The preservation of any data, including their subsequent permanent archiving, always carries the risk that this data may be subject to unauthorised access, may be extracted and misused. This potential misuse takes on various forms and has different consequences. In this chapter I will take a closer look at some specific record categories which also become, either fully or partly, archival records in the final phase of their life cycle, usually stored in public archives. In doing so, I will present several actual cases illustrating how and in what form data misuse may occur.

The key point here is that the potential risks of data misuse apply both to the management of so-called live records, that is, those that are still held by their creators, whether in registries, actively used databases, and so on, as well as to the archival care of those records that have already been transferred to the archive. At the same time, many archives are still not sufficiently aware of the risks that are transferred to them along with the records, especially those that carry sensitive information about people and which are therefore also valuable in terms of monetisation, most often in the form of blackmail by hackers and data thieves.

The risks of misuse as well as the impact of such misuse have increased dramatically with digital data. I will demonstrate this theory in the following text and illustrate it using the examples of medical records and personal data leaks in the US National Archives and Records Administration (NARA). There are already many estimates of the number of leaks and misuses of digital data, including calculations of the costs involved and some other remarkable parameters. A 2020 report by IBM Security seeks to quantify these financial costs.Footnote 1 In their summary report, the authors used data from 524 organisations in 17 countries and based on these they abstracted global average figures. The very ratio of the individual data categories is well worth noting. By far the absolute largest share of 80% of total data leaks concerned data containing customers’ personal data. Figures related to intellectual property come second (32%) with a large margin.Footnote 2 The estimated costs associated with the leak or loss of a single record containing customers’ personal information was $150.Footnote 3 The volume of data leaks as such reaches alarming figures.Footnote 4 The ones that stand out are the AOL data leaks (leak of 92 million client names and email addresses in 2005), TJX (leak of VisaCard and MasterCard payment details of 94 million customers in 2007), Sony PlayStation Network (names, addresses, and apparently credit card data of 77 million customers leaked in 2010), but also Deep Root Analytics, which leaked a database containing data on 198 million voters in the USA, which was then used for Donald Trump’s presidential campaign in 2016. The absolute winner, however, is Yahoo leaking the data on 1 billion user accounts. The quantity and quality of the leaked data would however be exceeded by the so far only partially verified data leak, in which a hacker stole personal and sensitive data from the Shanghai police database on approximately 1 billion Chinese citizens including the name, address, birthplace, national ID number, mobile number, as well as data on the criminal activities and police investigations of these persons, ranging from petty theft and cyber fraud to, for example, reports of domestic violence.Footnote 5

With this perspective, it is all the more important that in their acquisition of records archives also consider the risks involved in the management of the category or group of records concerned and assess whether it is really necessary to archive those records permanently. It is in this context that this study presents one of its main theses: Archives should carry out proportionality testing and measure, on the one hand, the value of a record for permanent archiving and its importance for future use for various purposes, and, on the other hand, the sensitivity of the data contained in the transferred record and the risk of their (future) misuse.

7.1 Medical Records and Data Security

Medical records represent a typical and very illustrative example of a records category that is, first, very vulnerable to misuse and, second, the consequences of any misuse, given that these records contain some of the most sensitive personal data that can be kept, are fatal. This is by no means just about the risk of an unauthorised person finding out about an individual’s medical condition.

Sharona Hoffman and Andy Podgurski have systematised several forms of risk specifically in the area of biomedical data and databases, where medical records are also often found.Footnote 6 According to their systematisation, the first risk lies in the very fact that the data are not necessarily always correct. The second risk is bias, that is, misinterpretation and distortion of results based on both the nature of the information and the biases of the scientists mining the data. The third risk is the deliberate misinterpretation of the data by some individuals, for example from the fields of politics or economics, who can seemingly scientifically yet deliberately formulate wrong research results and conclusions and manipulate public opinion accordingly.

However, from the perspective of data archiving and archives, the greatest risk is unauthorised access to medical records or other records related to the health status of citizens and the misuse of such data. This risk can also take several forms. In 2013, the German weekly, Die Zeit, revealed that German doctors and pharmacists were massively abusing patients’ personal data by reselling it without the patients’ knowledge for market research purposes for the pharmaceutical industry.Footnote 7 Yet, the most common risk in recent years has been hacker attacks consisting in data theft, or blocking access to them followed by blackmail (ransomware), threatening not to return the access or to publish the stolen data. In recent years, data breaches for illegal financial gain have been on the rise. According to some reports, the number is now nearly 90%Footnote 8 and the increase in health data breaches in the decade between 2009 and 2019 in the USA is estimated to be as high as 2733%, with an average of at least 500 records being compromised every day.Footnote 9 Moreover, some figures suggest a trend of increasing financial costs associated with a single healthcare data breach. An IBM Security study identified a 10% increase in costs between the years 2019 and 2020.Footnote 10

Worldwide, hospitals and medical facilities with their medical records and patient data have become one of the main hacker targets in recent years (perhaps even the most attractive target ever). This is confirmed by reports that provide statistical surveys of data breaches and misuse. Verizon Communications, one of the largest telecommunications companies in the world, has listed healthcare as the most common target of hacker attacks in its annual data breach reports in recent years.Footnote 11 In 2019, the company recorded 798 incidents as part of their investigations of data provided by their customers (not nearly the total number of incidents), and of those, 521 were confirmed data leaks.Footnote 12 These attacks most often take the form of ransomware, that is, extortion software.

Although it is virtually impossible to determine the exact number of people worldwide who have been affected by leaks of personal data from medical records, some studies have attempted to at least bring an estimate. Data based on security incident reports primarily coming from the USA and collected by the Privacy Rights Clearinghouse, a non-profit organisation based in the USA are of great interest. The resulting statistics based on these data speak of nearly 250 million people who were affected by data leaks between 2005 and 2019, including 157 million people in the period 2015–2019 alone.Footnote 13 The statistics for the period 2005–2019 conclude that the absolute majority of attacks and leaks are aimed at the healthcare sector, with 61.55%, that is 3912 cases of confirmed data leaks. There is a recent trend that is even more indicative. Over the five-year period 2015–2019 within the same statistical data set, the percentage of healthcare attacks and leaks rose to 76.59% of the total volume of attacks/leaks. According to other surveys, as of February 2017, a total of 26% of Americans were affected by medical data theft.Footnote 14

One specific feature of healthcare data leaks and thefts is that each incident typically represents a leak concerning an extremely high number of people, often in the millions. These data breaches and leaks include, among many other cases, the Excellus BlueCross BlueShield breach of September 2015 (medical data leak of more than 10 million people), the Premera Blue Cross breach of January 2015 (medical data leak of more than 11 million people), and the Anthem Blue Cross case of January 2015, arguably the largest in history to date, when highly sensitive data on nearly 79 million patients were leaked; the data included names, home addresses, dates of birth, and social security numbers.Footnote 15 Of course, the financial, operational, and other impacts on the medical establishments resulting from the attacks on personal data managed by them are enormous and pose a very serious risk.

Naturally, the risks of data breaches are not solely limited to medical establishments. This segment in the text serves only as an illustrative example of why the management of already archived data should in the future also seriously consider the risks of a breach of the data maintained in archives, including all the potential consequences, both in terms of misuse of sensitive personal data resulting in breaches of privacy, personality rights and, ultimately, potential financial and property damage to citizens, as well as the financial risks for archives as the administrators of these data. Data administrators can also be sanctioned for data leaks if it is proven that they have neglected to take sufficient care to keep data, particularly personal data, secure. At the European level, the form of the sanctions is determined by the General Data Protection Regulation (GDPR).Footnote 16 Naturally, there are risks of litigation and civil lawsuits by the affected individuals.

Above, I have considered medical records only in the context of the security risks of digital data leaks. But that is far from the only risk. Medical records are among a group of records and archives that carry highly sensitive information about individuals, and represent a typical case in which data protection continues long after a person has died. This is when the so-called post-mortem personality and privacy protection comes into play; this protection is analysed in detail in Chaps. 2, 3 and 4 of this book. The disclosure of the psychiatric history of the famous actor, Klaus Kinsky, was a prime example. Although the file was made available by the Landesarchiv Berlin a long 58 years after its creation, and 17 years after the actor’s death, the survivors sued for violation to privacy under the German Criminal Code,Footnote 17 and even though the commission of a crime was not established, the violation of post-mortem protection of privacy was recognised and a conciliation agreement between the survivors and the Landesarchiv Berlin was concluded in court.

The question of whether to transfer medical records from healthcare institutions and doctors to archives, even if only in the form of a small illustrative sample, and whether to perform the irreversible process of anonymisation, is very pressing in international comparison and the approach of individual countries to this issue can differ greatly. On the one hand, some countries designate medical records for destruction after the administrative need expires; currently, for example, the Czech Republic as one of the EU member countries, initiated a legislative process at the end of which medical records are to be exempt from the scope of the Archives Act and from the obligations of records management.Footnote 18 Medical records would thus not be subject to the obligation to preserve records and to archival selection, as imposed by the Czech Archives Act. This would lead to the not unlikely scenario that this obligation would in the future be removed from medical records by other legal regulations coordinating the management and preservation of medical records.Footnote 19

On the other hand, there are countries that have recently began including medical records in long-term or permanent archiving programmes, including digital archiving. On the European continent, Norway is the most recent representative of this approach. In 2010, the Norwegian Health Archives project was launched as one part of the National Archives Services of Norway.Footnote 20 Its aim is to permanently archive patients’ medical records in digital form, additionally digitising the hardcopies of such records and making health data available for research and to surviving relatives. The global goal is then to use the data to “understand national health”.Footnote 21

Currently, the European Commission is developing an eHealth project to provide European citizens with secure access to digital health services.Footnote 22 The EU then models the process of transferring electronic health records from their creators to archives on the SIP package of the aforementioned Norwegian Health Archives.Footnote 23

It will be interesting to see how individual countries approach long-term or permanent archiving of medical records in the future. On the one hand, this may be significant for public healthcare also in the perspective of long-time intervals and long-term archiving—and the COVID-19 epidemic will probably reinforce this view. On the other hand, however, hacker attacks on medical records in particular have increased massively in recent years, targeting huge volumes of sensitive personal data. The financial costs associated with securing these data, and often paying ransoms to blackmailers, have been rising proportionately.

7.2 Census

On the one hand, the census has been an extremely important tool for state and public administration for centuries. At the same time, however, such a complex collection of data, including highly sensitive data on virtually all residents of a country compiled in a single data set, carries great risks. This tension is then palpable for all public administrations, including archives. Should census records be permanently archived? And if so, should the records be archived with “full data” or should they undergo anonymisation? Is there any risk of misuse and does history provide examples of such?

In 2009 in France, census archives were opened under general derogation up to and including the 1974 census. That means that the census was opened very young in the context of current practice in international comparison, with a time gap of only 35 years. However, access to these archives was limited to the purpose of consultation solely for the purposes of public statistics and scientific or historical research (echoing thus the same exemptions that appear in the European GDPR in relation to specific regimes for the processing of personal data), and not for the purpose of “data reuse” (“réutilisation des données”), in particular that with commercial motivations.Footnote 24 If this general derogation were not approved, a period of 75 years would apply, that is, as of 2020 the 1936 census would be the “youngest” accessible (in the twentieth century, censuses in France took place in 1901, 1906, 1911, 1921, 1926, 1931, 1936, 1946, 1954, 1962, 1968, 1975, 1982, 1990, 1999).

The purpose limitation was not the only level on which the protection of those in the census was implemented. Another one was the restriction of access on the census of 1946, 1954, 1962, 1968, 1975 (that were subject to the general derogation) to individual consultation only in the archives research rooms, and not remotely via the web. But is this sufficient protection? As shown above, even an individual consultation does not entirely exclude the possibility of using the researcher’s own reproduction devices. Even though the law prohibits the “reuse” of census archives, is that sufficient to prevent the risks of their misuse?

7.2.1 Misuse of Personal Census Data in the USA

Recognition of the risk of misuse of personal data collected in a census goes back deep into history. The USA has been aware of this danger since the very first formalised census in 1790.Footnote 25 Decades later, it turned out that these fears were not in vain. During the American Civil War (1861–1865), census data were used in a de facto intelligence way by a Northern Union general and later by the commander-in-chief of American troops, William T. Sherman.

As the American historian Susan Schulten details, Sherman approached Joseph Kennedy, the superintendent of the census, to see if he could create a map that would not just cover landscape features, but would include a range of data on the population, food sources, and so on based on information collected in the 1860 census.Footnote 26 Since the time to create such a map was very short, Kennedy used what was available and added the requested data on the existing maps of the states of Georgia and Alabama. This resulted in extremely remarkable maps created not long after 1862. They contain data not only on the composition of the population, the number of conscripts (then 18–45 years old), the number of slaves, but also on the cultivated areas, the harvest volumes of grain, hay, rice, corn, tobacco, and cotton, as well as information on the number of horses, pigs, or cattle.

The data Sherman and his troops gathered were subsequently used during his famous 1864 campaign against part of the Confederate States armies, which became known as the “March to the Sea”. It is well known that Sherman followed a “scorched earth” policy; he himself referred to these debilitating tactics, as “hard war”. He destroyed not only the territory and economy of Georgia in particular, but also the morale of the inhabitants as a result. Of course, he also used the data for logistical purposes, such as when his armies had to break away from the standard supply lines and use local resources in order to march through the territory as quickly as possible. Sherman’s well-known tactics would never have been so effective had it not used the comprehensive data collected in the census. Given the dire impact on the lives of the residents of the areas through which Sherman’s troops marched, serious questions can be asked as to whether it was a simple use of census information and data, or a difficult-to-define and unwritten boundary was crossed and the data were misused.

Although to this day there is no consensus among the experts and authorities involved on this matter, it is very likely that data from other US censuses, this time the ones conducted in 1930 and 1940, were misused to some extent during the unconstitutional internment of some Americans of Japanese ancestry on US soil during World War II.Footnote 27 As of this day, it is still unclear whether a spectacular data breach happened even before the Japanese attack on Pearl Harbor and the USA entry into World War II; it is only certain, that as early as 1939, there was pressure especially from the FBI and military intelligence.Footnote 28 However, the director of the United States Census Bureau at that time, William Lane Austin (1871–1949), prevented the security and intelligence services from getting to information about individuals from the census records. After he was forced to retire in 1941, his successor James Clyde Capt (1888–1949) was much more open to handing over census data to the security and military services. Then, a few years ago, American historian Margo Anderson and statistician William Seltzer, long-time researchers in this subject, proved that the United States Census Bureau provided other institutions (intelligence agencies, the FBI, and military authorities) not only with general information about the population density of a significant number of Japanese Americans in the USA, but also with microdata, that is, names and other data on specific identified individuals, at least for those living in the Washington D.C. area.Footnote 29 Needless to say, this entails a fundamental violation of civil rights and the principle of the protection of personal data collected in a census.

7.2.2 Totalitarian Regimes and Personal Data: Misuse of Personal Census Data in Nazi Germany

One of the most massive (based on the available documented data; it can be assumed, without the possibility to verify the assumption from public sources, that totalitarian regimes, including countries with populations of many hundreds of millions of people, routinely misuse census data also for the purposes of mass persecution of individuals and entire ethnic groups) and extreme cases of census data misuse occurred in Nazi Germany. The Nazi regime needed to obtain as much information on its population as possible, a typical feature of any dictatorship. Special attention was of course paid to those of Jewish origin. Religion was a common information provided in censuses. However, it was more of an expression of religious affiliation. This was still true for the census carried out in Germany on 16 June 1933,Footnote 30 soon after the Nazis took power, after it had been postponed several times from the originally planned date of 1930 due to the very poor economic condition of the municipalities, states, and the whole country as a consequence of the outbreak of The Great Depression.Footnote 31

Six years later, however, the optics changed radically. The Nazi census of 17 May 1939—postponed from the one originally planned for 1938 so that it could also include Austria, which had in the meantime been annexed into the German Reich—focused primarily on racial affiliation rather than religious beliefs. The census included a special questionnaire, the so-called Ergänzungskarten (the full title was Ergänzungskarte für Angaben über Abstammung und Vorbildung), supplementary cards on origin and education. On the back of the form, among the compulsory items, was the question whether the grandparents of the respective household member were Jewish (“Volljude”) according to their race affiliation (“der Rasse nach”) or not. These Ergänzungskarten were then to be handed in separately from the remaining census records in a sealed envelope, a measure which was intended to increase the citizens’ trust in the confidentiality with which the data would be treated.

The extent to which the data contained on these Ergänzungskarten were actually used in the process of exterminating the Jews is still widely debated in Germany and Austria.Footnote 32 In her recent research, Jutta Wietog tried to show that the data from the 1939 census and these Ergänzungskarten were very probably not directly used to prepare deportations and create the Jews register, the Judenkartei.Footnote 33 Yet, Götz Aly and Karl Heinz Roth were inclined to the opposite conclusion as early as the 1980s.Footnote 34 On the other hand, however, it has been indisputably proven that the Ergänzungskarten, after their statistical evaluation by the Reich Statistical Office (Statistisches Reichsamt), were handed over first to the statistical offices of the Länder and the police reporting offices, and then in August 1942 to the Reich Kinship Office (Reichssippenamt).Footnote 35 The data they contained were compared with the existing data kept on individual citizens on the so-called Volkskarteien maintained in the basic register at the local police districts.Footnote 36 In conclusion, the data from the 1939 census were used at least in a complementary manner by the Nazi administration for the purpose of exterminating citizens of Jewish origin.Footnote 37

Both the 1933 and 1939 censuses in Nazi Germany violated the most fundamental principles on which statistical surveys need to be based—and this is especially true for the census; it is the respect for the protection of the data collected in the course of the survey, discretion in handling the data, and the complete elimination of any future misuse of these data for non-statistical purposes. As late as 1933, the otherwise very brief Census Act issued after the Nazis had taken power, explicitly prohibited—as was the tradition up to that time—the use of personality data obtained in the census for other than statistical purposes.Footnote 38 At the same time, however, it was stipulated that the material resulting from the census could only be destroyed with the consent of the Reich Statistical Office, as it can be assumed that they already anticipated the use of the data for purposes beyond mere statistics.Footnote 39

Only four years later, in 1937, the Nazis had blatantly deleted the provision declaring the protection of official secrecy from the Census Act, which had until then guaranteed the de jure inviolability of personal data obtained in the census and expressly prohibited their use for other than statistical purposes.Footnote 40 Strictly speaking, the fact that the data obtained from the 1939 census were subsequently used mainly to obtain information on citizens of Jewish origin as part of Nazi policy did not violate the legislation that was in force at the time. In the same breath, however, it needs to be added that German legislation at the time was already fully in service of the machinery of an absolutely monstrous regime that stood against everything human.

Another example worthy of our attention also comes from the time of the Nazi dictatorship, this time from the occupied Netherlands. The fact that population registers or census data represent extremely risky information in certain circumstances was understood by the Dutch resistance soon after the German invasion. The population register data were misused by the Nazi occupying power for various purposes. One of those purposes was the identification of those suitable for forced labour in Germany and another was the better identification of residents of Jewish origin with the aim of carrying out their systematic extermination. In the Netherlands, the Nazi occupying power made it compulsory for every citizen over the age of 15 to carry a personal identification card (“persoonsbewijs”), marked with a capital “J” for those of Jewish origin. One of the tools of Dutch resistance against the Nazi occupation was thus a highly diverse system of expertly faking identification cards.Footnote 41

In addition to forging identity cards, however, the Dutch resistance also sought to destroy some population registers, an effort shared among various resistance groups. Still, these were rather low-impact events, with one exception. On 27 March 1943, Willem Arondeus and his associates attacked the Amsterdam civil registry office located at 36–38 Plantage Kerklaan.Footnote 42 The result of the bombing, however, was not as significant as the resistance had hoped for. The fire did not have such a devastating impact, among other things, due to the fact that the identity cards were kept in catalogue cabinets and the fire did not cause any significant damage. Some of the files were then damaged by water. Nevertheless, the estimations are that the fire managed to destroy tens of thousands of identification cards (the Yad Vashem memorial claims the number of completely burned cards reached a total of 800,000, which is probably a slight overstatement). Soon after the attack, the civil registry office was largely restored, except for the approximately completely destroyed 15% of records stored in the Amsterdam population register.Footnote 43 It might seem so but this is not a marginal figure. Most of those who helped develop the plan of attack were eventually arrested, 12 resistance fighters were executed, others sent to concentration camps.Footnote 44

One might argue that the provided examples taken from both democratic and totalitarian regimes, primarily relate to the management of records before they were stored in archives. However, these examples prove that personal census data can be misused, sometimes many decades later. In this context, the experience of countries that underwent a totalitarian period, often imposed from the outside, leads to legitimate concerns that one cannot rely on the fact that society currently exists within a democratic legal order with a very sophisticated system that guarantees the protection of personal data, such as the European Union. This order may not last forever and it is therefore impossible to accurately predict the form of future personal data management and the risk of its potential future misuse. And as Christian Keitel succinctly puts it: “Every totalitarianism loves personal data”.Footnote 45

It is for this reason that some countries—no wonder that they include countries that experienced a period of totalitarianism in the twentieth century—protect their citizens by anonymising certain census data or completely removing the link to a specific person from them. The Czech Republic is a prime example; the country experienced a period of Nazi oppression followed by long communist rule. Intense debates arose after the 2011 census, when the authorities themselves could not agree on whether to preserve or destroy the census records filled with personal data. The Czech National Archives asked for complete preservation, while the Czech Statistical Office and the Office for Personal Data Protection sought for the materials containing the data of each citizen to be destroyed, or at least completely anonymised, before being transferred to the National Archives. In the end, the records were archived, but only after complete anonymisation that also included the names of the census subjects.

7.2.3 Germany: “Census Ruling” and the Principle of Timely Anonymisation of Personal Data

Germany, a country with rich experience of totalitarian regimes, also struggles with a continuing concern about the possible misuse of personal data collected in the census. Already in the early 1980s, the West German Federal Constitutional Court commented on the question of whether and in what form data obtained in a census could be maintained. It warned of the risks of misuse and explicitly declared in a judgement known as the 1983 “Judgment on the Census” (“Volkszählungsurteil”) that it was necessary to ensure that, during the collection and subsequent storage of data, sufficient rules were in place that allow data redaction and their subsequent “deanonymisation” (in particular names of persons, addresses, numbers of census officers), that is, the possibility to re-assign the data to specific individuals.Footnote 46

Applied to the specific case of the 1987 census in West Germany,Footnote 47 the census questionnaire consisted of two parts: The first part consisted of individual data, the so-called Einzelangaben, data subject to statistical evaluation and not related to a specific individual or household. The second part consisted of auxiliary characteristics, the so-called Hilfsmerkmale containing data on the household or the person completing the questionnaire. These “Hilfsmerkmale” had to be separated from the “Einzelangaben” part and destroyed as soon as possible.

In the abovementioned decision restricting the handling and storage of personal data, the Federal Constitutional Court defined a new fundamental right to informational self-determination, which is derived from the German Constitution and the right to the free development of personality it guarantees. This also foreshadowed the future practice in the implementation of statistical surveys, which had to comply, inter alia, with the principle of timely anonymisation of personal data (“Gebot der frühzeitigen Anonymisierung”), the purpose of which, according to the decision of the Constitutional Court, is not only to protect the right to informational self-determination, but is constitutive for statistics itself.Footnote 48 Subsequent interpretations derived from this judgement point out that data erasure takes precedence over the obligation to offer the records for archiving in public archives.Footnote 49 Over time, the German Federal Court further strengthened the protection of the private sphere and corrected the legislator in this respect. In 2008, it formulated a new fundamental right to guarantee the confidentiality and integrity of information technology systems, which was derived from the general right to protection of personality guaranteed by the German Constitution.Footnote 50

Indeed, even after the 1983 Census ruling, the practice of protecting personal census data had not been established permanently and invariably. Already during the 1987 census in West Germany, critical voices pointed out that, among other things, no fixed periods were determined for the deletion of auxiliary characteristics allowing the identification of individuals, and the law was very vague on the “as soon as possible” destruction.Footnote 51 For the subsequent census, which only occurred in 2011, German law had already explicitly stipulated a maximum period of four years (after the census report had been produced) for which the auxiliary characteristics allowing the reidentification and thus the re-personalisation of data in the census records could be retained by the statistical office. The data had to be destroyed during this period, which was also the case.Footnote 52 Germany also has a separate law imposing the deletion of auxiliary characteristics allowing identification of persons as soon as possible applying to the production of federal statistics.Footnote 53

As for the very question of archiving census records and other statistics,Footnote 54 it was only from the 1990s onwards that the German Federal Archives began to put pressure on the Federal Statistical Office to start transferring statistical material to the archives for archiving.Footnote 55 Not only the federal but also some of the regional statistical offices were initially reluctant to hand over statistical materials to the archives, including those subject to confidentiality rules. The tension between the Federal Statistics Act and the Archives Act was alleviated by the general principle applied in Germany stating that in the event of a conflict between two legislative regulations of equal weight, the younger, that is, later enacted piece takes precedence, which in this case was the Archives Act.Footnote 56 The dispute over the transfer of statistical materials to the Federal Archives was finally resolved by a decree of the Federal Ministry of the Interior in 1994, by which the Ministry confirmed the obligation to offer statistical material to the archives for permanent archiving.Footnote 57 The fact that the archives would not get the auxiliary characteristics allowing the identification of persons included in the statistical survey as these had already been redacted or deleted by the statistical office, naturally remained unchanged. This also applies to censuses, which are thus transferred to the German archives in a form that does not allow the identification of specific persons.Footnote 58 The development of this issue in Germany in the 1990s has been concisely described by Wolf Buchmann and Michael Wettengel.Footnote 59

The sensitive nature of census personal data management persists in Germany to this day. The census originally planned for 2021 and postponed to 2022 due to the COVID-19 pandemic is a matter of lively debate, especially the issue of transferring and storing non-anonymised data collected in the ongoing pilot testing. The 2022 census is a combination of obtaining data from public administration registers, cleaning them, and finally supplementing them with a representative sample of a selected part of the population in the traditional form of basic household interviews. As part of the testing, non-anonymised data from the residence permits of all residents were transferred to the Federal Statistical Office, a step that was challenged before the German Federal Constitutional Court by the Gesellschaft für Freiheitsrechte. However, the Federal Constitutional Court denied the request to reject such a procedure in 2019.Footnote 60

The development of German society’s attitude to the preservation of data from statistical surveys is a crystalline example of how the experience of the horrific consequences of totalitarian regimes significantly increases the sensitivity and need for the protection of human rights even in an advanced democracy.

7.2.4 Time Capsule Versus Archiving: Census Time Capsules in Australia and Ireland

Finally, I will mention the specific approach Australia and Ireland have implemented in handling census data; the use of the time capsule.

In the last two decades Australia has represented in a sense the opposite tendency to what we have witnessed in, for example, Germany or the Czech Republic. Until 2001, Australia destroyed all the identifiable personal data, starting with the very first census conducted in 1911.Footnote 61 However, in 2001, the hundredth anniversary of the Australian Federation, the country made a substantial change and came up with a new and interesting solution abandoning the previous strict policy of unambiguous privacy protection.

In 1998, the Standing Committee on Legal and Constitutional Affairs of the Australian House of Representatives produced a report entitled “Saving our census and preserving our history”. The Advisory Council on Australian Archives, as an advisory body to the Minister responsible for archives, recommended the preservation of census records, including non-anonymised personal data, with the proviso of applying a 100-year closure period. At the same time, the then-chairman of the Council, Rodney Cavalier, argued that for genealogical and historical purposes, it was not necessary to preserve every single census (Australia conducts censuses in a five-year cycle), but that it would be sufficient to preserve the data every 20 or 25 years to capture a “portrait of each generation” and for future historical research.Footnote 62

The final decision gave each citizen the opportunity to choose whether or not they wanted to keep their personal data from the census.Footnote 63 The personal census data shall be thus preserved in the National Archives of Australia only provided that the individual has given their explicit consent. The data will then be stored in a “time capsule”, where they will be sealed for 99 years, during which time no one will see the data stored inside. The capsule will not be opened and access to the data will only be possible after the given period. That means that the 2001 census data will only be available in 2100. Perhaps even more remarkable is the number of the nearly 10 million, or 52.6% of the population who participated in the Australian census, and consented to their personal data being stored in a “time capsule” in the National Archives of Australia.Footnote 64 The same principle was then applied to subsequent censuses conducted in five-year intervals in 2006, 2011, 2016 and will be applied to the 2021 census as well. In 2006, over 56% of the population agreed to maintain their data in a “time capsule”.Footnote 65 The time capsule stores the census records of those who agreed to archive their data in the form of microfilm.

A quick look at Europe shows that Ireland keeps non-anonymised census records, including personal data, by default. Access to them is granted after 100 years.Footnote 66 Censuses in Ireland after its separation from the United Kingdom were conducted in 1926, 1936, 1946, 1951, 1956, 1961, 1966, 1971, 1979, 1981, 1986, 1991, 1996, 2002, and 2006.Footnote 67 The records are preserved in an astonishingly complete condition, unlike the nineteenth century Irish census forms as the censuses of 1881 and 1891 were deliberately destroyed during World War I, presumably due to lack of paper. The 1821, 1831, 1841, and 1851 census records were then, with minor exceptions, destroyed in 1922 in a fire at the Public Record Office at the outbreak of the Irish Civil War.

What is remarkable is how the data are stored. Census records dating back to 1946 and partly to 1951 are maintained in the National Archives of Ireland. Younger census forms remain in the care of the Central Statistical Office. On the one hand, the census records are non-anonymised, but on the other, access to records less than 100 years old is strictly prohibited and this ban also includes the staff of the National Archives of Ireland as well as any official consultation purposes.

The 2021 census, postponed to 2022 due to the COVID-19 pandemic, was the first time the Irish introduced the option of using a time capsule. Any citizen can write a handwritten message for future generations on the back of the census form. This message will be removed from the time capsule and revealed together with the entire census after 100 years.Footnote 68 In addition, the 2021 census contains an additional eight questions concerning renewable energy sources, internet access, smoke alarms, smoking, working from home, volunteering, childcare, and travelling home from work, school, or college.

On one side, Ireland significantly widens the range of information about a person, their existence, everyday life and privacy, and opens up space for self-expression in the form of a personal message which allows an individual to express their own personality. And as the Central Statistics Office rightly pointed out, the opportunity to self-express into a time capsule adds “a fun element, you can see it as a small reward for filling in the form and making your own mark. Whatever you want can go in there.”Footnote 69

On the other side, it is somewhat of a paradox that just before the latest census planned for 2021 and postponed to a year later, a case of archived census personal data misuse has emerged. In 2020, the data from the 1926 census, which were supposed to be absolutely inaccessible until 2027, appeared on social media.Footnote 70 The records are physically maintained in the National Archives of Ireland but remain under the control of the Central Statistics Office.Footnote 71 The case ended with the Central Statistics Office contacting the person responsible for illegally publishing the data who then removed them from social media.

At the very heart of the issue of managing and archiving personal data is the fundamental tension between the need to obtain and store certain data about citizens and the gradually increasing risk of their misuse. It may seem ironic, but one way to address this tension is by public archives deviating from standard procedures of archiving in the public interest. What does this mean?

It is necessary to start by comparing the time capsule with the principles of standard archiving. Both the time capsule and archiving share the intention of long-term and secure information preservation, but there are fundamental differences. Data archiving and the archival sector intend to preserve data permanently and at the same time want to gradually allow access to the public, while applying all standard closure periods and other legal measures regulating access to the data. On the contrary, time capsules are based on maximum to absolute restriction of access to their contents. Motivations for restricted access have varied throughout history. The reasons usually included security measures protecting the creator and depositor of information whose disclosure would put them at risk. It might also have been simple preservation of information for future generations. In a sense, we might see early examples of time capsules in the preservation of documents and other artefacts in church domes or inside statues, as shown by the recent discovery of a secret box containing a document dated 1777 inside a statue of Christ called Cristo del Miserere inside the church of Santa Águeda in Sotillo de la Ribera, Spain,Footnote 72 and so on.

In the twentieth century, the time capsule began to add a second essential feature; it can be used to determine the exact period for which the information is made absolutely inaccessible and, at the same time, it can pinpoint a specific point in time when the time capsule is to be opened and its contents made available. This feature in its embryonic form was also present in the early stages of time capsules, but was tied to a specific act such as—bearing in mind the above examples—the moment of necessary repair or reconstruction. Naturally, in cases like these it was impossible to determine the exact point in time when the capsule would be opened. This began to change significantly in the twentieth century. A typical early example was a time capsule known as the “Detroit Century Box” created on 31 December 1900 and intended to be opened 100 years later, as actually happened at the end of the year 2000. The similarly famous “Crypt of Civilization” built in 1936 at Oglethorpe University intends to preserve records of period life; it is meant to be unsealed in 8113.Footnote 73 However, the inability to determine an exact moment in time when a capsule will be opened is not solely a thing of the past, just think of the examples of capsules located in space probes Pioneer 10, Pioneer 11, Voyager 1, or Voyager 2.

Nevertheless, traditional archiving and preservation of data is more similar to time capsules with a clearly defined period before they can be opened, a period that is “observable”, and it is much less similar to, for example, the KEO satellite, whose departure has been postponed several times, that is intended to carry various information about humanity and civilisation in their current state for future inhabitants of the Earth and that should return to Earth in approximately 50,000 years.

The principle of preserving certain information, usually for a specific, well-defined period of time, and at the same time the principle of absolutely restricting access to it until the expiration of a specified period of time, eventually became the reason that attracted archives and data archivists to the phenomenon of time capsules. At certain moments, however, the two otherwise substantially different phenomena, the time capsule on one side and archiving on the other, meet and are applied simultaneously. That is the case, for example, of the preservation of census records currently used in Australia and Ireland; based on the proposed four categories of the right to be forgotten presented in Chap. 5, under Sect. 5.3, this case would call for the application of the “temporary absolute” right to be forgotten.

This may actually be the way to balance the tension between the need to collect and store personal data on citizens and the increasing risk of misuse of these data.

Almost without exception, public archives and archiving in standard democracies base their access policies on the principle that there is a fundamental difference in access to archives for official and for private purposes. While closure periods are usually introduced for private access to archives, they do not apply by default in the case of official purposes and the records may thus be accessed immediately. The time capsule, on the other hand, works or can work quite differently, which also applies to it being used in archiving. One of the examples analysed above makes this crystal clear; it is the example of the 2011 archival census records held at the National Archives of Australia. The census records of citizens who gave consent to their non-anonymised preservation are kept in the National Archives sealed in a time capsule for 99 years, and unlike other archival records, access to them is restricted for official purposes and it is explicitly prohibited for court needs.Footnote 74 Still, as is the case in other countries, the Australian Bureau of Statistics will destroy all the original records after statistical evaluation and data extraction is performed.Footnote 75 The only preserved microfilm copies of the records of those who volunteered are archived precisely and only in the time capsule. If this is not opened, no personal data from the census should leak to the public.

The time capsule thus represents an instrument which—legally—increases the protection of personal data contained in the records stored inside. This certainly does not mean that it automatically eliminates the risk of misuse in the case that the democratic state and the rule of law get replaced by a totalitarian, lawless, strongly populist regime, and so on. The seal, honoured by a person, society, or a country just and honest, will wilfully and without hesitation be broken by injustice, malice, and oppression.

7.3 The Case of Jewish Files (“Fichiers Juifs”) in France: Archiving of Materials Intended for Destruction and Their Concealed Existence

In November 1991, Nazi hunter Serge Klarsfeld, a French lawyer specialising in cases of persecution of Jews in France during the Holocaust, discovered files known as “fichiers juifs” that were believed to no longer exist as they should not have existed. No search function in the archive that maintained these records recognised their existence; the only information leading to the files was in an internal function.Footnote 76 The case caused quite a stir throughout the French archival and historical community and became one of the important drivers of change in French archives, which eventually led, years later, to a complete revision of the entire French archives legislation when the Code du patrimoine replaced the original 1979 Archives Act in 2004.Footnote 77 Vincent Duclert considers the outbreak of the case to be one of the important starting points marking the period of the so-called archive crisis (“crise des archives”) of French archiving at the time and consisting essentially, according to Duclert, in the absence of a scientific policy of archival institutions and therefore in the inability to respond when archival work was challenged.Footnote 78

These files were among those created at the behest of the German Nazi occupying power on French territory, but similar ones were also created in Vichy France. Serge Klarsfeld came across some records in the fonds of the Ministère des Anciens combattants (Department of Veterans Affairs) that were at first interpreted as purely a register created by the Préfecture de police de la Région parisienne (Paris Police Prefecture).Footnote 79 Subsequently, by means of a thorough analysis, an independent committee of historians presided by René Rémond concluded that these so-called fichier juif files consist of three categories of archival records.Footnote 80 Firstly, it is a second copy of the Drancy camp register containing the names of deported persons, which was kept and hidden by prisoners detained there. Second, there are files from the Beaune-la-Rolande and Pithiviers camps, which were handed over to the Department of Veterans Affairs by the social assistants at these camps. And finally, there are files of individuals and families of diverse character, which may have included, among other things, information from the Prefecture of Police registers created in 1940, a source whose existence was presumed but that has not survived to this day. And this is the heart of the problem.

During the occupation, police prefectures created file registers of Jewish people, which became an important tool for the Holocaust in the country during World War II. Immediately after the end of the war, the then Minister of the Interior, Édouard Depreux, in a circular dated 6 December 1946, ordered the destruction of “all records based on racial distinctions between Frenchmen” (“tous les documents fondés sur des distinctions d’ordre racial entre Français”).Footnote 81 The Jewish files were also subject to this regulation. In the chaotic times just after the end of the war, however, soon afterwards the same Minister Depreux, albeit in a different government, issued yet another circular dated 31 January 1947, reversing his original decision and calling for the preservation of the records as they might help the Jews affected by the Holocaust, the search for missing and displaced persons, the provision of certificates of deportation or imprisonment, the reparations, the needs of the judicial system, and so on. They were to be kept only as long as they could benefit the affected persons of Jewish origin.Footnote 82 Soon afterwards, there was a massive destruction of records and it was generally believed that these files compiled at the time of World War II were completely destroyed as well.Footnote 83

This obligation was also later sealed at the level of legislation by the Information and Freedoms Act in 1978. This Act imposed an obligation not to preserve any data relating to the names of persons that would directly or indirectly reveal, inter alia, racial origin (as well as other data, nowadays generally referred to as sensitive personal data, such as political or philosophical beliefs, religion, or trade union affiliation).Footnote 84

The first echoes of the Jewish files issue had already appeared in the early 1980s. In the spring of 1980, the investigative magazine, Le Canard enchaîné, drew attention to the fact that there was a Jewish register in one of the National Gendarmerie centres in Rosny-sous-Bois.Footnote 85 The National Commission on Informatics and Liberty (Commission nationale de l’informatique et des libertés) conducted a cross-ministerial survey at the time and concluded that there was no trace of any Jewish files anywhere, but it was equally strange that there was no evidence of their proper destruction except in the Marseille area.Footnote 86 The case was subsequently revived by the above Serge Klarsfeld who discovered parts of the files in the records maintained by the Department of Veterans Affairs.

The case of the French Jewish files provoked a great deal of controversy, especially with regard to the issue of public access to archival material; the subsequent legislative developments confirmed that society demands liberalisation of access to archival records and calls for the introduction of equal access in particular. At the time, the Jewish files were an unfortunate example of creating privileged access to records and archives only for certain individuals; they became one of the indicators of restricted access to newer records to the public. This situation was also reflected in Guy Braibant’s comprehensive report to the French Prime Minister on the state of French archiving, in which he touched on, among other things, the excessively long closure periods.Footnote 87

Yet, in view of the question this text wants to answer, the case of the Jewish files is more important regarding the topic of the preservation of data and archival records in particular. It is remarkable on several levels. First, it demonstrates how the experience of massive crimes against humanity—perpetrated not only by the German occupying power but also by the French themselves—has shown society the risks of collecting personal data. This was one of the reasons why the French Minister of the Interior, Depreux, ordered the destruction of records containing information about individuals of Jewish origins soon after the liberation of France. However, the same minister realised soon after his decision that the very same records could in turn help the Jewish victims of the Holocaust. And so he decided to preserve these materials until they could be used to serve the victims.

The whole case then climaxed half a century later when Klarsfeld discovered the remains of the Jewish files and no longer called for their destruction but rather for their permanent archiving. He and the National Commission on Informatics and Liberty suggested the preservation of the original files, meanwhile transferred to the French National Archives, in what was then the Memorial of the Unknown Jewish Martyr (Mémorial du Martyr juif inconnu), now part of the Memorial of the Shoah (Mémorial de la Shoah).Footnote 88

On the contrary, the Rémond Commission pleaded for the preservation of the records in the National Archives.Footnote 89 In the end, an original compromise was agreed upon, that had the direct support of then President Jacques Chirac. The archival records remained in the official custody of the National Archives in order to fulfil the legal requirements for the maintenance of public records in a public archive, and at the same time they were actually stored in a new depot, located next to the crypt that represents the symbolic tomb of the six million murdered Jews who do not have a grave and which is administered by the Shoah Memorial in France.Footnote 90 The Memorial has no control over the Jewish file, which falls exclusively within the purview of the National Archives.

A significant role in exposing the entire context was played by the intention of the Jewish community that wished to be able to manage material that was once used for its persecution (similarly, Indigenous peoples in Canada are now demanding that public and private organisations in Canada hand over records testifying to the cultural genocide of Indigenous peoples in Indian residential schools to the National Centre for Truth and Reconciliation, as I briefly mentioned in Chap. 4) and which, unfortunately, can never be excluded from being used for persecution in the future. Although this intention was only partially fulfilled in the form of a compromise solution and agreement with the French state, it was in a way accepted. What is remarkable and significant is that half a century after the Holocaust, concerns about the misuse of personal data, and in this case especially data on racial origin, have diminished, and the Jewish community is no longer opposed to their preservation. It is possible that were the files of French Jews to survive in their entirety, they would have been preserved as such. This ultimately shows a process I call “disappearing sensitivity”; data sensitivity fades in proportion to their ageing or to the transformation of the character of the sensitivity. This is a process that I will mention again in the following chapter, and that is central to the whole field of post-mortem protection, which is one of the topics of the preceding chapters.

7.4 Personal Data Breaches: National Archives and Records Administration (NARA) Cases

In 2009, the US National Archives and Records Administration (NARA) discovered that an external hard drive containing a copy of data from the Bill Clinton Administration Executive Office had disappeared.Footnote 91 The hard disk was used as a part of routine copying operations of data intended for long-term archiving. It contained files with the personal information of approximately 250,000 individuals, including the names and social security numbers of, first, the employees of the Executive Office of the President of the USA at that time, and second, the individuals who either contacted, for example, as job applicants, or visited the White House complex. One of the daughters of former Vice President Al Gore was reportedly among the individuals concerned.Footnote 92 The impact of either the lost or stolen hard drive was not that the data was irretrievably lost (they were only backups), but that the protection of the said personal data had been breached and, as a consequence, it was possible for those concerned to fall victim to identity theft.

At the time, NARA initiated a mailing list first of 26,000 letters to those individuals whose data might have been leaked, which was then followed by another 150,000 letters.Footnote 93 NARA offered those affected the option to use credit monitoring, identity theft insurance, and fraud resolution assistance free of charge for one year. In addition, NARA posted a $50,000 reward for providing information that would lead to the recovery of the missing hard drive. According to the information I have available, the disk was never found.

There was yet another case that came to the fore in connection with the US NARA. In that same year, 2009, NARA turned over a damaged hard drive containing personal information (in part presumably including sensitive personal information) of approximately 76 million veterans (including millions of social security numbers dating back to 1972) to a contractor for repair without deleting the personal information on the drive. The contractor found the disc beyond repair and handed it over to yet another company for recycling. Some of the well-known media outlets rushed to conclude that this meant one of the biggest leaks of personal data by a government agency in history.Footnote 94 NARA countered these conclusions arguing that the protection was not breached as all the contractors and subcontractors who came into contact with the incriminated hard drive were contractually bound to NARA and committed to the privacy principles regarding the data with which they came into contact.Footnote 95 At the same time, NARA pointed out that there was no evidence that the companies in question had tampered with the disc. There was even a hearing before the Subcommittee on Information Policy, Census, and National Archives of the House of Representatives Committee on Oversight and Government Reform.Footnote 96 The fact that NARA’s credibility specifically on military veterans affairs had not been undermined was finally confirmed by the latest cooperative agreement with the United States Department of Veterans Affairs to digitise certain archival materials from the Veterans Benefits Administration under the jurisdiction of that Department.Footnote 97 The agreement explicitly declares that the digitised materials also contain sensitive personal information, including, but not limited to, social security numbers, especially when linked to dates of birth, birth names, and other identifiers, and that NARA is responsible for not disclosing such materials that are less than 75 years old.

7.5 Totalitarian Abuse of Totalitarianism: The East German State Security Service and Personal Data Misuse in the “Archive of National Socialism” (“NS-Archiv”)

Paradoxically, there may be cases when personal data of the representatives of a totalitarian regime are misused by yet another dictatorship. After the fall of totalitarian regimes, the documentation may be used by the successor democracy to legally seek and achieve justice. A typical example is the post-war Nuremberg Trials of 1945–1946 held against the top Nazi representatives. But history has also seen other cases. For example, a similar group of materials surviving from the period of Nazi Germany began to be systematically misused by the Ministry for State Security (Stasi) in the newly constituted East Germany (DDR). This process was finally formalised in 1967 when the so-called NS-Archiv was established within the Stasi.Footnote 98

The NS-Archiv, which is now quite well mapped, was created in no small part as a reaction to the activities of the Dokumentationsstelle zur zentralen Erfassung allen Materials der NS-Zeit (1933–1945), which had been formed in 1964 as part of the Staatliche Archivverwaltung (State Archive Administration) of the East German Ministry of the Interior. In this way, the Stasi intended to maintain control and power over all files from the Nazi period. However, the origins of the NS-Archiv date back to the turn of 1953–1954, as reconstructed by the current president of the German Federal Archives, Michael Hollmann.Footnote 99 The resulting NS-Archiv was created by artificially combining materials left over from the activities of a number of offices and party apparatuses of the Third Reich. It is basically built on the principle of pertinence and in this sense stands in opposition to the principle of provenance, the fundamental constituent of modern archiving. For the most part, it consists of materials related to specific persons.Footnote 100

The Stasi systematically collected materials maintained in the NS-Archiv in order to “fulfill so-called ‘political-operational’ tasks: to prosecute Nazi and war criminals or to ‘move’ them to cooperate, which was understood to be an offer to rectify the crimes committed”.Footnote 101 The very motivation for the creation of the NS-Archiv collection was the intention to gather information about people and their Nazi burdens and not an attempt to create an archival collection based on the principle of provenance. In its NS-Archiv collection, the Stasi thus accumulated records such as ordinary personal files, court files, medical records, party membership files, and many other categories of records; these were then processed and used to compile and create “personal files” of persons of interest.Footnote 102

As Michael Hollmann points out, a significant amount of the records have little meaning and testimonial value as such and would not be archivable; what is valuable from today’s point of view is the body of material in the NS-Archiv, which, Hollmann believes, could in a way be described as the “Document Center of the East” (“Document Center des Ostens”).

The misuse of personal data itself not only took place in a massive way within the NS-Archiv, the NS-Archiv was directly built on the misuse of personal data. The data collected on citizens was misused by the Stasi for various purposes, in particular by obtaining compromising material by no means limited only to the citizens of the then DDR. One of their main interests was the citizens of the Federal Republic of Germany. The Main Department IX/11 (Hauptabteilung IX/11) established by the Stasi used the NS-Archiv as a tool particularly for collecting and acquiring data on the Nazi past of key figures in the West German economy, military, politics, and other public authorities.Footnote 103 In some cases, sensitive data were also used for massive political campaigns against Western democracies and their representatives, such as Kurt Georg Kiesinger, Hans Globke, Heinrich Lübke, Theodor Oberländer, and others.

The sheer volume of the NS-Archiv was extraordinary. Towards the end of its operation, it maintained approximately 1 million units.Footnote 104 The amount was estimated between 7–10 linear kilometres.Footnote 105 The NS-Archiv was also, with certain exceptions, the only one of the Stasi archives not to remain under the authority of the Federal Commissioner for the Records of the Stasi (Der Bundesbeauftragte für die Unterlagen des Staatssicherheitsdienstes der ehemaligen Deutschen Demokratischen Republik), but was transferred to the German Federal Archives.

Although it was a special archive artificially created for the purposes of the intelligence service and secret police of the East German dictatorship and not a standard public archive, with the perspective from which we view the minimisation, preservation, and protection of data in archives, the difference does not matter in the end; the data created and preserved during the period of one totalitarianism were used and misused by the next. Although in many cases the intention was to punish the crimes of the Nazi period, this motivation evolved into the determination to use the materials as compromising data on people and their behaviour during the Nazi Third Reich and to exploit them for the purposes of the new East German communist dictatorship. A dictatorship that did not respect the fundamental rights of democratic regimes, including the right to a fair trial or the principle of “ne bis in idem”, which we know as one of the pillars of democratic criminal proceedings. To conclude, the NS-Archiv demonstrates very well how dangerous it is to combine the two elements: 1. the violation of the fundamental principles of the democratic rule of law in totalitarian non-democratic regimes, and 2. the existence and preservation of sensitive data about citizens that are potentially damaging and compromising. Along with this, it is necessary to take very seriously the constant and ever-present risk that at some point in the future a democratic regime may fundamentally change towards a non-democratic one, and the permanence of the rule of law cannot thus be relied upon absolutely. In geopolitical terms, the risks increase especially in countries that do not have a tradition of long-lasting and continuous democracy, or that are threatened by the proximity of non-democratic states with great power ambitions. This is true for the vast majority of existing countries, including many European states.