2.1997) open up for the development of such a right in relation to medical (including genetic) data generally. Additionally, a right not to be informed of information collected about one's health is set down in Art 10(2) of the CoE's 1997 Convention for the Protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine.753 Considerable potential for developing such a right would seem also to be contained in Art 13(1)(g) of the EC Directive (mentioned above), despite the relatively narrow exemplification of this potential given in recital 42.[754]

Many of the provisions and policies mentioned in the immediately preceding paragraph also show a concern for securing the interests in inflow control, non-information and attentional self-determination. Manifestation of these interests is found as well in rules providing data subjects with a right to object to certain types of data processing, especially those involving direct marketing.[755]

Concern for the interest in civility is especially apparent in those provisions of data protection laws which embrace the principles of fair and lawful processing and purpose specification. It is further apparent in provisions setting out access rights for data subjects and corresponding notification duties for data controllers. And it is apparent in provisions that give data subjects a right to object to fully automated decision making and to direct marketing.

There is a relatively small number of provisions in which the interest in pluralism is obviously discernible. The interest is clearly manifested in those few data protection laws that expressly concern themselves with ensuring "informational equilibrium" between legislative and executive organs of government.[756] More indirect manifestation of the interest is found in those few laws with provisions aimed at preventing the creation of information systems that can easily be turned to serve dictatorial interests in the event of foreign invasion or war.[757] The interest also emerges in some of the policies adopted by data protection authorities, particularly those policies that attempt to set limits on the processing of large amounts of data relating to large numbers of persons.[758] At the same time, though, the interest underlies the basic thrust of data protection laws - as intimated in the Final Report of the Bellagio Conference.[759]

The interest in democracy also underlies the general thrust of all data protection laws, in that the latter help to secure confidence on the part of citizens that their participation in public affairs will not result in personal risks arising out of the registration of their activities.[760] We find more direct manifestations of the democracy interest in those provisions creating access rights for data subjects and notification duties for data controllers. As Simitis points out, the democracy interest also figures centrally in those laws that attempt specifically to secure "informational equilibrium" between the legislature and executive.[761]

As for the interest in rule of law, the entire body of data protection laws may be viewed as an embodiment of this interest by the very fact that they subject certain forms of data processing to legal regulation. All of the laws' basic principles may also be viewed as embodying the interest inasmuch as they are concerned with securing accountability, foreseeability and/or proportionality in relation to data processing. We find some express recognition of these views in the data protection instruments of the CoE.[762]

The interest in balanced control is not obviously manifest in current data protection laws, though aspects of it can arguably be read into some of their provisions. For instance, provisions setting out data controllers' notification duties indirectly embody a concern to counterbalance control with guidance. Provisions concerned with ensuring information security and data validity indirectly embody a desire to counterbalance external control with internal control. Further, aspects of the interest show through in some of the policies adopted by data protection authorities, especially those dealing with data-matching practices.[763] Also noteworthy is s 35(2)(4) of the draft Bill proposed by the Skauge Committee for a new data protection law in Norway. This provides that the Data Inspectorate, when assessing the necessity of setting down conditions for the licensing of certain data-processing operations, should take into consideration, ia, the extent to which there are planned advisory/guidance measures that are reasonably proportional to control measures.[764]

Concluding commentary on the above catalogue

The above catalogue is essentially a distillation of assumptions about some of the concerns of persons generally. As such, the catalogue is a type of abstract profile.[765] The assumptions have a variety of origins that help to lend them objective (inter-subjective) validity: most notably, existing legal rules (particularly those in data protection laws), the results of public opinion surveys,[766] and the interest catalogues canvassed in the previous section. But they unavoidably rest, in part, also on my own (subjective) observations of human needs and preferences.

What is perhaps most problematic with the interest catalogue is that it is prima facie global in application: it does not distinguish, for instance, between the interests of different national, cultural or ethnic groups. However, these problems are mitigated by the fact that the catalogue refrains from ranking the extra-legal importance of the interests in relation to each other and in relation to other interests.

The catalogue lists well over twenty interests. This is a large number of interests relative to previous catalogues. Some of these interests could, of course, be collapsed together. That this has not been done is due to a desire to highlight the multifaceted character of data protection concerns from the viewpoint of data subjects. The complexity and length of the catalogue is a reflection of the fact that data protection concerns are themselves complex and wide-ranging.

At the same time, it should not be forgotten that many, if not all, of the interests in the catalogue are also protected to varying degrees by a range of other legal rules that often antedate the emergence of data protection laws. For example, rules on negligence and judicial review of administrative decision making have long been concerned with aspects of the quality of information, though these aspects traditionally have not been expressly framed in terms of the quality concept. To take another example, the interest in identificational self-determination is partly upheld by long-standing rules on defamation, though, again, these rules have traditionally eschewed explicit concern for such an interest. The important point is that the interests in the catalogue tend not to be uniquely the concerns of data protection laws.[767]

Undoubtedly, the interest catalogue I present above is too cumbersome to function usefully as a rhetorical device in popular political debates. However, the catalogue is by no means too cumbersome to function usefully in academic discourse about the rationale and limits of data protection concerns. Neither is it too cumbersome to function usefully as a guide for data protection authorities, legislators and other policy makers in assessing or developing law and policy on data protection.

The catalogue provides a considerably more sophisticated depiction of the interests related to information quality than is found in the catalogues presented in section 7.2.4. Particularly noteworthy in this regard is the catalogue's explicit focus on the quality of information systems - a focus that all too often has been absent from data protection discourse. The relatively detailed treatment of group 1 interests is called for in the face of the trend towards electronic interpenetration and of problems with the quality of information used by many organisations.[768]

The catalogue is also considerably more extensive in its coverage of group 2 interests than are the other catalogues presented in section 7.2.4. Indeed, the catalogue could be expanded even further in this regard. For instance, several of the values listed in section 7.2.2 - namely, individuality, emotional release, self-evaluation and (social) stability - could be incorporated more explicitly in group 2. That I refrain from doing so is because these values are implicit in the interest catalogue as set out above.

Not all of the interests in group 2 can properly be said to lie close to core data protection concerns as expressed in current legislation. This is especially so with respect to the interest in balanced control. It is also somewhat the case with respect to, ia, the interests in attentional self-determination and non-information. I include all these interests, though, because some traces of them are discernible in current law and policy on data protection. I include them also in order to indicate avenues along which such law and policy might develop in the future - particularly given the trends identified in Chapter 6 (section 6.2).

The division of the catalogue into two groups of interests reflects the fact that there is a basic difference between each group. Unlike the interests in group 2, the interests in group 1 are primarily technical-organisational in orientation. They pertain first and foremost to the field of data security.[769] This distinction, however, should not overshadow the fact that realisation of group 1 interests is, in practice, important for the realisation of many of the group 2 interests.

It needs to be remembered that the interests in the catalogue will not always be in harmony with each other. For instance, attempts to further the interest in data validity by allowing organisations to reference personal data with multi-context PINs can potentially weaken, ia, the interest in non-transparency insofar as the PINs enhance possibilities for linking personal data from different registers.[770] To take another example, attempts to further the interests in predictability and insight by allowing, say, providers of telecommunications services to register and store, for billing purposes, detailed information about subscribers' private telephone calls can potentially clash with, ia, the interests in autonomy and pluralism.[771] To take yet another example, the interests in non-interference (non-information) and attentional self-determination can be detrimentally affected by measures aimed at safeguarding the interest in informational self-determination (eg, when a data controller is forced to contact data subjects in order to ask for their consent to data processing).[772] The same interests can additionally be affected by measures aimed at enhancing the interest in non-transparency (eg, through making it difficult for an organisation to collect data on a person from another organisation); for if an organisation is unable to collect personal data held by another organisation, it might end up attempting to gain the data directly from the data subject.

The catalogue does not provide guidance for resolving such interest conflicts as it refrains from indicating the respective importance of each interest. This omission is grounded in a belief that the weighting given each interest must be largely context-dependant. I refer here to what is written in section 7.2.4. On this point, it is also worth noting that data protection laws themselves tend not to prescribe how such interest conflicts are to be resolved. Indeed, they usually do not recognise on their face any possibility of such conflicts. Concomitantly, they often omit to indicate which of the interests are more important than the others, instead referring simply to the interests as a largely undifferentiated group.[773] Some provisions, though, implicitly give priority to some interests over others,[774] but these are rare. As a consequence, data protection authorities and other bodies charged with overseeing implementation of data protection laws are frequently left with fairly free reins to resolve such interest conflicts as they see fit.

It is not only each interest's relative importance that must be determined on a case-by-case basis; also the degree to which each interest is threatened by data processing will depend on the particular circumstances of each processing operation. Important factors here include:[775]

the content and nature of the data (eg, to what do the data refer?; how comprehensive are they?);

the source of the data (eg, do they come from the data subject or a third party?; how reliable is the source?);

to whom the data are communicated (eg, to what extent is that person or organisation known by, or under the control of, the data subject(s)?;

what limits are imposed on that person/organisation's re-disclosure of the data?; to what extent can the person/organisation be trusted to interpret the data correctly?);

how the data are communicated and registered (manually?; by computer?; in encrypted form?).

7.3. Interests of Data Controllers

Many of the interests in the catalogue presented in the preceding section are shared by data controllers in either the private or public sectors. It is obvious that all of the group 1 interests will typically fall within this category. Data controllers will also share one or more of the group 2 interests insofar as they support the needs and values of which the interests are an expression or insofar as they see such interests as capable of serving other interests they have.

The latter point is well exemplified in the efforts of private corporations to use data protection as a tool for retaining and/or expanding their respective customer bases. These efforts commonly involve the development by a corporation of a formalised, publicly available, data protection policy aimed at showing customers (current and potential) that the corporation handles customer data in a reliable and responsible manner.[776] Less commonly, these efforts involve a corporation invoking data protection rules in order to prevent its competitors from engaging in conduct that is detrimental to its business interests.[777]

At the same time, the importance attributed by data controllers to realising the data protection interests they share with data subjects will not necessarily be the same as that attributed by the data subjects themselves. Concomitantly, the effort (time, money and other resources) which a data controller is prepared to put into realising the interests will not necessarily suffice to realise the interests from the data subject's perspective. Further, the goals and values for which data controllers seek to realise the interests will not necessarily be the same as the equivalent goals and values of data subjects.

To take a simple example of these differences, a data controller will often seek to ensure that data are valid not just in order to safeguard the interests of the data subject in privacy, autonomy, etc - indeed, such interests might not figure at all in the controller's agenda of concerns - but to achieve, say, operational efficiency. At the same time, the controller's level of error tolerance in relation to the data could be higher than the data subject's tolerance levels. This, in turn, might mean that the amount of effort the controller is prepared to put into checking the validity of the data is not enough to ensure a validity level that guarantees satisfaction of the data subject's interest in such validity.[778]

Concern for operational efficiency is just one of numerous interests that data controllers will typically have and do not figure explicitly in the list of interests given in the preceding sections. Little point is served for the purposes of the thesis in attempting to set out a detailed list of such interests. It suffices to note that while some of them lie latent - at least in part - in the interest catalogue presented in section 7.2.5,[779] many of them do not.

It is also noteworthy that we find some manifestation of these interests in data protection laws. The interests are most clearly manifest in exemption clauses to the rules embodying core data protection principles,[780] and/or in provisions specifying the considerations to be taken into account by data protection authorities either when (i) carrying out their functions generally,[781] or (ii) exercising their discretionary powers in more specific contexts.[782] Arguably, we can also find more subtle manifestation of a concern to uphold the data-processing interests of data controllers in the very fact that the laws tend to operate with largely procedural rules that do not challenge fundamentally the bulk of established patterns of information use. In the language of road signs, data protection laws tend to post the warning "Proceed with Care!"; they rarely order "Stop!".

The latter points figure prominently in the work of James Rule and several of his colleagues. According to these scholars, data protection laws operationalise an "efficiency criterion" for safeguarding privacy and related values in the face of increasing bureaucratic surveillance.[783] This criterion allows surveillance to go ahead as long as core data protection principles are met.[784] These principles, Rule et al suggest, do not radically threaten organisations' established systems of surveillance; they simply seek to make these systems more efficient, fair and, hence, socially acceptable. Concomitantly, they fail to confront the questions: "How far into previously private areas of life ought these systems to extend? At what point does even just, efficient monitoring of private affairs become excessive?".[785] As a result, Rule et al argue, adherence to the principles facilitates the avoidance of a "frontal collision" between the privacy demands of the general populace and the surveillance practices of organisations.[786]

The above analysis by Rule et al focuses on the development of data protection law and policy in the USA before 1980, and enjoys a high degree of validity in that context. Its validity with respect to other jurisdictions and periods is by no means negligible but, in some cases, it is reduced. There are at least several instances of data protection regimes - particularly in Europe - which provide for the possibility of prohibiting or severely restricting data-processing practices on the basis of application of criteria that are broader than the "efficiency criterion" described above.[787] Nevertheless, even these regimes are scarcely concerned with stopping or bringing about radical change to the bulk of established data-processing practices.

It bears reminding that while concern for privacy and related values can have been uppermost in the minds of citizens when they have clamoured for data protection laws to be introduced, this concern has not necessarily been shared to the same degree by the governments which have enacted such laws. Legislators have been primarily interested in finding a balance between the concerns of citizens as data subjects and the data-processing interests of data controllers (especially government agencies). This is reflected in many of the laws themselves, which, as exemplified above, acknowledge that data controllers have legitimate interests in processing personal data, and that these interests should, in appropriate cases, override opposing interests of the data subject.

Legislators' concern for citizens' privacy was perhaps greatest in the early years of legislating for data protection. From the late 1970s, the preoccupation with privacy and related values seems to have increasingly lost ground to other, predominantly economic, concerns. Much of the impulse behind the main data protection initiatives undertaken at an international level has stemmed from a desire to harmonise national data protection laws in order to maintain the free flow of data across borders.[788] Concomitantly, there is increasing pressure on national legislators to pass data protection laws in order to avoid a situation in which the flow of data into their respective countries is restricted pursuant to the data protection laws of other countries.[789] In some jurisdictions, work on the enactment of data protection legislation has been motivated to a large extent by a concern to create public acceptance for new or existing information systems. Thus, enactment of Australia's federal Privacy Act came about partly from a desire on the part of the federal government to win support for a proposed national PIN scheme aimed at reducing, ia, fraud of the income-tax system and welfare programmes.[790] Similarly, enactment of New Zealand's Privacy Act was motivated partly by concern to create acceptance for planned and existing data-matching operations aimed at combatting abuse of government services.[791] Further, work on drafting a range of more recent data protection instruments, including the EC Directive and new federal data protection legislation for Canada, has arisen partly in order to engender public confidence in using new systems of electronic commerce.[792]

In light of the above, together with the observations made in Chapter 6 (especially section 6.3), it arguable that the predominant interest held by data controllers (and legislators) with respect to data protection laws is to shore up data subjects' confidence that data are processed in a secure, responsible way. This interest does not necessarily conflict with the data protection interests held by data subjects, but efforts at realising it can result in a situation whereby the latter interests fail to be legally secured in much more than symbolic fashion.[793]

570 See Chapter 2 (section 2.3).

[571] See S Lukes, Individualism (Oxford: Blackwell, 1973), 62 (claiming that privacy in the sense of "a sphere of thought and action that should be free from public interference" constitutes "perhaps the central idea of liberalism"). See also Mallmann, supra n 22, 17.

[572] For an excellent overview of the development of US concern for privacy, see P M Regan, Legislating Privacy: Technology, Social Values, and Public Policy (Chapel Hill/London: University of North Carolina Press, 1995).

[573] See, eg, the 1970 proposal by the (West) German Interparliamentary Working Committee (Interparlamentarische Arbeitsgemeinschaft) for a "Law for the Protection of Privacy from Misuse of Databank Information" (Gesetz zum Schutz der Privatsphäre gegen Missbrauch von Datenbankinformationen): described in Bull, supra n 444, 85.

[574] See, eg, Katsh, supra n 430, 234 (employing privacy as both a condition - "[p]rivacy is a condition that allows the individual freedom to choose when to establish a relationship and when not" - and as a doctrine with a particular goal - "[p]rivacy needs to be understood as being an inherently pro-choice doctrine in that its goal is to provide the individual with an environment in which he or she can make independent choices").

[575] See, eg, S Davies, Monitor: Extinguishing Privacy on the Information Superhighway (Sydney: Pan Macmillan Australia, 1996), 260 (defining privacy as "the relationship between people and the world around them").

[576] For an overview of the lines of debate, see generally J C Inness, Privacy, Intimacy, and Isolation (New York/Oxford: Oxford University Press, 1992), chapt 2; J W DeCew, In Pursuit of Privacy: Law, Ethics, and the Rise of Technology (Ithaca/London: Cornell University Press, 1997), chapts 2-3.

[577] For examples of variation, see, ia, B Moore, Privacy: Studies in Social and Cultural History (Armonk, New York: M E Sharpe, 1984); J M Roberts & T Gregor, "Privacy: A Cultural View", in J R Pennock & J W Chapman (eds), Privacy: Nomos XIII (New York: Atherton Press, 1971), 199-225; Westin, supra n 355, 11-22.

[578] See, eg, En ny datalag, SOU 1993:10, 150-161 (documenting the difficulties experienced in Swedish data protection discourse with respect to arriving at a precise definition of "personlig integritet").

[579] See, eg, s 13 of Australia's federal Privacy Act and s 2 of Israel's Protection of Privacy Law, 5741-1981.

[580] In the words of Paul Freund, "[t]he value of a rich and pliable concept of privacy needs no laboring when our technology is bringing new threats ... It is surely useful to have at hand a concept that alerts us to, and bespeaks a limitation on, a profusion of potential intrusions". See P A Freund, "Privacy: One Concept or Many", in J R Pennock & J W Chapman (eds), Privacy: Nomos XIII (New York: Atherton Press, 1971), 182, 193-194.

[581] Ibid, 193.

[582] For an example of this sort of claim mounted against the privacy concept, see J J Thomson, "The Right to Privacy" (1975) 4 Philosophy and Public Affairs, 295-314.

[583] This line is argued most convincingly and elegantly by Ruth Gavison: see Gavison, supra n 108.

[584] Warren & Brandeis, supra n 552, 195, 205. See also the influential definition of the right to privacy adopted at the Nordic Conference of Jurists (organised by the International Commission of Jurists) in Stockholm, May 1967: "The Right to Privacy is the right to be let alone to live one's own life with the minimum of interference". Cited in S Strömholm, Right of Privacy and Rights of the Personality (Stockholm: P A Norstedt & Söners Förlag, 1967), Appendix IV, 237.

[585] See, eg, Data och integritet, SOU 1972:47, 56 and Personregister - Datorer - Integritet, SOU 1978:54, 36 (both reports viewing "personlig integritet" in terms of an individual's claim to enjoy a "protected space, in which he can reject unwanted interference from others" ("en fredad sektor, inom vilken kan kan avvisa sådan inblandning både från det allmänna och från andra som uppfattas som otillbörlig")).

[586] Gavison, supra n 108, 428-436. Other examples of definitions that conceive of privacy essentially in terms of limited accessibility are found in: A Allen, Uneasy Access: Privacy for Women in a Free Society (Totoma, New Jersey: Rowman & Littlefield Publishers, 1988), 15 ("personal privacy is a condition of inaccessibility of the person, his or her mental states, or information about the person to the senses or surveillance devices of others"); Bok, supra n 110, 10 (privacy is "the condition of being protected from unwanted access by others - either physical access, personal information, or attention"); J H Reiman, "Driving to the Panopticon" (1995) 11 Santa Clara Computer and High Technology LJ, 27, 30 (privacy is a condition "in which other people are deprived of access to either some information about you or some experience of you"); O'Brien, supra n 107, 16 (privacy denotes "an existential condition of limited access to an individual's life experiences and engagements").

[587] Westin, supra n 355, 7. Other examples of definitions of privacy primarily in terms of information control are found in L Lusky, "Invasion of Privacy: A Classification of Concepts" (1972) 72 Columbia L Rev, 693, 709 ("Privacy is the condition enjoyed by one who can control the communication of information about himself"); Miller, supra n 355, 40 (privacy is "the individual's ability to control the circulation of information relating to him"); E A Shils, "Privacy: Its Constitution and Vicissitudes" (1966) 31 Law & Contemporary Problems, 281, 282 ("privacy exists where the persons whose actions engender or become the objects of information retain possession of that information, and any flow outward of that information from the persons to whom it refers (and who share it where more than one person is involved) occurs on the initiative of its possessors"). See also infra n 598 and references cited therein.

[588] See, eg, Skydd mot avlyssning, SOU 1970:47, 58 (defining "personal integrity" as "the claim by an individual that information about his private affairs shall not be accessible to, or be used by, outsiders without his consent" ("den enskildes anspråk att informationer om hans privata angelägenheter inte skall vara tillgängliga för eller få begagnas av utenomstående utan hans vilja")). For similar definitions, see also, ia, Fotografering och integritet, SOU 1974:85, 56; ADB och samordning, SOU 1976:58, 127; En ny datalag, SOU 1993:10, 159.

[589] Inness, supra n 576, 140.

[590] W L Morison, Report on the Law of Privacy to the Standing Committee of Commonwealth and State Attorneys-General, Report No 170/1973 (Canberra: AGPS, 1974), para 1 (emphasis added).

[591] See, eg, Inness, supra n 576, 58ff; W A Parent, "A New Definition of Privacy for the Law" (1983) 2 Law and Philosophy, 305, 306-307; Wacks, supra n 556, 16-18.

[592] These differences cut across the boundaries of the four definitional groups.

[593] See supra nn 580-581 and accompanying text. See also DeCew, supra n 576, espec chapt 4 (championing use of privacy as a "broad and multifaceted cluster concept"); A L Allen, "Genetic Privacy: Emerging Concepts and Values", in M A Rothstein (ed), Genetic Secrets: Protecting Privacy and Confidentiality in the Genetic Era (New Haven/London: Yale University Press, 1997), 31, 35 ("the time has probably come to recognize that the quest for an ideal, all-purpose philosophical or legal definition of privacy is futile. Rather than devoting attention to whether particular values and states should be labeled `privacy', we ought to shift resources fully to the task of deciding whether the values and states that are in fact labeled `privacy' warrant ethical or legal protection").

[594] See, eg, Wacks, supra n 556, 19; Inness, supra n 576, 58.

[595] See, eg, A Schafer, "Privacy: A Philosophical Overview", in D Gibson (ed), Aspects of Privacy: Essays in Honour of John M Sharp (Toronto: Butterworths, 1980), 1, 11; J W DeCew, "The Scope of Privacy in Law and Ethics" (1986) 5 Law and Philosophy, 145, 168-169.

[596] I recognise, though, that the nature of the information disclosed will help to determine the significance of the privacy loss for the person concerned and thereby the extent to which a remedy for that loss is required. See also Chapter 1 (section 1.6).

[597] See further Chapter 12 (section 12.2).

[598] In addition to the references cited supra n 587, see, ia, R D Blekeli, "Framework for the Analysis of Privacy and Information Systems", in J Bing & K S Selmer (eds), A Decade of Computers and Law (Oslo: Universitetsforlaget, 1980), 21, 24 ("privacy related to information systems generally means an interest of identifiable single persons (physical or legal) in exercising control of the information describing themselves"); Committee on Data Processing (the Lindop Committee), Report of the Committee on Data Protection, Cmnd 7341 (London: HMSO, 1978), 10, para 2.04 (defining "data privacy" as "the individual's claim to control the circulation of data about himself"); Rodotà, supra n 33, 261 (privacy is "the right to maintain control over one's own data"); B Slane, in Private Word: News from the Office of the Privacy Commissioner, April 1996, no 4, 6 ("Privacy is not simply an absence of information about us in the minds of others - it is the control we have of information about ourselves").

[599] On definitions of "personvern", see infra n 665 et seq and accompanying text. On definitions of "personlig integritet", see supra n 588.

[600] Another problem I have with control-based definitions of privacy is that they imply that exercise of control is the only means of attaining privacy; this implies, in turn, that privacy cannot be had by, say, a comatose person. For my part, such implications are counter-intuitive.

[601] See, eg, R Wacks, "The Poverty of Privacy" (1980) 96 Law Quarterly Rev, 73, espec 78ff; H Gross, "Privacy and Autonomy", in J R Pennock & J W Chapman (eds), Privacy: Nomos XIII (New York: Atherton Press, 1971), 169, 180-181; T I Emerson, "The Right of Privacy and Freedom of the Press" (1979) 14 Harvard Civil Rights-Civil Liberties L Rev, 329, 340-341; E Boe, "`The Right to Privacy' i USA" (1994) LoR, 577-578.

[602] See further Chapters 6 and 17 (sections 6.2.2 and 17.2).

[603] See further Chapter 12 (section 12.2.2).

[604] This is not to suggest that conceptualisations of privacy in terms of non-intrusiveness, inaccessibility or information control necessarily clash with sphere theory, but the connection between them and this theory are not as obvious since they do not expressly focus on a particular grading of intimacy or sensitivity.

[605] For overviews of the theory, its origins and problems, see, ia, A Hasselkuss & C-J Kaminski, "Persönlichkeitsrecht und Datenschutz", in W Kilian, K Lenk & W Steinmüller (eds), Datenschutz (Frankfurt am Main: Athenäum-Verlag, 1973), 109, 115-126; H-H Maass, Information und Geheimnis im Zivilrecht (Stuttgart: Ferdinand Enke Verlag, 1970), 22ff.

[606] H Hubmann, Das Persönlichkeitsrecht (Cologne/Graz: Böhlau Verlag, 1967, 2nd ed), 268-332.

[607] Ibid, 325 ("Als Ausschnitt aus dem Privatleben bedarf der Geheimbereich eines verstärkten Rechtsschutzes. In ihn muss sich der einzelne zurückziehen können, wenn er ganz für sich sein will, ohne die Zudringlichkeit anderer befürchten zu müssen. Was er dort tenkt, fühlt und tut, muss er vor jedem, dem er nicht selbst Zutritt gewährt, verborgen halten können").

[608] J Bing, "Classification of Personal Information with Respect to the Sensitivity Aspect" in Proceedings of the First International Oslo Symposium on Data Banks and Society (Oslo: Universitetsforlaget, 1972), 98-141.

[609] For early Norwegian criticism of the theory, see, ia, R D Blekeli, "Individ og informasjonsbehandling - et teoribidrag" (1974) 7 Skriftserien Jus og EDB, 1, 11, 18-19; Offentlige persondatasystem og personvern, NOU 1975:10, 12, 38; Persondata og personvern, NOU 1974:22, 31; K S Selmer, "Elektronisk databehandling: Kan trollet temmes?" (1973) LoR, 195, 196.

[610] See, eg, S Simitis, "Datenschutz - Notwendigkeit und Voraussetzungen einer gesetzlichen Regelung" (1973) 2 DVR, 138, 143-145; W Steinmüller, "Objektbereich `Verwaltungsautomation' und Prinzipien des Datenschutzes", in Kilian, Lenk & Steinmüller, supra n 605, 51, 67-68.

[611] See also Wacks, supra n 556, 23, 181.

[612] See, eg, Simitis, supra n 610, 151-154; Steinmüller, supra n 610, 68-69.

[613] This is indicated by Bing's attempted sensitivity grading (supra n 608), which listed several hundred separate data items.

[614] See further Chapter 2 (section 2.4.1). Hence, Inness, who champions an intimacy-oriented definition of privacy, claims it is misconceived to characterise data protection laws as concerned with privacy. In her view, it is better to characterise such laws as protecting "secrecy": Inness, supra n 576, 60-61.

[615] See further Chapter 3 (section 3.9).

[616] See supra n 170.

[617] See, eg, Simitis, "SS1", supra n 102, para 183 ("[Das Bundesverfassungsgericht hat] in seiner Entscheidung zum VZG 83 die ... `Sphärentheorie' aufgegeben und den Verwendungskontext in den Mittelpunkt gestellt"). See also Simitis, "Die informationelle Selbstbestimmung - Grundbedingung einer verfassungskonformen Informationsordnung" supra n 536, 402. For a short summary of the Census Act decision, see Chapter 6 (section 6.4.1).

[618] See, eg, Aulehner, supra n 536, 453 ("Die Nähe einer Information zum Intimbereich bleibt nach wie vor von Bedeutung für den durch das Recht auf informationelle Selbstbestimmung entfalteten Schutz. Der Informationsinhalt und die sphärenmässig betrachtete Informationsherkunft bleiben damit für das Recht auf informationelle Selbstbestimmung relevant; sie verlieren nur ihre dominierende Stellung als allein relevante Kriterien"); M Wächter, "Was ist und was soll Datenschutz? Ein Dekalog zum `Persönlichkeitsrecht' nach SS 1 Abs. BDSG" (1994) DuD, 75, 75 (claiming that the Court's decision "begründet ... keine Abkehr von der Sphärentheori").

[619] 65 BVerfGE, 1, 45 ("Dabei kann nicht allein auf die Art der Angaben abgestellt werden. Entscheidend sind ihre Nutzbarkeit und Verwendungsmöglichkeit. Diese hängen einerseits von dem Zweck, dem die Erhebung dient, und andereseits von den der Informationstechnologie eigenen Verarbeitungs- und Verknüpfungs-möglichkeiten ab").

[620] Id ("insoweit gibt es unter den Bedingungen der automatischen Datenverarbeitung kein `belangloses' Datum mehr").

[621] "Wieweit Informationen sensibel sind, kann hiernach nicht allein davon abhängen, ob sie intime Vorgänge betreffen. Vielmehr bedarf es zur Feststellung der persönlichkeitsrechtlichen Bedeutung eines Datums der Kenntnis seines Verwendungszusammenhangs": id (emphasis added). Note also the Court's reference to the need to take extra care when processing information that might involve the danger of "soziale Abstempelung" ("social stigmatism"): ibid, 48. As examples of such information, the Court lists data concerning drug addiction, criminal convictions, insane or anti-social behaviour.

[622] For an excellent overview, see Allen, supra n 586, chapt 2.

623 See further section 7.2.5.

[624] See, eg, J H Reiman, "Privacy, Intimacy, and Personhood" (1976) 6 Philosophy & Public Affairs, 26-44; I Altman, The Environment and Social Behavior: Privacy, Personal Space, Territory, Crowding (Monterey: Brooks/Cole Publishing Company, 1975), 48-50.

[625] See, eg, H Arendt, The Human Condition (Chicago: The University of Chicago Press, 1958), 71 ("A life spent entirely in public, in the presence of others, becomes ... shallow. While it retains its visibility, it loses the quality of rising into sight from some darker ground which must remain hidden if it is not to lose its depth in a very real, non-subjective sense").

[626] See, eg, E J Bloustein: "Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser" (1964) 39 New York University L Rev, 962, 1003 ("The man who is compelled to live every minute of his life among others and whose every need, thought, desire, fancy or gratification is subject to public scrutiny, has been deprived of his individuality and human dignity. Such an individual merges with the mass. His opinions, being public, tend never to be different; his aspirations, being known, tend always to be conventionally accepted ones; his feelings, being openly exhibited, tend to lose their quality of unique personal warmth and to become the feelings of every man. Such a being, although sentient, is fungible; he is not an individual").

[627] See, eg, Westin, supra n 355, 33. See further section 6.2.5.

[628] See, eg, Mallmann, supra n 22, 36ff and references cited therein.

[629] Hence, Westin (supra n 355, 34) runs the values of individuality and autonomy together under the autonomy parole.

[630] Refer to the definition of "dignity" in Chapter 1 (section 1.6).

[631] See, eg, D N Weisstub & C C Gotlieb, The Nature of Privacy: A Study for the Privacy and Computers Task Force (Ottowa: Departments of Communications and Justice, 1972), 46 ("If we go about observing a man's conduct against his will the consequence of such observation is that either the man's conduct is altered or his perception of h/self as a moral agent is altered. The notion of altering conduct or self-perception against the will of moral agent is offensive to our sense of human dignity"). See also Bloustein, supra n 626.

[632] Refer to the definition of "integrity" in Chapter 1 (section 1.6).

[633] See, eg, ILO, supra n 129, 16 ("The quest for principles to govern the processing of personal data expresses ... the need to protect human dignity"); Weisstub & Gotlieb, supra n 631, 50 (human dignity is "the covering genus of which privacy is a species"); Bloustein, supra n 626, 1003ff (arguing that the basic rationale for US tort law on invasion of privacy is respect for human dignity). Those who argue that respect for privacy is grounded on respect for persons as autonomous agents, also show an implicit concern for human dignity. In this regard, see, eg, S I Benn, "Privacy, Freedom, and Respect for Persons", in J R Pennock & J W Chapman (eds), Privacy: Nomos XIII (New York: Atherton Press, 1971), 1-26; Inness, supra n 576, 102ff.

[634] See, eg, Westin, supra n 355, 34-36.

[635] See, eg, R K Merton, Social Theory and Social Structure (New York/London: The Free Press, 1968), 429 (claiming that without privacy "the pressure to live up to the details of all (and often conflicting) social norms would become literally unbearable; in a complex society, schizophrenic behavior would become the rule rather than the formidable exception it already is").

[636] Westin, supra n 355, 36.

[637] See, eg, C Fried, "Privacy (A Moral Analysis)" (1968) 77 Yale LJ, 475, 484-485; R S Gerstein, "Intimacy and Privacy" (1978) 89 Ethics, 76-81; J Rachels, "Why Privacy is Important" (1975) 4 Philosophy & Public Affairs, 295, 329.

[638] Westin, supra n 355, 39.

[639] See further section 7.2.5.

[640] See further R C Post, "The Social Foundations of Privacy: Community and Self in the Common Law" (1989) 77 California L Rev, 957-1010 (arguing that the tort of invasion of privacy in US law does not simply uphold the interests of individuals against the demands of community, but safeguards rules of civility which constitute both individuals and community). See also D Feldman, "Privacy-related Rights and their Social Value", in P Birks (ed), Privacy and Loyalty (Oxford: Clarendon Press, 1997), 15, 22ff (arguing that privacy helps to define and defend fields of social co-operation). More generally, see J Rawls, Political Liberalism (New York: Columbia University Press, 1993), 319 ("[S]elf-respect depends upon and is encouraged by certain public features of basic social institutions, how they work together and how people who accept these arrangements are expected to (and normally do) regard and treat one another. [...] For our sense of our own value, as well as our self-confidence, depends on the respect and mutuality shown us by others. By publicly affirming the basic liberties citizens in a well-ordered society express their mutual respect for one another as reasonable and trustworthy, as well as their recognition of the worth all citizens attach to their way of life").

[641] See further B Schwartz, "The Social Psychology of Privacy" (1968) 73 American J of Sociology, 741-752, espec 742 ("Guarantees of privacy, that is, rules as to who may and who may not observe or reveal information about whom, must be established in any stable social system. [...] After a certain point the presence of others becomes irritating and leave taking, which is a mutual agreement to part company, is no less a binding agent than the ritual of meeting. In both cases individual needs (for gregariousness and isolation) are expressed and fulfilled in collectively indorsed manners. The dissociation ritual presupposes (and sustains) the social relation").

[642] Refer, eg, to the conformity-inducing potential of panopticism as described in Chapter 6 (section 6.3.1). See also Simitis, supra n 33, 733-734 ("the transparency achieved through automated data processing creates possibly the best conditions for colonization of the individual's lifeworld. Accurate, constantly updated knowledge of her personal history is systematically incorporated into policies that deliberately structure her behavior. [...] Where privacy is dismantled, both the chance for personal assessment of the political and societal process and the opportunity to develop and maintain a particular style of life fade").

[643] See, eg, K Lenk, "Information Technology and Society", in G Friedrichs & A Schaff (eds), Microelectronics and Society: For Better or For Worse (Oxford: Pergamon Press, 1982), 273, 284 (claiming that data protection is fundamentally about preventing "power gains of bureaucracies, both private and public, at the expense of individuals and of the non-organised sectors of society"). As is apparent from the above, I use the notion of "pluralism" to denote, on the one hand, diversity of opinion and lifestyle, and, on the other hand, broad distribution of power. See further section 7.2.5 below.

644 As is made clear in, ia, the Census Act decision of the German Federal Constitutional Court: see supra n 474. See also, ia, R Gavison, "Too Early for a Requiem: Warren and Brandeis were Right on Privacy vs. Freedom of Speech" (1992) 43 South Carolina L Rev, 437, 461-462; Napier, supra n 27, 100; Regan, supra n 572, chapt 8; B R Ruiz, Privacy in Telecommunications: A European and an American Approach (The Hague/London/Boston: Kluwer Law International, 1997), espec 10ff; E F Ryan, "Privacy Orthodoxy and Democracy" (1973) 51 Canadian Bar Rev, 84, 85. See further section 7.2.5 below.

[645] See generally the overview in Regan, supra n 572, chapts 2 & 8.

[646] Id.

[647] Common criticisms of privacy rights are that they entrench social hierarchies, promote insularity and intolerance, and permit deception and hypocrisy to flourish. Prominent examples of works in which various of these criticisms are advanced include those of Koen Raes (see supra n 425; "De skjulte dimensioner i rätten til privatliv" (1989) 12 Retfærd, no 45, 4-17), Richard A Posner (see espec "The Right to Privacy" (1978) 12 Georgia L Rev, 393-422; "Privacy, Secrecy and Reputation" (1979) 28 Buffalo L Rev, 1-55), and Anders R Olsson (see IT och det fria ordet - myten om Storebror (Stockholm: Juridik & Samhälle, 1996)). In Norway, see, eg, E Øyen, "Taushetspliktens sosiale funksjon", in A Kjønstad & E Øyen, Taushetsplikt i sosialsektoren (Bergen: Universitetsforlaget, 1980), 75-111; and G Benneche, Taushet. Vern eller maktmiddel? (Oslo: Institutt for Journalistikk, 1979). While some of these criticisms have a limited validity, they are frequently advanced in an overly blunt, simplistic manner. Concomitantly, they often fail to take adequately into account the fact that privacy rights co-exist with, and are balanced and modified by, a range of other rules, and that it is the function of privacy rights in the overall scheme of a legal system which is crucial for assessment of their effects.

[648] Regan, supra n 572. See also, ia, Ruiz, supra n 644, espec 54ff & 169ff, and Schwartz, supra n 536 (both scholars critically commenting upon the narrow, individualistic conceptualisation adopted by the US Supreme Court of the value of privacy).

[649] See, eg, J Habermas, Faktizität und Geltung. Beiträge zur Diskurstheori des Rechts und des demokratischen Rechtsstaates (Frankfurt am Main: Suhrkamp, 1992), 325ff and references cited therein; F Michelman, "Law's Republic" (1988) 97 Yale LJ, 1493, 1503ff and references cited therein.

[650] See, eg, S Simitis, supra n 356, 111 ("Die Datenschutzvorkehrungen signalisieren ... keineswegs den Rückzug in eine rechtlich abgesicherte, gleichsam vorstaatliche und aussergesellschaftliche Sphäre, sie formulieren vielmehr Voraussetzungen, unter denen die Funktionsfähigkeit einer auf die Partizipation des einzelnen gegründeten Gesellschaft erst hergestellt werden kann").

[651] P M Schwartz, "Privacy and Participation: Personal Information and Public Sector Regulation in the United States" (1995) 80 Iowa L Rev, 553, 560-561.

[652] Ibid, 561.

[653] Mallmann, supra n 22, 70-79. The other of these "Zielfunktionen" is protection of privacy: ibid, 16-69.

[654] H Burkert, "Data Protection and Access to Data", in P Seipel (ed), From Data Protection to Knowledge Machines (Deventer/Boston: Kluwer Law & Taxation Publishers, 1990), 49, 62. See also Burkert, "Data-Protection Legislation and the Modernization of Public Administration", supra n 366, 565.

[655] J N Druey, "`Daten-Schmutz' - Rechtliche Ansatzpunkte zum Problem der Über-Information", in E Brem, J N Druey, E A Kramer & I Schwander (eds), Festschrift zum 65. Geburtstag von Mario M. Pedrazzini (Bern: Verlag Stämpfli & Cie, 1990), 379-396.

[656] H-P Gassmann, "Probleme bei internationalen Datenflüssen und Gemeinsamkeiten des Datenschutzes in Europa", in R Dierstein, H Fiedler & A Schulz, Datenschutz und Datensicherung (Cologne: J P Bachem Verlag, 1976), 11, 13-15.

[657] Ot prp 92 (1998-99), 138. See also Et bedre personvern, NOU 1997:19, 164.

[658] For similar observations, see also Selmer, supra n 38, 25ff.

[659] See further Chapter 6 (section 6.2.3).

[660] See further, ia, section 7.2.5; Pseudonyme helseregistre, NOU 1993:22, 134-135, 172.

[661] See further section 7.2.5. Indeed, as demonstrated in that section, efforts to realise the values constituting adequate information quality can clash with realisation of data subjects' privacy, integrity and autonomy.

[662] Mallmann, supra n 22, 70.

[663] See, eg, A von Koskull, "Personvärn och personalrekrytering, eller transformation och skygglappar" (1996) Tidsskrift utgiven av Juridiska Föreningen i Finland, no 6, 391-433; P Blume, Persondatabeskyttelse i den private sektor - retspolitiske overvejelser (Copenhagen: Forlaget FSR, 1995), 17 (employing the term "personværn").

[664] See, eg, "Datapolitiske grunnholdninger for Den norske lægeforening" (1991) Tidsskrift for Den norske lægeforening, no 23, 2881-2887 (using the terms "personsikkerhet" and "integritet" instead of "personvern"). Some scholars tend to describe data protection issues in terms of "rettssikkerhet" (roughly corresponding to the notion of "rule of law") rather than "personvern". Thomas Mathiesen is such a scholar. See, eg, his criticism of the proposed establishment of a register over drug addicts in Norway due to the allegedly deleterious effects of the register on the addicts' interests in "rettssikkerhet": see Arbeiderbladet (Oslo), 13.2.1997, 6. When criticising the Schengen Information System, Mathiesen tends also to use "rettssikkerhet" where many others would use "personvern": see, eg, Mathiesen, Er Schengen noe for Norge? Et bidrag til europeisk politiforskning, Skriftserie no 54 (Oslo: Institutt for rettssosiologi, University of Oslo, 1996), 28, 34 & 49; Schengen - Politisamarbeid, overvåking og rettssikkerhet i Europa (Oslo: Spartacus, 1997), 32, 52. Cf his article, "Schengens femte dimensjon", Dagbladet, 9.6.1997, 48 (referring to "personvernproblemene" arising from the Schengen Information System). On the relationship between "rettssikkerhet" ("rule of law") and "personvern" (data protection), see Chapter 6 (section 6.4.1).

[665] See espec the definition of "personvern" given in R D Blekeli, "Hva er personvern?", in R D Blekeli & K S Selmer (eds), Data og personvern (Oslo: Universitetsforlaget, 1977), 21 ("Personvern kan i utgangspunkt sees som en mulig interesse fra enkeltpersoners side i å utøve kontroll med den informasjon som beskriver dem").

[666] See, eg, St meld 14 (1983-84), Datatilsynets årsmelding 1982, 15 ("Personvern kan være den interesse fysiske og juridiske personer har i å utøve kontroll med den informasjon som beskriver dem").

[667] K S Selmer, "Datatilsynets rolle i et komplisert samfunn", in E Djønne (ed), Datatilsynet: 10 år som personvernets vokter, CompLex 4/90 (Oslo: TANO, 1990), 59, 66 ("Personvern er først og fremst et vern for enkeltindividet mot at informasjonsbehandlingen i offentlig og privat administrasjon blir holdt skjult eller ellers foregår på måter som utsetter individet for nærmere bestemte farer, ulemper eller ubehag").

[668] Et bedre personvern - forslag til lov om behandling av personopplysninger, NOU 1997:19, 21 ("På et helt generelt plan kan personvernet sies å gjelde krav til behandling av personopplysninger når kravene er begrunnet ut i fra visse ideelle (ikke-økonomiske) interesser som en tillegger fysiske (og eventuelt juridiske) personer").

[669] See supra 587.

[670] Blekeli, supra n 598, 24.

[671] For a summary description of this body of law, see A Bratholm & B Stuevold Lassen, "Personlighetens rettsvern", in K Lilleholt (ed), Knophs oversikt over Norges rett (Oslo: Universitetsforlaget, 1998, 11th ed), 102-113. Bratholm observes in an earlier edition of this work that it is impossible to describe precisely the scope of "personlighetsrettsvernet": A Bratholm, "Personlighetens rettsvern", in B Stuevold Lassen (ed), Knophs oversikt over Norges rett (Oslo: Universitetsforlaget, 1993, 10th ed), 113, 126. In another article, Bratholm describes "personlighetsvern" as embracing protection against undue violation of a person's self-respect or dignity: A Bratholm, "Politiet og personlighetsvernet" (1968) LoR, 289, 289 ("personlighetsvernet omfatter det vern som den enkelte nyter mot at hans selvrespekt eller menneskeverd krenkes på en utilbørlig måte"). Bratholm offers this description of "personlighetsvernet" more as a "point of orientation" than as a definition. Selmer characterises "personlighetens rettsvern" in terms of legal protection from "influences which, from experience, lead to mental disturbance or overload": K S Selmer, "Bør vi få rettsregler om personlighetens rettsvern?" (1955) 24 Nordiskt Immateriellt Rättskydd, 1, 1 ("Rettsvern for personligheten foreligger overalt hvor en person kan påberope seg rettsregler som verner ham mot påvirkninger som erfaringsmessig fører til sjelelig ufred eller overlast"). With a slightly different, but essentially complementary, point of focus, Arnholm describes "personlighetsvern" as embracing "rules for protecting the individual from interference with his desire to lead his own life, alone and together with others, within the society he lives": C J Arnholm, Personretten (Oslo: Tanum, 1959), 83 ("reglene om hvordan den enkelte er sikret mot inngrep i hans ønsker om særliv og samliv innenfor det samfunn han lever i").

672 See, eg, s 390 (punishing violation of privacy caused by "public disclosure of information relating to personal or domestic affairs"), s 390b (punishing covert television surveillance of public areas or workplaces), s 121 (punishing breaches of statutory duties of confidence) and ss 246-247 (punishing defamation).

[673] See especially the decisions of the Norwegian Supreme Court reported in Rt 1952, 1217 and Rt 1991, 616. The first decision concerned plans for the public screening of a film that, though primarily fictional, was based around a set of crimes committed some twenty years earlier by two men. One of the latter - who had since served a prison sentence for the crimes, changed his name and begun a new life - sought an injunction against the planned screening of the film for fear that it would reveal his background and damage his attempt to embark on a new existence. The Court granted the injunction, finding that the film screening would breach non-statutory protection of the plaintiff's personality. In the second case, the Court found that video recordings made surreptitously by a snack-bar owner of the activities of a woman working in the snack-bar, were in violation of the non-statutory protection of her privacy. As a consequence, the Court refused to allow the recordings to be admitted as evidence in prosecution of the woman for embezzlement.

[674] See Schartum, "Mot et helhetlig perspektiv på publikumsinteresser i offentlig forvaltning? - Rettssikkerhet, personvern og service", supra n 550, 46 ("Til tross for slektskap er imidlertid forskjellen forholdsvis stor mellom det tradisjonelle "personlighetens rettsvern" og det moderne personvernet. Personvernteorien og personregisterloven kan langt på vei sies å ha tatt utgangspunkt i edb-teknologi og den datamaskinbaserte saksbehandling som i løpet av 1960-årene ble introdusert i offentlig forvaltning og i store private organisasjoner. Mens en ved å hevde det tradisjonelle "personlighetens rettsvern" forholdt seg til enkelthendelser vedrørende enkeltpersoner, forholder det moderne personvernet seg til systematisk forekommende beslutninger og hendelser vedrørende større deler av befolkningen"). The same point is made in Schartum, Rettssikkerhet og systemutvikling i offentlig forvalting, supra n 550, 71. See also Bing, supra n 374, 33 (claiming that the "personvern" concept "har å gjøre med det moderne informasjonssamfunnets teknologi - ikke med skandalepresse, nærgående fotografer eller dokumentarfilm. Det er først og fremst reaksjonen på automatisk behandling og sammenstilling av store mengder personopplysninger ... som betegnes av dette ordet").

[675] Den nasjonale forskningsetiske komité for medisin, Registrering, bruk og gjenbruk av genetiske data (Oslo: Norges forskningsråd, 1993), 12 ("Personvern dreier seg om etiske og rettslige normer som tar sikte på beskyttelse av individet både med hensyn til fysisk og psykisk integritet").

[676] Pseudonyme helseregistre, NOU 1993:22, 42 ("Personvern betyr i hovedsak vern om den personlige integritet").

[677] Id ("I vid forstand kan personvernbegrepet omfatte alt fra fysiske krenkelser til å bli blottstilt i massemedia ...").

[678] With respect to the judiciary, see, eg, Rt 1994, 51, 56 (in which the Supreme Court mentions the need to take account of "personvernet" in the context of a defamation suit) and Rt 1991, 616, 623 (in which the Supreme Court refers to "alminnelige personvernhensyn"). With respect to the bureaucracy, see the statement of the Ministry of Justice in St meld 33 (1994-95), Personvern og telekommunikasjon, 5 ("Personvern betyr i hovedsak vern om den personlige integritet. Tidligere snakket man gjerne om personlighetens rettsvern"). With respect to scholars, see H Jakhelln, Fjernarbeid: Noen sentrale rettsspørsmål ved nyere former for hjemmearbeid og arbeid utenfor arbeidsgiverens øvrige virksomhet, CompLex 5/96 (Oslo: Tano/Aschehoug, 1996), 150; O Tokvam, Personvern og straffeansvar - Straffelovens SS 390, CompLex 4/95 (Oslo: TANO, 1995), 9-11; A H Aarø, Arbeidstagers rett til personvern, espec sections 2.5.2-2.5.3 (undergraduate thesis, Law Faculty, Oslo University; to be published in the CompLex book series).

[679] K S Selmer, "Personvern og pasientvern", in Oppsøkende genetisk veiledning (Oslo: De nasjonale forskningsetiske komitéer, 1996), 39, 41 ("det er bare én side av `personvernet' i vid forstand som Datatilsynet har noe med å gjøre, nemlig den som knytter seg til registrering av personopplysninger i registre, og bruken av slike registre"). See also K S Selmer, "Oversikt over personregisterloven og Datatilsynets arbeid" (1992) Hefte for kritisk juss, no 4, 180, 181 (acknowledging that the notion of "personvern" is now used to cover everything that previously was expressed in terms of "personlighetens rettsvern").

[680] Rasmussen, supra n 555, 31-32.

[681] Id.

[682] See, eg, cases 81/532, 81/1479, 85/32, 87/625, 86/372, 87/792, 90/1601, 93/0185 & 94/2180, set out in Bygrave, supra n 65, 46-51, 79-81, 86-90, 130-132, 172-174, 190-192.

[683] Blekeli, supra n 665, 15 ("Personvern dreier seg ikke først og fremst om et objekt eller en gjenstand - den enkeltes personlighet - men om en relasjon. Den relasjon ... er forholdet mellom et individ og andre personer eller organisjoner som bruker opplysninger om dette individet"). See also J Bing, "Personvern og EDB: En internasjonal oversikt", in Den personliga integriteten: Föredrag vid den XX:e nordiska studentjuriststämman i Lund (Lund: Juridiska Föreningen i Lund, 1979), 49, 50 (" ... i forhold til EDB er det mer treffende å se personvern som en relasjon, som forholdet mellom det enkelte individ og andre personer eller organisasjoner som bruker opplysninger om dette individet").

[684] See, eg, Blekeli, supra n 609, 18-19; Offentlige persondatasystem og personvern, NOU 1975:10, 12; Selmer, supra n 609, 196.

[685] A fairly recent example of such a conceptualisation is found in a public lecture given by the current data protection commissioner of Norway, Georg Apenes, in 1993. According to Apenes, "personvern" involves "the passive acceptance of, or preferably active respect for, the individual's right of self-determination and right to a personal sphere about his/her person; a psychological and social, defined territory where the individual reigns supreme". See G Apenes, "Personvern kontra bedriftssikring - sikring av materielle verdier eller vern av personers integritet?", lecture held at a conference entitled "Sikkerhetsdagene" in Trondheim, 1.11.1993 ("personvern innebærer passiv aksept eller ... aktiv respekt for den enkeltes selvbestemmelsesrett og rett til en personlig sfære rundt sin person; et psykologisk og sosialt, definert territorium der individet hersker suverent").

[686] Thus, Blekeli views an interest in terms of "a specific will that may better the accordance between real events/objects and the normative specifications of the goal": Blekeli, supra n 598, 23; see also Blekeli, supra n 609, 20 ("Å ville noe bestemt som kan bedre samsvaret mellom mål og virkelighet, kaller vi å ha en interesse").

[687] See, eg, Blekeli, supra n 665, 21.

[688] Fuller descriptions of these three interests, along with the other interests commonly linked to the notion of "personvern" (see below), can be found in, ia, K S Selmer, "Innledning", in E Djønne, T Grønn & T Hafli, Personregisterloven med kommentarer (Oslo: TANO, 1987), 9, 13-15; Bing, supra n 374, 42-63; Schartum, Rettssikkerhet og systemutvikling i offentlig forvaltning, supra n 550, 51-71; and Et bedre personvern - forslag til lov om behandling av personopplysninger, NOU 1997:19, 24-26. For a short account of these interests in English, see J Bing, "Norway", supra n 58, 401-403.

[689] Blekeli, supra n 598, 26-27.

[690] See, eg, K S Selmer, "Det stramme samfunn", in R D Blekeli & K S Selmer (eds), Data og personvern (Oslo: Universitetsforlaget, 1977), 27, 32 (referring to "interessen i innsikt og deltagelse").

[691] See Bing, supra n 683, 61 ("Personvern er en interesse som jeg anser å være forankret i den interesse den enkelte har i å øve innflytelse på det grunnlag beslutninger om ham selv treffes på"). See also Blekeli, supra n 609, 34.

[692] Selmer, supra n 688, 14.

[693] See, eg, Bing, supra n 374, 42.

[694] See, eg, Selmer, supra n 688, 14-15.

[695] See, eg, Selmer, supra n 690, 35. Selmer is alone in reading the latter requirement of legality into the interest in citizen-friendly administration. In some subsequent descriptions of the interest, he omits the requirement: see, eg, Selmer, supra n 688, 14-15.

[696] For present purposes, it suffices to describe the legality principle as requiring clear legal authority for state measures that infringe upon citizens' autonomy, privacy and/or integrity. Admittedly, this description oversimplifies the principle, the content and ambit of which is much-debated in Norwegian legal discourse. For an instructive overview of various formulations of the principle, see I Hjort Kraby, "Hva er lov? - særlig om legalitetsprinsippet og faktiske handlinger" (1996) Jussens Venner, 145-160.

[697] See, eg, Selmer, supra n 688, 15.

[698] Id.

[699] See, eg, Selmer, supra n 479, 44 & 48.

[700] See, eg, Bing, supra n 374, 59-60.

[701] Note too that the interest catalogue has begun to be applied by some non-Norwegian jurists working in the field of privacy and data protection. See, eg, the work of the Finnish jurist, Anders von Koskull, supra n 663 (utilising the catalogue to analyse the rights and interests of prospective employees in the context of personnel recruitment).

[702] K S Selmer, "Datatilsynets kontroll med forvaltningen", in A Bratholm, T Opsahl & M Aarbakke (eds), Samfunn, Rett, Rettferdighet: Festskrift til Torstein Eckhoffs 70-årsdag (Oslo: TANO, 1986), 586, 593 (claiming that the interest catalogue provides a "suitable point of departure" for analysing applicable law pursuant to the PDRA). As already intimated, the interest catalogue is also used by the Data Inspectorate to explain what it means by "personvern" and to explain the basis for its decision making: see, eg, St meld 14 (1983-84), Datatilsynets årsmelding 1982, 15; St meld 15 (1996-97), Datatilsynets årsmelding for 1995, 8 ("Personvern kan være et svar på de interesser enkeltmennesker har i å kontrollere hvordan opplysninger om dem selv blir innhentet og brukt. Det kan være interesser knyttet til diskresjon, fullstendighet i opplysninger, opplysthet, en borgervennlig forvaltning, vern mot urimelig kontroll og maktmisbruk. Dette er utgangspunktet når Datatilsynet tar beslutninger som skal ivareta det enkelte menneskets personvern").

[703] See, eg, Selmer, supra n 702, 593-598 (detailing the way in which central elements of the interest catalogue manifest themselves in the PDRA's provisions and travaux préparatoires). See also Selmer, "Borgenes vakthund - Forvaltningens vokter", in G Hansen, E Erichsen, H Sørebø, T Hafli & E Djønne (eds), Mennesket i sentrum: Festskrift til Helge Seips 70-årsdag (Oslo: TANO, 1989), 145, 146-150.

[704] See, eg, Selmer, supra n 688, 13.

[705] See the references cited supra n 35.

[706] Selmer, "Borgenes vakthund - Forvaltningens vokter", supra n 703, 153 ("Dersom Datatilsynet i en serie av saker har valgt å legge vekt på et bestemt hensyn, og denne praksisen ikke blir stanset av overordnet myndighet eller [sic: this should read "etter"] klage, da er dette hensynet gått inn i den interessekatalogen som Datatilsynet med rette kan bygge på").

[707] Selmer, "Borgenes vakthund - Forvaltningens vokter", supra n 703, 154.

[708] See, eg, cases 86/372 & 87/792 presented in Bygrave, supra n 65, 86-90.

[709] Indeed, in at least one instance, the Ministry has put greater weight on this interest than has the Inspectorate: see case 94/2686 presented infra n 772.

[710] Hence, the explicit references to "legal persons" in several of the definitions of "personvern" set out above: see supra n 666 et seq.

[711] See, eg, Pseudonyme helseregistre, NOU 1993:22, 43 & 236 (pointing out the inadequacy of explicating "personvern" solely in terms of the above catalogue of interests, and solely in the context of decision-making processes: "it is not only when decisions are taken that it is necessary to have regard to "personvern"" ("Det er ikke bare når beslutninger fattes at det er nødvendig å ta hensyn til personvernet")). The same criticism is made by the Ministry of Justice in St meld 33 (1994-95), Personvern og telekommunikasjon, 5. See also K J Ims, Informasjonsetikk i praksis. Datasikkerhet og personvern (Oslo: TANO, 1992), 75 (commenting that fear of information use is just as important in relation to "personvern" as the actual use of information).

[712] See, eg, L A Bygrave & J P Berg, "Reflections on the Rationale for Data Protection Laws", in J Bing & O Torvund (eds), 25 Years Anniversary Anthology in Computers and Law (Oslo: TANO, 1995), 3, 38 (stating that the interest catalogue does not "come very far in defining in detail the values which are at stake when these interests have to be balanced against other interests, nor in defining the relative importance of these interests and values"); Rasmussen, supra n 555, 56 (claiming that the interest catalogue consists of "fragmentary analyses that have not given sufficient recognition to the relativisation of the weight of the interests in the drafting and interpretation of data protection rules" ("fragmentariske analyser som ikke i tilstrekkelig grad har tatt opp i seg relativisering av interessenes tyngde ved utformingen og tolkningen av personvernreglene")).

[713] See, eg, Hansen, supra n 128, 20 ("Fullstendighetsinteressen er en rent for snever formulering av en kvalitetsinteresse som personvernet bør omfatte").

[714] See, eg, Blekeli, supra n 598, 29-30; Bing, "Privacy and Surveillance Systems: Balancing Competing Interests", supra n 58, 403.

[715] Schartum, Rettssikkerhet og systemutvikling i offentlig forvaltning, supra n 550, 60.

[716] Samuelsen, supra n 355, 23-27.

[717] Arbeidsgruppe for fagetiske spørsmål ved Rådet for samfunnsvitenskapelig forskning i NAVF, Forskningsetikk og personopplysninger (Oslo: NAVF, 1979), 13-14.

[718] Pseudonyme helseregistre, NOU 1993:22, 43-44. See also I Mestad, "Velferdsstat, folkehelse og personvern" (1992) Hefte for kritisk juss, no 4, 204, 206-208.

[719] Mestad, supra n 718, 207.

[720] Bygrave & Berg, supra n 712.

[721] Ibid, 17.

[722] Ibid, 25.

[723] Cf ibid, 32 ("the interest in non-automated decision making is founded not simply on the possibility of machines making mistaken judgements; penultimately, the interest embodies a concern for personal integrity, and ultimately a concern for human dignity").

[724] Cf the terminology of the Norwegian Directorate of Public Management (Statskonsult), which describes this factor in terms of "identification quality" ("identifikasjonskvalitet"): supra n 462, 18. Also included under the term "identification quality" is the extent to which identification codes for each registered RWO are correct. Under my classificatory scheme, the latter characteristic is an aspect of the comprehensiveness of data.

[725] See generally Chapters 3 and 18 (sections 3.5 and 18.4.4).

[726] These three points are discussed in more detail in Chapter 18 (section 18.4.4).

[727] For an overview of these provisions, see Chapter 3 (section 3.6).

[728] For an overview of these provisions, see Chapters 3 and 18 (sections 3.6 and 18.4.4).

[729] A point recognised in, ia, para 77b of the Explanatory Memorandum to CoE Recommendation No R (97) 18 on the Protection of Personal Data Collected and Processed for Statistical Purposes: "[notification] is not just an essential ingredient of fair collection but is also a way of winning data subjects' trust so that they answer truthfully and the data are reliable. Fairness of collection and data quality are thus interconnected".

[730] It is well-known, for instance, that tax authorities' much-vaunted regimes for ensuring the confidentiality of income data supplied them is partly in order to generate such trust.

[731] See further Chapters 3 and 18 (sections 3.5 and 18.4.4).

[732] See Chapters 3 and 18 (sections 3.4 and 18.4.2).

[733] See Chapters 3 and 18 (sections 3.3 and 18.4.3).

[734] See further Chapter 18 (section 18.3.1).

[735] For an overview of such provisions, see Chapter 3 (section 3.8).

[736] Refer to the definition of privacy given in Chapter 1 (section 1.6).

[737] Cf Harris et al who term this interest as one of "self-identification": D J Harris, M O'Boyle & C Warbrick, Law of the European Convention on Human Rights (London/Dublin/Edinburgh: Butterworths, 1995), 307. The interest is especially actualised in relation to data about one's genetic make-up and, concomitantly, one's predisposition to illness. The interest is also especially actualised in relation to public registration of the gender of transsexuals. See, eg, the considerable amount of case law by the Strasbourg organs dealing with the latter issue pursuant to Art 8 of the ECHR. Overviews of this case law are given in, ia, Harris et al, ibid, 324-325; Bygrave, supra n 162, 281-282.

[738] See supra n 716 and accompanying text.

[739] This interest is the same as what Stanley Benn refers to as "privacies of attention"; ie, "the ability to exclude intrusions that force one to direct attention to themselves rather than to matters of one's own choosing". See S I Benn, "The Protection and Limitation of Privacy" (1978) 52 Australian LJ, 601, 608; S I Benn, A Theory of Freedom (Cambridge: Cambridge University Press, 1988), 288. Like the interest in non-information (described above), the interest in attentional self-determination is particularly actualised in the context of direct marketing.

[740] See the Final Report of the Bellagio Conference on Current trand Future Problems of Data Protection (held in Bellagio, April 1984), set out in D H Flaherty, "Nineteen Eighty-Four and After" (1984) 1 Government Information Quarterly, 431, 434.

[741] See D W Schartum, "Proportional Control?" (1997) 11 Int Rev of Law Computers & Technology, 107-116; Schartum, "Den kontrollerende forvaltning" (1997) 20 Retfærd, no 77, 51-66.

[742] Schartum employs this notion of control primarily in relation to measures for monitoring the legality of the actions of public authorities when the latter determine individual cases.

[743] See further Chapters 3 and 18 (sections 3.2 and 18.4.1).

[744] See further Chapter 3 (section 3.7).

[745] See, eg, Art 6(1)(c) of the EC Directive set out in Chapters 3 and 18 (sections 3.3 and 18.4.3).

[746] See further Chapter 18 (section 18.4.3).

[747] For an overview of such rules, see Chapter 3 (section 3.6).

[748] See, eg, Chapter 3 (section 3.6).

[749] As the wording of s 7(1) indicates, it is the health and inter-personal relationships of the data subject that are primarily protected by the provision, not the data subject's self-conception. See also the travaux préparatoires (especially Ot prp 27 (1968-69), 42-43) to s 19(1)(c) of the Administrative Procedures Act of 1967 (lov om behandlingsmåten i forvaltningssaker av 10 februar 1967 - hereinafter "APA") upon which s 7(1) is based. However, the provision does afford indirect protection of a data subject's self-conception. See also Offentlige persondatasystem og personvern, NOU 1975:10, 67 ("Den enkelte kunne få en helt uriktig forestilling om sin egen sykdomsrisiko om han får kjennskap til registerinnholdet" (emphasis added)). Almost identical provisions to s 7(1) of the PDRA are found in the data protection legislation of Finland (see s 12(1)(2) of the 1987 Act and s 27(1)(2) of the 1999 Act) and Denmark (see s 13(4) of the Public Authorities' Registers Act, s 7a(2) of the Private Registers Act, and s 30(1) of the proposed new legislation).

[750] Law Nr 2472/97 of 10.4.1997.

[751] This latter provision echoes recital 42 of the EC Directive: see infra n 754. A similar provision is found in Art 8(3) of the Swiss federal Data Protection Act.

[752] With respect to practice of the Norwegian Data Inspectorate and Ministry of Justice, see, eg, cases 86/372 & 87/792 presented in Bygrave, supra n 65, 86-90. Here, the Inspectorate and Ministry set limits on both the number and form of attempts by researchers to contact certain groups of potential survey respondents - in the one case, former patients of a psychiatric clinic; in the other case, former clients of child-welfare agencies. With respect to the latter group, for example, the Inspectorate held: "Det er ... av betydning at et direkte `gjensyn' med fortiden kan virke unødig opprivende for den enkelte, særlig i tilfeller hvor den enkelte nå kan være i en sosial situasjon hvor den tidligere barnevernomsorgen er et bearbeidet/tilbakelagt stadium i ens liv".

753 ETS No 164; not yet in force. Some countries also have biotechnology legislation providing, in effect, this sort of right with respect to the results of genetic testing: see, eg, ss 6-4 & 6-7 of Norway's Medical Use of Biotechnology Act (Lov om medisinsk bruk av bioteknologi av 5 august 1994 nr 56).

[754] "Whereas Member States may ... for example, specify that access to medical data may be obtained only through a health professional".

[755] See espec Art 14(b) of the EC Directive, set out in Chapter 18 (section 18.4.5). Note also Art 12(1) of the EC Directive on telecommunications privacy which states that "use of automated calling systems without human intervention (automatic calling machine) or facsimile machines (fax) for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent".

[756] See Chapter 2 (section 2.3).

[757] See Chapter 3 (section 3.8).

[758] To take one example, the policies of Australia's federal Privacy Commissioner with respect to regulating the data-matching practices of government agencies are partly grounded on recognition of the fact that "data-matching tends to increase the level of information surveillance of the population at large by Government bodies": Privacy Commissioner, Regulation of Data-Matching in Commonwealth Administration - Report to the Attorney-General (Sydney: Privacy Commissioner, September 1994), 5.

[759] Supra n 740.

[760] See espec the comments of the German Federal Constitutional Court in its Census Act decision, cited supra n 474.

[761] Simitis, supra n 102, para 18.

[762] See the preamble to the CoE Convention ("Considering that the aim of the Council ... is to achieve greater unity between its members, based in particular on respect for rule of law ..."), and para 11 of the Explanatory Memorandum to Recommendation No R (91) 10 on the Communication to Third Parties of Personal Data Held by Public Bodies (adopted 9.9.1991) ("the drafters of the recommendation are seeking to emphasise that a legal framework is essential before any communication may be effected. In so doing, they are seeking to avoid the existence of a grey zone, or a situation between law and non-law, wherein vague administrative practices or policies operate"). Note too that a clear concern for upholding the rule of law in the context of data-processing practices is demonstrated in the case law developed pursuant to Art 8(2) of the ECHR: see further Bygrave, supra n 162, 270ff.

[763] See, eg, the line taken by the Norwegian Data Inspectorate and Ministry of Justice in case 91/1563 (set out in Bygrave, supra n 65, 126-129). In this case, the Inspectorate and Ministry prohibited a data-matching operation that would have involved exclusively retrospective control of welfare entitlements, but allowed instead control measures that operate in advance of entitlements allocation.

[764] See Et bedre personvern - forslag til lov om behandling av personopplysninger, NOU 1997:19, 169 ("I vurderingen av om det er nødvendig å sette vilkår ... bør det blant annet tas i betraktning om ... det er planlagt informasjons- og veiledningstiltak som står i et rimelig forhold til kontrolltiltak"). However, the 1999 Bill for a new Norwegian data protection law omits such a provision: see Ot prp 92 (1998-99). Nevertheless, the relevant provisions of the Bill (see ss 34-35) are sufficiently open-ended to permit the type of assessment referred to in s 35(2)(4) of the draft Bill. Note also Ot prp 92 (1998-99), 130: "Eksemplene på vilkår og vurderinger som fremgår av ... [Skauge-]utvalgets SS 35 vil likevel fremdeles kunne være relevante".

[765] I am indebted to Dag Wiese Schartum for this point. The concept of "abstract profile" is explained in Chapter 17 (section 17.2).

[766] See supra n 490 and references cited therein.

[767] See also Chapter 6 (section 6.4.1).

[768] See Chapter 6 (section 6.2).

[769] On the relationship between data security and data protection, see Chapter 1 (section 1.6).

[770] This clash of interests is well-illustrated in two cases handled by the Norwegian Data Inspectorate and Ministry of Justice: see cases 92/2967 & 93/1619, set out in Bygrave, supra n 65, 170-171. Both cases concerned applications from mobile telephone companies for permission to reference their customer data using the unique "birth number" ("fødselsnummer") assigned every individual by the State. The companies pointed out that use of such numbers would ensure correct identification of customers, thereby reducing the possibility of fraud and cases of mistaken identity. The Inspectorate refused permission, holding that registration of the numbers was not objectively justifiable pursuant to s 6(1) of the PDRA. On appeal, the Justice Ministry upheld the Inspectorate's decision on the grounds that "increased use of birth numbers will be perceived by many to be a violation of integrity" ("økt bruk av fødselsnummer vil for mange oppfattes som en integritetskrenkelse"). At the same time, though, the Ministry acknowledged that registration of the numbers would enhance the quality of the customer data.

[771] As illustrated by case 92/2899 dealt with by the Norwegian Data Inspectorate and Ministry of Justice: set out in Bygrave, supra n 65, 136-140. In this case, Norway's principal telecommunications service provider (Televerket, now Telenor) sought permission to register and store more detailed data on telephone calls in order, ia, to give subscribers a better picture of the basis for their respective telephone bills. Permission was refused by the Inspectorate mainly for fear that the planned system would be detrimental to the interests in autonomy and pluralism. The Justice Ministry overturned the Inspectorate's decision on appeal, expressing confidence that the system would not have the effects predicted by the Inspectorate.

[772] Again, this point is illustrated by a case dealt with by the Norwegian Data Inspectorate and Ministry of Justice: see case 94/2686, set out in Bygrave, supra n 65, 213-216. The case involved an application by a criminologist for permission to register, for research purposes, personal data extracted from police files on persons charged with receiving stolen property. The Inspectorate decided to allow registration only upon the basis of prior consent by each data subject. On appeal, the Justice Ministry overturned the Inspectorate's decision, partly on the ground that requiring the criminologist to contact the data subjects in order to ask for their consent would violate their "integrity".

[773] See, eg, Arts 1(1) and 7(f) of the EC Directive.

[774] See, eg, s 7(1) of the PDRA noted above in relation to group 2 interests. In a somewhat parternalistic fashion, this provision gives priority to the interest in protecting self-conception at the expense of the interest in informational self-determination and its sub-interest in attentional self-determination.

[775] See further Rasmussen, supra n 555, 66-70.

[776] See, eg, the data protection policies of Bell Atlantic (available at URL <http://www.bellatlantic.com/about/privacywww.htm> (last visited 30.5.1999)), The McGraw-Hill Companies (available at URL <http://www.mcgraw-hill.com/ corporate/news_info/privacy.html> (last visited 30.5.1999)), and the Information Industry Association of the USA (available at URL <http://www.infoindustry.org/ privacy.htm> (last visited 30.5.1999)). It is noteworthy that development of these policies has not been specifically required under US law.

[777] Belgian case law offers two graphic examples of such action. Both examples concerned plaintiff commercial actors (in the one case, two federations of insurance agents; in the other case, a financial credit bureau) instituting actions before the Tribunals of Commerce in Antwerps and Brussels respectively. The actions were brought against other commercial actors (in both cases, banks) for engaging in unfair competition occasioned by the banks' use of a particular strategy for marketing their services at the expense of similar services offered by the plaintiffs. In both cases, the strategy in dispute involved the banks analysing data on their clients which they had acquired in the course of normal banking operations, to offer the clients certain financial services (in the one case, insurance; in the other case, mortgage loans) that undercut the same sorts of services already received by the clients from the plaintiffs. The plaintiffs claimed that the strategy incurred breach of the purpose specification principle laid down in s 5 of the Belgian data protection law and that this breach also resulted in violation of doctrines on fair competition. The judges found for the plaintiffs in both cases. See Aff OCCH v Générale de Banque, decided by the Tribunal de commerce de Bruxelles, 15.9.1994; Aff Feprabel et Fédération des courtiers en Assurances v Kredietbank NV, decided by the Tribunal de commerce d'Anvers, 7.7.1994. Both cases are reported in, ia, (1994) Droit de l'informatique et des télécoms, no 4, 45-55. For a short commentary on the cases, see ibid, 55-62.

[778] Cf A F Westin & M A Baker, Databanks in a Free Society: Computers, Record-Keeping, and Privacy (New York: Quadrangle Books, 1972), 295 ("There is a fundamental conflict ... between the managerial perspective on record error and that of the individual. Talk about `acceptable' levels of error is hardly satisfactory to the individual if a mistake adversely affects his benefits, rights, or opportunities, and if there are not direct and reasonable ways to correct such errors").

[779] The interest in operational efficiency, for instance, lies latent in the interests in group 1 of the catalogue, while the interest in freedom of expression lies latent in several of the interests in group 2 (particulary the interests in democracy, pluralism and autonomy).

[780] See, eg, Art 13 of the EC Directive, permitting derogation from central obligations and rights in the Directive insofar as is necessary to safeguard, ia, "national security", "defence" or "public security".

[781] See, eg, s 29(a) of Australia's federal Privacy Act which states that, in carrying out his or her functions, the Privacy Commissioner is to "have due regard for the protection of important human rights and interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the right of government and business to achieve their objectives in an efficient way".

[782] See, eg, s 10 of Norway's PDRA which provides, ia, that when the Data Inspectorate assesses an application for a license to set up a personal data register it shall give due consideration to whether or not problems which are caused for the individual person by the proposed register and which cannot be solved satisfactorily by rules prescribed under s 11 of the Act, "are outweighed by such considerations as favour the establishment of the register" (emphasis added).

[783] Rule et al, supra n 378, espec 71ff. A condensed version of the points made in the The Politics of Privacy is found in Rule et al, supra n 377, 65-87. Note that Rule et al employ the term "surveillance" to denote "the systematic monitoring of personal data ... for all sorts of purposes, both helpful and coercive": supra n 378, 47.

[784] Ibid, 71 ("By this criterion, surveillance is considered acceptable provided that four conditions are met: first, that personal data are kept accurate, complete and up to date; second, that openly promulgated rules of `due process' govern the workings of data systems, including the decision-making based on the data; third, that organizations collect and use personal data only as necessary to attain `legitimate' organizational goals; fourth, that the people described in data files have the right to monitor and contest adherence to these principles").

[785] Id.

[786] Ibid, 69.

[787] See, eg, the Norwegian data protection regime as described in Chapter 18 (section 18.4.7).

[788] See Chapter 2 (section 2.3). A useful account of the gradual shift in the motives for enacting data protection laws is provided in J A Cannataci, Privacy and Data Protection Law: International Developments and Maltese Perspectives, CompLex 1/87 (Oslo: Norwegian University Press, 1986), 90-100.

[789] See Chapter 6 (section 6.3.2).

[790] See Bygrave, supra n 10, 138 and references cited therein.

[791] See Longworth & McBride, supra n 337, 19ff and references cited therein.

[792] See supra n 509 and references cited therein. Note also the European Commission press release of 25.7.1995 (IP/95/822) accompanying adoption of the EC Directive (citing, ia, comments by Commissioner Mario Monti to the effect that "[t]he Directive will ... help to ensure the free flow of Information Society services in the Single Market by fostering consumer confidence ...").

[793] For a critique of Australia's federal Privacy Act in light of the latter point, see Bygrave, supra n 10.

[Previous] [Next] [Title]