3C.5 Privacy



There is no clear definition of what constitutes privacy or the legal right to privacy. What constitutes data protection can be more readily answered by the circular device of saying that it is the application of privacy principles to the collection, retention, use and disclosure of information about individual human beings, especially in a computerized environment. (Regan, p. 134)

One commentator proposes the equation of the notion of "privacy" with that of "control of personal information," arguing that

"placing control of information at the heart of our deliberations about privacy achieves what the orthodox analysis has conspicuously failed to do: it postulates a presumptive entitlement accorded to all individuals that their personal data may be collected only lawfully or fairly and that once obtained, may not be used, in the absence of the individual's consent, for a purpose other than that for which it was originally given." (Wacks, p. 4)

European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data of October 1995 ("the data protection directive") notes in its preamble the dual purpose of ensuring that personal data should be able to flow freely from one EU member state to another, but also that the fundamental rights of individuals, notably the right to privacy, must be safeguarded. These fundamental rights are recognized in the constitution and laws of member states and in the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). Article 8(1) of the ECHR provides that "everyone has the right to respect for his private and family life, his home and his correspondence".

Article 5 of the data protection directive sets out strict principles relating to data quality, requiring that data must be:

  1. processed fairly and lawfully;

  2. collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that member states provide appropriate safeguards;

  3. adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member states shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

Article 5 further sets out binding criteria for making data processing legitimate, requiring EU member states to provide that personal data may be processed only if:

  1. the data subject [i.e. the identifiable person to whom the information relates] has unambiguously given his consent; or

  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

  3. processing is necessary for compliance with a legal obligation to which the controller [i.e. the legal person who determines the purposes and means of processing the data] is subject; or

  4. processing is necessary in order to protect the vital interests of the data subject; or

  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1).

Article 25 of the data protection directive governs principles concerning the transfer of data to third countries, that is, to non-EU member states. Such transfers of data may only take place if the third country "ensures an adequate level of protection". Where third countries do not ensure an adequate level of protection, member states are required to take all measures necessary to prevent the transfer of data to that country. Article 25(2) provides that:

the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

Clearly, these provisions may create a barrier to, say, the sharing of information by law enforcement agencies within and outside of the EU.

Notably, in response to the September 11 terrorist attacks on the United States in 2001, there have been significant efforts in Europe to give state agencies greater access to data relating to personal communications, including telephone records and Internet usage. These efforts have encountered strong opposition because of concerns over invasion of privacy. Although legislation such as the UK Regulation of Investigatory Powers Act 2000 (RIPA) and the Data Protection Act 1992 in Ireland permits authorities to access personal data under certain circumstances, proposed anti-terrorist legislation could require communication service providers to retain usage records for longer periods of time and give more agencies access to this data.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
