Peter Blume. International Review of Law, Computers, and Technology. Volume 11, Issue 1. March 1997.
The consequences of the Data Protection Directive of the EU are different in the individual member states. They depend on existing national regulation and in particular the legal tradition and culture with respect to protection of personal data. Accordingly, it is necessary to begin this article with an outline of the current situation in Danish law. This outline will focus on the main features that are of common international interest and will not in any detail describe current law. As existing rules will be changed by the implementation of the directive, current law as a starting point has little interest for future developments. However, current law provides a well-known fundament and a basic question will often be whether the directive makes it necessary to amend a current rule. This rather conservative approach to the implementation task will probably be used in some member countries. The following remarks should not be seen as an endorsement of such an approach.
First, it is worthwhile to notice that rules concerning processing of personal data occur throughout Danish legislation. The current regulation can be characterized as diversified, and this is of course important with respect to the transposition of the directive. Complete implementation is a very difficult task. The basic rules are contained in the two data protection acts that cover the private sector and public administration. These acts, which first came into force in 1979, provide a natural starting point for a description of Danish law, but as mentioned they do not stand alone. It falls outside the scope of this article to list all Danish rules, but some additional acts should be mentioned. In the credit card act, use of personal data derived from use of credit cards is regulated. In the act on public archives the question of maintaining personal data and access to old data is regulated. It should also be mentioned that use of personal data by the mass media is regulated by a special act. These rules are not described in the following where emphasis is on the two data protection acts.
In the two data protection acts it is registration and dissemination of registered data that are regulated. The main target is computerized processing, but the private act also covers manual files. An important distinction is made between ordinary and sensitive data. In the public act the category ‘confidential data’ is also used in some respects. The data that are considered sensitive are listed in the acts but it is an important point that the list is not exhaustive. It is possible for the supervisory authority to add other kinds of data. As will be discussed at a later stage, this mode of regulation makes the regulation flexible and easy to adjust to new situations. It is also necessary, as it makes it possible to place protection of personal data on a level which is also reasonable from the perspective of data users. It is not practical to have the same rules applying to all data, and it must be recognized that not all personal data are private in the strict sense of this concept. Not least in the private sector, this assumption is in reality quite essential. I return to this point below, where the concept of personal data is discussed.
Registration of ordinary data can take place when it is in accordance with the normal tasks of the controller. The wording is different but the meaning the same in both sectors. This rule probably states what would in any case be the legal position, at least in the public sector. With respect to sensitive data the rules are somewhat different. In the private sector such data can only be registered if this is necessary and the data subject is informed. This means that only few private controllers can process such data. In the public sector it is also prescribed that registration is necessary, but owing to the tasks statutory law places on administrative authorities, this condition will frequently be met. The requirement of necessity is probably most important in connection with the possibilities of communicating data to third parties. This is best illustrated by the rules governing the public sector, where a distinction is drawn between third parties in the private sector and in the public sector. The conditions of dissemination are most strict with respect to sensitive data and, without going into detail, it must be highlighted that this is also the case with respect to other public authorities. Data cannot travel freely within the public sector. This is often criticized and is a major legal policy issue to which I will return later. In the private sector the rules on communication also make a distinction between the two kinds of data, and in particular it is only rarely that sensitive data can be communicated without the consent of the data subject. These basic rules illustrate that current Danish law is based on a clear understanding of the concept of personal data.
In the following it will be briefly listed which other issues the two data protection acts deal with. The private act is in this respect the most interesting. In this act there are special rules concerning matching, third-party use of data with respect to marketing and automated registration of dialled telephone numbers. Well-known issues such as data quality, data security, access and transborder data flow are also dealt with. Furthermore, there are special rules concerning credit reference bureaus, data-processing agencies and mailing firms. All in all this act covers the whole private sector. The public act is not quite as sophisticated but it can be mentioned that there are elaborate rules concerning instigation of files where a special decree is necessary if the file contains confidential or sensitive data. Other files have to be reported to the supervisory authority. There are also rules on matching and special rules on communication of health data, which are more lenient than the ordinary rules.
Data protection regulation has been in force since 1 January 1979, and accordingly a long and fairly consistent practice has been developed. Both public authorities and private controllers are used to rules of this kind, and in most cases they function quite smoothly. However, in accordance with the development of information technology and not least the fact that this technology is so widespread, there is fierce opposition to the current regulation. It is likely that this would have been changed before if it had not been expedient to await the Directive. It seems appropriate to outline the basic points in the criticism of the acts, as this provides a good background for the discussion of the Directive in the following sections.
Opponents of the current regulation emphasize the fact that legislation restricts use of modern technology and thereby limits the societal benefits that can emerge from this technology. There are few who openly argue for abolishing all rules, but at least the following should be changed. First, emphasis should be placed solely on sensitive data. It is only with respect to processing of such data that an infringement of privacy can occur. It is clear that this argument leads to a substantial decrease in the scope of the legislation. Second, the ability to communicate data, in particular by public sector controllers, should be much improved. In this sector vast amounts of data are registered and these data can be useful in the private sector. Within the public sector data should flow freely, enabling a much more efficient public administration to develop. In this connection it is also maintained that matching should take place freely. Third, the bureaucratic aspects of current regulation are under heavy attack. Obligations to notify the supervisory authority and similar rules should be removed, as they place unwanted burdens on controllers. It is interesting to note that it is probably this question that attracts most attention. The role and position of the supervisory authority must be given high priority on the legal policy agenda.
Closing this section, it should be emphasized that, although many criticize the current rules, they also have supporters. It is obvious that laws enacted in 1978 should be considered very carefully in 1996 with the development of the information society and cyberspace. A change of law is needed; the question is ‘just’ how radical a change and how new rules should be drafted.
The Mode or Structure of Regulation
Directive 95/46 does not prescribe the method of transposition, which is left to the discretion of the member states. An important general question is how data protection is best achieved. In the legislative process in connection with the implementation this should be carefully considered with an open mind to all possible solutions. The goal is to have a mode of regulation which is likely to be adhered to in practice. It is likely that a combination of different forms of regulation will be most successful. In order to reach conclusions it is necessary to analyse the different societal environments within which the rules are to function.
First, I look at the private sector. This is characterized by being very divergent and not bound together by common goals or by common rules. Competition and the market are important factors, and this means that all players are aware of the importance of costs. Modern technology is used mainly because it is efficient, and personal data are gathered because they have a value that can be exploited. From these starting points the private sector can be evaluated. It would seem likely that restrictions on the possibility of using personal data will be looked upon as an unwanted development. With this background, it is essential that the mode of regulation has the potential to convince or persuade controllers that it is reasonable to protect personal data. Even when it is taken into account that respect for privacy can be used by private enterprise as a competitive factor today, this in itself is not sufficient. Merely to regulate via statutory rules and administrative (judicial) decisions is probably not enough and will not produce the desired results.
Dialogue and forms of self-regulation are important regulative means in the private sector. Accordingly, article 27 of the Directive is in practice very important. This rule encourages member states to promote the development of codes of conduct within special branches both on a national and an EU level. These codes of conduct must of course be coherent with the statutory rules, but as many of these rules are legal standards this leaves plenty of space for drafters of codes. In order to make data protection function, it is expedient that the general principles are applied with an understanding of the nature of the different branches within the private sector. It is presupposed that the controllers are active in the process leading up to the final code. When this is the case it becomes likely that the rules will be respected in practice.
In many EU countries use of codes of conduct with respect to data protection is a novelty and is viewed with caution. Even though this is understandable, codes should be welcomed as an addition to more formal modes of regulation. The national supervisory authority should be given sufficient resources to enable it to participate in the code-making process.
As a further step it can be considered whether standards can be used. This approach is being tried in Canada. The important feature is that a controller can be certified as conducting his/her business in accordance with the standard. Data protection becomes a competitive asset. It is interesting that standards are used in soft areas. They can provide increased possibilities of ensuring compliance with the rules. This approach is not currently being used in Europe and is not mentioned in the EU Directive, but nevertheless it should be studied carefully, as it could be a useful mode of regulation in the private sector.
The decentralized supervision of data protection rules as applied in German law (Bundesdatenschutzgesetz, 20 December 1990, sections 36 and 37) is also interesting. All businesses with more than five employees must have an employee with responsibility for data protection. The inclination to respect the different rules and principles is thus strengthened. All in all it can be concluded that it seems possible to utilize varying modes of regulation in order to get data protection accepted by controllers.
With respect to central and local government, it is, at least as a starting point, easier to regulate use of personal data. This regulation can be viewed as a natural part of legislation concerning administrative procedure. It can also be presumed that public authorities will comply with the law. This does not mean that supervision and control are not necessary but ‘only’ that the legal environment is more inclined towards data protection. From this observation it follows that there probably is no need for very varied regulation. Statutory rules combined with decisions from the supervisory body and the courts are sufficient. This is furthermore indicated by the observation that data protection is a part of public law and thereby fits better to the public than the private sector. This is the case regardless of the fact that these rules can lead to a restriction on administrative efficiency.
The Directive prescribes that the same rules must apply in both sectors. This can be a useful starting point. Here it is important to note that the fact that the same substantial rules apply does not mean that the mode of regulation has to be the same. The same level of protection can be reached taking into account the special features of the two sectors. To ensure that data protection works in practice this approach is essential. There is nothing in the Directive that prohibits a varied use of modes of regulation. It is also possible to maintain the current Danish system of two data protection acts. However, this is probably not practical and it is likely that in Danish law there will be one single data protection act.
The Concept of Personal Data
A fundamental question is which data must be deemed as personal and accordingly be covered by data protection law (Directive article 2a). This would seem to be an easy question, and there are of course vast amounts of data that form the undisputed core of personal data. It is the fringes that can lead to difficulties. It should be recognized that the development of advanced and sophisticated information technology has led to the problems discussed below. It is the diverging ways of processing data that create what can be labelled as a legal mess. Furthermore, it should be noticed that the problems cannot be solved by legal rules but must be answered by decisions based on the legal principles found in statutory law. Statutory language is not sufficiently sophisticated to determine the borderlines of data protection. It is necessary to use legal standards, and thereby practice becomes decisive. In the following I will first look at statistical data and then face the problem of how many links there can be between the identifier and the person-oriented data. It should be emphasized that there is no correct legal answer and the following are accordingly legal policy considerations. Distinctions within personal data will be discussed at the end of this section.
As a starting point, statistical data fall outside data protection law. This well-known fact is based on the assumption that the data cannot be related to individual data subjects. Today statistical methods have been immensely improved, making it possible to analyse populations in such detail that the border between personal and statistical data seems to have become blurred. When this is taken into account, rules that make exemptions for statistical data should be viewed with some caution. Within data protection tradition, such rules are common and the question is whether they are sufficiently sustained today. It might be a good idea to have a precise legal definition of what statistical processing is. The basic notion is of course that data related to a specific person must not be revealed. This must be the case with respect to both the material as such and its elements when processed with advanced statistical instruments. The material must not be split in such a way that it becomes personal data. The increased risks imply that the supervisory authority should be given stronger powers with respect to control of such forms of processing. This means that even though statistical processing in the future is also exempted from the data protection rules, it should be supervised from time to time. This will ensure that the borderlines are maintained in practice.
Another difficult question concerns how many links there should be between a piece of information and the data that clearly identify an individual. Use of coding, encryption, etc. means that neutral information occurs even when it is possible with some effort to make an identification. As another example, geographical maps etc. should be mentioned, as they in principle are neutral, but if they are linked with other data it is possible to identify the individuals who inhabit the different places shown on the map. These examples focus on the problem of how far-reaching data protection law should be. There seems to be a risk that the scope will become too broad and thereby create a situation where the rules are deemed unrealistic. The question is how the scope can be described to avoid these consequences. It seems most likely that this goal cannot fully be achieved through the drafting of legal rules, but must be accomplished by decisions and guidance from the supervisory authority.
It should be made clear that it is important not to stretch the statutory rules too far, and that the supervisory authority must have this in mind when it makes its decisions etc. If it is only remotely possible to link data to a certain person, such data should normally fall outside the data protection legislation.
The Directive, articles 7 and 8, makes a distinction between sensitive and non-sensitive personal data, indicating that in particular misuse of sensitive data can infringe privacy. Although it can be discussed which data should be viewed as sensitive, the idea of making a distinction is old and well known. However, it is not uncommon for this mode of regulation to be criticized, and it is argued that all data can be sensitive and that a contextual approach should therefore be applied. Although it is correct that context is important, it would be disastrous not to make the distinction. This would mean that trivial data are regulated much too strictly or sensitive data too leniently. It is problematic that article 8(1) is exhaustive, as it should be possible for the supervisory authority to include other types of data in concrete cases. With this one modification the Directive is drafted in an expedient and practical way.
A major controversy with respect to the EU Directive was whether it should cover manually processed data or be restricted to computerized data. The debate has not been finalized, although it is clear that certain forms of manual data are covered by the Directive (article 3(1)). It is very difficult to determine exactly where the line will be drawn between those manual data that should be covered by data protection and those data that should be kept outside. As will be outlined in the following, this problem area must be viewed somewhat differently in the private and the public sectors. It is doubtful whether it is prudent to have the same rules for both sectors. It should accordingly be considered whether it is possible to have diverging rules and still conform with the Directive. As the following remarks will illustrate, the legal questions that have to be considered are quite complex.
In the private sector there are normally no other general rules on processing of data besides the data protection act. This means that outside this act corporations and so on are free to process data as they wish. This legal environment must be taken into account when the scope of data protection is determined. It favours a policy where manual files are to a large extent included. The risks to privacy will be too high if another approach is followed. Furthermore, it must be taken into account that possibilities of circumvention should be reduced and that this is best done by including manual data. It would be unfortunate if data protection rules became an incentive against the use of modern information technology. These reasons outweigh the consideration of costs to private enterprise. It has many times been argued that rules of this kind will be very expensive for corporations, but this argument is often quite unclear and it should be taken into consideration that a protective data policy helps to create a good image for private enterprise.
However, it is also clear that not all manual data can be included, as this will make the rules too impractical. The data must be in some sort of a file, i.e. systematized in such a way that it is possible to retrieve personal data efficiently. Criteria must be applied that point towards personal data and there must also be a compilation of data. The last point is important, as a single piece of paper containing personal data should not in itself constitute a ‘file’ covered by the data protection act.
It should be considered in practice whether the basic values of data protection make it expedient to include a certain set of manual data. Pragmatic reasons should accordingly play a role. This does not mean that the statutory rule should purposely be unclear, but that its interpretation should be guided by the aforementioned considerations.
The starting point is different in the public sector. Here, the ordinary statutes of administrative procedure cover manual data and the legislative question is ‘only’ which set of rules should apply, and is accordingly not a choice between regulation and freedom. To begin with, this seems to make the problem easy but in reality this is not the case, at any rate not in Danish law. Today it is important to have a clear borderline between administrative and data protection law. For both citizens and civil servants it must be clear which rules apply. As a starting point those manual files that have a primary privacy dimension must be included in the data protection act. It is in general not difficult to determine which files these are. However, there can be data which should be protected but which are not in a file. Even though there is a broad regulation, the concept of a file still constitutes a problem. This cannot be solved by the wording of statutory rules but only in practice. Recitals 15 and 27 illustrate this observation. In the public sector practice should aim at including all data filed with the purpose of being identifiable. There must not be data related to the privacy of citizens that are not covered by data protection law. However, it is reasonable that singular or unstructured data are kept outside this legal domain. There will in practice be a difference between the two sectors and a somewhat stricter privacy regime will apply to the public sector.
A basic feature of the regulation in the EU Directive is transparency. Citizens must have a fair possibility of knowing how and to which ends their data are used. In a more and more complex society it is likely that procedural rights of this nature will form the core of data protection. The right to know and the right to object are fundamental rights in the information society. Such rights are often opposed on the grounds that they impose too heavy burdens on controllers and lead to expenses which are not reasonable. This controversy is well known and will not be discussed here. Focus will instead be placed on the basic obstacle to transparency. There is the interest in processing data to conform with a wide and changing range of purposes: the impetus to make secondary use of data.
In article 6(1b) it is stated that data must only be collected for defined purposes and must not be processed to other ends at some later stage. In the preparatory material it is emphasized that the purpose must be fairly precise and, for example, cannot just be described as a commercial purpose. This rule is a classic data protection principle which is also found in the Council of Europe Convention 108/81 (article 5). However, with the increasing importance of personal data this principle becomes a major obstacle at the same time that it becomes difficult to control whether it is respected in practice.
To illustrate this point, current ideas with respect to adjusting the public administration to the information society are useful. In Denmark, the Ministry of Research is responsible for information technology and the ministry is in practice a driving force behind many of the developments in this field. In 1995 the government published its first action plan, Info-Society 2000, and in 1996 the next plan appeared. During the coming years a new plan will be issued yearly. An important point in the action plans is that data protection regulation should restrict information technology as little as possible. This is because of the following ideas. First and foremost, the public sector, i.e. both central and local government, should be seen as one entity with respect to information. Modern information technology makes it very easy to distribute data, and this capacity must be utilized in a public sector like the Danish, where a very large number of computerized files exist and many parts of the administration will within a few years be fully computerized. In such an environment it is clear that the huge investments made in the procurement of this technology create pressure on the legislator to make full use of the new possibilities.
Free flow of personal data within the public sector is substantiated in different ways. It is claimed that a basic principle should be that information given to a public authority by a citizen or a firm should not be required by another authority if the data can be communicated electronically. This, it is argued, will be a major improvement of the service provided to citizens and corporations. Furthermore, efficient distribution of data between authorities will improve the quality of administrative decisions and will also lead to quicker decisions. Finally, public administration will become less costly and this is of course in the interest of the taxpayers. All in all there seem to be strong arguments for free distribution of data.
However, it is clear that such a policy is in contradiction with the prohibition against secondary use and actually paints a picture which many will see as a nightmare. It is the picture of the state as one huge entity looming over citizens. It is this scenario that data protection has always aimed at preventing. Even though the Directive provides some protection, it is now the time to stand firm but also to consider whether the classic data protection principles are still valid. Basically, public administration should be open and transparent for citizens. It ought to be clear to which ends personal data are used. These goals are necessary not only to ensure the legal protection of citizens but also to ensure confidence and trust between citizens and administration. Modern information technology can and should be used to strengthen these aspirations instead of weakening them.
There are several risks connected to the free flow of personal data within the public sector, the same risks that apply to matching. When data collected for another purpose and at an earlier time form the basis of an administrative decision, data quality will often be unsatisfactory and the decision accordingly not correct. Against this argument it is maintained that in accordance with administrative procedure a citizen is given a possibility of contradiction and through this the citizen can correct wrong or misleading data. This argument is interesting in many ways, as it can be used to demonstrate some of the general features of data protection law. Public administration makes a huge number of decisions each year, but these are not spread equally over the population. Typically it is citizens with social or economic problems towards whom most decisions are directed. This means that data protection rules mainly protect this section of the population, and accordingly it is also these citizens that will be affected by more liberal rules. There is an important social dimension in data protection law. This also indicates that the right of contradiction does not provide sufficient protection, as these citizens will often not be able to use this right in practice. They have difficulties in reading the administrative language and they are afraid of the authority whose goodwill they depend upon. They are in a weak position. A broad right to secondary use cannot be legitimized by the possibility of contradiction.
It must also be recognized that data protection rules must to some extent restrict use of the technology, and it seems clear that a networking public sector without restrictions will have undesired consequences for the legal protection of citizens. Restrictions will in some situations mean that the administration is not as efficient as it could be, but this consequence is well known from ordinary administrative law. It is not something unique and data protection law should not be deterred.
While it is fairly easy to argue against absolutely free secondary use, the position becomes more vulnerable when data flow within specific authorities or areas of regulation is considered. Here the increased possibilities of matching and secondary use will often be seen as so evident and natural that data protection principles appear to be rather ridiculous. It seems likely that in practice forms of secondary use will occur that are so obvious that it will be difficult to uphold the ‘high’ principles. As long as it is clear that such cases are exceptions, they should be accepted, since rules that are clearly impractical are not wanted. A new point of balance must be found.
A good example of this new situation is the service kiosks that have been instituted in many municipalities. Here citizens can have their cases dealt with on the spot and get a decision. Cases can, for example, be within social, tax and environmental law. This procedure presupposes that the civil servant has access to a wide range of data covering different fields of the administration. In particular, there is a close connection between tax and social law. The question is now whether this kind of secondary use can be accepted from a data protection perspective. First, it must be noticed that the citizen is present and gives his/her consent. It must accordingly be considered whether consent can authorize secondary use. This is not an easy question, as it is often assumed that such a legal regulation in favour of citizens can be waived by the individual citizen. In my opinion some caution must be shown in this case. There are several situations where it is difficult for many citizens to understand the implications of consent. Furthermore, there are also situations where a citizen will feel obliged to give his/her consent either because he/she feels pressure from the authority or because not giving consent can be viewed as suspicious (perhaps social fraud is attempted). This can in particular be the case where data are matched for control purposes, but also in other situations. With this background it should be assumed that secondary use cannot entirely be made legitimate by consent, but that more objective criteria must also be met. This should as a starting point be the case, regardless of the purpose sustaining secondary use.
In this connection it must be considered whether it would be acceptable to have a system where secondary use can take place if it has authority in a statutory rule. Here there would be political control and the rules would be made openly. As a starting point, this would seem ideal, as the requirements of democratic law-making are fulfilled. The question is accordingly whether the principle restricting secondary use should also be binding on the national legislator. This must clearly be the case. As secondary use increases the efficiency of public administration, it is very likely that parliament will accept proposals that authorize such data processing and will often not be sufficiently aware of the data protection implications. This legislative situation is well known in Denmark, in particular with respect to statutes deriving from political agreements relating to the Budget. In practice, this approach will often mean that the use of matching is restricted. This seems necessary to uphold a basic and fundamental data protection regulation. It is interesting to note that a Danish survey concerning attitudes towards modern information technology, carried out in 1995, showed a clear majority in favour of matching for control purposes as a weapon against tax or social fraud. The general opinion appeared to be that it would be a waste of invested resources not to use the technology in this way. As is well known, it is difficult to determine to what extent such surveys should be used when drafting legislation. The answers depend on the questions, and it is uncertain whether all consequences have been considered.
With this background, it is concluded that the principle that secondary use should not take place should be maintained, but that it should not be completely without exceptions. It is not the purpose of data protection to support persons who commit fraud, but on the other hand administrative control must not be so extensive that fundamental values such as privacy are undermined. A delicate balance must be found, and there is little doubt that this problem area will be in focus in the legal policy debates in the years to come.
One of the commercial areas that has been most debated in respect of data protection is direct marketing. How should use of personal data for marketing purposes be regulated? To what extent can such marketing constitute an infringement of privacy? These are difficult questions, as they make it necessary once again to determine partly what privacy is and partly what the scope of data protection law should be. Basically, it must be considered whether the fact that a person receives advertisements addressed to him/her infringes his/her privacy.
When one is deliberating this problem it should be made clear how the division between consumer law and data protection law should be drawn. It is easier to consider the use of personal data when it is recognized that the methods used in marketing must be dealt with in consumer law. In practice, this means that questions such as whether there can be direct contact between marketer and customer, whether such contacts can only take place within certain hours and whether there are types of goods/services that cannot be marketed directly have to be dealt with in consumer law. Here it can be assumed that there should be restrictions on direct contact (i.e. both face-to-face and phone/digital) and likewise on times of contact and types of products. It is, for example, taken for granted that products which in themselves can disclose sensitive data, e.g. pornography, should not be marketed in this way without the express consent of the consumer.
Such a clear distinction between consumer law and data protection provides a good basis for considering the privacy dimensions. It is very difficult to see that direct marketing as such infringes privacy. The starting point should be that use of data for this purpose is acceptable. However, as indicated above, this assumption does not cover all types of personal data, as sensitive data should not be used. Acceptable data are data on identification (name, address) and on interests/patterns of behaviour that can determine which products might be marketed with success. Use of data should take place openly and with an opt-out possibility for the data subject. The Directive’s article 14(b) seems to be in accordance with such a regulation.
However, it must be considered whether the prohibition on secondary use is violated. As a starting point, this seems to be the case in all situations where data are collected for purposes other than marketing. The problem disappears if marketing is clearly mentioned in connection with the collection and data subjects are provided with an easy way of opting out. The ability to opt out is essential, as the ideal is that the data subject voluntarily lets his/her data be used, although this does not make an opt-in solution necessary.
The sketched solution is in general acceptable both for data subjects and for business. It is a balanced solution based on a clear idea of the themes of data protection. In this way it ensures that citizens have legal protection without restricting normal forms of business. This should also ensure that the rules are adhered to in practice.
Transborder Data Flow
The impetus for international regulation is to establish a legal situation that makes it possible for personal data to flow freely over national borders. Although it can also be a goal to prevent data protection from being an instrument of competition, it is transborder flows of data that are essential for the international information society. It is a classic observation that such data flows are only ensured when national legislation provides similar levels of protection.
The Council of Europe Convention 108/81 has this goal, but in practice it has not been achieved, as the convention allows too many possibilities of deviation and there is no international sanctioning authority. In this respect it is important to note that data protection is closely linked to national legal culture, and that this makes it necessary to use a legally strong international instrument favouring data flow. Taking this into account, it would seem likely that an EU Directive will be able to achieve this fundamental goal.
In article 1(2) of the Directive, the necessity of the free flow of data is highlighted. This is without doubt a major goal of the Directive. It is much too early to know whether the goal will be fulfilled, but there are some indications that this will not be the case. The history of the Directive is in itself illuminating, as the strongly harmonizing first draft (1990) changed into a quite openly drafted Directive which provides considerable freedom for the member countries. It is in particular interesting that it is recognized in the recitals that this freedom can lead to restrictions of the free flow of data. This is underlined in recital 9. To some extent the efforts to achieve a precise Directive have been a failure, as the national differences have proved too strong. With this background it must be considered to what extent data flow will actually be restricted. The strong need for transborder data flow will sustain the basic idea of the Directive, and it is therefore most likely that data will, as the main rule, flow freely.
It must furthermore be considered whether this is a desirable situation seen from the perspective of the data subjects. In this respect the main problem is that the Directive makes it possible for the member states to enact different rules with regard to many of the basic principles (article 5). This does not necessarily mean that the levels of protection will become uneven in substance, but it does in any case make it difficult to compare the national rules. Citizens cannot in all cases be certain that their personal data are treated in the same way in all member states. This is a disturbing fact, as confidence in the information society can be weakened, which in the long run can create an uneasy situation.
In the first years after 1998, when the Directive will have been transposed in all countries, the regulation must be watched very carefully, as the Directive must be adjusted if there are real differences between member states. In the first instance, the Commission together with the article 29 working party will be responsible for this supervision, which will become even more difficult if the number of member states increases.
Another question concerns the export of data to third countries (articles 25 and 26). Although it is stated as the main rule that there must be an adequate level of protection before the export of personal data can be accepted, there are so many exceptions to this rule that it might be the main rule only in theory. The drafting of these two articles demonstrates the power behind the need for transborder data flows and, seen from the perspective of data subjects, they are quite problematic. There seems to be a real risk that personal data can end up in countries without sufficient legal protection. When this is taken into account it becomes clear that the national supervisory authority has a very important role to play. It must try by all means to prevent data from being transferred to countries that do not have an acceptable level of protection. As far as this is possible within the Directive, the supervisory authority should be granted powers to advise upon and control data export.
Supervision and Control
It is possible to draft data protection laws in such a way that they impress readers because of the extensive rights provided for citizens. Such laws often have little value, as they are not adhered to in practice. Even when a more realistic attitude is taken there are still many difficulties with respect to ensuring compliance with the rules. To some extent this is owing to the fact that legal standards are used, as it is not possible to describe the level of protection exactly in all respects. A large space for interpretation is provided, and it is practice that decides the extent and depth of data protection.
The status, composition and powers of the supervisory authority are accordingly essential for data protection. The Directive (article 28) is clear in this respect and gives quite strong powers to the authority. Even so, much depends on how the Directive is understood in the member states and, of course, in the long run on how the authority is treated by controllers.
In many ways this depends on how the authority conducts its tasks. This should be done firmly, but also with the recognition that it is important that controllers understand the reasons behind the different rules and why they should be respected. With this background, the authority must be able to enter into a dialogue with controllers within different lines of business and in both the private and public sectors. Such a dialogue is not always easy to accomplish, as it depends on trust between the parties involved. It is necessary that the authority has sufficient knowledge of computer technology to understand ideas and suggestions from controllers, and it must also be able to inspect the computer systems in use. It is furthermore necessary that the personnel employed cover as many sectors as possible and strive to learn the methods of thinking in the different branches.
The main communicative problems exist with respect to the private sector and it is in particular here that the authority should act with caution in order to have the legal standards implemented in a satisfactory way. All in all, a spirit of cooperation should be promoted. Although this could seem obvious, it is not at all easy. To a certain extent this goal is linked to the status of the authority.
In Denmark, the Data Protection Agency (DPA) is an authority within the Ministry of Justice. Its personnel come from the ministry and its budget is a part of the budget of the ministry. Its decisions are final and cannot be reviewed by the ministry. In practice there have not been cases where the ministry has been given more lenient treatment than other controllers. Even so, the situation is not ideal, and in theory it can be questioned whether the agency is fully independent. The Directive does not make it necessary to change the current situation. However, it is not expedient that personnel are shared with the Ministry of Justice, and in particular it can be dangerous that the career of the individual employee depends on the ministry. Furthermore, this structure in practice means that staff, including the director, only work in the DPA for a limited number of years, which makes it difficult to develop and, in particular, maintain deep knowledge and understanding of data protection.
With this background, it would be better to place the DPA directly under parliament and thus provide the most independent status and at the same time improve the importance attached to decisions made by the DPA. There do not seem to be any constitutional problems in this respect but just now (October 1996) it is uncertain what will become the result of the transposition process.
When one is discussing the importance of the Directive and how it should be transposed, it is expedient to recognize that this is not the final stage in data protection. It is evident that the evolving information society and the expansion of cyberspace will create new forms of processing personal data and make it expedient to adjust (expand) the legal rules. At the same time, internationalization will increase and deepen, with the result that a truly international regulation is needed. There are many challenges in the not so distant future. This ought to be taken into account, as the basic rules should be phrased so broadly that they can cope with new developments from the outset. Such an approach only solves such problems for a short time, but the important thing is to ensure that at no time does a situation emerge where data processing is not covered by existing legal rules.
It is easy to conclude that data protection will be in the focus of legal policy not just in the next two years, but will for a long time maintain a leading position within cyberlaw. For jurists it is essential that the chosen regulation demonstrates respect for the present, the future and the past: a regulation that sustains the information society and provides citizens with a strong and expedient protection of their privacy.