Recommendation of the Data Protection Commissioner
on
certain issues of handling data in connection with the Internet
CHAPTER I
The gaining ground of the Internet in Hungary, the attendant tide of new data subjects, the emergence of hitherto unknown needs and opportunities generated by the world-wide web, the shortcomings of international and domestic regulations, and the increasing number of requests addressed to my Office seeking redress or consultation in this special field - all these circumstances have made it necessary for me to issue a Recommendation on certain issues of handling data in connection with the Internet.
A Recommendation - in which I will make reference to my former statements on the subject - seems timely despite the fact that over the past year, certain "players" of the Internet (providers, web page operators, end-users) introduced a number of technical and organizational measures in order to enforce official Hungarian standards of privacy and disclosure, and opened new doors of access to information of public interest. Increasingly, we encounter start-up pages that display data protection rules and principles. The majority of national and local government agencies now have their own home page publicizing important information on the operation of the agency. On the receiving end, an increasing portion of users take steps to protect their personal data.
As a world-wide network of computers collecting, storing, forwarding and making available millions of personal data and data of public interest, the Internet possesses a number of characteristics that one cannot pass over in addressing issues of data protection. The Internet as a medium is:
A Recommendation - in which I will make reference to my former statements on the subject - seems timely despite the fact that over the past year, certain "players" of the Internet (providers, web page operators, end-users) introduced a number of technical and organizational measures in order to enforce official Hungarian standards of privacy and disclosure, and opened new doors of access to information of public interest. Increasingly, we encounter start-up pages that display data protection rules and principles. The majority of national and local government agencies now have their own home page publicizing important information on the operation of the agency. On the receiving end, an increasing portion of users take steps to protect their personal data.
As a world-wide network of computers collecting, storing, forwarding and making available millions of personal data and data of public interest, the Internet possesses a number of characteristics that one cannot pass over in addressing issues of data protection. The Internet as a medium is:
- public and, in theory at least, available for anyone;
- oblivious to national boundaries;
- rather vulnerable in terms of data security;
- a useful tool for opening access to data of public interest disclosed by various national and local government agencies;
- a potential source of inaccurate or untruthful information;
- apt to make room for illegal activity.
Most professional responses to events and phenomena related to the Internet affirm that the Web is not a realm of legal immunity. Although it is regulated in the majority of its functions, not all regulations can be applied to it without adjusting their form and content, and some of its areas call for altogether new legal rules of their own.
Since 1996 my Office has received a number of complaints about the handling of data on the Net, of users as well as others. One submission concerned the on-line hawking of Hungarian babies for adoption, complete with photos and personal data case. Several citizens questioned the legality of the police routine of demanding data from Internet providers; others took issue with on-line direct marketing practices. There was one complaint from an individual against a provider's disclosure of his data when registering his domain name.
By issuing this Recommendation I intend once again to alert legislators to the shortfalls of Hungarian regulations, and to urge providers and users to embrace and demand compliance with existing privacy provisions.
Since 1996 my Office has received a number of complaints about the handling of data on the Net, of users as well as others. One submission concerned the on-line hawking of Hungarian babies for adoption, complete with photos and personal data case. Several citizens questioned the legality of the police routine of demanding data from Internet providers; others took issue with on-line direct marketing practices. There was one complaint from an individual against a provider's disclosure of his data when registering his domain name.
By issuing this Recommendation I intend once again to alert legislators to the shortfalls of Hungarian regulations, and to urge providers and users to embrace and demand compliance with existing privacy provisions.
CHAPTER II
1. Data transfer abroad
Section 9 of Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Data of Public Interest (hereinafter: "DP&FOIA") provides that -
"Personal data shall not be transferred from the country to a data controller abroad, whatever the data medium or the mode of transmission is, except when consented to by the data subject or permitted by law, provided that the same principles of data protection shall be obeyed by the foreign controller in respect of each data."
This means that the receiving country must either have privacy regulations affording the same protection as the Hungarian standards, or else the foreign recipient of the data must sign a contract guaranteeing equivalent protection.
By making the data transfer subject to equivalent protection even if the subject's consent has been secured, this provision restricts the free flow of information. While the provision cannot be challenged with reference to the Strasbourg Convention for the protection of individuals with regard to automatic processing of personal data, dated 28 January 1981, and promulgated by Act VI of 1998, it does stand at odds with the data transfer provisions in Chapter IV of Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This is to be particularly regretted after the European Commission in July 2000 found that the level of privacy protection in Hungary was adequate, effectively rendering the flow of personal data from EU Member States to Hungary as unencumbered as if all parties to the transaction were members of the EU. The feasibility of enforcing section 9 of the DP&FOIA had always been doubtful, but the stipulation has become downright frivolous since electronic data transfer achieved ubiquity. The need is now pressing to replace this provision with one that is in tune with both the Directive and the concept of the right to informational self-determination.
2. Regulating unsolicited junk mail (spams)
In my estimation, spamming must be regarded as a case of handling data in abuse of the original purpose. Hungarian legislators will eventually have to decide whether to side with efforts to ban such activity altogether, or to legalize it subject to restrictions by amending Act CXIX of 1995 on Handling Names and Addresses in Research and Direct Marketing (hereinafter: "RDMA"). In the latter scenario, the legislation should follow Directive 2000/31/EC of the European Parliament and Council in requiring such messages to be clearly recognizable for recipients. It should also ensure, in harmony with the Directive and the provisions of the RMDA currently in force, that no such messages will be sent to users who do not wish to receive them. This amounts to the obligation of keeping opt-out records (a so-called "Robinson List").
3. Public-key cryptography
Privacy becomes especially vulnerable in the medium that is the Net, where the security of personal data in messages can only be guaranteed through the use of encrypting devices. Currently there is no prohibition in Hungary against the use of encryption software for civilian purposes. In the wake of some international precedents, it is to be expected that law enforcement agencies will push the Government to regulate this area and, subject to certain legal conditions, to grant them access to the codes. Having studied international experiences, I have come to the conclusion that it is harmful to curb the lawful use of civilian cryptography. The benefits of such a restriction for law enforcement are as dubious as its detriments to privacy are clear.
4. Electronic freedom of information
The rapid growth of computer networks everywhere not only raises new privacy issues but also enables citizens - not just inquisitive journalists - to exercise their right to freedom of information faster and cheaper than it has been possible in the past.
The notion of electronic freedom of information originated in the United States. There, the Electronic Freedom of Information Act of 1996, an amendment of freedom of information legislation dating from 1966, spells out a number of obligations for public institutions to facilitate the practical implementation of freedom of information. Most importantly, the U.S. federal administration must make available certain types of information of public interest controlled by it, either by posting on a computer network or, if the agency does not possess these means, in some other electronic format.
Hungary, too, has made the first steps toward electronic freedom of information. A number of ministries, administrative agencies and local governments now maintain their own home page. In December 2000, a Government Decision [1113/2000 (XII. 27) on Keeping Records of Data Assets Controlled by the Public Administration] issued the mandate to set up and post on a public network a record of types and sources of data of public interest handled by the administration. ("KIKERES")
In full support of the Government's measures to date aimed at establishing electronic freedom of information, I find it vital that the Parliament amend the DP&FOIA to require electronic posting of data of public interest under section 2(3). This would guarantee that the Internet is not merely a unilateral tool of information wielded by the administration but rather a new medium for the constitutional right of knowing data of public interest.
5. The need for regulation on the legislative level
Current Hungarian laws in force do not authorize Internet providers to control certain types of information. Some have argued convincingly that handling turnover and traffic data is an imperative of maintaining system security. In the future such activity will have to be classified as legal, with limits assigned to the scope of data collected.
In my opinion, the legally reassuring solution would be uniformly to modify and amend sectoral laws that regulate, among other things, the data-handling practices of Internet users and providers (such as the Telecommunications Act, the Direct Marketing Act, or the DP&FOIA itself). The example to follow here could be the data protection chapter (Teledienstedatenschutzgesetz) of Germany's 1997 Informations- und Kommunikationsdienste-Gesetz. This legislation contains a number of novel solutions: it regulates the institution of electronically granted consent to data processing, and it requires providers to contemplate privacy criteria early on by choosing the type of technology that will reduce the reliance on handling personal data to zero, or at least to a bare minimum.
This law offers the sensible compromise of satisfying the demands of data protection while enabling efficient marketing. It allows profiling based on observed user habits, but also stipulates that such data may be collected under a pseudonym only, that is in a form which cannot be linked to the real name and identity of the user.
The new regulations will have to define precisely the notion of "subjects" in the camps of users and providers alike, to assign to them specific rights and obligations in controlling information, and to help the fight against illegal intrusions over the network by reserving the option of recording and using data suitable to identify hackers.
Section 9 of Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Data of Public Interest (hereinafter: "DP&FOIA") provides that -
"Personal data shall not be transferred from the country to a data controller abroad, whatever the data medium or the mode of transmission is, except when consented to by the data subject or permitted by law, provided that the same principles of data protection shall be obeyed by the foreign controller in respect of each data."
This means that the receiving country must either have privacy regulations affording the same protection as the Hungarian standards, or else the foreign recipient of the data must sign a contract guaranteeing equivalent protection.
By making the data transfer subject to equivalent protection even if the subject's consent has been secured, this provision restricts the free flow of information. While the provision cannot be challenged with reference to the Strasbourg Convention for the protection of individuals with regard to automatic processing of personal data, dated 28 January 1981, and promulgated by Act VI of 1998, it does stand at odds with the data transfer provisions in Chapter IV of Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This is to be particularly regretted after the European Commission in July 2000 found that the level of privacy protection in Hungary was adequate, effectively rendering the flow of personal data from EU Member States to Hungary as unencumbered as if all parties to the transaction were members of the EU. The feasibility of enforcing section 9 of the DP&FOIA had always been doubtful, but the stipulation has become downright frivolous since electronic data transfer achieved ubiquity. The need is now pressing to replace this provision with one that is in tune with both the Directive and the concept of the right to informational self-determination.
2. Regulating unsolicited junk mail (spams)
In my estimation, spamming must be regarded as a case of handling data in abuse of the original purpose. Hungarian legislators will eventually have to decide whether to side with efforts to ban such activity altogether, or to legalize it subject to restrictions by amending Act CXIX of 1995 on Handling Names and Addresses in Research and Direct Marketing (hereinafter: "RDMA"). In the latter scenario, the legislation should follow Directive 2000/31/EC of the European Parliament and Council in requiring such messages to be clearly recognizable for recipients. It should also ensure, in harmony with the Directive and the provisions of the RMDA currently in force, that no such messages will be sent to users who do not wish to receive them. This amounts to the obligation of keeping opt-out records (a so-called "Robinson List").
3. Public-key cryptography
Privacy becomes especially vulnerable in the medium that is the Net, where the security of personal data in messages can only be guaranteed through the use of encrypting devices. Currently there is no prohibition in Hungary against the use of encryption software for civilian purposes. In the wake of some international precedents, it is to be expected that law enforcement agencies will push the Government to regulate this area and, subject to certain legal conditions, to grant them access to the codes. Having studied international experiences, I have come to the conclusion that it is harmful to curb the lawful use of civilian cryptography. The benefits of such a restriction for law enforcement are as dubious as its detriments to privacy are clear.
4. Electronic freedom of information
The rapid growth of computer networks everywhere not only raises new privacy issues but also enables citizens - not just inquisitive journalists - to exercise their right to freedom of information faster and cheaper than it has been possible in the past.
The notion of electronic freedom of information originated in the United States. There, the Electronic Freedom of Information Act of 1996, an amendment of freedom of information legislation dating from 1966, spells out a number of obligations for public institutions to facilitate the practical implementation of freedom of information. Most importantly, the U.S. federal administration must make available certain types of information of public interest controlled by it, either by posting on a computer network or, if the agency does not possess these means, in some other electronic format.
Hungary, too, has made the first steps toward electronic freedom of information. A number of ministries, administrative agencies and local governments now maintain their own home page. In December 2000, a Government Decision [1113/2000 (XII. 27) on Keeping Records of Data Assets Controlled by the Public Administration] issued the mandate to set up and post on a public network a record of types and sources of data of public interest handled by the administration. ("KIKERES")
In full support of the Government's measures to date aimed at establishing electronic freedom of information, I find it vital that the Parliament amend the DP&FOIA to require electronic posting of data of public interest under section 2(3). This would guarantee that the Internet is not merely a unilateral tool of information wielded by the administration but rather a new medium for the constitutional right of knowing data of public interest.
5. The need for regulation on the legislative level
Current Hungarian laws in force do not authorize Internet providers to control certain types of information. Some have argued convincingly that handling turnover and traffic data is an imperative of maintaining system security. In the future such activity will have to be classified as legal, with limits assigned to the scope of data collected.
In my opinion, the legally reassuring solution would be uniformly to modify and amend sectoral laws that regulate, among other things, the data-handling practices of Internet users and providers (such as the Telecommunications Act, the Direct Marketing Act, or the DP&FOIA itself). The example to follow here could be the data protection chapter (Teledienstedatenschutzgesetz) of Germany's 1997 Informations- und Kommunikationsdienste-Gesetz. This legislation contains a number of novel solutions: it regulates the institution of electronically granted consent to data processing, and it requires providers to contemplate privacy criteria early on by choosing the type of technology that will reduce the reliance on handling personal data to zero, or at least to a bare minimum.
This law offers the sensible compromise of satisfying the demands of data protection while enabling efficient marketing. It allows profiling based on observed user habits, but also stipulates that such data may be collected under a pseudonym only, that is in a form which cannot be linked to the real name and identity of the user.
The new regulations will have to define precisely the notion of "subjects" in the camps of users and providers alike, to assign to them specific rights and obligations in controlling information, and to help the fight against illegal intrusions over the network by reserving the option of recording and using data suitable to identify hackers.
CHAPTER III
The privacy rights and obligations of users and providers
1. General requirements of privacy
It is the legal duty of every user and provider to comply with the DP&FOIA in all acts of controlling data. The responsibilities highlighted in the clauses below do not constitute a complete list of these obligations. It is important to remember that unlawful data control is subject to liability for damages and may carry sanctions under criminal law.
2. Data security
I warn all providers that they owe a special responsibility for the security of personal data under their control. Pursuant to section 10 of the DP&FOIA, "Data controller and within its competence the data processor shall ensure data security and shall take all technical and organizational measures and develop rules of procedure, required to the enforcement of this Act and other regulations concerning data protection and secrecy." Subject to section 18, the data controller is liable to compensate the subject for any damage caused by non-compliance with privacy regulations. Exemption from this liability is subject to proving that the damage arose from an unavoidable cause beyond the scope of data control.
3. Notification
Under the DP&FOIA, data subjects must be advised on certain circumstances before personal information is collected from them: For what purpose are the data going to be used? Are they to be supplied on a compulsory or voluntary basis? Who are going to control and process these data? Answers to these questions must be given in advance on a mandatory basis, while other details must be supplied only if requested by the subject. The law requires providers contracting with individual users to advise them, expediently at the time of executing the contract, on how their data are going to be handled, and to satisfy any further requests about the fate of personal data. Under the DP&FOIA, server operators and content providers who acquire personal data in the course of providing service must advise users of this fact before collecting their data. The Recommendation of the Council of Europe No. R 99(5) for the protection of privacy on the Internet suggests posting an explicit privacy statement on the main web page, with links to information about the scope, method and duration of using the data obtained.
It is my belief that, beyond supplying information on the fate of data in their possession, providers should also caution users against the threats to privacy lurking on the Net, as well as direct their attention to technologies enabling secure communication.
4. Enforcing user rights
I warn all users that their privacy becomes especially vulnerable on the Net. I encourage them to press their providers for sharing data protection policies, and to contact my Office with any complaints about data protection. It will serve them well to seek their provider's advice on privacy-enhancing technologies, and to protect their personal data by using encryption software.
As players of the Net, users themselves may come into possession of personal data, such as names, e-mail addresses etc. If they do, they will be subject to the same provisions of the DP&FOIA: generally, they may transfer or disclose these data only as allowed by law, or specifically upon the consent of the subject.
1. General requirements of privacy
It is the legal duty of every user and provider to comply with the DP&FOIA in all acts of controlling data. The responsibilities highlighted in the clauses below do not constitute a complete list of these obligations. It is important to remember that unlawful data control is subject to liability for damages and may carry sanctions under criminal law.
2. Data security
I warn all providers that they owe a special responsibility for the security of personal data under their control. Pursuant to section 10 of the DP&FOIA, "Data controller and within its competence the data processor shall ensure data security and shall take all technical and organizational measures and develop rules of procedure, required to the enforcement of this Act and other regulations concerning data protection and secrecy." Subject to section 18, the data controller is liable to compensate the subject for any damage caused by non-compliance with privacy regulations. Exemption from this liability is subject to proving that the damage arose from an unavoidable cause beyond the scope of data control.
3. Notification
Under the DP&FOIA, data subjects must be advised on certain circumstances before personal information is collected from them: For what purpose are the data going to be used? Are they to be supplied on a compulsory or voluntary basis? Who are going to control and process these data? Answers to these questions must be given in advance on a mandatory basis, while other details must be supplied only if requested by the subject. The law requires providers contracting with individual users to advise them, expediently at the time of executing the contract, on how their data are going to be handled, and to satisfy any further requests about the fate of personal data. Under the DP&FOIA, server operators and content providers who acquire personal data in the course of providing service must advise users of this fact before collecting their data. The Recommendation of the Council of Europe No. R 99(5) for the protection of privacy on the Internet suggests posting an explicit privacy statement on the main web page, with links to information about the scope, method and duration of using the data obtained.
It is my belief that, beyond supplying information on the fate of data in their possession, providers should also caution users against the threats to privacy lurking on the Net, as well as direct their attention to technologies enabling secure communication.
4. Enforcing user rights
I warn all users that their privacy becomes especially vulnerable on the Net. I encourage them to press their providers for sharing data protection policies, and to contact my Office with any complaints about data protection. It will serve them well to seek their provider's advice on privacy-enhancing technologies, and to protect their personal data by using encryption software.
As players of the Net, users themselves may come into possession of personal data, such as names, e-mail addresses etc. If they do, they will be subject to the same provisions of the DP&FOIA: generally, they may transfer or disclose these data only as allowed by law, or specifically upon the consent of the subject.
CHAPTER IV
I make my Recommendation as follows:
- advise the legislative body
- to amend the DP&FOIA in order to harmonize its rules of cross-border data transfer with those of Directive 95/46/EC, and to promote electronic freedom of information by requiring a specific range of data of public interest to be posted in the electronic media;
- to modify relevant sectoral laws as a means of enacting spam regulations, legalizing the control of traffic-related data, and staking out legal options to combat hackers;
- always to consult industry representatives before finalizing regulations concerning the Internet.
- call on providers to follow privacy regulations in fashioning their data controlling practices; to publicize their privacy policies and measures; and to inform users on the options of protecting personal data. Providers have a special responsibility to safeguard the personal data they handle and to ensure the technical background of privacy. I stress the providers' liability properly to inform users at the time of collecting personal data from them.
- For network users my recommendation above all is to keep track of their providers' privacy policies. I encourage them to make use of privacy-enhancing tools, and I invite providers to assist them in this effort. Under the new circumstances, no regulation can be effective without the aid of technology protecting the privacy and personal data of users.
Budapest, 1 February 2001
Dr. László Majtényi
Dr. László Majtényi