Paul-André Comeau, Visiting professor
École nationale d'administration publique
paul-andre.comeau@enap.ca

The protection of personal data and information refers to both the legal framework and the mechanisms designed to ensure respect for an aspect of human rights (Oble-Laffaire, 2005) or to encourage the free exchange of goods, products and data (Simitis, 1995, pp. 446-7; Poullet et al., 2009). The protection of personal information is often paired with the right to privacy, which covers broader sectors of private life.

Laws and measures intended to ensure the protection of personal information and privacy appeared in the wake of a two-pronged movement in certain Western nations and international organizations. On the one hand, there was a reaction to the ever-growing intrusion of the state in numerous areas of daily life.[1] The U.S.A. was the first nation to enact legislation in this respect; the Privacy Act was passed in 1974 (U.S.A., 1974). In the same period, concern arose about the increasing power of the early supercomputers, which, it was feared, might eventually be capable of exerting absolute control over people, in the manner of Big Brother. In response to this concern, the land (State) of Hesse, West Germany, passed the first law to protect personal information. Similar laws followed in other Western European countries, Canada and Quebec (Flaherty, 1989).

More or less concomitantly, two international organizations, the OECD and the Council of Europe, studied the question of protecting personal information and produced fundamental documents that have exerted a major influence in the field. On the one hand, the OECD developed guidelines for the protection of privacy and transborder flows of personal data (OECD, 1980); on the other hand, nearly all the members of the Council of Europe ratified a binding convention that established basic principles for protecting people's rights with respect to the production, automatic processing and use of personal data (Council of Europe, 1981). In 1995, the European Union broadened the scope of its member states' laws by issuing instructions making the transfer of personal data from and to Europe subject to strict conditions (European Union, 1995). This was an initial step towards internationalizing the protection of personal information.

With the fall of the Berlin Wall and the disintegration of the USSR, the protection of personal information gained new status, becoming a prerequisite for a nation to be recognized as respecting the rule of law. The adoption of a privacy protection regime, one of the Copenhagen criteria established by the European Union as a condition to be met by the former “people's democracies” seeking membership, has now been legislated in some 90 nations, as well as in numerous federated states and even in municipal governments.

The notion of personal information is relatively simple. It designates all the terms, data, symbols and other elements that make it possible to identify an individual and distinguish this person from any other. Photographs and the many identifiers used particularly in the realm of social security are examples of personal information, to name the most obvious ones. Certain privacy laws target sensitive information (religious affiliation, health records, union membership, ideological beliefs, etc.) and spell out a series of specific precautions to be respected in this regard.

In some cases, the initial legislation covered only the public sector. Quite soon, however, these laws were extended to the private sector, as it too began to produce, use and store vast amounts of personal information.

Such laws are intended to ensure that personal information is processed correctly at various stages throughout its life cycle. They regulate the production, collection, use, storage, flow and eventual destruction of personal information. These provisions are fundamentally based on the “principle of purpose,” according to which any personal information collected must correspond to a precisely articulated objective and that objective only. A protection regime also guarantees that citizens have the right to inspect information collated or stored with respect to themselves and that this right of access is accompanied by provisions allowing for the correction of incomplete or erroneous data.

The passage of these laws has been accompanied in almost every country – with the notable exception of the U.S.A. – by the creation of watchdog organizations (Holder and Grimes, 2007). These organizations or independent agencies are entrusted with the goal of ensuring that the principles established by the legislature are complied with and that citizens have the right of access to their person information. Such organizations may take action at every stage of data processing (McCullagh, 2009). Some act in a consultant role, while others have binding powers. In 1982, the Quebec government enacted innovative legislation by combining its protection of personal information regime with its access to information regime and placing both under the control of a single oversight agency. This precedent became widely accepted and several nations have adopted the model as their own (Comeau and Couture, 2003).

At present, personal information protection regimes are confronted with two main problems. The first has to do with the fact that security concerns often take precedence over individual rights, to the detriment of the latter. The events of September 11, 2001 (Nelson, 2001) led to a series of reactions constituting an erosion of citizens' privacy rights (Martin and Rabina, 2009). Originating in the U.S.A. but soon influencing almost every nation, this trend has coincided with the dizzying transformation of information technologies (Francou, Nepote and Kaplan, 2010), which highlights the second type of problem. Quite apart from instruments and tools, it is now necessary to take into account technological configurations for which national borders are meaningless (Gunasekara, 2007). The use of remote servers for data processing and the online integration of various components to carry out multiple and complex operations (an approximate description of cloud computing) today raise major new questions (Poullet et al., 2010). These technological advances represent a challenge for the traditional means used by citizens to protect personal information. Likewise, the rapid growth of social networks like Facebook has significantly changed the very notion of privacy.

In reaction to recent undertakings by Google, which has developed into a major world player, some dozen data protection and privacy commissioners issued a joint warning that caught the attention of the planet's media (Office of the Privacy Commissioner of Canada, 2010). This joint approach is part of the project launched over 30 years ago by those holding this office (31st International Conference of Data Protection and Privacy Commissioners, 2009).

Bibliography

31st International Conference of Data Protection and Privacy Commissionners (2009). Web Site, www.privacyconference2009.org/home/index-iden-idweb.html (last retrieved in May 2010).

Comeau, P.-A. and M. Couture (2003). “Accès à l'information et protection des renseignements personnels : le précédent québécois,” Canadian Public Administration, vol. 46, no. 3, pp. 364-389.

Cooley, T. M. (1888). A Treatise on the Law of Torts, or, the Wrongs which Arise Independent of Contract, 2nd ed., Chicago, Callaghan.

Commission for the Protection of Privacy (2010). Article 29 Data Protection Working Party, www.privacycommission.be/en/international/article-29/index.html (last retrieved in May 2010).

Conseil de l'Europe (1981). Convention pour la protection des données à caractère personnel, Strasbourg, STE no. 108.

Electronic Privacy Information Center (n.d.). Web Site, www.epic.org (last retrieved in May 2010).

Flaherty, D. H. (1989). Protecting Privacy in Surveillance Societies: the Federal Republic of Germany, Sweden, France, Canada, and the United States, Chapel Hill, University of North Carolina Press.

Francou, R., C. Nepote and D. Kaplan (2010). Informatique, libertés, identités, Paris, FYP Éditions.

Gunasekara, G. (2007). “The ‘Final' Privacy Frontier? Regulating Trans-Border Data Flows,” International Journal of Law and Information Technology, vol. 17, no. 2, pp. 1-33.

Holder, J. T. and D. E. Grimes (2007). “Government Regulated Data Privacy: The Challenge for Global Outsourcers”, Georgetown Journal of International Law, vol. 38, no. 3, pp. 695-711.

Martin, S. and D. Rabina (2009). “National Security, Individual Privacy and Public Access to Government-Held Information: The Need for Changing Perspectives in a Global Environment,” Information and Communications Technology Law, vol. 18, no. 1, pp. 13-18.

McCullagh, K. (2009). “Protecting ‘Privacy' through Control of ‘Personal' Data Processing: A Flawed Approach,” International Review of Law, Computers and Technology, vol. 23, no. 2, pp. 13-24.

Nelson, L. (2004). “Privacy and Technology: Reconsidering a Crucial Public Policy Debate in the Post-September 11 Era,” Public Administration Review, vol. 64, no. 3, pp. 259-269.

Oble-Laffaire, M. L. (2005). Protection des données à caractère personnel, Paris, Éditions d'Organisation.

OECD (2000). OECD Privacy Statement Generator, www.oecd.org/document/42/0,3746,en_2649_34255_28863271_1_1_1_1,00.html (last retrieved
in May 2010).

OECD (1980). OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Paris, OECD.

Office of the Privacy Commissioner of Canada (2010). Letter to Google Inc. Chief Executive Officer, www.priv.gc.ca/media/nr-c/2010/let_100420_e.cfm (last retrieved in May 2010).

Poullet, Y. et al. (2010). Cloud Computing and its Implications on Data Protection, Namur, CRID.

Poullet, Y. et al. (2009). L'opposition entre la protection de la vie privée et les intérêts économiques: dans quelle pièce joue-t-on?, Dordrecht, Springer Science.

Privacy International (n.d.). Web Site, www.privacyinternational.org (last retrieved in May 2010).

Simitis, S. (1995). “From the Market to the Polls: The EU Directive on the Protection of Personal Data,” Iowa Law Review, vol. 80, no. 3, pp. 445-470.

Tabatoni, P. (ed.) (2000). La protection de la vie privée dans la société d'information, tome 2 : L'impact des systèmes électroniques d'information, Paris, Presses universitaires de France.

Europa (1995). European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://europa.eu/legislation_summaries/information_society/l14012_en.htm (last retrieved in
May 2010).

Department of Justice (1974). Privacy Act of 1974, 5 U.S.C. 552(a), www.justice.gov/opcl/privstat.htm (last retrieved in May 2010).

Warren, S. D. and L. D. Brandeis (1890). “The Right to Privacy,” Harvard Law Review, vol. 4, no. 5, pp. 193.