Information Law Possum (discontinued)

The media, amongst them the excellent english-speaking news portal swissinfo.org, report that my hometown Basel has been shaken by a minor earthquake (3.4 on the Richter Scale).

The tremor was caused by drilling work for a geothermal power plant, and so public prosecutors have started an investigation for damage to property (if there was any) and threats causing public alarm (Article 258 of the Swiss Penal Code).

The latter has the following wording (my translation):
“Whosoever causes public alarm by threatening or pretending a danger for life, physical condition or property, shall be liable to imprisonment of up to three years.”

I doubt that there will be a conviction based on Article 258 because apparently, there wasn’t any intention on the part of the persons involved to threaten the population. Nevertheless, I take my hat off to the creativity of Basel’s public prosecutors.

As a matter of principle, I’m not particularly happy with Article 258:

• First, there may be free speech issues — not in this case, but the classic example would be Orson Welles’ famous radio adaptation of H.G. Wells’ novel “The War of the Worlds”, which did cause public alarm in 1938.
• Second, the population sometimes can react hysterically to certain threats or dangers, and it seems problematic that a potential over-reaction is attributed to the person who is responsible for the threat or danger, even if that person had the intention to scare some people.

Nevertheless, we possibly can hardly do without Article 258 Penal Code because of its preventive effect, in particular with respect to would-be imitators of amok runs, bombings, and all the other nasty things that have been happening way too often in Europe over the last couple of years.

P.S. A quick scan of the blog posts on the topic of the man-made earthquake has revealed that most bloggers rather seem to act as news brokers than as citizen journalists (or eye-witnesses, depending on your standpoint).

My friend and colleague James Thurman, the FIR-HSG’s top news hub, pointed me to a piece of news hardly noticed on this side of the atlantic: Xerox’ efforts to develop erasable — or rather: self-erasing — paper.

As the New York Times reports, the researchers have developed a specially coated paper with a light yellow tint. The printed information on the paper disappears within 16 to 24 hours or immediately when the paper is heated. (Is this perhaps a user-friendly further development of thermal paper?) The only limit in the printing-and-disappearing process appears to be paper life.

This is potentially wonderful news for our environment: According to a Xerox study, the average Dilbert of this planet prints 1,200 pages per month, 250 of which are returned to the recycling bin the same day.

The New York Times continues:

Brinda Dalal, [an anthropologist with Xerox], has discovered … a notable change in the role of paper in modern offices, where it is increasingly used as a medium of display rather than storage. Documents are stored on … computers and printed only as needed; for meetings, editing or reviewing information.

In other words: instead of going paperless, as many people predicted in — as far as I can remember — the early Nineties, we are often using hardcopies as sort of an outsourced short-time memory.

As far as I can tell, the law still considers paper as a storage medium, and if erasable paper is a success on the market, it will be extremely interesting to see if this triggers changes in the law, in a sense that the role of paper as a permanent storage medium will be legally less important than nowadays.

Speaking of the new paper’s possible market success, one drawback might be the compliance costs the introduction of this paper necessarily generates:

• For instance, I am not sure how erased “erased” really will be — in other words: can we be sure that nobody, not even a criminologist, will be able to read the information that has faded on a piece of erasable paper? For nothing is more dangerous than covert information. If the information can be regained, employees should be made aware of this issue, and they might even be instructed to treat the paper as if it contained sensitive information, or forbidden to print sensitive information onto that paper.
• In the latter scenario, the human factor will remain as a residual risk, but it can also be the primary risk. One rather harmless example would be the intern who by mistake mails a large number of invoices printed on the erasable paper to his employer’s customers.
• In any event, the self-erasing paper should be easily distinguishable from ordinary paper. I have doubts that a yellowish tint will be enough in this respect.

Fingers crossed that these risks and compliance costs won’t outweigh the economies caused by the use of erasable paper!

The spammer I sent a request for information to has responded very quickly:

 ”Dear Mr. Haeusermann,
We have taken over the ____ portal beginning of November, which included an address database. We wrote to the people in the database once, and at the same time deleted the addresses.
[apologies]“

So far so good.

The conference on data protection was a big success, as the organizers were able to gather the crème of Swiss data protection lawyers. One of the lessons learned from the keynotes of Prof. Herbert Burkert (President of the FIR-HSG), Prof. Rainer J. Schweizer (President of the Federal Data Protection and Transparency Commission and member of the board of the FIR-HSG), Sig. Tiziana Mona (Member of the Federal Data Protection and Transparency Commission), and Hanspeter Thür (the Federal Data Protection and Information Commissioner) is that individual enforcement of data protection law (e.g. what I did vis-à-vis the spammer) is important, but other regulatory instruments can be more effective.

• As a first example, the Data Protection Commissioner may publish recommendations which are directed at the private sector and have covered fields such as the collection of data by property management companies, spamming, or the use of biometrical access controls by recreational facilities. Mr. Thür explained that these recommendations, though not binding, regularly provoke intense reactions (both positive and negative) from the public. He also has the impression that the recommendations have a much broader impact than court decisions (which are quite rare, btw).
• Second, in the fields of national security and the war on organized crime, the access right of individuals cannot but hamper these (largely) legitimate ends. In a recent judgment, which is currently on appeal with the Federal Supreme Court, the Data Protection and Transparency Commission decided on the basis of the European Convention on Human Rights that the access right has to prevail. That case is extremely interesting, and I’ll get back to it next year after the verdict of the Supreme Court. In essence, the Commission found the statutory mechanisms, by which individuals can have the lawfulness of data processing checked, ineffective and thus unconstitutional. Where the necessity of enforcement of data protection law by individuals results in crippled information rights, it seems to be a better idea to create institutional safeguards, for instance regular data protection audits with law enforcement and national security agencies by an independent, but trustworthy institution (e.g. the Data Protection Commissioner).