1.
Introduction ^
When we speak of legal informatics in the broader sense, it is essential that any analyses we undertake of the legal impacts of IT bring societal development into the picture. Our digital environment and the information networks it relies on reflect more than the spectacular development of the tools. More than ever the role of networks signals that the society we live in has changed; we are now members of the Network Society. We have come a long way since the Information Society, and its e-government, which relied heavily on electronic tools. At least at this writing we live in the Network Society and in the age of information government. This fact is often overlooked when we operate with tried and true, but dated concepts. The very terms «Information Society» and «e-government» smack of times past and are burdened by the informational baggage of their age.2
2.
Some important basic concepts and principles ^
I will now begin with openness. We often view an open society as the democratic alternative to a closed, totalitarian one. There is no reason to dismiss this distinction between the extremes as such, which is rooted in principle and practice. Openness is an integral element of democracy, whether we are talking about Karl Popper’s (1902–1994) well-known conceptual distinction or the Lisbon Treaty. The Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community emphasises openness as one of the bases for how the Union works. Article 1 of the Treaty states: «This Treaty marks a new stage in the process of creating an ever closer union among the peoples of Europe, in which decisions are taken as openly as possible and as closely as possible to the citizen.» This is very well put.
The principle of openness has a far longer history in the Nordic countries. The first steps in that direction can be traced back to the eighteenth century in what was then Sweden-Finland. A freedom of the press law introduced at that time – albeit an ultimately short-lived one – was the handiwork of a Finnish representative in Parliament. We can thus justifiably claim that openness was originally a Finnish idea, not an exclusively Swedish one.3 The principle of openness is also a fundamental right enshrined in the Finnish Constitution, which reads: «Documents and recordings in the possession of the authorities are public, unless their publication has for compelling reasons been specifically restricted by an Act. Everyone has the right of access to public documents and recordings.»
Transparency is referred to in general as something that complements openness, and in particular as a crucial means for combating corruption. Indeed, we can undoubtedly say that in international debate the term has become synonymous with the prevention of corruption. Where there is extensive transparency, there is less room for corruption in its different forms. Not surprisingly then, the name of the international anti-corruption watchdog is nothing less than Transparency International.4
Here, I use the term in a more neutral sense, one embracing the range of efforts to increase openness in society. These necessarily include the importance of information and how it is processed in different activities. As Silvia Kirkegaard has astutely put it: «The best advice that any government can be given today is to ensure that transparency is firmly embedded into its processes.»5 In fact, one now hears talk of society’s information policy. There is every reason to pursue the issue.
The third important or, rather, essential, basic concept to consider in this connection is privacy. This has been and still is a very difficult legal concept. Frequently one sees complaints, even in the legal literature, that legislation mentions privacy but does not define the term in detail. Like the fruits of Tantalus, privacy eludes our grasp just when we think we know what it is. Law often looks for new definitions and goes on to use these in its work. But in the case of privacy, it has been hard to find an appropriate way to elaborate a detailed definition. The reason for this difficulty is straightforward as such. Privacy is a concept describing the relationship between an individual and society on a general level. In the realm of philosophy, this basic idea was illustrated by Plato no less when writing how the soul and its substance are hidden from the gaze of others.
It is important to notice that only very rarely does our right to privacy allow us to withdraw completely beyond of the reach of other actors. There can be no complete privacy in a democracy. However, extensive privacy is the objective in principle when considering the ways in which we might realise our right to self-determination. It is unequivocally also the aim to pursue on the level of human rights. Similarly, any breach of privacy requires a justification in the law. Lord Denning, quoting William Pitt, once expressed this most compellingly: «The poorest man may in his cottage bid defiance to all the force of the Crown. It may be frail; its roof may shake; the wind may blow through it; the storms may enter, the rain may enter, – but the King of England cannot enter; all his forces dare not cross the threshold of the ruined tenement!»6
When we speak about privacy in today’s Network Society, we absolutely must direct special attention to the issue of personal data protection. We are accustomed to seeing it as part of the protection of privacy, and this is indeed still the case in Anglo-American legal culture.7 Things are different in the EU. Today, the right to personal data protection is a fundamental right in Europe. The European Charter of Fundamental Rights, which came into force pursuant to the Treaty of Lisbon recognises the right to personal data protection as one of our fundamental rights.
But this is not the whole story. Personal data protection as a fundamental right has also become distinguished from privacy. Personal data as such are in principle always somehow linked to our privacy. They tell about an individual and his or her characteristics. But personal data are processed as part of the corresponding fundamental right. Accordingly, the European Commission’s proposed new Data Protection Regulation says essentially nothing about privacy.8 The basic term is the protection of personal data. Whenever personal data are processed, it happens in the scope of that fundamental right and the related legislation. The language and the mind-set have changed.
In addition, I must say a few words by way of justifying my conception of the Network Society. I originally delved into the concept as it was interestingly presented from the point of view of communication by Jan van Dijk back at the beginning of the 1990s. He realised at the time that a new information infrastructure might arise. Today, we have seen his work published quite deservedly in a third, revised edition, in an era when the information infrastructure he predicted is with us.9 In legal perspective, this infrastructure clearly encompasses our privacy in the Network Society. This is a positive development as such.
In addition to looking at the Network Society in sociological and communicational terms, we must subject it to legal scrutiny. We need to speak of the Legal Network Society. It is the society we see in the era of the modern constitutional state, a society in which the very exercise and protection of our fundamental rights increasingly take place on information networks. The development of technology and the development of the constitutional state inevitably meet. This is where legal welfare comes into the picture. The use of information systems should contribute to the development of the constitutional state. When we talk about welfare, we should not overlook the aims of legal welfare; yet, this is often what happens. Legal welfare seems to be left out of the societal welfare discussion.11
3.
The legal planning of transparency ^
Today it is time – actually it has been time for a long while – to say goodbye to the e-government we had that was based on an IT-as-a-tool mentality. Government in the Network Society is information government13. We are reliant on information systems and information networks. Good government is not merely a matter of procedure, of how things are done. It is also, and above all, well-designed, sound data processing in high-calibre digital operating environments. In that design and those environments, the legal perspective is the starting-point for everything. We can and should speak of the legal planning of information systems. Where legal planning is lacking, we may encounter rather odd and revealing situations, ones that expose the attitudes of officials in baffling ways. I will illustrate this through two rather regrettable examples from Finland. The first involves document management in the police and the second the work of the highest-ranking body of experts dealing with patient injuries, the Patient Injuries Board.
The second example illustrates a technically outdated procedure and the dubious approval it enjoys under the law. It involves a case where the Patient Injuries Board refused to supply decisions made in its plenary sessions to a law firm that had requested them.15 One reason was that the decisions had been written with the personal data crossed out in a manner that made the decisions hard to understand. The structure of the document had not been planned with transparency in mind. Another reason for the refusal was that reviews of the cases by two experts in medical journals, the publication of the reviews by a commercial publisher in a database and use of the reviews at training sessions were seen as fulfilling the duty imposed on authorities by the Openness Act to produce and disseminate information. In terms of Legal Informatics and document logistics, this ruling is nothing short of unbelievable. The Patient Injuries Board did not comprehend the importance of document logistics when making its decisions and, in addition, the Supreme Administrative Court was not familiar with our right to information – the correct, original information; edited information is another thing. This simply should not happen in a constitutional state in Europe.16
These cases reveal not only the attitudes at work but also the basic problems associated with static documents. A paper document is basically static, the same no matter where and how it is used. It can be altered by covering information or preparing extracts. However, alteration of a document has been regarded as an exception to the main rule, an act requiring extensive justification – preferably regulation.17
One prospect where the development of the digital operating environment is concerned has long been the idea of having a paperless office.18 In public administration this is connected with decision making and the notification of decisions that are verified by electronic signatures and, ultimately, electronic archiving. The EU Electronic Signatures Directive was undoubtedly one of the impetuses for the extensive development that began in the 2000s. For example, in November 2010, the Ministry of the Interior was the first ministry in Finland to change over to electronic document management. A hard copy of an administrative decision can only be obtained on request.
4.
Planning the path of information ^
In examining the path that information takes in the Network Society, it is helpful to distinguish at least five basic factors: content, access, delivery, usability, and information security. The right information must be in the right form at the right time and available in the right manner to those who have a right to use it. These aims are, in principle, straightforward and, indeed essential in a democratic constitutional state. But in practice they are sometimes difficult to implement, above all because legal planning is sketchy, planning is downright lacking and even the required know-how is not there. Adding to the problem is that IT planning has generally been specific to each branch of administration. Narrow scope experts have been responsible for projects.19
It would be misleading, even downright wrong, to claim that these issues have not been given any attention. In fact, legal informatics can boast a long history of addressing them. There was the work that was done already in German legal informatics in the 1970s or the Nordic research of the 1980s. Yet these all predate the Network Society and today’s constitutional state. Needless to say, the efforts mounted in the 2000s to achieve interoperability in the administrative services in Europe also merit our attention. The EIF and EIS programmes have shown that interoperability has been promoted through recommendations.20 In Finland, the approach taken was legislation – the Act on Information Management Governance in Public Administration – which came into force in 2011 and whose particular objective is to promote interoperability and systems architectures as a whole.21
The background to the Act is straightforward: the extensive incompatibility of software applications and the use of data systems in the public sector that resulted from old fashioned, e-government thinking. This has been particularly visible and harmful in social welfare and public health care. In that sector, the independence of Finnish municipalities had resulted in there being a wide variety of information systems and software acquisitions. However, the law itself has an unfortunate cosmetic defect: it defines information management as a support activity only.22
Information management in the constitutional state cannot be allowed to take place on a case-by-case basis. Likewise, we cannot allow the protection of personal data to be jeopardised because the lack of regulation causes an otherwise protected digital document to be printed out and registered as a whole, for anyone to access, in the name of openness. Legal planning should cover the path information takes as comprehensively as possible. Transparency thus necessarily plays an essential role in planning. We have to answer the question, «What kind of information do we produce and use?» We are not entitled to hide public information artificially in invoking the protection of trade secrets or privacy. This is what has occasionally happened where case-by-case discretion has been the approach. In addition, when things are done manually, we have seen that those processing data either lack the requisite skills or have poor skills when it comes to balancing different values and rights. We can also, like Shima Baradaran, speak of «blind balancing», in which attitudes regularly steer things in the same direction without taking seriously all relevant information.23
This proposition of mine might raise suspicions that I am urging a return to the 1980s and 1990s, when expert systems were proffered as systems that could replace human decision-making.24 This is of course not what I have in mind; far from it. Here I see expert systems as tools that support decision making where appropriate, when there is a need to proceed from a legally well-planned standard solution to an individual case; and in such cases the program would only present the available options, seals or marks and the grounds for them.25 Data protection by design and privacy by design are effective approaches for reducing administrative burden only where their implementation includes a functional informational environment that supports decision making. Openness, access, interoperability and surveillance will be properly realised only in environments offering legally well-planned, secure information systems. As information travels its prescribed path in the Network Society, every situation allowing open discretion is a risk.
I mentioned at the beginning that I would also express my position on surveillance in the constitutional state. I will now do so briefly. We can gain insights into surveillance, perhaps best-researched in sociological terms in our time by David Lyon, if we divide it into three types: good surveillance, bad surveillance and surveillance between states.
Good surveillance and monitoring is, in simple terms, the supervision carried out to maintain the functionality of democracy. It is the essential oversight that ensures the realization of human and fundamental rights. In this form, it is one of the basic principles of the law of personality.26 It is also crucial, because transparency cannot be an absolute value that is invoked without due justification to interfere in an individual’s right of self-determination.
5.
Summary ^
Ahti Saarenpää
Professor Dr., University of Lapland, Institute for Law and Informatics
Box 122 96101 Rovaniemi, Finland
- 1 An example of regulated surveillance, albeit a sharply criticised form, is the signal intelligence practiced in Sweden by FRA, the National Defence Radio Establishment. However it is openly regulated.
- 2 See more for example Saarenpää, Data protection in the network society – the exceptional becomes the natural. In Galindo, Fernando (ed.), El Derecho de la sociedad en red 2013.
- 3 For more on the recent development of Nordic openness in Finland, see Erkkilä, Reinventing Nordic Openness: Transparency and State Information in Finland. The author demonstrates that traditional openness has in many respects been transformed into an openness that requires economic efficiency.
- 4 Finland has been considered one of the world’s least corrupt countries. One factor contributing to this is the government’s strict adherence to legalism; the principle is even enshrined in the country’s constitution.
- 5 Kirkegaard, Open access to public documents – More secrecy, less transparency! Computer Law & Security Review 2009 p. 26.
- 6 Lord Denning (1899–1999) in Southam v. Smout (1964).
- 7 Dan Svantesson is one of those, who use the concept data poivasy See more in Svantesson, Extraterritoriality in Data Privacy Law pp. 25.
- 8 The term occurs only twice in the draft Regulation sections and it is not found in the section setting out the objective of the instrument: Section 1.2: This Regulation protects the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
- 9 Van Dijk, The Network Society, 3rd edition (2012).
- 10 Some of the slow processing experienced can no doubt be attributed to users» attitudes but the chief problem has been the badly designed user interface.
- 11 See more Saarenpää, Legal welfare and legal planning in the network society pp. 47–69. In Barzallo/Valdes/Reyes/Amoroso (eds.), XVI Congreco Iberoamericano de Derecho e Informática, Tomo I (2012).
- 12 A graphic example of Finnish practice is a case submitted to the Parliamentary Ombudsman, who issued an opinion in response to the complaint stating that it is not permissible to mark an individual’s personal identity code on documents solely because the information system being used requires it. See eoak 1777/2008.
- 13 Information government is a legal concept which has been brought into the public debate most compellingly by Victor Mayer-Schönberger and David Lazer. It is a good concept.
- 14 This case is also a good example of how the Ombudsman system in Finland has grown to become an important one for overseeing the observance of human and fundamental rights.
- 15 Finnish Supreme Administrative Court (KHO:2013:28).
- 16 Professor Jukka Kemppinen’s snide blog remark to the effect that there are judges who should never be allowed to take pen in hand was borne out in the extreme.
- 17 The Finnish Personal Data Protection Act has an express provision stating that hard copies should not needlessly display personal identity codes. The provision reflects the idea of a dynamic document. See more already David O Stephens in Records Management Quarterly, vol. 32, 1/1998.
- 18 The slow pace of this development is insightfully discussed by Sari Yli-Kauhaluoma/Mika Pantzar/Sammy Toyoki in their article Mundane materials at work. Paper in practice. In Elizabeth Shove/Nicola Spurling (eds.): Sustainable practices: social theory and climate change. London: Routledge. Routledge Advances in Sociology 2013: 69–85.
- 19 From the German point of view Klaus Lenk has written that Germany has good software engineers, but hardly any organasional experts who could be able to analyse what to do. See Lenk, The nuts and bolts of administrative action in the information age pp. 235. In Snellen/van der Donk (eds.), Public information in an information age. Revisited (2012).
- 20 See Schartum, Sharing Information between Government Agencies: Some Legal Challenges Associated with Semantic Interoperability, pp. 347–361. In van der Hof/Groothuis (eds.), Innovating Government and the ISA programme, at ec.europa.eu/isa/index_en.htm.
-
21
Section 1 states: «The purpose of this Act is to improve the efficiency of activities in public administration and to improve public services and their availability by laying down provisions on information management in public administration and on promoting and ensuring the interoperability of information systems.» See more at www.vm.fi/vm/en/03_press_releases_and_speeches/01_press_releases/20121019Firstc/
julkictstrategy_EN_20121031.pdf. - 22 «In this Act, 1) information management in public administration means support activities that ensure the performance of public administration tasks and make use of the methods and means of information and communication technologies».
- 23 See Baradaran Rebalancing the Fourth Amendment, The Georgetown Law Journal, Vol 102:1. Baradaran is of the view that in the United States cases, a lack of information, among other factors, results in cases of privacy being regularly decided in favour of the government.
- 24 At its most trivial, a misdirected faith in expert systems appeared in AATU, a system used in Finland to calculate housing subsidies. When it was being built, there was firm belief that legal rules and the logical rules used by expert systems were similar. The rules of the software were formulated by interviewing experts; knowledge engineers. The software itself was intended for use by staff with less education; all the relevant know-how need was, so it was claimed, programmed into the system.
- 25 Cfr. recital 77 in COM(2012) 11 final : «In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.» This can be one solution of the so called multisensory law idea sketched by Colette R. Brunschwig.
- 26 See more in Saarenpää, Personrätt – integritetsrätt pp. 41–58. In Bärlund/Nybergh/Petrell, Finlands civil- och handelsrätt : en introduktion (4p 2013) (in Swedish).
- 27 As Finnish law has no special provisions on surveillance, drafting of the requisite legislation in has begun in connection with work on the country’s cyberstrategy. The first proposals to this end, drawn up by government civil servants, have met with exceptionally harsh criticism from experts on fundamental rights.
- 28 A decision in principle taken by the Finnish Government in March 2011 to make the use of public digital materials largely free of charge on information networks will improve the chances of detecting information that points to abuses. In sophisticated legally planned information systems that information is in a form that respects the individual’s rights.