20 July 2015

Data Protection

'The Battle for Rights   ̶  Getting Data Protection Cases to Court' by Megan Richardson in (2015) 1 Oslo Law Review 23-35 compares
the legal protection of privacy and personal data principally in common law jurisdictions. It points out that the growth of privacy law in these jurisdictions has traditionally centred on the ability of individuals to bring claims to court, with claims largely dealt with as a matter of common law (i.e. judge-made law). However, the absence of a generally accepted principle that individuals should be free to bring a claim in court for a breach of a statute has worked to limit the development of (statutory) data protection norms in the common law world. Nevertheless, the situation now appears to be changing with some recent cases. 
Richardson comments
In his 1872 masterwork Der Kampf ums Recht, or The Battle for Right as it was known in England, the German legal sociologist Rudolf von Jhering argued that the ideal environment for the creation of law is one in which aggrieved individuals voice their grievances publicly, and lawmakers including judges respond with the development of legal standards in sympathy with their concerns. Law is thus the product of a constant struggle by individuals for the recognition of legal rights. In words later echoed to a considerable extent by the American jurist Oliver Wendall Holmes Jr, von Jhering said that ‘[t]he life of the law’ is based on the idea of ‘restless striving and working’. Or as Holmes eloquently put it in his own masterwork The Common Law in 1881, ‘the life of the law has not been logic; it has been experience’. Von Jhering may have restricted his comments to private law, taking the benevolent view that ‘the realisation in practice of public law and criminal law is assured, because it is imposed as a duty on public officials’. However, his logic may be extended to any law whose ‘practical realisation depends on the assertion by individuals of their legal rights’, including where public officials have wide discretion rather than a specific ‘duty’ to give effect to the law for the individual’s protection. In these instances, as in others where ‘the realisation’ of the law depends upon the ability of individuals to bring claims, it can be argued that the individuals concerned should have the power directly to vindicate their legal rights. 
In any event, this was the position taken by the framers of the Bürgerliches Gesetzbuch (BGB) who, in 1896, responded to von Jhering and others who maintained that law should reflect modern concerns, including protection against ‘attacks on personality’. Section 823 II of the BGB stated that a person harmed as a result of another’s breach of a statutory provision adopted for his or her protection is entitled to bring a claim for damages in court. After the BGB came into force the provision became an early platform for the development of personality rights in Germany in the early 1900s, even before the inclusion of rights to dignity and personality in the post-second world war German Constitution, which prompted a more expansive reading of the provisions of the BGB to flesh out personality rights in accordance with the new constitutional standards. 
A number of jurisdictions in the common law world have adopted versions of section 823 II of the BGB in ways tailored to personality rights. For example, the New York legislature, after the failure of the plaintiff’s privacy claim in the 1902 case of Roberson v Rochester Folding Box Co, enacted sections 50 and 51 of the New York Civil Rights Law in 1903. These sections, which continue in force today, impose criminal liability on those who without consent use a person’s name or likeness for advertising or trade purposes (the circumstances of the Roberson case) and further specify that a person harmed can bring a civil action for damages. Thus, even without much by way of common law protection of privacy in New York, there is some statutory protection available to privacy through sections 50 and 51 of the Civil Rights Law including a right to bring claims to court. Moreover, this protection has withstood (to an extent) the broad reading given by the US courts, especially from the 1960s onwards, of the right to freedom of speech and the press under the First Amendment to the Bill of Rights in the US Constitution. 
Norway provides an example of a mixed system with some common law features. As noted in Lillo-Stenberg and Sæther v Norway, plaintiffs can rely on sections 3-6 of the Damages Compensation Act of 1969 in conjunction with section 390 of the Penal Code of 1902 to bring civil claims for legal protection of privacy. Although Norwegian courts have also developed their own non-statutory precedents in favour of privacy, the above statutory provisions have often been relied on in cases involving privacy claims, including the Lillo-Stenberg case. It was only because of the particular circumstances of the latter case (involving celebrity performers engaged in a spectacular celebration of their marriage in a publicly accessible area) that the Norwegian Supreme Court held that the publication of unauthorised photographs of parts of the celebration (but not the actual marriage ceremony) in the magazine Se og Hør was not an unlawful violation of the plaintiffs’ privacy. When the case came before the European Court of Human Rights, the latter accepted that an appropriate balance had been reached between the rights to private life and freedom of expression under Articles 8 and 10 of the European Convention on Human Rights and Fundamental Freedoms (ECHR) taking into account the margin of appreciation afforded to national law. 
Nevertheless, common law jurisdictions have not, as a general matter, accepted that individuals should be entitled to bring an action under a statute adopted for their protection. Rather, developments of privacy law in common law jurisdictions have mainly been focused on common law (i.e. judge-made law), which itself is premised on the central idea of individuals bringing claims to court. While this approach has worked reasonably well for aspects of privacy law, it has led to a relative lack of development of data protection norms in these jurisdictions, although the situation appears now to be changing.