Legal language often contains vague, general wording that actually means very little unless read in a specific context. But legal language also includes clear absolute statements from which no variation seems possible. This is the case when one examines data privacy law. Where used appropriately, the first type—the vague, general wording—is commonly found as expressions of principles that require a flexible interpretation. The focus on concepts such as ‘adequacy’ and ‘proportionality’ are clear examples of this. The second type—the clear absolute statements—are often (appropriately) found as expressions of fundamental rights. Both types of wording may, however, be problematic, as can be seen from the example of European Union (EU) data protection law.
Consider, for example, Article 24(1) of the forthcoming EU General Data Protection Regulation 2016/679:
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. (emphasis added)
Even where there is a strong and genuine desire to comply with such a rule, actual compliance can never be more than a guess made by those seeking to abide by the rule in question. Put differently, there is no realistic way to know in advance whether one is indeed complying with this rule or not. Thus, uncertainty lies ahead, potentially for many years to come.
Consider also Article 3(1) of the forthcoming Regulation (with its counterpart found in Article 4(1)(a) of the EU Data Protection Directive 95/46): ‘This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not’. Despite the fact that the Directive has operated with similar language for 21 years, and despite the voluminous discussions of the forthcoming Regulation, it remains unclear what is meant by the processing of personal data in the context of the activities of an establishment of a controller. In a Directive, this type of vagueness may perhaps be explained, to some degree, by reference to a desire to accommodate differing implementations amongst the Member States. However, such an excuse cannot be maintained in the context of a Regulation. For the Regulation, the vagueness appears instead to be the result of compromises being struck during the complex drafting process. Whatever the reason, leaving a clear interpretation of this phrase to evolve over time is not good lawmaking—clearer, more precise, language would have been helpful for several reasons. As noted by HLA Hart:
The principal functions of the law as a means of social control are not to be seen in private litigation or prosecutions, which represent vital but still ancillary provisions for the failures of the system. It is to be seen in the diverse ways in which the law is used to control, to guide, and to plan life out of court.1
Given the lack of precision in the language, and the lack of predictability that it creates, it cannot be expected that Article 3(1) of the forthcoming Regulation adequately allows us to control, to guide, and to plan life out of court. Indeed, the likelihood of it being interpreted uniformly among the EU Member States is slim, and a uniform interpretation among the data controllers and data processors governed by this rule is an impossibility until further clarification is provided in binding form.
Similar concerns arise in relation to various other parts of the Regulation, not least due to the fact that several key terms such as ‘transfer of personal data’ have not been given defined meanings, either in the Directive or in the Regulation.
A different type of problem can be found, for example, in Article 7(2) of the Regulation:
If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
The ambition behind this rule is, of course, commendable. However, data privacy law is often complex and the implications of acts such as transferring personal data overseas do not lend themselves to being explained ‘in an intelligible and easily accessible form, using clear and plain language’. What hope is there for the average individual to evaluate the ultimate implications of data processing no matter how clear and plain the language that is used? Thus, there is a troubling disconnect between what the rule in question is seeking to achieve and any result it realistically may hope to produce. In light of all this, there is little surprise in the findings of a recent survey indicating that: ‘[o]nly four percent of respondents outside of Europe said they are very knowledgeable about the details of GDPR, while just six percent of those in Europe said they are very familiar with the requirements.’2
But these issues do not only arise in legislation, and can also be found in expressions of how the law is being applied. Consider, for example, the following aspect of the Article 29 Data Protection Working Party’s interpretation of the (in)famous Google Spain judgment of the Court of Justice of the EU:
Although concrete solutions may vary depending on the internal organization and structure of search engines, de-listing decisions must be implemented in a way that guarantees the effective and complete protection of these rights and that EU law cannot be easily circumvented … . In practice, this means that in any case de-listing should also be effective on all relevant domains, including .com.3 (emphasis added)
This statement illustrates both of the language problems alluded to in the introduction. First of all, it is unnecessarily and troublingly vague in that it refers to ‘all relevant domains’ without providing any clues whatsoever as to what makes a domain ‘relevant’. It also contains unrealistically absolute language in that it refers to implementation that guarantees the effective and complete protection of these rights and that EU law cannot be easily circumvented. There is certainly only one form of implementation that guarantees the effective and complete protection of these rights: that is, delisting with worldwide effect. But then: (i) why the reference to all relevant domains? (ii) and what about the fact that such an approach sets a dangerous precedent internationally? If violations of local EU law must result in worldwide blocking what about content that violates local laws in North Korea or Russia? and (iii) given that the Google Spain judgment makes clear that the original content may remain online, the right expressed in the judgment is not aimed at guaranteeing complete protection in an absolute sense, so why insist on complete protection in a geographical sense?
Having said all this, we acknowledge that legal language must include both vague, general wording that may mean very little unless read in a specific context, as well as clear absolute statements from which no variation seems possible. The trick is, of course, to use these linguistic tools appropriately, and it may perhaps be argued that improvements still can be made in that regard as far as data privacy law is concerned. In fact, where the mentioned linguistic tools are used inappropriately, they lead to a kind of regulatory outsourcing through linguistic vagueness—the lawmakers capitulate, leaving it to the controllers to interpret and implement the vague rules to the best of their abilities, and of course, under the threat of being pursued by the data protection authorities, should their implementation subsequently be regarded as being inadequate.
It is impossible to ignore the irony of lawmakers and regulators using vague and often opaque language, on the one hand, while pushing controllers to communicate in more clear and understandable terms, on the other. Maybe data protection officials should take some of their own medicine to make data protection law more comprehensible, more predictable, and the protection it offers more certain.