Recent Articles

Data privacy

Data Privacy refers to the evolving relationship between technology and the legal right to, or public expectation of privacy in the collection and sharing of data.

Privacy problems exist wherever uniquely identifiable data relating to a person or persons are collected and stored, in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues. The most common sources of data that are affected by data privacy issues are:

• Health information
• Criminal justice
• Financial information
• Genetic information

The challenge in data privacy is to share data while protecting the personally identifiable information. Consider the example of health data which are collected from hospitals in a district; it is standard practice to share this only in the aggregate. The idea of sharing the data in the aggregate is to ensure that only non-identifiable data are shared.

The legal protection of the right to privacy in general and of data privacy in particular varies greatly around the world.

The Universal Declaration of Human Rights states in its article 12 that:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

North-America

Data privacy is not a highly developed area of law in the U.S.. Although partial regulations exist, for instance the Children's Online Privacy Protection Act, there is no all-encompassing legislation on the protection of personal data. Very few states recognize an individual's right to privacy, a notable exception being California.

In Canada, the European Convention on Human Rights(ECHR) provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in it's jurisprudence. According to the Court's case law the collection of information by officials of the state about an individual without his consent always falls within the scope or article 8. Thus, gathering information for the official census, recording fingerprints and photographs in a police register, collecting Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was concluded within the Council of Europe in 1981. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

As all the member states of the European Union are also signatories of the European Convention on Human Rights and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the European Commission was concerned that diverging data protection legislation would emerge and impede the free flow of data within the EU zone. Therefor the European Commission decided to harmonize data protection regulation and proposed the Directive on the protection of personal data.

The directive contains a number of key principles which must be complied with. Anyone processing personal data must comply with the eight enforceable principles of good practice.
They say that data must be:

• fairly and lawfully processed;
• processed for limited purposes;
• adequate, relevant and not excessive;
• accurate;
• not kept longer than necessary;
• processed in accordance with the data subject's rights;
• secure;
• not transferred to countries without adequate protection.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'. For more details on these data principles, read the article about the directive on the protection of personal data or visit the .

All EU member states adopted legislation pursuant this directive or adapted their existing laws. Each country also has it's own supervisory authority to monitor the level of protection.

• In the United Kingdom the Data Protection Act 1984 was extended in 1998. For details, visit or read the article about the Information Commissioner
• France adapted it's existing law (law no. 78-17 of 6 January 1978 concerning information technology, files and civil liberties). More information is available on the website of the CNIL (in French only) (Commission Nationale de l'Informatique et des Libertés)
• In Germany both the federal government and the states enacted legislation. For details, visit the page of the (Bundesbeauftragter für den Datenschutz).