I. Introduction
For years, data protection was seen more or less as a niche area of law, of interest solely to specialists. However, since the development and universal adoption of the Internet, the processing and transfer of personal data have become ubiquitous, and are of central importance to the functioning of the global economy. Data protection law has also become a global phenomenon since the EU Data Protection Directive 95/46/EC was first enacted in 1995. These developments have all increased the importance of legal rules that grant rights to citizens in how their personal data are processed, which is the central function of data protection law.
The UK has had data protection legislation in place since 1984, predating adoption of the Directive, and the update of the Data Protection Act in 1998 gave the UK a comprehensive legal framework for data protection. Nevertheless, in the UK it is often not realized to what extent the roots of European data protection law are deeply entwined with European culture and history. Moreover, continental approaches can provide a valuable source of inspiration to strengthen data protection in the UK.
II. The Historical Background of Data Protection Law
The roots of data protection law reach back into the 20th century history of Europe. During World War II, atrocities and violations of human rights were often facilitated by the data collection practices that various governments had been engaging in. For example, in the 1930s the Netherlands instituted a ‘cradle to grave’ population registration system that included the collection of comprehensive data on residents. By consulting these registers, the Nazis were easily able to identify members of particular religious and ethnic groups, with the result that, for example, Dutch Jews had the highest death rate of Jews residing in all occupied countries in western Europe.[1]
These experiences left deep historical scars in the countries that would later form the EU. Despite the terrible suffering they underwent during World War II, the Anglo-Saxon countries were spared the genocide and the worst human rights atrocities that occurred in continental Europe. The association between the collection of personal data and the potential for violations of human rights may thus never have become as deeply ingrained in the public consciousness in countries such as Ireland and the UK as it did in the continental countries.
The first data protection laws in Europe were enacted in countries like France and Germany (the federal state of Hessen).[2] In 1981, the Council of Europe also approved the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108),[3] which remains the sole international treaty containing legally-binding rules on data protection (the Convention entered into force in the UK in January 1985). The next breakthrough occurred in 1983 when, in a major judgment, the German Federal Constitutional Court recognized a right to ‘informational self-determination’, ie a fundamental right to data protection.[4] Data protection is also explicitly mentioned as a fundamental right in several Member State constitutions.[5] Thereafter, data protection was recognized in various human rights treaties (for example, in Article 8 of the Charter of Fundamental Rights of the European Union),[6] and the UK passed the Data Protection Act 1984.
As national data protection laws were adopted across the European Communities, the European Commission became concerned that differences between them, and the lack of data protection laws in some Member States, could lead to both a lower level of data protection and to barriers to the free flow of personal data within the EU. Perhaps the most famous case that highlighted the dangers of varying levels of data protection around Europe occurred when the French subsidiary of the Italian automobile manufacturer Fiat resisted the transfer of employee data to the Italian parent company, on the basis that Italy lacked data protection legislation and thus did not provide an ‘adequate level of data protection’.
Incidents such as these led to the Directive, which was finalized and adopted in October 1995. The Conservative governments of Margaret Thatcher and John Major lobbied actively against adoption of the Directive, and it is thus not surprising that the Directive tends to reflect the data protection traditions of continental Member States such as France and Germany more than it does those of the UK. Since adoption of the Directive, UK case law has also focused more on privacy suits involving intrusion into the ‘personal space’ of individuals than on issues involving informational self-determination (ie data protection).[7]
III. Differences between Continental and UK Approaches to Data Protection
For a while following enactment of the Directive, the attitude of the UK government to data protection could be characterized as one of ‘benign neglect’, with the Information Commissioner’s Office (ICO) and the government itself being noticeably less active in policymaking and enforcement than were many data protection authorities (DPAs) and governments on the Continent. In recent years, however, both the ICO and the UK government have become much more active, and even proactive, with regard to data protection. Nevertheless, a number of important differences between the UK and continental approaches to data protection remain, in particular the following:
· Data protection enforcement based on a showing of harm
Traditionally, the UK Information Commissioner was hesitant to bring enforcement actions, and tended to do so only in particularly egregious cases and especially when there was a showing of harm to data subjects.[8] In most continental legal systems, on the other hand, there is no requirement that harm be demonstrated before an enforcement action is brought. The divergence between the UK and continental approaches with regard to enforcement was demonstrated by the 2003 Rechnungshof judgment of the European Court of Justice, in which the Court found that to establish an interference with private life, ‘it does not matter whether the information communicated is of a sensitive character or whether the persons concerned have been inconvenienced in any way’,[9] thus implying that harm is not a necessary element of a violation of data protection law. While the ICO has become much more proactive with regard to enforcement in recent years, most observers who deal with both the ICO and continental DPAs on a regular basis would likely agree that a showing of harm plays less of a role in enforcement actions on the Continent than it does in the UK.
· Less bureaucratic legal regime for international data transfers
Article 25 of the EU Data Protection Directive restricts transfers of personal data to countries that are not recognized as having an ‘adequate level of data protection’. In most Member States, compliance with EU data transfer restrictions requires that the data controller notify the transfer to the local data protection authority and, in many cases, obtain authorization from the DPA. However, this is not the case in the UK, where the ICO allows data controllers to rely on a ‘self-assessment’ approach in many cases. As the ICO’s guidance document on international data transfers states:
Where the data protection regime in the third country has not been subject to a Commission finding of adequacy, it is for exporting controllers to assess adequacy in a way which is consistent with the Directive and the Act. In carrying out this assessment of adequacy, the Commissioner would expect exporting controllers to be able to demonstrate how they have addressed the [adequacy test] set out in this guidance.[10]
Thus, in practice, the ICO routinely allows data controllers to reach their own adequacy determinations, based on Article 25(2) of the Directive, without notifying such determinations to the Commissioner. The ICO also does not require that use of the EU-approved standard contractual clauses be authorized by it, or even notified to it. This approach is very different from that in most continental countries, which usually do not allow a self-assessment approach to international transfers. In addition, the European Commission apparently opposes the UK ‘self-assessment’ approach to adequacy and believes that it violates EU law.
· Differences in definitions of key data protection concepts
Certain fundamental concepts of data protection law may also be interpreted differently in the UK than in most other Member States, an example of this being the concept of ‘personal data’. In the case of Durant v Financial Services Authority [2003] EWCA Civ 1746, the Court of Appeal refused the appellant Durant’s request for disclosure of the unredacted computerized documents and manual records held by the FSA relating to his complaint against Barclays Bank, on the basis that the records did not all qualify as ‘personal data’. In a guidance document, the Information Commissioner interpreted this decision as indicating that a determination of whether information constitutes ‘personal data’ hinges largely on whether it affects an individual’s ‘privacy’, and on whether it may have an adverse impact on the individual.[11] DPAs in other Member States and the European Commission have been openly critical of the Durant decision, and questions have been raised about its compatibility with European law. Thus, Durant and the UK definition of ‘personal data’ seem to be out of the mainstream of European data protection law. In addition, basic data protection principles are often interpreted more strictly on the Continent than they are in the UK, with the result that there may be greater restrictions on certain data processing activities. For example, the principle of proportionality is often interpreted more strictly in the context of collecting information about suspected violations by employees in a country such as Germany than it is in the UK, which can make it more difficult to operate such databases in continental countries.[12]
· Differences in administrative style and procedure
There are substantial differences in the way that the law is administered in the UK and in continental countries. These differences include, for example, a broader requirement in continental countries to obtain approval for various kinds of data processing; longer waiting periods on the Continent before such approval is granted; and a more proactive attitude on the part of data protection authorities with regard to prior checking of certain types of data processing.
IV. Conclusions
There is no doubt that the UK approach to data protection is gradually becoming closer to the continental approach. For example, the ICO seems to have become more aggressive and proactive in its approach to enforcement of data protection rights,[13] while at the same time certain continental DPAs are increasingly recognizing the merits of the more pragmatic UK approach.
At the same time, fundamental differences in the UK and continental approach to data protection will remain. In particular, with the coming into effect of the Lisbon Treaty, a legally-binding right to data protection will apply in most EU Member States, but not in the UK, which has obtained an opt-out to the Charter; this difference may potentially drive the UK and continental European approaches to data protection still farther apart. The UK has also had a different historical experience than has the Continent, and the differences between the UK’s common-law system and the civil-law approach on the Continent mean that further differences between the two approaches to data protection are inevitable. Thus, anyone involved in the processing of personal data in continental Europe should be aware of fundamental differences between data protection requirements there and those that apply in the UK.
Finally, it is ironic to note that, while the UK was spared the worst abuses of human rights during World War II that ultimately led to adoption of the Directive, the UK has been described by the Information Commissioner as presently ‘sleepwalking into a surveillance society’,[14] based on increased governmental intrusion into citizens’ private lives. Both the UK and continental countries have much to learn from each other’s experiences, and it is imperative that they work together to prevent an erosion of data protection rights throughout the EU.
Christopher Kuner is a Partner at Hunton & Williams, Brussels. He is Chairman of the Task Force on Privacy and the Protection of Personal Data of the International Chamber of Commerce and Chairman of the European Privacy Officers Forum (EPOF): ckuner@hunton.com. The author is grateful to his colleague Bridget Treacy for her valuable comments.
[1] William Seltzer and Margo Anderson, ‘The Dark Side of Numbers: The Role of Population Data Systems in Human Rights Abuses’ (2001) Social Research 481, 486-488.
[2] See, e.g., Hessisches Datenschutzgesetz of 30 September 1970 (Data Protection Act of the German federal state of Hessen); Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés (French Act N. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties).
[3] January 28, 1981, ETS 108 (1981).
[4] Bundesverfassungsgericht, Judgment of 15 December 1983, 65 BVerfGE 1.
[5] See, e.g., Belgian Constitution of 7 February 1831, last revised in July 1993, Art 22; French Declaration of the Rights of Man and of the Citizen of 26 August 1789, Art 12; Swedish Constitution of 1 January 1975, Art 2.
[6] [2000] OJ C364/1.
[7] See Rosemary Jay and Angus Hamilton, Data Protection Law and Practice (3rd edn, Sweet and Maxwell, 2007) 20, referring to ‘the tendency of the UK courts to regard data protection as wholly coterminous with conventional privacy rights and their refusal to countenance the wider issues of information self-determination which the scope of data protection legislation more properly addresses.’
[8] See R Vosper, ‘Companies Struggle to Navigate Through the UK’s Hazy Data-Protection Law’ (May 2002) Corporate Legal Times International 18, 20, quoting David Clancy, then strategic policy officer with the ICO, as follows: ‘We have only gone for enforcement when there has been a blatant infringement of the act or data controllers have ignored advice sent by this office’.
[9] Joined Cases C-465/00 and C-138/01 Rechnungshof [2003] ECR I-6041, para 75.
[10] ‘The Eighth Data Protection Principle and international data transfers’ (30 May 2006) para 2.3.1.
[11] UK Information Commissioner, ‘The “Durant” Case and its impact on the interpretation of the Data Protection Act 1998’, 27 February 2006, 2.
[12] See, e.g., Christopher Kuner, ‘Proportionality in European Data Protection Law and its Importance for Data Processing by Companies’ (2008) BNA Privacy & Security Law Reporter 1615, 1617-18, referring to a case in which the Berlin Data Protection Commissioner decided that the proportionality principle limited the ability of a company to create a database for the retail sector containing information about actual and suspected criminal violations by employees.
[13] See ICO Press Release, ‘Privacy Watchdog Calls on CEOs to Take Responsibility for data protection safeguards’, 29 October 2008, <http://www.ico.gov.uk/upload/documents/pressreleases/2008/data_breaches_29_october_2008.pdf>, quoting former Information Commissioner Richard Thomas as stressing the need to ‘highlight the risks associated with large databases, the need for tougher sanctions to deter data breaches’ and the need for CEOs ‘to take responsibility for the personal information their organisations hold’.
[14] See Information Commissioner Press Release of 2 November 2006, <http://www.ico.gov.uk/upload/documents/pressreleases/2006/waking_up_to_a_surveillance_society_version_2001.pdf>.