The governance of decision-making algorithms is now a pressing issue across many fields of law and policy. Yet, given the technical opacity of advanced data analytics, finding ways to ensure meaningful transparency and sustainable accountability is currently, at best, a work in progress.
New governance tools are widely debated, such as independent algorithm assessment authorities, but have yet to emerge. In such circumstances, the immediate focus is on existing information access rights and disclosure duties, including in particular those available through data protection (‘DP’) and freedom of information (‘FOI’) laws.
The turn to DP and FOI access rights and disclosure duties to help secure algorithmic governance is an unmistakeably improvised solution. DP laws focus on the data subject’s right to fair use of his or her personal data without directly addressing broader societal concerns about data uses. FOI laws, on the other hand, are limited to designated public authorities, which excludes many users of decision making analytics, and only compel the disclosure of information, not the provision of explanations. In short, neither DP nor FOI rights and duties are sufficiently broad or penetrating to ensure effective transparency and scrutiny of algorithmic decision making processes.
DP and FOI laws are, nonetheless, the most adaptable options available in the small toolbox of enforceable information access rights. The innovative convergence of DP and FOI laws in this area should, moreover, come as no surprise. Their operative elements are not only based on a similar original model of access rights and corresponding disclosure duties, but both fields were born out of closely related policy concerns. As the western democracies transformed into post-industrial information economies, reformist policy and law making began to focus on problems of opacity, illegality and unfairness in complex governmental and commercial decision making. DP and FOI laws emerged out of those concerns and have developed in parallel.
This is certainly evident in the Council of Europe’s work in both areas during the 1970’s. Recommendations to member states to create legal rights of access to government information cited the Council’s 1974 Resolution concerning data protection access rights in the public sector as well as the U.S. Freedom of Information Act of 1966 and Privacy Act of 1974, which both created access rights to records held by federal government departments and agencies. In 1974, the U.S. Congress in fact not only passed the Privacy Act but only a month earlier overcame a presidential veto to pass major amendments to the 1966 FOI Act to create rights of recourse to the courts and improve its procedural effectiveness.
Since those formative years, DP and FOI laws have developed along markedly different paths. Nonetheless, it is widely apparent that their structural similarities and overlapping rights and duties have created parallel and even duplicative effects. It has, for example, been evident for some time that data subject access requests are used for purposes unrelated to privacy interests or the fair use of personal data. This includes their use as a pre-litigation tool to secure initial evidence of wrongdoing. The CJEU and member state courts have resisted such unintended uses at the boundaries, but they remain routine practice. On the other hand, FOI laws are intentionally purpose blind, aside from vexatious abuse, readily lending themselves to a host of information access purposes. For public authorities, there are consequently often few practical differences between a DP and an FOI request.
It is consequently important to distinguish the essential differences between DP and FOI from those that primarily reflect their different paths of development. The emergence of DP as a major field of EU law has, for example, no doubt changed its character as it is now geared to the general principles and enforcement methods of EU law. Yet, its basic model, taken from the Council of Europe’s Convention 108 and earlier work on DP law, remains intact. Core similarities in DP and FOI access rights and disclosure duties therefore remain, despite the fact that EU law currently leaves FOI to the member states. Indeed, the recital justifications given for the adoption of the Environmental Information Regulation, the notable exception that transposes Aarhus Convention environmental information obligations into EU law, indicate that further EU instruments regarding FOI are also justifiable.
In seeking to better understand the relationship between DP and FOI laws, the best place to look is in the tangle of European fundamental rights concerning information access and disclosure. In this sphere, DP rights and obligations are currently moving in opposite directions. Within the EU, the inclusion of a novel right to personal data protection in the Charter of Fundamental Rights (‘CFR’), sitting alongside the established right to privacy copied from the European Convention on Human Rights (ECHR’), created a potential circuit breaker between the extensive reach of DP rights and core concepts of privacy. That does not suggest that the CJEU has excluded major DP principles from the scope of the CFR privacy right. Nonetheless, the CFR personal data protection right, with its focus on the fair use of personal data, can better absorb ongoing extensions of DP law into discriminatory effects and other consequential harms. The universality of that focus also builds a bridge towards the goals of FOI law.
The European Court of Human Rights (‘ECtHR’) is, however, moving in a different direction, embracing the entirety of DP principles and applications within the scope of the ECHR Article 8 right to privacy. In decisions such as Gaskin and Guerra, the Court had established by the late 1980’s that Article 8 could create access rights to information held by public authorities. The ECtHR followed that development by establishing in its 1990 decisions in Amann and Rotaru that the principles of DP law correspond to the scope and meaning of the Convention right to privacy.
The fruition of that absorption of DP law into Article 8 is apparent in the recent decision of Catt v. United Kingdom, which concerns retention of identity information in police records. In this judgement, the Court demonstrated the full interdependence of Article 8 and DP principles, even chastising the English courts for failing to treat the case primarily as an interference with DP rights. Given the increasing extension of DP law, it would seem that at some point ECHR Article 8 will need to stop feasting indiscriminately on DP law.
The privileged place of DP law in European fundamental rights is in marked contrast to FOI law, which is barely tolerated within the scope of the right to freedom of expression. In the UK, for example, the Supreme Court made clear its objections to recognition of freedom of information rights within the ECHR right to freedom of expression in Kennedy v. Charity Commission, in which Lord Mance stated that, “Article 10 would itself become a European-wide Freedom of Information law. But it would be a law lacking the specific provisions and qualifications which are in practice debated and fashioned by national legislatures according to national conditions and are set out in national Freedom of Information statutes.”
The ECtHR had initially adopted a similar position in Leander, finding that Article 10 does not confer on individuals a right of access to information. More recently, however, the Grand Chamber clarified growing divergences in its the Court’s case law on access to information under Article 10. In Magyar Helsinki Bizottság, the Court affirmed Leander, but also laid out limiting criteria for individuals or entities acting in public or social watchdog roles that may potentially enjoy an Article 10 right of access to information. The Court did not embrace the Council of Europe’s soft and hard legal instruments concerning FOI in any manner similar to its embrace of the Council’s similar DP instruments within Article 8.That would plainly have gone some way to answering Lord Mance’s objections.
The distinctions that once might have justified the different status of FOI from DP law in European fundamental rights are of diminishing importance. In different ways, DP and FOI law are increasing in scope and overlap. The DP concept of ‘personal data’ is expanding as technologies enable identification of individuals through a widening range of data, which in turn extends DP rights and duties further into the information processed by data controllers or processors. On the other hand, as the Information Commissioner has argued, rigid public private distinctions limiting the application of FOI law need to be re-considered in light of the widespread outsourcing of public services through private or not-for-profit bodies. In short, more kinds of information and more entities are likely to become subject to both DP and FOI access rights and disclosure duties. Those rights and duties, moreover, are now similarly onerous and burdensome.
The point here is not to argue that the EU should harmonise national FOI laws or that the ECtHR and CJEU should now embrace FOI principles and rules within the fundamental right to freedom of expression. Those things may well occur. The more important point, however, is that despite different paths of development DP and FOI information access rights and disclosure duties have durable similarities, which are reflected in convergent applications. At a time when information law is poorly equipped to address the growing challenges of algorithmic decision-making, DP and FOI laws will be a mainstay for societal efforts to achieve meaningful transparency and scrutiny of algorithmic decision-making. While respecting their necessary differences, more systematic and coordinated uses of DP and FOI law to that end are essential.
Perry Keller is Reader in Media and Information Law at King’s College London