ICO Deputy exposes Data Protection law wish list
Harmonisation of EU data protection law may be a pipe-dream
Comment Last Friday, data protection day, was commemorated with a meeting organised by the Ministry of Justice in Whitehall. At that meeting, David Smith, the Deputy Information Commissioner (DIC), reviewed the Information Commissioner’s wish list of changes to data protection law. This blog reports on the content of that list.
Regulation or new directive?
Speaking to “very well informed sources” at a break in the meeting it became clear that the UK government wants the changes to data protection law to be implemented by a Directive (unlike the EDPS, who wants a Regulation). If this is the case, Directive negotiations will take an age, and one can assume that any prospect of a new Data Protection law in the UK will be booted into the long grass (five to eight years at least – well into the next Parliament).
So if the Commission decides on a Regulation, I think it will have to give Member States a considerable degree of subsiduarity (eg, Member States have flexibility in the area of national security or law enforcement). Otherwise, some Member States (eg, the UK) will ensure that any internal discussion about a Regulation will become protracted because, in the UK, law enforcement and national security agencies are used to relying on generous exemptions from the data protection rules. I got the sense at the meeting that this position will NOT substantially change.
Also lurking in the background is the “Protocol on the Position of the United Kingdom and Ireland in Respect of the Area of Freedom, Security and Justice”. Article 6a of this Protocol to the Lisbon Treaty states that:
The United Kingdom and Ireland shall not be bound by the rules laid down on the basis of Article 16 of the Treaty on the Functioning of the European Union which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title IV of Part Three of that Treaty where the United Kingdom and Ireland are not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16.
Let’s cut the legalese. The above means the UK can opt out in areas of judicial co-operation and serious crime especially where data protection rules impacts in these areas. This is another legacy of New Labour, over-anxious that Europe would not be able to interfere with Surveillance Britain.
It is interesting to note that no one has challenged the Coalition Government as to whether it agrees with this opt-out – I suspect it does agree.
In addition, those who support a Regulation want a Regulation to be a harmonising measure so that all Europe’s data protection laws provide the equivalent standard of data protection. They also support a Regulation as Member States will be obliged to translate its provisions into national data protection laws.
However, if Member States can go their own way – as the UK can in these sensitive areas – then the rationale for supporting a Regulation is lost. To put it bluntly, I can see many Member States saying: “Well if the UK can do it, so can we,” (or “Yes we can,” for American readers).
Accountability and pragmatism
The ICO, like all European Commissioners, supports the idea of a prominent Accountability Principle. For instance, the DIC indicated that the ICO favours details about data protection compliance appearing in Annual Reports and in published Privacy Impact Assessments. However the D. I. C. did not support a statutory appointment of a data protection officer as that might not be appropriate for all Small to Medium Enterprises. What the ICO wants senior management of all endeavours to formally identify someone as being responsible for data protection compliance. So expect this to form part of the UK’s implementation of any new Accountability Principle.
Similarly, the Commissioner is lukewarm with respect to a statutory data breach notification requirement because he considers the requirement to notify data subjects of a breach depends on the circumstances of the breach. He is content with the current UK situation where personal data loss is first notified to the Commissioner.
All this leads to the concept of “pragmatism in data protection”. At the meeting, the DIC stressed that ICO’s policy is to adopt a pragmatic approach to resolving data protection problems because such a pragmatic approach offered more influence with the data controller community. In other words, data protection principles were not fundamental principles to be held inviolate on every processing occasion.
Although the DIC accepted that this pragmatic view was seen by others (presumably other European Privacy Commissioners) as “a sign of weakness”, the approach found acceptance with the Government’s spokeswoman. Dogmatism in data protection was something for those Europeans to have in their law (but not ours!).
The lasting impression is that these statements comprise a public admission that the future development of data protection policy in Europe is split at the highest level. If this is true, any Regulation or Directive is impossible to draft as there appears to be a rift between privacy fundamentalism on the one hand and data protection pragmatism on the other. The only outcome can be an agreement to disagree – especially in the areas of law enforcement.
One can therefore predict that harmonisation of European data protection law may well be a pipe-dream.
A question of harm?
The DIC outlined that the ICO is wanting a “harm” or “risk-based approach” (the harm approach is key to understanding the APEC Framework agreement) towards the protection of privacy. This is a seductive idea because in many instances the data controller can identify potential harm (eg, when processing personal data of a confidential nature). That is one reason why there is the promotion of Privacy Impact Assessments, designed to allow a data controller to quantify such harm, prior to any processing of personal data.
However, a word of warning: old-timers like myself are steeped in data protection history. They will remember that a "harm debate" took place in the UK some 35 years ago, well before the UK had any data protection law, and that the notion underpinning a data protection regime based on "harm" was firmly rejected by the Lindop Committee in its Report on data protection in 1978 (Command 7341, paragraphs 18.24-18.27).
Lindop concluded that there was no objective standard whereby a data controller could be able assess harm prior to the processing of personal data because there was no way an organisation could judge whether its personal data or its processing would be sensitive or non-sensitive. This was because sensitivity was a subjective assessment that could only be accurately judged by each data subject concerned; and of course, such assessments can change over time and in context.
For example, in the UK of the 1950s, most gays were fearful of others knowing of their sexuality, unlike today – but this is not the case in parts of Africa. Those who have eagerly contributed to the font of universal knowledge (eg, by YouTube or Facebook offerings about themselves) can easily regret that contribution when the context is changed to looking for employment. The sensitivity associated with a name and address of a Jewish friend changes dramatically if the book is lost and falls into the hands of the Gestapo.
In other words, an assessment made now can change in an instant (I have friends who took a wonderful holiday in Egypt only a six weeks ago) – and if that is the case, what is the value of such assessments and an approach based on harm?
That is why Lindop concluded that the only real issue was whether the data identified or related to a particular living individual and if so, then all the data protection principles should be applied. However, having established the principles did apply, Lindop concluded that the impact of the principles would be modified by a number of factors – for instance, whether there was foreseeable harm to the data subject, the sensitivity of the personal data, or whether the personal data were in the public domain.
Lindop, I believe, was in the fundamentalist camp – the Principles apply – and any pragmatism comes with enforcement and any analysis of what went wrong.
Modification to the Principles
The ICO will push data minimisation and Privacy by Design mechanisms as one of the key changes to any new law. Although this is not a new pronouncement by the ICO, I would argue that many of these requirements already form part of the current Data Protection Principles. For instance, data minimisation can be achieved by application of the Third Data Protection Principle – for example, why do you need to register your details on a website to access its free content? Isn’t that an example of excessive collection of personal data?
Of course, website owners can make such collection of personal data relevant. For instance, a data controller might want to keep records of who visits sites so that they can modify content to meet the aspirations of those who visit the site, or even deliver some marketing to those registered (heaven forbid). However such purposes (and marketing choices) should be declared to those who register via a fair processing notice.
I also think that many aspects Privacy by Design link to the Seventh and Sixth Principles (eg, obligations to have regard to the “state of the art” in relation to the security of the processing of personal data or in relation to respect the rights of data subject, so that they have choices over who can access their personal data and when. Free subject access can easily be designed into any new project that involves the processing of personal data).
The ICO would like to see collective redress available. Many of you know that the current PECR Regulations allows for aggrieved recipients of marketing messages to claim compensation for damage caused by the processing of such messages sent in breach of the Regulations. So how much is one individual damaged, for example, by a single spam message – somewhere between 0.01p and 0.1p would be a healthy overestimate? The result is that nothing happens on the PECR "compensation for damages" front; however, if there is collective damage, then the costs and risks to the spammer is much increased.
However, I should add that the Commissioner already has powers to protect the collective. For instance, a Monetary Penalty Notice could be applied to spammers using personal data (eg, an email address is personal data) where there has been blatant disregard for the email marketing rules.
With respect to notification (a hated activity), the DIC pointed out that the ICO is funded by notification fees. Reduce notification and the Government would have to pick up the tab. My solution to this is to allow the ICO to be funded by parliament; it is far too easy for an executive to strangle data protection progress by withholding state grant-in-aid to the regulator.
Finally, the Commissioner is fond of soft law – so expect more Codes of Practice in the UK.
What do I think? There will be little progress and the UK’s Data Protection Act will be largely unchanged in the current decade. There might be tweaks at the edges – but no fundamental change.
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.