Regulatory approaches to protection of human rights in the digital society: case law and users’ expectations in personal data protection area
As we announced in the previous article, this one, the last in the series, will present how corporations can regain their users’ trust, and help them understand the importance and price of their data.
On the 12th of September 2003, People’s Republic of China sentenced one of its citizens, Wao Xiaoning, to 10 years’ imprisonment and additional 2 years of deprivation of political rights in the Yahoo! lawsuit (re China). Xiaoning has published and shared via Internet several essays which supported democratic reforms in China and he communicated with the American (overseas) organizations where he stated that Chinese government is being hostile. According to Xiaoning, while he was held as a political prisoner he was abused. After the Supreme People’s Court of China rejected Xiaoning’s complaint, the World Organization for Human Rights filed a lawsuit against the American company Yahoo! Inc. on behalf of Xiaoning’s wife, in which she stated that Yahoo! is responsible for violating the Alien Tort Statute. According to this law, the district courts in the United States shall have original jurisdiction of any civil action by an alien for a tort only, committed in violation of the law of nations or a treaty of the United States. To be precise, World Organization for Human Rights has accused Yahoo! for intentionally helping and encouraging the torture of Xiaoning by submitting data from Xiaoning e-mail and user identification data through which Xiaoning was identified online, arrested and imprisoned.
The case was closed in 2007 by a settlement between the two parties and Xiaoning was released in August 2012, after 9 years in prison. Even though the case was an out-of-court settlement, it is very important for jurisprudence because it was one of the first attempts to hold companies accountable for unauthorized and illegal data handling, and therefore personal data protection is set as one of the foundations of responsible company management.
Another interesting case of the European Court of Justice (ECJ) is the Bodil Lindqvist case from 2003, which was also the Court’s first case in personal data protection domain. Ms. Lindqvist created a web page which was a part of the course she enrolled, and on which personal data of the people who volunteered with her in a parish of Swedish Protestant church could be found. Alongside with the names and addresses of these people, there were information about family circumstances, health conditions and other comments. No one consented to publishing their personal data and she didn’t register to a competent authority, that is the Commissioner. She was obliged to pay several fines for publishing the data, so she addressed ECJ with a request for the Court to decide “if there is a cross-border data transfer … in case of publishing the data on a web page … and making the data available to everyone who has Internet access, including the individuals from other countries” and if the Court’s decision would be affected by the fact that no persons from other countries visited the web page. The problem, of course, was the fact that the Directive 95/46/EC didn’t predict the possibility of data transfer via Internet, but the Courts decided that it can be presumed. The Court also suggested that, having in mind Internet’s nature, the interpretation which would lead to the fact that publishing via the Internet will be considered as a cross-border data transfer would make the Directive be used globally, but would at the same time restrain legal publishing of information on the Internet. Court’s general decision was, when it comes to data access via the Internet, that data is not directly transferred between those who have published the data and those who can read it and, as a result, there was no cross-border transfer between the data published on the web page.
This court decision has important effect because it clarifies to either individuals or corporations that personal data is protected and that no one can use it before one’s consent. Moreover, this decision has reinforced the Commissioner’s opinion as stipulated in Directive 95/46/EC, because it said that everyone must consult the Commissioner before personal data processing.
In order to avoid proceedings which usually entails high costs and it certainly creates a negative reputation, corporations should operate in accordance with data protection standards. Users’ trust in the digital age depends on corporation’s capability to provide legal and technical infrastructure which can develop and preserve the trust within the digital society. Unfortunately, this trust has been shaken up with various scandals concerning private communications surveillance. To rebuild consumer confidence in the ICT market, users need to be certain that their rights to privacy, confidentiality of their communications and protection of their personal information are respected, as stated in the opinion of the EU Commissioner for Data Protection.
Influencing factors on increasing or decreasing users’ trust are the level of respect of regulations by corporations, operating in accordance with contractual obligations between consumers and corporations, respect of internal acts (General Terms and Conditions etc), as well as providing Notifications about data processing before collecting the data and any changes related to data processing. It is necessary for corporations to provide its users to, in a simple and suitable procedure, request an insight, alteration and data removal. It is very certain that the corporations with acts and mechanisms for preventing security system crisis will have a better reputation. Those who operate against these rules represent disloyal competition.
In order to to create a system in which consumers would have relevant information on how corporations treat personal data, it is necessary to strengthen the position of the Commissioner for Personal Data Protection and monitoring, i.e. the supervision he conducts. Corporations should primarily adopt internal regulations which will provide data protection and prevent any unauthorized access, including unauthorized access by public authorities. The Commissioner mentioned an alarming example in his Report on Implementation of the Law of on Free Access to Information of Public Importance and the Law on Personal Data Protection in 2012: “The number of requests for submitting retained user data. Four operators have received more than 4 000 requests and have replied positively on more than 90% of the requests. Only one of the four operators has allowed public authorities to independently access retained data 270 000 times. The remaining three operators do not document these cases of access and they are not obliged by the law to do so.”
For states to protect human rights, the users must have a bigger control over their personal data in order to make the right decisions about their data, so they can be more aware of the risk that can result from data processing and how can they be protected.
In the report “Internet freedom and right to private life, protection of personal data and due process of law”, presented on the Council of Europe Conference of Ministers that took place in Belgrade on the 7th and 8th of November 2013, and it indicates the importance of digital literacy in the Council of Europe member states. The report emphasizes that the Council of Europe member states should promote the usage of open software that protect privacy and to allocate special fundings for research, designing and developing these technologies. The report presents an example of Swedish International Development Agency (SIDA) which funds the development of the Tor project. This software represents a web of virtual tunnels that allows individuals and groups to enhance their privacy and online security. Tor also offers the possibility for software programmers to build new communication tools with built-in privacy protection. By using Tor, individuals and organizations can share information via public networks without compromising their privacy. Firstly invented for protecting government communications, Tor is today used by “ordinary” people, military, journalists, police, activists and many others.
With this series of articles in the field of business and human rights, with a particular focus on data protection, we wanted to present international and national regulations in this area, and the work of organizations and associations that enable the business sector to work together to improve their business in this field. On the other hand, we have presented the work of the Commissioner for Data Protection as a government body, but also the function of the Privacy and Data Protection Officer in domestic and foreign companies. We hope that some of the alternative methods that the business sector can use will facilitate their operations and provide better security of our data. In any case, we are confident that this issue will be very interesting and that it will attract more attention, and we will therefore closely monitor new trends, and keep you informed.
Thank you for your attention.
Yours truly,
SHARE Defense team!