Habeas Data – Datos Personales – Privacidad

Interview with Prof. Spiros Simitis

Posted: septiembre 19th, 2006 | Author: | Filed under: Competencia judicial, Habeas Data, Público en general, Unión Europea | No Comments »

*Interview with Prof. Spiros Simitis*

See “Spanish version here”:http://www.habeasdata.org/Entrevista-Prof-Spiros-Simitis .

*1) Germany is linked to the early history of data protection with the fist statute enacted in the Land of Hesse. Can you describe us briefly how it all started?*

The nineteen-sixties were the years in which the attention was increasingly drawn to computers. The magic word was -cybernetics-. Especially Governments expected to be able to put their policies on a new, order perfectly rational basis, permitting them to timely collect all information possibly needed and to use it for an unlimited number of purposes. For precisely this reason many of the Governments of the Federal States in Germany planned the establishment of central data banks storing the personal data of all their citizens. Thus, the Government of Hesse advertised its intention to gather the medical data by claiming that in accidents on the motorway help for victims would be instant and most efficient, since a direct and immediate connection to the data bank would permit to learn all about the health of the victim including medicine taken and potential allergies.

I had already in the second half of the nineteen-sixties explicitly addressed the danger of a growing manipulation of the citizens by a limitless use of their data and asked for clear rules definitely restricting the access to personal information and determining the conditions of their use. As a result, the same demand was expressed and supported in early 1969 in a leading article of one of the main German newspapers. Only a few weeks later the consultations for a law begun and finally, the Hesse Parliament adopted the worldwide first Data Protection Act in September 1970.

*2) Can you tell us a bit about your experience as Data Protection Commissioner of the State of Hesse: how was it to be a commissioner in the early days of data protection? How did companies, data subjects and the government react to those new data protection rules?*

One was generally regarded as a rather strange person. Computers and their use were still a mystery, possible consequences definitely more a matter of anticipation and speculation than of real experiences. Besides, the attention focused primarily on Government, all the more that private companies pretended that they would never have the means to establish huge data banks. But it was also clear, that data protection could only have a chance if it included from the very begin both state and private activities.

*3) In Latin America we been hearing a lot about the German census case and the right to -information self-determination-. Can you summarize for a Latin American audience the significance of the decision in its historical context?*

At the begin of the nineteen-eighties the German Federal Government signaled its intention to proceed to a population-wide census. It was described as an indispensable source of a broad information on all citizens to be used for a wide range of state policies. The reaction of citizens was, against the background of a growing consciousness of the implications of a computer use, nearly unanimously critical and their appeal to the Federal Constitutional Court an expression of the hope that it would still be possible to control the consequences and to restrict the Government-™s -data-hunger-. And indeed the Court explicitly stated that the citizens-™ right to know, who intends to use their data for what purposes, under what conditions and for how long is an elementary premise of any democratic system. Citizens have therefore a constitutionally granted right to -informational self-determination-. One of its principal effects is the duty of persons or institutions interested in the access to personal data to define their intended use in advance and to strictly limit the processing of the data to this particular purpose.

*4) On May 22, 2006, the German Constitutional Court (Bundesverfassungsgericht) declared illegal under the German Constitution (Grundgesetz) the preventive screening of data across multiple private and public databases in order to find potential terrorists. Can you tell us your opinion about the decision and its significance?*

The Court reacted to the growing tendency to establish a preventive screening of a mounting number of databases in order to better combat -terrorism- and other -serious crimes-. The Court reminded that the use of data must be definitely purpose-bound. But wherever prevention is regarded as an absolutely sufficient reason for processing personal data the purpose becomes more and more unclear, particularly when a term as vague and abstract as -terrorism- are used. To the extent therefore that a preventive access is to be accepted, both its scope and its conditions have to be limited and unequivocally defined, if prevention is not to become a master-key guaranteeing access to any data at all times.

*5) In your lecture in your “visit to Buenos Aires”:http://www.habeasdata.org/SpirosSimitis you provided us a history of data protection and you signaled a shift from data collection by the government to data collection by private companies. Who should we fear more today?*

In fact, the old distinction between public and private databanks has disappeared. Examples, as those of the collections established by credit-card companies, shops with the help of consumer-cards, biobanks, insurance companies or banks, illustrate that Government needs less and less to have its own databanks. A direct access to the private collections is, as illustrated by telecommunication data, perfectly sufficient. Consequently, the accent must more than ever lie on a definitely purpose-bound use and truly limitative rules of access.

*6) You were a consultant of the International Labor Office for the drafting of a regulation concerning the processing of employee personal data. Do you think generally that employee data is protected nowadays? Are there differences between the EU and the US?*

One of the most important lessons of the past years is, that a regulation of the use of personal data may start with a few general rules. But it can only achieve its aim, an efficient protection of the persons concerned, by provisions more and more concentrated on the specific processing contexts. The use of employee data is the classic example for precisely this insight. Unfortunately, we are still far from the really necessary rules. The International Labour Office Code was a first step. It has however no binding consequences. The proposed Directive of the European Commission has not yet been adopted. And on the national lever we certainly do increasingly have provisions but hey are not true regulations. Britain for instance relies upon a code of conduct controlled by the Information Commissioner. In Germany, the agreements between the Works-™ Councils and the employers play an important role. However, we still wait for a comprehensive regulation. Nevertheless, the reactions in the European Union have definitely gone further than in the United States.

*7) Let* ´s talk about genetic databanks. We know that in the coming years the storage and use of such genetic information will be routinely gathered because of medical and technological advance. What safeguards can be adopted?*

Here again we need specific rules. Genetic data have for far too long been regarded as part of the medical information. Both their importance and their impact have therefore been under-estimated. Especially the experiences in the insurance, the labor, the health policy and the security sector underscore the necessity of a regulation. Significantly enough the International Labour Organization has in the case of genetic data rejected consent as a means to legitimize their use and expressly demanded a statute. However, the content of the rules can lastly only be convincingly determined in connection with a specific context as employment, health policies or insurances.,

*8) The terrorist attack of September 11 to the U.S. has clearly affected the debate between privacy and security. How can we measure the impact?*

-Terrorism- is increasingly used as a pretext to dismantle data protection on both the national and the international level. Debates, as those on the retention of telecommunication data, the transmission of flight passenger data or the access to an equally international transmission of financial data, show day after day that barriers otherwise respected are torn down and restrictions thought to be generally accepted are ignored. As important as security is and as necessary as preventive actions are, a democratic society has to ask itself what its own premises demand and imposes, if its very structure is not to be irreparably affected.

*9) The PNR case. Did you expect the EU Court to rule on the main issue?*

Yes. Especially the European Parliament but also institutions as the Group of Experts on Data Protection of the European Commission had categorically stated the illegality of the European Commission-™s agreement with United States, an opinion shared also by the Advocate General of the Court.

*10) DRM and Privacy. Are we going towards a surveillance society in culture and entertainment users?*

I am afraid, the tendency can hardly be ignored. However, this is one more sign for the profound changes achieved in a context in which the persons concerned are not only involved but also favor if not promote developments slowly but surely destroying their chances of a truly respected privacy by a marked indifference and unwillingness to insist on their rights.

*11) We have had a huge debate in Argentina related to the data retention law. The Argentine Congress enacted a law mandating ten years on data retention but the law has been twice declared unconstitutional. Can you tell us about a bit of the new EU Data Retention Directive?*

Firstly, the controversy over the Directive is not yet terminated. Exactly as in the case of the transmission of flight-passengers-data to the United States the EC-Commission was not entitled to adopt a regulation on a matter that, as especially security issues, clearly transcends the limits of its competence. A substantial number of members of the European have as in particular their colleagues in the Federal German Parliament asked that an annulment of the Directive should be sought. Secondly, the Directive is, because of its vagueness, incompatible with the constitutional premises only recently stated anew in the afore mentioned decision of the Federal German Constitutional Court. Thirdly, though it is certainly correct that the original text of the Directive has, in particular after an intervention of the German Government, been widely corrected, important questions have still not been answered in a convincing way. Thus, it is unclear, whether the telephone companies in Britain will not be allowed to follow a suggestion of the British Government and sell the data in order to finance the retention costs.

*12) Do you think there should be a right to -forget- or a right to oblivion related to privacy, and specifically in matters of commercial data? Must society delete certain information after the passage of time?*

The duty to restrict the collection and processing of personal data to specific, clearly determined purposes implies that the information has to be deleted from the moment on the purpose has been fulfilled, an expectation asserted by the data protection laws and applicable to both the public and private sector. Data protection tolerates, in other words, by definition only a deliberately limited memory. For exactly this reason the discussion on data protection has from its earliest days on been complemented by a debate on the need and the structure of public archives. To be sure: Data protection and archives are not a contradiction but mutually completing elements of a democratic society.

*13) The German federal data protection act has been changed many times. Can you tell us what prompted these changes?*

Mainly two different issues. The last review was prompted by the 1995 European Union Directive on Data Protection. However, in this as in all other cases the lastly decisive reason was the progressive acceptance of the need to constantly review data protection laws in view of in view of the continuously accelerated development of the information and communication technology. Therefore, the Norwegian legislators had already in the nineteen-eighties fixed in the data protection law a date for the begin of a review debate. Data Protection necessitates indeed a virtually unending debate forcing to reconsider the decisions adopted and thus to reexamine the demands regarding the access and the use of personal data.

*14) Search engines and privacy. Recently many search engines were compelled to provide search queries to the U.S. government. Should anonymity be safeguarded in the internet? Should it be the standard?*

I do indeed think that especially because of the incessant commercialization of personal data in the Internet rules establishing access barriers and guaranteeing anonymity as far as possible are overdue.

*15) Prof. Simitis, we thank you for this interview.*

Pablo A. Palazzi
Foro de Habeas Data

Leave a Reply

You must be logged in to post a comment.