Data Protection Special # 1: Information Right Attacks
November 30th, 2006Next Monday, December 4, the Research Center for Information Law at the University of St. Gallen, in collaboration with the Federal Chancellery, is going to hold a conference on data protection law in Berne. Honoring the event, I’d like to point at some aspects of data protection law that neither have become obsolete nor problematic during the internet revolution.
My first example is spamming, one of the digital scourges of mankind, and a phenomenon which has become recently under suspicion of deepening the digital divide between digital natives and older people (twenty-something +).
Lately, I received one of the few “domestic” spam emails, that is, one from a Swiss million pixel website. As spamming is not clearly illegal in Switzerland yet–an anti-spam amendment to the Unfair Competition Act is under way–, I decided to test that company’s data protection compliance:
Under Swiss (and European) law, every person whose data (i.e. information on an identifiable person) are processed, has an unconditional right of access ot these data, including the right to know the purpose of processing, the categories of data processed, the persons involved in the processing of data, the source of their data, etc. (Art. 8 of the Swiss Data Protection Act [in English]–its EU equivalent, though with a different scope, is Art. 12 of the Data Protection Directive 95/46/EC.)
The data controller has thirty days to respond to a request; the information must be given free of charge (with very narrow exceptions); and a violation of the right of access by the controller is punishable by a fine and/or up to 90 days of imprisonment.
This morning, I sent the spammer a request pursuant to Art. 8 Data Protection Act, mainly because I wonder how he got my email address, but also because requests like mine are apt to make spamming horribly expensive: It is hardly conceivable that these requests can be processed automatically. So, if only a small percentage of spammees “ask back”, they can make spamming prohibitively expensive, and probably even drive a SME out of business.
To conclude: the regulatory burden Art. 8 Data Protection Act creates can be a very effective weapon, which can be used against legitimate and illegitimate businesses.