András Jóri: An Outline of the History of Data Protection (IJ, 2008/1., (23.), 5-14. o.)

1. The notion of data protection

1. The notion of data protection (Datenschutz) became widespread from the 1970s, signifying a new type of protection compared to earlier personal rights. This new protection, according to data protection regulations, applies (usually) to natural persons, not only regarding specified types of data (portrait, sound recording); it is usually not restricted to "sensitive" data, nor does it have to be matched with the consequences of data abuse. By way of introduction, it might be useful to offer a proposition for the definition of data protection, to specify the term as understood within the scope of the present study, as well as the relation of the term to other notions which are often used as synonyms for data protection.[1]

2. The concept of data protection is often treated as a part of privacy protection, or, on the contrary, opposing it, as a specifically European legal solution to a problem which contributed to the appearance of the "right for private life" in American constitutional law.

In my view several - legal and extra-legal - tools, methods of privacy protection may be distinguished, and the notion itself may be applied to a far wider category of phenomena than data protection. Data protection might, indeed, be understood only within the framework of privacy protection as a legal tool of privacy protection, born within a given social and technical context. Also we should not disregard the fact that the notion of privacy is used today in a much broader sense in American legal thinking - as I mentioned above, as a result of the development which it has gone through since the end of the last century, and by now it can be interpreted as the equivalent of a general personal right.

This protection already existed before the appearance of data protection: privacy protection was provided by extra-legal, natural boundaries, or the extra-legal system of social norms. Following the appearance of data protection, these tools may be (are) applied continuously. Data protection as a specific legal protection appeared as a result of the weakening or disappearance of some natural boundaries which earlier ensured the protection of privacy.

In recent years, however, parallel modes of privacy protection have regained their earlier significance - this phenomenon might be understood as the crisis of data protection. On the one hand, this crisis is prompting efforts to renew data protection as legal protection; on the other hand, it widens data protection regulations, since the size of other (mostly technological) measures and tools serving privacy protection is increasing (on this issue see, below, the section on data security). Data protection, consequently, may be interpreted within privacy protection according to the following:

a) data protection in all cases means the legal protection of an individual's privacy,[2] which

b) appeared in Europe as an answer to the dangers of electronic data processing which were becoming widespread via the electronic revolution, beginning with the 1970s, and

c) the content of the legal protection provided by it has changed significantly several times since its appearance, and is still changing currently.

3. The right of informational self-determination is "the right of the individual to have a basic decision over the rendition and use of his personal data."[3] In the literature, data protection is very frequently identified with rules ensuring the right of informational autonomy.[4] I disagree with this view. As I argue below, when discussing the history of data protection, the concept of the right of informational self-determination is a much later development compared to the appearance of data protection (namely the appearance of the legal protection realized through the regulation of processing specific, personal data of individuals), and its appearance can be linked, first of all, to the Census Decision of the German Constitutional Court of 1983.

Data protection cannot be identified with the right of informational autonomy, since the early data protection laws did not ensure an individual any disposal over his personal data. Although the appearance of the right of informational autonomy is a significant milestone in the history of data protection, it is still wrong to claim that the development of data protection cannot go beyond the basic principles of the right of informational self-determination. There is a view, according to which data protection based on the right of informational autonomy is undergoing a crisis, and that the latest generation of data protection regulations is based on the right of informational self-determination only nominally.[5] Therefore, data protection includes all regulations which, via the regulation of the treatment of an individual's personal data, aim at the protection of these data, irrespective of whether this regulation ensures the

- 5/6 -

right of informational self-determination of i an individual or not.

4. While data protection is a tool of privacy protection, and as such, is aimed necessarily at the individual, the object of data security is data themselves. Data security means the protection of the integrity and confidentiality of data, irrespective of the information content and legal qualification of data.[6]

Data security is served by technical and organizational measures, which might be stipulated both by legal and extra-legal norms. Data security regulations are applied by several legal norms; such an example is the legal formulation of data security regulations concerning qualified data (state secrets and intelligence).

There is a complex network of connections between data protection and data security. The two most important elements of this network are:

a) In different phases of development, data protection regulations - although to a variable extent - usually contain data security rules serving data protection (which give specifications of the technical, organizational or other measures that are to be followed by the addressee of the norm when treating personal data). Therefore, in respect of personal data, data security is the object of data protection regulations.

b) it is a new development that, among the tools of privacy protection, the role of data security technologies is increasing. With the development of computer technology, modern data processing technologies are available at a low price, almost for everyone. At the same time, the appearance of international computer networks has opened the road to the globalization of data processing also. In this situation, data protection regulations of the 1970s necessarily require reform, and their role in the protection of privacy may decrease in the future. The effective protection of privacy in an open network environment might be provided primarily by technological tools (for example with the so-called "strong" encryption). These tools do not offer legal protection, but in several cases they become the objects of legal regulation themselves - precisely because their use has become widespread in the protection of privacy, or because of the consequences of such use. (The use of "strong" encryption, for example, might hinder legitimate data collection carried out for reasons of national security or criminal investigation. In such cases the legislator might have to intervene in order to strike a balance between the national security interest, on the one hand, and the protection of privacy on the other. However, such regulation cannot be considered as the legal regulation of data protection, although it is relevant regarding privacy, since it can hinder or facilitate the use of technologies which enhance privacy.