Mind the Gap: Loopholes in the EU Data Privacy Regime

By Theodore Chua, J.D. Candidate 2018, Columbia Law School

I. Introduction

With the modernization of databases and search engines, information seemingly lost in a sea of information can be retrieved almost instantaneously. Due to the value of analyzing personal data (e.g. for the purpose of understanding voter demographics or consumer groups), legislatures are alive to the need for data protection laws regulating how personal data can be processed or transferred. Paving the way forward, the EU (then the EC) in 1995 enacted a single data protection law—the Data Protection Directive (the “Directive”)—to establish uniform data protection standards across member states.

But how successful has the Directive been? Are there gaps that the Directive and its successor come 2018 (the General Data Protection Regulation) fail to address? While the Directive on its face seems to apply with equal force to personal data stored in hard copies rather than a computerized database, practitioners have observed that certain hard copy filing systems seemingly escape the purview of the Directive. This post will explore whether the reach of the Directive is indeed curtailed by this loophole, while also evaluating the Directive against U.K. and U.S. statutes and case law where such comparison is instructive.

II. The Key Provisions

The Directive establishes standards that govern the processing of personal data, requiring the EU member states to “protect the fundamental rights and freedoms” of data subjects, “and in particular their right to privacy.”

While the Directive defines the “processing of personal data” to include “operations [] performed upon personal data, whether or not by automatic means,” the scope of processing that the Directive covers is not co-extensive. Rather, if the processing is not performed by automatic means, then the Directive only applies if the personal data processed forms “part of a filing system or are intended to form part of a filing system.” A “filing system” is then defined as “any structured set of personal data which are accessible according to specific criteria.”

Close reading of the Directive thus elucidates a critical gap: so long as personal data is not searchable by specific criteria, it is not considered part of a filing system. If it is then not processed by automatic means, the Directive simply does not apply to it and, accordingly, the right to privacy is not safeguarded in that scenario.

III. Filing Systems Escaping the Purview of the Directive

Under the case law of the European Court of Justice, plaintiffs suing in the domestic courts of member states cannot invoke a directive against a private party. Directives only have ‘vertical’ direct effect, in the sense that they can be invoked only against the government. Thus, until a member state enacts implementing legislation, plaintiffs cannot rely on rights contained in the Directive in a lawsuit against an individual defendant, because Directives do not apply in a ‘horizontal’ situation.

From this, two problems arise. First, member states might have data privacy standards less protective than those contained in the Directive, as illustrated by the U.K. Data Protection Act 1998 (the “UKDPA”). Second—and arguably this is the more troubling issue—is a flaw with the Directive itself in that the seemingly encompassing definition of a “personal data filing system” does not actually include manual record systems in some circumstances.

A. The U.K. Data Protection Act 1998

While the Directive defines a “filing system” as “any structured set of personal data which are accessible according to specific criteria”, the UKDPA on its face appears more restrictive in defining a “relevant filing system”:

any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

This language of “specific information [that] is readily accessible” indeed was interpreted by the English courts in a manner conflicting with the Directive. In Durant v. Financial Services Authority, the England and Wales Court of Appeal formulated a two-part test to evaluate whether a filing system is caught by the Directive:

(i) [T]he files forming part of [the filing system] are structured or referenced in such a way as clearly to indicate at the outset of the search whether specific information capable of amounting to personal data [] is held within the system and, if so, in which file or files it is held;

(ii) [The filing system] has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located.

Even though “whether a particular file or files will amount to such a system is necessarily fact sensitive,” the English Court’s hypothetical is instructive. Manual records must be “of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system”; if the person searching the data has to “leaf through files, possibly at great length and cost”, this “bears… no resemblance to a computerised search.” The upshot is that hard copy records can be handled without regard for data protection standards so long as they are not individually labelled by identifying information that allows the searcher to recall a specific file in an instant, as one might do with a digital catalogue.

Durant was swiftly followed by two lower English courts, illustrating the ramifications of restrictively defining what constitutes a filing system. In one case, a medical negligence claim was thwarted because the crucial documents “were non-electronically stored” but “retained only in manual form.” In the other case, the plaintiff was unable to gain access to “unstructured bundles kept in boxes” held by a bank because a “non-computerised manual system is only to be treated as data if the filing system is sufficiently structured to allow easy access to information specific to the data subject.” The English High Court rejected a further argument: the “once processed always processed” theory. The argument ran that even though the data was no longer capable of being automatically processed, so long as it was automatically processed at some point in the past, then the data controller cannot circumvent his obligations by consciously retaining the information only in hard copies thereafter. Emphatically, the court held that “the question of whether information is data has to be answered at the time of the data request”. To hold otherwise would amount to “destroy[ing] the distinction between information processed by automatic equipment and information kept in relevant filing systems,” and this was a result envisioned by the Directive and the UKDPA, “[f]or better or worse.”

It is thus evident that the U.K.’s interpretation of its data privacy obligations under the Directive does not give individuals asserting privacy rights a leg to stand on. By limiting what counts as a “relevant filing system”, the U.K. Parliament—and the courts, in giving effect to its legislative intent—has wrongly focused on how information is stored, rather than what information is being stored. In so doing, the UKDPA eschews the classic definition of information privacy, which is (as per Alan Westin) “the claim of individuals… to determine for themselves when, how, and to what extent information about them is communicated to others”—a result that surely disappoints the EU’s objective behind the Directive: to protect the right to privacy with respect to the processing of personal data.

B. Problems at The Source: Article 2(c) of the Directive

On the one hand, the U.K. regime is perhaps reflective of the fact that there is no freestanding constitutional, common law or statutory right to privacy in the U.K. However, the stronger view points the finger at the Directive, which “clearly leaves considerable scope for Member States to determine the extent to which manual records should be brought within the scope of their implementing legislation.” By failing to adequately guide, or perhaps constrain, the EU member states in their domestic legislative process, the Directive was doomed to fail when it came to hard copy filing systems. Yet, one could attribute this flaw to the unsophisticated state of technology when the Directive was enacted.

However, despite the 20-odd years between the Directive and the EU’s new General Data Protection Regulation (the “GDPR”) (effective in 2018), the latter is equally flawed. Because a Regulation has binding force and can be invoked by individuals against a private party (and not only the government), the EU had a golden opportunity to plug the holes that doomed the Directive and to force this standard onto its member states. But it utterly fails to do so—its purported scope is identically restricted to manual records that “form [] or are intended to form part of a filing system,” and the GDPR’s definition of “filing system” is identical to that in Art. 2(c) of the Directive. The current state of affairs in the EU is aptly summed up by two practitioners:

An unstructured box of hard copy case files arranged by year only (and not labelled by name or any other identifier specific to any individual) would not be a relevant filing system. Data contained in the documents within that box would fall outside the scope of EU data protection law, until such time as those data are structured or processed for another purpose.

C. The View Across The Atlantic: The U.S. Privacy Act

The EU is not alone in using a statutory definition that frustrates the data protection objectives of the statute. The U.S. Congress made a similar error in enacting the Privacy Act, which prohibits governmental agencies from disclosing certain personal information contained in a “system of records” without the individual’s consent. In turn, “system of records” is defined as “a group of any records [] from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” Thus, the Privacy Act only applies to information maintained in a form searchable by reference to the individual.

The Privacy Act has been interpreted to that effect in a variety of circuits. In Bechhoefer v. U.S. Dept. of Justice, even though a law enforcement official had in his possession a letter allegedly containing the plaintiff’s false claims against the sheriff’s office (for which he was prosecuted), disclosure of the letter did not violate the Privacy Act because it had not been stored in a “system of records.” It was not classified under a manual or electronic filing system and not retrievable by reference to the plaintiff, and in language strikingly similar to that when the UKDPA was passed, the court held that “the only way [defendant] could locate it was to leaf through his drawer.”

In so holding, the Second Circuit took the same position as the Fifth, Sixth, Tenth and Eleventh Circuits. However, the Tenth Circuit gave a warning that applies with equal force to the EU data privacy regime: “an unscrupulous person may try to mask a record properly subject to the [statute] by labelling it with a generic code word that effectively acts as a personal identifier.” It is one thing to escape the EU’s data privacy requirements by maintaining only hard copy records, because in that situation, the data controller is presumably unable to sift through the data as quickly as he could if he could sort the data by identifying information. But the legislation is rendered totally ineffective if companies and employers are free to mark personal data with disguised identifying particulars. Again, this illustrates the doctrinal shortcoming of legislation that fails to focus on the data subject’s expectations in relation to the data. While it would cause some confusion and it would take time for a coherent body of case law to bring clarity, the EU would be better off by enacting, for example, a regulation that imposes data privacy standards whenever the data subject would have a reasonable expectation of privacy. By instead tying data processing restrictions to how the data is catalogued or whether the data is retrievable, the EU has deprived individuals of “the right to exercise at least a measure of control over the collection and use of personal data.”

The D.C. Circuit’s case law exposes another flaw in the Privacy Act’s wording. Because the statute only covers a system of records “from which information is retrieved by” an “identifying particular”, the D.C. Circuit requires not only “retrieval capability” but also that “the agency must in practice retrieve information by personal identifier.” Arguably, this is an overly technical reading that hinges on the fact that the statute does not read “system of records from which information can be retrieved by an identifying particular”, but the EU Directive suffers from a similar flaw. The latter defines a filing system as “any structured set of personal data which are accessible according to specific criteria.” An astute advocate could thus argue to the European Court of Justice that the Directive does not apply even if a manual filing system has retrieval capability because the data controller does not in practice retrieve files based on these specific criteria.

D. Judicial Interpretation to The Rescue?

Barring a legislative solution, which the EU has in any event missed because the GDPR does not improve on the Directive’s language, it might be left to judges to ensure that this data privacy statute does not become redundant. After all, if the stated objective of the Directive is to “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy,” then it is not unreasonable for the European Court of Justice to interpret the Directive more expansively. And there is precedent for this: before other directives had been transposed into domestic law by member states, courts in those states were exhorted by the European Court of Justice to interpret their existing national law in light of the wording and purpose of the directive in question.

What might this look like in practice? A U.S. court has shed some light on what can be done, through its interpretation of the Privacy Act to require only retrieval capability but not a practice of retrieval by the agency:

[W]e believe it is more important in this posture to be animated by the spirit of the Privacy Act. The foresight exhibited in the Act’s raison d’etre, to provide for protection against possible abuses of governmental power to affect an individual’s privacy and confidential information, has become only more manifest as our society enmeshes itself ever more deeply into the Information Age.

Applying these principles, courts of the EU or the EU member states should look to the spirit of the data privacy legislation before them. Even if hard copy files are not technically being stored as they would be in a computerized database, the reviewing court should ask itself whether the reasonable data subject is entitled to a right to privacy in this situation and balance this against any interest the data controller has, in order to reach the just result. It should not simply take the Directive’s underwhelming definition of “personal data filing system” at its word and find that the Directive is simply irrelevant to the situation at hand. Only then would courts avoid “focus[ing] on the trees at the expense of the forest” and reaching an absurd result even though the text does not clearly demand such an interpretation.

IV. Conclusion

It is perhaps counter-intuitive that, in the digital age, the way to escape data privacy obligations is to go back to basics and maintain sensitive information in hard copy records. But this under-noticed loophole can make all the difference, especially in the context of data transfers to a country outside the EU. While the non-EU recipient of the personal data in such a situation has to comply with the provisions of the Directive, the recipient can ignore the Directive when dealing with an unstructured box of hard copy files, however sensitive the information contained therein might be.
