International review of criminal policy - Nos. 43 and 44/SUBSTANTIVE CRIMINAL LAW PROTECTING PRIVACY/International harmonization

1. Harmonization of underlying administrative and civil law

133. In the field of administrative and civil privacy legislation, various international organizations have developed a common approach to privacy protection in order to prevent the proliferation of different concepts and national regulations that would impede the transborder flow of data. The main work in this field has so far been accomplished by OECD, the Council of Europe and the European Union.

The OECD guidelines

134. In 1977, OECD began to elaborate guidelines governing the protection of privacy and transborder flows of personal data. These guidelines were adopted by the Council of OECD in 1980 as a recommendation to the member States. The eight main points of the guidelines concern the principles of limitation on collection; data quality; specification of purpose; limitation of use; security and safeguards; openness; individual participation; and accountability.

Activities of the Council of Europe

135. In 1980, the Committee of Ministers of the Council of Europe, which had been considering privacy concerns since 1968, adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. In contrast to the OECD guidelines, which are voluntary in nature, the Council of Europe Convention is a contractual commitment of the ratifying States and is legally binding. It formulates 10 basic principles representing minimum standards that must be incorporated in the legislation of the contracting States. Although similar to those of OECD, these principles are narrower and more specific.

136. Further initiatives were undertaken by the Committee of Experts on Data Protection of the Council of Europe. Since the opening for signature of the Convention, the Committee has pursued a sectoral approach to data protection issues aimed at elaborating guidelines, in the form of non-binding

recommendations, addressed to the Governments of the member States.

Proposals of the European Union

137. The European Union started to harmonize privacy laws in 1976. A decisive breakthrough for European privacy protection was reached in September 1990, when the Commission of the European Communities submitted a draft package containing six proposals in the field of personal data protection and information security. The package included the draft of a general directive on data protection applicable to all personal data files within the scope of European Union law. Within the context of the IMPACT2 program of the European Union, the Commission intends to elaborate, when necessary, the instruments concerning personal data protection in specific sectors of information services, mailing list services, credit ratings and solvency services.

Activities of the United Nations

138. In 1988, the Subcommission on the Prevention of Discrimination and the Protection of Minorities of the Commission on Human Rights elaborated draft guidelines for the regulation of computerized personal data files (E/CN.4/Sub.2/1988/22, annex I). In its resolution 45/95, the General Assembly adopted a revised version of these guidelines, which contain principles similar to those of the OECD guidelines and the Council of Europe Convention.

2. Harmonization of criminal law

139. In contrast to the progress achieved in administrative and civil privacy law, international harmonization in the field of criminal privacy law has still not really begun. The main initiative is being undertaken by the Council of Europe. The above-mentioned Convention of the Council of Europe contains, in article 10, a provision stating that "each party undertakes to establish appropriate sanctions and remedies for violation of ... the basic principles for data protection". However, this clause allows States to determine the nature of the sanctions and remedies (civil, administrative or criminal), as well as their scope of application.

140. Further studies to harmonize criminal privacy law were undertaken in the course of the work of the Select Committee of Experts on Computer-Related Crime of the Council of Europe, mentioned in paragraphs 119-122. The Committee recommended six basic principles that should be taken into account by member States when enacting legislation in the field of computer-related criminal privacy:

1. "The protection of privacy against offences caused by modern computer technology is of great importance. However, this protection should be based primarily on administrative and civil law regulations. Recourse to criminal law should be made only as a last resort. This means that criminal sanctions should be used only in cases of severe offences in which adequate regulation cannot be achieved by administrative or civil law measures (ultima ratio principle);
2. The respective criminal provisions must describe the forbidden acts precisely and should avoid vague general clauses. A precise description of illegal acts, without however resorting to a casuistic legislation technique, can easily be achieved, for example, for specific sensitive data. In cases in which precise descriptions of illegal acts are not possible, due to the necessity of a difficult balancing of interests (privacy versus freedom of information), criminal law should decline to incriminate substantive infringements of privacy and adopt a formal approach, based on administrative requirements of notification of potentially harmful data-processing activities. Failure to comply with these notification requirements and to obey regulations of the data protection authorities could then be subject to sanctions. These formal offences are in accordance with the principle of culpability as long as they can be considered bans per se (Gefährdungsdelikte, délits-obstacles), which punish the endangering of privacy rights. In many areas, criminal privacy infringements, therefore, would presuppose both the infringement of formal requirements as well as the endangering of substantive privacy rights (principle of precision in the wording of criminal law);
3. The criminalized acts should be described as clearly as possible by the respective penal law provisions . Therefore, a too-extensive use of the referral technique (that is, the technique pursuant to which activities regulated outside the penal law provisions are criminalized by reference) makes criminal provisions unclear and incomprehensible and should be avoided. If implicit or explicit references of the criminal law are used , the criminal provision itself should at least give an adequate idea of the forbidden acts (clearness principle);
4. Different computer-related infringements of privacy should not be criminalized in one global provision . The principle of culpability requires a differentiation according to the interests affected, the acts committed and the status of the perpetrator, as well as of his intended aims and other mental elements (principle of differentiation);
5. In principle, computer-related infringements of privacy should only be punishable if the perpetrator acts with intent. Criminalization of negligent acts should be an exception requiring a special justification (principle of intent);
6. Minor computer-related offences against privacy should be punished only in accordance with Council of Europe Recommendation No.(87)18 on the simplification of criminal justice, on complaint of the victim or of the Privacy Protection Commissioner or of the Privacy Protection Authority (principle of complaint)."

141. In future, further harmonization of criminal privacy law might be achieved along the lines outlined in the draft directive of the European Union. Chapter VII, article 23, of that draft directive, which concerns sanctions , demands that each member State provide in its laws the use of "sufficient sanctions" to guarantee the rules based on the directive.

142. The issue of privacy protection was also discussed at the AIDP Colloquium on Computer Crime and Other Crimes against Information Technology (see paragraphs 116-126). The discussion demonstrated significant differences of opinion as to the means by which and the degree to which protection should be afforded by administrative , civil, regulatory and criminal law. The draft resolution of the colloquium recommended, therefore, that "non-penal measures should be given priority, especially where the relations between the parties are governed by contract" and that criminal provisions "should only be used where civil law or data protection law do not provide adequate legal remedies".

143. The Colloquium noted the basic principles, as advanced by the Council of Europe, that should be taken into account by States when enacting criminal legislation in this field. The draft resolution of the Colloquium proposes further that criminal provisions in the privacy area should in particular:

1. "Be used only in serious cases, especially those involving highly sensitive data or confidential information traditionally protected by law;
2. Be defined clearly and precisely rather than by the use of vague or general clauses (Generalklauseln), especially in relation to substantive privacy law;
3. Differentiate as between varying levels and requirements of culpability;
4. Display caution, in particular, as regarding matters of intent;
5. Permit the prosecutorial authorities to take into account, in respect of some types of offences, the wishes of the victim regarding the institution of prosecution."

144. The draft resolution also noted as follows:

"The significance of protecting privacy interests in the transformed information age should be recognized, but also balanced by the legitimate interests in the free flow and distribution of information within society. These interests include the right of citizens to access, by legal means consistent with international human rights, information about themselves which is held by others."

145. The Colloquium concluded that further study of this issue should be undertaken.