Comments

This article was published in (2011) Computer Law and Security Review (CLSR) 27: 223-231. This paper may also be referenced as [2011] UNSWLRS 50.

Abstract

The Council of Europe celebrates in 2011 the 30th Anniversary of its Data Protection Convention (usually referred to as Convention 108) which has served as the backbone of international law in over 40 European countries and has influenced policy and legislation far beyond Europe. It is the only legally binding international treaty dealing with privacy and data protection. With new data protection challenges arising regularly, the Council is revising Convention 108 to attempt to meet and overcome these challenges. This paper was a joint submission by its authors on behalf of Computer Law and Security Review (CLSR), the International Association of IT Lawyers (IAITL) and ILAWS, University of Southampton, in response to the Expert Committee’s public consultation on the Convention. Some of the main submissions made are:

• The Convention should remain a simple, concise and technologically neutral instrument, while at the same time recognising and addressing some new characteristics of the present and future technological environment.
• It would not be helpful to try to define the right to privacy in a data protection Convention. It would be helpful to include “collection” in the definition of automatic processing so that all of the principles apply, where relevant, to collection. Both the proportionality principle (which should apply to all operations carried out on the data) and the data minimisation principle (which aims at limiting the collection of personal data to a strict minimum or even to cease personal data collection when possible) are significant principles which could valuably be added, and we strongly support their inclusion.
• A right to be forgotten in respect of online data (that is, people should be able to give informed consent to every site or service that processes their data, and they should also have the right to ask for all of their data to be deleted).
• The concept of consent, if it is used, needs to be expressly defined as meaning free, voluntary, informed and revocable at any time, and not bundled with other consents.
• Compatibility (of secondary uses) is a subjective concept, and would be better expressed as “uses or disclosures” which are within the reasonable expectations of the data subject (to which a “reasonable person” test would be applied).
• Full application of privacy principles to the behaviour of private individuals would be onerous and oppressive, threatening other important freedoms and rights, but some controls and restrictions are justified. This is best handled by a broad statement of privacy protection in the ECHR and similar human rights instruments, at the international level.
• A right for data subjects to be informed of data breaches affecting them that meet specified threshold criteria should stand alone as a separate principle.
• There would be no need for separate principles or rules for traffic or location data if personal data is defined as expressly including any information which enables or facilitates communication with a person on an individualised basis, whether or not it meets the current definition of personal data.
• There should be an obligation to demonstrate that measures have been taken to ensure full respect for data protection rules, but “accountability” cannot be and must not become an alternative to data export restrictions.
• Allowance for anonymity should be made a basic data protection principle in itself, with pseudonymity as the first fall-back option when anonymity cannot be achieved for legal or technical reasons.
• One particular task of a supervisory authority that needs to be spelled out is the obligation to account for their performance of their complaint investigation obligations, including by reporting to the public, on objectively determined criteria, of cases investigated (anonymised to the extent necessary to protect privacy but not otherwise), and by statistics including those on outcomes and remedies.
• It remains appropriate to require an adequate level of protection as a condition of cross-border transfer.

Disciplines

Computer Law | Cyberspace Law | Human Rights Law | Intellectual Property | International Law

Date of this Version

November 2011