Being in the process of writing my thesis, I have realized how important it is to stop searching through the whirling flux of current information and new developments in the area of privacy and information technology, or more generally “law and technology”, and look back at the beginning of this craziness.
One might find answers for questions she didn’t even know she needed to answer. Or, at least, she might find some reassurance that the legal thought in this field is capable of steadiness and coherence.
This is why I decided to share with you the principles enshrined in the first “internationalization” effort of personal data protection that I know of, RESOLUTION (73) 22 ON THE PROTECTION OF THE PRIVACY OF INDIVIDUALS VIS-A-VIS ELECTRONIC DATA BANKS IN THE PRIVATE SECTOR (Adopted by the Committee of Ministers of the Council of Europe on 26 September 1973).
The information stored should be accurate and should be kept up to date. In general, information relating to the intimate private life of persons or information which might lead to unfair discrimination should not be recorded or, if recorded, should not be disseminated.
The information should be appropriate and relevant with regard to the purpose for which it has been stored.
The information should not be obtained by fraudulent or unfair means.
Rules should be laid down to specify the periods beyond which certain categories of information should no longer be kept or used.
Without appropriate authorisation, information should not be used for purposes other than those for which it has been stored, nor communicated to third parties.
As a general rule, the person concerned should have the right to know the information stored about him, the purpose for which it has been recorded, and particulars of each release of this information.
Every care should be taken to correct inaccurate information and to erase obsolete information or information obtained in an unlawful way.
Precautions should be taken against any abuse or misuse of information. Electronic data banks should be equipped with security systems which bar access to the data held by them to persons not entitled to obtain such information, and which provide for the detection of misdirections of information, whether intentional or not.
Access to the information stored should be confined to persons who have a valid reason to know it. The operating staff of electronic data banks should be bound by rules of conduct aimed at preventing the misuse of data and, in particular, by rules of professional secrecy.
Statistical data should be released only in aggregate form and in such a way that it is impossible to link the information to a particular person.
The original text of the Resolution can be found here.
We encounter access rights, purpose limitation, erasure of obsolete data and even the idea of anonymization. In 1973.
I got my ounce of inspiration from wondering how the essence of these principles is still relevant so many decades after they were published. And I hope you will also find yours.