data protection: an opening door?

JONATHAN STEELE

DATA PROTECTION: AN OPENING DOOR?

The Relationship between Accessibility and Privacy in Sweden in an EUPerspective

ABSTRACT. Swedish public law has incorporated a general rule of public access todocuments, and to information in the wider sense, since the Freedom of the Press Actof 1766. On the Community level, the relationship between Regulation (EC) 45/2001 ondata protection and Regulation (EC) 1049/2001 on public access to documents exemplifiesthe tension between the public’s interest in scrutinising the administration carried on inits name, and the integrity of the individual. However, a similar tension exists betweenSweden’s Personal Data Act of 1998, implementing Directive 95/46, and the Freedomof the Press Act. A misuse model of data protection law, by seeking to concentrate onserious rather than technical infringements of privacy, might serve to ease the tension. Theviews expressed in this article are solely those of the author and are not attributable to anyCommunity institution.

KEY WORDS: access to documents, data protection, misuse model, Regulation (EC)45/2001, Regulation (EC) 1049/2001

INTRODUCTION

On 1 January 1995, Sweden, along with Austria and Finland, acceded tothe European Union. Joining a supranational order with over 40 years’history of progressive development would inevitably involve some degreeof compromise on the part of the new member states, as they absorbedthe acquis communautaire into their domestic legal systems. A countrywhich had enjoyed guaranteed public access to official documents since thefirst Freedom of the Press Act was passed in 1766, and which regards theprinciple as one of the foundation stones of its democratic order, was boundto attach importance to the question of the compatibility of its cherishedoffentlighetsprincip, or principle of openness with the Community legalorder.

It was in this context that Sweden made a declaration prior to entryabout the importance of openness: “Sweden welcomes the developmentnow taking place in the European Union towards greater openness andtransparency. Open government and, in particular, public access to officialrecords as well as the constitutional protection afforded to those who give

Liverpool Law Review 24: 19–39, 2002.© 2002 Kluwer Academic Publishers. Printed in the Netherlands.

20 JONATHAN STEELE

information to the media are and remain fundamental principles whichform part of Sweden’s constitutional, political and cultural heritage.”1

However, the reply of the existing member states was a model ofconciseness: “The present Member states take note of the unilateralDeclaration of Sweden concerning openness and transparency. They takeit for granted that, as a member of the European Union, Sweden will fullycomply with Community law in this respect.”2

The unmistakeable brusqueness of the response can have done littleto mollify Swedish concerns over the matter. This article will examinesome of the points of tension where Community law strains against theSwedish openness principle, taking Sweden as an example of openness inpublic life. This Swedish approach will be contrasted with certain aspectsof Community law.

On the Community level, the relationship between Regulation (EC)45/20013 on data protection and Regulation (EC) 1049/20014 on publicaccess to documents exemplifies the tension between two at times opposeddesiderata, the public’s interest in scrutinising the administration carriedon in its name, and the integrity of the individual. However, a similartension can be found in the context of Sweden’s Personal Data Act of1998, implementing Directive 95/46,5 and the Freedom of the Press Actreferred to above.

The access to information which had always been publicly availableto those willing and able to visit in person the appropriate offices andarchives has been so facilitated by on-line access that new issues of prin-ciple have been raised. There can be no doubt that many people will makeon-line searches of public records who otherwise would not be undertakingsuch research.6 It is in this context that the US courts have developed theconcept of “practical obscurity” to justify the denial of access to documentscontaining even publicly available information.7

As regards the developments in the European Union “towards greateropenness and transparency” which the Swedish government welcomed

1 Official Journal C 241, 29 August 1994, p. 397.2 Official Journal, ibid.3 Regulation (EC) 45/2001, Official Journal L 008, 12 January 2001, pp. 1–22.4 Regulation (EC) 1049/2001, Official Journal L 145, 31 May 2001, pp. 43–48.5 Directive 95/46, Official Journal L 281, 23 November 1995, pp. 31–50.6 A striking illustration of this tendency came when the UK’s Public Records Office

placed the 1901 census on-line only to suspend the service after a week: a site designed tocope with 1.2 million hits a day had been getting up to 30 million. See “Census website isclosed after 30 m hits a day”, The Daily Telegraph, 9 January 2002.

7 See in particular U.S. Department of Justice et al. v. Reporters Committee for theFreedom of the Press, 489 U.S. 749, 1989.

DATA PROTECTION: AN OPENING DOOR? 21

in the declaration referred to above, it is true to say that their mostevident manifestation is Regulation (EC) 1049/2001 on public access todocuments. However, an important impetus has come from the EuropeanOmbudsman, who has consistently pressed the institutions to adopt apolicy of openness in dealings with citizens.

OPENNESS

A Long Tradition

The routine and systematic access of the public to information about theadministrative workings of government and the decision-taking processhas not generally been taken for granted in all Western democracies.Although, as this article will set out to show, Sweden has a particularly welldeveloped tradition of openness, the position in many other jurisdictionsis often selective about the release of information and protective of thecandour of internal discussions, and in particular of the confidentiality ofofficials’ advice to ministers.

Unless access to information related to the functioning of governmentis a matter of rights and duties regulated by law, there is the risk thatan administration will release only such information as it wishes to seereleased.

For the purposes of the present article, it is sufficient to note that theSwedish tradition of public access to information has shaped a certain setof assumptions about the relationship between the citizen and the state, andthat data protection legislation there operates under different conditionsfrom those applying in many other member states of the EU.

The Swedish Accessibility Principle

Freedom of expression and freedom of information are seen in Swedisheyes as being closely linked, if not indeed two aspects of the same freedom.Freedom of information is the right to take note of what others haveexpressed. A right to express oneself, however, is not the same thing asa duty to reveal information.

It is worth noting that the earliest law to impose such a duty datesfrom 1766. The legislation granting a right of access to documents iscontained in the Freedom of the Press Act, which is a fundamental lawand as such, although not part of the constitution, enjoys nonetheless adegree of entrenchment in Swedish jurisprudence.8

8 There are only four such fundamental laws (“grundlagar”): they are the Instrument ofGovernment, the Act of Succession, the Freedom of the Press Act and the FundamentalLaw on Freedom of Expression.

22 JONATHAN STEELE

The basic provision which enshrines the principle of public accessis found at Chapter 2, Article 1 of the Freedom of the Press Act: “Toencourage the free exchange of opinion and availability of comprehensiveinformation, every Swedish citizen shall be entitled to have free accessto official documents.”9 The right of access to documents was thereforelimited to Swedish citizens, at least in theory, until Sweden’s accession tothe EU.

The Secrecy Act10 provides for a general duty on public authorities tofurnish information from public documents except where confidentialityapplies or where it would disturb the normal activities of the authority.To illustrate the extent of this principle, Bohlin quotes the example of ajournalist who telephoned a health authority to ask what was the salary ofa senior official. He was informed that such information could be givenout only to personal visitors to the authority and not over the telephone.The Justice Ombudsman held that there were no confidentiality consider-ations, that giving a single item of information from a public documentcould not be considered to disturb the work of the authority and thattherefore the information should have been given on request to a telephonecaller.11

The Secrecy Act further obliges public authorities to list in a publicregister all documents received or produced in final form with a briefindication of the contents.12

There is therefore considerable freedom of information concerningthird parties in Sweden, to say nothing of information concerning theinquirer. This freedom is considered to have an important role in safe-guarding the participatory nature of democracy in Sweden. It is alsoconsidered to exercise an unseen but pervasive influence on the thoughtsand actions of officials. Strömberg explains this effect: “To the extentthat authorities work in the consciousness that their activities may at

9 In referring to the increasing depth of scrutiny of the executive arm of governmentin the member states of the European Union, Curtin and Meijers point out: “The beliefunderlying these developments is that the quality of the ultimate decisions will be improvednot only by the public’s contribution to the decision-making process itself but perhapseven more by the knowledge of the decision-makers that they are acting in the publicview.” Curtin, D. and Meijers, H., The Principle of Open Government in Schengen and theEuropean Union: Democratic retrogression?, Common Market Law Review, 32: 391–442,1995, Kluwer Academic Publishers, p. 392.

10 Sekretesslagen (Secrecy Act) 1980, at 15:4.11 Bohlin, Alf, Offentlighetsprincipen, 3rd edition, Juristförlaget, Stockholm, 1992,

p. 11.12 Secrecy Act 1980 at Chapter 15, paragraphs 1 and 2. A similar public register has

been instituted in EU institutions under Regulation (EC) 1049/2001, see passim.


any moment emerge into the light of public knowledge, this contains asignificant guarantee of correct administration.”13

The Limits to Openness

We have seen that there is a general rule of public access to documents,and to information in the wider sense, in Swedish public law. Althoughthis rule is subject to a wide range of exceptions, the fact that the startingpoint is the principle of accessibility places the burden of proof on theofficial body seeking to withhold access to a document.

The legal principle outlined in the Freedom of the Press Act (“Tryckfri-hetsförordning”) applies to any public document or “allmän handling.”14

There are considerations of the definition of a public body and ofwhether a document is in the keeping of a public body, which might havebeen expected to become more acute in the context of the trend towardsincreased use of external consultants and other expertise. It does not appearthat this has represented a major departure from the general rule of publicaccess. For instance, the use of an external recruitment agency did notprevent documents in the possession of that agency from being consideredpublic documents in the sense required.15

A significant class of exceptions is contained in the Secrecy Act(“Sekretesslagen”) of 1980. This law however refers to the categoriescontained in the Freedom of the Press Act, and these categories areexclusive. The categories contained in the Act (at 2:2) are as follows:

1. The security of the Realm or its relations with another state orinternational organisation;

2. The central fiscal, monetary or currency policy of the Realm;3. The inspection, control or other supervisory activities of a public

authority;4. The interest of preventing or prosecuting crime;5. The economic interest of the public institutions;6. The protection of the personal or economic circumstances of private

subjects;7. The preservation of animal or plant species.

13 Strömberg, Håkan, Handlingsoffentlighet och sekretess, 8th edition, Studentlitteratur,Lund, 1999, p. 9.

14 The word “allmän” in this context means public in the sense of being in the keepingof a public authority. A document which is public in this sense may or may not be public(“offentlig”) in the sense of being open to public inspection: Strömberg, op. cit., p. 12.

15 The Justice Ombudsman (“justitieombudsmannen”) expressed the view that it wouldhave been preferable for applications to be routed via the public authority; even so theyremained public documents: Strömberg, op. cit., p. 15.

24 JONATHAN STEELE

The Secrecy Act contains a further exception, however, in the form of theduty of silence (“tystnadsplikten”) in 12: 5–7.

The confidentiality test is a harm test in terms of the taxonomydescribed by Frankel,16 according to which exemptions under differentexamples of national legislation on freedom of information may be dividedinto the categories of: (i) class exemptions; (ii) harm test exemptions;(iii) proportionality tests (closely related to (ii)); and (iv) public interestexemptions. So for instance, an example of a class exemption (i) mightbe “all information relating to defence”; an example of an exemptionsubject to a harm test (ii) could be “any information harmful to defence”;a proportionality test (iii) would be “but only to the extent necessary toprotect defence”; whereas a public interest exemption would involve abalancing act, such as “if the harm to defence outweighs the public interestin disclosure.”

Moreover, it is clear that confidentiality does not apply to the personwho is the subject of the information in question, at least in general. Bohlingives the example of a bank inspection authority investigation where thebank authority refused to surrender a document. The administrative court(“Regeringsrätten”) was able to ascertain that certain portions of the docu-ment in question referred to the applicant in the case before it. A claim ofconfidentiality could not prevail as against the person whose secrecy wassupposedly being protected.17

The limits of the right to access to personal data were graphicallyillustrated in the case Leander v. Sweden18 before the European Court ofHuman Rights. A report on Mr Torsten Leander by the National PoliceBoard,19 access to which was denied him, had led to his failing a vettingcheck for a post under naval authority. The Court’s position was that therewas no positive duty to supply information in circumstances of a seriousthreat to national security justifying the collection and maintenance ofsecret files on candidates for sensitive employment positions:

The Court observes that the right to freedom to receive information basically prohibits aGovernment from restricting a person from receiving information that others wish or maybe willing to impart to him. Article 10 does not, in circumstances such as those of thepresent case, confer on the individual a right of access to a register containing informationon his personal position, nor does it embody an obligation on the Government to impartsuch information to the individual.

16 Franckel, Maurice, Freedom of Information: Some International Characteristics,Paper given at a seminar entitled “Transparency in Europe”, The Hague, 15–16 February2001, <www.cfoi.org.uk/overseas.html>.

17 Bohlin, op. cit., p. 141: the example is cited in Regeringsårsbok 1983, 2:37.18 Leander v. Sweden (1987) 9 EHRR 433(at paragraph 74).19 “Rikspolisstyrelsen.”


The post in question in Leander was under naval authority and indeedrequired access to the naval base at Karlskrona, but it was the confiden-tiality of the vetting procedure itself that was subject to national securityconsiderations, in the sense required by paragraph 2:2 of the Secrecy Act.

So although the Freedom of the Press Act and the tradition of publicaccess to documents which it guarantees have led to a remarkable degreeof openness in public administration in Sweden, there are nonethelesssignificant restrictions on the principle. The effect of the legislation whichtransposed into Swedish national law EU Directive 95/46 on data protec-tion has introduced a further factor into the treatment of questions of publicaccess to documents.

The Personal Data Act of 1998

Strömberg questions whether the EU Directive on Data Protection 95/4620

is compatible with the principle of public access to documents, andspecifically whether the Swedish legislation which is meant to implementthe Directive, that is, the Personal Data Act (“personuppgiftslag”) of 1998is in fact compatible with the EU Directive it supposedly implements.21

Part of the reason for this doubt is that the statute itself provides for theprimacy, in case of conflict, of the principle of public access to documents.Paragraph 2 of the Personal Data Act provides as follows: “If there exist inany other law or regulation provisions which conflict with this law, thoseprovisions shall be applicable.” Moreover, the legislator has specificallyprivileged the provisions of the Freedom of the Press Act as against thePersonal Data Act. Paragraphs 7 and 8 provide that the Act is subordinatedto the Freedom of the Press Act in case of conflict.

The opinion of the Swedish Law Commission (“Lagrådet”) on theproposition which finally came into force as the Personal Data Act isinstructive. The Law Commission’s opinion22 faces squarely the problemthat the public access principle, which is considered as a basic law inSwedish jurisprudence, could be in conflict with EU Directive 95/46, andwhether the protection applied to such fundamental laws, as opposed tothe general law, in Sweden, could prevail against European Communitylaw. The question having been posed is then shelved: “The question ofthe relationship between EC law and national fundamental laws cannot beregarded as having in all aspects received a conclusive solution.”23

20 Directive 95/46, Official Journal L 281, 23 November 1995, pp. 31–50.21 Strömberg, Håkan, op. cit., p. 73.22 “Propositioner 1997/98, 41–44”, p. 231, dated 26 November 1997.23 “Frågan om förhållandet mellan EG-rätten och nationella grundlagar kan inte i alla

delar anses ha fått någon slutlig lösning.” Lagrådet, op. cit., p. 232.

26 JONATHAN STEELE

The Swedish government had in its legislative proposal sought to inter-pret the Directive in such a way as to make it compatible with the principleof public access. This involved reasoning which the Law Commissionregarded as far-fetched: “In the view of the Law Commission the inter-pretations made by the government of the above-named articles appearforced.”24

To give one example, Article 7 of the EU Directive provides that datamay be processed only if it is necessary for the execution of a legalduty or an official duty. The Swedish government took the view that thegeneral duty imposed (by pre-existing national law) on public authoritiesto provide information on request was in itself such an official duty, in thesense required by the Directive, as to permit personal information to besupplied on request.

The Law Commission took the view that there should be no such provi-sion as finally became paragraph 8 in the Personal Data Act, on the groundsthat any such provision would be either unnecessary or unlawful: unne-cessary if the pre-existing Swedish law on open public access is in factcompatible with EU Directive 95/46; unlawful, or at least in conflict withEU legislation, if there is any such incompatibility.25

To sum up the examination of the Swedish Personal Data Act, one canfairly say that it has been put into question by an official body charged withexamining the legislative proposal which was enacted as this law, whetherit can be said to implement EU Directive 95/46.

There is a very real possibility of a conflict between a Swedish basiclaw (and a principle which Swedes see as a cornerstone of their society)and the Directive. The Law Commission was clearly aware of the risk thatthe Swedish tradition of openness might be obliged to give way to theprinciple of respect for privacy.

However, these doubts about whether the Swedish legislation fullyimplements EU Directive 95/46 have been aired from the side of Swedenrather than from the side of the European Commission. The Commis-sion has not hesitated to take action against member states which havefailed to implement the Directive: on 11 January 2000 a Commission pressrelease26 announced the commencement of proceedings in the Court underArticle 226 of the EC Treaty against France, Luxembourg, the Nether-

24 “Enligt Lagrådets mening framstår de tolkningar som regeringen gör av de nämndaartiklarna som pressade.” Lagrådet, op. cit., p. 234.

25 “ett sådant undantag synes antingen strida mot EG-rätten eller vara onödigt.”Lagrådet, op. cit., p. 235.

26 Commission press release found at <http://europa.eu.int/comm/internal_market/en/dataprot/news/2k-10.htm>.


lands, Germany and Ireland. Indeed, the Court of Justice ruled againstLuxembourg on 4 October 2001 in proceedings brought by the EuropeanCommission for a declaration that Luxembourg had failed to implementEU Directive 95/46.27 The Internal Market Directorate General of theCommission seems then to be content with the scope of the Swedishlegislation.

However, there is continued debate in Sweden about the effects of thePersonal Data Act. In an essay published in a collection entitled “7:16 –och andra hot mot öppenheten” (“7:16 and other threats to openness”),28

Nils Funke outlines the argument that the provision contained in theeponymous paragraph 16 of Chapter 7 of the Secrecy Act (as amendedby the Personal Data Act) has significantly contracted the duties of publicauthorities to give out information. The provision itself states “Confidenti-ality applies to personal data, if it may be presumed that giving out the datawould result in the data being processed in contravention of the PersonalData Act.”29

The provision has been applied in a number of cases in a fashion,according to Funcke, at variance with the traditions associated with publicaccess to information. Funcke’s view30 is that the courts have in at leastsome cases appeared to take into consideration criteria which sit uneasilywith the Swedish tradition of openness.31 All citizens should enjoy equalrights before the law: the intention of the Act was to protect activities andnot classes of persons.

Another example cited by Funcke of the application of data protectionprinciples concerns a company called “Medipharm” which applied to theAgricultural Agency (“Jordbruksverket”) for the names and addresses ofall farmers in Sweden with more than 15 milking cows. The informationwas sought for marketing purposes. The Agency refused to give out theinformation requested on the grounds that the request failed to meet thecriteria in Article 10 of the Personal Data Act. The Agency claimed that themarketing purposes of the company had to be weighed against the personal

27 Commission v. Luxembourg, Case C-450/00, European Court Reports 2001 Page I-07069.

28 7:16 – och andra hot mot öppenheten, Eva Spira and Ann Dahlin (editors), 1st edition,Statstjästemannaförbundet, Stockholm, 2000, p. 47 ff.

29 “Sekretess gäller för personuppgift, om det kan antas att ett utlämnande skullemedföra att uppgiften behandlas i strid med personuppgiftslagen (1998: 204).”

30 Funcke, op. cit., p. 50 ff.31 Special protection for journalism is one example: Funcke describes how Zendry

Svärdkrona, an employee of the newspaper “Expressen”, working on marketing activities,requested certain information from the Maritime Authority (“Sjöfartsverket”) which wasrefused, partly on the grounds that the applicant was not a journalist. See Funcke, op. cit.,p. 51.

28 JONATHAN STEELE

integrity of the individuals involved. The Chamber Court (“Kammar-rätten”) in Jönköping found against the company. Funcke disagrees withthe conclusion that the data could be considered as a matter where personalintegrity is at stake.32 In my view this seems to demonstrate a failure toappreciate the implications of the data protection regime resulting fromEU Directive 95/46, under which there is no longer an absolute right toprocess data for any given purpose which may seem appropriate to theperson who has those data.

Under this regime, the onus is on the agency to demonstrate that theproposed operation is lawful, which means in this context necessary. Whatthen has become of the Swedish government’s contention (as cited in theLaw Commission’s appraisal of the draft legislation later enacted as thePersonal Data Act) that the duty on official bodies to give out informationunder the Freedom of the Press Act would continue to prevail? It maybe the case that although the fundamental law provisions are apparentlyprotected even in the Personal Data Act, nonetheless greater weight isbeing given to considerations of privacy as against public access, andthat this shift can be traced to EU Directive 95/46. The tension betweenconfidentiality and openness is replicated at the Community level in thecontext of a different legislative tradition, which merits examination in itsown right.

TRANSPARENCY

The Community Level

So far as access to documents at the EU level33 is concerned, opinion wasdivided on the question of whether there was a general right of accessto documents in Community law prior to the passage of Regulation (EC)1049/2001. The question arose, but was not definitely resolved, in Neth-erlands v. Council, where the opinion of Advocate General Tesauro made

32 Funcke, op. cit., p. 54.33 In December 1993 the Council promulgated a “Code of Conduct concerning Public

Access to Council and Commission Documents”: Official Journal L 340, 31/12/1993,pp. 0043–0044. This code of conduct was limited in its scope, for example, it did not applyto documents generated by a third party and received by the Council: any requests for suchdocuments were to be directed to the originator of the document. The code also provided“Access to a Council document may be refused in order to protect the confidentiality of theCouncil’s proceedings.” Moreover, the onus was on the applicant to identify the documentrequested in a “sufficiently precise manner” with information enabling the document to beidentified. The applicant had to know what to request.


the point that access to official documents had become a precondition forthe effective exercise of democratic rights.34

The next revision of the EC Treaty, brought about in the Treaty ofAmsterdam, added a new Article 255 to the Treaty:

1. Any citizen of the Union, and any natural or legal person residing orhaving its registered office in a Member State, shall have a right ofaccess to European Parliament, Council and Commission documents,subject to the principles and the conditions to be defined in accordancewith paragraphs 2 and 3.

2. General principles and limits on grounds of public or private interestgoverning this right of access to documents shall be determined bythe Council, acting in accordance with the procedure referred to inArticle 251 within two years of the entry into force of the Treaty ofAmsterdam.

3. Each institution referred to above shall elaborate in its own Rules ofProcedure specific provisions regarding access to its documents.

This was the background against which Regulation (EC) 1049/2001 cameinto being. This Regulation, which applies only to the Commission, Parlia-ment and Council, obliged those three institutions to set up public registersof all documents by 3 June 2002.

The restriction of the Regulation to the three named institutions hasbeen variously interpreted:35 the interpretation that the Communities’legislative function is the focus of the Regulation appears to be confirmedby the sixth recital to Regulation (EC) 1049/2001, which states “Wideraccess should be given to documents in cases where the institutions areacting in their legislative capacity, including under delegated powers,while at the same time preserving the effectiveness of the institutions’decision-making powers.”36

34 Opinion of Mr Advocate General Tesauro delivered on 28 November 1995, Case C-58/94, Netherlands v. Council, [1996] ECR I-2169.

35 Harden’s view is that remedies in the event of non-production of documents bythe institution concerned might not have been available against other institutions: “Theexplanation . . . is not clear, but a provision applying to all the Community institutionsand bodies would surely have raised the question of possible judicial remedies and henceof the scope of Article 230 EC [Treaty]. Limiting Article 255 to the three best knowninstitutions might have seemed a justifiable way to avoid this difficult issue, especiallysince the Netherlands case and the Ombudsman’s own-initiative inquiry had ensured theadoption of rules on public access to documents by other institutions and bodies, as a matterof good administration.” Harden, Ian, Citizenship and Information, European Public Law,Volume 7, Issue 2, Kluwer Law International, 2001, p. 181.

36 Official Journal L 145, 31 May 2001, p. 43.

30 JONATHAN STEELE

Regulation (EC) 1049/2001

In this context37 Regulation (EC) 1049/2001 came into being: the declaredpurpose of the Regulation is “to ensure the widest possible access todocuments.” The Regulation provides at Article 2 (first paragraph):

Any citizen of the Union, and any natural or legal person residing or having its registeredoffice in a Member State, has a right of access to documents of the institutions, subject tothe principles, conditions and limits defined in this Regulation.

The third paragraph of Article 2 provides:

This Regulation shall apply to all documents held by an institution, that is to say, documentsdrawn up or received by it and in its possession, in all areas of activity of the EuropeanUnion.

Freedom of information legislation is always couched in wide terms asregards the general access rule: the key to appreciating the extent of thelegislation lies in the exceptions. The Regulation includes exceptions onsecurity or national interest grounds, exceptions on the grounds of protec-tion of internal decision-making processes, and, in particular, exceptionson privacy or data protection grounds.

The differing ambit of these exceptions is of interest: the Regulationprovides at Article 4(1):

The institutions shall refuse access to a document where disclosure would undermine theprotection of:(a) [public interest](b) privacy and the integrity of the individual, in particular in accordance with Communitylegislation regarding the protection of personal data.

It should be noted that the exceptions here are presented without qual-ification. This seems to imply that considerations of privacy and theintegrity of the individual enjoy primacy over the general right of access todocuments.38

37 There were steps back as well as steps forward on the road to greater openness,notably the so-called “Solana Decision” adopted by the Council on 14 August 2000, theeffect of which was to exclude from public access certain categories of documents relatingto foreign policy, military matters and non-military crisis management, which was attackedin the Court of Justice by the Netherlands and the European Parliament: Case C-369/00,Netherlands v. Council, removed from the register on 6 March 2002: C-387/00 on 22March. Although the cases did not come to trial, the outcome would in all probability havehad academic interest only, as the decision at the heart of the case has been superseded byRegulation (EC) 1049/2001.

38 By contrast with the exceptions under Article 4(1), there is a more restricted scopeto the exceptions provided for at Article 4(2): “The institutions shall refuse access to adocument where disclosure would undermine the protection of:


As regards the register provided for in Regulation (EC) 1049/2001, thepurpose of which is to facilitate public access to documents, it is providedat Article 11(2) that the references in the document register (the referencenumber, the subject matter and/or a short description of contents and thedate recorded in the register) must not undermine protection of the interestscovered in Article 4, which include privacy and individual integrity.

It is submitted that the primacy of data protection considerations isimplied by Regulation (EC) 1049/2001 itself, notably by Article 4(1)(b)and by Article 11(2). Moreover, the fact that Regulation (EC) 1049/2001applies only to the European Parliament, European Commission andthe Council implies that it is the legislative functions of the Europeaninstitutions which are the intended subject of the openness provisions.

This being so, the enactment which applies data protection principlesto the institutions, Regulation (EC) 45/2001, merits particular attention.

Regulation (EC) 45/2001

At the level of the Council of Europe, data protection legislation can betraced back to the early 1980s. The Council of Europe Convention for theProtection of Individuals with regard to Automatic Processing of PersonalData was opened for signature on 28 January 1981, the initial signatoriescomprising Austria, Denmark, France, Germany, Luxembourg, Swedenand Turkey.39 The text of the convention defines principles which haveinfluenced subsequent legislation in this area. Notably, the provisions ondata quality, in particular the principle that data must be accurate, adequatefor their purpose and stored only for as long as necessary, have beensubstantially echoed in Directive 95/46 and in Regulation (EC) 45/2001.

However, there was no legislation applicable to the European Com-munity institutions themselves specifically on data protection prior toRegulation (EC) 45/2001. Nonetheless, the basic concept underlying dataprotection, that of the protection of personal integrity and privacy by meansof prohibitions on communicating information to unauthorised persons,by no means conflicted with the administrative culture of the administra-

– commercial interests of a natural or legal person, including intellectual property,– court proceedings and legal advice,– the purpose of inspections, investigations and audits,unless there is an overriding public interest in disclosure.” The fact that the exception isnot to be applied where there is an overwhelming public interest in disclosure implies abalancing of the public interest in disclosure against the protection of (for example) theconfidentiality of legal advice.

39 Convention for the Protection of Individuals with regard to Automatic Processingof Personal Data, European Treaty Series No. 108: information derived from Council ofEurope website: <http://www.legal.coe.int/dataprotection/Default.asp>.

32 JONATHAN STEELE

tions. However, the prohibition on gathering information save for specificpurposes and on retaining information for any longer than necessary isperhaps more of an innovation, even though the approach is foreshadowedin certain provisions,40 such as Article 287 (formerly Article 214) of theEC Treaty.41

The protection of personal data can be considered to go with the grainof pre-existing Community law as regards the internal workings of theinstitutions. However, one can question whether the approach embodiedin the line of descent traceable back to the 1981 convention is appro-priate for the conditions of the 21st century. This approach is based ona “processing model” rather than a “misuse model”, in terms of the clas-sification used by Seipel42 and which has informed debate in Sweden inparticular. Under a processing model, a central authority seeks to regulateall kinds of processing of personal data; under a misuse model, on theother hand, the central authority seeks to prohibit only certain categoriesof processing while allowing all other activity to continue unchecked.

“Personal data” are very broadly defined (in Article 2 of the Regula-tion) as any information relating to an identified or identifiable person(‘data subject’); i.e., one who can be identified, directly or indirectly,particularly by an identification number or one or more specific factors.Regulation (EC) 45/2001 provides at Article 4 that personal data mustbe processed fairly and lawfully; collected for specified purposes only;accurate and, where necessary, kept up to date; and permit identifica-tion of data subjects for no longer than is necessary. The Regulationfurther provides that personal data may be processed only if processingis necessary or consensual.43

40 For example, the respect shown to confidentiality considerations is illustrated byArticle 17 of the Staff Regulations, which provides: “An official shall exercise the greatestdiscretion with regard to all facts and information coming to his knowledge in the course ofor in connection with the performance of his duties; he shall not . . . disclose to any unau-thorised person any document or information not already made public.” Official Journal L56, 4 March 1968 – Special Edition 1968, 1 December 1972.

41 “The members of the institutions of the Community, the members of committees, andthe officials and other servants of the Community shall be required . . . not to discloseinformation . . . covered by the obligation of professional secrecy, in particular informationabout undertakings, their business relations or their cost components.” Official Journal C340, 10 November 1997, pp. 173–308.

42 Seipel, Peter, Privacy and Freedom of Information in Sweden, in Nordic Data Protec-tion Law, edited by Blume, Peter, 1st edition, DJØF Publishing, Copenhagen, 2001,p. 116 ff.

43 Article 5 provides:Personal data may be processed only if:(a) processing is necessary for the performance of a task carried out in the public interest


The main thrust of Regulation (EC) 45/2001 may therefore be summar-ised as follows: personal data is to be collected, used and disseminatedonly for purposes which are lawful, specific and limited in scope. We haveseen that some commentators refer to this approach as a processing model,perhaps more adapted to the conditions of the 1970s than the present. TheSwedish Data Act of 1973 was based on certain assumptions contained inthe preparatory material associated with the Bill, in which, according toSeipel,44 it was assumed that the estimated 4,000 computerised files thenin existence in Sweden containing data on individuals would grow at a rateof about 500 files per year.

The application of a “processing model” to the internal data processingoperations of the EU institutions presents fewer problems than the applic-ation of a such a model to the entire personal data processing activity in agiven state.

A substantial administrative machinery has been provided for in theRegulation, for as well as a Data Protection Officer in each institution,there is a European Data Protection Supervisor, an officer independent ofthe institutions, who is particularly charged with the protection of personaldata in the institutions.45 One might conclude that if a processing model ofdata protection cannot be made to work in such conditions and with suchbacking, there is no likelihood of success elsewhere.

PRIVACY

The End of Privacy?

No less an authority than the Supreme Court of the United States ofAmerica has advanced the view that even where records such as crim-inal convictions pronounced in open court continue to be open to thepublic, that nonetheless the practical difficulties of accessing information

on the basis of the Treaties establishing the European Communities or other legal instru-ments adopted on the basis thereof or in the legitimate exercise of official authority vestedin the Community institution or body or in a third party to whom the data are disclosed, or(b) processing is necessary for compliance with a legal obligation to which the controlleris subject, or(c) processing is necessary for the performance of a contract to which the data subject isparty or in order to take steps at the request of the data subject prior to entering into acontract, or(d) the data subject has unambiguously given his or her consent, or(e) processing is necessary in order to protect the vital interests of the data subject.

44 Seipel, Peter, op. cit., p. 117.45 At the time of writing no appointment of a European Data Protection Supervisor has

been made.

34 JONATHAN STEELE

has led to its being held in conditions of “practical obscurity.” In the casein question46 CBS News had requested the record of any arrests, indict-ments, acquittals, convictions and sentences held by the FBI in relationto a Charles Medico. Since much of the information requested was heldin various public sources such as court records, the Court of Appealshad taken the view that any privacy interest in information that was amatter of public record was minimal at best. The Supreme Court over-turned this judgement however, supporting the view expressed by JudgeKenneth Starr that the Freedom of Information Act had been intended tofacilitate scrutiny of the government, rather than to turn government into aclearing-house for personal information on private citizens.47

However, the condition known as “practical obscurity” can no longer berelied upon to guard citizens’ activities from the attention of their fellows.The capacity of modern technology for searching and associating items ofinformation as well as advances in communication technologies have ledto exponential increases not only in the volume and quality of informationpotentially available to the average citizen, but also in the ease of access toit.

The principal means of defending privacy is the route of prohibitionas exemplified by data protection legislation. The other would be theuniversal abolition of privacy, an approach advocated by David Brin, whoanticipates that there would result a stand-off assured by universal mutualtransparency.48

An article in The Economist in 1999 identified two further possiblesolutions – market solutions and technological. An example of marketsolutions would be remailing services and anonymous browsing providers.An example of technological solutions would be encryption technology.The same article rejected the feasibility of the compulsory universaltransparency approach:

Yet Mr Brin does not explain what would happen to transparency violators or whether therewould be any limits . . . transparency would be just as difficult to enforce legally as privacyprotection is now. Indeed, the very idea of making privacy into a crime seems outlandish.49

46 U.S. Department of Justice et al. v. Reporters Committee for the Freedom of the Press,489 U.S. 749, 1989.

47 C. Sykes, The End of Privacy, St Martin’s Press, New York, 1999, p. 253.48 Under this approach, everyone would enjoy access to all information. The theory is

that surveillance has to be covert to be attractive to the watcher: if the person observedcan have access to the same information about his watchers, then mutual courtesy could bereasserted. (“Through reciprocal transparency, we might enforce fairness simply by usingone of the oldest and most famous parables ‘Judge not, lest ye be judged’,” Brin, D, TheTransparent Society: Will Technology Force Us to Choose Between Privacy and Freedom?,Perseus Books, Reading, Mass., 1998, p. 82.

49 “The surveillance society”, The Economist, 1 May 1999, p. 19.


The Case against Data Protection

Some commentators have made the case against data protection legisla-tion from a deregulatory standpoint, claiming that the regulatory burdenplaced on business by data protection legislation weighs heavier on newlyestablished and smaller businesses.

As long ago as 1970, under the aegis of the Council of Europe, theCommittee of Experts on Human Rights took the view that the EuropeanConvention on Human Rights, while offering safeguards against theactions of public authorities, did not offer protection against private sectorabuses of computing technology.50

There is a counter-argument to be made in favour of data protectionlegislation, namely that data transfers and therefore trade could be encour-aged as a result of increased consumer confidence that personal data willnot be misused. This point is acknowledged by Swire and Litan,51 who givethe example that potential customers of online services might be encour-aged to make their first purchases by confidence that their personal datawill not be made accessible to third parties.

To some extent this kind of debate reflects a preference in the common-law jurisdictions for private law rather than public law solutions. Bothnational and Community legislation on data protection has sought to offerEuropean citizens a measure of protection against the misuse of databy establishing central bureaucracies charged with overseeing the use ofdata held on individuals and allowing them the opportunity to check andcorrect it. The fact that suspicion of data protection is not confined to theUnited States is shown by the language of a Home Office consultationpaper dating from March 1996: “Over-elaborate data protection threatenscompetitiveness, and does not necessarily bring additional benefits forindividuals.”52

An additional case against data protection legislation is made by Swireand Litan in the context of human resources records:53 there is, on theirassumption, a danger that companies operating in the European Union

50 I.L. Lloyd, Information Technology Law, 3rd edition, Butterworths, London, 2000,p. 52.

51 P. Swire and R. Litan, None of Your Business: World Data Flows, ElectronicCommerce and the European Privacy Directive, Brookings Institution Press, Washington,D.C., 1998, p. 79.

52 Quoted by Lloyd, op. cit., p. 60.53 “There may be applications for which it is not worth gaining consent from each

employee: directories and job skills databases might be developed for other countriesbut not for Europe. Information technologies such as intranets . . . designed to create thefree flow of information within an organisation might not be usable in Europe for humanresources applications.” Swire & Litan, op. cit., p. 93.

36 JONATHAN STEELE

would be prevented from making full use of some useful communicationstechnologies.

There is a further case to be made against data protection: it is thatpublic authorities could be expected to rely to the utmost on data protec-tion legislation to conceal their activities, especially where public accesslegislation is subordinated to it.

Perhaps the most pragmatic argument to be made against data protec-tion would be the argument that it is bound to fail. One might also askwhether statutory data protection agencies are doomed to fail for no otherreason than the mounting volume of data:

Attempts to protect privacy through new laws will fail – as they have done in the past.The European Union’s data protection directive, the most sweeping recent attempt, givesindividuals unprecedented control over information about themselves . . . But it is doubtfulwhether the law can be applied in practice, if too many people try to use it.”54

However, perhaps the fact that data protection legislation would proveunworkable if too many people attempted to assert their rights is not afatal objection. Any public service could conceivably be swamped by asufficiently high level of demand: that is not in itself an argument for itsabolition. The fact that a right of consultation could potentially be asserted;that anyone could ask to see and have corrected the relevant records, couldin itself be a powerful factor influencing the level of care exercised by datacontrollers, to such an extent that the worst extremes of negligence (orworse) are avoided.

Alternative Approaches to Data Protection

Modern technologies have led at the same time to increased decentralisa-tion of data processing and increased interconnectivity (with, for example,palmtops integrated to PCs), with both developments undermining themodels which underpin current legislation. Some commentators havewondered whether carrying a laptop with one on a transatlantic tripconstitutes a data transfer in the sense of Directive 95/46.55

Alternative approaches to the kind of data protection regime applied bythe legislation derived from Directive 95/46 might conceivably meet thesame end of ensuring that individuals’ privacy is not infringed. One suchis legislation based on the “misuse model”, which has been discussed inSweden in particular.

54 “The end of privacy”, The Economist, 1 May 1999.55 Swire & Litan, op. cit., pp. 71–72.


The Misuse Model

Some, in particular Swedish, commentators have proposed that a misusemodel rather than the processing model imposed by Directive 95/46 wouldmeet the objective of defending privacy without excessive burdens onlegitimate commercial and other activity. The central principle of theprocessing model is succinctly described by Seipel: “. . . in principle,all kinds of automated processing of personal data should be subject toregulation and . . . anything that is not explicitly permitted is forbidden.”56

The misuse model, as the name suggests, would concentrate on regu-lating misuse and would allow all processing not explicitly forbidden, asSeipel again makes clear: “In short, the misuse model would mean freedomto process whereas the processing model would mean that processingrequires some kind of permission.”57

Attractive as it appears, the misuse model seems to present somedifficulties when one attempts to define the details of its operation. An offi-cial body charged with advising the Swedish government on informationtechnology matters, the IT Committee (“IT-kommissionen”), published areport in August 1998 detailing how a misuse model could be operated.58

The report proposed that a misuse model should operate by examinationof alleged misuse after the fact rather than by granting prior authorisa-tion.59 Moreover, the focus would be on actual breaches of privacy ratherthan on the risk of potential breaches of privacy.

Nonetheless, the details provided in the report seems either to leadto substantially similar results as the line of legislation derived from EUDirective 95/46, or to be surrounded by such vagueness that it is hard tosee how consistent application of such a model could be maintained. Asan example of the first point, the kinds of processing which should consti-tute misuse according to the report include processing in the absence ofconsent,60 or where the personal data involved are “not adequate, relevantor by some other means do not fulfil the requirements of good quality.”61

56 P. Seipel, Privacy and Freedom of Information in Sweden in Nordic Data ProtectionLaw, ed. P. Blume, First edition, 2001, DJØF Publishing, Copenhagen, p. 124.

57 Seipel, ibid.58 IT-komissionen, En missbruksmodell – ny reglering av skyddet för personuppgifter,

August 1998, <http://www.itkommissionen.se/index_itratt.html>.59 An analogy that suggests itself is the area of regulation of defamatory publications,

which in liberal democracies is in general achieved through a law of defamation operativeafter publication rather than by means of pre-publication censorship.

60 Although such processing is considered misuse, the report recommends that consentbe implied from conduct in certain cases and therefore applicable to a wider range ofcircumstances.

61 “. . . ej varit adekvata, relevanta eller på annat sätt ej uppfyller kraven på god kvalitet”,IT-kommissionen, op. cit., p. 25.

38 JONATHAN STEELE

As an example of the second point, the same list of definitions of misusecontains the case where use “in some other way cannot be regarded asconsistent with good morals (god sed) or defensible.” It is hard to see howa norm couched in such terms could be applied consistently from caseto case, especially where the difficulty resides in balancing two goods,such as personal privacy and the public’s right to knowledge, against eachother.

CONCLUSION

The conclusion of this article is that workable alternatives to the kind ofdata protection legislation exemplified in the line of legislation based onDirective 95/46 have yet to be developed, at least in the level of robustdetail that would inspire confidence in their operability. Indeed, so faras the misuse model is concerned, one might conclude that where it ismost workable it is least distinctive from the “processing model”, as in theinsistence on adequacy and relevance of data referred to above. ProfessorPeter Seipel pointed out when the Personal Data Act was passed in 1998that even under a misuse model relatively detailed rules would be requiredto avoid uncertainty: “It therefore follows that, when it comes to prac-tical execution, there is less difference than one might think between‘all is permitted that is not prohibited’ and ‘all is prohibited that is notpermitted’.”62

So far as the future development of law in this area is concerned, itis suggested that the principal problems in the application of current dataprotection legislation in the European Union are likely to arise from thewide definitions of the concepts of personal data and processing employedin the body of law derived from Directive 95/46. This brings into the ambitof data protection law a wide range of activities which do not impeachthe personal integrity of the persons concerned in a meaningful way. Thesubordination of freedom of information considerations to data protec-tion considerations, noted in the context of EU institutions’ regulatoryframework, reinforces this effect. One method of allowing public bodiesto concentrate on matters of personal integrity (what is meant by personaldata in the everyday sense of the words, that belonging in the private sphereto the exclusion of “business” matters) might be to examine more closelythe “misuse model” discussed in Sweden. Although the version of “misusemodel” proposals discussed in this article might not have appeared work-

62 Seipel, Peter, “Personuppgiftslagen – bättre än sitt rykte”, Svenska Dagbladet, 26November 1998.


able, it is possible that developments along these lines could be made morerigorous.63 Public access to information, the best defence against arbitrarygovernment, should be made compatible with the defence of privacy.

63 It must be conceded that recent developments in case law seems to lend little supportto any approach in this direction. In fact, the line between private and business activitiesseems to be getting less, not more distinct, in this area of law at least. This tendency isseen in Rotaru v. Romania [2000] 8 BCHR 449, in which the European Court of HumanRights took the view that information about which course of studies had been pursued atuniversity fell within the sphere of private life.