Monday, February 22, 2010

Austrian insights

I've been thinking about the conundrum of trying to fit all of the words data into two random black-and-white categories: "personal" data or "non-personal" data, or personally-identifiable information and non-PII if you prefer. The reason we're all trying to do this is because most of the world's legal regimes create these two categories, and only these two categories, even if it's obvious that many things sit uncomfortably in the gray zone between them. The big privacy debates generally turn on these gray-zone categories, which identify some things about an individual (e.g., speaks Spanish), but don't identify an actual human being. Think of the privacy debates around IP addresses, cookies, RFIDs etc, and you see that the debates can't be settled using only these two categories.

I think the way forward is the creation of a third-category, something we could call "indirectly identifiable data". Interestingly, Austrian law has already done that. Here are some insights into the Austrian law, the Austrian Federal Act concerning the Protection of Personal Data (Datenschutzgesetz 2000). Under Austrian Law, data is ‘only indirectly personal’ for a controller, a processor or recipient of a transmission when ‘the Data relate to the subject in such a manner that the controller, processor or recipient of a transmission cannot establish the identity of the data subject by legal means." In other words, the identity of the individual can be retraced but not by legal means.

When introducing the concept of indirectly personal data, the Austrian legislators referred on the face of the bill before Parliament to Article 2 (a) of the Directive and, in particular, to the phrase ‘…an identifiable person is one who can be identified, directly or indirectly…’. This suggests that a deliberate decision was made to distinguish between persons who can be identified directly (and for which the full force of the Austrian Law applies) and those persons who can only be identified indirectly – hence the concept of indirectly personal data. In the eyes of the legislators, indirectly personal data did not require the full range of protection that directly personal data required. There may additionally have been commercial and practical reasons considered by the legislators why to require organisations to treat indirectly personal data in the same way as directly personal data made no sense.

This is how I've been told Austrian Law treats indirectly personal data below:

Section

Provision

8 (2)

Use of only indirectly personal data shall not constitute an infringement of the fundamental interest in secrecy that deserves protection under s. 1 (1).

9 (1) (2)

Use of sensitive data does not infringe interests in secrecy deserving protection only and exclusively if data are used only in indirectly personal form.

12 (3)

Transborder data exchange shall not require authorisation if data are transferred or committed that are only indirectly personal to the recipient

17 (2)

There is no requirement to notify the Data Protection Commission where the data application only contains indirectly personal data.

24 (4)

There is no duty to provide information to data subjects when collecting data where such data is not subject to notification under s. 17 i.e. this would include the use of indirectly personal data.

29

The rights granted under s. 26 – 28 cannot be exercised insofar as only indirectly personal data are used.

Section 26: right of access

Section 27: right of rectification/ erasure

Section 28: right to object

46 (1)

For the purpose of scientific or statistical research projects where the goal is not to obtain results in a form relating to specific data subjects, the controller shall have the right to use all data that are only indirectly personal for the controller.

46 (5)

Where the use of data in a form which permits identification of data subjects is legal for purposes of scientific research or statistics, the data shall be coded without delay so that the data subjects are no longer identifiable if specific phases of scientific or statistic work can be performed with indirectly personal data only


All of this is interesting, because I think privacy law will never adapt to the nuances of the real world if the entire real world has to be fit into only two black and white categories. Finding a legal category to deal with the gray zone is essential to getting privacy laws right, and the Austrian model is one of the most promising I've seen.

No comments: