El Senado y Cámara de Diputados…
La nueva Ley de la Provincia de Buenos Aires n.14.214
La ley provincial fue promulgada mediante Decreto 2756/10 del 22/12/10 y Publicada el 14/1/11 en el boletín oficial provincial Nº 26514. Mediante esta ley se reglamenta la acción de habeas data en la Provincia de Buenos Aires. Lo positivo es que ahora no se aplicará la ley provincial de amparo, que era muy limitativa y coartaba acciones de habeas data. Además se establece la legitimación colectiva. La ley sin embargo no contiene normas sustantivas para las bases de datos públicas (tal como hizo la ley 1.845 de la Ciudad de Buenos Aires y su reglamentación) ni designa una autoridad de aplicación provincial en la materia. Asimismo se establece que también se podrá usar la ley para el acceso a la información pública en la provincia. Esta norma se suma a la aprobada hace dos meses por la provincia de San Luis.
Texto de la ley
LEY 14.214 – REGLAMENTACIóN DEL PROCESO CONSTITUCIONAL DE HáBEAS DATA, DE CONFORMIDAD A LO ESTABLECIDO EN EL ARTíCULO 20º INCISO 3) DE LA CONSTITUCIóN.
TÍTULO I – DISPOSICIONES GENERALES
ARTÍCULO 1º: Objeto. La presente Ley tiene por objeto la reglamentación del proceso constitucional de hábeas data, de conformidad a lo establecido en el artículo 20º inciso 3) de la Constitución.
LEY Nº I-0733-2010 – BOLETIN OFICIAL del 5 de noviembre de 2010.
EL SENADO Y LA CAMARA DE DIPUTADOS DE LA PROVINCIA DE
SAN LUIS, SANCIONAN CON FUERZA DE LEY:
GARANTIA A LA INTIMIDAD Y PRIVACIDAD
ARTÍCULO 1°.- El Estado Provincial garantiza los derechos fundamentales a la privacidad y a la intimidad, reconocidos en la Constitución de la provincia de San Luis.-
*Interview with Prof. Spiros Simitis*
See “Spanish version here”:http://www.habeasdata.org/Entrevista-Prof-Spiros-Simitis .
*1) Germany is linked to the early history of data protection with the fist statute enacted in the Land of Hesse. Can you describe us briefly how it all started?*
The nineteen-sixties were the years in which the attention was increasingly drawn to computers. The magic word was -cybernetics-. Especially Governments expected to be able to put their policies on a new, perfectly rational basis, permitting them to timely collect all information possibly needed and to use it for an unlimited number of purposes. For precisely this reason many of the Governments of the Federal States in Germany planned the establishment of central data banks storing the personal data of all their citizens. Thus, the Government of Hesse advertised its intention to gather the medical data by claiming that in accidents on the motorway help for victims would be instant and most efficient, since a direct and immediate connection to the data bank would permit to learn all about the health of the victim including medicine taken and potential allergies.
I had already in the second half of the nineteen-sixties explicitly addressed the danger of a growing manipulation of the citizens by a limitless use of their data and asked for clear rules definitely restricting the access to personal information and determining the conditions of their use. As a result, the same demand was expressed and supported in early 1969 in a leading article of one of the main German newspapers. Only a few weeks later the consultations for a law begun and finally, the Hesse Parliament adopted the worldwide first Data Protection Act in September 1970.
*2) Can you tell us a bit about your experience as Data Protection Commissioner of the State of Hesse: how was it to be a commissioner in the early days of data protection? How did companies, data subjects and the government react to those new data protection rules?*
One was generally regarded as a rather strange person. Computers and their use were still a mystery, possible consequences definitely more a matter of anticipation and speculation than of real experiences. Besides, the attention focused primarily on Government, all the more that private companies pretended that they would never have the means to establish huge data banks. But it was also clear, that data protection could only have a chance if it included from the very begin both state and private activities.
*3) In Latin America we been hearing a lot about the German census case and the right to -information self-determination-. Can you summarize for a Latin American audience the significance of the decision in its historical context?*
At the begin of the nineteen-eighties the German Federal Government signaled its intention to proceed to a population-wide census. It was described as an indispensable source of a broad information on all citizens to be used for a wide range of state policies. The reaction of citizens was, against the background of a growing consciousness of the implications of a computer use, nearly unanimously critical and their appeal to the Federal Constitutional Court an expression of the hope that it would still be possible to control the consequences and to restrict the Government-™s -data-hunger-. And indeed the Court explicitly stated that the citizens-™ right to know, who intends to use their data for what purposes, under what conditions and for how long is an elementary premise of any democratic system. Citizens have therefore a constitutionally granted right to -informational self-determination-. One of its principal effects is the duty of persons or institutions interested in the access to personal data to define their intended use in advance and to strictly limit the processing of the data to this particular purpose.
*4) On May 22, 2006, the German Constitutional Court (Bundesverfassungsgericht) declared illegal under the German Constitution (Grundgesetz) the preventive screening of data across multiple private and public databases in order to find potential terrorists. Can you tell us your opinion about the decision and its significance?*
The Court reacted to the growing tendency to establish a preventive screening of a mounting number of databases in order to better combat -terrorism- and other -serious crimes-. The Court reminded that the use of data must be definitely purpose-bound. But wherever prevention is regarded as an absolutely sufficient reason for processing personal data the purpose becomes more and more unclear, particularly when a term as vague and abstract as -terrorism- are used. To the extent therefore that a preventive access is to be accepted, both its scope and its conditions have to be limited and unequivocally defined, if prevention is not to become a master-key guaranteeing access to any data at all times.
*5) In your lecture in your “visit to Buenos Aires”:http://www.habeasdata.org/SpirosSimitis you provided us a history of data protection and you signaled a shift from data collection by the government to data collection by private companies. Who should we fear more today?*
In fact, the old distinction between public and private databanks has disappeared. Examples, as those of the collections established by credit-card companies, shops with the help of consumer-cards, biobanks, insurance companies or banks, illustrate that Government needs less and less to have its own databanks. A direct access to the private collections is, as illustrated by telecommunication data, perfectly sufficient. Consequently, the accent must more than ever lie on a definitely purpose-bound use and truly limitative rules of access.
*6) You were a consultant of the International Labor Office for the drafting of a regulation concerning the processing of employee personal data. Do you think generally that employee data is protected nowadays? Are there differences between the EU and the US?*
One of the most important lessons of the past years is, that a regulation of the use of personal data may start with a few general rules. But it can only achieve its aim, an efficient protection of the persons concerned, by provisions more and more concentrated on the specific processing contexts. The use of employee data is the classic example for precisely this insight. Unfortunately, we are still far from the really necessary rules. The International Labour Office Code was a first step. It has however no binding consequences. The proposed Directive of the European Commission has not yet been adopted. And on the national lever we certainly do increasingly have provisions but hey are not true regulations. Britain for instance relies upon a code of conduct controlled by the Information Commissioner. In Germany, the agreements between the Works-™ Councils and the employers play an important role. However, we still wait for a comprehensive regulation. Nevertheless, the reactions in the European Union have definitely gone further than in the United States.
*7) Let* ´s talk about genetic databanks. We know that in the coming years the storage and use of such genetic information will be routinely gathered because of medical and technological advance. What safeguards can be adopted?*
Here again we need specific rules. Genetic data have for far too long been regarded as part of the medical information. Both their importance and their impact have therefore been under-estimated. Especially the experiences in the insurance, the labor, the health policy and the security sector underscore the necessity of a regulation. Significantly enough the International Labour Organization has in the case of genetic data rejected consent as a means to legitimize their use and expressly demanded a statute. However, the content of the rules can lastly only be convincingly determined in connection with a specific context as employment, health policies or insurances.,
*8) The terrorist attack of September 11 to the U.S. has clearly affected the debate between privacy and security. How can we measure the impact?*
-Terrorism- is increasingly used as a pretext to dismantle data protection on both the national and the international level. Debates, as those on the retention of telecommunication data, the transmission of flight passenger data or the access to an equally international transmission of financial data, show day after day that barriers otherwise respected are torn down and restrictions thought to be generally accepted are ignored. As important as security is and as necessary as preventive actions are, a democratic society has to ask itself what its own premises demand and imposes, if its very structure is not to be irreparably affected.
*9) The PNR case. Did you expect the EU Court to rule on the main issue?*
Yes. Especially the European Parliament but also institutions as the Group of Experts on Data Protection of the European Commission had categorically stated the illegality of the European Commission-™s agreement with United States, an opinion shared also by the Advocate General of the Court.
*10) DRM and Privacy. Are we going towards a surveillance society in culture and entertainment users?*
I am afraid, the tendency can hardly be ignored. However, this is one more sign for the profound changes achieved in a context in which the persons concerned are not only involved but also favor if not promote developments slowly but surely destroying their chances of a truly respected privacy by a marked indifference and unwillingness to insist on their rights.
*11) We have had a huge debate in Argentina related to the data retention law. The Argentine Congress enacted a law mandating ten years on data retention but the law has been twice declared unconstitutional. Can you tell us about a bit of the new EU Data Retention Directive?*
Firstly, the controversy over the Directive is not yet terminated. Exactly as in the case of the transmission of flight-passengers-data to the United States the EC-Commission was not entitled to adopt a regulation on a matter that, as especially security issues, clearly transcends the limits of its competence. A substantial number of members of the European have as in particular their colleagues in the Federal German Parliament asked that an annulment of the Directive should be sought. Secondly, the Directive is, because of its vagueness, incompatible with the constitutional premises only recently stated anew in the afore mentioned decision of the Federal German Constitutional Court. Thirdly, though it is certainly correct that the original text of the Directive has, in particular after an intervention of the German Government, been widely corrected, important questions have still not been answered in a convincing way. Thus, it is unclear, whether the telephone companies in Britain will not be allowed to follow a suggestion of the British Government and sell the data in order to finance the retention costs.
*12) Do you think there should be a right to -forget- or a right to oblivion related to privacy, and specifically in matters of commercial data? Must society delete certain information after the passage of time?*
The duty to restrict the collection and processing of personal data to specific, clearly determined purposes implies that the information has to be deleted from the moment on the purpose has been fulfilled, an expectation asserted by the data protection laws and applicable to both the public and private sector. Data protection tolerates, in other words, by definition only a deliberately limited memory. For exactly this reason the discussion on data protection has from its earliest days on been complemented by a debate on the need and the structure of public archives. To be sure: Data protection and archives are not a contradiction but mutually completing elements of a democratic society.
*13) The German federal data protection act has been changed many times. Can you tell us what prompted these changes?*
Mainly two different issues. The last review was prompted by the 1995 European Union Directive on Data Protection. However, in this as in all other cases the lastly decisive reason was the progressive acceptance of the need to constantly review data protection laws in view of in view of the continuously accelerated development of the information and communication technology. Therefore, the Norwegian legislators had already in the nineteen-eighties fixed in the data protection law a date for the begin of a review debate. Data Protection necessitates indeed a virtually unending debate forcing to reconsider the decisions adopted and thus to reexamine the demands regarding the access and the use of personal data.
*14) Search engines and privacy. Recently many search engines were compelled to provide search queries to the U.S. government. Should anonymity be safeguarded in the internet? Should it be the standard?*
I do indeed think that especially because of the incessant commercialization of personal data in the Internet rules establishing access barriers and guaranteeing anonymity as far as possible are overdue.
*15) Prof. Simitis, we thank you for this interview.*
Pablo A. Palazzi
Foro de Habeas Data
*Interview with Chris Hoofnagle*
“Chris Jay Hoofnagle”:http://choof.org/ is a privacy expert and lawyer admitted to practice law in California and DC. Currently, he is non-residential fellow at Stanford University’s Center for Internet and Society and a consultant on privacy litigation. Until recently he worked at the Electronic Privacy Information Center, where he was in charge of the organization of EPIC West Coast Office. He had testified before Congress, the California Legislature, and before the Judicial Conference of the United States on various privacy issues. His academic articles on the First Amendment and privacy “are online at the SSRN web site”:http://papers.ssrn.com/sol3/results.cfm.
See “Spanish version here”:http://www.habeasdata.org/Entrevista_Chris_Hoofnagle.
*HabeasData: Can you tell us about your work in privacy? How did you started to be interested in privacy issues?*
*CJH:* Back in the 1990s, direct marketers were seen as a serious privacy threat, in part, because they might take troves of consumer transactional information and sell it to law enforcement. Officials from the Direct Marketing Association established an ethical rule barring the use of marketing data for government purposes, and emphatically argued that they would not allow their data to be sold to law enforcement. These arguments, bolstered by the “free market” types, protected the direct marketers from new federal regulation, and allowed a great trade in personal information to arise. Privacy advocates were skeptical of this trade, and I believe rightly so. I’ve always thought it naive to hold that big business poses different privacy risks than government. And, the failure to rein in data marketing companies in the 1990s led directly to the current situation, where despite past promises, almost all the companies selling personal data to the government are direct marketing operations. So, I have focused my work on commercial collection of personal information, and the nexus with law enforcement. This nexus obviously has expanded, given recent events.
*HabeasData: Privacy after 911: can you summarize, for a Latin American audience, what kind of programs/actions have been proposed/applied in the United States that may affect privacy?*
*CJH:* Rather than enumerate the various programs that have been proposed or implemented, let me just make the principal point: After 9/11, US law enforcement shifted its paradigm from a crime solving approach to one focusing on preventing crime. This principle of prevention of crime, of trying to predict and interdict criminals, drives many of the programs in the US now. There is a belief associated with this principle that technology can be used to find suspicious patterns and to identify possible criminals. Report after report has concluded that there is no reliable terrorist profile, but officials continue to believe computers have some mystical power to solve all problems.
*HabeasData: Americans have a different view of data protection than the EU and some Latin American countries. Can you explain us why?*
*CJH:* The first exhibit in the Holocaust Museum in Washington, DC features a “Hollerith Machine”:http://www3.iath.virginia.edu/holocaust/infotech.html a census tool that aggregated personal information. The Germans collected personal information on punch cards that were then fed through the machine, and used the data to increase the efficiency of the Holocaust. Historical analyses of the Holocaust showed that the Germans were more effective in states where there were high rates of participation in censuses. The history of the Holocaust informed Europeans’ views of the relationship of personal information to state control.
In the US, we did have the opportunity to adopt a comprehensive set of protections for personal information. The US started by enacting the Privacy Act of 1974, which created procedural and some substantive protections for personal information in the hands of the federal government. A study commission created by the law concluded that those protections should be extended to corporations, but Congress never enacted this recommendation.
At the same time, companies that used personal information organized and strongly opposed privacy laws. In recent years, data companies have become very sophisticated in their opposition to all privacy law. There is a marked difference between privacy laws enacted in the 1980s and early 1990s and those considered today. I remain convinced that the Fair Credit Reporting Act of 1970, which incorporates all Fair Information Practices, would not even get a hearing in today’s Congress. The industry is simply too well organized and well funded, and they want to limit privacy to giving consumers “privacy notices” and “choice.”
*HabeasData: The differences in privacy protection between the U.S. and some Latin American countries may have lead to more protection in those countries. However a company like “Choicepoint was able to gather and sell personal data from Latin Americans”:http://www.epic.org/privacy/choicepoint/#documents to the U.S. government. How did it started? Where are we now?*
*CJH:* It got started because they could collect the data. Business practices and technology are far ahead of the public’s understanding of the issues and the legal framework. If there are ambiguities in the law, or where there is no law, information companies are going to take advantage of the situation and collect personal data.
But, I am convinced that Choicepoint will be the big winner from the security breach and resulting Federal Trade Commission settlement. From a legal perspective, Choicepoint has a more sophisticated infrastructure, and many of its competitors will trip over the standards set by the FTC settlement. Ten years from now, Choicepoint will be the leading data broker, and it could be the case that its entire business operations will operate under the Federal Fair Credit Reporting Act.
*HabeasData: Why the US have not yet recognized a constitutional right to privacy in information?*
*CJH:* In “a 1976 case”:http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?navby=case&court=us&vol=425&invol=435, the Supreme Court held that individuals do not have a right of privacy in information voluntarily given to others. This is what we refer to as the “secrecy paradigm,” the idea that information is only private if no one else knows about it.
Practically, this means that the government can go to businesses and request personal information about customers without a subpoena or warrant. In fact, since 9/11, many businesses have volunteered to provide their databases of personal information to law enforcement.
Why is this the case? Criminal procedure and First Amendment rights experienced a great expansion from the 1950s-1970. Following this period, our Supreme Court became more conservative, and attempted to limit many of these rights.
*HabeasData: Who do you fear more in terms of privacy threats in the next years: the public or the private sector? Why?*
*CJH:* I do not believe that there is a distinction between public and private sector privacy threats anymore. The private sector has shown itself more than willing to give customer data to the government. One cannot trust the private or public sectors to balance privacy interests of consumer/citizens out of goodwill. Private actors’ first loyalty is to increasing shareholder wealth, and public actors do not want to place limits on their power to use personal information.
*HabeasData: DRM & Privacy: you* ´ve researched this nascent area of law. Are we heading towards a world of non anonymous consumption of content?*
*CJH:* DRM is threatening anonymity, but so is the lack of payment systems that provide privacy. There is very little economic incentive for businesses to create anonymous DRM or payment systems. We’re moving towards more electronic transactions (credit/debit card use surpassed cash in 2003). We have to find a way to build more privacy into transactions generally.
** · Thank you for you time,*
Pablo A. Palazzi
Foro de Habeas Data