- Data protection — Dignity and autonomy of individuals — Right to access to information — Right to privacy
Published under the direction of the Max Planck Foundation for International Peace and the Rule of Law.
General Editors: Rainer Grote, Frauke Lachenmann, Rüdiger Wolfrum.
A. Meaning and Conceptual Delimitation of Data Protection
1 Data can be defined in a broad sense as material for the purpose of analysis. Information generally refers to what results from data analysis through interpretation (Taylor 41). Because of the data’s potential to provide a large quantity of diverse information on whom data is about, it is not primarily data itself that has to be protected, but the data subject. Personal data protection aims to protect the individuals from whom data originates, in particular to protect their rights and freedoms which may be compromised as a result of their data being applied in different ways. In order for data to qualify as personal data it can both relate to a person who is already identified or to one who is identifiable on the basis of that data. The right to the protection of personal data is a relatively new phenomenon in constitutional law. Its recent emergence explains current and recent approaches to it as an autonomous right and its often unclear distinction from privacy—both of which are still subject to continuous discussion. The right to the protection of personal data is often referred to as information privacy or data privacy.
2 The multifaceted relationship between data protection and privacy can be approached in three different ways. The most prominent approach is to view data protection as a facet of the right to privacy, with different elements of data protection law being justified on the basis of privacy concerns (Solove 8, 27; Poullet 211). The second approach holds that data protection and privacy can be considered to be complementary tools with both serving to support individual self-development, a necessary conceptual component of human dignity, the foundation of the fundamental rights of individuals (Rouvroy and Poullet 47; dignity and autonomy of individuals). Finally, data protection can be approached as an independent right serving a multitude of functions, including but not limited to reasons of privacy (on the European Court of Human Rights: Linskey 94–104, 130).
B. List of Analysed Constitutions
3 Global digitalization, international data sharing, and emerging data processing technologies pose new challenges to data protection and call for a comprehensive comparative analysis of the role of data protection in constitutional laws. In a favourable environment for the growth of a strong data processing industry, global market interests lead to data protection becoming a universal challenge. In this entry, constitutions and case law from around the world are taken into consideration. The constitutional mechanisms of data protection in certain countries such as Canada, South Africa, and the United States (‘US’) are given close attention due to the strong relation between data protection and privacy in their jurisdictions. Asia, Central and South America, as well as Europe receive attention as regions. This includes in Europe Austria, Finland, France, Germany, Hungary, Italy, Lithuania, the Netherlands, Portugal, Slovenia, Spain, Sweden, Switzerland, the United Kingdom (‘UK’), and the European Union (‘EU’), in Central and South America Argentina, Brazil, Colombia, Mexico, Peru and Venezuela, and in Asia Japan, South Korea, and Taiwan. The elaboration on the evolution of data protection in various countries and regions around the world according to its timely progression is followed by a detailed exposition of their contents in a comparative manner.
C. The Evolution of Data Protection in Different Regions and Countries
4 The evolution of data protection in constitutional law is closely linked to technological advances and was established as a response to increasing computerization.
5 Data protection in Europe has been established primarily by means of constitutional amendments and legal acts. There are demonstrably divergent understandings of its constitutional roots and its significance for fundamental rights between countries (Brouwer 194). In the early 1970s, awareness of the surveillance capacity of computers as a threat to society was increasing. At the start the first wave of privacy legislation in Europe, Sweden was the first country to introduce a national data protection law in 1973—with Germany and France following suit in 1977 and 1978 respectively. German data protection is anchored in the principle of human dignity (Population Census Decision), French data protection is rooted in the concept of individual liberty (Loi Portant Création d’une Couverture Maladie Universelle), and Swedish data protection is linked to the principle of personal integrity (Fuster 47–48). Portugal, Austria and Spain were early in providing constitutional recognition of the right to the protection of personal data. Art. 35 of the 1976 Portuguese Constitution regulated the use of data processing, inter alia the rights to receive, access and rectify information (Constitution of the Portuguese Republic: 2 April 1976 (as Amended to 12 December 2001) (Port)). Austria’s 1978 Datenschutzgesetz (Data Protection Act) included Art. 1 § 1 on the Grundrecht auf Datenschutz (basic right to data protection) with constitutional force based on the right to respect for private and family life (protection of the family). Art. 18 of Spain’s 1978 Constitution regulated the right to privacy and also limited the use of computers in order to ensure the citizens’ privacy on an individual and family level (Constitution of the Kingdom of Spain: 6 December 1978 (Spain)). The relationship between privacy and limiting the use of computers by the governmental and public bodies was clarified by recognizing the citizens’ right to access public archives and registers under certain circumstances (Fuster 69).
6 During the second wave of data protection legislation, influenced by the Council of Europe (‘CoE’) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the Netherlands revised the Dutch Constitution in 1983 and incorporated a general right to respect for the personal sphere of life (Constitution of the Kingdom of Netherlands: 17 February 1983 (as Amended to 1995) (Neth), Art. 10). It established the protection of this right in relation to the recording and dissemination of personal data and to the rights to access and rectify such data. In the UK, the Data Protection Act was adopted in 1984. This occurred independently from any right to privacy with the latter staying unrecognized as a right in the UK legal system until 1998 (Chalton 26). Hungary’s 1992 law on data protection emphasized control aspects, placing the right to personal data protection within the framework of the fundamental right to informational self-determination. Art. 13 of the amended 1999 Federal Constitution of the Swiss Confederation granted every person the right to privacy and, in particular, the right to protection against data concerning them being misused (Federal Constitution of the Swiss Confederation: 18 April 1999 (as Amended to 15 March 2012) (Switz)). The Swiss Federal Supreme Court has extensively ruled on different aspects of data protection, including the definition of personal data (Logistep), on the rules for processing such data (Street View), on who is considered a data processor and controller (TdG; A und B AG v Tamedia AG and Others), and on the denial of the right to access data (Bank X AG v AY und BY).
7 In 1995, the faltering ratification of the CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data resulted in the EU drawing up the separate Data Protection Directive (‘DPD’). This directive was influenced by German and French data protection law (Heil 11). Although the EU was committed to data protection as a fundamental right foremost established by Art. 8 of the Charter of Fundamental Rights of the European Union (2000), for a long period the Court of Justice of the European Union (‘CJEU’) was reluctant in acknowledging the DPD’s objective as being the protection of such rights and emphasized the legislation’s role solely in relation to achieving market integration (Linskey 51–76, 62 et seq). A change in the CJEU’s assessment was eventually facilitated by the Lisbon Treaty’s entry into force in 2009 (Art. 16 TFEU, Art. 6 (1) TEU) (Linskey 87).
8 Besides the EU Charter, one of the sources of fundamental rights in EU law is the common constitutional traditions of its member states (Art. 6 TEU). To date, however, the CJEU has not ruled that the constitutional traditions common to member states may extend to safeguarding a fundamental right to personal data protection. Much to the contrary, it is the divergent characteristics of the constitutional traditions of member states in relation to data protection that have influenced national approaches to the implementation of the DPD (implementing legislation). Pioneering countries in the field of data protection, such as Austria, Germany and Sweden, have essentially used the legislative implementation of the Directive as a chance to consolidate their existing approaches to data protection from their respective constitutional positions. In contrast to this, Spain and Portugal have started classifying data protection in relation to privacy as understood in its broader sense—and thus beyond the most protected spheres of personal and family life. In the UK, an understanding of data protection broader than that of privacy continued to carry favour when implementing the DPD (Chalton 2004, 179; Douglas v Hello!; McKennitt v Ash). In Italy and Finland, the DPD has given data protection new constitutional influence by linking data protection to privacy and to the protection of private life for the first time, placing it within the potential scope of fundamental rights (Fuster 148, 152, Constitution of the Republic of Finland: 11 June 1999 (Fin)). The majority of the member states that acceded to the EU in 2004 already had laws on data protection. In most of these cases, data protection was linked to the fundamental right to privacy, as was the case in Slovenia and Lithuania.
2. North America: The United States and Canada
9 The US Constitution and the Bill of Rights do not mention any right to privacy (Constitution of the United States of America: 17 September 1787 (as Amended to 7 May 1992) (US)). However, various aspects of such a right have come to be protected by means of judicial interpretation. This protection has been derived from the Fourth Amendment of the Constitution, which protects individuals against ‘unreasonable searches and seizures’, in conjunction with the Ninth and Fourteenth Amendment. This is understood as a constitutional right of individuals to refuse interference by public authorities (Warren and Brandeis 214; Olmstead v United States; Griswold v Connecticut).
10 With the progress of computerization, both academic literature and legislative advisory committees have increasingly turned their attention to aspects of privacy in relation to personal data which is collected and stored digitally. The key feature of privacy identified here has been the ability of individuals to exercise control over the use and the disclosure of information about themselves (Westin 1970, 17–20, Miller 1971, 25, Fuster 28–33). The 1974 Privacy Act is intended to safeguard individual privacy from being violated through the misuse of federal records and to provide individuals access to such records. In this case, privacy is understood unambiguously as information privacy (Congressional Findings, Sec. 2, points a 1 and a 4).
11 The Supreme Court of the United States first recognized the right to information privacy in 1977, noting that the Constitution protected two kinds of individual interests: ‘One is the individual interest in avoiding disclosure of personal matters, and another is the interest in independence in making certain kinds of important decisions’ (Whalen v Roe, 599–600). The guarantee of the Fourth Amendment is understood to encompass certain data related to a given person, such as telephone or banking records (Smith v Maryland; United States v Miller). However, it only applies in cases where the individual has a ‘reasonable expectation of privacy’, which means where the individual has an actual, subjective expectation of privacy and society is willing to recognize this presumption as reasonable (Katz v United States, 362). This concept has been comprehensively reduced to exclude all cases where an individual has voluntarily turned over the information in question to third parties, effectively excluding a broad range of personal data from Fourth Amendment protection altogether (through what is referred to as the Third Party Doctrine) (Smith v Maryland; United States v Miller). As for the two individual interests protected by information privacy, the first in nondisclosure has resulted in divergent approaches to data protection, although most courts attention has been restricted to the seclusion of information. In contrast, references to the second interest—that of independence in decision-making—have been almost entirely absent from recent judicial decisions (Schwartz and Reidenberg 87, 89).
12 Under the Fourth Amendment, a search or seizure is generally unreasonable and unconstitutional if conducted without a valid warrant and none of the specifically established exceptions to this requirement apply. The exception regarding foreign intelligence surveillance for national security purposes was formally recognized in 2008 (Foreign Intelligence Surveillance Court of Review). In addition, the Fourth Amendment generally does not apply to foreign citizens or residents (United States v Verdugo-Urquides).
13 There is no explicit constitutional right to privacy or data protection in Canada. Section 8 of the Canadian Charter of Rights and Freedoms guarantees everyone the right to be safe from unreasonable search or seizure (Canadian Charter). This right has been interpreted as also protecting a reasonable expectation of privacy (R v Wong 1990, 38), which applies also to modern communication technologies (R v TELUS 2013).
14 The Supreme Court of Canada (Cour suprême du Canada) has identified three zones of privacy over which members of society assumedly exercise control: personal space, dignity, and personal information (R v Dyment 1988, 427; Judge 313–315). The Court has developed criteria which must be considered when examining the totality of circumstances surrounding whether or not a reasonable expectation of privacy exists in relation to acquired and stored information (R v Duarte 1990). The Court has also held that assessing the degree of intrusiveness is not simply a matter of the location of the information in question, but rather the extent to which disclosure of that information would impact the individual’s reasonable expectation of privacy (R v Edwards 1996). However, the Court found that e-mail is subject to a lower expectation of privacy than postal mail because unencrypted e-mails are vulnerable to being read by unintended intermediaries (R v Weir 1998, para. 77). The appropriation of information from computers by state agents may constitute a search or a seizure under section 8 of the Charter because this right is broad enough to ‘embrace all existing means by which the agencies of the state can electronically intrude on the privacy of the individual, and any means which technology places at the disposal of law enforcement authorities in the future’ (R v Wong 1990, 43–44). The Court has also found that the state must seek prior judicial authorization before gathering privately held items of information which in isolation are seemingly innocuous but which cumulatively become personal (R v Eddy 1994).
15 The most significant counterbalance to privacy protections in the US and Canada is the freedom of expression guaranteed by the First Amendment to the US Constitution and by Section 2b of the Canadian Charter of Rights and Freedoms. This amendment and section have been interpreted as also protecting the people’s right to know information of public concern or interest, even if it encroaches on individual privacy to some extent (Raul et al, 269; Whalen v Roe, 600; Nixon v Administrators of General Services, 465; Alberta v United Food).
3. Central and South America
16 The connection between personal data protection and the right to access public documents is the factor that has most influenced Central and South American countries when interpreting personal data protection (Fuster 269). Working on the basis of German constitutional rights and CoE Convention 108, Brazil established the full constitutional right to the ‘habeas data’ individual complaint in its new Constitution in 1988 (Constitution of the Federative Republic of Brazil: 5 October 1988 (Braz), Art. 5; individual complaints procedures). This means individuals have the right to access files containing information about themselves and to rectify inaccurate data when these are of public character.
17 Following the Brazilian example, other Central and South American countries have also incorporated this right to their constitutions. Colombia, Paraguay, Peru, Argentina and Ecuador were the first to take similar actions between 1991 and 1996 (Constitution of the Republic of Paraguay: 20 June 1992 (Para), Political Constitution of the Republic of Peru: 31 October 1993 (Peru), Constitution of the Republic of Ecuador: 11 August 1998 (Ecuador)).
18 During its widespread implementation in different countries, the original habeas data right of the 1988 Brazilian Constitution was modified and enhanced in several ways (Constitution of the Bolivarian Republic of Venezuela: 15 December 1999 (Venez), Constitution of the Republic of Panama: 11 October 1972 (as Amended to 27 July 2004) (Pan)).
19 Despite these differences in the constitutional amendments, many courts have been active in interpreting the habeas data constitutional right (Supreme Tribunal Venezuela, Judgment No 1729, Constitutional Court of Colombia (Corte Constitucional de Colombia) Sentence No T-176/95, Sentence No C-1011/08). In particular higher courts in Venezuela and in Colombia have recognized its informational and self-determinative aspect beyond the traditional protection of the right to privacy and have formulated important data protection principles such as the principle of purpose (Supreme Tribunal Venezuela, Judgment No 1729). Constitutional jurisprudence has also established, in relation to personal data conservation, the concept of a right to oblivion and to the expiration of personal information (Constitutional Court of Colombia, Sentence No T-176/95). Courts have also acknowledged that law makers have the power to set limitations on the period for which personal data may be retained in databases and physical files (Constitutional Court of Colombia, Sentence No C-1011/08).
20 The South Korean Constitution protects privacy in general and the privacy of the home and communications in particular (Constitution of the Republic of Korea: 12 July 1948 (last Amended to 29 October 1987) (S Kor), Arts 17–18). The Constitution also affirms that rights and freedoms of citizens must not be neglected on the grounds that they are not stated in the Constitution itself (Art. 37(1)). In 2003, the Constitutional Court of Korea interpreted these provisions as protecting people from inappropriate accessing, abuse or misuse of their personal information (Mandatory Seatbelt). In 2005, the Court found that the governmental power to collect and keep a full set of fingerprints of all citizens aged 17 years or older and to use them for investigation purposes does not excessively violate the right to control personal information (‘Fingerprints’ Case). In 2012, the Court ruled that the statute requiring Internet users to use their real name online was unconstitutional because the public benefit achieved by providing the real names of individuals for online postings is not substantial enough to justify restrictions on individuals’ rights to free speech and privacy (Real Name Cases). It declared this to be a violation of the users’ right to self-determination of personal information (Park and Greenleaf 21). In several other cases, the Constitutional Court has ruled on specific issues involving personal information. These include the disclosure of diseases by public servants (‘Disclosure’ Case), the numbers of cases handled by lawyers (Report of the Number of Cases) and cases regarding the balance of personal data protection with freedom of speech (Information Publication Prohibition Case).
21 Taiwan’s Constitution does not provide an explicit right to privacy, although Art. 12 provides for the ‘freedom of privacy of correspondence’ (Constitution of the Republic of China (Taiwan): 25 December 1947 (as Amended to 10 June 2005) (Taiwan)). In 2004, the country’s Council of Grand Justices categorized the ‘freedom of self-control of personal information’ as one of the aspects of privacy which is protected. In 2005, the Council considered the constitutionality of compulsory fingerprinting for ID cards and provided extensive elaboration on the right of information privacy. In 2007 and 2011, the Council dealt again with issues of the self-control of personal information and in doing so cumulatively provided the most detailed and strongest protection of data privacy to be found in Asia (Greenleaf 2014, 170).
All of the people shall be respected as individuals. The right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs.
23 In regard to personal information databases and privacy, the Supreme Court of Japan (Saikō-Saibansho) held that the Jūki Net resident registration network (established to link up national and local government agencies in order to share some of the information in the online resident registries) does not infringe Art. 13 in the absence of the consent of individuals to be included in it. However, the Court confirmed the basis for the protection of privacy under Art. 13 and stated that, as one of their liberties in private life, every individual has the liberty of protecting their own personal information from being disclosed to a third party or being made public without good reason (Judgement Concerning the Relationship between the Act of an Administrative Organ to Collect, Manage or Use Identification Information of Inhabitants by Way of the Basic Resident Register Network, and Article 13 of the Constitution). In other decisions, the Supreme Court has found that the fingerprinting of foreigners involves privacy issues and has stated that individuals have a rational expectation that their voluntarily provided information concerning their personal lives would be adequately protected depending on their intention or consent (Judgment upon the Case Concerning whether Information on Names, Addresses, etc., of Students who Applied for Participation in a Lecture Meeting Held by a University Can Be Protected by Law). Although the Supreme Court has never referred to the right to control one’s own information (Umeda) or dealt explicitly with the question of informational self-determination, it has inherently provided the potential for Art. 13 to be used to guarantee protections for information privacy generally in its decisions (Greenleaf 2010, 4).
5. South Africa
24 In South Africa, the right to privacy has been enshrined in Section 14 of the Bill of Rights in the 1996 Constitution (Constitution of the Republic of South Africa: 11 October 1996 (S Afr)). This document breaks down the right into a non-exhaustive list of its facets and predominately deals with potential infringements by the State. Section 32 of the Constitution also provides for the right of access to personal information. In common law, the right to privacy is recognized as an independent right of personality (Universiteit van Pretoria v Tommie Meyer Films) by encompassing it within the concept of human dignity (Jansen Van Vuuren ao NNO v Kruger,849 ; O’Keeffe v Argus Printing and Publishing Co Ltd ao).
25 By and by, South African courts have started to fashion a concept of privacy that provides a remedy for the public disclosure of private facts, with the possibility of such disclosures amounting to a breach of ‘informational or data’ privacy (Jansen van Vuuren ao NNO v Kruger; Burchell 7). It was the initial view of the Constitutional Court of South Africa that although the breaching of informational privacy was not expressly mentioned in the Constitution, it is covered by the broad protection of the right to privacy (Mistry v Interim National Medical and Dental Council of South Africa ao, para. 14). The Constitutional Court also listed some general guidelines governing data protection (Mistry v Interim Medical, para. 23). In addition to this interpretation, a restrictive interpretation of privacy also continued to be held with the implication that the right to privacy relates only to the most personal aspects of a person’s existence and not to every aspect within their personal knowledge and experience (Bernstein ao v Bester NO ao, 789). This view has, however, provided grounds for criticism (South African Law Reform Commission 15). More recently, the Constitutional Court has moved away from the restrictive interpretation and holds that the right to privacy can be characterized as lying along a continuum whereby the more a person interrelates with the world, the more their right to privacy is attenuated (Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) Ltd). The right to informational privacy was interpreted as coming into play whenever an individual has the ability to decide what they wish to disclose to the public and whenever the expectation that such a decision will be respected is reasonable (Investigating Directorate: Serious Economic Offences ao v Hyundai Motor Distributors (Pty) Ltd; In re Hyundai Motor Distributors (Pty) Ltd v Smit NO, 557, para. 16). This right extends to those aspects of a person’s life in regard to which he or she has a legitimate expectation of privacy (Bernstein ao v Bester NO ao, 792; Protea Technology Ltd and Another v Wainer ao, 1241). This active control over personal information is therefore based on common law and the Constitutional Court’s recognition of the fact that the right to privacy encompasses the competence of a person to make decisions for themselves, to control the destiny of their private details and to determine the scope of their own interest in their own privacy (National Media Ltd and Another v Jooste, 271–272; Investigating Directorate: Serious Economic Offences ao v Hyundai Motor Distributors (Pty) Ltd; In re Hyundai Motor Distributors (Pty) Ltd v Smit NO, 557).
D. Comparative Description and Assessment
26 In the EU, the data protection regulatory framework has, alongside its objective of market integration, a fundamental rights character based on Art. 8 of the EU Charter and with EU secondary legislation determining its meaning (Linskey 47 et seq; subordinate / delegated / secondary legislation).
27 The EU’s approach to data protection provides a general and uniform protection based on the concept of the fundamental right to privacy whereby the state must intervene by taking on an active role in protecting individuals’ rights (Gregorio 312). In the EU, the understanding of data protection has evolved within the traditional understanding of privacy and has only recently been reinterpreted in response to the challenges posed by new technologies (Case C-131/12). Public and private actors generally fall under the same legislation (Art. 16 TFEU in conjunction with Art. 39 TEU and Declaration 21 of the Lisbon Treaty, Linskey 18–23). The enforcement of data protection regulation by independent national supervisory authorities occurs parallel to that by judicial authorities (Art. 16 TFEU, Art. 8 EU Charter). The complete independence of such national supervisory authorities, as defined by Art. 28 of the DPD, has been interpreted strictly by the CJEU (Case C-518/07, para 19, see also Case C-362/14). This court has stated that independent supervision is an essential component for the protection of individuals in regard to their personal data and that it derives from EU primary law (Case C-288/12, paras 47–48).
28 The EU General Data Protection Regulation (‘GDPR’) which entered into force in May 2016 aims to secure an even higher level of protection of personal data in all member states. It removes most references to privacy and refers primarily to the right to data protection. It is therefore applicable to a broader range of personal data processing activities and grants individuals more rights in relation to a broader range of data categories. Inter alia, the right to be forgotten (also right to erasure) is now codified in the Regulation (Art. 17 GDPR, Google Spain, para 93). This enhanced control of the data subject has both an instrumental function, exercised through the subjective rights granted to individuals in relation to controllers, and a conceptual function. This later function is exercised by identifying different forms of harm caused by personal data processing which limit individuals’ negative freedom, prevent them from presenting themselves freely to others and exacerbating the informational and power asymmetries between individuals and data controllers (Linskey 11 et seq).
29 By seeking the enactment of legislation which cannot be circumvented by private agreements due to its fundamental rights character, the EU has eschewed private law solutions for data protection (A29WP, 2). Nonetheless, the GDPR leaves ample latitude in the application of national laws. It will be left up to the national legal system of each member state to determine the procedural rules under which EU rights are protected subject to the requirement of effectiveness and equivalence. In addition, member states will be able to go beyond the provisions of the GDPR and add provisions regarding specific data processing situations (EDPS 9–10). This means that substantive data protection will remain elusive and there will be considerable latitude for different regulatory options. According to the evolution of data protection, the only similarity shared by all member states up to date is that they all have data protection laws which are linked somehow to rights regarded to be constitutional or rights of equivalent importance (Korff 5).Given the changing approach to data protection in the GDPR and the different constitutional traditions of the member states in regard to the constitutional status of data protection, it is not likely that data protection will be continued to be asserted solely as a support that is particular to the right to privacy in all member states as it has been interpreted by the CJEU once the GDPR comes into force in the member states (Fuster 156).
2. United States
30 In the US, the application of the Fourth Amendment is limited to those places, things, and actions in relation to which the individual has a ‘legitimate expectation of privacy’ and excludes information individuals voluntarily turn over to third parties. Although the Supreme Court has not yet overruled the Third Party Doctrine, it should be noted that other courts have recently endeavoured to scrutinize the broad exemption of voluntary transfer in light of the changing electronic and technological landscape (ACLU v Clapper). This has therefore become ‘an issue on which the Supreme Court’s jurisprudence is in some turmoil’ (ACLU v Clapper, 22). In addition, the Fourth Amendment has recently been applied in a judgment that has been interpreted as creating a potential ‘right to deletion’ of outdated data held by law enforcement agencies (United States v Ganias, 140).
31 The US data protection model essentially bases its approach around the concept of freedom as a protection against interference by the state in the life of individuals. This protection of liberty points more strongly towards an understanding of information privacy as a right of defence against state activities and less towards a right to access or rectification (Schwartz and Reidenberg 35). Compared to Europe, from its earliest stages, the development of this conceptualization has been increasingly driven forward by new technologies and therefore by the understanding of privacy generally as information privacy. Nonetheless, the US Supreme Court’s jurisprudence regarding the Fourth Amendment has failed to provide substantive protection to individuals against the governmental use of new technologies and has not kept pace with advances in technology (Weaver and Friedland 5). In contrast to the EU, there is no horizontal data protection legislation in the US, applicable to both public and private actors alike (Sotto and Simpson 191). The private sector is governed by a mixture of ad hoc legislative initiatives, industry self-regulation, and market forces (Reidenberg 730–1). There is also no supervisory authority and federal courts can only bring about a limited range of changes in conduct under the 1974 Privacy Act and have no powers to compel federal agencies to change their overall general practices (Schwartz and Reidenberg 100). Oversight by designated internal officials, by the Office of Management and Budget and by Congress has proven itself rather ineffective (Schwartz and Reidenberg 119). With privacy regulation in the private sector restricted to sensitive areas such as health care and banking and the idea of a supervisory authority for privacy issues being rejected, this field is to a large extent unregulated and lacks effective enforcement of rules (Newman 57–60). By limiting only governmental action, data protection is understood as informational seclusion and a right to be left alone (Schwartz und Reidenberg 37), thus resulting in an incomplete constitutional paradigm. Modern threats to data protection often come from private sources so that this constitutional approach might also refrains from the effective preservation and promotion of the individual’s capacity to make decisions freely about their data.
32 Although the Canadian Charter of Rights and Freedoms also forgoes stating a right to privacy, let alone a right to data protection, it contains a right similar to the US Constitution’s Fourth Amendment. Nonetheless, even the earliest interpretation of this right deviated from that found in the US. The Canadian Supreme Court did not subsume the concept of data protection into those of informational privacy and privacy generally. Instead it identified different facets of data protection whereby both informational and data aspects are taken into consideration. This enabled the Supreme Court to further refine these aspects and to interpret section 8 of the Charter as also protecting the right to information self-determination (R v Plant, para. 20) with an emphasis on individual autonomy being exercised through personal control of access to one’s person and information about one’s self (De Hert and Gutwirth 10, Fn. 39). In Canada’s case, concern about the manner in which personal information is handled by others goes beyond the concern that this represents a threat to liberty if data is mishandled by the public sector, or a threat to dignity if it is mishandled by the private sector (Levin and Nicholson 392). This is reflected in the constitutional context where the aim is instead to facilitate the preservation of autonomy and the control over one’s personal information.
4. Asia and Africa
33 Similarly, higher courts in several Asian countries, such as Taiwan, South Korea and Japan, where constitutions do not refer to data protection or to such aspects of privacy in an explicit manner, have used privacy or other fundamental rights to emphasize the aspects of self-control and self-determination as regards personal information. A similar interpretation process has taken place over a longer period in South Africa. Although the South African Constitution defines privacy, for a long time the courts here only took its informational aspects into consideration to the degree necessary to protect individuals from searches and seizures by the government. Step by step, this approach is nonetheless leading to an interpretation of data control derived from the self-determination of individuals. This tendency can also be observed in other African countries in which the informational aspects of privacy are established on a constitutional level. Art. 57 of the Egyptian Constitution (Constitution of the Arab Republic of Egypt: 18 January 2014 (Egypt)) provides for the protection of privacy and secrecy of different methods of communication. Constitutional principles concerning the individuals’ privacy have been interpreted to govern the collection, use and processing of personal data. Section 37 of the Constitution of the Federal Republic of Nigeria provides for the protection of the informational aspects of citizens’ privacy (Constitution of the Federal Republic of Nigeria: 29 May 1999 (Nigeria)).
5. Central and South America
34 Divergences between the US and EU forms of data protection served as the main source of inspiration for Central and South American countries when addressing the issue of data access by means of a constitutional remedy (Gakh 783). In comparison to the US model, the main difference is that in a large number of Latin American legal systems, data protection, or at least an aspect of this right, is enshrined in the countries’ constitutions. The main difference between the habeas data right and the European right to personal data protection is that although European countries were similarly concerned with the issue of automated data processing by public authorities to begin with, the European approach now encompasses more than just a subjective right to access data and to rectify it and also covers the obligations of data processors and the requirement of independent supervision. Compared to the European model, Latin America has no international treaty or supranational regional body of rules (in Mercosur or in the CAN) to regulate the protection of personal data or its transfer. Since 1999, several countries have enacted data protection laws to regulate the procedure of filing a habeas data application in detail (DLA Piper). The aspects of personal data protection in the Latin American constitutions range from the right to access data stored in public and (certain) private databases (eg Constitution of Argentine Nation: 23 August 1994 (Arg), Art. 43); the right to access data stored only in public databases (eg Political Constitution of the United Mexican States: 5 February 1917 (as Amended to 29 July 2010) (Mex), Art. 6); the right to know the purported use of data (eg Constitution of Argentina, Art. 43); the right to know and update information in data banks and in the records of public and private entities (eg Constitution of Colombia: 4 July 1991 (Colom), Art. 15); the right to request data amendments or corrections (eg Constitution of Mexico, Arts 6 and 16); the right to request data removal, deletion, destruction or cancellation; the right to require that data be treated with confidentiality (eg for both Constitution of Argentina, Art. 43); the right to oppose data disclosure, according to the law (eg Constitution of Mexico, Art. 6); the processing, circulation and collection of data (eg Constitution of Colombia, Art. 15), and the right to respect freedom and other guarantees approved in the Constitution by the gathering, handling and circulation of data (eg Constitution of Colombia, Art. 15). Of all Central and South American constitutions, however, only the Mexican Constitution sets forth the explicit right to personal data protection (Art. 16). However, with the exception of Argentina (PDL), no general data protection regulation existed for a long time in many countries (de Azevedo Cunha and Doneda 221). Recently, Latin-American legislations have moved towards the European data protection model in an effort to achieve frameworks with an appropriate level of protection from the European perspective and with a view to business based on the international transfer of data (Remolina 493). Increasingly, comprehensive data protection regimes are being established. In this context, standardization of data protection laws with clear and consistent rules is a matter of significant concern, especially for facilitating the development of Internet-based businesses (OAS 19–21; Rich et al 12).
35 At the time of writing, over 100 countries have adopted comprehensive data protection laws (Greenleaf 2013). Even in countries where data protection has no roots in constitutional or common law (eg Australia, India, China and Singapore), comprehensive statutory protection is now emerging. As its consequence, this trend might ultimately allow for the introduction of data protection regulation with greater emphasis on active control over data by individuals. This could be done while also allowing case law to determine data protection requirements in the contexts of constitutional law and fundamental rights and freedoms.
Brouwer, E, Digital Boarders and Real Rights: Effective Remedies for Third-Country Nationals in the Schengen Information System (Nijhoff 2008).
Burchell, J, ‘The Legal Protection of Privacy in South Africa: A Transplantable Hybrid’ (2009) 13 Electronic Journal of Comparative Law 1.
Chalton, S, ‘The Court of Appeal’s Interpretation of ‘Personal Data’ in Durant v FSA—a Welcome Clarification, or a Cat amongst the Data Protection Pigeons?’ (2004) 20 Computer Law & Security Review 175.
Chalton, S, ‘The Transposition into UK Law of EU Directive 95/46/EC (The Data Protection Directive)’ (1997) 11 International Review of Law 25.
De Azevedo Cunha, MV, and Doneda, D, ‘Privacy, Security and New Technologies: A Brazilian Approach to Privacy Issues in the Public Security Field’ in de Azevedo Cunha, MV, Nuno Gomes de Andrade, N, Lixinski, L, and Tomé Féteira, L, New Technologies and Human Rights. Challenges to Regulation (Ashgate 2013) 217.
De Hert, P, and Gutwirth, S, ‘Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutionalisation in Action’ in Gutwirth, S, Poullet, Y, De Hert, P, de Terwangne, C, and Nouwt, S, (eds), Reinventing Data Protection? (Springer 2009) 3.
DLA Piper, Data Protection Laws of the World, available at http://dlapiperdataprotection.com/#handbook/world-map-section/c1_PA (9 December 2016).
Fuster, GG, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014).
Gakh, M, ‘Argentina’s Protection of Personal Data: Initiation and Response’ (2006) 2 Journal of Law and Policy for the Information Society 781.
Greenleaf, G, ‘B.5-Japan’ in Korff, D, (ed.), Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments. Country Studies (2010).
Greenleaf, G, Data Privacy Laws in Asia (OUP 2014).
Greenlief, G, ‘Sheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories’ (2014) 23 Journal of Law, Information & Science, Special Edition: Privacy in the Social Networking World.
Gregorio, CG, ‘Protección de Datos Personales: Europa v Estados Unidos, todo un Dilema para América Latina’ in Concha Cantú, HA, López-Ayllón, S, and Tacher Epelstein, L, (eds), Transparentar al Estado: la Experiencia Mexicana de Acceso a la Información; sine Nomine et sine Loco (Universidad Nacional Autónoma de Méxiko 2004) 299.
Heil, H, ‘Directive 95/46/EC of the European Parliament and the Council’ in Büllesbach, A, Poullet, Y, and Prins, C, (eds), Concise European IT Law (Kluwer Law International 2010) 9.
Judge, EF, ‘Book Review of the Law of Privacy in Canada by B McIsaac, R & K Klein’ (2000) 32 Ottawa Law Review 311.
Korff, D, Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments, European Commission DG Justice, Freedom and Security, Working Paper No 2 (2010).
Levin, A, and Nicholson, MJ, ‘Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground’ (2005) 2 UOLTJ 357.
Linskey, O, The Foundations of EU Data Protection Law (OUP 2015).
Miller, AR, The Assault on Privacy (University of Michigan Press 1971).
Newman, AL, Protectors of Privacy: Regulating Personal Data in the Global Economy (Cornell University Press 2008).
Park, W, and Greenleaf, G, ‘Korea Rolls Back Real Name and ID Number Surveillance’ (2012) 119 Privacy Laws & Business International Report 20.
Poullet, Y, ‘Data Protection Legislation: What is at Stake for our Society and for Democracy?’ (2009) 25 Computer Law and Security Review 211.
Raul, AC, Manoranjan, TD, and Mohan, V, ‘United States’ in Raul, AC, (ed.), The Privacy, Data Protection and Cybersecurity Law Review (Law Business Research 2014) 268.
Reidenberg, J, ‘E-Commerce and Trans-Atlantic Privacy’ (2001) 38 Houston Law Review 717.
Remolina, N, ‘¿Tiene Colombia un Nivel Adecua Do de Protección de Datos Personales a la Luz del Estándar Europeo?’ (2010) 16 International Law, Revista Colombiana de Derecho Internacional 493.
Rich, C, Waldmann Agarwal, M, and Wugmeister, M, ‘Privacy in Latin America’ (2013) 12 Privacy and Security Law Report 12.
Rouvroy, A, and Poullet, R, ‘The Right to Informational Self-Determination’ in Guthwirth, S, (ed.), Reinventing Data Protection (Springer 2009) 45.
Schwartz, PM, and Reidenberg, JR, Data Privacy Law. A Study of United States Data Protection (Michie 1996).
Solove, DJ, The digital Person: Technology, and Privacy in the Information Age (NYU Press 2004).
Sotto, LJ, and Simpson, AP, ‘United States’ in Jay, RP, (ed.), Data Protection and Privacy in 26 Jurisdictions World Wide (Gideon Roberton 2014) 191.
Taylor, M, Genetic Data and the Law. A Critical Perspective on Privacy Protection (Cambridge 2012).
Umeda, S, ‘Online Privacy Law: Japan’ (2012) Library of Congress.
Warren, S, and Brandeis, L, ‘The Right to Privacy’ (1890) 4 HarvLRev 193.
Weaver, RL, and Friedland, SI, ‘Privacy and the Fourth Amendment’ in Dörr, D, and Weaver, RL, (eds), Perspectives on Privacy. Increasing Regulation in the USA, Canada, Australia and European Countries (De Gruyter 2014) 1.
Westin, AF, Privacy and Freedom (Atheneum 1967).
- Charter of Fundamental Rights of the European Union (done 7 December 2000, entered into force 1 December 2009) (2001) 40 ILM 266
- Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data’ (done 28 January 1981, entered into force 1 October 1985) CETS No 108
- Congressional Findings and Statement of Purpose, Privacy Act of 1974, 5 U.S.C. § 552a (1988)
- Consolidated Version of the Treaty in the Functioning of the European Union (2010) OJ C83/47
- Consolidated Version of the Treaty on European Union (2010) OJ C83/13
- European Commission ‘Communication on a Community Data-Processing Policy’ (1973) Policy SEC (73) 4300 final
- European Commission DG Justice, Freedom and Security ‘Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, Opinion 1/98’ (16 June 1998) XV D/5032/98 WP 11
- European Commission Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (A29WP), ‘Opinion 1/98, Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS)’ (16 June 1998)
- European Data Protection Supervisor ‘Opinion of the European Data Protection Supervisor on the Data Protection Reform Package’ (2012)
- European Parliament and Council of the European Union ‘Directive 95/45/EC of the European Parliament and of the Council of 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (DPD)’  OJ L281/31
- European Parliament and Council of the European Union ‘Proposal C7–0025/2012 of the European Parliament and of the Council of 15 December 2015 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation, GDPR)’ (first reading)  OJ L8/2001
- OAS Committee on Juridical and Political Affairs ‘Draft Preliminary Principles and Recommendations on Data Protection’ (19 November 2010) CP/CAJP-2921/10
- South African Law Reform Commission ‘Privacy and Data Protection’ Discussion Paper 109, Project 124 (2005)
- Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European Community (signed 13 December 2007, entered into force 1 December 2009)  OJ C306
- A und B AG v Tamedia AG, 20 Minuten AG und Espace Media AG (6 May 2015) BGer 5A_658/2014 (Switz)
- ACLU v Clapper  No 14–42 (US)
- Bank X AG v AY und BY (17 April 2012) DFC 138 II 425 (Switz).
- Bernstein ao v Bester NO ao  CCT23/95 (S Afr)
- Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos and Mario Costejo González  OJ C212/4
- Case C-288/12 European Commission v Hungary  OJ C175/6
- Case C-362/14 Maximillian Schrems v Data Protection Commissioner (6 October 2015)
- Case C-518/07 Commission v Germany (15 July 2010) ECR I-1885
- Collecting and Computerizing Fingerprints and Using them for Investigation Purposes Case  17–1 KCCR 668, 99Hun-Ma513 and 2004Hun-Ma190 (consolidated) (S Kor)
- Council of Grand Justices, Are the Relevant Provisions of Article 8-II and III of the Household Registration Act, Stating to the Effect that the New ROC Identity Card Will Not Be Issued Without the Applicant Being Fingerprinted, Unconstitutional?  JY Interpretation NO-603 TWCC 16 (Taiwan)
- Council of Grand Justices, Does Article 89, Paragraph 2 of the Social Order Maintenance Act Restricting the Act of Stalking by a Journalist Violate the Constitution? (29 July 2011) JY Interpretation NO-689 (Taiwan)
- Council of Grand Justices, Has the Legislative Yuan, by Enacting the Act of the Special Commission on the Investigation of the Truth in Respect of the 319 Shooting, Gone Beyond the Scope of its Legislative Authorities? Are Any of the Relevant Provisions Contained therein Unconstitutional?  JY Interpretation NO-585TWCC 15 (Taiwan)
- Council of Grand Justices, Is Article 5-II of the Communication Protection and Monitoring Law, Promulgated and Implemented on 14 July 1999, Unconstitutional? (20 July 2007) JY Interpretation No-631 (Taiwan)
- Disclosure of Military Health Records of Public Officials Cases  2005 Hun-Ma 1139 KRCC 4 (31 May 2007) (S Kor).
- Douglas v Hello!  QB 967 (UK)
- Griswold v Connecticut 318 (1965) US 479 (US)
- Information and Privacy Commissioner Alberta v United Food and Commercial Workers, Local  401 3 SCR 733 (Can)
- Information Publication Prohibition Case (2 September 2011) 2008Da42430 (S Kor)
- Investigating Directorate: Serious Economic Offences ao v Hyundai Motor Distributors (Pty) Ltd ao In re: Hyundai Motor Distributors (Pty) Ltd ao v Smit NO ao  CCT1/00 (S Afr)
- Jansen Van Vuuren ao NNO v Kruger  (4) SA 842 (A) (S Afr)
- Judgement Concerning the Relationship between the Act of an Administrative Organ to Collect, Manage or Use Identification Information of Inhabitants by Way of the Basic Resident Register Network, and Article 13 of the Constitution  SCt O No 403 Ju No 454 Minshū Vol 62 No 3 (Japan)
- Judgment No 1729, Supreme Tribunal of Justice of Venezuela (6 October 2006) No de Expediente 06–0984 (Venez)
- Judgment upon the Case Concerning whether Information on Names, Addresses, etc., of Students who Applied for Participation in a Lecture Meeting Held by a University Can Be Protected by Law  JPSC 36 Minshu Vol 57 No 8 at 973 (Japan)
- Katz v United States  389 US 347 (US)
- Logistep (8 September 2010) DFC 136 II 508 (Switz)
- Loi Portant Création d’une Couverture Maladie Universelle (23 July 1999) Décision No 99–416 DC (Fr)
- Mandatory Seatbelt  15–2(B) KCCR 185 (S Kor)
- McKennitt v Ash  QB 73 (UK)
- Mistry v Interim Medical and Dental Council of South Africa ao  CCT13/97 (29 May 1998) (S Afr)
- National Media Ltd ao v Jooste (26 March 1996) (3) SA 262 SCA (S Afr)
- Nixon v Administrators of General Services  433 US 425 (US)
- O’Keeffe v Argus Printing and Publishing Co Ltd ao  (3) SA 244 (C) (S Afr)
- Olmstead v United States  277 US 438 (US)
- Population Census Decision 1 BvR 209/83 (15 December 1983) BVerfG 65, 1 (Ger)
- Protea Technology Ltd v Wainer ao  (9) BCLR 1225 (W) (S Afr)
- R v Duarte  1 SCR 30 (Can)
- R v Dyment  2 SCR 417 (Can)
- R v Eddy  NJ No 142, 119 Nfld & PEIR 91 (SCDT) (Can)
- R v Edwards  1 SCR 128 (Can)
- R v Plant  3 SCR 281 (Can)
- R v TELUS Communications Co  2 SCR 3 (Can)
- R v Weir  ABQB 56 (CanLII), 2001 ABCA 181 (CanLII) (Can)
- R v Wong  3 SCR 36 (Can)
- Real Name Cases (23 August 2012) 2010Hun-Ma47 (S Kor)
- Report of the Number of Cases Accepted and the Amount of Case Acceptance by Attorneys Case  2007 Hun-Ma667 KRCC 26 (S Kor)
- Sentence No T-176/95 (24 April 1995) Expediente T-58238 CC (Colom)
- Sentence No T-307/99 (5 May 1999) Expediente T-187958 CC (Colom)
- Sentence No T-729/02 (5 September 2002) Expediente T-467467 CC (Colom)
- Sentence No C-1011/08 Colombia (16 October 2008) Expediente PE-029 CC (Colom)
- Smith v Maryland  442 US 735 (US)
- Street View (31 May 2012) DFC 138 II 346 (Switz)
- TdG-Urteil (14 January 2013) BGer 5A_792/2011 (Switz)
- United States Foreign Intelligence Surveillance Court of Review  Case No. 08–01 Retrieved 15 July (US)
- United States v Ganias  No 12–240 (US)
- United States v Miller  425 US 435 (US)
- United States v Verdugo-Urquides  494 US 1092 (US)
- Universiteit van Pretoria v Tommie Meyer Films (Edms)  Case No 437/2010 ZASCA (S Afr).
- Whalen v Roe  429 US 589 (US)
- Act LXIII of 1992 on the Protection of Personal Data and Public Access to Data of Public Interest (Art. 1(1) /1992) (Hung)
- Canadian Charter of Rights and Freedoms (S 2 Part I of the Constitution Act 1982, Being Schedule B to the Canada Act 1982 (UK) c11) (Can)
- Data Act Given in the Palace of Stockholm (SFS 1973: 289 /1973) (Swed)
- Data Protection Act (C 35 /1984) (UK)
- Data Protection Act of Argentina (Law 25, 326 (‘PDPL’) and Regulation Decree 1558/2001) (Arg)
- Federal Act Concerning the Protection of Personal Data (BGBl. No 565/1978) (Austria)
- Federal Act Concerning the Protection of Personal Data 2000 (Art. 1(1)) (Austria)
- Gesetz zur Änderung des Bundesdatenschutzgesetzes und anderer Gesetze (BGBl. I S 904 /2001) (Ger)
- Law on Computers, Files and Freedoms (Loi No 78–17) (Fr)
- Law on Legal Protection of Personal Data (No IX-1296, Art. 1 /2003) (Lith)
- Law on Protection against the Misuse of Personal Data in Data Processing (BGBl 1 S 201 /1977) (Ger)
- Law on the Protection of Data with Personal Character (LOPD) (BOE No 298 /1999) (Spain)
- Law on the Protection of Personal Data (Lei No 67/98, Art. 2) (Port)
- Personal Data Act (No 1998: 204 /1998) (Swed)
- Personal Data Protection Act (ZVOP, Url RS No 55/99, Art. 1) (Slovn)
- Privacy Act (5 USC § 552a /1974) (US)