Prime Minister, David Cameron, has expressed "serious concerns and misgivings" over bringing in laws to underpin any new body to regulate the press. Mr Cameron told MPs that legislation backing a regulatory body underpinned by statute would "cross the Rubicon" by writing elements of press regulation into the law for the "first time". Because of this, Mr Cameron, is “not convinced at this stage that statute is necessary to achieve Lord Justice Leveson’s objectives”.
In my view the Rubicon has been already crossed and the press are already subject to a statutory framework and a statutory regulator. There is no "first time". Mr Cameron has, like President George Bush, “mis-spoke” and the stated reason for not implementing Leveson’s requirement (i.e. that any new Press Regulator should also be underpinned by statute), simply does not wash.
Firstly, the statutory framework. In the Data Protection Act (DPA) there are the Special Purposes (e.g. journalism) and a Special Purpose enforcement mechanism (enforced by a statutory regulator - the ICO) underpinned by a statutory appeals mechanism (the Tribunal). Although the press don’t take much notice of the DPA because (wrongly) they think they are wholly exempt (via Section 32), there is a regulatory structure that applies to the personal data they process.
For instance, the Seventh Principle is not exempt from Section 32 and fully applies to all processing by the press. So, if the press lost personal data relating to “an exclusive exposure of a celebrity’s peccadillos” (say, for example, after a heavy liquid lunch on expenses that are not subject to FOI requests), that security breach would be a reportable data loss under the current data protection arrangements. Such a loss might even attract a Monetary Penalty Notice (a statutory penalty) as Sensitive Personal Data would have been lost.
In addition, the Section 32 exemption applies to those personal data processed “with a view to publication”. So those personal data not subject to a “view to publication” are fully subject to the Act (i.e. the S.32 exemption does not apply). For example, when the press unlawfully obtained ex-directory numbers, they had no intention to publish these numbers, so these personal data were not held "with a view to publication" (and the First Principle would apply fully).
Even with the Section 32 exemption the rest of the exemption was only meant to apply up to the point of publication (see Naomi Campbell; references). There are numerous Court Cases involving judges applying the data protection principles to press activities. The point being made is that processing by the press is already subject to a statutory framework which is legally tested.
Indeed, in the post Leveson era, one can expect that much more processing by the press (i.e. those things that are not going to be published) are identified as fully subject to the statutory-based DPA (and perhaps, we might have a delegate from the press on our courses!).
Even the existing Press Commission’s Code of Practice has already a statutory status under the DPA in exactly the same form as the “Ofcom Broadcasting Code” (originally published by the Broadcasting Standards Commission under section 107 of the Broadcasting Act 1996). Both these Codes, one voluntary the other statutory regulated, are equated by the “Data Protection (Designated Codes of Practice) (No. 2) Order 2000”
The explanatory memorandum for this Order states that both Codes have been designated “for the purposes of section 32(3) of the Data Protection Act 1998” and that “Compliance with any of the designated codes may be taken into account when considering for the purposes of section 32(1)(b) of the Act whether the belief of a data controller that the publication of any journalistic, literary or artistic material would be in the public interest was reasonable”.
In other words, the personal data processed by the press are subject to a detailed statutory regime (see references for suggested changes) and the current Press Commission’s Code of Practice has a statutory underpinning in relation to that processing "in the public interest".
So whatever the reason for not having a statutory provision that requires the independent regulator to be created, it is not "first time?".
That is why my urgent telegram message to Mr Cameron is quite simple: “Rubicon crossed. Not "first time". Valid excuse needed".
Could the Information Commissioner have stopped the use of ex-directory numbers by the press? http://amberhawk.typepad.com/amberhawk/2012/02/could-the-information-commissioner-have-stopped-the-use-of-ex-directory-numbers-by-the-press.html
For details of Leveson’s recommendations re data protection: see Panopticon Blog post http://www.panopticonblog.com/2012/11/29/leveson-inquiry-report-spotlight-on-proposed-data-protection-reforms/
Naomi Campbell v MGN Ltd.  EWCA Civ 1373 (14 October 2002) (from paragraph 108); changed the status of the S.32 exemption from that debated in Parliament.
We are running a course leading to BCS’s Foundation Certificate in Information Security Management in January in London; ideal for data protection people wanting to understand best practice in information security management. See side panel for links to all details as well as our DP/FOI courses.