UN Guidelines for the Regulation of Computerized Personal Data Files 1990

In contrast to the UDHR and ICCPR, the UN Guidelines for the Regulation of Computerized Personal Data Files constitute the first efforts by the United Nations to develop concrete rules for protection of personal data.⁵²⁸ The UN Guidelines were preceded by two regional instruments specifically made to regulate processing of personal data: the Organization for Economic Co-operation and Development (OECD), Guidelines on the Protection on Privacy and Transborder Flows of Personal Data 1980⁵²⁹ (OECD Guidelines) and the Council of Europe (CoE) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981⁵³⁰ (CoE Convention 108/1981). Perhaps because of this, the UN Guidelines are influenced by its predecessors more particularly the OECD Guidelines.

Two main objectives are at the core of the UN Guidelines: supply of broad minimum guarantees that should be incorporated in the national legislation of the member states⁵³¹ and encouraging governmental and non-governmental international organizations to apply the Guidelines in

524 Ibid.

525 Ibid.

526 Ibid; see also, Art 36 of the Statute of the International Court of Justice (ICJ), http://www.icj-cij.org/documents/index.php?p1=4&p2=2&p3=0 last visited 7/12/2011; Crook, J.R., ‘The International Court of Justice and Human Rights’, Northwestern University Journal of International Human Rights, 2004, Vol.1, pp.1-8, http://www.law.northwestern.edu/journals/JIHR/v1/2/Crook.pdf last visited 7/12/2011.

527 ICCPR, Art 2(3) (b).

528 Historically the UN Guidelines can be traced from the UN General Assembly Resolution 2450 of December 1968(

Doc E/CN.4/1025) in which the UN Secretary-General was invited to examine the impact of technological developments on human rights, including consideration of individuals’ right to privacy ‘in the light of advances in recording and other techniques’. The resulting study by the Secretary-General led to the publication of a report in 1976 urging states to adopt privacy legislation covering computerised personal data systems in the public and private sectors, and listing minimum standards for such legislation, Bygrave, p.29, note 503, supra.

529 OECD Doc. C (80)58/FINAL, adopted on 23 September 1980.

530 ETS No. 108; opened for signature 28 January 1981; in force 1 October 1985.

531 UN Guidelines, PART A.

112

processing personal data.⁵³² To achieve the two objectives, the UN Guidelines lay down general principles concerning processing of personal data held in computerized files. These principles are provided in the form of non-legally binding guidelines. The responsibility of developing concrete detailed regulations for regulating personal data is left to states taking into account the principles spelt in the UN Guidelines as the minimum standard.

Structurally, the UN Guidelines contain ten provisions. There is neither a preamble preceding these provisions nor definition of terms in the Guidelines. Such omissions diminish considerably the Guidelines’ practical utility.⁵³³

The scope and application of the principles provided in the UN Guidelines is primarily limited to the processing of personal data of natural persons in the public and private sector with respect to computerized files.⁵³⁴ This limited scope can also be depicted from the long title of the Guidelines.

However two exceptions may also apply. First, the principles contained in the UN Guidelines may be extended subject to appropriate adjustments to manual files.⁵³⁵ Second, such principles may be exceptionally extended to files on juristic persons especially when they contain information on individuals.⁵³⁶

The UN Guidelines contain seven fair information processing principles of computerized personal files: lawfulness and fairness, accuracy, purpose specification, disclosure limitation, interested personal access, non-discrimination and security. These are usual principles of personal information processing found in most data privacy protection regulatory instruments (see 3.3). It is imperative to note that, there are interdependence in these principles. The implementation of one principle in practice requires the existence of the other. Thus although attempts to analyze these principles is made on each, one should not be mislead to think that each principle exists independently.

The first principle, principle of lawfulness and fairness, requires that information about persons should not be collected or processed in unfair or unlawful ways, nor should it be used for ends contrary to the purposes and principles of the Charter of the United Nations.⁵³⁷ This principle embodies

532 Ibid, PART B.

533 Bygrave, p.30, note 503, supra.

534 UN Guidelines, Para. 10.

535 Ibid.

536 Ibid.

537 Ibid, Para 1.

113

two criteria at a time, lawfulness and fairness. Lawfulness criterion is relatively self-explanatory.⁵³⁸ It may simply mean that before any processing activity can take place the data controller must ensure that the intended processing is backed by an enabling instrument or consent from the data subject.⁵³⁹ Unlike lawfulness criterion, fairness is more complicated to explain. Part and parcel of this complexity is the fact that fairness cannot be achieved in the abstract.⁵⁴⁰ Also, general agreement on what is fair is inevitably subject to change.⁵⁴¹ Yet, despite these hurdles, fairness can generally mean the following: taking into account of data subjects’ interests and reasonable expectations in the course of processing their personal information; unduly pressurizing data subjects to disclose information about them or accepting such information to be used for other particular purposes; transparency of the personal data processing activities; direct collection of personal data from the data subjects; abstaining from re-use of personal information collected for one purpose for other purposes than the one specified during collection; etc.⁵⁴²

The second principle is the principle of accuracy. According to this principle, persons responsible for the compilation of files or those responsible for keeping them have an obligation to conduct regular check on the accuracy and relevancy of the data recorded and to ensure that they are kept as complete as possible to avoid errors of omission and that they are kept up to date regularly or when information contained in a file is used as long as they are being processed.⁵⁴³ Four criteria can be isolated from this principle: accuracy, relevancy, completeness and up-to-datedness.

Information is considered accurate as long as it is correct and true in every detail and in any case it does not contain errors. This may entail a number of things. For example, to ensure that personal information is collected directly from data subjects; there are no omissions in such information in which case information becomes complete and most important such information is updated. As for relevancy of information, this criterion is linked to other principles. The purpose specification is one of such principles. At the same time both the requirements of relevancy and purpose specification operate to limit information collected to a minimum.⁵⁴⁴

538 Bygrave, p.58, note 24, supra.

539 See e.g Kalliopi Nikolaou v. Commission, Case T-259/03, European Court of First Instance, Luxembourg where the Commission was held in breach of Article 5 of Regulation (EC) No. 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data after disclosing leak information concerning Nikolaou which in the eyes of the Court constituted unauthorised transmission.

540 Bygrave, note 538, supra.

541 Ibid.

542 Ibid, pp.58-59.

543 UN Guidelines, Para 2.

544 Bygrave argues that the UN Guidelines does not contain any express provision on the information minimality principle yet such requirement can be red into the more general criterion of the fairness as set out in Principle 1 of the UN Guidelines; Bygrave, p.60, note 24, supra.

114

The third principle is the purpose specification. This principle states that the purpose for which a file is to serve and its utilization in terms of that purpose should be specified, legitimate and, when it is established, receive a certain amount of publicity or be brought to the attention of the person concerned, in order to make it possible subsequently to ensure that all personal data collected and recorded remain relevant and adequate to the purpose so specified; no disclosure of such information is made without consent of the person concerned and for purposes incompatible from those specified and the period for which such data is kept does not exceed achievement of the purpose specified.⁵⁴⁵ The purpose specification principle is a cluster of many requirements. In the first place it requires the purpose for collection of personal data to be specified. This ensures to determine if such information is really relevant to achieve a specified purpose. Apart from that the purpose itself needs to be legitimate. The bulk of data protection instruments comprehend legitimacy prima facie in terms of procedural norms hanging on a criteria of lawfulness( e.g., that the purpose for which personal data are collected should be compatible with the ordinary, lawful ambit of the particular data controller’s activities).⁵⁴⁶ There is also a requirement of publicity or notification of data processing to the personal concerned. This requirement intends to ensure that data processing remains transparent to the persons concerned so that they can be able to ascertain if it is compatible with the purpose of its collection. Also it facilitates data subject’s participation in the data processing activities.

The fourth principle is the disclosure limitation.⁵⁴⁷ This principle is expressly embedded in the third principle above-i.e. purpose specification. It is also linked to the interested-person access which ensures that all disclosures of a data subject’s personal information are brought into his or her attention with the purpose of seeking consent where applicable.

The fifth principle, interested-person access, provides that everyone who offers proof of identity has the right to know whether information concerning him is being processed and to obtain it in an intelligible form, without undue delay or expenses, and to have appropriate rectifications or erasures made in the case of unlawful, unnecessary or inaccurate entry and, when it is being communicated, to be informed of the addressees. This principle further states that provision should be made for a remedy, if need be with the supervisory authority. The costs of any rectification shall be borne by the person responsible for the file. Further that it is desirable the provisions of this principle should apply to everyone, irrespective of nationality or place of

545 UN Guidelines, Para 3.

546 Bygrave, pp.61-62, note 24, supra.

547 UN Guidelines, Para 3(b).

115

residence.⁵⁴⁸ ‘Access’ under this principle entails that a data subject possesses knowledge of processing of personal data about him or her. This includes knowing which information about him or her is held by the data controller and how such information is being used and for what purpose. The right of access is also being made meaningful if the data subject can cheaply in terms of both time and cost obtain in an intelligible form such information about him or her and the manner it is being used and processed by the data controller. Also part and parcel of the right of access is the ability of a data subject to demand rectification or erasure of such information which has been unlawfully obtained, irrelevant or contains inaccuracies. Moreover, the right of access entails that a data subject is specifically informed of the recipients of information about him or her. This is important because of controlling re-use of personal information for purposes other than those specified during collection. The interested- person access principle also requires that a person concerned is able to obtain appropriate remedy for correction or eraser at the expense of the data controller. Also important to note is the fact that the UN Guidelines require the right of access to apply to everyone irrespective of one’s nationality or place of residence.

This partly gives the UN Guidelines its universal character.

The sixth principle is non-discrimination. This principle requires that data likely to give rise to unlawful or arbitrary discrimination, including information on racial or ethnic origin, colour, sex life, political opinions, religious, philosophical and other beliefs as well as membership of an association or trade union, should not be compiled.⁵⁴⁹ However exceptions for this rule are acceptable only within the framework of the provisions of the International Bill of Human Rights and other relevant instruments in the field of protection of human rights and prevention of discrimination.⁵⁵⁰ Unlike other instruments (see 3.3) which deal with the same principle under sensitivity, the UN Guidelines deploy the term non-discrimination. Perhaps because of this, the latter does not address health information in its list while the former does. Also, the latter goes far to deal with discrimination on membership of an association in general while the former only stops at trade-union membership.

The seventh principle is about security. Accordingly appropriate measures are required to be taken to protect the files against both natural dangers, such as accidental loss or destruction and human dangers, such unauthorized access, fraudulent misuse of data or contamination by computer viruses. Worthy note is that while security and privacy issues are not identical limitations on data

548 Ibid, Para 4.

549 Ibid, Para 5.

550 Ibid, see also UN Guidelines, Para 6.

116

use and disclosure must be reinforced by security safeguards.⁵⁵¹ The measures envisaged under this principle include use of appropriate and up-to-date software, physical measures (e.g. looked doors and identification cards), trainings, pre-employment vetting and adoption of security codes.⁵⁵²

It is important to underline that the UN Guidelines does not specifically contain the principle of minimality as a standalone principle. This is in sharp contrast to other instruments (see 3.3) which deal with minimality as an independent principle. Nevertheless, the minimality requirement in processing personal data can still be read into other principles of the Guidelines more particularly accuracy, fair processing and purpose specification.

To ensure that the above principles are complied with, the UN Guidelines calls every country to designate a supervisory authority to offer supervision.⁵⁵³ The Guidelines sets three attributes for such authorities: impartiality, independence vis-à-vis persons or agencies responsible for processing and establishing data and technical competence.⁵⁵⁴ Also the supervisory authorities have to be empowered as part and parcel of such enforcement to inflict criminal sanctions as well as appropriate individual remedies in case of breaches of the above principles.⁵⁵⁵ Aware of variations of domestic legal systems, the Guidelines directs that the designation of supervisory authorities must be fitting into such systems. Some jurisdictions have designated the Freedom of Information Act (FOIA) authorities as also discharging the function of data protection authorities.⁵⁵⁶ Others have separated the two authorities to keep clear lines between them.⁵⁵⁷ Yet, it must be admitted that even in such latter case there are intersection between the enforcement authorities hence cooperation between them is necessary.

There are also provisions as to regulation of transboder data flows in the UN Guidelines.⁵⁵⁸ The Guidelines requires that when two countries in the context of transfer of personal data have

551 Greenleaf, G et al., ‘Interpreting the Security Principle’, Working Paper No.1, v.6 March 2007, pp.1-37, at 6, http://www.cyberlawcentre.org/ipp/wp/WP1%20Security.pdf last visited 10/12/2011.

552 Ibid.

553 UN Guidelines, Para 8.

554 Ibid.

555 Ibid.

556 The UK Information Commissioner’s Office (ICO) is a direct case to the point. The ICO supervises the Data Protection Act 1998; Freedom of Information Act 2000; Privacy and Electronic Communications (EC Directive) Regulations 2003 changed on 26 May 2011 and above all the Environmental Information Regulations 2004 which does not directly regulate processing of personal information.

557 See e.g., the Norwegian Data Protection Inspectorate which only administers the Data Register Act 1978 now replaced by the Personal Data Act 2000.

558 UN Guidelines, Para 9.

117

‘comparable’ safeguards in their laws regulating privacy information should be left to circulate freely in the two countries. Yet, if there are no reciprocal safeguards, the Guidelines require that such circulation may not be imposed unduly and only in so far the protection of privacy demands. Few questions may arise here. Who is to determine the comparability of safeguards?

Certainly the supervisory authorities in the countries concerned. What are the criteria/parameters of comparison? What are the criteria that countries concerned should take into account not to impose unduly restrictions to the free flow of circulation of personal data? The Guidelines are silent on all these questions. Undoubtedly this silence may result into practical difficulties in their implementation.

An overview of the universal systems of privacy protection leads to the following conclusions.

First, although the UDHR and ICCPR do not expressly spell principles of data protection they offer strong normative roots for the data protection laws in regional and national jurisdictions.⁵⁵⁹ This normativity can well be noticed expressly or impliedly from the preambles and recitals of such regional and national legislation dealing with data protection. At national level, frequent reference to the UDHR and ICCPR in the preamble of the constitutions generally affirms the universal recognition and acceptance of these international documents within domestic legal systems. Since the right to privacy is incorporated in the Bill of Rights of such constitutions, it serves to domesticate the right to privacy found in the UDHR and ICCPR. Second, under the universal system only the UN Guidelines deals with data protection more specifically. Nonetheless such Guidelines have received relatively little attention as compared to the regional instruments on data protection specifically those in Europe (see 3.3). This is partly because the Guidelines are not legally binding and seem to have had little practical effect relative to the other instruments.⁵⁶⁰ Indeed, the Guidelines tend to be overlooked in much data protection discourse, at least in Scandinavia.⁵⁶¹ The other reasons that may have significantly reduced the practical effect of the UN Guidelines is the fact that they came later in the 1990 after the OECD Guidelines 1980 and CoE Convention 108/1981 had been in place and already influenced adoption of data protection legislation in many countries. Of course, this reason though may seem weak in the context of the adoption of Directive 95/46/EC in 1995 well after the UN Guidelines were already in place, it has to be understood that the scope of the former in terms of elaboration of the principles, binding

559 See e.g., Bygrave, p.45, note 503, supra; Bygrave, p. 332, note 25, supra; Bygrave, p.180, note 27, supra; Kuner, p.309, note 264, supra.

560 Bygrave, p. 33, note 24, supra; Bygrave, note 533, supra; Karanja, p.126, note 239, supra; Greenleaf, G., ‘Asia-Pacific Developments in Information Privacy Law and Its Interpretation’, New Zealand Privacy Issues Forum, 2006, pp.1-25, at pp5-6.

561 Bygrave, p. 33, note 24, supra.

118

nature and enforcement institutions generally exceed far the latter. Moreover, the Directive 95/46/EC seems to incline more to the OED Guidelines and CoE Convention 108/1981 than to the UN Guidelines. Third, the efforts to achieve a legally binding global data privacy treaty are far from reality. Calls for such an instrument are increasingly made, and work is underway to draft an appropriate set of international rules on point.⁵⁶² Yet, while there is clearly a need for a global legal approach in the field, there are, realistically, scant chances of say, a UN-sponsored convention being adopted in the short term.⁵⁶³ This is partly because the differences in cultural, historical and legal approaches to data protection mean once one descends from the highest level

nature and enforcement institutions generally exceed far the latter. Moreover, the Directive 95/46/EC seems to incline more to the OED Guidelines and CoE Convention 108/1981 than to the UN Guidelines. Third, the efforts to achieve a legally binding global data privacy treaty are far from reality. Calls for such an instrument are increasingly made, and work is underway to draft an appropriate set of international rules on point.⁵⁶² Yet, while there is clearly a need for a global legal approach in the field, there are, realistically, scant chances of say, a UN-sponsored convention being adopted in the short term.⁵⁶³ This is partly because the differences in cultural, historical and legal approaches to data protection mean once one descends from the highest level