A number of concepts are critical to an understanding of the topic. Data protection legislation has historically applied where personal data concerning an identifiable individual is processed by a data controller using automated equipment. Developments in technology make it increasingly difficult to apply these concepts. Data that a decade ago would have been anonymous can now readily be linked to an individual. The emergence of cloud computing technology also creates legal complications in determining where processing takes place and which legal system will govern conduct. This chapter will focus on definitional issues in order to provide a basis for more detailed discussion of the application of data protection legislation in the following chapters.
Chapter
3. The scope of data protection
Chapter
5. The data protection principles
The notion that data controllers should comply with a set of general data protection principles has been a feature of data protection statutes from the earliest days. As well as imposing obligations on controllers, the principles also confer rights – most notably relating to subject access on data subjects. This chapter will consider the scope and extent of the principles paying particular attention to the requirement that personal data be processed fairly and lawfully. A topic of more recent interest relates to the length of time for which data may be held and made available to third parties. Often referred to as involving the “right to be forgotten”, this is especially relevant to the operation of search engines which make it easy for users to find news stories what would have passed into obscurity in previous eras. The chapter considers also at the operation of the principle requiring users to adopt appropriate security measures against unauthorized access, a topic which is of particular relevance given recent and well publicised large-scale cyber-attacks.
Chapter
2. The beginnings of data protection
Data protection has, at least in western Europe, been seen as a key element of the legal response to the issue of information surveillance. Dating back to the 1970s and 1980s, many data protection laws are, as is the case in the UK, in their 3rd generation of statutes. The scope (and length) of these statutes has expanded significantly although the core data protection principles have remained essentially unaltered. In addition to developments within the EU there have been data protection initiatives within international fora such as the Council of Europe, the Organisation for Economic Cooperation and Development (OECD), the UN, and the Asia-Pacific Privacy Charter initiative. As with early UK developments where commercial pressure driven by the need to guarantee the free movement of data to and from the UK played a major role in the introduction of the first statute – the Data Protection Act 1984 – so commercial factors are once again at play with multi-national companies tending to argue that it is easier for them to comply with a global set of data protection rules – even though restrictive of their commercial freedom, than to have to comply with different rules in every country in which they do business.