Freedom Bill: Data Protection amendments
Background to Data Protection Act Amendments
April 2011.
See amendment papers One and two
Privacy advocates and the EU’s privacy legislators believe that the regulation and oversight of privacy in the UK is too weak. This is down to what are believed to be fundamental weaknesses in the powers and remit of the Information Commissioner, combined with problems with the Data Protection Act that the ICO enforces. Regarding the latter point, the focus of dispute largely revolves around the UK’s failure to ensure that the Data Protection Act properly implements the EU Data Protection Directive.
In fact, the European Commission is pursuing the UK in the ECJ over their perception of these failures; in the lead up to this the European Commission requested that the UK “strengthen the powers of its data protection authority so that it complies with the EU’s Data Protection Directive.” Privacy International suggested that they ‘cannot imagine another domain of public policy where the regulators’ powers and effectiveness are so weak to question the very integrity of the law.’
We see the Freedom Bill as an opportunity to make the case for corrective measures to address this regulatory failure.
The amendments
Implied consent
Purpose: Create a requirement for ‘specific and informed’ consent (through the addition of the word explicit’ in the opening paragraph of Schedule 2) under the Data Protection Act, in order to ensure that users have to show they know what they are signing up to when handing over their personal data.
Background: The EU Data Protection Directive specifies that user consent must be ‘freely given, specific and informed’ (Article 2(h) of Directive 95/46/EC). The UK’s Data Protection Act merely uses the phrase ‘has given his consent to the processing’, which has led to the notion of ‘implied consent’ – a long way from ‘freely given, specific and informed.’
Example of the problem: The lack of proper definitions in the UK was highlighted to the EU by the actions of citizens concerned by the technology ‘Phorm’, a behavioural advertising technology. BT did not seek the consent of its users before beginning trials. As a result, the Commission drew the UK government’s attention to their incorrect definition of ‘consent’. The UK is now being taken to court, in part over that incorrect definition.
Powers of entry
Purpose: To allow the ICO to enter and inspect an organisations premises for evidence of breaches of privacy regulation.
Background: The EU, in its complaint about the UK’s implementation of the Directive, complained that the ‘ICO can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks.’ This has the effect of significantly reducing the teeth of the regulator, in that he or she relies on the goodwill of organisations under his remit and currently gives organisations time to prepare for inspections in advance.
Examples: Privacy International on BT: ‘BT escaped action over the ACS Law scandal because the ICO ruled that a company with appropriate policies should not be held responsible for the conduct of its employees.’
Google Street View: Many ICOs initiated investigations on Google’s collect of Wifi data but this did not take place in the UK. The information that the ICO did get from Google, they had to request from them. In fact, Privacy International had to intervene to stop the destruction of evidence on the advice of the ICO in the UK and elsewhere.
Damages
Background: A further complaint from the EU regarding the UK’s transposition of the Directive stated that ‘the right to compensation for moral damage when personal information is used inappropriately is also restricted.’
Example: In September 2010 there were two significant data breaches affecting law firm ACS:Law, who had engaged in a controversial ‘speculative invoicing’ campaign aimed at people accused of infringing copyright. Combined they revealed the details of over 13,000 individuals to whom they had written, including around 5,000 suspected of downloading adult films, covering a range of sexual preferences. Also included in the leaked information were around 1,000 emails between alleged infringers of copyright and ACS:Law, and also credit card details of those who had settled with the law firm. The concern is that those involved would be able to claim damages; despite obvious distress, no demonstrable financial harm had accrued to them.
Privacy Commissioner
Purpose: To bring all privacy related commissioners under one regulatory body, in order to close regulatory ‘gaps’ and solve lack of cooperation.
Background: (see also ArchRight’s joint briefing)
Extending the definition of personal information
Purpose: To make UK law consistent with the wording of the Data Protection Directive, and ‘knock out’ previous case Durant, which is considered by many to be ‘bad law’ due to its narrowing of the definition of personal information.
Background: The Directive defines ‘personal data’ as “information relating to identified or identifiable person”. ‘Identification’ is explained in the recitals to cover: “all the means likely reasonably to be used either by the controller or by any other person to identify the said person” The UK has taken a narrower and less clear view, reinforced by widely-criticised court decisions. Most importantly, the Durant v Financial Services Authorities case interpreted ‘personal data’ on the basis of ‘relevance or proximity’ to the data subject. The practical result is that many forms of what should be classed as ‘personal data’ is not in the UK.
Example: IP addresses are not, by themselves, an indicator of a person, but they can be used to identify someone in conjunction with other information. They are also in extremely common use, are often publicly visible and very frequently retained. Their ubiquity in records of internet traffic makes them potentially a way to reveal highly sensitive information about someone, including information their about health, sexuality, opinions and beliefs.
The DPA says: “personal data” means data which relate to a living individual who can be identified—
(a)from those data, or
(b)from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;