Government in court over failure of “duty of care”

Grand_Hall_de_Justice_de_Palais_de_La_Paix_à_La_Haye_Pays-BasOn June 24th a Dutch court sided with environment campaigners, ruling that the state has a “duty of care” for its citizens which requires it to “mitigate as quickly and as much as possible” the risks of climate change by reducing greenhouse gas emissions, regardless of failures to each strong international commitments. What might the implications of such a ruling be for other areas of social-economic policy such as the issues of privacy and citizen rights in the digital economy?

Before we go on, important disclaimer: I am not a lawyer and the following is simply a lay person’s musings.

There are three areas of concern in the online space, each intricately connect to the other, which seem like they could trigger a class-action court case against the government: the erosions of privacy (or control over private data); failures to safeguard that elicited consent is properly informed consent; and impenetrable (due to length and/or language) nature of non-negotiable “Terms and Conditions” in online contracts for services that people increasing views as indispensable for a socially engaged life.

In the vast majority of cases these interactions take place between citizens and businesses, often foreign corporations, rather than between citizens and the government. So why might a case be filed against the government? If such as case were to be made in some country, it might again be on the basis that the government is failing in its “duty of care” towards its citizens.

Consider for instance the following analysis (applied to German law) in ‘Consent under pressure and the Right to Informational Self-Determination‘ by J. Stabne (Internet Policy Review, 1(4), 2012 DOI: 10.14763/2012.4.265.):

“[I]f it comes to such a domination of one party over another that one of them can unilaterally set the contractual terms, it is the duty of the State to “save the fundamental rights of the parties involved in order to prevent the inversion of self-determination into external determination“. Followed a bit later by the following suggestion concerning the type of government action that is being called far: “[S]ome sort of consent to data processing must remain the underlying legal principle of data protection in the future. Existing approaches of simplified presentation of information may help to restore the informational basis of consent. Additionally, it can be tried to set minimum standards in certain areas by the complementary effect of precise, compelling law.”

The fundamental “duty of care” in this case might be argued to derive from a wide range of human rights law. As stated in ‘The unbearable lightness of user consent‘ by R. Joergensen(Internet Policy Review, 3(4), 2014. DOI: 10.14763/2014.4.330):

“The right to privacy is a core component of international human rights law stipulated in Article 12 of the Universal Declaration of Human Rights (United Nations, 1948) and in Article 17 of the International Covenant on Civil and Political Rights (United Nations, 1966). It is also part of numerous international and regional human rights treaties and conventions such as the European Convention on Human Rights (Council of Europe, 1950). The right to privacy protects specific private domains such as a person’s body, family, home and correspondence and restricts the collection, use and exchange of personal data3 about the individual, often referred to as informational privacy (Westin, 1967). A common denominator for the different areas of privacy is access control (Rössler, 2007). This includes informational privacy (control over what others know about us); decisional privacy (control over private decisions and actions); and local privacy (control over a physical space). Individuals have a right to privacy not only in the private domain but also when acting in public spaces.

Within the member states of the Council of Europe the right to privacy is protected by Article 8 of the European Convention on Human Rights. The European Court of Human Rights has stated that while Article 8 essentially protects the individual against arbitrary interference by the state, there may be positive obligations inherent to an effective respect for privacy (K.U. v. Finland, 2 December 2008). As regards the internet, a state could arguably be liable in respect of third parties who store data on individuals (Council of Europe, October 2013). Up until now, the court has not resolved any cases dealing specifically with the collection, use and distribution of personal data by social media companies.”

But is there evidence of a lack of action by governments to do their best to “mitigate as quickly and as much as possible” as assaults on these rights of their citizens?

To go beyond the anecdotal evidence of personal experience, the plaintiffs might draw upon the 2012 recommendations from the Council of Europe which “highlights two factors that threaten the right to private life. First, the lack of privacy-friendly default settings. Second, the lack of transparency about the purposes for which personal data is collected. To counter these the Council proposed that “social network sites should provide users with explanations of the terms and conditions of their services in a form that is easily understandable; they should – by default – limit access by third parties to contacts identified by the user; and when allowing third party applications to access users’ personal data, they should allow users to specifically consent to access to different kinds of data.” If the case were made in the UK, the plaintiffs might additionally cite the findings of the House of Commons Science and Technology Committee report on Responsible Use of Data which concluded with the statement that “the Government’s approach to online safety has been piecemeal and conducted tactically to meet immediate needs with little evidence of any horizon scanning. The Government should be considering now how it wants UK citizens to engage with both governmental and commercial online services. It should be seeking to provide a platform for UK citizens to engage those services without unnecessarily risking their personal data and enabling its citizens to make informed choices about what data to share, with whom and for what purpose. Future prosperity will be impacted by how well information flows between government, citizens and business. The Government needs to begin work so that all of its citizens have firm and secure foundations from which to build their online functionality.”

Based on such arguments, whether or not a court would rule against the government on the basis of a failure in its “duty of care” would obviously depend on the extent to which one could show that the government is indeed negligent in attempting to “mitigate as quickly and as much as possible” and not just slow due to the inherent rhythms of the democratic parliamentary process.

Go on, leave us a reply!