Computer Law & Security Review 26 (2010) 673–676
available at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Book review

Reinventing data protection? Serge Gutwirth, Yves Poullet, Paul De Hert, Cécile de Terwangne, Sjaak Nouwt (Eds.). Springer (2009). p. 342, £126, ISBN 978-1-4020-9497-2.

It has become a common refrain that data protection is in need of fundamental reform, with many of its concepts mapping imperfectly, if at all, to modern privacy risks. (Consider the ongoing debate as to whether IP addresses should be regarded as “personal data”.[1]) As the (former) UK Information Commissioner Richard Thomas recently said of the Data Protection Directive:

The approach is now outdated – in terms of both technology and modern regulatory approaches. Technology has moved on massively in the last 20 years. It is a ‘Mainframe Directive’.[2]

This collection aims to contribute to the discussion as to how data protection might be reformed. It has its origins in the November 2007 Reinventing Data Protection? conference organised by the law and technology research centres LSTS (Vrije Universiteit Brussel), CRID (University of Namur) and TILT (Tilburg University). That conference took on the challenge of examining the fundamentals of data protection law and policy – a challenge amply met by the contributors to this book.

In the preface the editors take the Charter of Fundamental Rights as a new starting point. They suggest that by identifying data protection as a new fundamental right, and not merely a spin-off of the better established privacy right, the Charter provides us with the opportunity to reassess the relationship between the rights to privacy and data protection and to consider what purposes we are asking each to serve. Consequently, they call not just for a revision of the existing law but for a complete re-examination of its fundamentals. This call is taken up by 19 stimulating and sometimes provocative chapters, arranged into four parts.

Part I examines fundamental concepts, exploring issues such as the ‘constitutionalisation’ of data protection, the interaction of data protection with democratic values and the role of consent as a legitimating factor. Part II looks at the actors in this field, considering the roles of data protection authorities, trade associations and citizens. Part III then considers the regulation of data protection, focusing on issues such as globalisation, the use of technical standards and the role played by courts. Finally, Part IV is a catch-all which covers specific issues ranging from the interaction between freedom of information and privacy to the differing approaches of the European Union and the Council of Europe.

It is impossible in a short review to do justice to all the chapters; nevertheless, in a collection of this quality it would be invidious to leave out any, so a brief summary of each might be helpful.

In chapter 1 Paul De Hert and Serge Gutwirth set the scene, offering a detailed assessment of how data protection has evolved from a legislative principle to a constitutional value as well as a comprehensive overview of the case law on privacy and data protection in the European Court of Human Rights and the European Court of Justice. They also draw some interesting inferences from that case law, making in particular a convincing argument that both courts have tended to focus on legality to the exclusion of proportionality.

Antoinette Rouvroy and Yves Poullet in chapter 2 explore the concept of informational self-determination and argue that it must be understood not merely as an individual right but also as a social and structural tool, essential to foster the conditions and individual characteristics necessary for a deliberative democracy. In particular, they argue that conceptualising privacy as a right to data protection creates the risk that personal data will be treated as a commodity, its sale or transfer legitimated by the consent of the individual. Consequently, while consent may be a necessary condition for the processing of personal data, it must not be treated as sufficient to legitimate processing – in each case proportionality must also be taken into account.

In chapter 3, “Data Protection as a Fundamental Right”, Stefano Rodotà explores the international trend towards constitutionalising data protection as a new and distinct fundamental right. In a short but tantalising piece he suggests that although data protection is continuously under attack from “security and market logic”, advocates must not limit themselves to a defensive approach but must go further and seek an affirmative reinvention of data protection.

Roger Brownsword, in chapter 4, takes the role of consent in data protection law as his focus and argues for the centrality of consent as a legitimating factor. In an interesting counterpoint to the views of Rouvroy and Poullet he defends the role of consent against criticisms from utilitarian and dignitarian perspectives, and in particular counters the argument (associated with Manson and O’Neill[3]) that data protection should be based on a duty of confidence rather than on the right of the individual.

Chapter 5 – “The Concepts of Identity and Identifiability: Legal and Technical Deadlocks for Protecting Human Beings in the Information Society” – sees Jean-Marc Dinant offer a computer science perspective on data protection challenges. He offers numerous interesting observations about the limits of data protection concepts as applied to the internet – suggesting, for example, that anonymous surveillance poses a substantial threat to privacy notwithstanding that it falls outside current data protection principles – and makes a strong argument that European policy on the use of privacy enhancing technologies has failed to have any substantial result.

Part II opens in chapter 6 with Jan Berkvens, who considers the role of trade associations as actors in the data protection arena. In a short chapter he suggests that consumer interests have often been excluded from discussion of privacy issues and that trade associations and consumer organisations could remedy this gap by addressing privacy interests in standard terms and conditions. He also suggests that consumer law may have a greater role to play in data protection issues – for example, suggesting that one-sided terms in relation to privacy rights could be challenged under the Unfair Contract Terms Directive.

In chapter 7 Peter Hustinx considers the role of data protection authorities in a fascinating discussion which draws on his experience as European Data Protection Supervisor. He starts with the fact that an independent supervisory authority is now a constitutional imperative by virtue of Article 8 of the Charter of Fundamental Rights, but notes that this is something of an anomaly:

The truth is however that no other fundamental right – except the right to a fair trial – is structurally associated with the role of an independent body to ensure its respect and further development. This right is special in the sense that it is considered to be in need of ‘structural support’ through the establishment of an independent authority with adequate powers and resources. (133)

Why has data protection been singled out in this way? He points out that there are no obvious stakeholders in society to assert data protection rights – unlike freedom of expression or association, for example, which can rely on institutional support from the media and trade unions respectively – which necessitates independent authorities to act in an area which is often technical and invisible. At the same time, though, he stresses the limitations of data protection authorities, noting that many are hampered by an over-emphasis on dealing with individual complaints, which tends to drain resources and limits the ability of authorities to set their own priorities and to develop policy. Consequently he suggests that it is vital for data protection authorities to encourage the development of alternative forms of remedies for individuals – to promote class actions, for example – as well as to encourage other bodies such as consumer associations or trade unions to become involved in enforcement.

In chapter 8 Ronald Leenes and Isabelle Oomen address the role of citizens in data protection, presenting results from a survey of Dutch, Flemish and English students. They note the limited role of the individual in law and in practice, pointing out for example that even the term data “subject” carries with it a connotation of passivity (140), and suggest that an empirical analysis of public views is a necessary first step towards promoting greater involvement of individuals. While their results are difficult to summarise, one notable finding rebuts the common fallacy that younger Internet users care less about privacy and are more likely to disclose personal data. Instead, the authors present a more interesting picture, one where students are careful before disclosing personal data but also worried about a perceived loss of control after disclosure.

Part III starts in chapter 9 with Lee Bygrave and Dag Wiese Schartum, who write on “Consent, Proportionality and the Collective Power”. In a particularly interesting paper they examine the question of competence to make decisions on the protection of personal data and the allocation of decision-making power between data subject, data controller and data protection authority. They identify a trend away from comprehensive and somewhat paternalist licensing regimes (giving significant powers to data protection authorities) and towards models based on individual consent. In common with Rouvroy and Poullet, however, they see consent as problematic, owing to the limitations of “informed” consent, bargaining and informational asymmetries between subjects and controllers, and consent exhaustion, laxity and apathy on the part of data subjects faced with multiple, complex choices about privacy-related issues. Similarly, they suggest that models based on consent have tended to focus on the initial grant of consent without giving adequate consideration to its later withdrawal. Given these limitations of individual consent, their proposed solution is to develop the use of collective consent where, for example, trade unions, students’ associations and other groups could negotiate privacy protections on behalf of their members in appropriate situations.

In chapter 10 Cécile de Terwangne asks whether a global data protection regulatory model is possible. In a short but useful contribution she runs through the disparities which currently exist between the most important national and international standards, suggesting that there is a need for harmonisation of data protection principles but rejecting suggestions that weaker international standards (such as the Asia Pacific Economic Cooperation (APEC) Framework) might suffice.

Jane Winn takes on the issue of technical standards in chapter 11, where she analyses the failure of privacy standards – such as P3P – to achieve market success and asks what this might teach us about the prospects of encouraging take-up of other privacy enhancing technologies (PETs). Significantly, she points out that there are substantial concerns about the political accountability of the systems by which technical standards are developed – something which may also hinder the adoption of PETs.

In chapter 12, “Privacy Actors, Performances and the Future of Privacy Protection”, Charles Raab and Bert-Jaap Koops stand back somewhat from the fray. Rather than focus on particular privacy tools or instruments they set out to map the landscape of privacy actors at national and international level. In doing so, they reveal an astonishingly complex network of policy actors and make a compelling argument that the development of privacy issues can only be understood against this background.

Part IV commences with Diana Alonso Blas, who writes in chapter 13 on the topic “First Pillar and Third Pillar: Need for a Common Approach on Data Protection?” Drawing on her experience as Data Protection Officer of Eurojust she outlines the curious status of data protection law as applied to law enforcement generally and in particular under the (former) third pillar. She makes a strong case for the development of additional protection in this field, going beyond the existing general principles of data protection and tailored for the law enforcement environment.

In chapter 14 Mireille Hildebrandt tackles profiling and presents a persuasive argument that existing data protection concepts – centred as they are on “personal data” and the ability to identify the data subject – do not adequately deal with the risks of profiling technologies and the segmentation of society which they might make possible. In particular, she argues that group profiles can be assembled and deployed without any identification taking place, but nevertheless in a way which may unfairly disadvantage the individual or undermine their autonomy.

Gus Hosein of Privacy International considers “Challenges in Privacy Advocacy” in chapter 15, where he expresses a guarded optimism about privacy awareness but pessimism about the state of privacy infrastructure. In common with Raab and Koops he considers the overall landscape of privacy actors, and (echoing Hustinx) notes that privacy has suffered from the fact that it has no natural home in any political movement. From a structural perspective, he notes that privacy advocacy has suffered from a funding crisis: apart from a few well-funded organisations in the US, privacy campaigners have found themselves having to fund their work through other jobs, leaving them often unable to participate in (supposedly open) policy making and hampered when trying to proactively generate media coverage.

In chapter 16 Christopher Kuner considers one of the most practically difficult aspects of data protection law in “Developing an Adequate Legal Framework for International Data Transfers”. Focusing on European Union law, he proposes a move from determinations of adequacy towards an approach based on accountability: that is, one which would hold the data exporter accountable on a continuing basis for personal data transferred outside the EU, and in particular liable for any damage or harm caused by misuse of the data elsewhere.

Sjaak Nouwt in chapter 17, “Towards a Common European Approach to Data Protection”, also considers the effect of different data protection regimes – this time, however, within Europe itself. He focuses on the competing approaches of the Council of Europe and European Union data protection instruments and points out that despite their similarities there are fundamental differences of approach between them. For example, he notes that the Council of Europe Data Protection Treaty of 1981[4] is characterised by a human rights perspective, while the Data Protection Directive[5] has a primarily economic approach which reflects its first pillar and internal market background. This disparity, he suggests, is increasingly undesirable – arguing that “now that data protection within the EU is extending to the third pillar, data protection within the EU more than ever needs to be in line with the human rights approach of the CoE.” (291)

Chapter 18 by Iván Székely poses the question “Freedom of Information versus Privacy: Friends or Foes?” In a particularly interesting chapter he rejects the argument that freedom of information and privacy clash in a zero-sum game, so that the expansion of one must lead to the limitation of the other. Instead, he argues that both concepts should be understood as having a common purpose: to avoid informational asymmetry and to protect the citizen from excessive information power. He also makes a strong argument in favour of joint supervisory agencies – responsible for both freedom of information and data protection oversight – as the best means of handling the mutually interrelated and mutually interdependent nature of the two concepts.

In chapter 19 Pierre Trudel writes on the topic of “Privacy Protection on the Internet: Risk Management and Networked Normativity” and aims to set online privacy issues against a wider context of Internet governance. In a discussion which echoes the approach of Murray[6] he argues for an understanding of online privacy as an area which is dominated not by national laws but rather by a process of the creation and transmission of norms via risk management. In this process, he claims, we can best understand the protection of privacy by looking at the risk assessments of each individual actor and the resulting way in which they transmit their privacy norms to others. As he puts it:

What is at stake is not whether law, technology or self-regulation provides the best protection for privacy. Effective normativity results from dialogue amongst stakeholders and their ability to relay norms and principles. (331–332)

Consequently, he argues for an understanding of privacy regulation which considers the overall network in order to identify where and how interventions can best be made.

Finally, in a postscript, “Towards a New Generation of Data Protection Legislation”, Herbert Burkert draws out some common themes from the chapters, identifying the contributors as falling into the broad categories of reformers (who suggest that only minimal change to the law is necessary), reformists (arguing for structural or conceptual changes) and re-engineers (who focus on technological, rather than legal, solutions). He himself appears to fall squarely within the reformist camp, identifying two substantial structural defects in data protection. First, he notes that although it is related to constitutional values it has not enjoyed the same protection as other constitutional norms – instead, it has been subject to ad hoc legislative overrides in many cases. Secondly, he identifies the central role of consent as greatly weakening the promise of data protection – particularly where that consent is obtained in situations where all the power lies with one party. Developing this point further, he argues that data protection laws must be understood as being about the distribution of informational power within society, not merely the individual right to privacy.

Overall, then, what should we make of this book? The diversity of contributors is an undoubted strength: while the lawyers are in the majority, views from other disciplines are well represented and it is particularly welcome to see the practical insights of regulators such as Hustinx. The chapters are of a uniformly high quality and almost without exception stimulating and thought-provoking. There is no sense of the chapters being stand-alone items – it is evident throughout that the authors are engaging with the same themes from different perspectives. One might perhaps quibble that the centrality of some themes has led to others being sidelined: there is, for example, very little consideration given to such developing issues as data breach notification or the growing tension between data protection and freedom of expression. That point aside, however, this is a superb volume of essays which should be the starting point for anyone interested in the reform of data protection.

TJ McIntyre ([email protected])
Lecturer in Law, University College Dublin.

Notes

[1] See e.g. Article 29 Data Protection Working Party, “Opinion 4/2007 on the concept of personal data,” June 20, 2007.
[2] Richard Thomas, “Data Protection in the European Union – Promising Themes for Reform” (presented at the European Privacy and Data Protection Commissioners’ Conference, Edinburgh, April 24, 2009), http://www.ico.gov.uk/upload/documents/library/corporate/notices/data_protection_in_the_eu.pdf.
[3] Neil C. Manson and Onora O’Neill, Rethinking Informed Consent in Bioethics (Cambridge: Cambridge University Press, 2007).
[4] ETS No. 108.
[5] Directive 95/46/EC.
[6] Andrew Murray, The Regulation of Cyberspace: Control in the Online Environment (Abingdon: GlassHouse, 2007).

0267-3649/$ – see front matter doi:10.1016/j.clsr.2010.07.003