Data Protection in the Online Age

Abstract

The underlying thesis challenges the current approach adopted by the Data Protection Directive (DPD) and the Directive on Privacy and Electronic Communications 2002/58/EC (DPEC) towards the protection of privacy/personal information online. The thesis uses the recent Council of Europe Report into Informational self-determination in the internet era to measure the adequacy of the data protection framework. The model examines subjects that should be considered by the DPD and DPEC including the interpretation of personal data; approaches to sensitive data; interpretation of journalistic purposes and the interaction of the DPD and DPEC.Part One of the thesis examines the data protection framework, as provided by the DPD and DPEC. The main issues covered include the interpretation of “personal data”; current categorisation of “sensitive data”; the interpretation of “journalistic purposes” in the context of weblogs within the online environment and the lack of legal protection for legal entities under the DPD. The interaction between the DPD and the DPEC is also considered. Another problem identified include the competing values between the protection of privacy and freedom of expression/information on the internet. Are these values reconcilable or has the internet blurred the distinction between the traditional media and new forms of publishing? The thesis critiques the current approach to sensitive data under Art. 8 to the internet and questions whether there is a need to change this. More specifically, the author considers two alternative approaches towards sensitive data. These are the purposive and the contextualised approach.Part Two of the thesis then considers the data protection laws of Sweden, Germany and the UK, examining the extent to which their laws protect privacy online. The study found that there were varied interpretations to the transposition of Art. 4 (on the law to be applicable) of the Data Protection Directive by Sweden and Germany. In addition, it found that there was no official guidance issued by the respective Data Protection Authorities of Germany, Sweden and the UK towards the concept of “clickstream data” and whether this constituted personal data. Part Three of the thesis argues that the current data protection framework does not adequately protect privacy and contends that it is with respect to groups, legal persons and virtual identities that privacy protection is most inadequate. The framework should be rebalanced to deal with the subject of sensitive data, misuse-orientated approach and freedom of expression.