AustLII [Home] [Help] [Databases] [World Law] [Feedback] PLPR Home Page

Privacy Law and Policy Reporter

[Global Search] [PLPR Search] [PLPR Homepage] [Contents] [Help]


Where have all the judges gone? Reflections on judicial involvement in developing data protection law – Part 2

Lee A Bygrave

In the first part of this article in PLPR vol 7(1), Dr Bygrave considered the extent of judicial involvement in the development of data protection law around the world.

Problematic consequences of marginalising the judiciary

The paucity of court decisions touching directly on data protection laws hampers our ability to arrive at firm conclusions on the proper interpretation of such legislation. This ability is already hampered by the diffuse formulation of many of these laws’ provisions, a difficulty frequently compounded by sparse and/or nebulous commentary in the preparatory works and explanatory memoranda for the laws.

In particular, there is an urgent need for rulings by the European Court of Justice on the EC Directive on data protection. The Directive is intended to steer the legislative strategies of a large number of countries, yet many of its provisions are difficult to comprehend. Some national case law is starting to emerge which touches on how to properly construe certain provisions of the Directive but, to my knowledge, this hardly amounts to more than a trickle. A lonely example is the case of R v Department of Health; ex parte Source Informatics Ltd,[1] decided by the UK Court of Appeal on 21 December 1999. Among other things, the Court had to consider if the action of anonymising sensitive data fell within the Directive’s definition of data ‘processing’, such that the anonymisation process itself has to meet the conditions laid down in art 8 of the Directive. Taking a purposive approach, the Court sensibly held that the Directive does not set limitations on anonymisation of data in this way. Again, though, this decision is hardly groundbreaking.

Also of concern is that the marginalisation of courts contributes to a marginalisation of data protection law. It is my impression that data protection laws figure little in the consciousness of most lawyers. I do not think this is because lawyers generally believe that little money is to be gained from expertise in the field relative to other legal areas; I think it has more to do with the scarcity of case law of the type with which lawyers are most comfortable. The scarcity of such case law helps give data protection law a dull if not ‘poor cousin’ status relative to the apparently more glamorous and litigation intensive areas of law like defamation, trade secrets and the like. This poor cousin status means, in turn, that data protection laws are poorly understood by the majority of lawyers and citizens (further reinforcing their poor cousin status). It could be argued that this status also detracts from the general authority of, and respect for, data protection law in the community. I am uncertain if this argument has any merit but it is worth keeping in mind.

What is more problematic is that the marginalisation of courts reduces their ability to function as a corrective to the development of data protection law and policy. To some extent, data protection authorities and data protection advocates generally constitute a club. It is quite a cosy club, even though tensions do exist (for example, between some of the advocates on the one hand and the data protection authorities on the other). In such a situation, there is a great risk that the members of this club will develop rather narrow mindsets. There is also a risk that they will start assuming too much. Courts, which are normally outside the data protection club, can provide a useful corrective here.

This point is well illustrated by the House of Lords’ decision in the case of R v Brown.[2] The case turned on the issue of whether or not a person who simply gains access to personal data by calling those data onto a computer screen and viewing them ‘uses’ the data within the meaning of s 5(2)(b) of the UK Data Protection Act 1984. Section 5(2)(b) prohibits the ‘use’ of personal data for certain purposes. The term ‘use’ is not defined in the Act. By a three to two majority, the House of Lords found that accessing data as described above does not involve ‘use’ of the data within the meaning of s 5(2)(b). The Brown decision took many in the data protection club by surprise. The view of the court majority in the case was looked upon by some with a mixture of exasperation and ridicule. The important aspect of the Brown decision was that it demonstrated the need for statutory definitions of terms that are apparently obvious in their meaning. In other words, we cannot take for granted that everyone outside the data protection club — most importantly, the vast mass of data controllers and data subjects — will understand commonly used terms in data protection legislation in the same way as the club members do. The Brown decision highlights, in turn, the need for more guidance from legislators on the ambit of data protection laws.

The extent to which we should be concerned about the lack of court involvement depends also on the extent to which data protection authorities and any administrative appeals bodies act in a manner upholding the ideals of the rule of law (that is, ideals to ensure legal certainty and foreseeability and to counter decisional arbitrariness). I do not have any large empirical base from which to draw firm conclusions about the complaints handling procedures of agencies in this respect. I can say, though, that when it comes to the practices of the data protection authority with which I am most familiar — those of the Norwegian Data Inspectorate — I have found very little evidence of inconsistency in the development and application of data protection policy. The most glaring instances of inconsistency I have found stem from the appeal decisions of the Ministry of Justice but, again, these instances are few and far between.[3]

Regarding the detail and clarity of reasoning in the agencies’ decisions, again I have found this to be usually satisfactory.

As for bias in the agencies’ decision- making, I have found very few cases where the Inspectorate’s interpretation of the law has been obviously biased towards furthering the cause of data protection at the expense of other factors that deserve equal or greater weight in law. We should keep in mind, though, that the risk of unlawful bias is considerable, as is the risk of the wider community believing that such bias exists.

The main sticking point concerns the ease of public access to the agencies’ decisions. The annual reports of the Data Inspectorate often fail to give a clear and full description of the reasoning adopted by the Inspectorate (or by the Ministry of Justice if the case has been appealed). It was not until the appearance of my book, Personvern i praksis,[4] in 1997 that the general public in Norway was able to gain relatively easy access to a complete, systematic and indexed collation of appeal cases that had gone from the Data Inspectorate to the Ministry of Justice. This was some 15 years after the Personal Data Registers Act entered into force!

The Data Inspectorate is not the only sinner in this context. Data protection authorities in many other jurisdictions are just as bad, and in some cases worse. Particularly problematic is public accessibility to the reasoning of the Australian federal Privacy Commissioner. Under the federal Privacy Act, the Privacy Commissioner is only required to give a written statement of reasons when making formal Determinations of complaints pursuant to s 52. To my knowledge, only two such Determinations have been made.[5] As for the other complaints, all we find are brief summaries of selected cases in the Commissioner’s annual reports. Usually these summaries contain little detail about the legal interpretations involved. Enactment of the Privacy Amendment (Private Sector) Bill 2000 is unlikely to remedy this situation. Indeed, the situation will probably be exacerbated by the fact that the Bill allows for the setting up of a collection of industry code bodies, each of which will be able to make binding decisions against which there will be very limited possibilities for appeal. The Bill fails to require that complaint bodies established under the various codes publish reasons for their formal decisions or publish details about matters that have been mediated more informally.

The problem of lack of public access to authoritative interpretations by data protection authorities is not directly a problem about the role of the courts. Rather, it is about the weakening of the ability of both data subjects and data controllers to predict what data processing behaviour is in compliance with the legislation. It is about diminishment of the guidance potential of data protection laws. Further, the problem means data protection authorities are operating, paradoxically, somewhat like the ‘black boxes’ they are meant to help unlock. It is a problem that is exacerbated when the data protection authority is given relatively broad discretionary powers, and further exacerbated when — as will likely be the case in, say, Australia — there is a profusion of bodies developing their own (and possibly inconsistent) versions of data protection law pursuant to sectoral codes of practice.

This problem could be resolved simply by data protection authorities (and sectoral code bodies) putting in place decision reporting systems that are more extensive and include more decisional detail. In the age of the internet, the problem should be able to be fixed quite easily. An exemplary model in this respect is the website of the Information and Privacy Commissioner of British Columbia.[6]

At the same time, this strategy does not fix all problems. For example, the Australian experience outlined above highlights the danger of conciliatory strategies of data protection authorities hampering development of data protection laws by heading off actions that could have ended up before an appeals tribunal or court and resulted in the clarification of points of ambiguous law.

EC Directive to the rescue?

The role of the judiciary in enforcing national data protection laws and otherwise handling complaints pursuant to such laws is touched upon at several points in the 1995 EC Directive on data protection. The relevant provisions are arts 22 and 28. Article 22 states:

Without prejudice to any administrative remedy for which provision may be made ... prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question [emphasis added].[7]

Article 28(3) states, inter alia, that ‘[d]ecisions by the supervisory authority [data protection authority] which give rise to complaints may be appealed against through the courts’.[8]

It is clear that art 22 does not require EU Member States to permit individuals to go directly to the courts for breach of data protection rights (effectively bypassing the national data protection authorities) but leaves it open for Member States to allow direct access to the courts.[9] Less clear is whether the reference to ‘rights’ also embraces those provisions in the Directive that are formulated as duties or obligations on data controllers. Given that breach of a duty or obligation is likely to result in infringement of a data subject’s general right to privacy (a right that is indirectly, if not directly, guaranteed by the Directive),[10] and given that the Directive aims at ensuring a ‘high’ level of data protection,[11] the question is probably to be answered in the affirmative.

Ambiguity also inheres in art 28(3): does the provision require Member States to permit court appeals on both questions of law and questions of fact, or are Member States able to restrict appeals to questions of law only? As the term ‘complaints’ is not qualified in any way, art 28(3) appears to encourage, if not require, a broad right of appeal, but EU/EC legislators would probably be exceeding their legal competence if the provision were to require changes to present domestic rules that limit judicial review of administrative decisions to questions of law.

As for the issue of public access to the reasoning of data protection authorities, this is broached in art 28(4)-(5). Article 28(4) requires a data protection authority to inform a claimant of the ‘outcome’ of the claim, though does not, on its face, require the authority to communicate to the claimant (or to anyone else) reasons for the outcome. The latter requirement, however, would most likely follow from general rules of administrative procedure in each jurisdiction (though only in relation to the claimant as party to case proceedings). Regarding information to the general public (and not simply a claimant), art 28(5) requires a data protection authority to publish ‘a report on its activities at regular intervals’. Unfortun-ately, however, there is no stipulation here or elsewhere in the Directive dealing specifically with access by the general public to legal interpretations held by an authority (or other administrative complaints resolution body).

In sum, it is commendable that the Directive encourages court involvement in applying data protection law. It is also commendable that the Directive broaches the issue of public access to the findings and activities of data protection authorities. Nevertheless, it would have been desirable that the Directive devoted more attention to both issues and in a manner that places greater pressure on data protection authorities to provide the public with detailed guidance on their reasoning. At the same time, it is understandable that the drafters of the Directive did not elaborate further on these points, given the principle of subsidiarity and the risk of overstepping their legal competence.

Conclusion

To conclude, I am not arguing that courts should relieve data protection authorities of their complaint handling tasks. There are good grounds for keeping data protection authorities as the primary mediators of disputes. The authorities are staffed by experts in the field. As experts, these people tend to be savvy not just with the relevant legal rules but also the broader technological and organisational developments that spark disputes in the field. Further, data protection authorities will normally be more accessible than courts. The pursuit of remedies through courts tends to be too expensive and drawn out for the majority of people. At the same time, data protection authorities will tend to be able to engineer compromises in a more conciliatory, less destructive manner than court litigation usually can.

Still, I firmly believe that we should care where the judges are. I believe equally firmly that if the judges are not around in the field of data protection law, or not around often enough, then this absence is problematic. It is problematic because it increases the risk of compromising basic rule of law ideals. And it is problematic because an absence or scarcity of judicial opinion inevitably impoverishes law and policy on data protection. If the judges are not around to a significant degree, we should either make sure that they can come around more easily in the future, or ensure that there are bodies to effectively emulate their role.

In the latter regard, the UK experience with its Data Protection Tribunal serves as a positive model. The Tribunal appears to have acted in a balanced, neutral manner with an attention to legal detail that should characterise the standards of decision-making by the ordinary courts.[12] The UK Data Protection Commissioner (formerly Registrar) has actively used the Tribunal to resolve problems of interpretation of the data protection legislation, particularly with regard to the rule that personal data shall be processed ‘fairly’.[13] In doing so, the Commissioner has acted on behalf of the interests of the wider community of citizens as data subjects and data controllers in knowing how to behave pursuant to the Act.

Lee A Bygrave, Research Fellow, Norwegian Research Centre for Computers and Law.


[1] [2000] 1 All ER 786; [2000] 2 WLR 940.

[2] [1996] 1 All ER 545.

[3] See further Bygrave L A, Personvern i praksis: Justisdepartementets behandling av klager på Datatilsynets enkeltvedtak 1980–1996 Oslo, 1997, especially pp 30-31.

[4] As above.

[5] I say this on the basis of a perusal of the Commissioner’s annual reports for the period up until June 1999. The two Determinations are described in the Commissioner’s Sixth Annual Report Canberra 1994, pp 58-59. See also (1994) 1 PLPR, 152 and 170.

[6] See <http://www.oipcbc.org/>.

[7] Compare art 14(8) of the 1990 Directive Proposal (COM(90) 314 final – 13 September 1990), which provided that a judicial remedy was to be granted only in relation to breach of a relatively limited set of data subject rights enumerated in art 14 of the Proposal. The European Parliament subsequently insisted on extending the right of court appeal to all the rights guaranteed by the Directive.

[8] This provision did not appear in any of the previous proposals for the Directive. Note too that art 28(3) also addresses the issue of standing with respect to data protection authorities: each such authority is to be given ‘the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities’.

[9] Compare art 22 of the 1992 Amended Proposal for the Directive ((COM(92) 422 final – SYN 287, 15 October 1992), which makes no mention of administrative remedies prior to court referral: ‘Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed by this Directive.’ Had this provision been adopted, data subjects would have found it easier to go straight to the courts with their complaints, bypassing national data protection authorities and any other administrative complaints resolution bodies.

[10] See especially art 1(1).

[11] See especially recital 10 in the Directive’s preamble.

[12] The Tribunal’s decisions are set out in Chalton, Gaskill and Sterling (eds), Encyclopedia of Data Protection London 1988-1997 n 5, Part 6.

[13] See Data Protection Principle 1 in Pt 1 of Sch 1 to the 1984 Act (now repealed) and to the Data Protection Act 1998.


[Global Search] [PLPR Search] [PLPR Homepage] [Contents] [Help]