International review of criminal policy - Nos. 43 and 44/SUBSTANTIVE CRIMINAL LAW PROTECTING PRIVACY/The development of national law

128. The penal provisions in privacy laws largely refer to the corresponding administrative provisions. Accordingly, first the administrative provisions are surveyed briefly and then the related questions of criminal law are dealt with.

1. Differing concepts of privacy laws

129. Special legislation against infringements of privacy have been past in most western legal systems. Moreover, the courts in most countries have also developed a civil action protecting privacy interests. An analysis of national laws demonstrates that various international actions have led to a considerable degree of uniformity among the general administrative and civil law regulations of national privacy laws. Most national privacy statutes include, for example, provisions addressing the limitation of data collection or the individual's right of access to his or her personal data. In spite of this tendency, considerable differences in general administrative and civil regulations remain. These differences concern the legislative rationale, the scope of application (especially with regard to legal persons and manually recorded data), the procedural requirements for commencing the processing of personal data and the substantive requirements for processing such data, as well as the respective control institutions.

130. The differences among the general administrative regulations are not only relevant for administrative law but to a significant extent also determine the existence of differences between criminal law provisions, which largely refer to these regulations. For example, one difference among criminal offences in various national privacy laws is found in the prohibition of the use of various types of data.

2. Differing acts covered by criminal law.

131. The main difference among the penal privacy offences, however, derive not from their general scope of application but from the different illegal acts that they cover . These differences in penal coverage are mainly caused by a divergent evaluation of the criminal character of privacy infringements and the role that penal law should play in this field. In some countries, especially Canada, Japan and the United States , criminal law is not widely used for privacy protection. In other countries, the criminal law includes comprehensive lists of severe criminal offences that refer to many of the actions regulated by administrative law. Some legislation even punishes negligent acts. In Finland, the Committee on Informational Crimes and, in France, the Commission for the Revision of the Penal Code intend to stress the importance of criminal sanctions of privacy legislations by implementing the most important infringements in their general penal codes.

132. The most important differences among the crimes against privacy in the various data protection laws emerge when the penal provisions are analysed in detail. Such a comparative analysis should differentiate four main categories of criminal privacy infringements, which are to be found particularly in European privacy laws:

1. The first main group of crimes against of privacy relates to infringements of substantive privacy rights and includes such acts as illegal disclosure, dissemination, obtaining of and/or access to data; unlawful use of data; illegal entering, modification and/or falsification of data with an intent to cause damage; collection, recording and/or storage of data, which is illegal for reasons of substantive policy; or storage of incorrect data. Detailed analysis of the respective criminal provisions indicates that these substantive infringements of privacy rights differ with regard not only to the data covered but also to the types of acts punished. They differ further according to the extent to which the described acts are permitted by law. Since the penal provisions either refer to the respective general provisions of the civil privacy laws or justify exceptions permitting the use of personal data by reference to general clauses, which are similar to those of the administrative provisions, all anomalies, inaccuracies and uncertainties in the field of administrative law can also be found within the corresponding penal provisions;
2. As a result of the uncertainties in the substantive provisions, many legal systems rely to a great extent on a second, and additional, group of offences and are directed towards enforcing various formal legal requirements or orders of supervisory agencies. These offences, included in most privacy laws, generally contain more precise descriptions of the prohibited conduct than do the substantive offences. However, these formal provisions also vary considerably among the various national laws. The main type of formal infraction covered in many states by penal law concerns infringement of the legal requirements for commencing the processing of personal data (e.g. registration, notification, application for registration, declaration or licensing). Additional, and considerably varying, offences that can be found in much of the European privacy legislation are infringement of certain regulations, prohibitions or decisions of the regulatory authorities; refusal to give information or release of false information to the regulatory authorities; refusal to grant access to property and refusal to permit inspections by regulatory authorities; obstruction of the execution of a warrant; failure to appoint a controller of data protection for a company; and failure to record the grounds or means for the dissemination of personal data;
3. A third type of criminal privacy infringement is infringement of access laws, e.g. the individual's rights to access information (freedom of information). With respect to a party's right of access, in many European countries it is an offence to give false information or not to inform the registered party or not to reply to a request;
4. Some countries go further and punish neglect of security measures with an administrative fine or even with a criminal sanction. This constitutes a fourth type of offence.