[Home] [E-Mail Services] [Internet Services] [Some Cloak and Dagger Links] [Research Index]
|Investigation Tool: Knowledge|
Computer Crime Page 4 of 7:
127. Unlike the legal rules concerning corporeal objects, information law does not only consider the economic interests of the proprietor or holder but also takes into account the interests of persons concerned with the content of information. Before the invention of computers, the legal protection of persons in regard to the content of information was limited. Few provisions existed in the criminal law other than those in relation to libel. Since the 1970s, however, new technologies have expanded the possibilities of collecting, storing, accessing, comparing, selecting, linking and transmitting data, thereby causing new threats to privacy. This has prompted many countries to enact new elements of administrative, civil and penal regulations, as discussed in paragraphs 128-132. Various international measures, outlined in paragraphs 133-145, support this evolution by developing a common approach to privacy protection.
B. The development of national law
128. The penal provisions in privacy laws largely refer to the corresponding administrative provisions. Accordingly, first the administrative provisions are surveyed briefly and then the related questions of criminal law are dealt with.
1. Differing concepts of privacy laws
129. Special legislation against infringements of privacy have been past in most western legal systems. Moreover, the courts in most countries have also developed a civil action protecting privacy interests. An analysis of national laws demonstrates that various international actions have led to a considerable degree of uniformity among the general administrative and civil law regulations of national privacy laws. Most national privacy statutes include, for example, provisions addressing the limitation of data collection or the individual's right of access to his or her personal data. In spite of this tendency, considerable differences in general administrative and civil regulations remain. These differences oncern the legislative rationale, the scope of application especially with regard to legal persons and manually recorded ata), the procedural requirements for commencing the processing f personal data and the substantive requirements for processing uch data, as well as the respective control institutions.
130. The differences among the general administrative regulations are not only relevant for administrative law but to a significant extent also determine the existence of differences between criminal law provisions, which largely refer to these regulations. For example, one difference among criminal offences in various national privacy laws is found in the prohibition of the use of various types of data.
2. Differing acts covered by criminal law.
131. The main difference among the penal privacy offences, however, derive not from their general scope of application but from the different illegal acts that they cover . These differences in penal coverage are mainly caused by a divergent evaluation of the criminal character of privacy infringements and the role that penal law should play in this field. In some countries, especially Canada, Japan and the United States , criminal law is not widely used for privacy protection. In other countries, the criminal law includes comprehensive lists of severe criminal offences that refer to many of the actions regulated by administrative law. Some legislation even punishes negligent acts. In Finland, the Committee on Informational Crimes and, in France, the Commission for the Revision of the Penal Code intend to stress the importance of criminal sanctions of privacy legislations by implementing the most important infringements in their general penal codes.
132. The most important differences among the crimes against privacy in the various data protection laws emerge when the penal provisions are analyzed in detail. Such a comparative analysis should differentiate four main categories of criminal privacy infringements, which are to be found particularly in European privacy laws:
The first main group of crimes against of privacy relates to infringements of substantive privacy rights and includes such acts as illegal disclosure, dissemination, obtaining of and/or access to data; unlawful use of data; illegal entering, modification and/or falsification of data with an intent to cause damage; collection, recording and/or storage of data, which is illegal for reasons of substantive policy; or storage of incorrect data. Detailed analysis of the respective criminal provisions indicates that these substantive infringements of privacy rights differ with regard not only to the data covered but also to the types of acts punished. They differ further according to the extent to which the described acts are permitted by law. Since the penal provisions either refer to the respective general provisions of the civil privacy laws or justify exceptions permitting the use of personal data by reference to general clauses, which are similar to those of the administrative provisions, all anomalies, inaccuracies and uncertainties in the field of administrative law can also be found within the corresponding penal provisions;
As a result of the uncertainties in the substantive provisions, many legal systems rely to a great extent on a second, and additional, group of offences and are directed towards enforcing various formal legal requirements or orders of supervisory agencies. These offences, included in most privacy laws, generally contain more precise descriptions of the prohibited conduct than do the substantive offences. However, these formal provisions also vary considerably among the various national laws. The main type of formal infraction covered in many states by penal law concerns infringement of the legal requirements for commencing the processing of personal data (e.g. registration, notification, application for registration, declaration or licensing). Additional, and considerably varying, offences that can be found in much of the European privacy legislation are infringement of certain regulations, prohibitions or decisions of the regulatory authorities; refusal to give information or release of false information to the regulatory authorities; refusal to grant access to property and refusal to permit inspections by regulatory authorities; obstruction of the execution of a warrant; failure to appoint a controller of data protection for a company; and failure to record the grounds or means for the dissemination of personal data;
A third type of criminal privacy infringement is infringement of access laws, e.g. the individual's rights to access information (freedom of information). With respect to a party's right of access, in many European countries it is an offence to give false information or not to inform the registered party or not to reply to a request;
Some countries go further and punish neglect of security measures with an administrative fine or even with a criminal sanction. This constitutes a fourth type of offence.
C. International harmonization
1. Harmonization of underlying administrative and civil law
133. In the field of administrative and civil privacy legislation, various international organizations have developed a common approach to privacy protection in order to prevent the proliferation of different concepts and national regulations that would impede the transborder flow of data. The main work in this field has so far been accomplished by OECD, the Council of Europe and the European Union.
134. In 1977, OECD began to elaborate guidelines governing the protection of privacy and transborder flows of personal data. These guidelines were adopted by the Council of OECD in 1980 as a recommendation to the member States. The eight main points of the guidelines concern the principles of limitation on collection; data quality; specification of purpose; limitation of use; security and safeguards; openness; individual participation; and accountability.
135. In 1980, the Committee of Ministers of the Council of Europe, which had been considering privacy concerns since 1968, adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. In contrast to the OECD guidelines, which are voluntary in nature, the Council of Europe Convention is a contractual commitment of the ratifying States and is legally binding. It formulates 10 basic principles representing minimum standards that must be incorporated in the legislation of the contracting States. Although similar to those of OECD, these principles are narrower and more specific.
136. Further initiatives were undertaken by the Committee of Experts on Data Protection of the Council of Europe. Since the opening for signature of the Convention, the Committee has pursued a sectoral approach to data protection issues aimed at elaborating guidelines, in the form of non-binding recommendations, addressed to the Governments of the member States.
137. The European Union started to harmonize privacy laws in 1976. A decisive breakthrough for European privacy protection was reached in September 1990, when the Commission of the European Communities submitted a draft package containing six proposals in the field of personal data protection and information security. The package included the draft of a general directive on data protection applicable to all personal data files within the scope of European Union law. Within the context of the IMPACT2 programme of the European Union, the Commission intends to elaborate, when necessary, the instruments concerning personal data protection in specific sectors of information services, mailing list services, credit ratings and solvency services.
138. In 1988, the Sub Commission on the Prevention of Discrimination and the Protection of Minorities of the Commission on Human Rights elaborated draft guidelines for the regulation of computerized personal data files (E/CN.4/Sub.2/1988/22, annex I). In its resolution 45/95, the General Assembly adopted a revised version of these guidelines, which contain principles similar to those of the OECD guidelines and the Council of Europe Convention.
2. Harmonization of criminal law
139. In contrast to the progress achieved in administrative and civil privacy law, international harmonization in the field of criminal privacy law has still not really begun. The main initiative is being undertaken by the Council of Europe. The above-mentioned Convention of the Council of Europe contains, in article 10, a provision stating that "each party undertakes to establish appropriate sanctions and remedies for violation of ... the basic principles for data protection". However, this clause allows States to determine the nature of the sanctions and remedies (civil, administrative or criminal), as well as their scope of application.
140. Further studies to harmonize criminal privacy law were undertaken in the course of the work of the Select Committee of Experts on Computer-Related Crime of the Council of Europe, mentioned in paragraphs 119-122. The Committee recommended six basic principles that should be taken into account by member States when enacting legislation in the field of computer-related criminal privacy:
"The protection of privacy against offences caused by modern computer technology is of great importance. However, this protection should be based primarily on administrative and civil law regulations. Recourse to criminal law should be made only as a last resort. This means that criminal sanctions should be used only in cases of severe offences in which adequate regulation cannot be achieved by administrative or civil law measures (ultima ratio principle);
The respective criminal provisions must describe the forbidden acts precisely and should avoid vague general clauses. A precise description of illegal acts, without however resorting to a casuistic legislation technique, can easily be achieved, for example, for specific sensitive data. In cases in which precise descriptions of illegal acts are not possible, due to the necessity of a difficult balancing of interests (privacy versus freedom of information), criminal law should decline to incriminate substantive infringements of privacy and adopt a formal approach, based on administrative requirements of notification of potentially harmful data-processing activities. Failure to comply with these notification requirements and to obey regulations of the data protection authorities could then be subject to sanctions. These formal offences are in accordance with the principle of culpability as long as they can be considered bans per se (Gefahrdungsdelikte, delits-obstacles), which punish the endangering of privacy rights. In many areas, criminal privacy infringements, therefore, would presuppose both the infringement of formal requirements as well as the endangering of substantive privacy rights (principle of precision in the wording of criminal law);
The criminalized acts should be described as clearly as possible by the respective penal law provisions . Therefore, a too-extensive use of the referral technique (that is, the technique pursuant to which activities regulated outside the penal law provisions are criminalized by reference) makes criminal provisions unclear and incomprehensible and should be avoided. If implicit or explicit references of the criminal law are used , the criminal provision itself should at least give an adequate idea of the forbidden acts (clearness principle);
Different computer-related infringements of privacy should not be criminalized in one global provision . The principle of culpability requires a differentiation according to the interests affected, the acts committed and the status of the perpetrator, as well as of his intended aims and other mental elements (principle of differentiation);
In principle, computer-related infringements of privacy should only be punishable if the perpetrator acts with intent. Criminalisation of negligent acts should be an exception requiring a special justification (principle of intent);
Minor computer-related offences against privacy should be punished only in accordance with Council of Europe Recommendation No.(87)18 on the simplification of criminal justice, on complaint of the victim or of the Privacy Protection Commissioner or of the Privacy Protection Authority (principle of complaint)."5
141. In future, further harmonization of criminal privacy law might be achieved along the lines outlined in the draft directive of the European Union. Chapter VII, article 23, of that draft directive, which concerns sanctions , demands that each member State provide in its laws the use of "sufficient sanctions" to guarantee the rules based on the directive.
142. The issue of privacy protection was also discussed at the AIDP Colloquium on Computer Crime and Other Crimes against Information Technology (see paragraphs 116-126). The discussion demonstrated significant differences of opinion as to the means by which and the degree to which protection should be afforded by administrative , civil, regulatory and criminal law. The draft resolution of the colloquium recommended, therefore, that "non-penal measures should be given priority, especially where the relations between the parties are governed by contract" and that criminal provisions "should only be used where civil law or data protection law do not provide adequate legal remedies".
143. The Colloquium noted the basic principles, as advanced by the Council of Europe, that should be taken into account by States when enacting criminal legislation in this field. The draft resolution of the Colloquium proposes further that criminal provisions in the privacy area should in particular:
"Be used only in serious cases, especially those involving highly sensitive data or confidential information traditionally protected by law;
Be defined clearly and precisely rather than by the use of vague or general clauses (Generalklauseln), especially in relation to substantive privacy law;
Differentiate as between varying levels and requirements of culpability;
Display caution, in particular, as regarding matters of intent;
Permit the prosecutorial authorities to take into account, in respect of some types of offences, the wishes of the victim regarding the institution of prosecution."
144. The draft resolution also noted as follows:
"The significance of protecting privacy interests in the transformed information age should be recognized, but also balanced by the legitimate interests in the free flow and distribution of information within society. These interests include the right of citizens to access, by legal means consistent with international human rights, information about themselves which is held by others."
145. The Colloquium concluded that further study of this issue should be undertaken.