Where have all the judges gone? Reflections on judicial involvement
in developing data protection law
[Published in P. Wahlgren (ed.), IT och juristutbildning. Nordisk årsbok i rättsinformatik 2000
(Stockholm: Jure AB, 2001), pp. 113–125; also published in Privacy Law & Policy Reporter,
2000, volume 7, pp. 11–14, 33–36]
Lee A. Bygrave
In this day and age, when alternative dispute resolution (ADR) is all the rage, it seems rather
quaint to pose the question opening the title of this article. Indeed, one might well invite ridicule
were the question to be voiced in any way that bespeaks a wistful yearning for judges. For these
days, the courts are often viewed as cumbersome, bumbling behemoths that should be bypassed
for ostensibly faster, cheaper, more flexible, and more sector-specific systems of adjudication.
So, in answer to the above question, many acolytes of ADR would reply: ‘Who cares where all
the judges are? And good riddance to them too if they’re not around!’.
In this article, I want ultimately to reflect on the propriety of such a reply. On the way to doing
so, it is necessay first to elaborate on just where the judges are and have been in the context of
data protection law.
Judicial involvement – the state of play
As a starting point, we find that in many countries, court involvement in interpreting and
applying data protection statutes has been minor, if not marginal. There seem to be few judicial
decisions in which the interpretation of such legislation figures centrally. This is not a unique
feature of data protection law but it is certainly striking.
In Norway, for example, there has only been one instance – over a period of two decades – in
which an appeal from a decision of the country’s data protection authority, the Data Inspectorate,
has been treated by the courts.1 Apart from that case, only one other notable example exists of
judicial commentary on Norway’s main piece of data protection law, the Personal Data Registers
Act (PDRA) of 1978.2 In neither case can the court decisions be characterised as ground-breaking
or even significantly helpful for interpretation and application of the PDRA.3
1
2
3
See the decisions of the Norwegian Supreme Court and Oslo City Court in the so-called ‘psychosis-register’ case of 1994: Norsk
Retstidende (Rt) 1994, 691. Even in that instance, the judicial proceedings in the matter were only indirectly linked to the
complaints process in which the Data Inspectorate was involved.
See the decision of the Supreme Court in the so-called ‘snack-bar’ case of 1991: Rt 1991, 616.
In the ‘psychosis-register’ case, the provisions of the PDRA were touched upon only very briefly, with the Supreme Court
making the (obvious) point that registration of personal data in violation of a legal duty of confidence would be unlawful even if
the registration is licensed pursuant to the PDRA. The Court went on to hold that such data can rightfully be erased without
regard to the other conditions for erasure stipulated by the Act: Rt 1994, 698. In the ‘snack-bar’ case, the Supreme Court was
called upon to assess the lawfulness of video-recordings secretly made by a snack-bar owner of his employees working in the bar.
Such a state of affairs is not unique to Norway. In Australia, there has not been a single case of a
court directly interpreting aspects of the federal Privacy Act 1988. In Denmark, there have only
been three cases in which a court has handled an appeal stemming from a decision of the
country’s data protection authority.4 In the UK, only a handful of court decisions have arisen
which address the proper application of the 1984 or 1998 Data Protection Act.5
There are exceptions to this pattern. For example, application of the US federal Privacy Act of
1974 has given rise to relatively extensive court litigation.6 This is not surprising given the
absence in the USA of an independent data protection authority and the weakness of alternative
oversight bodies.7 At the same time, the courts’ ability to influence the way in which US federal
government agencies implement the provisions of the Privacy Act has been severely restricted.
The range of remedies given to courts pursuant to the Act is narrow.8 A federal court can only
issue enforcement orders relating to the exercise of a person’s rights to access and rectify
information relating to him- or herself. A court can also order relief for damages in limited
situations. But a court cannot otherwise order agencies to change their data-processing practices.
This effectively marginalises the role of the US judiciary when it comes to ensuring
implementation of large swathes of the Privacy Act provisions.
Why have courts often taken a backseat in the interpretation and application of data protection
laws? There are several factors here. One important factor has to do with the existence and
regulatory strategies of data protection authorities. In dealing with complaints, these authorities
often put weight on conciliation rather than confrontation,9 and this approach tends to head off
court litigation.
Another important factor is that, in some countries, appeals from decisions of data protection
authorities, or complaints which authorities fail to resolve, do not go directly to ordinary courts
for adjudication but to other quasi-judicial bodies first. Examples of such bodies are the
Complaints Review Tribunal in New Zealand and the Data Protection Tribunal in the UK.
Appeals from these bodies to the courts can only be on a question of law as opposed to fact. In
some other countries, appeals from decisions of the data protection authorities have been handled
first by an ordinary government department with the possibility of further appeal to the courts
being restricted to questions of law. This has been the case in Norway where appeals from the
Data Inspectorate have usually gone to the Ministry of Justice.
4
5
6
7
8
9
In the course of its assessment, the Court expressed some doubt that the video-recordings constituted a ‘personal data register’
pursuant to the PDRA: Rt 1991, 622. The Court’s comments, though, were strictly obiter dicta.
According to an electronic mail of 26.1.1999 sent to me from the Danish expert in data protection, Peter Blume. He adds that
there might be one or two other court cases that he does not know of but that, in any case, Danish courts have played and continue
to play a marginal role in this area of law.
See SNL Chalton, SJ Gaskill & JAL Sterling (eds), Encyclopedia of Data Protection (London, 1988–1997), vol 2, part 6. The
1984 Act has now been repealed with the entry into force in March 2000 of the 1998 Act.
See generally PM Schwartz & JR Reidenberg, Data Privacy Law: A Study of United States Data Protection (Charlottesville,
Virginia, 1996), chapt 5.
Ibid, 118ff (reviewing the efficacy of these alternative bodies).
Ibid, 100, 114ff (describing these remedies and their effectiveness).
My impressions here are based on perusal of the annual reports issued by the data protection authorities of Australia, Denmark,
Norway, Switzerland and the UK. See also the detailed description of enforcement practices in Sweden, France, Germany and
Canada provided by David Flaherty in his work, Protecting Privacy in Surveillance Societies (Chapel Hill/London, 1989).
2
There are also jurisdictions where the possibility for court appeal from the decisions of the
national data protection authority has been largely eliminated. This is the case, for example,
under Australia’s federal Privacy Act with respect to determinations by the Privacy
Commissioner of complaints against federal government agencies.10 Insofar as the Act regulates
the activities of other bodies, provision is made under s 55 for the Federal Court to institute
hearings de novo of complaints with respect to such activities, though only in the context of
enforcing complaint determinations by the Commissioner. Enactment of the Privacy Amendment
(Private Sector) Bill 2000 is unlikely to result in significantly increased court involvement in
interpretation and application of the Act as the Bill does not provide for a direct right of appeal to
the courts (or any quasi-judicial body) from decisions of either the Privacy Commissioner or any
of the complaint bodies to be set up under envisaged sectoral codes of practice.11
A range of other factors also play a role in reducing court involvement. For instance, in many
countries, courts have a long and well-known tradition of refusing to overturn decisions of
administrative agencies when the matter in dispute turns on the exercise of the agencies’
discretionary powers. The extent of such powers is often considerable under data protection
laws.12 Of course, to a significant extent, innovative and enterprising courts can work their way
past the barriers to judicial review which are posed by the exercise of broad administrative
discretion. Courts can also sometimes work their way around similar barriers posed by the
question-of-fact / question-of-law distinction. Nevertheless, courts are often reluctant to push
against the outer boundaries of their review powers. This reluctance is not necessarily due just to
a belief that pushing against these boundaries is legally improper. Sometimes it is due also to the
courts already being burdened by large case-loads.
Finally, there are factors that arguably relate more to the broad cultural characteristics of a
particular jurisdiction than to strictly legal matters. For instance, the corporate cultures of some
countries – Norway is a pertinent example here – are relatively unlitigious and unaggressive in
exploiting or testing legal rights and obligations. In other words, these cultures lack a corporate
push to carry appeals up through the administrative-legal hierarchy.
Nevertheless, courts in some countries have played a significant role in steering the direction of
data protection laws. The most notable case is the landmark decision of 15 December 1983 by the
German Federal Constitutional Court.13 This ruling struck down parts of the federal Census Act
for lack of data protection guarantees. In the process, the Court found a right to ‘informational
10
11
12
13
See s 58 of the Act. A limited right of appeal to the Administrative Appeals Tribunal for review of orders on compensation and
expenses is provided for under s 61 (though government agencies may only appeal if permitted by the federal Attorney-General).
Judicial review of the Commissioner’s decisions could always be sought pursuant to the Administrative Decisions (Judicial
Review) Act 1977 (Cth) but such review will not address the merits of the Commissioner’s policy choice except insofar as an
error of law is involved. At the same time, a respondent to an unfavourable complaint determination made under the Privacy Act
could effectively obtain full judicial review of the determination by simply refusing to abide by it, as court enforcement of the
determination may only occur on the basis of a Federal Court hearing de novo of whether the respondent has breached the
complainant’s privacy (see proposed new s 55A(5) of the Privacy Act). Unfortunately, the Privacy Amendment (Private Sector)
Bill 2000 does not afford complainants with a similar review possibility. See further G Greenleaf, ‘Submission on the Privacy
Amendment (Private Sector) Bill 2000’, 14 May 2000, at <http://www2.austlii.edu.au/~graham/CyberLRes/2000/5/#Heading5>.
See, eg, s 72 of Australia’s federal Privacy Act (dealing with the federal Privacy Commissioner’s power to make ‘public interest’
determinations); ss 10–11 of Norway’s Personal Data Registers Act (dealing with the Data Inspectorate’s power to authorise
establishment and running of personal data registers); clause 3, Fourth Schedule to New Zealand’s Privacy Act 1993 (dealing
with the power of the Privacy Commissioner to approve certain aspects of data matching).
See 65 BverfGE (Entscheidungen des Bundesverfassungsgerichts), 1.
3
self-determination’ pursuant to Arts 1(1) and 2(1) of the Federal Republic’s Grundgesetz. The
decision helped stimulate efforts to revise and strengthen Germany’s federal data protection
legislation.
At an international level, we should not overlook the case law of the European Court of Human
Rights (ECtHR) pursuant to Art 8 of the European Convention for the Protection of Human
Rights and Fundamental Freedoms (ECHR) of 1950. Over the last 15 years or so, and with
increasing intensity, the ECtHR has helped make plain and clear where the principal formal
normative underpinnings of European data protection laws lie – they lie in the field of human
rights, more specifically in the ambit of the right to respect for private life stipulated in Art 8 of
the ECHR.14 In this way, the Court has helped influence the way we conceptualise data protection
laws, at least within a trans-European context. However, the Court has also helped to highlight
the close relationship between traditional rule-of-law doctrines and the central principles of data
protection laws.15 For example, the principles of purpose specification, transparency and
information quality which we find in most data protection laws can and should be seen as
promoting the certainty and foreseeability of data processing outcomes and thereby reducing
arbitrariness.
At the same time, the case law of the ECtHR has helped to show that the provisions of Art 8 of
the ECHR can function as an important data protection instrument in their own right. It is
questionable, though, just how much Art 8 – and similar provisions in other international human
rights treaties – add to the more specific data protection instruments. The case law pursuant to Art
8 touching upon data protection is now relatively extensive. In that case law, the Strasbourg
Court has inched towards a recognition of various data protection guarantees in Art 8.16
Nevertheless, the Court has made few references to the requirements found in the laws dealing
specifically with data protection.
Further, while the data protection case law on Art 8 is considerable, it is also somewhat
confusing. The confusion arises largely because of the frequent failure by the ECtHR to indicate
exactly which elements of the contested data-processing practices have constituted an
interference with respect to Art 8(1). Too often the Court has failed to make clear exactly which
element of the contested data-processing practice has interfered with the right under Art 8(1); too
often has there been a concomitant failure to describe the threatened interest.17
Moreover, much of the case law concerns data processing in a rather special context (ie, secret
surveillance activities by police or intelligence agencies), while virtually none of it deals with
private entities’ data-processing practices. Indeed, the issue of whether or not Art 8 provides
protection against the data-processing activities of private bodies has still not been conclusively
determined by the ECtHR. While it is extremely doubtful that the Court would refuse to construe
Art 8 as providing some measure of protection against the data-processing activities of private
bodies, the exact extent of such protection to be afforded is uncertain.18
14
15
16
17
18
See generally LA Bygrave, ‘Data Protection Pursuant to the Right to Privacy in Human Rights Treaties’ (1998) 6 International
Journal of Law and Information Technology, 247, 254ff.
Ibid, 270ff.
Ibid, 254ff.
Ibid, 269.
Ibid, 257–259 and references cited therein.
4
The case law of the ECtHR pursuant to Art 8 will probably continue to have most direct impact
on the data-processing practices of police and state intelligence agencies. This is particularly
because the practices of these agencies formally fall outside the scope of the EC Directive on data
protection.19 The important practical contribution of the ECtHR in this respect will continue to be
to elaborate on the procedural safeguards for individuals with respect to data processing by such
agencies. We already see that these elaborations are having an effect on mainstream data
protection discourse. For instance, the Data Protection Working Party established pursuant to Art
29 of the EC Directive on data protection makes extensive reference to Art 8 case law in its
Recommendation 2/99 on the respect of privacy in the context of interception of
telecommunications, adopted on 3 May 1999.20
We should not underestimate the impact of case law more generally on the development of data
protection law. Case law stretching across a broad range of fields – from judicial review of
government decision making to defamation to duties of confidence to trespass to copyright – has
fertilised the ground for planting the seeds of law on data protection. It has also provided some of
these seeds.21
It would be wrong, though, to characterise courts as uniformly interested in, or enthusiastic about,
protecting the basic interests promoted by data protection law. Contrast, for example, the
reluctance of courts in the UK and Australia to develop or recognise a specific right of privacy
under common law with the eagerness of US courts to embrace such a right.22
This difference in judicial attitudes – and the possible reasons for the difference – make up one of
the most fascinating aspects of the ‘prehistory’ of data protection law. A large variety of claims
abound as to why these differences emerged.23 I shall not dwell on these claims here, suffice to
note that even though these differences surfaced during the prehistory of data protection law, they
are still bound to have an impact on judicial decision making today and in the future. It will be
interesting to see, for example, how English judges’ traditional dislike for concepts like privacy
which are nebulous, potentially far-reaching and difficult to box neatly, will carry over to their
decision making on the privacy right that has recently been incorporated, along with the rest of
the ECHR, into English law.24
The other point we should take with us in relation to the attitudes of English and Australian
courts is that they helped create a need for data protection legislation. The steadfast refusal of
these courts to develop a specific right of privacy under common law, together with their
concomitant steadfast adherence to the doctrine of parliamentary supremacy, resulted in an ad
19
20
21
22
23
24
See Art 3 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data.
Available at <http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp18en.htm>.
See further LA Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits (Oslo, 1999), chapt 6, section 6.4.1.
See inter alia L Brittan, ‘The Right of Privacy in England and the United States’ (1963) 37 Tulane L Rev, 235–268; G Dworkin,
‘Privacy and the Law’, in JB Young (ed), Privacy (Chichester, 1978), 113, 115ff.
See, eg, J Martin & ARD Norman, The Computerized Society (Englewood Cliffs, New Jersey, 1970), 468 (claiming that the
social need to develop a right to privacy at common law was not as great in the UK as it was in the USA); BW Napier,
‘International Data Protection Standards and British Experience’ (1992) 1 Informatica e diritto, 83, 85 (attributing the nondevelopment of a right to privacy in English common law to the ‘narrow-mindedness’ of English judges).
See Human Rights Act 1998 (UK), fully in force on 2 October 2000.
5
hoc, interstitial protection of informational privacy under Anglo-Australian common law. This
helped create a need for relatively comprehensive data protection legislation in both jurisdictions.
Parallels to this dynamic can arguably be found also in other jurisdictions – such as the
Netherlands – where courts were slow or sporadic in protecting privacy interests.25
All of the judicial activity outlined above still does not discount the fact that courts have
generally been on the side-line when it comes to interpreting and applying laws dealing
specifically with data protection. The question that we now must raise is whether this sidelining
of the judiciary has any problematic consequences.
Problematic consequences of marginalising the judiciary
The paucity of court decisions touching directly on data protection laws hampers our ability to
arrive at firm conclusions on the proper interpretation of such legislation. This ability is already
hampered by the diffuse formulation of many of these laws’ provisions, a difficulty frequently
compounded by sparse and/or nebulous commentary in the preparatory works and explanatory
memoranda for the laws.
In particular, there is an urgent need for rulings by the European Court of Justice on the EC
Directive on data protection. The Directive is intended to steer the legislative strategies of a large
number of countries yet many of its provisions are difficult to comprehend. We find some
national case law starting to emerge which touches on how to properly construe certain
provisions of the Directive but, to my knowledge, this hardly amounts to more than a trickle. A
lonely example is the case of R v Department of Health; ex parte Source Informatics Ltd,26
decided by the UK Court of Appeal on 21 December 1999. Amongst other things, the Court had
to consider if the action of anonymising sensitive data falls within the Directive’s definition of
data ‘processing’, such that the anonymisation process itself has to meet the conditions laid down
in Art 8 of the Directive. Taking a purposive approach, the Court sensibly held that the Directive
does not set limitations on anonymisation of data in this way. Again, though, this decision is
hardly ground-breaking.
Also of concern is that the marginalisation of courts contributes to a marginalisation of data
protection law. It is my impression that data protection laws figure little in the consciousness of
most lawyers. I do not think this is because lawyers generally believe that little money is to be
gained from expertise in the field relative to other legal areas. I think it has more to do with the
scarcity of case law of the type with which lawyers are most comfortable. The scarcity of such
case law helps give data protection law a dull if not ‘poor cousin’ status relative to the apparently
more glamorous and litigation-intensive areas of law like defamation, trade secrets and the like.
This poor cousin status means, in turn, that data protection laws are poorly understood by the
majority of lawyers and citizens (reinforcing again their poor cousin status). It could be argued
that this status also detracts from the general authority of, and respect for, data protection law in
the community. I am uncertain if this argument has any merit but it is worth keeping in mind.
25
26
See further F de Graaf, Rechtsbescherming van persoonlijkheid, privéleven, persoonsgegevens (Utrecht, 1977).
[2000] 1 All ER 786; [2000] 2 WLR 940.
6
What is more problematic is that the marginalisation of courts reduces their ability to function as
a corrective to the development of data protection law and policy. To some extent, data protection
authorities and data protection advocates constitute a club. It is quite a cosy club, even though
tensions do exist. In such a situation, there is a great risk that the members of this club develop
rather narrow mindsets. There is also a risk that they start assuming too much. Courts that are
normally outside the data protection club can provide a useful corrective here.
This point is well-illustrated by the House of Lords’ decision in the case of R v Brown.27 The case
turned on the issue of whether or not a person who simply gains access to personal data by
calling those data on to a computer screen and viewing them, ‘uses’ the data within the meaning
of s 5(2)(b) of the UK Data Protection Act 1984 (now repealed). Section 5(2)(b) prohibited the
‘use’ of personal data for certain purposes. The term ‘use’ was not defined in the Act. By a threeto-two majority, the House of Lords found that accessing data as described above did not involve
‘use’ of the data within the meaning of s 5(2)(b). The Brown decision took many in the data
protection club by surprise. The view of the court majority in the case was looked upon by some
with a mixture of exasperation and ridicule. The important aspect of the Brown decision was that
it demonstrated the need for statutory definitions of terms that are apparently obvious in their
meaning. In other words, we cannot take for granted that everyone outside the data protection
club – most importantly, the vast mass of data controllers and data subjects – will understand
commonly used terms in data protection legislation in the same way as the club members do. The
Brown decision highlights, in turn, the need for more guidance from legislators on the ambit of
data protection laws.
The extent to which we should be concerned about the lack of court involvement depends also on
the extent to which data protection authorities and any administrative appeals bodies act in a
manner upholding the ideals of the rule of law (ie, ideals to ensure legal certainty and
foreseeability and to counter decisional arbitrariness). I do not have any large empirical base on
which to draw firm conclusions about the complaints-handling procedures of agencies in this
respect. I can say, though, that when it comes to the practices of the data protection authority with
which I am most familiar – those of the Norwegian Data Inspectorate – I have found very little
evidence of inconsistency in the development and application of data protection policy. The most
glaring instances of inconsistency I have found stem from the appeal decisions of the Ministry of
Justice but, again, these instances are few and far between.28
Regarding the detail and clarity of reasoning in the agencies’ decisions, again I have found this to
be usually satisfactory.
As for bias in the agencies’ decision making, I have found very few cases where the
Inspectorate’s interpretation of the law has been obviously biased towards furthering the cause of
data protection at the expense of other factors that deserve equal or greater weighing in law. We
should keep in mind, though, that the risk of unlawful bias is considerable as is the risk of the
wider community believing that such bias exists.
27
28
[1996] 1 All ER 545.
See further LA Bygrave, Personvern i praksis. Justisdepartementets behandling av klager på Datatilsynets enkeltvedtak 1980–
1996 (Oslo, 1997), especially 30–31.
7
The main sticking point concerns the ease of public access to the agencies’ decisions. The Annual
Reports of the Data Inspectorate often fail to give a clear and full description of the reasoning
adopted by the Inspectorate (or by the Ministry of Justice if the case has been appealed). It was
not until the appearance of my book, Personvern i praksis,29 in 1997 that the general public in
Norway was able to gain relatively easy access to a complete, systematic and indexed collation of
appeal cases that had gone from the Data Inspectorate to the Ministry of Justice. This was some
15 years after the Personal Data Registers Act entered into force!
The Data Inspectorate is not the only sinner in this context. Data protection authorities in many
other jurisdictions are just as bad, and in some cases worse. Particularly problematic is public
accessibility to the reasoning of the Australian federal Privacy Commissioner. Under the federal
Privacy Act, the Privacy Commissioner is only required to give a written statement of reasons
when making formal Determinations of complaints pursuant to s 52. To my knowledge, only two
such Determinations have been made.30 As for the other complaints, all we find are brief
summaries of selected cases in the Commissioner’s Annual Reports. Usually these summaries
contain little detail about the legal interpretations involved. Enactment of the Privacy
Amendment (Private Sector) Bill 2000 is unlikely to remedy this situation. Indeed, the situation
will probably be exacerbated by the fact that the Bill allows for the setting up of a congeries of
industry code bodies, each of which will be able to make binding decisions against which there
will be very limited possibilities for appeal. The Bill omits requiring that complaint organs
established under the various codes publish reasons for their formal decisions or publish details
about matters that have been mediated more informally.
The problem of lack of public access to authoritative interpretations by data protection authorities
is not directly a problem about the role of the courts. Rather it is about the weakening of the
ability of both data subjects and data controllers to predict what data-processing behaviour is in
compliance with the legislation. It is about diminishment of the guidance potential of data
protection laws. Further, the problem concerns data protection authorities operating,
paradoxically, somewhat like the ‘black boxes’ they are meant to help unlock. It is a problem that
is exacerbated when the data protection authority is given relatively broad discretionary powers.
The problem is further exacerbated when – as will likely be the case in, say, Australia – there is a
profusion of bodies developing their own (and possibly inconsistent) versions of data protection
law pursuant to sectoral codes of practice.
This problem could be resolved simply by data protection authorities (and sectoral code bodies)
putting in place decision-reporting systems that are more extensive and include more decisional
detail. In the age of the Internet, the problem should be able to be fixed quite easily. An
exemplary model in this respect is the website of the Information and Privacy Commissioner of
British Columbia.31
At the same time, this strategy does not fix all problems. For example, the Australian experience
outlined above highlights the danger of conciliatory strategies of data protection authorities
29
30
31
Ibid.
I say this on the basis of a perusal of the Commissioner’s Annual Reports for the period up until June 1999. The two
Determinations are described in the Commissioner’s Sixth Annual Report (Canberra, 1994), 58–59. See also (1994) 1 Privacy
Law & Policy Reporter, 152 & 170.
See <http://www.oipcbc.org/>.
8
hampering development of data protection laws by heading off actions that could have ended up
before an appeals tribunal or court and resulted in the clarification of points of ambiguous law.
The EC Directive to the rescue?
The role of the judiciary in enforcing national data protection laws and otherwise handling
complaints pursuant to such laws is touched upon at several points in the 1995 EC Directive on
data protection. The relevant provisions are Arts 22 and 28. Article 22 states:
‘Without prejudice to any administrative remedy for which provision may be made … prior to
referral to the judicial authority, Member States shall provide for the right of every person to a
judicial remedy for any breach of the rights guaranteed him by the national law applicable to the
processing in question’ (emphasis added).32
Article 28(3) states, inter alia, that ‘[d]ecisions by the supervisory authority [data protection
authority] which give rise to complaints may be appealed against through the courts’.33
It is clear that Art 22 does not require EU Member States to permit individuals to go directly to
the courts for breach of data protection rights (effectively bypassing the national data protection
authorities) but leaves it open for Member States to allow direct access to the courts.34 Less clear
is whether the reference to ‘rights’ also embraces those provisions in the Directive that are
formulated as duties or obligations on data controllers. Given that breach of a duty or obligation
is likely to result in infringement of a data subject’s general right to privacy (a right that is
indirectly, if not directly, guaranteed by the Directive),35 and given that the Directive aims at
ensuring a ‘high’ level of data protection,36 the question is probably to be answered in the
affirmative.
Ambiguity also inheres in Art 28(3): does the provision require Member States to permit court
appeals on both questions of law and questions of fact, or are Member States able to restrict
appeals to questions of law only? As the term ‘complaints’ is not qualified in any way, Art 28(3)
appears to encourage, if not require, a broad right of appeal. But EU/EC legislators would
probably be exceeding their legal competence if the provision were to require changes to present
domestic rules that limit judicial review of administrative decisions to questions of law.
32
33
34
35
36
Cf Art 14(8) of the 1990 Directive Proposal (COM(90) 314 final – 13.9.1990) which provided that a judicial remedy was to be
granted only in relation to breach of a relatively limited set of data subject rights enumerated in Art 14 of the Proposal. The
European Parliament susbsequently insisted on extending the right of court appeal to all the rights guaranteed by the Directive.
This provision did not appear in any of the previous proposals for the Directive. Note too that Art 28(3) also addresses the issue of
standing with respect to data protection authorities: Each such authority is to be given ‘the power to engage in legal proceedings
where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of
the judicial authorities’.
Cf Art 22 of the 1992 Amended Proposal for the Directive ((COM(92) 422 final – SYN 287, 15.10.1992) which makes no
mention of administrative remedies prior to court referral: ‘Member States shall provide for the right of every person to a judicial
remedy for any breach of the rights guaranteed by this Directive’. Had this provision been adopted, data subjects would have
found it easier to go straight to the courts with their complaints, bypassing national data protection authorities and any other
administrative complaints-resolution bodies.
See especially Art 1(1).
See especially recital 10 in the Directive’s preamble.
9
As for the issue of public access to the reasoning of data protection authorities, this is broached in
Art 28(4)–(5). Article 28(4) requires a data protection authority to inform a claimant of the
‘outcome’ of the claim, though does not, on its face, require the authority to communicate to the
claimant (or to anyone else) reasons for the outcome. The latter requirement, however, would
most likely follow from general rules of administrative procedure in each jurisdiction (though
only in relation to the claimant as party to case proceedings). Regarding information to the
general public (and not simply a claimant), Art 28(5) requires a data protection authority to
publish ‘a report on its activities at regular intervals’. Unfortunately, however, there is no
stipulation here or elsewhere in the Directive dealing specifically with access by the general
public to legal interpretations held by an authority (or other administrative complaints-resolution
body).
In sum, it is commendable that the Directive encourages court involvement in applying data
protection law. It is also commendable that the Directive broaches the issue of public access to
the findings and activities of data protection authorities. Nevertheless, it would have been
desirable that the Directive devoted more attention to both issues and in a manner that places
greater pressure on data protection authorities to provide the public with detailed guidance on
their reasoning. At the same time, it is understandable that the drafters of the Directive did not
elaborate further on these points given the principle of subsidiarity and the risk of overstepping
their legal competence.
Conclusion
To conclude, I am not arguing that courts should relieve data protection authorities of their
complaints-handling tasks. There are good grounds for keeping data protection authorities as the
primary mediators of disputes. The authorities are staffed by experts in the field. As experts,
these people tend to be savvy not just with the relevant legal rules but also the broader
technological and organisational developments that spark disputes in the field. Further, data
protection authorities will normally be more accessible than courts. The pursuit of remedies
through courts tends to be too expensive and drawn-out for the majority of people. At the same
time, data protection authorities will tend to be able to engineer compromises in a more
conciliatory, less destructive manner than court litigation usually can.
Still, I firmly believe that we should care where the judges are. I believe equally firmly that if the
judges are not around in the field of data protection law, or not around often enough, then this
absence is problematic. It is problematic because it increases the risk of compromising basic ruleof-law ideals. And it is problematic because an absence or scarcity of judicial opinion inevitably
impoverishes law and policy on data protection. If the judges are not around to a significant
degree, we should either make sure that they can come around more easily in the future, or ensure
that there are bodies to effectively emulate their role.
In the latter regard, the UK experience with its Data Protection Tribunal serves as a positive
model. The Tribunal appears to have acted in a balanced, neutral manner with an attention to
legal detail that should characterise the standards of decision making by the ordinary courts.37
37
The Tribunal’s decisions are set out in Chalton, Gaskill & Sterling, supra n 5, Part 6.
10
The UK Data Protection Commissioner (formerly Registrar) has actively used the Tribunal to
resolve problems of interpretation of the data protection legislation, particularly with regard to
the rule that personal data shall be processed ‘fairly’.38 In doing so, the Commissioner has acted
on behalf of the interests of the wider community of citizens as data subjects and data controllers
in knowing how to behave pursuant to the legislation.
38
See Data Protection Principle 1 in Part 1 of Schedule 1 to the 1984 Act (now repealed) and to the Data Protection Act 1998.
11