[ This was in 1973, 39 years ago, when “when computers ran on steam and the internet was still largely mechanical”. I was led to this document from a message posted by Karl Auerbach in the At Large mailing list today ]
Most of the advanced industrial nations of Western Europe and North America share concerns about the social impact of computer-based personal data systems. Although there are minor differences in the focus and intensity of their concerns, it is clear that there is nothing peculiarly American about the feeling that the struggle of individual versus computer is a fixed feature of modern life. The discussions that have taken place in most of the industrial nations revolve around themes that are familiar to American students of the problem: loss of individuality, loss of control over information, the possibility of linking data banks to create dossiers, rigid decision making by powerful, centralized bureaucracies. Even though there is little evidence that any of these adverse social effects of computer-based record keeping have occurred on a noticeable scale, they have been discussed seriously since the late sixties, and the discussions have prompted official action by many governments as well as by international organizations.
Concern about the effects of computer-based record keeping on personal privacy appears to be related to some common characteristics of life in industrialized societies. In the first place, industrial societies are urban societies. The social milieu of the village that allowed for the exchange of personal information through face-to-face relationships has been replaced by the comparative impersonality of urban living. …
Concern about the effects of computer-based record keeping appears to have deep roots in the public opinion of each country, deeper roots than could exist if the issues were manufactured and merchandised by a coterie of specialists, or reflected only the views of a self-sustaining group of professional Cassandras. The fragility of computer-based systems may account for some of the concern… There are few computer systems designed to deal with the disruption that deliberately lost or mutilated punched cards in a billing system-to give a simple example-would cause. Thus, the very vulnerability of automated personal data systems, systems without which no modern society could function, may make careful attention to the human element transcend national boundaries.
The Response in Individual Nations
On October 7, 1970, the West German State of Hesse adopted the world’s first legislative act directed specifically toward regulating automated data processing. This “Data Protection Act” applies to the official files of the government of Hesse; wholly private files are specifically exempted from control. The Act established a Data Protection Commissioner under the authority of the State parliament whose duty it is to assure that the State’s files are obtained, transmitted, and stored in such a way that they cannot be altered, examined, or destroyed by unauthorized persons…
Thus, the Data Protection Act of Hesse seems designed more to protect the integrity of State data and State government than to protect the interests of the people of the State…
When strong opposition to the 1969 census erupted in Sweden, public mistrust centered not so much on the familiar features of the census itself as on the fact that, for the first time, much of the data gathering would be done in a form specifically designed to facilitate automated data processing. Impressed by the possibility that opposition might be so severe as to invalidate the entire census, the government added the task of studying the problems of computerized record keeping to the work of an official commission already studying policies with respect to the confidentiality of official records.
After a notably thorough survey of personal data holdings in both public and private systems, the commission issued a report containing draft legislation for a comprehensive statute for the regulation of computer-based personal data systems in Sweden.2 The aim of the act is specifically the protection of personal privacy. Its key provisions are these:
- Establishment of an independent “Data Inspectorate,” charged with the responsibility for executing and enforcing the provisions of the Data Law.
- No automated data system containing personal data may be set up without a license from the Data Inspectorate.
- Data subjects have the right to be informed about all uses made of the data about them, and no new use of the data may be made without the consent of the subject.
- Data subjects have the right of access without charge to all data about them, and if the data are found to be incorrect, incomplete, or otherwise faulty, they must either be corrected to the subject’s satisfaction, or a statement of rebuttal from the subject must be filed along with the data.
- The Data Inspectorate will act as ombudsman in all matters regarding automated personal data systems.
The Data Law has been passed by the Swedish Parliament and will become effective on July 1, 1973. A transition period of one year will be allowed to implement all the provisions of the law.
Article 9 of the French Civil Code states plainly, “Everyone has the right to have his private life respected.“ 3 As legal scholars in all countries have noted, however, it is very difficult to define the precise limits of privacy in every case that comes before a court, and in spite of such explicit protection, the privacy of the French, both inside and outside of automated personal data systems, seems in practice no better defended than that of most other people…
One other development on the French scene deserves mention. The 1972 annual report of the Supreme Court of Appeals went considerably out of its way, after reviewing a case of literary invasion of privacy, to comment on the subject of computers and privacy:
… The progress of automation burdens society in each country with the menace of a computer which would centralize the information that each individual is obliged to furnish in the course of his life to the civil authorities, to his employer, his banker, his insurance company, to Internal Revenue, to Social Security, to the census, to university administrations, and, in addition, the data, correct or not, which is received about him by the various services of the police. When one thinks about the uses that might be made of that mass of data by the public powers, of the indiscretions of which that data might be the origin, and of the errors of which the subjects might be the victims, one becomes aware that there lies a very important problem, not only for the private life of everyone, but even for his very liberty.
It appears to us that this eventuality, an extremely probable one, ought to be made the object of consideration of the public power, . . .and that this consideration should take its place among the measures of precaution and of safeguard which should not lack for attention.7
To sum up, the situation in France is complex. The subject of computers and privacy has been given serious attention by a relatively small group of experts, but that group has an influence in government far out of proportion to its numbers. The attitude of the present government is strongly colored by another aspect of the privacy problem: It has been caught in a wiretap scandal, and its defensiveness in that regard appears to be influencing its actions on the computer front. The official report of the present working group is due before the end of 1973, but it does not seem realistic to expect that there will be any definitive action in France before, perhaps, mid-1974.
Britain is unique among the countries reviewed in having recently completed a thorough study of the entire subject of privacy.8 Although the committee in charge of the study, the Younger Committee, was restricted in its terms of reference to private, rather than public, organizations that might threaten privacy, the committee’s report is a model of clarity and concern. In brief, the Committee found that both the customs of society and the Common law had evolved defenses against the traditional intrusions of nosey neighbors, unwelcome visitors, door-to-door salesmen, and the like. Against the new threats of technological intrusions-wiretaps, surveillance cameras, and, of course, computerized data banks-the Committee recognized that the traditional defenses are inadequate. To help deal with the threat of the computer, the Committee recommended specific safeguards to be applied to automated personal data systems, although it left the method of application up to the government to decide. The main features of the safeguards are:
- Information should be regarded as held for a specific purpose and not to be used, without appropriate authorization, for other purposes
- Access to information should be confined to those authorized to have it for the purpose for which it was supplied.
- The amount of information collected and held should be the minimum necessary for the achievement of the specified purpose.
- In computerized systems handling information for statistical purposes, adequate provision should be made in their design and programs for separating identities from the rest of the data.
- There should be arrangements whereby the subject could be told about the information held concerning him.
- The level of security to be achieved by a system should be specified in advance by the user and should include precautions against the deliberate abuse or misuse of information.
- A monitoring system should be provided to facilitate the detection of any violation of the security system.
- In the design of information systems, periods should be specified beyond which the information should not be retained.
- Data held should be accurate. There should be machinery for the correction of inaccuracy and the updating of information.
- Care should betaken in coding value judgments.9
In its report, published in late 1972,11 the Canadian Task Force concluded that computer invasion of privacy is still far short of posing a social crisis. However, the rapidly rising volume of computerized personal data and the equally rapidly rising public expectation of a right to deeper and more secure privacy threaten to converge at the crisis level. To forestall that crisis, the Task Force recommends that a commissioner or ombudsman be established in a suitable administrative setting, that carefully prepared test cases on cogent issues be brought before the courts, and that the operation of government data systems be made to serve as a national model.