Data Protection

Data protection is a species of privacy law that controls access to information relating to the individual. Typically, data protection provides an individual with the right to see data held about himself or herself and to require their correction. Beyond that, data protection determines how organizations holding data may—or may not—process them, and, in particular, it regulates access to personal data by third parties. Data protection regimes are customarily overseen by independent regulators with the power to impose penalties on organizations misusing data. Exemptions from the regime, of varying scope, are provided for such purposes as law enforcement and national security.

Data protection was originally promoted as a protection against tyranny in postwar Europe, and it should be understood as one expression of the desire to safeguard an individual's family and personal life (as enshrined in the European Convention on Human Rights). This concern was coupled with a growing awareness of the power of computers—in public and private sectors—to process and manipulate data about individuals. The 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and the Council of Europe's 1980 Convention on the Automatic Processing of Personal Data should be seen as products of this mindset.

The adoption of the European Union (EU)'s Data Protection Directive (95/46) gave added impetus to this emerging international legal regime. The directive established a comprehensive (and extremely complicated) system of information privacy whose impact was soon felt far beyond the EU itself. Mindful of the transfer of personal data across international boundaries, the EU has sought to police the handling of data in third-world countries. Its influence can be seen in Australia's Privacy Amendment Act 2000—which is modeled on the European principles—and in the 2000 personal data safe-harbor agreement between the EU and the United States.

In many countries, data protection systems now exist alongside freedom of information regimes. The latter are restricted to the public sector, whereas the former may or may not take in the private as well as public sector. The junction between the two regimes has proved problematic for legislators. Canada provides a relatively unusual example of an integrated regime; others have grafted one system onto another, with results that are difficult for the lay observer—or the specialist—to understand (see, for example, the United Kingdom's 2000 Freedom of Information Act).

Data protection will remain one of the most significant instruments regulating the global Information Society. The progressive extension of regulation to the private sector has proved contentious in a number of jurisdictions. Equally controversial has been governments' desire to share data between public-sector [Page 194]agencies—to improve service delivery or to strengthen their fight against organized crime and terrorism. In reaction to these pressures, reformers have sought a system that is less burdensome and that is easier for all parties to understand.