AustLII [Home] [Help] [Databases] [World Law] [Feedback] PLPR Home Page

Privacy Law and Policy Reporter

[Global Search] [PLPR Search] [PLPR Homepage] [Contents] [Help]

Where have all the judges gone? Reflections on judicial involvement in developing data protection law - Part 1

Lee A Bygrave

In this day and age, when alternative dispute resolution (ADR) is all the rage, it seems rather quaint to pose the question opening the title of this article. Indeed, one might well invite ridicule were the question to be voiced in any way that bespeaks a wistful yearning for judges. For these days, the courts are often viewed as cumbersome, bumbling behemoths that should be bypassed for ostensibly faster, cheaper, more flexible and more sector specific systems of adjudication. So, in answer to the above question, many acolytes of ADR would reply, ‘Who cares where all the judges are? And good riddance to them too if they’re not around!’.

In this article, I want ultimately to reflect on the propriety of such a reply. On the way to doing so, it is necessary to first elaborate on just where the judges are and have been in the context of data protection law.

Judicial involvement — the state of play

As a starting point, we find that in many countries, court involvement in interpreting and applying data protection statutes has been minor, if not marginal. There seem to be few judicial decisions in which the interpretation of such legislation figures centrally. This is not a unique feature of data protection law but it is certainly striking.

In Norway, for example, there has only been one instance — over a period of two decades — in which an appeal from a decision of the country’s data protection authority, the Data Inspectorate, has been treated by the courts.[1] Apart from that case, only one other notable example exists of judicial commentary on Norway’s main piece of data protection law, the Personal Data Registers Act (PDRA) of 1978.[2] In neither case can the court decisions be characterised as ground-breaking or even significantly helpful for interpretation and application of the PDRA.[3]

Such a state of affairs is not unique to Norway. In Australia, there has not been a single case of a court directly interpreting aspects of the Privacy Act 1988 (Cth). In Denmark, there have only been three cases in which a court has handled an appeal stemming from a decision of the country’s data protection authority.[4] In the UK, only a handful of court decisions have arisen which address the proper application of the 1984 or 1998 Data Protection Act.[5]

There are exceptions to this pattern. For example, application of the US federal Privacy Act of 1974 has given rise to relatively extensive court litigation.[6] This is not surprising given the absence in the US of an independent data protection authority and the weakness of alternative oversight bodies.[7] At the same time, the courts’ ability to influence the way in which US federal government agencies implement the provisions of the Privacy Act has been severely restricted. The range of remedies given to courts pursuant to the Act is narrow.[8] A federal court can only issue enforcement orders relating to the exercise of a person’s rights to access and rectify information relating to him or herself. A court can also order relief for damages in limited situations, but it cannot otherwise order agencies to change their data processing practices. This effectively marginalises the role of the US judiciary when it comes to ensuring implementation of large swathes of the Privacy Act provisions.

Why have courts often taken a backseat in the interpretation and application of data protection laws? There are several factors here. One important factor has to do with the existence and regulatory strategies of data protection authorities. In dealing with complaints, these authorities often put weight on conciliation rather than confrontation,[9] and this approach tends to head off court litigation.

Another important factor is that, in some countries, appeals from decisions of data protection authorities or complaints which authorities fail to resolve do not go directly to ordinary courts for adjudication but to other quasi-judicial bodies first. Examples of such bodies are the Complaints Review Tribunal in New Zealand and the Data Protection Tribunal in the UK. Appeals from these bodies to the courts can only be on a question of law (as opposed to fact). In some other countries, appeals from decisions of the data protection authorities have been handled first by an ordinary government department, with the possibility of further appeal to the courts being restricted to questions of law. This has been the case in Norway where appeals from the Data Inspectorate have usually gone to the Ministry of Justice.

There are also jurisdictions where the possibility for court appeal from the decisions of the national data protection authority has been largely eliminated. This is the case, for example, under Australia’s federal Privacy Act with respect to determinations by the Privacy Commissioner of complaints against federal government agencies.[10] Insofar as the Act regulates the activities of other bodies, provision is made under s 55 for the Federal Court to institute hearings de novo of complaints with respect to such activities, though only in the context of enforcing complaint determinations by the Commissioner. Enactment of the Privacy Amendment (Private Sector) Bill 2000 (Cth) is unlikely to result in significantly increased court involvement in interpretation and application of the Act, as the Bill does not provide for a direct right of appeal to the courts (or any quasi-judicial body) from decisions of either the Privacy Commissioner or any of the complaint bodies to be set up under envisaged sectoral codes of practice.[11]

A range of other factors also play a role in reducing court involvement. For instance, in many countries, courts have a long and well known tradition of refusing to overturn decisions of administrative agencies when the matter in dispute turns on the exercise of the agency’s discretionary powers. The extent of such powers is often considerable under data protection laws.[12] Of course, to a significant extent, innovative and enterprising courts can work their way past the barriers to judicial review which are posed by the exercise of broad administrative discretion. Courts can also sometimes work their way around similar barriers posed by the question of fact/question of law distinction. Nevertheless, courts are often reluctant to push against the outer boundaries of their review powers. This reluctance is not necessarily just due to a belief that pushing against these boundaries is legally improper; sometimes it is due also to the courts already being burdened by large caseloads.

Finally, there are factors that arguably relate more to the broad cultural characteristics of a particular jurisdiction than to strictly legal matters. For instance, the corporate cultures of some countries — Norway is a pertinent example here — are relatively unlitigious and unaggressive in exploiting or testing legal rights and obligations. In other words, these cultures lack a corporate push to carry appeals up through the administrative/legal hierarchy.

Nevertheless, courts in some countries have played a significant role in steering the direction of data protection laws. The most notable case is the landmark decision of 15 December 1983 by the German Federal Constitutional Court.[13] This ruling struck down parts of the federal Census Act for lack of data protection guarantees. In the process, the Court found a right to ‘informational self-determination’ pursuant to arts 1(1) and 2(1) of the Federal Republic’s Grund-gesetz. The decision helped stimulate efforts to revise and strengthen Germany’s federal data protection legislation.

At an international level, we should not overlook the case law of the European Court of Human Rights (ECtHR) pursuant to art 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) of 1950. Over the last 15 years or so, and with increasing intensity, the ECtHR has helped make plain and clear where the principal formal normative underpinnings of European data protection laws lie — they lie in the field of human rights, more specifically in the ambit of the right to respect for private life stipulated in art 8 of the ECHR.[14] In this way, the Court has helped influence the way we conceptualise data protection laws, at least within a trans-European context. However, the Court has also helped to highlight the close relationship between traditional rule of law doctrines and the central principles of data protection laws.[15] For example, the principles of purpose specification, transparency and information quality which we find in most data protection laws can and should be seen as promoting the certainty and foreseeability of data processing outcomes and thereby reducing arbitrariness.

At the same time, the case law of the ECtHR has helped to show that the provisions of art 8 of the ECHR can function as an important data protection instrument in their own right. It is questionable, though, just how much art 8 — and similar provisions in other international human rights treaties — add to the more specific data protection instruments. The case law pursuant to art 8 touching upon data protection is now relatively extensive. In that case law, the Strasbourg Court has inched towards a recognition of various data protection guarantees in art 8.[16] Nevertheless, the Court has made few references to the requirements found in the laws dealing specifically with data protection.

Further, while the data protection case law on art 8 is considerable, it is also somewhat confusing. The confusion arises largely because of the frequent failure by the ECtHR to indicate exactly which elements of the contested data processing practices have constituted an interference with respect to art 8(1). Too often the Court has failed to make clear exactly which element of the contested data processing practice has interfered with the right under art 8(1); too often has there been a concomitant failure to describe the threatened interest.[17]

Moreover, much of the case law concerns data processing in a rather special context (that is, secret surveillance activities by police or intelligence agencies), while virtually none of it deals with private entities’ data processing practices. Indeed, the issue of whether or not art 8 provides protection against the data processing activities of private bodies has still not been conclusively determined by the ECtHR. While it is extremely doubtful that the Court would refuse to construe art 8 as providing some measure of protection against the data processing activities of private bodies, the exact extent of such protection to be afforded is uncertain.[18]

The case law of the ECtHR pursuant to art 8 will probably continue to have most direct impact on the data processing practices of police and state intelligence agencies. This is particularly because the practices of these agencies formally fall outside the scope of the EC Directive on data protection.[19] The important practical contribution of the ECtHR in this respect will continue to be elaboration on the procedural safeguards for individuals with respect to data processing by such agencies. We already see that these elaborations are having an effect on mainstream data protection discourse. For instance, the Data Protection Working Party established pursuant to art 29 of the EC Directive on data protection makes extensive reference to art 8 case law in its Recommendation 2/99 on the respect of privacy in the context of interception of telecommunications, adopted on 3 May 1999.[20]

We should not underestimate the impact of case law more generally on the development of data protection law. Case law stretching across a broad range of fields — from judicial review of government decision-making to defamation to duties of confidence to trespass to copyright — has fertilised the ground for planting the seeds of law on data protection. It has also provided some of these seeds.[21]

It would be wrong, though, to characterise courts as uniformly interested in, or enthusiastic about, protecting the basic interests promoted by data protection law. Contrast, for example, the reluctance of courts in the UK and Australia to develop or recognise a specific right of privacy under common law with the eagerness of US courts to embrace such a right.[22]

This difference in judicial attitudes — and the possible reasons for the difference — make up one of the most fascinating aspects of the ‘prehistory’ of data protection law. A large variety of claims abound as to why these differences emerged.[23] I shall not dwell on these claims here; suffice to note that even though these differences surfaced during the prehistory of data protection law, they are still bound to have an impact on judicial decision-making today and in the future. It will be interesting to see, for example, how English judges’ traditional dislike for concepts like privacy which are nebulous, potentially far reaching and difficult to box neatly, will carry over to their decision-making on the privacy right that is in the process of being incorporated, along with the rest of the European Convention on Human Rights, into English law.[24]

The other point we should take with us in relation to the attitudes of English and Australian courts is that they helped create a need for data protection legislation. The steadfast refusal of these courts to develop a specific right of privacy under common law, together with their concomitant steadfast adherence to the doctrine of parliamentary supremacy, resulted in an ad hoc, interstitial protection of informational privacy under Anglo-Australian common law. This helped create, in turn, a need for relatively comprehensive data protection legislation in both jurisdictions. Parallels to this dynamic can arguably be found also in other jurisdictions — such as the Netherlands — where courts were slow or sporadic in protecting privacy interests.[25]

All of the judicial activity outlined above still does not discount the fact that courts have generally been on the sideline when it comes to interpreting and applying laws dealing specifically with data protection. The question that we now must raise is whether this sidelining of the judiciary has any problematic consequences.

Lee A Bygrave, Research Fellow, Norwegian Research Centre for Computers and Law.In the second part of this article in PLPR 7(2), Dr Bygrave will discuss ‘Problematic consequences of marginalising the judiciary’ and ‘The EC Directive to the rescue?’.

[1] See the decisions of the Norwegian Supreme Court and Oslo City Court in the so called ‘psychosis-register’ case of 1994: Norsk Retstidende (Rt) 1994, 691. Even in that instance, the judicial proceedings in the matter were only indirectly linked to the complaints process in which the Data Inspectorate was involved.

[2] See the decision of the Supreme Court in the so called ‘snack-bar’ case of 1991: Rt 1991, 616.

[3] In the ‘psychosis-register’ case, the provisions of the PDRA were touched upon only very briefly, with the Supreme Court making the (obvious) point that registration of personal data in violation of a legal duty of confidence would be unlawful even if the registration is licensed pursuant to the PDRA. The Court went on to hold that such data can rightfully be erased without regard to the other conditions for erasure stipulated by the Act: Rt 1994, 698. In the ‘snack-bar’ case, the Supreme Court was called upon to assess the lawfulness of video recordings secretly made by a snack-bar owner of his employees working in the bar. In the course of its assessment, the Court expressed some doubt that the video recordings constituted a ‘personal data register’ pursuant to the PDRA: Rt 1991, 622. The Court’s comments, though, were strictly obiter dicta.

[4] According to an email of 26 January 1999 sent to me from a Danish expert in data protection, Peter Blume. He adds that there might be one or two other court cases that he does not know of but that, in any case, Danish courts have played and continue to play a marginal role in this area of law.

[5] See Chalton S N L, Gaskill S J and Sterling J A L (eds), Encyclopedia of Data Protection London 1988-1997, vol 2, pt 6. The 1984 Act has now been repealed with the entry into force in March 2000 of the 1998 Act.

[6] See generally Schwartz P M and Reidenberg J R Data Privacy Law: A Study of United States Data Protection Charlottesville Virginia 1996, ch 5.

[7] As above, p 118 and following (reviewing the efficacy of these alternative bodies).

[8] As above, p 100, 114 and following (describing these remedies and their effectiveness).

[9] My impressions here are based on perusal of the annual reports issued by the data protection authorities of Australia, Denmark, Norway, Switzerland and the UK. See also the detailed description of enforcement practices in Sweden, France, Germany and Canada provided by David Flaherty in his work Protecting Privacy in Surveillance Societies Chapel Hill London 1989.

[10] See s 58 of the Act. A limited right of appeal to the Administrative Appeals Tribunal for review of orders on compensation and expenses is provided for under s 61 (though government agencies may only appeal if permitted by the federal Attorney-General).

[11] Judicial review of the Commissioner’s decisions could always be sought pursuant to the Administrative Decisions (Judicial Review) Act 1977 (Cth) but such review will not address the merits of the Commissioner’s policy choice except insofar as an error of law is involved. At the same time, a respondent to an unfavourable complaint determination made under the Privacy Act could effectively obtain full judicial review of the determination by simply refusing to abide by it, as court enforcement of the determination may only occur on the basis of a Federal Court hearing de novo of whether the respondent has breached the complainant’s privacy (see proposed new s 55A(5) of the Privacy Act). Unfortunately, the Privacy Amendment (Private Sector) Bill 2000 does not afford complainants with a similar review possibility. See further Greenleaf G, ‘Submission on the Privacy Amendment (Private Sector) Bill 2000’ 14 May 2000, at <>.

[12] See, for example, s 72 of Australia’s federal Privacy Act (dealing with the federal Privacy Commissioner’s power to make ‘public interest’ determinations); ss 10–11 of Norway’s Personal Data Registers Act (dealing with the Data Inspectorate’s power to authorise establishment and running of personal data registers); and cl 3, Fourth Schedule to New Zealand’s Privacy Act 1993 (dealing with the power of the Privacy Commissioner to approve certain aspects of data matching).

[13] See 65 BverfGE (Entscheidungen des Bundesverfassungsgerichts), 1.

[14] See generally Bygrave L A ‘Data Protection Pursuant to the Right to Privacy in Human Rights Treaties’ (1998) 6 International Journal of Law and Information Technology, 247 at 254 and following.

[15] As above at 270 and following.

[16] As above at 254 and following.

[17] As above at 269.

[18] As above at 257-9 and references cited therein.

[19] See art 3 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[20] Available at <>.

[21] See further Bygrave L A, Data Protection Law: Approaching Its Rationale, Logic and Limits Oslo 1999, ch 6, section 6.4.1.

[22] See for example Brittan L, ‘The Right of Privacy in England and the United States’ (1963) 37 Tulane L Rev, 235–268; Dworkin G, ‘Privacy and the Law’, in Young J B (ed), Privacy Chichester 1978, pp 115 and following.

[23] See, for example Martin J and Norman A R D, The Computerized Society Englewood Cliffs New Jersey 1970, p 468 (claiming that the social need to develop a right to privacy at common law was not as great in the UK as it was in the US); Napier B W, ‘International Data Protection Standards and British Experience’ (1992) 1 Informatica e diritto 83 at 85 (attributing the non-development of a right to privacy in English common law to the ‘narrow-mindedness’ of English judges).

[24] See Human Rights Act 1998 (UK), fully in force on 2 October 2000.

[25] See further de Graaf F, Rechtsbescherming van persoonlijkheid, privéleven, persoonsgegevens Utrecht 1977.

[Global Search] [PLPR Search] [PLPR Homepage] [Contents] [Help]