From the late 1960s onwards, the idea of data protection (DP) developed as a reaction to fears, particularly prominent in Europe, that the unregulated use of computers would pose an unacceptable threat to individuals in terms of their autonomy, dignity and privacy. It is now over thirty years since the first legally binding transnational DP instrument, the Council of Europe Convention, was finalised. Back then the risks posed by computers was justifiably seen by many, especially in the UK and US, as largely hypothetical. And DP was often conceived as a technical subject best confined to experts managing specialist systems in large-scale public and private organisations.
Since this time, the situation has dramatically changed. Today the power of computers, both for good and for ill, has become not only immense but also diffuse. An individual today with access to an ordinary laptop has vastly more processing power than those who owned the most advanced industrial machines thirty years ago. Moreover, through the internet, he or she can spread information on others instantly and irrevocably, sometimes with devastating consequences. Meanwhile, web giants such as Google are developing ever more sophisticated products which can leave individuals with a past or who are simply seeking solitude feeling that they have nowhere left to hide. The case for some real and effective protections for individual data subjects has never been stronger. And it will grow.
It is in this context that the European Commission recently proposed a Data Protection Regulation to govern this area on a pan-EU basis. The regulation builds on the current framework encapsulated in the Data Protection Directive of 1995 (and the convention noted above) but with a generally higher level of common protection, much less scope for divergent national approaches and considerably greater emphasis on trying to ensure effective enforcement of the rules.
A key problem with the proposed package, however, is that it fails to address the twin structural problems in the current regime, namely, its unfathomable scope and often overly onerous general restrictions on the right to “receive and impart information and ideas without interference by public authority and regardless of frontiers” (Article 10, European Convention). Thus, both the current and proposed future EU scheme will apply to all information “concerning” or “relating” to an identified or identifiable individual.
It has been suggested that may even cover innocuous public domain information such as author and book title details held on a library catalogue (Ticker, 2001, p. 7), information about the deceased and images of inanimate objects such as apartments which can be linked by others to identifiable individuals. (A combination of deft legislative drafting and robust judicial interpretation has spared the UK much of this expansive approach to date – but such an ad hoc solution would almost certainly not be possible under a harmonised regulation.)
The general rules governing the processing of information are not only equally breathtaking but would be further strengthened by the regulation. Thus, Article 14 mandates that no fewer than nine different pieces of information must be provided when information is collected directly from data subjects. It should be pointed out at this juncture that it has been stated that even taking a picture of someone constitutes direct collection for these purposes (p. 21). Moreover, absent the express and rescindable consent of the data subject, the transfer of information to a country which has not been expressly deemed by the commission to have an “adequate level of [data] protection” will, according to Chapter V, generally require at least notification to, and often the authorisation of, a national data protection authority.
Meanwhile, the processing of whole categories of personal data revealing, for example, political opinions, religion or beliefs or race/ethnic origin (which several European courts have suggested includes colour photography) will generally be banned unless the data subject gives express and rescindable consent or where the data “are manifestly made public” by them (the continuing tense of the latter potentially opening the way for individuals to later seek to withdraw such information from the public domain). Of course, many of these provisions already find a place within the current framework. It may therefore be legitimately asked how so many private sector processing activities have been able not only to continue but to significantly expand.
The basic, albeit unpalatable, truth is that from the beginning this body of law has been routinely and often necessarily ignored, misapplied and/or evaded. As Professor Lucas Bergkamp has rather more pithily argued, “European industry can survive under this regime only because enforcement is extremely lax. Data protection as currently conceived by the EU is a fallacy” (2001, p. 31). But this in any case unsatisfactory and unstable modus vivendi would come under significant pressure as a result of regulation’s proposed sanctioning of violations of numerous elements of the framework by mandatory fines of either up to 1 million euros or up to 2% of a company’s worldwide turnover (which in the case of a conglomerate such as Google or Facebook would clearly be considerably greater than the 1-million-euro sum).
It important to note at this juncture that, balancing this severity, Article 83 of the regulation does state that EU member states shall provide derogations for processing “solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression”. (Considerably more limited exemptions are made mandatory for “research” in Article 82 and optional for “the rights and freedoms of others” in Article 21.1.) Recital 121 informs us that the derogations under Article 83 should be those “necessary for the purpose of balancing these fundamental rights”. But two key problems remain. Firstly, it is very unclear which activities can claim to be “solely” journalistic, artistic and/or literary. Following the logic developed in a European Court of Justice (ECJ) decision of late 2008, Recital 121 states that these terms should be interpreted “broadly”.
But even after the ECJ’s intervention there has been a notable lack of consensus across Europe as to whether activities as varied as academic investigation, speech by politicians, rating websites, mapping services and search engines can or cannot claim these protections. Even more problematically, the derogations from DP currently provided for within EU states are wildly divergent. Approximately 20% of EU states provide no or almost no derogation in this area – freedom of expression therefore only continuing through the widespread non-application of these laws. In around another 20% of countries, the laws provide a near complete exemption from DP here – a liberality which is unwarranted given the massive harm which the inappropriate dissemination of information can have on data subjects.
Meanwhile, the difficulties of determining which national law is applicable to concrete expressive activities online is becoming ever more acute. Neither of these two extreme approaches was likely intended by the architects of the 1995 directive. But despite this they have been allowed to continue. And, at least as currently drafted, the law in this area will not become any clearer after the new regulation. In fact, as a result of the growing challenges posed by socio-technological change, the confusing interface between DP and freedom of expression may well worsen.
None of this should suggest that the task of ensuring appropriate informational protection for individuals in this age of mass expression is unimportant. To the contrary, it is precisely because it is so important that in their current negotiations over the proposed regulation, EU member states should decide to fundamentally reform the DP framework to make it truly fit for modern conditions and thereby capable of robust and effective enforcement. This would involve narrowing the scope of the law, eliminating many of its particularly onerous general provisions and ensuring that derogations granted for particular activities (even those involving public expression) are genuinely proportionate. Such a task will be as Herculean as the very concept of data protection always has been. However, the complex realities of life in the Web 2.0 age demand nothing less.