The European Commission has released details as to why it sees the UK Data Protection Act as an improper implementation of Directive 95/46/EC, so much so, that it is considering infraction proceedings. Correspondence between the Commission and the UK Government has been exchanged, and despite the possibility of litigation, very little has been published or explained to MPs or MEPs.
Hence the “liberation” of information from the Commission about these infraction proceedings is very timely. It is also the result of an FOI request that commenced in April 2007 and which culminated in the involvement of the European Ombudsman from 2009. These details were released to me last week (February 2011) and are published for the first time below (see references).
Prior to April 2007, and in response to another FOI request to the Commission that commenced in 2006, the Commission had released details that Articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28 – just under a third of the 34 articles in the Directive 95/46/EC had not been implemented properly (see Out-law reference). However, no reason was given for the underlying problem the Commission had with each Article; hence the reason why I submitted a second FOI request in April 2007.
I my blog of 19/11/2009, I stated that Data Protection Act also failed to implement a further five Articles (Articles 6, 7, 14, 18 and 19 making 16 “deficient” Articles out of 34). This was because a Court of Appeal judgement linked the word “purpose” (as used in notification/registration to the Information Commissioner) to the word “purpose” as used in the Data Protection Principles. As the notification purposes are very broadly defined, the Court’s linkage between Principle and notification means that the purpose in the context of a Principle is now also broadly defined.
This in turn means that a data controller will find it easier to claim that, for example, the processing of personal data is relevant to a purpose, if relevance is assessed against the wide purpose is that notified to the Commissioner. In general, the broader the definition of “purpose”, the more diminished is the protection afforded by a Principle to data subjects. It also means that the Second Data Protection Principle (which limits further uses of personal data for incompatible purposes), and which encouraged the Appeal Court to make the linkage, is likely to be deficient in terms of UK implementation of the intent of the Directive
These additional Articles (i.e. Articles 6, 7, 14, 18 and 19) are not reflected in the information the Commission has reluctantly released. This is because the released information is limited to my request made in 2007. However, if there are actual infraction proceedings taken against the UK, the consequences of the Court of Appeal judgment should form as part of these proceedings.
What can we deduce about the infraction proceedings in 2011?
The starting assumption is that the actual infraction proceedings (if they commence) will be a subset of the issues identified by the Commission in the released information. Hence I make comments in relation to each of Articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28, and specify what I think their status is. If you think I am wrong, please add a comment to this blog.
In relation to Article 2, the Commission has a problem with the UK definition of “Relevant Filing Systems” and how the UK Act applies to manual files. I think this is a non-starter in relation to infraction proceedings because Member States can go their own way in relation to manual files. This is made clear in Recital 27 which states that Member States can establish “different criteria for determining the constituents of a structured set of personal data, and the different criteria governing access to such a set”. That is what the UK did with its DPA; minimal involvement of manual personal data files in the data protection regime.
There is a major problem with manual files but it has nothing to do with infraction. I think, for example, that manual employee records should be classified as a new category of “Accessible Record” and fully included in the Act. This is an easy amendment for the UK Government to make now; it does not need to wait for a change in the Directive (see blog of 03/11/2010).
Article 3 relates to the scope of the Directive and the Commission’s complaint that the UK’s domestic purpose exemption includes the processing of personal data for a “recreational purposes”. The Commission are arguing that such “recreational purposes” should not have an exemption from all Principles and all data subject rights.
Since the Lindqvist case (see blog of 25/1/2011), the UK’s “domestic purpose” exemption has been deficient because it includes an exemption from the Eighth Principle in all possible circumstances (in contradiction to Lindqvist). That is why the domestic purpose exemption, in my view, could also form part of the UK infraction proceedings.
The Commission considers that the UK law does not set the proper standards in relation to the processing of sensitive personal data concerning to criminal offences. I can agree with this assessment, and my blog of 14/02/2011 shows that the UK are not following the Article 8 provisions in relation to other forms of sensitive personal data in other areas (e.g. medical records; see references).
The Commission state that the fair processing provisions in Articles 10 and 11 are deficiently implemented if a data controller is legally obliged to make personal data available to the public. This is a swipe at the exemption in Section 34 of the UK Act relating to personal data made available to the public by or under enactment.
The S.34 exemption includes exemption from the subject information provisions and exemption from the non-disclosure exemptions; these exemptions arise because if the personal data are in the public domain, anybody can have access to them and if anybody can have access to them, then they could be used for any purpose.
That is why, in my view, the Commission is wrong here. It is impractical, for example, to expect an Electoral Registrar to issue a precise fair processing notice (unless it says “these personal data can be used by anybody for any purpose” which is hardly informative as to the precise purposes of disclosure or use).
Having said that, I think there are valid data protection issues with respect to publically available registers, especially where electronic forms of public registers containing personal data can be released to any requestor. There are strong arguments that such registers should not be released without the prior obtaining of a data protection guarantee from the person who wants a complete copy of the register; this would include those circumstances when disclosure is a legal requirement (e.g. disclosure of Electoral Rolls to Credit Reference Agencies).
The Commission do not like the provisions in the Act that allow for judicial discretion where a judge may (or may not) decide to do something. For example, Section 14(4) of the Act states that “the court may order the rectification, blocking, erasure or destruction of any of those data”; this of course means that a court may not make such an order. By contrast, Article 12 requires the Member State to “guarantee” data subject rights of rectification, blocking and destruction and the existence of “judicial discretion” is not a guarantee.
The best way to see this is in Durant. Here the UK Court of Appeal stated that section 7(9) (which relates to the question of whether or not the Courts should order a data controller to satisfy a subject access request) that the judicial “discretion conferred by that provision is general and untrammelled”. In other words, the UK DPA llows judges to make up subject access exemptions as they go along (in contrast Article 12 which requires “a guarantee” of data subject access, subject to an exemption specified in Article 13).
I think that the “judicial discretion” issue in relation to rights would be a major factor in any infraction proceedings.
The Commission do not like the exemption from Subject Access for confidential references given by the data controller (in Schedule 7, paragraph 1). It is not covered by the criteria in Article 13. It is in my view a “slam dunk” breach of the Directive requirements, and its days are clearly numbered.
The origins of this exemption lie in the fact that the Data Protection Act was a Home Office Bill. Back in 1997, it was common practice for the Home Office to do the bare minimum to ensure compliance with Human Rights judgments. So when it came to the implementation of the Gaskin judgement (European Court of Human Rights; 1989), which concerned access to confidential information received from a third party, the Home Office noted that the European Court made no direction in relation to an access request sent by that third party.
The Home Secretary of the day decided on the minimal implementation of Gaskin. Hence we have the recipient of the reference dealing with Sections 7(4)-7(6) of the Act, and the sender of the reference dealing with the exemption in Schedule 7 paragraph 1. After 15 years, the Home Office’s formulation of minimal protection for individuals is unravelling.
The Commission claim that the data subject should be able to claim compensation for distress alone. By contrast the UK only compensates for distress when damage also arises except where the Special Purpose (e.g. journalism) is involved. That is behind the Commission’s complaints about Articles 22 and 23.
I should add that where the UK Courts do compensate for distress alone, they usually award small amounts of money:– so there is no prospect of a “data subject gravy train” on the horizon. I suspect that the Commission are keen on this aspect, although in practice the sums involved will be small.
The Commission don’t like the fact that UK data controllers can assess adequacy of the protection in a Third Country without some kind of supervision (Article 25). This could be linked to the fact that the Information Commission (in 2007) was a weak regulator as the Commission has also raised questions of his “investigative powers”.
In practice, I cannot see the Commission pressing these points in any infraction proceedings. Firstly because the whole issue of international transfers in subject to a comprehensive review – so if there is a problem, that problem would form part of that review. Secondly, the Commissioner’s powers have increased (e.g. audit of Government Departments, Monetary Penalty Notices), and that such powers are likely to be extended. Also, the custodial sentence for criminal offences on the same scale as the Computer Misuse Act is on the statute book, even thought it has not yet been commenced.
So what are we left with?
My list of data protection failings that still worry the Commission are: judicial discretion re rights; Article 8 implementation of Sensitive Personal Data; the exemptions (confidential references, domestic purposes and information made public by law); and compensation for distress alone. All the rest are marginal at best.
Concluding comment
However, when reading this list, remember these were the deficiencies that were identified by the Commission in 2004 following Durant. Quite frankly, it is unacceptable for the detail of this list of problems to have been kept secret for seven years. In respect of individual privacy, the Commission and the then New Labour Government have given 60,000,000 UK data subjects a collective V-sign.
The attachment to this blog does not comprise state secrets. In "liberating" these details, the Commission has required me to exhibit an obsessive behaviour on the autistic spectrum; they have delayed wherever possible, required me to endlessly chase them up, and provided bogus arguments in order to stop the release of these details.
Why is this? Why the great secrecy? Well I will let you know with my next blog on Thursday.
References
Click here to view the details released by the Commission Download DP_Infraction_reasons.
Employee manual records blog: http://amberhawk.typepad.com/amberhawk/2010/11/index.html
Sensitive Personal data issue blog: http://amberhawk.typepad.com/amberhawk/2011/02/ignored-notification-requirements-cast-doubt-about-sensitive-personal-data-.html
Other Articles infringed blog: http://amberhawk.typepad.com/amberhawk/2009/11/data-protection-act-fails-to-implement-50-of-the-directive.html
Out-law details of the scope of the infraction: “Europe claims UK botched one third of Data Protection Directive” http://www.out-law.com/page-8472,
Adverts re Data Protection courses
Our Spring UPDATE session is on 11th April in London: follow the link for details of speakers and content on our web-site (at £195+VAT for the day it is a real double dip recession busting snip).
We are also running a Privacy Impact Assessment Course, a RIPA course and a Data Protection Audit on consecutive dates (In London, on 21st to 23rd March). We are starting a 5-day intensive data protection course in London (10th May), and a 7-day course starting in Manchester in (12th may). These courses cover the DP ISEB syllabus and prepare delegates for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Details from the Amberhawk website (www.amberhawk.com)
It seems to me the problem we have in the UK isn't so much the failure of the data protection legislation, as a failure of the regulator to employ any of the enforcement powers they already have... particulary against large organisations like BT and Google.
The recent ACS:Law case is a striking example of how weak the enforcement of UK Data Protection is.
Data alleging that hundreds of BT/Plusnet subscribers had illegally shared pornographic videos was leaked to the world at large, after BT ignored a court order instructing them to encrypt the information and convey it on physical media to ACS:Law. It is hard to imagine a more shocking example of a failure to protect acutely sensitive personal information from inappropriate disclosure.
Yet - despite having the expertise, the technology,and the resources required to comply with the court order - BT face no sanction from the ICO of any kind. None at all.
The ICO refused to investigate, because they consider BT's failure to be an internal disciplinary matter.
BT have form. The ICO also refused to investigate or take enforcement action against BT after 200,000 UK internet subscribers were subjected to covert profiling using technology supplied by Phorm.
As a result the UK Government are also subject to a separate infraction process relating to the privacy/security/integrity of telecommunications data...
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1215&format=HTML&aged=0&language=EN&guiLanguage=en
Changing the wording or technical details of UK legislation isn't going to solve the problem with data protection in the UK until the ICO are reformed, preferably with new personnel.
Posted by: Pete | 22/02/2011 at 09:09 PM