Now that last week’s General Election is done and dusted, what can we expect with respect to data protection from the new majority Conservative Government? In summary, there is much in the first year program that could impact on privacy.
In addition, given the SNP landslide in Scotland, there is the interesting question of whether or not Scotland will emerge with more privacy protection than the rest of the UK.
The European “in-out” referendum
After a negotiation, the Government intends to deliver an “in-out” referendum on UK membership of the European Union (EU) by 2017. The referendum result will therefore emerge after the text of the Data Protection Regulation has been finalised (my estimate; early 2016) but just before the date for implementation (my estimate; early 2018).
Although the Prime Minister claims to want a successful negotiation and a subsequent “stay in” vote, this outcome is not at all certain; at first sight, being out of the EU means “no more Regulation”.
However, after considering all possible outcomes of the negotiations and “in-out” votes, all of them point to the UK implementing the Regulation! The reason why is as follows:
(a) The UK votes to stay in the EU; this means UK data controllers have to comply with the Data Protection Regulation (obviously).
(b) The UK votes to stay in the EU but the negotiations change the UK’s position more to a “trading only” status like an EEA state. As such states have to implement EU Directives and Regulations once their content has been decided by EU Member States, a “trading only” status implies the UK would have to implement the Regulation.
(c) The UK votes to stay in the EU but the Data Protection Regulation has formed part of the negotiations and non-implementation of the Regulation has become one of the “victorious” outcomes that the Prime Minister has negotiated for the UK. This prospect is not as remote as it seems as the Data Protection Regulation was at the top of the Prime Minister’s hit list of “red-tape” at the EU Heads of State meeting in October 2013.
So if the UK negotiated a “not to implement the Regulation” position, I would assume that European Member States would retain the right to consider whether or not the UK offered an adequate level of protection. In other words, any negotiated “opt-out” of the Regulation could constitute a risk to the transfer of personal data from the continent; the main way to avoid the risk is to implement something like the Regulation.
(d) The UK votes to leave the EU. Although this would mean that the UK would not have to implement the Data Protection Regulation, it would also mean that the UK would become a territory outside the EEA which has to offer an adequate level of protection. The only way to avoid the risk to the transfers of personal data from the EU (e.g. to the City of London) is to implement something like the Regulation.
So my conclusion is that the only safe option is for the UK to implement the Regulation – irrespective of the negotiations or referendum decision. This is especially the case if the Council of Ministers' modifications to the Regulation, which largely consist of amendments that allow Member States to go their own way (e.g. on exemptions, use of health data), gain the ascendancy.
Repeal of the Human Rights Act
According to the Manifesto, a Conservative Government intends to “scrap the Human Rights Act, and introduce a British Bill of Rights. This will break the formal link between British courts and the European Court of Human Rights (ECHR), and make our own Supreme Court the ultimate arbiter of human rights matters in the UK”.
I will give a real example that demonstrates how the protection for individuals is reduced by this commitment; it arises with the retention of DNA personal data of those individuals who have been arrested and have been subsequently acquitted or not proceeded against.
In Marper, when this issue was before the House of Lords, a panel of five Law Lords decided by 5-0 that Marper’s Article 8 right (respect for private and family life etc) had not been infringed by the retention of his DNA even though he was arrested (but the case was discontinued). The Court was inclined to the view that the mere retention of fingerprints and DNA samples did not constitute an interference with the right to respect for private life but if that view was wrong, any interference would have been very modest.
When the issue came before the ECHR (UK v Marper) it was considered by a Grand Chamber of seventeen judges, which decided 17-0 that the UK Government had infringed Marper’s Article 8 right. This 17-0 result produced the legislative changes with respect to DNA retention in the Protection of Freedoms Act 2012.
Note that if the Government’s proposed policy was in place at the time of Marper’s action, the House of Lords judgment would allow for the retention of DNA data of the innocent; Marper’s approach to the ECHR and subsequent victory would not be enforceable (see references re Marper).
5-0 win (home fixture); 0-17 loss (away fixture)!
The reason for Marper’s complete reversal of fortune needs explaining. In summary, the UK Courts in Marper did not consider that the collection/retention of personal data constituted a significant Article 8 intrusion. Instead, it accepted the idea that the question of intrusion only became a consideration when there was a subsequent use of personal data after they had been collected/retained.
So suppose the police collect/retain your DNA and related personal data; all that has happened is that some personal data have been collected and stored somewhere. This collection/retention, according to the UK Court in Marper, constitutes no (or very minimal) Article 8 infringement.
Once there is a use, the UK Court’s view in Marper was that the Article 8 right became engaged. So suppose there is a subsequent use of your DNA for a crime related purpose (e.g. following the discovery of your DNA at a crime scene) then this use can be seen as falling within the exceptions in Article 8(2) and has a legitimate ground for interference with your Article 8 right (e.g. as part of a criminal investigation).
However, if your DNA is not at the crime scene, then your personal data would not be used; all that happens is that the marginal Article 8 infringement with respect to retention continues. That is how the 5-0 decision arose; the UK Courts in Marper effectively separated the collection/retention of personal data from their subsequent use.
By contrast the ECHR has always concluded that the collection/retention of personal data is intrinsically linked to a purpose and that purpose constitutes an interference with the Article 8 right unless justified in terms of the exceptions in Article 8(2). The ECHR view is that the collection of the personal data cannot be separated from the use/purpose associated with their collection. This is how the 17-0 decision arose.
Note that the Data Protection Act follows the ECHR view; the fair processing notice states that the purpose of collection has to be identified (e.g. prior to collection); the schedule 2 ground ensures that each processing operation constitutes a “necessary” interference (e.g. necessary for some public authority function where “necessary” has the same meaning as in Article 8(2)).
Data retention
The Home Secretary has signalled that the mass retention of communications data (the so-called “Snooper’s Charter”) will be implemented as soon as possible; it is important to understand how the UK courts are likely to deal with such retention.
So suppose there is retention of all your communications data for a year, then following the logic of Marper in the UK Courts, this collection/retention is a marginal interference with your Article 8 right. You will be informed about the purpose of collection (e.g. national security) and the legislation provides the Schedule 2 grounds. The legislation will identify what is collected and the retention period; rights of access will still apply.
Thus so long as each data controller retaining the personal data sticks to the statutory specification like a limpet, there are very few data protection challenges open to a data subject.
Now suppose there is a profiling project to “find a suspect terrorist” and suppose further mass data retention is contested after the proposed Bill of Rights is in force. Your communications data are either used (or not used) in relation to the profiling. If your communications data are not used in the profiling, then the marginal interference with your Article 8 right merely continues through retention. If your communications data are used, then their use is justified in terms of Article 8(2) as it is necessary to find out more about your suspected activities in detail.
In other words, the commitment to scrap the Human Rights Act and the mass retention of communications data are intrinsically linked. The intention is for UK citizens to be unable to access the European Court of Human Rights (ECHR) to have the ultimate test of the Article 8 position in circumstances where the Data Protection Act will offer minimal protection.
Given the extent of the Snowden revelations, it opens the door to the argument that the UK is implementing mass data retention law AND a Bill of Rights legislation merely to deny its citizens an effective judicial remedy at the ECHR in circumstances where recent history shows the UK Courts have drawn the wrong conclusions with respect to Article 8 and data retention.
Leveson
There will be no further implementation of Leveson (which a cynic will assume is to return the favour for favourable press coverage before the Election of which there is much to admire in The Sun, Daily Mail and Daily Express – see references).
Scottish Nationalist Party (SNP)
The SNP Manifesto says it:
Opposes withdrawal from the European Union: “we will oppose a referendum on membership of the EU and we will seek to amend the legislation to ensure that no constituent part of the UK can be taken out of the EU against its will”.
Supports the Human Rights Act: "Given the central place of human rights in Scotland’s constitutional settlement, and their importance at the heart of our politics, we will oppose scrapping the Human Rights Act or withdrawal from the European Convention on Human Rights".
Protects personal data: "We do not support Tory plans for the reintroduction of the so-called ‘snoopers’ charter’, which would see all online activity of every person in the UK stored for a year. Instead, we need a proportionate response to extremism. That is why we will support targeted, and properly overseen, measures to identify suspected extremists and, if necessary, examine their online activity and communications".
Leveson: "The Scottish Parliament chose, on a cross party basis, to support the (previous) UK Government’s actions to implement Leveson. We will consider carefully the results of the first year review and work with other parties, in Scotland and at Westminster, to ensure effective regulation of the media on a non-political basis".
If the SNP are successful in protecting/incorporating any of the above Manifesto objectives (e.g. on data retention), it could mean that the Scottish electorate would have more privacy protection than the English electorate.
If, on the other hand, the Government uses its majority, it means that it is imposing alien policies on Scotland without any Scottish mandate; if this is continued throughout the next five years, it could start a journey that leads to the breakup of the UK.
In other words, the forthcoming debates about human rights and data retention are a bellwether for the future of the UK. Interesting times ahead!
References
DNA references: Case of S. and Marper v. The United Kingdom (Applications nos. 30562/04 and 30566/04; judgement delivered 4 December 2008): see http://amberhawk.typepad.com/amberhawk/2009/11/uk-courts-view-any-data-retention-as-human-rights-compliant.html and http://amberhawk.typepad.com/amberhawk/2010/01/uk-terror-case-judgment-illustrates-a-failed-system-that-cannot-protect-privacy.html
“Red tape” data protection regulation: http://amberhawk.typepad.com/amberhawk/2013/11/data-protection-regulation-is-it-on-or-off.html
Member States have flexibility to implement the Regulation in their own way: http://amberhawk.typepad.com/amberhawk/2014/12/italian-data-protection-regulation-text-exposes-member-states-disharmony-risk-of-weaker-protection-for-data-subjects-increas.html
Now Tories can push through 'snoopers' charter', says May: http://www.telegraph.co.uk/news/shopping-and-consumer-news/11591937/Now-Tories-can-push-through-snoopers-charter-says-May.html
Leveson: “General Election front pages show the British Press at 'Partisan Worst,' BBC's Andrew Neil says”: http://www.huffingtonpost.co.uk/2015/05/06/general-election-front-pages_n_7219736.html
The other dangerous aspect of the UK ruling in S and Marper is that collection and retention of sensitive personal information increases risk to the individual, through abuse, poor governance, inadvertent exposure and so on. It's regrettable that the judgement encourages a belief that mere collection and retention are neutral in terms of ethics and risk. They are far from it.
Posted by: Robin Wilton | 15/05/2015 at 08:03 PM