Information Law Possum (discontinued)

My friend and colleague Thomas Hautle has added an interesting antithesis to my earlier post on self-erasing paper: He basically argues that the employees of many companies handle hardcopies containing sensitive information very carelessly, e.g. by throwing them away on their way home. As long as that happens, he goes on, self-erasing paper can mitigate these information security risks.

So here’s an attempt for a synthesis:

• If a company has a sound information security policy, and has taken the necessary steps to enforce it, self-erasing paper creates an additional security risk, which can be tackled without difficulty, given the company’s information security culture.

• If information security isn’t a big issue for the management of a company (i.e. if a company has a bad management), self-erasing paper might well lower the company’s risk exposure.

To conclude, this isn’t just a question of whether the glass is half-full or half-empty, but self-erasing paper adds to the complexity of corporate information management, but — luckily — not in a way that is necessarily detrimental for those who are unable to manage that complexity.

“I have nothing to hide, of course. But still, that’s no one’s business.”

(Paul-Henri Steinauer, in: Hommage à Henri Deschenaux, 1988, 20.)

The spammer I sent a request for information to has responded very quickly:

 ”Dear Mr. Haeusermann,
We have taken over the ____ portal beginning of November, which included an address database. We wrote to the people in the database once, and at the same time deleted the addresses.
[apologies]“

So far so good.

The conference on data protection was a big success, as the organizers were able to gather the crème of Swiss data protection lawyers. One of the lessons learned from the keynotes of Prof. Herbert Burkert (President of the FIR-HSG), Prof. Rainer J. Schweizer (President of the Federal Data Protection and Transparency Commission and member of the board of the FIR-HSG), Sig. Tiziana Mona (Member of the Federal Data Protection and Transparency Commission), and Hanspeter Thür (the Federal Data Protection and Information Commissioner) is that individual enforcement of data protection law (e.g. what I did vis-à-vis the spammer) is important, but other regulatory instruments can be more effective.

• As a first example, the Data Protection Commissioner may publish recommendations which are directed at the private sector and have covered fields such as the collection of data by property management companies, spamming, or the use of biometrical access controls by recreational facilities. Mr. Thür explained that these recommendations, though not binding, regularly provoke intense reactions (both positive and negative) from the public. He also has the impression that the recommendations have a much broader impact than court decisions (which are quite rare, btw).
• Second, in the fields of national security and the war on organized crime, the access right of individuals cannot but hamper these (largely) legitimate ends. In a recent judgment, which is currently on appeal with the Federal Supreme Court, the Data Protection and Transparency Commission decided on the basis of the European Convention on Human Rights that the access right has to prevail. That case is extremely interesting, and I’ll get back to it next year after the verdict of the Supreme Court. In essence, the Commission found the statutory mechanisms, by which individuals can have the lawfulness of data processing checked, ineffective and thus unconstitutional. Where the necessity of enforcement of data protection law by individuals results in crippled information rights, it seems to be a better idea to create institutional safeguards, for instance regular data protection audits with law enforcement and national security agencies by an independent, but trustworthy institution (e.g. the Data Protection Commissioner).

Next Monday, December 4, the Research Center for Information Law at the University of St. Gallen, in collaboration with the Federal Chancellery, is going to hold a conference on data protection law in Berne. Honoring the event, I’d like to point at some aspects of data protection law that neither have become obsolete nor problematic during the internet revolution.

My first example is spamming, one of the digital scourges of mankind, and a phenomenon which has become recently under suspicion of deepening the digital divide between digital natives and older people (twenty-something +).

Lately, I received one of the few “domestic” spam emails, that is, one from a Swiss million pixel website. As spamming is not clearly illegal in Switzerland yet–an anti-spam amendment to the Unfair Competition Act is under way–, I decided to test that company’s data protection compliance:

Under Swiss (and European) law, every person whose data (i.e. information on an identifiable person) are processed, has an unconditional right of access ot these data, including the right to know the purpose of processing, the categories of data processed, the persons involved in the processing of data, the source of their data, etc. (Art. 8 of the Swiss Data Protection Act [in English]–its EU equivalent, though with a different scope, is Art. 12 of the Data Protection Directive 95/46/EC.)

The data controller has thirty days to respond to a request; the information must be given free of charge (with very narrow exceptions); and a violation of the right of access by the controller is punishable by a fine and/or up to 90 days of imprisonment.

This morning, I sent the spammer a request pursuant to Art. 8 Data Protection Act, mainly because I wonder how he got my email address, but also because requests like mine are apt to make spamming horribly expensive: It is hardly conceivable that these requests can be processed automatically. So, if only a small percentage of spammees “ask back”, they can make spamming prohibitively expensive, and probably even drive a SME out of business.

To conclude: the regulatory burden Art. 8 Data Protection Act creates can be a very effective weapon, which can be used against legitimate and illegitimate businesses.