26.05.2016
Karen Topaz Druckman/Bettina Kahil-Wolff
Some Milestones of Data Protection in the US, Germany and Switzerland
Different Cultural Norms

Continental
◊  Given names
◊  Nudity on TV
◊  Notification of authorities when moving

U.S.
◊  Salaries
◊  Access to court filings
◊  Names of parties/victims
Swiss-US Legal Forum on Privacy and Safe Harbor
Different Notions of Privacy

Continental
◊  Honor and reputation
◊  Prevent unwanted public exposure
◊  Enemy = media

U.S.
◊  Liberty, sanctity of home
◊  Protection from gov’t. interference, persecution
◊  Enemy = the state
◊  Importance of freedom of speech
Legal Framework

Continental
◊  Systematic structure
◊  General fundamental principles in Code
◊  Laws define structure of coherent legal system

US
◊  Ad-hoc adoption of sectorial legislation
◊  General fundamental principles in Common Law
◊  Laws solve specific problems not adequately addressed by the Common Law

«Right to Privacy»
◊ Re: marriage, intimate relations, reproductive rights
◊ First Amendment case law

Collection, Introduction of Evidence/Criminal
◊ Requires state action
◊ 4th Amendment case law

Federal Statutes
◊  Children’s Online Privacy Protection Act (COPPA)
◊  Fair Credit Reporting Act and the Controlling the Assault of Non-Solicited Pornography and Marketing Act, known as the CAN-SPAM Act
◊  Financial Services Modernization Act (Gramm-Leach-Bliley Act); the Dodd-Frank Wall Street Reform and Consumer Protection Act
◊  Health Insurance Portability and Accountability Act (HIPAA)
◊  Electronic Communications Privacy Act; Computer Fraud and Abuse Act
◊  White House: Consumer Bill of Rights

State Law
◊ «Privacy Torts»
•  Intrusion upon seclusion or solitude, or into private affairs;
•  Public disclosure of embarrassing private facts;
•  Publicity which places a person in a false light in the public eye;
•  Appropriation of one’s name or likeness.
◊ Legislation
•  E.g. California “Shine the Light” law
Milestones of Data Protection: Germany, Switzerland and the US*
SWISS-US Legal Forum May 26 2016 (CEDIDAC, ISDC, Faculty of Law - University of Lausanne)
1. The European Union is about to renew its data protection framework. The Draft General
Data Protection Regulation, repealing Directive 95/46/EC, is supposed to provide strong
protection against unlawful use of personal data[1]. From the US, the Commission has obtained
the promise that US companies that offer goods and services in the EU be required to inform
concerned parties of any data breach, to respect an individual’s wishes concerning the
transmission of his or her personal data between service providers, and to observe the “right to
be forgotten”[2].
2. EU data protection goes back to 1969, when the European Court of Justice first admitted the
existence of an unwritten fundamental right to remain unidentified and the need for proportionate
reasons to justify any restriction of this right (ECJ case 29-69 Erich Stauder v. City of Ulm, Rec.
1969, 419).
3. But the foundations of fundamental rights, and of data protection in particular, go back much
further. In 1948, when Western Germany was governed by the US, Great Britain and France, U.S.
General Lucius D. Clay insisted that the new Germany must have a Constitution built
on democracy and on fundamental rights. His idea became reality: the German Constitution of
1949 grants the rights of “dignity for human beings” and “individual freedom” (Art. 1 § 1, Art. 2
§ 1 Grundgesetz für die Bundesrepublik Deutschland vom 23. Mai 1949).
4. For the Federal Constitutional Court of Germany this includes the right to choose between
sharing personal data, or keeping this information secret. In 1969, the same year as the decision
in the Stauder case, the Court held that dignity of individuals includes the right of privacy (the
Court was faced with a determination of whether a census of the German population was
consistent with fundamental rights, BVerfGE 27, 1 Microzensus: “The Basic Law (grants) the
individual citizen an inviolable sphere for shaping his or her private life, which is removed from
the reach of public authority” Erw. C. II. 1. a)).
5. In 1983, in a judgment called “Volkszählungsurteil”, the Federal Constitutional Court held that
rights to dignity and freedom give rise to a specific rule the Court named “fundamental right of
informational self-determination” and explained that, in a society based on fundamental rights,
the citizen must have control over all personal data[3] (BVerfGE 65,1 Volkszählungsurteil, Erw. C. II.
1. a): “A social order, and a legal order enabling it, in which citizens can no longer know who
knows what about them, when and on what occasion, would not be compatible with the right to
informational self-determination”).
5. Without the influence of the U.S. the country would not have gotten onto the right path so
quickly and adopted a Constitution based on Fundamental Rights. The Microzensus case was
decided just one year after Alan F. Westin’s article about “Privacy and Freedom” was published
in the Washington & Lee Law Review stressing the need for legislation to safeguard the right of
privacy against public surveillance[4]. In Berger v. New York US 41 (1967), the US Supreme Court
relied on the 4th Amendment to invalidate a New York eavesdropping law. It would not have
been the first time that great ideas crossed the Atlantic.
[1] COM(2012) 11 final and COM(2016) 214 final.
[2] http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision_en.pdf
[3] Confirmed by BVerfGE 115, 320 Rasterfahndung; in BVerfGE 120, 274 Onlinedurchsuchung, the Court held that the Constitution also protects the integrity of IT-Systems as a whole (Grundrecht auf Vertraulichkeit und Integrität informationstechnischer Systeme). See, for a good summary, Claudio Franzius, Das Recht auf informationelle Selbstbestimmung, ZJS 2015, 259.
[4] Alan F. Westin, Privacy and Freedom, Washington and Lee Law Review 1968, Volume 25, Issue 1, Article 20.
Bettina Kahil-Wolff, Unil - for the US Law see the contribution of Karen Druckman
6. And the idea of privacy swept over other European countries as well. The Constitutional law
of Germany was a source of inspiration for the ECJ, as demonstrated by the Stauder case and in
the subsequent case law. The Council of State in France (Conseil d’État), the highest
court in administrative matters, refers to the Constitutional Court of Germany and the
fundamental right of informational self-determination: “1° (…) the persons concerned must have a
right of oversight and retain control over the data concerning them: this is what (the Council) calls,
following the Constitutional Court of Germany, ‘informational self-determination’”[5].
7. The European Court of Justice does not use the term, but the key elements are laid down in
European law. Art. 8 of the EU Charter of Fundamental Rights grants “the right to the protection of
personal data” and statutory law adopted by the EU legislator must respect this right (e.g. ECJ
joined cases C-92/09 and 93/09 Schecke and Eifert, ECLI:EU:C:2010:662, § n° 46). With Directive
95/46, which grants “the right to privacy with respect to the processing of personal data” (Art.
1 § 1 Directive 95/46), the EU set a milestone: data protection is mandatory not only for the
administration but also for private persons[6].
8. Swiss data protection law, especially the Federal Act on Data Protection[7] and Art. 8 of the
Civil Code, preserves the fundamental right of informational self-determination; according to the
Swiss Federal Court, Google Street violates this right if it shows pictures of people on the internet[8].
Since 2000, the EU Commission has considered that Switzerland provides an adequate level of
protection for personal data and meets the requirements of Art. 25 of Directive 95/46/EC[9]. A
US-Swiss Safe Harbor Framework is intended to simplify the business-related data flow between
Switzerland and the United States[10]. Data protection is also guaranteed in other fields such as
Social Security (see Art. 21 US-Swiss Social Security Agreement[11]).
[5] Conseil d’État de France, Le numérique et les droits fondamentaux, rapport du Conseil d’Etat 2014, in Les rapports du Conseil d’Etat (ancienne collection - Étude et documents du Conseil d’État) http://www.cil.cnrs.fr/CIL/IMG/pdf/conseil_etat_numerique-2.pdf; Jean-Philippe Foegle, Le Conseil d’État, héraut de la revolution numérique - Protection des données personnelles (Conseil d’Etat), La Revue des Droits de l’Homme, décembre 2014, https://revdh.revues.org/1038
[6] Michael Ronellenfitsch, Der Vorrang des Rechts auf informationelle Selbstbestimmung nach Art. 1 Abs. 1 i.V.m. Art. 2 Abs. 1 GG vor dem AEUV, C. II. a), https://www.datenschutz.hessen.de/download.php?download_ID=189; see also Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU, Springer Verlag, Berlin 2014.
[7] Loi fédérale sur la protection des données (LPD), RS 235.1.
[8] ATF 138 II 346 ; see also ATF 141 I FINMA)
[9] Adequacy Decision 2000/518/EC of July 26 2000, OJ 2000 L 215/1.
[10] http://www.edoeb.admin.ch/dokumentation/00153/00262/00278/index.html?lang=en; http://www.export.gov/safeharbor/
[11] The Convention was signed on December 3rd 2012, entered into force on August 1st 2014 and replaces an earlier agreement from 1979; https://www.ssa.gov/international/Agreement_Texts/switzrld.html