The Use of Animals in Scientific Procedures (vivisection) is covered by the Animals (Scientific Procedures) Act 1986, and there are some interesting similarities between the regulatory structure and that for personal data. A Procedure must be licensed, but the terms are permissive, and reflect the wide range of interests involved – medical, scientific and regulatory. Within this legitimate lawful range, the purpose of the regulations is to keep the number of protected animals used to a minimum, to use the lowest species level compatible with the results required; and outside the procedures to keep the animals at protected environmental levels. Abuses of the regulations are not uncommon. The similarities are clear enough.
Animals, though, don’t consent to being used in a procedure (nor often do people in relation to their data, but the outcome is usually different). Still, on this description you might think that the two regulatory fields are quite straightforward and predictable. Except that they aren’t, for at least three connected reasons.
Firstly, the Politicisation of the practices involved, sustained through Animal Rights or Privacy Rights concerns. What this means is that the purposes of the procedure and the processing are drawn into the debate in a way not allowed by the regulatory structure. For example, the debate about Privacy and the Big State has moved outside current data protection law. There is nothing fundamentally incompatible between data protection rules and big databases; they are not acceptable because of the purposes they might be used for by the State. You could say the same thing about the use of animals in the regulatory testing of cosmetics, which does not happen in the UK today for policy rather than regulatory reasons (the purpose being too trivial to justify animal use).
Secondly, Ethical concerns. These are more explicit in the Animal Rights vocabulary than they are in the Privacy vocabulary. In part this is because of the difficulty in identifying privacy harms – harms to the animal used in a procedure being clear enough. But it is obvious that there are philosophical and ethical concerns arising from ICT’s and personal data use, that there are harms (complained about if not always demonstrated), and that the area would benefit from a more visible applied ethics perspective.
Thirdly, the issue of Technology. Biotechnology is an important area of animal based research, and raises fundamental concerns about the alteration of nature and the human interference with nature. We could say a similar thing about the impact of ICT’s on human behaviour and organisations. Personal data use is only a small part of this, but an important part.
We think that biotechnology changes nature; should we also consider that new information technologies change the nature of the regulated object, a possibility not entertained by Directive 95/46/EC ?
This is just a quick comparative survey, with perhaps some implications for the thinking about a new regulatory structure for data protection. It is the contrast between a simple set of regulatory objectives which one can’t imagine changing very much, and other complex relevant matters that are changing all the time which is common to both regulatory areas; and which make satisfactory reconciliations particularly difficult to achieve.