Most of the advanced industrial nations of Western Europe and North America share concerns about the social impact of computer-based personal data systems. Although there are minor differences in the focus and intensity of their concerns, it is clear that there is nothing peculiarly American about the feeling that the struggle of individual versus computer is a fixed feature of modern life. The discussions that have taken place in most of the industrial nations revolve around themes that are familiar to American students of the problem: loss of individuality, loss of control over information, the possibility of linking data banks to create dossiers, rigid decision making by powerful, centralized bureaucracies. Even though there is little evidence that any of these adverse social effects of computer-based record keeping have occurred on a noticeable scale, they have been discussed seriously since the late sixties, and the discussions have prompted official action by many governments as well as by international organizations.
Concern about the effects of computer-based record keeping on personal privacy appears to be related to some common characteristics of life in industrialized societies. In the first place, industrial societies are urban societies. The social milieu of the village that allowed for the exchange of personal information through face-to-face relationships has been replaced by the comparative impersonality of urban living. Industrial society also demands a much more pervasive administration of governmental activities-the collection of taxes, health insurance, social security, employment services, education-many of which collect and use personal data in an impersonal way. Nor should we overlook the increasing uniformity of industrial societies fostered by mass communications media so efficient that few issues of genuine interest and importance fail to achieve near-global extent.
Concern about the effects of computer-based record keeping appears to have deep roots in the public opinion of each country, deeper roots than could exist if the issues were manufactured and merchandised by a coterie of specialists, or reflected only the views of a self-sustaining group of professional Cassandras. The fragility of computer-based systems may account for some of the concern. It is not necessary for public opinion to be unanimously opposed to the computerization of personal-data record keeping, or even actively mistrustful of it, to destroy the effectiveness of a record-keeping operation. The active opposition of even a few percent of those whom a system means to serve can cripple the powerful, but fragile, mechanism of a highly automated system.
Nor is it necessary for this opposition to be manifested in physical sabotage of the computer itself (although that has happened); it is enough merely to withhold cooperation. There are few computer systems designed to deal with the disruption that deliberately lost or mutilated punched cards in a billing system-to give a simple example-would cause. Thus, the very vulnerability of automated personal data systems, systems without which no modern society could function, may make careful attention to the human element transcend national boundaries.
The Response in Individual Nations
On October 7, 1970, the West German State of Hesse adopted the world's first legislative act directed specifically toward regulating automated data processing. This "Data Protection Act" applies to the official files of the government of Hesse; wholly private files are specifically exempted from control. The Act established a Data Protection Commissioner under the authority of the State parliament whose duty it is to assure that the State's files are obtained, transmitted, and stored in such a way that they cannot be altered, examined, or destroyed by unauthorized persons. The Commissioner is also explicitly responsible for observing the effects of automated data processing on the operations of the State government, and on its decision-making powers. He must take particular note of whether computerization leads to any displacement in the distribution of powers among the governmental bodies of the State.
Thus, the Data Protection Act of Hesse seems designed more to protect the integrity of State data and State government than to protect the interests of the people of the State. As a pioneer statute in the field of computer law, however, its exact practical effects could scarcely have been predicted, and in no way diminish its usefulness as a guide for other jurisdictions that can learn from the Hesse experience.
To judge from the second annual report of the Data Protection Commissioner, that experience has been one of mild philosophical frustration, punctuated by occasional practical victories.1 In one instance, the Commissioner learned of the existence of a computer in a university clinic only through a newspaper account of a fire; in another the Commissioner successfully blocked the release of criminal records to a private research center.
Based on the experience of Hesse, the States of Rheinland-Pfalz and Hamburg have passed similar acts, and the States of Baden Wiirttemberg, Schleswig-Holstein, Bavaria, and Lower Saxony have adopted slightly more circumscribed laws or regulations. At the Federal level, the Bundestag has considered a number of proposals for national laws of wider scope than any of the present State laws, but the estimated costs to data holders of complying with the proposed requirements for mandatory disclosure of data have thus far raised enough objections to cause the Bundestag to reconsider those requirements. It seems likely, however, that some version of a relatively strong law will be passed during 1973.
When strong opposition to the 1969 census erupted in Sweden, public mistrust centered not so much on the familiar features of the census itself as on the fact that, for the first time, much of the data gathering would be done in a form specifically designed to facilitate automated data processing. Impressed by the possibility that opposition might be so severe as to invalidate the entire census, the government added the task of studying the problems of computerized record keeping to the work of an official commission already studying policies with respect to the confidentiality of official records.
After a notably thorough survey of personal data holdings in both public and private systems, the commission issued a report containing draft legislation for a comprehensive statute for the regulation of computer-based personal data systems in Sweden.2 The aim of the act is specifically the protection of personal privacy. Its key provisions are these:
- Establishment of an independent "Data Inspectorate," charged with the responsibility for executing and enforcing the provisions of the Data Law.
- No automated data system containing personal data may be set up without a license from the Data Inspectorate.
- Data subjects have the right to be informed about all uses made of the data about them, and no new use of the data may be made without the consent of the subject.
- Data subjects have the right of access without charge to all data about them, and if the data are found to be incorrect, incomplete, or otherwise faulty, they must either be corrected to the subject's satisfaction, or a statement of rebuttal from the subject must be filed along with the data.
- The Data Inspectorate will act as ombudsman in all matters regarding automated personal data systems.
The Data Law has been passed by the Swedish Parliament and will become effective on July 1, 1973. A transition period of one year will be allowed to implement all the provisions of the law.
Article 9 of the French Civil Code states plainly, "Everyone has the right to have his private life respected." 3 As legal scholars in all countries have noted, however, it is very difficult to define the precise limits of privacy in every case that comes before a court, and in spite of such explicit protection, the privacy of the French, both inside and outside of automated personal data systems, seems in practice no better defended than that of most other people.
Although concern about the issue of "computers and privacy" has frequently surfaced in the French press4 and in data-processing periodicals,5 public interest in the subject is not deeply engaged. One bill has been introduced in Parliament, but was withdrawn pending completion of a study jointly sponsored by the Department of Justice and the Delegue L'Informatique. An earlier study by the staff of the Conseil d'Etat seems to have influenced the proposed bill, but the legal and administrative implications of many of the features of the proposal appear never to have been carefully developed.6
One other development on the French scene deserves mention. The 1972 annual report of the Supreme Court of Appeals went considerably out of its way, after reviewing a case of literary invasion of privacy, to comment on the subject of computers and privacy:
… The progress of automation burdens society in each country with the menace of a computer which would centralize the information that each individual is obliged to furnish in the course of his life to the civil authorities, to his employer, his banker, his insurance company, to Internal Revenue, to Social Security, to the census, to university administrations, and, in addition, the data, correct or not, which is received about him by the various services of the police. When one thinks about the uses that might be made of that mass of data by the public powers, of the indiscretions of which that data might be the origin, and of the errors of which the subjects might be the victims, one becomes aware that there lies a very important problem, not only for the private life of everyone, but even for his very liberty.
It appears to us that this eventuality, an extremely probable one, ought to be made the object of consideration of the public power, . . .and that this consideration should take its place among the measures of precaution and of safeguard which should not lack for attention.7
To sum up, the situation in France is complex. The subject of computers and privacy has been given serious attention by a relatively small group of experts, but that group has an influence in government far out of proportion to its numbers. The attitude of the present government is strongly colored by another aspect of the privacy problem: It has been caught in a wiretap scandal, and its defensiveness in that regard appears to be influencing its actions on the computer front. The official report of the present working group is due before the end of 1973, but it does not seem realistic to expect that there will be any definitive action in France before, perhaps, mid-1974.
Britain is unique among the countries reviewed in having recently completed a thorough study of the entire subject of privacy.8 Although the committee in charge of the study, the Younger Committee, was restricted in its terms of reference to private, rather than public, organizations that might threaten privacy, the committee's report is a model of clarity and concern. In brief, the Committee found that both the customs of society and the Common law had evolved defenses against the traditional intrusions of nosey neighbors, unwelcome visitors, door-to-door salesmen, and the like. Against the new threats of technological intrusions-wiretaps, surveillance cameras, and, of course, computerized data banks-the Committee recognized that the traditional defenses are inadequate. To help deal with the threat of the computer, the Committee recommended specific safeguards to be applied to automated personal data systems, although it left the method of application up to the government to decide. The main features of the safeguards are:
- Information should be regarded as held for a specific purpose and not to be used, without appropriate authorization, for other purposes
- Access to information should be confined to those authorized to have it for the purpose for which it was supplied.
- The amount of information collected and held should be the minimum necessary for the achievement of the specified purpose.
- In computerized systems handling information for statistical purposes, adequate provision should be made in their design and programs for separating identities from the rest of the data.
- There should be arrangements whereby the subject could be told about the information held concerning him.
- The level of security to be achieved by a system should be specified in advance by the user and should include precautions against the deliberate abuse or misuse of information.
- A monitoring system should be provided to facilitate the detection of any violation of the security system.
- In the design of information systems, periods should be specified beyond which the information should not be retained.
- Data held should be accurate. There should be machinery for the correction of inaccuracy and the updating of information.
- Care should betaken in coding value judgments.9
The Younger Committee also considered proposing specific legislation for automated personal data systems, based upon draft bills that had been submitted to Parliament before the Committee was formed. After concluding that the proposed laws were too constraining to be justified by the level of threat as the Committee saw it, the Committee reserved the option to recommend legislation at a later date, and confined its present recommendation to urging that the data-processing industry voluntarily adopt the safeguards as a code of good practice. This has now been accomplished in the form of a professional code adopted by the British Computer Society.10 Although only about one third of the computer professionals in Britain belong to the Society, those who do belong are, by and large, in a position to enforce the provisions of the code. Further regulation appears to be in the early stages of Parliamentary debate, and it is likely only a question of time until safeguards with the full effect of law will be in force in Britain.
In, April 1971 the Departments of Communications and Justice jointly established a Task Force on Privacy and Computers, growing out of earlier work in the Department of Communications on issues concerning the use of computers in communications. The Task Force was given broad terms of reference to consider the rights and values of the individual that cluster about the notion of privacy, and to examine present and foreseeable effects on those rights and values of computerized information systems containing personal data about identifiable individuals.
The Task Force began by carrying out a thorough survey of the status of personal data files in Canada and of the attitudes of Canadians about those files and their uses. It found that there was much more interchange of data among systems than the public realizes, that there are more inaccuracies in the files than generally realized, but that few individuals had actually experienced any intrusion on their personal privacy through either use or misuse of computers.
In its report, published in late 1972,11 the Canadian Task Force concluded that computer invasion of privacy is still far short of posing a social crisis. However, the rapidly rising volume of computerized personal data and the equally rapidly rising public expectation of a right to deeper and more secure privacy threaten to converge at the crisis level. To forestall that crisis, the Task Force recommends that a commissioner or ombudsman be established in a suitable administrative setting, that carefully prepared test cases on cogent issues be brought before the courts, and that the operation of government data systems be made to serve as a national model.
British Computer Society. Privacy and the Computer-Steps to Practicality. London: British Computer Society, 1972.
Canada. Department of Communication/Department of Justice. Task Force on Privacy and Computers. Privacy and Computers. Ottawa: Information Canada,1972.
Ditchley Foundation. Private Rights and Freedom of the Individual. Ditchley Paper No. 41. Ditchley Park, Emstone, Oxfordshire, England: The Ditchley Foundation, 1972.
Federal Republic of Germany. Hesse State Parliament. Data Protection Commissioner. First Activity Report. (Document 7/1495) 1972. Second Activity Report. (Document 7/3137)1973.
France. Conseil d'Etat. Rapport annuel 1969-1970. Troisième partie: Réformes d órdre législatif, reglementaire ou administratif. Deuxieme etude: Les consequences du développement de l'informatique sur les libertés publiques et privées et sur les décisions administmtives.
Great Britain. Home Office. Report of the Committee on Privacy. Rt. Hon. Kenneth Younger, Chairman. London: H. M. Stationery Office, 1972.
International Commission of Jurists. "The Protection of Privacy." International Social Science Journal, 24:3 (1972).
Justice. (British Section of the International Commission of Jurists.) Privacy and the Law. Mark Littman and Peter Carter-Ruck, Chairmen. London: Stevens & Sons Limited, 1970.
Lenk, Klaus. Automated Information in Public Administration-Present Developments and Impact. Document DAS/SPR/72.18. Paris: Organisation for Economic Cooperation and Development, 1972.
Niblett, G. B. F. Digital Information and the Privacy Problem. OECD Informatics Studies, No. 2. Paris: Organisation for Economic Cooperation and Development, 1971.
Pipe, Russell. Data Base Developments and International Dimensions. Document DAS/SPR/72.20. Pads: Organisation for Economic Cooperation and Development, 1972.
Rowe, B. C., ed. Privacy, Computers and You. Manchester, England: The National Computing Centre Limited, 1972.
Rule, James B. Private Lives and Public Survillance. London: Allen Lane, 1973.
Samuelsen, Erik. Statlige databanker og personlighets vern (Public Data-Banks and the Defense of Privacy). Oslo: Universitets Forlaget, 1972.
Stromholm, Stig. Right of Privacy and Rights of The Personality: A Comparative Survey. Working paper prepared. for the Nordic Conference on Privacy organized by the International Commission of Jurists, Stockholm, May 1967. Stockholm: P. A. Norstedt & Sonars Forlag, 1967.
Sweden. Justitiedepartmentet. Data och integritet (Data and Privacy). Stockholm: Almanna Forlaget, 1972.
Thomas, Uwe. Computerized Data Banks in Public Administration. OECD Informatics Studies, No. 1. Paris: Organisation for Economic Cooperation and Development, 1971.
United Nations. Economic and Social Council. Commission on Human Rights. Human Rights and Scientific and Technological Developments. Report of the Secretary-General. Addendum. 29 December 1970.
Warner, Malcolm, and Michael Stone. The Data Bank Society: Organizations, Computers, and Social Freedom. Old Woking, Surrey, England: Unwin Brothers limited, 1970.
1Federal Republic of Germany, State of Hesse, Hessischer Landtag, Vorlage des Datenschutzbeauftrogten (Report of the Data Protection Commissioner), Document 7/3137, 29 March 1973. Reviewed in Frankfurter Allgemeine Zeitung fur Deutschland, 18 April 1973; English version of review in The German Tribune, No. 578, 10 May 1973, p. 3.
2Sweden, Justice Department, Data och integritet (Data and Privacy), Document SOU 1972:47 (Stockholm: Almänna Förlaget), 1972.
3"The Protection of Privacy," International Social Science Journal, XXIV, No. 3, 1972, p. 448.
4Le Monde, November 29, 1972, pp. 20-21, for example.
5 l'Informatique, Aprll, 1971 (entire issue).
6France, Conseil d'Etat, Rapport Annuel 1969-1970, 3iéme Parties, 2ieme étude, Fascicule 3, "Les conséquences du développment de l'Informatique sur les libertés publiques et privées et sur les décisions administratives," Paris, 1970.
7France, Cour de Cassation, Rapport de Cassation. Année Judiciare 1971-1972 (Paris: La Documentation Francaise), 1972, p. 16.
8Great Britain, Home Office, Report of the Committee on Privacy, Rt. Hon. Kenneth Younger, Chairman (London: H. M. Stationery Office), 1972.
9Ibid., pp. 163-184.
10The British Computer Society, Privacy and the Computer–Steps to Practicality (London: The Society), 1972.
11Privacy and Computers. A report of a Task Force established jointly by Department of Communications/Department of Justice (Ottawa: Information Canada), 1972.