Abstract
The preservation of any data, including their subsequent permanent archiving, always carries the risk that this data may be subject to unauthorised access, may be extracted and misused. This potential misuse takes on various forms and has different consequences. In this chapter the author takes a closer look at some specific record categories which also become, either fully or partly, archival records in the final phase of their life cycle, usually stored in public archives. The chapter analyses in detail some strikingly specific examples of the misuse of personal data from records that took place in the twentieth century. The material will comprise in particular census records, medical records, Jewish files from the period of the Nazi dictatorship, East German State Security Service materials, and some other groups of records. The chapter pays particular attention to the significantly increased risk of misuse in the case of digital data and digital records and archives.
In this respect, the chapter will open a new perspective for archiving in the public interest, which can be briefly characterised as follows: While traditional archiving still motivates the need to reduce records before accepting a very small percentage of them for permanent archiving mainly by the sole need to reduce the volume of archivable material, the process of archival appraisal for records reduction should pay equal attention to the protection of (not only) personality rights and privacy of individuals.
You have full access to this open access chapter, Download chapter PDF
The preservation of any data, including their subsequent permanent archiving, always carries the risk that this data may be subject to unauthorised access, may be extracted and misused. This potential misuse takes on various forms and has different consequences. In this chapter I will take a closer look at some specific record categories which also become, either fully or partly, archival records in the final phase of their life cycle, usually stored in public archives. In doing so, I will present several actual cases illustrating how and in what form data misuse may occur.
The key point here is that the potential risks of data misuse apply both to the management of so-called live records, that is, those that are still held by their creators, whether in registries, actively used databases, and so on, as well as to the archival care of those records that have already been transferred to the archive. At the same time, many archives are still not sufficiently aware of the risks that are transferred to them along with the records, especially those that carry sensitive information about people and which are therefore also valuable in terms of monetisation, most often in the form of blackmail by hackers and data thieves.
The risks of misuse as well as the impact of such misuse have increased dramatically with digital data. I will demonstrate this theory in the following text and illustrate it using the examples of medical records and personal data leaks in the US National Archives and Records Administration (NARA). There are already many estimates of the number of leaks and misuses of digital data, including calculations of the costs involved and some other remarkable parameters. A 2020 report by IBM Security seeks to quantify these financial costs.Footnote 1 In their summary report, the authors used data from 524 organisations in 17 countries and based on these they abstracted global average figures. The very ratio of the individual data categories is well worth noting. By far the absolute largest share of 80% of total data leaks concerned data containing customers’ personal data. Figures related to intellectual property come second (32%) with a large margin.Footnote 2 The estimated costs associated with the leak or loss of a single record containing customers’ personal information was $150.Footnote 3 The volume of data leaks as such reaches alarming figures.Footnote 4 The ones that stand out are the AOL data leaks (leak of 92 million client names and email addresses in 2005), TJX (leak of VisaCard and MasterCard payment details of 94 million customers in 2007), Sony PlayStation Network (names, addresses, and apparently credit card data of 77 million customers leaked in 2010), but also Deep Root Analytics, which leaked a database containing data on 198 million voters in the USA, which was then used for Donald Trump’s presidential campaign in 2016. The absolute winner, however, is Yahoo leaking the data on 1 billion user accounts. The quantity and quality of the leaked data would however be exceeded by the so far only partially verified data leak, in which a hacker stole personal and sensitive data from the Shanghai police database on approximately 1 billion Chinese citizens including the name, address, birthplace, national ID number, mobile number, as well as data on the criminal activities and police investigations of these persons, ranging from petty theft and cyber fraud to, for example, reports of domestic violence.Footnote 5
With this perspective, it is all the more important that in their acquisition of records archives also consider the risks involved in the management of the category or group of records concerned and assess whether it is really necessary to archive those records permanently. It is in this context that this study presents one of its main theses: Archives should carry out proportionality testing and measure, on the one hand, the value of a record for permanent archiving and its importance for future use for various purposes, and, on the other hand, the sensitivity of the data contained in the transferred record and the risk of their (future) misuse.
7.1 Medical Records and Data Security
Medical records represent a typical and very illustrative example of a records category that is, first, very vulnerable to misuse and, second, the consequences of any misuse, given that these records contain some of the most sensitive personal data that can be kept, are fatal. This is by no means just about the risk of an unauthorised person finding out about an individual’s medical condition.
Sharona Hoffman and Andy Podgurski have systematised several forms of risk specifically in the area of biomedical data and databases, where medical records are also often found.Footnote 6 According to their systematisation, the first risk lies in the very fact that the data are not necessarily always correct. The second risk is bias, that is, misinterpretation and distortion of results based on both the nature of the information and the biases of the scientists mining the data. The third risk is the deliberate misinterpretation of the data by some individuals, for example from the fields of politics or economics, who can seemingly scientifically yet deliberately formulate wrong research results and conclusions and manipulate public opinion accordingly.
However, from the perspective of data archiving and archives, the greatest risk is unauthorised access to medical records or other records related to the health status of citizens and the misuse of such data. This risk can also take several forms. In 2013, the German weekly, Die Zeit, revealed that German doctors and pharmacists were massively abusing patients’ personal data by reselling it without the patients’ knowledge for market research purposes for the pharmaceutical industry.Footnote 7 Yet, the most common risk in recent years has been hacker attacks consisting in data theft, or blocking access to them followed by blackmail (ransomware), threatening not to return the access or to publish the stolen data. In recent years, data breaches for illegal financial gain have been on the rise. According to some reports, the number is now nearly 90%Footnote 8 and the increase in health data breaches in the decade between 2009 and 2019 in the USA is estimated to be as high as 2733%, with an average of at least 500 records being compromised every day.Footnote 9 Moreover, some figures suggest a trend of increasing financial costs associated with a single healthcare data breach. An IBM Security study identified a 10% increase in costs between the years 2019 and 2020.Footnote 10
Worldwide, hospitals and medical facilities with their medical records and patient data have become one of the main hacker targets in recent years (perhaps even the most attractive target ever). This is confirmed by reports that provide statistical surveys of data breaches and misuse. Verizon Communications, one of the largest telecommunications companies in the world, has listed healthcare as the most common target of hacker attacks in its annual data breach reports in recent years.Footnote 11 In 2019, the company recorded 798 incidents as part of their investigations of data provided by their customers (not nearly the total number of incidents), and of those, 521 were confirmed data leaks.Footnote 12 These attacks most often take the form of ransomware, that is, extortion software.
Although it is virtually impossible to determine the exact number of people worldwide who have been affected by leaks of personal data from medical records, some studies have attempted to at least bring an estimate. Data based on security incident reports primarily coming from the USA and collected by the Privacy Rights Clearinghouse, a non-profit organisation based in the USA are of great interest. The resulting statistics based on these data speak of nearly 250 million people who were affected by data leaks between 2005 and 2019, including 157 million people in the period 2015–2019 alone.Footnote 13 The statistics for the period 2005–2019 conclude that the absolute majority of attacks and leaks are aimed at the healthcare sector, with 61.55%, that is 3912 cases of confirmed data leaks. There is a recent trend that is even more indicative. Over the five-year period 2015–2019 within the same statistical data set, the percentage of healthcare attacks and leaks rose to 76.59% of the total volume of attacks/leaks. According to other surveys, as of February 2017, a total of 26% of Americans were affected by medical data theft.Footnote 14
One specific feature of healthcare data leaks and thefts is that each incident typically represents a leak concerning an extremely high number of people, often in the millions. These data breaches and leaks include, among many other cases, the Excellus BlueCross BlueShield breach of September 2015 (medical data leak of more than 10 million people), the Premera Blue Cross breach of January 2015 (medical data leak of more than 11 million people), and the Anthem Blue Cross case of January 2015, arguably the largest in history to date, when highly sensitive data on nearly 79 million patients were leaked; the data included names, home addresses, dates of birth, and social security numbers.Footnote 15 Of course, the financial, operational, and other impacts on the medical establishments resulting from the attacks on personal data managed by them are enormous and pose a very serious risk.
Naturally, the risks of data breaches are not solely limited to medical establishments. This segment in the text serves only as an illustrative example of why the management of already archived data should in the future also seriously consider the risks of a breach of the data maintained in archives, including all the potential consequences, both in terms of misuse of sensitive personal data resulting in breaches of privacy, personality rights and, ultimately, potential financial and property damage to citizens, as well as the financial risks for archives as the administrators of these data. Data administrators can also be sanctioned for data leaks if it is proven that they have neglected to take sufficient care to keep data, particularly personal data, secure. At the European level, the form of the sanctions is determined by the General Data Protection Regulation (GDPR).Footnote 16 Naturally, there are risks of litigation and civil lawsuits by the affected individuals.
Above, I have considered medical records only in the context of the security risks of digital data leaks. But that is far from the only risk. Medical records are among a group of records and archives that carry highly sensitive information about individuals, and represent a typical case in which data protection continues long after a person has died. This is when the so-called post-mortem personality and privacy protection comes into play; this protection is analysed in detail in Chaps. 2, 3 and 4 of this book. The disclosure of the psychiatric history of the famous actor, Klaus Kinsky, was a prime example. Although the file was made available by the Landesarchiv Berlin a long 58 years after its creation, and 17 years after the actor’s death, the survivors sued for violation to privacy under the German Criminal Code,Footnote 17 and even though the commission of a crime was not established, the violation of post-mortem protection of privacy was recognised and a conciliation agreement between the survivors and the Landesarchiv Berlin was concluded in court.
The question of whether to transfer medical records from healthcare institutions and doctors to archives, even if only in the form of a small illustrative sample, and whether to perform the irreversible process of anonymisation, is very pressing in international comparison and the approach of individual countries to this issue can differ greatly. On the one hand, some countries designate medical records for destruction after the administrative need expires; currently, for example, the Czech Republic as one of the EU member countries, initiated a legislative process at the end of which medical records are to be exempt from the scope of the Archives Act and from the obligations of records management.Footnote 18 Medical records would thus not be subject to the obligation to preserve records and to archival selection, as imposed by the Czech Archives Act. This would lead to the not unlikely scenario that this obligation would in the future be removed from medical records by other legal regulations coordinating the management and preservation of medical records.Footnote 19
On the other hand, there are countries that have recently began including medical records in long-term or permanent archiving programmes, including digital archiving. On the European continent, Norway is the most recent representative of this approach. In 2010, the Norwegian Health Archives project was launched as one part of the National Archives Services of Norway.Footnote 20 Its aim is to permanently archive patients’ medical records in digital form, additionally digitising the hardcopies of such records and making health data available for research and to surviving relatives. The global goal is then to use the data to “understand national health”.Footnote 21
Currently, the European Commission is developing an eHealth project to provide European citizens with secure access to digital health services.Footnote 22 The EU then models the process of transferring electronic health records from their creators to archives on the SIP package of the aforementioned Norwegian Health Archives.Footnote 23
It will be interesting to see how individual countries approach long-term or permanent archiving of medical records in the future. On the one hand, this may be significant for public healthcare also in the perspective of long-time intervals and long-term archiving—and the COVID-19 epidemic will probably reinforce this view. On the other hand, however, hacker attacks on medical records in particular have increased massively in recent years, targeting huge volumes of sensitive personal data. The financial costs associated with securing these data, and often paying ransoms to blackmailers, have been rising proportionately.
7.2 Census
On the one hand, the census has been an extremely important tool for state and public administration for centuries. At the same time, however, such a complex collection of data, including highly sensitive data on virtually all residents of a country compiled in a single data set, carries great risks. This tension is then palpable for all public administrations, including archives. Should census records be permanently archived? And if so, should the records be archived with “full data” or should they undergo anonymisation? Is there any risk of misuse and does history provide examples of such?
In 2009 in France, census archives were opened under general derogation up to and including the 1974 census. That means that the census was opened very young in the context of current practice in international comparison, with a time gap of only 35 years. However, access to these archives was limited to the purpose of consultation solely for the purposes of public statistics and scientific or historical research (echoing thus the same exemptions that appear in the European GDPR in relation to specific regimes for the processing of personal data), and not for the purpose of “data reuse” (“réutilisation des données”), in particular that with commercial motivations.Footnote 24 If this general derogation were not approved, a period of 75 years would apply, that is, as of 2020 the 1936 census would be the “youngest” accessible (in the twentieth century, censuses in France took place in 1901, 1906, 1911, 1921, 1926, 1931, 1936, 1946, 1954, 1962, 1968, 1975, 1982, 1990, 1999).
The purpose limitation was not the only level on which the protection of those in the census was implemented. Another one was the restriction of access on the census of 1946, 1954, 1962, 1968, 1975 (that were subject to the general derogation) to individual consultation only in the archives research rooms, and not remotely via the web. But is this sufficient protection? As shown above, even an individual consultation does not entirely exclude the possibility of using the researcher’s own reproduction devices. Even though the law prohibits the “reuse” of census archives, is that sufficient to prevent the risks of their misuse?
7.2.1 Misuse of Personal Census Data in the USA
Recognition of the risk of misuse of personal data collected in a census goes back deep into history. The USA has been aware of this danger since the very first formalised census in 1790.Footnote 25 Decades later, it turned out that these fears were not in vain. During the American Civil War (1861–1865), census data were used in a de facto intelligence way by a Northern Union general and later by the commander-in-chief of American troops, William T. Sherman.
As the American historian Susan Schulten details, Sherman approached Joseph Kennedy, the superintendent of the census, to see if he could create a map that would not just cover landscape features, but would include a range of data on the population, food sources, and so on based on information collected in the 1860 census.Footnote 26 Since the time to create such a map was very short, Kennedy used what was available and added the requested data on the existing maps of the states of Georgia and Alabama. This resulted in extremely remarkable maps created not long after 1862. They contain data not only on the composition of the population, the number of conscripts (then 18–45 years old), the number of slaves, but also on the cultivated areas, the harvest volumes of grain, hay, rice, corn, tobacco, and cotton, as well as information on the number of horses, pigs, or cattle.
The data Sherman and his troops gathered were subsequently used during his famous 1864 campaign against part of the Confederate States armies, which became known as the “March to the Sea”. It is well known that Sherman followed a “scorched earth” policy; he himself referred to these debilitating tactics, as “hard war”. He destroyed not only the territory and economy of Georgia in particular, but also the morale of the inhabitants as a result. Of course, he also used the data for logistical purposes, such as when his armies had to break away from the standard supply lines and use local resources in order to march through the territory as quickly as possible. Sherman’s well-known tactics would never have been so effective had it not used the comprehensive data collected in the census. Given the dire impact on the lives of the residents of the areas through which Sherman’s troops marched, serious questions can be asked as to whether it was a simple use of census information and data, or a difficult-to-define and unwritten boundary was crossed and the data were misused.
Although to this day there is no consensus among the experts and authorities involved on this matter, it is very likely that data from other US censuses, this time the ones conducted in 1930 and 1940, were misused to some extent during the unconstitutional internment of some Americans of Japanese ancestry on US soil during World War II.Footnote 27 As of this day, it is still unclear whether a spectacular data breach happened even before the Japanese attack on Pearl Harbor and the USA entry into World War II; it is only certain, that as early as 1939, there was pressure especially from the FBI and military intelligence.Footnote 28 However, the director of the United States Census Bureau at that time, William Lane Austin (1871–1949), prevented the security and intelligence services from getting to information about individuals from the census records. After he was forced to retire in 1941, his successor James Clyde Capt (1888–1949) was much more open to handing over census data to the security and military services. Then, a few years ago, American historian Margo Anderson and statistician William Seltzer, long-time researchers in this subject, proved that the United States Census Bureau provided other institutions (intelligence agencies, the FBI, and military authorities) not only with general information about the population density of a significant number of Japanese Americans in the USA, but also with microdata, that is, names and other data on specific identified individuals, at least for those living in the Washington D.C. area.Footnote 29 Needless to say, this entails a fundamental violation of civil rights and the principle of the protection of personal data collected in a census.
7.2.2 Totalitarian Regimes and Personal Data: Misuse of Personal Census Data in Nazi Germany
One of the most massive (based on the available documented data; it can be assumed, without the possibility to verify the assumption from public sources, that totalitarian regimes, including countries with populations of many hundreds of millions of people, routinely misuse census data also for the purposes of mass persecution of individuals and entire ethnic groups) and extreme cases of census data misuse occurred in Nazi Germany. The Nazi regime needed to obtain as much information on its population as possible, a typical feature of any dictatorship. Special attention was of course paid to those of Jewish origin. Religion was a common information provided in censuses. However, it was more of an expression of religious affiliation. This was still true for the census carried out in Germany on 16 June 1933,Footnote 30 soon after the Nazis took power, after it had been postponed several times from the originally planned date of 1930 due to the very poor economic condition of the municipalities, states, and the whole country as a consequence of the outbreak of The Great Depression.Footnote 31
Six years later, however, the optics changed radically. The Nazi census of 17 May 1939—postponed from the one originally planned for 1938 so that it could also include Austria, which had in the meantime been annexed into the German Reich—focused primarily on racial affiliation rather than religious beliefs. The census included a special questionnaire, the so-called Ergänzungskarten (the full title was Ergänzungskarte für Angaben über Abstammung und Vorbildung), supplementary cards on origin and education. On the back of the form, among the compulsory items, was the question whether the grandparents of the respective household member were Jewish (“Volljude”) according to their race affiliation (“der Rasse nach”) or not. These Ergänzungskarten were then to be handed in separately from the remaining census records in a sealed envelope, a measure which was intended to increase the citizens’ trust in the confidentiality with which the data would be treated.
The extent to which the data contained on these Ergänzungskarten were actually used in the process of exterminating the Jews is still widely debated in Germany and Austria.Footnote 32 In her recent research, Jutta Wietog tried to show that the data from the 1939 census and these Ergänzungskarten were very probably not directly used to prepare deportations and create the Jews register, the Judenkartei.Footnote 33 Yet, Götz Aly and Karl Heinz Roth were inclined to the opposite conclusion as early as the 1980s.Footnote 34 On the other hand, however, it has been indisputably proven that the Ergänzungskarten, after their statistical evaluation by the Reich Statistical Office (Statistisches Reichsamt), were handed over first to the statistical offices of the Länder and the police reporting offices, and then in August 1942 to the Reich Kinship Office (Reichssippenamt).Footnote 35 The data they contained were compared with the existing data kept on individual citizens on the so-called Volkskarteien maintained in the basic register at the local police districts.Footnote 36 In conclusion, the data from the 1939 census were used at least in a complementary manner by the Nazi administration for the purpose of exterminating citizens of Jewish origin.Footnote 37
Both the 1933 and 1939 censuses in Nazi Germany violated the most fundamental principles on which statistical surveys need to be based—and this is especially true for the census; it is the respect for the protection of the data collected in the course of the survey, discretion in handling the data, and the complete elimination of any future misuse of these data for non-statistical purposes. As late as 1933, the otherwise very brief Census Act issued after the Nazis had taken power, explicitly prohibited—as was the tradition up to that time—the use of personality data obtained in the census for other than statistical purposes.Footnote 38 At the same time, however, it was stipulated that the material resulting from the census could only be destroyed with the consent of the Reich Statistical Office, as it can be assumed that they already anticipated the use of the data for purposes beyond mere statistics.Footnote 39
Only four years later, in 1937, the Nazis had blatantly deleted the provision declaring the protection of official secrecy from the Census Act, which had until then guaranteed the de jure inviolability of personal data obtained in the census and expressly prohibited their use for other than statistical purposes.Footnote 40 Strictly speaking, the fact that the data obtained from the 1939 census were subsequently used mainly to obtain information on citizens of Jewish origin as part of Nazi policy did not violate the legislation that was in force at the time. In the same breath, however, it needs to be added that German legislation at the time was already fully in service of the machinery of an absolutely monstrous regime that stood against everything human.
Another example worthy of our attention also comes from the time of the Nazi dictatorship, this time from the occupied Netherlands. The fact that population registers or census data represent extremely risky information in certain circumstances was understood by the Dutch resistance soon after the German invasion. The population register data were misused by the Nazi occupying power for various purposes. One of those purposes was the identification of those suitable for forced labour in Germany and another was the better identification of residents of Jewish origin with the aim of carrying out their systematic extermination. In the Netherlands, the Nazi occupying power made it compulsory for every citizen over the age of 15 to carry a personal identification card (“persoonsbewijs”), marked with a capital “J” for those of Jewish origin. One of the tools of Dutch resistance against the Nazi occupation was thus a highly diverse system of expertly faking identification cards.Footnote 41
In addition to forging identity cards, however, the Dutch resistance also sought to destroy some population registers, an effort shared among various resistance groups. Still, these were rather low-impact events, with one exception. On 27 March 1943, Willem Arondeus and his associates attacked the Amsterdam civil registry office located at 36–38 Plantage Kerklaan.Footnote 42 The result of the bombing, however, was not as significant as the resistance had hoped for. The fire did not have such a devastating impact, among other things, due to the fact that the identity cards were kept in catalogue cabinets and the fire did not cause any significant damage. Some of the files were then damaged by water. Nevertheless, the estimations are that the fire managed to destroy tens of thousands of identification cards (the Yad Vashem memorial claims the number of completely burned cards reached a total of 800,000, which is probably a slight overstatement). Soon after the attack, the civil registry office was largely restored, except for the approximately completely destroyed 15% of records stored in the Amsterdam population register.Footnote 43 It might seem so but this is not a marginal figure. Most of those who helped develop the plan of attack were eventually arrested, 12 resistance fighters were executed, others sent to concentration camps.Footnote 44
One might argue that the provided examples taken from both democratic and totalitarian regimes, primarily relate to the management of records before they were stored in archives. However, these examples prove that personal census data can be misused, sometimes many decades later. In this context, the experience of countries that underwent a totalitarian period, often imposed from the outside, leads to legitimate concerns that one cannot rely on the fact that society currently exists within a democratic legal order with a very sophisticated system that guarantees the protection of personal data, such as the European Union. This order may not last forever and it is therefore impossible to accurately predict the form of future personal data management and the risk of its potential future misuse. And as Christian Keitel succinctly puts it: “Every totalitarianism loves personal data”.Footnote 45
It is for this reason that some countries—no wonder that they include countries that experienced a period of totalitarianism in the twentieth century—protect their citizens by anonymising certain census data or completely removing the link to a specific person from them. The Czech Republic is a prime example; the country experienced a period of Nazi oppression followed by long communist rule. Intense debates arose after the 2011 census, when the authorities themselves could not agree on whether to preserve or destroy the census records filled with personal data. The Czech National Archives asked for complete preservation, while the Czech Statistical Office and the Office for Personal Data Protection sought for the materials containing the data of each citizen to be destroyed, or at least completely anonymised, before being transferred to the National Archives. In the end, the records were archived, but only after complete anonymisation that also included the names of the census subjects.
7.2.3 Germany: “Census Ruling” and the Principle of Timely Anonymisation of Personal Data
Germany, a country with rich experience of totalitarian regimes, also struggles with a continuing concern about the possible misuse of personal data collected in the census. Already in the early 1980s, the West German Federal Constitutional Court commented on the question of whether and in what form data obtained in a census could be maintained. It warned of the risks of misuse and explicitly declared in a judgement known as the 1983 “Judgment on the Census” (“Volkszählungsurteil”) that it was necessary to ensure that, during the collection and subsequent storage of data, sufficient rules were in place that allow data redaction and their subsequent “deanonymisation” (in particular names of persons, addresses, numbers of census officers), that is, the possibility to re-assign the data to specific individuals.Footnote 46
Applied to the specific case of the 1987 census in West Germany,Footnote 47 the census questionnaire consisted of two parts: The first part consisted of individual data, the so-called Einzelangaben, data subject to statistical evaluation and not related to a specific individual or household. The second part consisted of auxiliary characteristics, the so-called Hilfsmerkmale containing data on the household or the person completing the questionnaire. These “Hilfsmerkmale” had to be separated from the “Einzelangaben” part and destroyed as soon as possible.
In the abovementioned decision restricting the handling and storage of personal data, the Federal Constitutional Court defined a new fundamental right to informational self-determination, which is derived from the German Constitution and the right to the free development of personality it guarantees. This also foreshadowed the future practice in the implementation of statistical surveys, which had to comply, inter alia, with the principle of timely anonymisation of personal data (“Gebot der frühzeitigen Anonymisierung”), the purpose of which, according to the decision of the Constitutional Court, is not only to protect the right to informational self-determination, but is constitutive for statistics itself.Footnote 48 Subsequent interpretations derived from this judgement point out that data erasure takes precedence over the obligation to offer the records for archiving in public archives.Footnote 49 Over time, the German Federal Court further strengthened the protection of the private sphere and corrected the legislator in this respect. In 2008, it formulated a new fundamental right to guarantee the confidentiality and integrity of information technology systems, which was derived from the general right to protection of personality guaranteed by the German Constitution.Footnote 50
Indeed, even after the 1983 Census ruling, the practice of protecting personal census data had not been established permanently and invariably. Already during the 1987 census in West Germany, critical voices pointed out that, among other things, no fixed periods were determined for the deletion of auxiliary characteristics allowing the identification of individuals, and the law was very vague on the “as soon as possible” destruction.Footnote 51 For the subsequent census, which only occurred in 2011, German law had already explicitly stipulated a maximum period of four years (after the census report had been produced) for which the auxiliary characteristics allowing the reidentification and thus the re-personalisation of data in the census records could be retained by the statistical office. The data had to be destroyed during this period, which was also the case.Footnote 52 Germany also has a separate law imposing the deletion of auxiliary characteristics allowing identification of persons as soon as possible applying to the production of federal statistics.Footnote 53
As for the very question of archiving census records and other statistics,Footnote 54 it was only from the 1990s onwards that the German Federal Archives began to put pressure on the Federal Statistical Office to start transferring statistical material to the archives for archiving.Footnote 55 Not only the federal but also some of the regional statistical offices were initially reluctant to hand over statistical materials to the archives, including those subject to confidentiality rules. The tension between the Federal Statistics Act and the Archives Act was alleviated by the general principle applied in Germany stating that in the event of a conflict between two legislative regulations of equal weight, the younger, that is, later enacted piece takes precedence, which in this case was the Archives Act.Footnote 56 The dispute over the transfer of statistical materials to the Federal Archives was finally resolved by a decree of the Federal Ministry of the Interior in 1994, by which the Ministry confirmed the obligation to offer statistical material to the archives for permanent archiving.Footnote 57 The fact that the archives would not get the auxiliary characteristics allowing the identification of persons included in the statistical survey as these had already been redacted or deleted by the statistical office, naturally remained unchanged. This also applies to censuses, which are thus transferred to the German archives in a form that does not allow the identification of specific persons.Footnote 58 The development of this issue in Germany in the 1990s has been concisely described by Wolf Buchmann and Michael Wettengel.Footnote 59
The sensitive nature of census personal data management persists in Germany to this day. The census originally planned for 2021 and postponed to 2022 due to the COVID-19 pandemic is a matter of lively debate, especially the issue of transferring and storing non-anonymised data collected in the ongoing pilot testing. The 2022 census is a combination of obtaining data from public administration registers, cleaning them, and finally supplementing them with a representative sample of a selected part of the population in the traditional form of basic household interviews. As part of the testing, non-anonymised data from the residence permits of all residents were transferred to the Federal Statistical Office, a step that was challenged before the German Federal Constitutional Court by the Gesellschaft für Freiheitsrechte. However, the Federal Constitutional Court denied the request to reject such a procedure in 2019.Footnote 60
The development of German society’s attitude to the preservation of data from statistical surveys is a crystalline example of how the experience of the horrific consequences of totalitarian regimes significantly increases the sensitivity and need for the protection of human rights even in an advanced democracy.
7.2.4 Time Capsule Versus Archiving: Census Time Capsules in Australia and Ireland
Finally, I will mention the specific approach Australia and Ireland have implemented in handling census data; the use of the time capsule.
In the last two decades Australia has represented in a sense the opposite tendency to what we have witnessed in, for example, Germany or the Czech Republic. Until 2001, Australia destroyed all the identifiable personal data, starting with the very first census conducted in 1911.Footnote 61 However, in 2001, the hundredth anniversary of the Australian Federation, the country made a substantial change and came up with a new and interesting solution abandoning the previous strict policy of unambiguous privacy protection.
In 1998, the Standing Committee on Legal and Constitutional Affairs of the Australian House of Representatives produced a report entitled “Saving our census and preserving our history”. The Advisory Council on Australian Archives, as an advisory body to the Minister responsible for archives, recommended the preservation of census records, including non-anonymised personal data, with the proviso of applying a 100-year closure period. At the same time, the then-chairman of the Council, Rodney Cavalier, argued that for genealogical and historical purposes, it was not necessary to preserve every single census (Australia conducts censuses in a five-year cycle), but that it would be sufficient to preserve the data every 20 or 25 years to capture a “portrait of each generation” and for future historical research.Footnote 62
The final decision gave each citizen the opportunity to choose whether or not they wanted to keep their personal data from the census.Footnote 63 The personal census data shall be thus preserved in the National Archives of Australia only provided that the individual has given their explicit consent. The data will then be stored in a “time capsule”, where they will be sealed for 99 years, during which time no one will see the data stored inside. The capsule will not be opened and access to the data will only be possible after the given period. That means that the 2001 census data will only be available in 2100. Perhaps even more remarkable is the number of the nearly 10 million, or 52.6% of the population who participated in the Australian census, and consented to their personal data being stored in a “time capsule” in the National Archives of Australia.Footnote 64 The same principle was then applied to subsequent censuses conducted in five-year intervals in 2006, 2011, 2016 and will be applied to the 2021 census as well. In 2006, over 56% of the population agreed to maintain their data in a “time capsule”.Footnote 65 The time capsule stores the census records of those who agreed to archive their data in the form of microfilm.
A quick look at Europe shows that Ireland keeps non-anonymised census records, including personal data, by default. Access to them is granted after 100 years.Footnote 66 Censuses in Ireland after its separation from the United Kingdom were conducted in 1926, 1936, 1946, 1951, 1956, 1961, 1966, 1971, 1979, 1981, 1986, 1991, 1996, 2002, and 2006.Footnote 67 The records are preserved in an astonishingly complete condition, unlike the nineteenth century Irish census forms as the censuses of 1881 and 1891 were deliberately destroyed during World War I, presumably due to lack of paper. The 1821, 1831, 1841, and 1851 census records were then, with minor exceptions, destroyed in 1922 in a fire at the Public Record Office at the outbreak of the Irish Civil War.
What is remarkable is how the data are stored. Census records dating back to 1946 and partly to 1951 are maintained in the National Archives of Ireland. Younger census forms remain in the care of the Central Statistical Office. On the one hand, the census records are non-anonymised, but on the other, access to records less than 100 years old is strictly prohibited and this ban also includes the staff of the National Archives of Ireland as well as any official consultation purposes.
The 2021 census, postponed to 2022 due to the COVID-19 pandemic, was the first time the Irish introduced the option of using a time capsule. Any citizen can write a handwritten message for future generations on the back of the census form. This message will be removed from the time capsule and revealed together with the entire census after 100 years.Footnote 68 In addition, the 2021 census contains an additional eight questions concerning renewable energy sources, internet access, smoke alarms, smoking, working from home, volunteering, childcare, and travelling home from work, school, or college.
On one side, Ireland significantly widens the range of information about a person, their existence, everyday life and privacy, and opens up space for self-expression in the form of a personal message which allows an individual to express their own personality. And as the Central Statistics Office rightly pointed out, the opportunity to self-express into a time capsule adds “a fun element, you can see it as a small reward for filling in the form and making your own mark. Whatever you want can go in there.”Footnote 69
On the other side, it is somewhat of a paradox that just before the latest census planned for 2021 and postponed to a year later, a case of archived census personal data misuse has emerged. In 2020, the data from the 1926 census, which were supposed to be absolutely inaccessible until 2027, appeared on social media.Footnote 70 The records are physically maintained in the National Archives of Ireland but remain under the control of the Central Statistics Office.Footnote 71 The case ended with the Central Statistics Office contacting the person responsible for illegally publishing the data who then removed them from social media.
At the very heart of the issue of managing and archiving personal data is the fundamental tension between the need to obtain and store certain data about citizens and the gradually increasing risk of their misuse. It may seem ironic, but one way to address this tension is by public archives deviating from standard procedures of archiving in the public interest. What does this mean?
It is necessary to start by comparing the time capsule with the principles of standard archiving. Both the time capsule and archiving share the intention of long-term and secure information preservation, but there are fundamental differences. Data archiving and the archival sector intend to preserve data permanently and at the same time want to gradually allow access to the public, while applying all standard closure periods and other legal measures regulating access to the data. On the contrary, time capsules are based on maximum to absolute restriction of access to their contents. Motivations for restricted access have varied throughout history. The reasons usually included security measures protecting the creator and depositor of information whose disclosure would put them at risk. It might also have been simple preservation of information for future generations. In a sense, we might see early examples of time capsules in the preservation of documents and other artefacts in church domes or inside statues, as shown by the recent discovery of a secret box containing a document dated 1777 inside a statue of Christ called Cristo del Miserere inside the church of Santa Águeda in Sotillo de la Ribera, Spain,Footnote 72 and so on.
In the twentieth century, the time capsule began to add a second essential feature; it can be used to determine the exact period for which the information is made absolutely inaccessible and, at the same time, it can pinpoint a specific point in time when the time capsule is to be opened and its contents made available. This feature in its embryonic form was also present in the early stages of time capsules, but was tied to a specific act such as—bearing in mind the above examples—the moment of necessary repair or reconstruction. Naturally, in cases like these it was impossible to determine the exact point in time when the capsule would be opened. This began to change significantly in the twentieth century. A typical early example was a time capsule known as the “Detroit Century Box” created on 31 December 1900 and intended to be opened 100 years later, as actually happened at the end of the year 2000. The similarly famous “Crypt of Civilization” built in 1936 at Oglethorpe University intends to preserve records of period life; it is meant to be unsealed in 8113.Footnote 73 However, the inability to determine an exact moment in time when a capsule will be opened is not solely a thing of the past, just think of the examples of capsules located in space probes Pioneer 10, Pioneer 11, Voyager 1, or Voyager 2.
Nevertheless, traditional archiving and preservation of data is more similar to time capsules with a clearly defined period before they can be opened, a period that is “observable”, and it is much less similar to, for example, the KEO satellite, whose departure has been postponed several times, that is intended to carry various information about humanity and civilisation in their current state for future inhabitants of the Earth and that should return to Earth in approximately 50,000 years.
The principle of preserving certain information, usually for a specific, well-defined period of time, and at the same time the principle of absolutely restricting access to it until the expiration of a specified period of time, eventually became the reason that attracted archives and data archivists to the phenomenon of time capsules. At certain moments, however, the two otherwise substantially different phenomena, the time capsule on one side and archiving on the other, meet and are applied simultaneously. That is the case, for example, of the preservation of census records currently used in Australia and Ireland; based on the proposed four categories of the right to be forgotten presented in Chap. 5, under Sect. 5.3, this case would call for the application of the “temporary absolute” right to be forgotten.
This may actually be the way to balance the tension between the need to collect and store personal data on citizens and the increasing risk of misuse of these data.
Almost without exception, public archives and archiving in standard democracies base their access policies on the principle that there is a fundamental difference in access to archives for official and for private purposes. While closure periods are usually introduced for private access to archives, they do not apply by default in the case of official purposes and the records may thus be accessed immediately. The time capsule, on the other hand, works or can work quite differently, which also applies to it being used in archiving. One of the examples analysed above makes this crystal clear; it is the example of the 2011 archival census records held at the National Archives of Australia. The census records of citizens who gave consent to their non-anonymised preservation are kept in the National Archives sealed in a time capsule for 99 years, and unlike other archival records, access to them is restricted for official purposes and it is explicitly prohibited for court needs.Footnote 74 Still, as is the case in other countries, the Australian Bureau of Statistics will destroy all the original records after statistical evaluation and data extraction is performed.Footnote 75 The only preserved microfilm copies of the records of those who volunteered are archived precisely and only in the time capsule. If this is not opened, no personal data from the census should leak to the public.
The time capsule thus represents an instrument which—legally—increases the protection of personal data contained in the records stored inside. This certainly does not mean that it automatically eliminates the risk of misuse in the case that the democratic state and the rule of law get replaced by a totalitarian, lawless, strongly populist regime, and so on. The seal, honoured by a person, society, or a country just and honest, will wilfully and without hesitation be broken by injustice, malice, and oppression.
7.3 The Case of Jewish Files (“Fichiers Juifs”) in France: Archiving of Materials Intended for Destruction and Their Concealed Existence
In November 1991, Nazi hunter Serge Klarsfeld, a French lawyer specialising in cases of persecution of Jews in France during the Holocaust, discovered files known as “fichiers juifs” that were believed to no longer exist as they should not have existed. No search function in the archive that maintained these records recognised their existence; the only information leading to the files was in an internal function.Footnote 76 The case caused quite a stir throughout the French archival and historical community and became one of the important drivers of change in French archives, which eventually led, years later, to a complete revision of the entire French archives legislation when the Code du patrimoine replaced the original 1979 Archives Act in 2004.Footnote 77 Vincent Duclert considers the outbreak of the case to be one of the important starting points marking the period of the so-called archive crisis (“crise des archives”) of French archiving at the time and consisting essentially, according to Duclert, in the absence of a scientific policy of archival institutions and therefore in the inability to respond when archival work was challenged.Footnote 78
These files were among those created at the behest of the German Nazi occupying power on French territory, but similar ones were also created in Vichy France. Serge Klarsfeld came across some records in the fonds of the Ministère des Anciens combattants (Department of Veterans Affairs) that were at first interpreted as purely a register created by the Préfecture de police de la Région parisienne (Paris Police Prefecture).Footnote 79 Subsequently, by means of a thorough analysis, an independent committee of historians presided by René Rémond concluded that these so-called fichier juif files consist of three categories of archival records.Footnote 80 Firstly, it is a second copy of the Drancy camp register containing the names of deported persons, which was kept and hidden by prisoners detained there. Second, there are files from the Beaune-la-Rolande and Pithiviers camps, which were handed over to the Department of Veterans Affairs by the social assistants at these camps. And finally, there are files of individuals and families of diverse character, which may have included, among other things, information from the Prefecture of Police registers created in 1940, a source whose existence was presumed but that has not survived to this day. And this is the heart of the problem.
During the occupation, police prefectures created file registers of Jewish people, which became an important tool for the Holocaust in the country during World War II. Immediately after the end of the war, the then Minister of the Interior, Édouard Depreux, in a circular dated 6 December 1946, ordered the destruction of “all records based on racial distinctions between Frenchmen” (“tous les documents fondés sur des distinctions d’ordre racial entre Français”).Footnote 81 The Jewish files were also subject to this regulation. In the chaotic times just after the end of the war, however, soon afterwards the same Minister Depreux, albeit in a different government, issued yet another circular dated 31 January 1947, reversing his original decision and calling for the preservation of the records as they might help the Jews affected by the Holocaust, the search for missing and displaced persons, the provision of certificates of deportation or imprisonment, the reparations, the needs of the judicial system, and so on. They were to be kept only as long as they could benefit the affected persons of Jewish origin.Footnote 82 Soon afterwards, there was a massive destruction of records and it was generally believed that these files compiled at the time of World War II were completely destroyed as well.Footnote 83
This obligation was also later sealed at the level of legislation by the Information and Freedoms Act in 1978. This Act imposed an obligation not to preserve any data relating to the names of persons that would directly or indirectly reveal, inter alia, racial origin (as well as other data, nowadays generally referred to as sensitive personal data, such as political or philosophical beliefs, religion, or trade union affiliation).Footnote 84
The first echoes of the Jewish files issue had already appeared in the early 1980s. In the spring of 1980, the investigative magazine, Le Canard enchaîné, drew attention to the fact that there was a Jewish register in one of the National Gendarmerie centres in Rosny-sous-Bois.Footnote 85 The National Commission on Informatics and Liberty (Commission nationale de l’informatique et des libertés) conducted a cross-ministerial survey at the time and concluded that there was no trace of any Jewish files anywhere, but it was equally strange that there was no evidence of their proper destruction except in the Marseille area.Footnote 86 The case was subsequently revived by the above Serge Klarsfeld who discovered parts of the files in the records maintained by the Department of Veterans Affairs.
The case of the French Jewish files provoked a great deal of controversy, especially with regard to the issue of public access to archival material; the subsequent legislative developments confirmed that society demands liberalisation of access to archival records and calls for the introduction of equal access in particular. At the time, the Jewish files were an unfortunate example of creating privileged access to records and archives only for certain individuals; they became one of the indicators of restricted access to newer records to the public. This situation was also reflected in Guy Braibant’s comprehensive report to the French Prime Minister on the state of French archiving, in which he touched on, among other things, the excessively long closure periods.Footnote 87
Yet, in view of the question this text wants to answer, the case of the Jewish files is more important regarding the topic of the preservation of data and archival records in particular. It is remarkable on several levels. First, it demonstrates how the experience of massive crimes against humanity—perpetrated not only by the German occupying power but also by the French themselves—has shown society the risks of collecting personal data. This was one of the reasons why the French Minister of the Interior, Depreux, ordered the destruction of records containing information about individuals of Jewish origins soon after the liberation of France. However, the same minister realised soon after his decision that the very same records could in turn help the Jewish victims of the Holocaust. And so he decided to preserve these materials until they could be used to serve the victims.
The whole case then climaxed half a century later when Klarsfeld discovered the remains of the Jewish files and no longer called for their destruction but rather for their permanent archiving. He and the National Commission on Informatics and Liberty suggested the preservation of the original files, meanwhile transferred to the French National Archives, in what was then the Memorial of the Unknown Jewish Martyr (Mémorial du Martyr juif inconnu), now part of the Memorial of the Shoah (Mémorial de la Shoah).Footnote 88
On the contrary, the Rémond Commission pleaded for the preservation of the records in the National Archives.Footnote 89 In the end, an original compromise was agreed upon, that had the direct support of then President Jacques Chirac. The archival records remained in the official custody of the National Archives in order to fulfil the legal requirements for the maintenance of public records in a public archive, and at the same time they were actually stored in a new depot, located next to the crypt that represents the symbolic tomb of the six million murdered Jews who do not have a grave and which is administered by the Shoah Memorial in France.Footnote 90 The Memorial has no control over the Jewish file, which falls exclusively within the purview of the National Archives.
A significant role in exposing the entire context was played by the intention of the Jewish community that wished to be able to manage material that was once used for its persecution (similarly, Indigenous peoples in Canada are now demanding that public and private organisations in Canada hand over records testifying to the cultural genocide of Indigenous peoples in Indian residential schools to the National Centre for Truth and Reconciliation, as I briefly mentioned in Chap. 4) and which, unfortunately, can never be excluded from being used for persecution in the future. Although this intention was only partially fulfilled in the form of a compromise solution and agreement with the French state, it was in a way accepted. What is remarkable and significant is that half a century after the Holocaust, concerns about the misuse of personal data, and in this case especially data on racial origin, have diminished, and the Jewish community is no longer opposed to their preservation. It is possible that were the files of French Jews to survive in their entirety, they would have been preserved as such. This ultimately shows a process I call “disappearing sensitivity”; data sensitivity fades in proportion to their ageing or to the transformation of the character of the sensitivity. This is a process that I will mention again in the following chapter, and that is central to the whole field of post-mortem protection, which is one of the topics of the preceding chapters.
7.4 Personal Data Breaches: National Archives and Records Administration (NARA) Cases
In 2009, the US National Archives and Records Administration (NARA) discovered that an external hard drive containing a copy of data from the Bill Clinton Administration Executive Office had disappeared.Footnote 91 The hard disk was used as a part of routine copying operations of data intended for long-term archiving. It contained files with the personal information of approximately 250,000 individuals, including the names and social security numbers of, first, the employees of the Executive Office of the President of the USA at that time, and second, the individuals who either contacted, for example, as job applicants, or visited the White House complex. One of the daughters of former Vice President Al Gore was reportedly among the individuals concerned.Footnote 92 The impact of either the lost or stolen hard drive was not that the data was irretrievably lost (they were only backups), but that the protection of the said personal data had been breached and, as a consequence, it was possible for those concerned to fall victim to identity theft.
At the time, NARA initiated a mailing list first of 26,000 letters to those individuals whose data might have been leaked, which was then followed by another 150,000 letters.Footnote 93 NARA offered those affected the option to use credit monitoring, identity theft insurance, and fraud resolution assistance free of charge for one year. In addition, NARA posted a $50,000 reward for providing information that would lead to the recovery of the missing hard drive. According to the information I have available, the disk was never found.
There was yet another case that came to the fore in connection with the US NARA. In that same year, 2009, NARA turned over a damaged hard drive containing personal information (in part presumably including sensitive personal information) of approximately 76 million veterans (including millions of social security numbers dating back to 1972) to a contractor for repair without deleting the personal information on the drive. The contractor found the disc beyond repair and handed it over to yet another company for recycling. Some of the well-known media outlets rushed to conclude that this meant one of the biggest leaks of personal data by a government agency in history.Footnote 94 NARA countered these conclusions arguing that the protection was not breached as all the contractors and subcontractors who came into contact with the incriminated hard drive were contractually bound to NARA and committed to the privacy principles regarding the data with which they came into contact.Footnote 95 At the same time, NARA pointed out that there was no evidence that the companies in question had tampered with the disc. There was even a hearing before the Subcommittee on Information Policy, Census, and National Archives of the House of Representatives Committee on Oversight and Government Reform.Footnote 96 The fact that NARA’s credibility specifically on military veterans affairs had not been undermined was finally confirmed by the latest cooperative agreement with the United States Department of Veterans Affairs to digitise certain archival materials from the Veterans Benefits Administration under the jurisdiction of that Department.Footnote 97 The agreement explicitly declares that the digitised materials also contain sensitive personal information, including, but not limited to, social security numbers, especially when linked to dates of birth, birth names, and other identifiers, and that NARA is responsible for not disclosing such materials that are less than 75 years old.
7.5 Totalitarian Abuse of Totalitarianism: The East German State Security Service and Personal Data Misuse in the “Archive of National Socialism” (“NS-Archiv”)
Paradoxically, there may be cases when personal data of the representatives of a totalitarian regime are misused by yet another dictatorship. After the fall of totalitarian regimes, the documentation may be used by the successor democracy to legally seek and achieve justice. A typical example is the post-war Nuremberg Trials of 1945–1946 held against the top Nazi representatives. But history has also seen other cases. For example, a similar group of materials surviving from the period of Nazi Germany began to be systematically misused by the Ministry for State Security (Stasi) in the newly constituted East Germany (DDR). This process was finally formalised in 1967 when the so-called NS-Archiv was established within the Stasi.Footnote 98
The NS-Archiv, which is now quite well mapped, was created in no small part as a reaction to the activities of the Dokumentationsstelle zur zentralen Erfassung allen Materials der NS-Zeit (1933–1945), which had been formed in 1964 as part of the Staatliche Archivverwaltung (State Archive Administration) of the East German Ministry of the Interior. In this way, the Stasi intended to maintain control and power over all files from the Nazi period. However, the origins of the NS-Archiv date back to the turn of 1953–1954, as reconstructed by the current president of the German Federal Archives, Michael Hollmann.Footnote 99 The resulting NS-Archiv was created by artificially combining materials left over from the activities of a number of offices and party apparatuses of the Third Reich. It is basically built on the principle of pertinence and in this sense stands in opposition to the principle of provenance, the fundamental constituent of modern archiving. For the most part, it consists of materials related to specific persons.Footnote 100
The Stasi systematically collected materials maintained in the NS-Archiv in order to “fulfill so-called ‘political-operational’ tasks: to prosecute Nazi and war criminals or to ‘move’ them to cooperate, which was understood to be an offer to rectify the crimes committed”.Footnote 101 The very motivation for the creation of the NS-Archiv collection was the intention to gather information about people and their Nazi burdens and not an attempt to create an archival collection based on the principle of provenance. In its NS-Archiv collection, the Stasi thus accumulated records such as ordinary personal files, court files, medical records, party membership files, and many other categories of records; these were then processed and used to compile and create “personal files” of persons of interest.Footnote 102
As Michael Hollmann points out, a significant amount of the records have little meaning and testimonial value as such and would not be archivable; what is valuable from today’s point of view is the body of material in the NS-Archiv, which, Hollmann believes, could in a way be described as the “Document Center of the East” (“Document Center des Ostens”).
The misuse of personal data itself not only took place in a massive way within the NS-Archiv, the NS-Archiv was directly built on the misuse of personal data. The data collected on citizens was misused by the Stasi for various purposes, in particular by obtaining compromising material by no means limited only to the citizens of the then DDR. One of their main interests was the citizens of the Federal Republic of Germany. The Main Department IX/11 (Hauptabteilung IX/11) established by the Stasi used the NS-Archiv as a tool particularly for collecting and acquiring data on the Nazi past of key figures in the West German economy, military, politics, and other public authorities.Footnote 103 In some cases, sensitive data were also used for massive political campaigns against Western democracies and their representatives, such as Kurt Georg Kiesinger, Hans Globke, Heinrich Lübke, Theodor Oberländer, and others.
The sheer volume of the NS-Archiv was extraordinary. Towards the end of its operation, it maintained approximately 1 million units.Footnote 104 The amount was estimated between 7–10 linear kilometres.Footnote 105 The NS-Archiv was also, with certain exceptions, the only one of the Stasi archives not to remain under the authority of the Federal Commissioner for the Records of the Stasi (Der Bundesbeauftragte für die Unterlagen des Staatssicherheitsdienstes der ehemaligen Deutschen Demokratischen Republik), but was transferred to the German Federal Archives.
Although it was a special archive artificially created for the purposes of the intelligence service and secret police of the East German dictatorship and not a standard public archive, with the perspective from which we view the minimisation, preservation, and protection of data in archives, the difference does not matter in the end; the data created and preserved during the period of one totalitarianism were used and misused by the next. Although in many cases the intention was to punish the crimes of the Nazi period, this motivation evolved into the determination to use the materials as compromising data on people and their behaviour during the Nazi Third Reich and to exploit them for the purposes of the new East German communist dictatorship. A dictatorship that did not respect the fundamental rights of democratic regimes, including the right to a fair trial or the principle of “ne bis in idem”, which we know as one of the pillars of democratic criminal proceedings. To conclude, the NS-Archiv demonstrates very well how dangerous it is to combine the two elements: 1. the violation of the fundamental principles of the democratic rule of law in totalitarian non-democratic regimes, and 2. the existence and preservation of sensitive data about citizens that are potentially damaging and compromising. Along with this, it is necessary to take very seriously the constant and ever-present risk that at some point in the future a democratic regime may fundamentally change towards a non-democratic one, and the permanence of the rule of law cannot thus be relied upon absolutely. In geopolitical terms, the risks increase especially in countries that do not have a tradition of long-lasting and continuous democracy, or that are threatened by the proximity of non-democratic states with great power ambitions. This is true for the vast majority of existing countries, including many European states.
Notes
- 1.
IBM Security. Cost of a Data Breach Report 2020. https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/pdf
- 2.
IBM Security. Cost of a Data Breach Report 2020, p. 18.
- 3.
IBM Security, Cost of a Data Breach Report 2020, p. 19.
- 4.
Some of the biggest data leaks in recent years are summarised in de Groot, J. (2020, 1 December). The History of Data Breaches. Digital Guardian. https://digitalguardian.com/blog/history-data-breaches
- 5.
Hao, K., Liang, R. (2022, 4 July). Vast Cache of Chinese Police Files Offered for Sale in Alleged Hack. The Wall Street Journal. https://www.wsj.com/articles/vast-cache-of-chinese-police-files-offered-for-sale-in-alleged-hack-11656940488; Hacker claims to have stolen 1 billion records of Chinese citizens from police. (2022, July 6). Reuters. https://www.reuters.com/world/china/hacker-claims-have-stolen-1-bln-records-chinese-citizens-police-2022-07-04/
- 6.
Hoffman, S., Podgurski, A. (2013). The use and misuse of biomedical data: is bigger really better? American Journal of Law & Medicine, 39(4), 497–538.
- 7.
Kunze, A. (2013, 31 October). Behandelt und verkauft. Ärzte und Apotheker geben die Kranken- und Rezeptdaten von Millionen Patienten weiter – ohne deren Wissen. Es ist ein dickes Geschäft. Die Zeit. https://www.zeit.de/2013/45/patientendaten-marktforschung-pharmaindustrie
- 8.
2020 Data Breach Investigations Report. (2020). Verizon. https://enterprise.verizon.com/resources/reports/2020/2020-data-breach-investigations-report.pdf, p. 7.
- 9.
Robinson, J. (2020, 9 September). US Healthcare Data Breach Statistics. Privacy Affairs. https://www.privacyaffairs.com/healthcare-data-breach-statistics/
- 10.
IBM Security, Cost of a Data Breach Report 2020, p. 14.
- 11.
2018 Data Breach Investigations Report. (2018). 11th edition. Verizon. https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf, p. 25. 2020 Data Breach Investigations Report. (2020). Verizon, p. 40.
- 12.
2020 Data Breach Investigations Report. (2020). Verizon, pp. 40, 54–56.
- 13.
Based on data from the Data Breaches database compiled by the Privacy Rights Clearinghouse, statistical summaries were conducted by Seh, A. H., Zarour, M., Alenezi, M., Sarkar, A. K., Agrawal, A., Kumar, R., Khan, R. A. (2020). Healthcare Data Breaches: Insights and Implications. Healthcare (Basel), 133 June 8(2). https://www.mdpi.com/2227-9032/8/2/133
- 14.
One in Four US Consumers Have Had Their Healthcare Data Breached, Accenture Survey Reveals (2017, 20 February). Accenture. https://newsroom.accenture.com/subjects/technology/one-in-four-us-consumers-have-had-their-healthcare-data-breached-accenture-survey-reveals.htm
- 15.
Descriptions of these and other cases of massive medical data breaches in the USA are summarised in, for example, Lord, N. (2020, 28 September). Top 10 Biggest Healthcare Data Breaches of All Time. Digital Guardian. https://digitalguardian.com/blog/top-10-biggest-healthcare-data-breaches-all-time
- 16.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/eli/reg/2016/679/oj
- 17.
Strafgesetzbuch, § 203 (Verletzung von Privatgeheimnissen).
- 18.
Návrh zákona, kterým se mění některé zákony v souvislosti s přijetím zákona o elektronizaci zdravotnictví. Vládou schváleno jako Usnesení Vlády České republiky ze dne 15. února 2021 čj. 102/21 k návrhu zákona, kterým se mění některé zákony v souvislosti s přijetím zákona o elektronizaci zdravotnictví. Sněmovní tisk 1164/0, Vládní návrh zákona, kterým se mění některé zákony v souvislosti s přijetím zákona o elektronizaci zdravotnictví [Bill amending certain acts in connection with the adoption of the Act on Electronic Healthcare. Approved by the Government as Resolution of the Government of the Czech Republic of 15 February 2021 No. 102/21 on the bill amending certain acts in connection with the adoption of the Act on Electronic Healthcare. Parliamentary Print 1164/0, Government Bill amending certain acts in connection with the adoption of the Act on Electronic Healthcare].
- 19.
Zákon č. 372/2011 Sb., o zdravotních službách a podmínkách jejich poskytování (zákon o zdravotních službách), ve znění pozdějších předpisů [Act No. 372/2011 Coll., on Health Services and Conditions of their Provision (Act on Health Services), as amended]; Vyhláška č. 98/2012 Sb., o zdravotnické dokumentaci, ve znění pozdějších předpisů [Decree No. 98/2012 Coll., on Medical Documentation, as amended].
- 20.
Briefly on the project Ahlquist, K. R. Norwegian health archives. A new type of archive in The National Archives of Norway. https://www.nordiskarkivportal.org/wp-content/uploads/2017/10/24.05_4.3-3_Kurt-Ahlquist_Norway_Norsk-helsearkiv-en-ny-type-virksomhet-....pdf
- 21.
Norwegians’ digital health data to be preserved for future generations (2019, 30 January). https://www.piql.com/news/norwegians-digital-health-data-to-be-preserved-for-future-generations/. The digital archive will use the Archivematica system.
- 22.
European Commission. Shaping Europe’s digital future. eHealth. https://digital-strategy.ec.europa.eu/en/policies/ehealth
- 23.
Guideline for the E-ARK Content Information Type Specification for eHealth1 (CITS eHealth1). (2021, 1 February). https://dilcis.eu/images/2020review/18_Draft_Guideline_CITS_eHealth1.pdf
- 24.
Arrêté du 4 décembre 2009 portant dérogation générale pour la consultation des listes nominatives du recensement général de la population. JORF n°0288 du 12 décembre 2009 page 21505 texte n° 48.
- 25.
Mayer, T. S. (2002). Privacy and Confidentiality Research and the US Census Bureau. Recommendations Based on a Review of the Literature. Research Report Series (Survey Methodology #2002–01). https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.8.3379&rep=rep1&type=pdf, p. 4.
- 26.
Schulten, S. (2014, 20 November). Sherman’s Maps. The New York Times.
- 27.
For most detail cf. Anderson, M., Seltzer, W. (2007). Census Confidentiality under the Second War Powers Act (1942–1947). Paper prepared for presentation at the session on “Confidentiality, Privacy, and Ethical Issues in Demographic Data”. Population Association of America Annual Meeting, 29–31 March 2007, New York, NY. More detailed links to further literature. Most recently Anderson, M. (2015). Public Management of Big Data: Historical Lessons from the 1940s. Federal History, 15, 17–34. Cf. also the printed edition Anderson, M. (2015). The American Census. A Social History. Yale University Press. See also Anderson, M., Seltzer, W. (2000). After Pearl Harbor. The proper role of population data systems in time of war. Material prepared for the meeting, entitled “Human Rights, Population Statistics, and Demography: Threats and Opportunities” and organised by the Population Association of America, 23–25 March 2000, Los Angeles. Cf. also Anderson, M., Seltzer, W. (2009). Federal Statistical Confidentiality and Business Data: Twentieth Century Challenges and Continuing Issues. The Journal of Privacy and Confidentiality, 1(1), 7–52. https://doi.org/10.29012/jpc.v1i1.563, p. 18.
- 28.
Anderson, M., Seltzer, W. (2007). Census Confidentiality under the Second War Powers Act (1942–1947), p. 5. Claims that the Census Bureau was instructed to collect personal data on Japanese Americans of US origin or foreign-born by President Franklin D. Roosevelt prior to the Japanese attack on Pearl Harbor, are made by Daniel J. Solove and Paul M. Schwartz, but without any evidence. Cf. Solove, D. J., Schwartz, P. M. (2018). Information Privacy Law. Wolters Kluwer, p. 733.
- 29.
Anderson, M., Seltzer, W. (2007). Census Confidentiality under the Second War Powers Act (1942–1947). This text also reprints a sample of lists of citizens of Japanese ancestry in the Washington area that were turned over to the Secret Service by the US Census Bureau (pp. 67–68). Cf. also Anderson, M. (2015). Public Management of Big Data, pp. 31–32.
- 30.
The results of the 1933 census for the citizens of Jewish origin were published at the time as: Die Bevölkerung des Deutschen Reichs nach den Ergebnissen der Volkszählung 1933. Heft 5: Die Glaubensjuden im Deutschen Reich. (1936). Verlag für Sozialpolitik, Wirtschaft und Statistik.
- 31.
Cf. Volkszählungen in Berlin seit Bestehen des Statistischen Amtes der Stadt Berlin. (2012). Zeitschrift für amtliche Statistik Berlin Brandenburg, 1+2, 36–57, p. 42.
- 32.
Cf. Wietog, J. (2001). Volkszählungen unter dem Nationalsozialismus. Duncker und Humblot, p. 166ff. Cf. also Aly, G., Roth, K. H. (2000). Die Restlose Erfassung. Volkszählen, Identifizieren, Aussondern im Nationalsozialismus. Fischer E-Books.
- 33.
J. Wietog, J. (2001). Volkszählungen unter dem Nationalsozialismus, p. 193.
- 34.
Aly, G., Roth, K. H. (2000). Die Restlose Erfassung. Volkszählen, Identifizieren, Aussondern im Nationalsozialismus. Fischer E-Books, pp. 93–95.
- 35.
Zimmermann, N. M. Die Ergänzungskarten für Angaben über Abstammung und Vorbildung der Volkszählung vom 17. Mai 1939. Vortrag auf dem Workshop “Datenbanken zu Opfern der nationalsozialistischen Gewaltherrschaft in Deutschland 1933–1945”. https://www.bundesarchiv.de/DE/Content/Publikationen/Aufsaetze/aufsatz-zimmermann-ergaenzungskarten.pdf?__blob=publicationFile, p. 1.
- 36.
Wietog, J. (2001). Volkszählungen unter dem Nationalsozialismus, p. 161. So-called Volkskarteien were introduced by a decree of the Reich Minister of the Interior in April 1941, it was the Verordnung über die Errichtung einer Volkskartei of 21 April 1939. Reichsgesetzblatt 1939, Teil I, Nr. 78, Berlin 1939, p. 823.
- 37.
Cf., for example, 200 Jahre amtliche Statistik in Bayern 1808 bis 2008. (2008). Bayerisches Landesamt für Statistik und Datenverarbeitung, p. 39. The situation in Austria was mapped by Exner, G. (2002). Die Volkszählung von 1939 in Deutschland und Österreich – ein Beitrag zum Holocaust? Austrian Journal of Statistics, 31(4), 249–256.
- 38.
“Jedes Eindringen in die Vermögens- und Einkommensverhältnisse ist ausgeschlossen. Über die bei der Zählung über die Persönlichkeit des Einzelnen sowie über die Verhältnisse der einzelnen Grundstücke und Vertriebe gewonnenen Nachrichten ist das Amtsgeheimnis zu wahren; sie dürfen nur zu statistischen Arbeiten, nicht zu anderen Zwecken benutzt werden.” Gesetz über die Durchführung einer Volks-, Berufs- und Betriebszählung of 12 April 1933, § 4.
- 39.
200 Jahre amtliche Statistik in Bayern 1808 bis 2008. (2008), p. 37.
- 40.
Gesetz über die Durchführung einer Volks-, Berufs- und Betriebszählung of 4 October 1937. The relevant § 4 that in 1933 still provided for the protection of official secrets, was reduced by this provision.
- 41.
Schlebaum, P. (2019, 1 September). Raid on the Population Registry of Amsterdam. https://www.tracesofwar.com/articles/5329/Raid-on-the-Population-Registry-of-Amsterdam.htm
- 42.
The attack is described in detail in Het Koninkrijk der Nederlanden in de Tweede Wereldoorlog. (1969). Deel 6. Tweede helft Juli ‘42 - mei ‘43. Rijksinstituut voor oorlogsdocumentatie, 712–736, p. 733.
Ketelaar, E. (2005). Records and Societal Power. In S. McKemmish, M. Piggott, B. Reed, F. Upward (Eds.), Archives: Recordkeeping in Society (277–298). Centre for Information Studies, Charles Sturt University, p. 286. Cf. also Schlebaum, P. (2019, 1 September). Raid on the Population Registry of Amsterdam.
- 43.
Het Koninkrijk der Nederlanden in de Tweede Wereldoorlog, pp. 734–735. Data from the Yad Washem memorial, including a detailed description of the bombing of the office building, see The Righteous Among the Nations Database, Willem Arondeus (Johannes Arondeus), 1894–1943. https://righteous.yadvashem.org/?searchType=righteous_only&language=en&itemId=4043044&ind=NaN
- 44.
Het Koninkrijk der Nederlanden in de Tweede Wereldoorlog, p. 733.
- 45.
Keitel, Ch. (2019). Archivcamp “Volkszählung 2021 und Rolle der digitalen Archive”. In 23. Tagung des Arbeitskreises Archivierung von Unterlagen aus digitalen Systemen. National Archives (Prague). https://www.nacr.cz/wp-content/uploads/2019/12/KnihaAUDS_e-kniha_DEF.pdf, p. 167.
- 46.
Urteil des Ersten Senats vom 15. Dezember 1983 auf die mündliche Verhandlung vom 18. und 19. Oktober 1983. BVerfGE 65, 1, 49
- 47.
Not only on population censuses, but on the archiving of statistical data in general, see an older but very concise article by Buchmann, W., Wettengel, M. (1996). Auslegung des Bundesstatistikgesetzes bei der Archivierung von Statistikunterlagen. Der Archivar 49(1), 67–74, p. 71 in particular.
- 48.
“ist das Prinzip der Geheimhaltung und möglichst frühzeitigen Anonymisierung der Daten nicht nur zum Schutz des Rechts auf informationelle Selbstbestimmung des Einzelnen vom Grundgesetz gefordert, sondern auch für die Statistik selbst konstitutiv.” “Urteil des Ersten Senats vom 15. Dezember 1983 auf die mündliche Verhandlung vom 18. und 19. Oktober 1983. BVerfGE 65, 1, 51.
- 49.
Cf. Schäfer U. (1997). Die Pflicht zur Anbietung und Übergabe von Unterlagen in der archivarischen Praxis. In R. Kretzschmar (Ed.), Historische Überlieferung aus Verwaltungsunterlagen. Zur Praxis der archivischen Bewertung in Baden-Württemberg (pp. 35–46). Kohlhammer, p. 46 (in his citation of the judgement of the Federal Court, Schäfer made a typo; the correct version is BVerfGE 65, 1).
- 50.
Urteil des Ersten Senats vom 27. Februar 2008–1 BvR 370/07–1 BvR 595/07, BVerfGE 120, 274–350.
- 51.
Gesetz über eine Volks-, Berufs-, Gebäude-, Wohnungs- und Arbeitsstättenzählung (Volkszählungsgesetz 1987) vom 08.11.1985, § 15. The above criticism came, for example, from Rottmann, V. S. (1987). Volkszählung 1987 – wieder verfassungswidrig? Kritische Justiz, 20(1), 77–87, p. 82–83.
- 52.
Gesetz über den registergestützten Zensus im Jahre 2011 vom 8. Juli 2009 (BGBl. I S. 1781), § 19. For information on the deletion of auxiliary characteristics, see Bundesbeauftragte für den Datenschutz und die Informationsfreiheit. Volkszählung 2011. https://www.bfdi.bund.de/DE/Datenschutz/Themen/Melderecht_Statistiken/VolkszaehlungArtikel/Volkszaehlung.html
- 53.
Bundesstatistikgesetz in der Fassung der Bekanntmachung vom 20. Oktober 2016 (BGBl. I S. 2394), § 12.
- 54.
For a comprehensive discussion of the archiving of statistics in German archives, see the reports of several working groups; mainly: KLA-Arbeitsgruppe. (June 2016). Bewertung von Statistikunterlagen. Abschlussbericht. https://www.bundesarchiv.de/DE/Content/Downloads/KLA/abschlussbericht-bewertung-statistikunterlagen.pdf?__blob=publicationFile; ARK-Arbeitsgruppe. (Mai 2008). Bewertung von Statistikunterlagen. Abschlussbericht. https://www.bundesarchiv.de/DE/Content/Downloads/KLA/abschlussbericht-statistikunterlagen.pdf?__blob=publicationFile
- 55.
Keitel, Ch. (2019). Statistik im Archiv – Eine schwierige Beziehung. In 23. Tagung des Arbeitskreises Archivierung von Unterlagen aus digitalen Systemen (pp. 169–176). National Archives (Prag), p. 175.
- 56.
For a comprehensive overview see Buchmann, W., Wettengel, M. (1996). Auslegung des Bundesstatistikgesetzes bei der Archivierung von Statistikunterlagen, p. 70.
- 57.
Bundesministerium des Innern, Erlaß vom 3. August 1994 – O II 3–142,002/16. Cf. Buchmann, W., Wettengel, M. (1996). Auslegung des Bundesstatistikgesetzes bei der Archivierung von Statistikunterlagen, p. 70.
- 58.
Šimůnková, K., Šisler, M. (2019). Zur Problematik der elektronischen Archivierung von Volkszählungen 2011 und 2021 in der Tschechischen Republik. In 23. Tagung des Arbeitskreises Archivierung von Unterlagen aus digitalen Systemen (pp. 177–183). National Archives. Prague 2019. https://www.nacr.cz/wp-content/uploads/2019/12/KnihaAUDS_e-kniha_DEF.pdf
- 59.
Buchmann, W., Wettengel, M. (1996). Auslegung des Bundesstatistikgesetzes bei der Archivierung von Statistikunterlagen.
- 60.
Bundesverfassungsgericht, Beschluss vom 06.02.2019, Az.: 1 BvQ 4/19.
- 61.
Census and Statistics Act 1905, No. 15, 1905. Cf. Iacovino, L., Todd, M. (2007). The long-term preservation of identifiable personal data: a comparative archival perspective on privacy regulatory models in the European Union, Australia, Canada, and the USA. Archival Science, 7, 107–127. https://doi.org/10.1007/s10502-007-9055-5, p. 119; Australian Bureau of Statistics. (2011, 28 April). 2903.0 – How Australia Takes a Census, 2011. https://www.abs.gov.au/ausstats/abs@.nsf/lookup/2903.0Main%20Features52011
- 62.
House of Representatives Committees. Standing Committee on Legal and Constitutional Affairs. (May 1998). Saving our census and preserving our history. https://www.aph.gov.au/parliamentary_business/committees/house_of_representatives_committees?url=/laca/inquiryincensus.htm, Sec. 5.7, p. 87. Commentary on this report by Smith, C. (1998). Review commentary. Saving our census and preserving our history: Report of the House of Representatives Standing Committee on Legal and Constitutional Affairs. Archives and Manuscripts, 26(2), 410–417.
- 63.
Census information Legislation Amendment Act 2000, No. 30, 2000, Sec. 8A a Sec. 19A.
- 64.
Mutch, S. (2001). Public Policy Revolt: Saving the 2001 Australian Census. Archives and Manuscripts, 30(2), 26–44, p. 41. Cf. also Australian Bureau of Statistics. (July 2006). 2902.0 - Census Update (Newsletter). https://www.abs.gov.au/ausstats/abs@.nsf/7d12b0f6763c78caca257061001cc588/ea2223b65f7787aaca2573210017ede3!OpenDocument
- 65.
Australian Bureau of Statistics (2011, 4 August). Census Time Capsule – it’s time!. https://www.abs.gov.au/websitedbs/censushome.nsf/home/CO-42. See also Census Time Capsule delivered to the National Archives vaults today. (2007, 13 September). Joint media release from Australian Bureau of Statistics and National Archives of Australia. https://www.abs.gov.au/AUSSTATS/abs@.nsf/mediareleasesbyReleaseDate/FE3AE1DF58707778CA257354007FC7D9?OpenDocument
- 66.
Statistics Act 1993. Nr. 21 of 1993, Sec. 35.
- 67.
The National Archives of Ireland. History of Irish census records. http://www.census.nationalarchives.ie/help/history.html
- 68.
Central Statistics Office. (2019, 10 July). Press Statement Census 2021 date and questions approved by Government. Press Statement.
- 69.
Aodha, G. N. (2019, 10 July). For the first time, you can write a message for future generations on the Census. The Journal. https://www.thejournal.ie/censuscensus-2021-time-capsule-4718938-Jul2019/
- 70.
Murray, S. (2020, 20 October). The CSO has alerted the gardaí after extracts from the 1926 Census were published on social media. The Journal. https://www.thejournal.ie/cso-1926-censuscensus-5238786-Oct2020/
- 71.
For background information on the census in Ireland and the preservation of census records, see Central Statistics Office. Census through History. https://www.cso.ie/en/census/censusthroughhistory/; The National Archives of Ireland. History of Irish census records. http://www.census.nationalarchives.ie/help/history.html
- 72.
EFE. (28 November 2017). Encuentran una cápsula del tiempo oculta dentro del trasero de un Cristo del XVIII. El Mundo. https://www.elmundo.es/f5/comparte/2017/11/28/5a1d5fd7468aebc0358b4599.html
- 73.
Hudson, P. S. The “Archaeological Duty” Of Thornwell Jacobs: The Oglethorpe Atlanta Crypt of Civilization Time Capsule. https://crypt.oglethorpe.edu/history/detailed-history/
- 74.
Census and Statistics Act 1905, No. 15, 1905, as amended and in force on 1 October 2020, Sec. 19A.
- 75.
Australian Bureau of Statistics. 2903.0 – How Australia Takes a Census, 2011.
- 76.
Cf. Combe, S. (1994). Archives interdites. Les peurs françaises face à l’histoire contemporaine. Albin Michel, p. 200. The same author presents only very brief information on the case of the Jewish files in English in Combe, S. (2013). Confiscated Histories. Access to Sensitive Government Records and Archives in France. Zeithistorische Forschungen/Studies in Contemporary History, 10(1), 123–130, https://zeithistorische-forschungen.de/1-2013/id=4435, p. 126. The case of the Jewish files was the topic of serious discussion in France at the time. It is the subject of Gasnault, F. (2013). L’affaire du “fichier juif”, ou l’éveil d’une nouvelle sensibilité documentaire. In D. Fabre (sous la dir.), Émotions patrimoniales (pp. 237–258). Éditions de la Maison des sciences de l’homme, Ministère de la Culture.
- 77.
The development up to just before the publication of the Code du patrimoine (2004) is followed by Duclert, V. (2003). La politique actuelle des archives. In S. Laurent (sous la dir.), Archives „secrètes“, secrets d’archives. L’historien et l’archiviste face aux archives sensibles (pp. 21–56). CNRS Éditions, p. 25ff.
- 78.
Duclert, V. (2001). Les historiens et la crise des archives. Revue d’histoire moderne & contemporaine, 5(48-4bis), 16–43, p. 34. The crisis of French archives was also addressed by Duclert in other texts in a broader context, including, for example, the question of the relationship between historical science and archives. Among others Duclert, V. (1999). Les historiens et les archives. Introduction à la publication du rapport de Philippe Bélaval sur les Archives nationales. Genèses. Sciences sociales et histoire, 36. Amateurs et professionnels, 132–146.
- 79.
Kahn, A. (1993). Le fichier. Robert Laffont; Combe, S. (1994). Archives interdites, pp. 194–232.
- 80.
Le “Fichier Juif”. Rapport de la Commission présidée par René Rémond au Premier ministre. (1996). Plon.
- 81.
According to Poznanski, R. (1997). Le fichage des juifs de France pendant la Seconde Guerre mondiale et l’affaire du fichier des juifs. Gazette des archives, 177–178. Transparence et secret. L’accès aux archives contemporaines, 250–270, pp. 264–265. Cf. also Chabin, M.-A. (2017, 17 September). Détruire ou conserver les données sensibles… il y a 70 ans. Petit éclairage historique pour la mise en œuvre du Règlement général pour la protection des données personnelles (RGPD). https://www.marieannechabin.fr/2017/09/detruire-ou-conserver-les-donnees-sensibles-il-y-a-70-ans/
- 82.
“Je vous invite, en conséquence, à maintenir, le cas échéant dans vos archives, les documents relatifs aux enquêtes, sévices et arrestations dont les personnes considérées comme juives ont été victimes, lorsque ces documents peuvent présenter des avantages pour de telles personnes, par exemple en permettant la recherche et le regroupement d’individus disparus ou dispersés, ou la délivrance de certificats de déportation ou d’arrestation.” According to Chabin, M.-A. (2017, 17 September). Détruire ou conserver les données sensibles… il y a 70 ans.
- 83.
The destruction took place at the end of 1948. See L’affaire du “fichier juif”. (2020, 5 October). France Culture. https://www.franceculture.fr/emissions/lsd-la-serie-documentaire/politique-et-race-en-france-un-mariage-dangereux-14-episode-1-laffaire-du-fichier-juif
- 84.
Loi n° 78–17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés of 7 January 1978, Art. 31. In the current version it is Art. 6.
- 85.
Cf. Combe, S. (1994). Archives interdites, p. 198.
- 86.
Combe, S. (1994). Archives interdites, p. 199.
- 87.
Braibant, G. (Ed.). (1996). Les Archives en France: rapport au Premier ministre. La Documentation française (Collection des rapports officiels). https://www.vie-publique.fr/sites/default/files/rapport/pdf/964093000.pdf, drafts no. 16, 18 and 19, p. 124. For a detailed discussion of closure periods, see Čtvrtník, M. (2021). Closure periods for access to public records and archives. Comparative-historical analysis. Archival Science, 21(4), 317–351. https://doi.org/10.1007/s10502-021-09361-4
- 88.
Klarsfeld, S. (1996, 6 July). L’embarras de la commission Rémond. Le Monde. Serge Klarsfeld, along with some other experts, commented on the case of the Jewish files at a round table; this commentary was published as Peschanski, D. (1997). Le fichier juif. Table ronde. La Gazette des archives, 177–178. Transparence et secret. L’accès aux archives contemporaines, 241–249.
- 89.
Le “Fichier Juif”. Rapport de la Commission présidée par René Rémond au Premier ministre. (1996), p. 231.
- 90.
Cf. Shoah Memorial website, Les espaces du musée-mémorial. http://www.memorialdelashoah.org/le-memorial/les-espaces-du-musee-memorial/la-crypte-et-le-fichier-juif.html
- 91.
National Archives and Records Administration, Fact Sheet Regarding the National Archives and Records Administration Breach of a Hard Drive Containing Personally Identifiable Information (PII). https://www.archives.gov/files/press/press-releases/2010/pdf/nara-breach-notification-faq-2010-01-12.pdf
- 92.
National Archives Warns Former Clinton Staff, Visitors of Major Data Breach. (2015, December 23). Fox News. https://www.foxnews.com/politics/national-archives-warns-former-clinton-staff-visitors-of-major-data-breach
- 93.
National Archives and Records Administration. (2010, 4 January). Statement on Notification Letters relating to PII Information from Clinton Hard Drive. Press Release. https://www.archives.gov/press/press-releases/2010/nr10-41.html?_ga=2.116140486.152971816.1604912356-605976007.1604912356
- 94.
Singel, R. (2009, 10 January). Probe Targets Archives’ Handling of Data on 70 Million Vets. Wired. https://www.wired.com/2009/10/probe-targets-archives-handling-of-data-on-70-million-vets/. Forbes also came to a similar conclusion, cf. Greenberg, A. (2009, 24 November). The Year Of The Mega Data Breach. Forbes.
- 95.
See NARA Statement Regarding Defective CMRS Disk Drive. (2009, 13 October). Press Release. https://www.archives.gov/press/press-releases/2010/nr10-05.html
- 96.
The National Archives’ ability to safeguard the nation’s electronic records. Hearing before the Subcommittee in information policy, census, and National Archives of the Committee on oversight and Government reform. (2009). House of Representatives. 111 Congress. First Session. November 5, 2009. Serial No. 111–63.
- 97.
Letter of agreement between Department of Veterans Affairs: veterans benefits administration (VBA) and National Archives and Records Administration (NARA). (2019, 9 August). https://www.archives.gov/files/digitization/pdf/va-letterofagreement-final-signed.pdf
- 98.
For a monograph on the Archive of National Socialism cf. Unverhau, D. (Ed.). (2004). Das „NS-Archiv“des Ministeriums für Staatssicherheit. Stationen einer Entwicklung. Lit.
- 99.
On the topic of NS-Archiv, cf. in particular Hollmann, M. (2001). Das “NS-Archiv” des Ministeriums für Staatssicherheit der DDR und seine archivische Bewältigung durch das Bundesarchiv. Mitteilungen aus dem Bundesarchiv, 9(3), 53–62; Dumschat, S. (2007). Archiv oder “Mülleimer”? Das “NS-Archiv” des MfS der DDR und seine Aufarbeitung im Bundesarchiv. Archivalische Zeitschrift, 89, 119–146. https://doi.org/10.7788/az-2007-jg05. https://www.bundesarchiv.de/DE/Content/Downloads/Aus-unserer-Arbeit/ns-archiv-des-mfs1.pdf?__blob=publicationFile (Cited from this issue).
- 100.
Michael Hollmann estimates the number to be as high as 95% of the total material. Hollmann, M. (2001). Das “NS-Archiv” des Ministeriums für Staatssicherheit der DDR und seine archivische Bewältigung durch das Bundesarchiv.
- 101.
Dumschat, S. (2007). Archiv oder “Mülleimer”?, p. 2.
- 102.
For information on this process, cf. Hollmann, M. (2001). Das “NS-Archiv” des Ministeriums für Staatssicherheit der DDR und seine archivische Bewältigung durch das Bundesarchiv.
- 103.
S. Dumschat, Archiv oder “Mülleimer”?, pp. 2–3.
- 104.
Hollmann, M. (2001). Das “NS-Archiv” des Ministeriums für Staatssicherheit der DDR und seine archivische Bewältigung durch das Bundesarchiv.
- 105.
Dumschat, S. (2007). Archiv oder “Mülleimer”?, p. 7.
Author information
Authors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2023 The Author(s)
About this chapter
Cite this chapter
Čtvrtník, M. (2023). Archiving as Security Risk to Protection of Persons and Their Personality Rights. In: Archives and Records. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-031-18667-7_7
Download citation
DOI: https://doi.org/10.1007/978-3-031-18667-7_7
Published:
Publisher Name: Palgrave Macmillan, Cham
Print ISBN: 978-3-031-18666-0
Online ISBN: 978-3-031-18667-7
eBook Packages: Literature, Cultural and Media StudiesLiterature, Cultural and Media Studies (R0)