November 24, 1998

PINNING DOWN PRIVACY IN SWEDISH DATA COLLECTION LAW

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—A university department in Sweden threw Internet users into intense speculation last month by posting a bold statement on their Web site that, “Due to a new Swedish law…we are no longer allowed to publish archives of our discussion lists.” The fall-out from this protest, at the Web site of the Göteborg University Faculty of Arts, indicts not just Sweden’s privacy protection law, but a European Union directive intended to change the way the world approaches data sharing.

Civil libertarians around the world scratched their heads as mailing lists passed on the news. Was the statement just a flamboyant and manipulative gesture by one system administrator trying to undermine a laudable public policy?

Apparently not. Even before the new, strict law was passed, journalist Christoph Andersson wrote about a small town called Gällivare that ran into draconian limitations on online publication.

Writing for the Swedish Union Magazine Statstjänstemannen and the PUL Web site, Andersson records how the town tried to put public documents on the Internet. The documents recorded such matters as scholarships awarded, debates over drain systems, and other issues that one would not consider particularly private. Since the government served a geographically dispersed and sparsely populated Northern region, making the information available on the Internet was clearly a public service.

Andersson goes on to recount how a public prosecutor brought a charge against the board publishing the material. Under a 1973 privacy law, the documents could not go online unless all names and other identifying information were removed.

According to the prosecutor, one could publicize that a debate over drains took place, but not which citizens engaged in the debate. Only public officials could be listed by name. Eventually a compromise was worked out so that citizens’ names could be listed once they gave their permission.

But Andersson lists several other communities where the law has had a chilling effect. And the new “Personal Registry” law is supposedly even stricter.

There are certainly forces among large direct-marketing firms who would like to weaken data privacy laws. But these forces are unlikely to include academics like the Göteborg University Faculty of Arts or independent journalists like Andersson.

So the best assumption is that something is wrong with the new Swedish law. Privacy advocates are now wondering whether simple clarification is needed from the Swedish government, whether the legislature put too strict an interpretation on the European Directive that inspired the law, or whether a basic philosophical flaw underlies the Directive itself.

The last conclusion is extremely unlikely. The wording of the European Directive was intensely debated and carefully examined; it reflects some 25 years of legal experience. Data privacy laws have been in place all over Western Europe for decades.

Swedish computer scientist Jacob Palme, who specializes in the use of computers to improve communication, writes that the law goes farther than the European Directive was meant to go. The intent of privacy laws is clearly to keep companies and governments from creating databases of information that could be used in discriminatory or abusive ways.

Strong rules govern the collection of information: the subject has to consent, the information must not be used for any purpose other than that consented to, and the information must be deleted when it is no longer needed for that purpose.

But the Swedish Personal Registry law restricts the online dissemination of any information about anybody. Now the rules that were meant to limit faceless databases can be interpreted to stop legitimate online debate. Anyone criticizing someone else on a mailing list could face criminal prosecution on the same grounds as the town of Gällivare. Archives, which many mailing lists automatically create, are particularly at risk because information is never deleted.

The current law does create exemptions for journalists, artists, and authors, but these are too narrow to cover free-wheeling discussion on newsgroups and mailing lists.

Mailing list administrators can avoid some liability by making all list members send in statements that allow their work to be distributed and archived. This exempts list members from the law, but does nothing to solve the problem of messages that refer to people who are not on the list.

Palme’s solution is to be more specific about what data is restricted; don’t create a blanket law that is subject to misinterpretation. “Make a law which specifies certain classes of infringement…This may mean that the law will have to be modified/extended at certain times.”

But it’s hard to draw a clean line between uses of information we like (criticizing opponents’ behavior in public) and uses we don’t like (tracking people’s personal habits). For instance, it would be simple to write a law restricting “collections” of information, but a mailing-list archive is a collection. In fact, one could call the whole Internet a vast collection, in which various servers hosting decades-old information are searchable through automated Web crawlers.

I was surprised myself to find out what the vast Internet database knew about me when I performed a search for my name. It turns out that, if my biography were being written from Web searches, no one would know about my short stories or my technical books for O’Reilly & Associates or even the many position papers I’ve released for CPSR.

Instead, what people would find is an obscure contribution I made to the documentation of a free software library, which happened to get onto the path of the search engines. I had totally forgotten that I had worked on this project—and luckily it was nothing that embarrassed me. Someone else may be less lucky: their employer may find questionable statements they made on some political mailing list as a brash young student 20 years ago.

Palme posits an incompatibility between privacy and free speech. An even more challenging position is stated by noted libertarian Solveig Singleton in a paper written for the Cato Institute, “Privacy as Censorship.”

In this market-oriented view, information belongs to whoever collects it. Thus, the sporting goods store that sells you a fishing rod has a perfect right to tell other companies that might want to offer you a deal on outdoor equipment.

Philosophically, the Cato Institute is at the opposite pole from traditional privacy advocates like Deborah Hurley, director of the Harvard Information Infrastructure Project. Her starting point is that each individual should have control over his or her data.

Singleton’s argument is strong rhetorically but open to critique. “Although both private and government databases can be abused, the abuse of government databases poses a more serious threat for one reason: government controls the courts, the police, and the army. Marketing agencies compile lists primarily to sell us things—a nuisance, perhaps, but little more than that.” Tell this to someone who has been denied payment for a medical procedure because her insurance company has decided her history and lifestyle make her a poor risk.

Ultimately, the Swedish government will probably ease their Internet users’ fears by issuing clarifications that limit the scope of their law. But as governments around the world take steps to protect their residents from data tyranny, they should take into account the more general questions about information sharing and archiving in the modern digital world.


Editor, O’Reilly Media