Tilting at Windmills - Has the New Data Protection Law failed to make
a Significant Contribution to
Rights of Privacy
Dr David Bainbridgeand Mr Graham Pearce
Aston Business School
Aston University, Birmingham, UK
D.I.Bainbridge@aston.ac.uk
Abstract
This article examines the provisions of the new data protection law which are aimed at securing and consolidating the rights of individuals with respect to the processing of personal data relating them. The effectiveness of the new and enhanced rights of data subjects is considered, with an emphasis on the impact on individuals' rights of privacy. Although one of the main thrusts of the Directive underpinning the new law was to bring transparency to processing operations involving personal data, the Data Protection Act 1998 is disappointing in this respect and compromises the spirit of the Directive in this respect. Furthermore, some of the rights of data subjects can only be fully effective if individuals are proactive and take the necessary steps to take advantage of them. The interaction between data protection law and the Human Rights Act 1998, including the possibility of conflicts between these two bodies of law is also considered.
Keywords:data protection - privacy - individuals' rights and freedoms - Data Protection Act 1998 - Human Rights Act 1998 - processing personal data - transparency.
This is a Refereed Article published on 30 June 2000.
Citation: Bainbridge D et al, 'Tilting the Windmills - Has the New Data Protection Law failed to make a Significant Contribution to Rights of Privacy', 2000 (2)The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/00-2/bainbridge.html>/. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_2/bainbridge/>
1. Introduction
That there has been no general law of privacy in England has drawn adverse comment on many occasions.[ 1] Legal protection of an individual's privacy can be described as capricious and sporadic. Where it exists at all, it comes from a diverse variety of sources, such as the law of breach of confidence, the torts of defamation and malicious falsehood and, to some extent, indirectly through copyright.[ 2] Of course, the perennial difficulty for legislators is balancing the rights of individuals with freedom of expression: an almost impossible task. So much so that Parliament has seldom been prepared to legislate specifically to ensure rights to privacy, leaving it to the courts to develop common law and equitable principles. The courts, whilst not altogether shirking this responsibility, have proceeded with extreme, and some would say undue, caution.[ 3] Until very recently, the United Kingdom chose not to ratify the European Convention for the Protection of Human Rights and Fundamental Freedoms,[ 4] Article 8 of which provided for the right to respect for an individual's private and family life, home and correspondence. Now we have the Human Rights Act 1998 which, inter alia, gives full effect the rights and freedoms guaranteed by the Convention. This important Act is due to come into force on 2 October 2000, some seven months after the main provisions of the Data Protection Act 1998 came into force.
The advent of computer technology was perceived as a massive threat to privacy and individual freedoms and the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data was an attempt to impose a regime on the processing of computer data relating to individuals such that the risks to privacy and freedom would not be unduly compromised.[ 5] The Data Protection Act 1984 was the United Kingdom's response to the Convention and can best be described as taking a minimalist approach. Providing data users[ 6] completed the necessary registration forms reasonably competently and their disclosed processing activities appeared to comply with the data protection principles,[ 7] their registrations would be accepted and they could then process personal data in accordance with their registration with relative impunity.[ 8] In many cases, compliance with the 1984 Act has been seen as little more than a regulatory chore and the Act has done little to consolidate and reinforce individuals' right and freedoms in respect of personal data relating to them. Although individuals were given rights of access to their personal data and rights to compensation in certain circumstances, most persons who felt aggrieved complained to the Data Protection Registrar who could then exercise her powers of investigation and enforcement.[ 9]
Directive 95/46/EC of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data[ 10] (the 'Data Protection Directive') provided a further opportunity to review and strengthen data protection law. The Data Protection Directive certainly goes much further than the Data Protection Act 1984 and has a substantial emphasis on privacy. Article 1(1) of the Data Protection Directive requires Member States to '... protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data'.[ 11] In today's world, the greater use of information technology coupled with the growing reliance on data and new and sophisticated uses of it make it imperative to have an effective yet workable data protection law. Specific dangers are posed to individuals through the processing of genetic data, lifestyle data, impaired life databases, through the activities of private investigators and the growing use of surveillance. Techniques such as data matching and data warehousing are becoming widespread and have significant potential to adversely affect individuals' rights and freedoms, for example, as a result of inaccurate or incomplete data. Furthermore, much more data of a sensitive nature is being processed by automatic means than was the case even a short time ago. Nor do all the dangers stem from computer processing as structured manual files, where information about a particular individual can be accessed readily, also present threats to privacy.
The Data Protection Directive, in addition to extending data protection law to structured manual files, has two primary thrusts which consolidate and enhance individuals' rights and freedoms. These are the principles of transparency and control. By ensuring that individuals have rights to be informed of processing activity, in respect of disclosures to third parties of personal data relating to them and by requiring more information to be supplied in response to subject access requests, the objective of transparency is achieved. By giving individuals rights to object to processing, to prevent processing and, in some cases, requiring their consent, they are given significantly more control over the processing of personal data relating to them. How successful the Data Protection Act 1998 will be in achieving these objectives and thereby advancing the right to privacy is examined below.
2. Transparency
The general tenor of the Data Protection Directive is that processing activity should be as transparent as possible. For example, obligations are imposed on data controllers to provide data subjects with information on collection of the data from the individual or, in other cases, such as when the data are disclosed to a third party. This is reinforced by the recitals to the Directive and recital 38 states that '... the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection'. Where the data have not been collected directly from the data subject,[ 12] the individual concerned should be informed when the data are recorded or at the latest when they are disclosed to a third party (Recital 39). Transparency is also effected by giving individuals a right of access to personal data relating to them. As under the 1984 Act, individuals have a right to be informed as to whether the data controller is processing data concerning the particular individual and, if so, a right of access to that data. The Data Protection Directive goes further in requiring the provision of additional information such as the purposes of the processing.
To some extent transparency under the 1984 Act was achieved by virtue of the data protection register, a publicly available register of data users and computer bureaux. However, much of the information contained in the register was of a generalised nature and not particularly helpful as far as data subjects were concerned. Furthermore, many organisations had several register entries and other cumbersome rules existed such as the requirement for every partner in a partnership to register separately. Perhaps the worst feature was that, apart from data controllers such as the individual's employer, bank and central and local government bodies, general practitioners and the Health Service, it was impossible to discover the identity of all the other data controllers who held data relating to a particular individual. The individual would be alerted that an organisation held his personal data only when he received his first mailing of marketing material. The aim of the Directive clearly is to increase transparency.
2.1 Providing Information to Data Subjects
A fundamental right under the Directive is for an individual[ 13] to be informed of processing activity involving personal data relating to him. A data subject must be provided with certain information when data are collected from him or in other cases, for example, where the data, having originated from the data subject are transferred to or disclosed to another data controller or where the data have been generated by a data controller. The only exceptions in the Directive were '... in particular for processing for statistical purposes or for the purposes of historical or scientific research ...' where the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In such cases, Member States must provide appropriate safeguards (Article 11(2)). Unless within the specific exceptions in the Act,[ 14] this should enable data subjects to know the identity of data controllers processing personal data relating to them and the purposes for which they are processing those data. However, the exceptions in the Act, together with further exceptions from the requirement to notify contained within the Data Protection (Notification and Notification Fees) Regulations 2000,[ 15] goes well beyond the right to respect for private and family life in Article 8 of the European Convention on Human Rights. Surely it is reasonable to assume there should be some synergy between the Data Protection Act 1998 and the European Convention. If it is made more difficult or impossible for individuals to discover the identity of data controllers processing personal data relating to them, then this prejudices their ability to find out whether their right of privacy has been infringed.
The express requirement to provide information to data subjects has no direct equivalent under the 1984 Act except to the extent that processing must be carried out fairly and lawfully under the first data protection principle. As interpreted by case law such as Innovations (Mail Order) Ltd v Data Protection Registrar (29 September 1993, Data Protection Tribunal) and British Gas Trading Ltd v Data Protection Registrar, (24 March 1998, Data Protection Tribunal) this required that data subjects be informed of non-obvious uses of personal data relating to them at the time of collection and that data subjects should not be required to expressly object to non-obvious processing at some time later than when the data were collected from the data subject. For example, where the data controller intended to sell his customer database to another organisation for marketing purposes. Each data subject should be informed of this at the time he volunteered his personal data and given an opportunity to object there and then, for example, by ticking a box on an order form or application form.
The manner in which the Directive has been enacted in the United Kingdom is somewhat unsatisfactory. By paragraph 2(1), Part II, Schedule 1 of the 1998 Act,[ 16] where the data are obtained from the data subject, the data controller must ensure so far as is practicable that the data subject has or is provided with the 'relevant information' or has made it readily available to him. In any other case, the data controller must ensure so far as practicable that, before the 'relevant time' or as soon as practicable thereafter, the data subject has or is provided with the relevant information or has made it readily available to him. Under paragraph 3, this latter requirement does not apply where the provision would involve a disproportionate effort or where the recording or disclosure is necessary to comply with a legal obligation to which the data controller is subject (other than a contractual obligation) together with such further conditions as may be prescribed by regulations. This seems to go further than the Directive which restricts the 'disproportionate effort' exception primarily to statistics or research[ 17] and, although the Directive excuses the provision of information where the data subject already has it, (Articles 10 and 11) there is no further allowance for failing to provide the information or delaying its provision, apart from the limited disproportionate effort exception. By using a 'practicability' test, in both cases as regards the provision of information and, in the latter case, also in the timing of that provision, the Act fails to fully implement these aspects of the Directive.
The 'relevant time' is when the controller first processes the data[ 18] or, where disclosure to a third party within a reasonable period is envisaged, by paragraph 2(2)(b):
(i) if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed,
(ii) if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed, to such a person within that period, the time when the data controller does become, or ought to become, so aware, or
(iii) in any other case, the end of that period.
There are a number of problems with this provision. The Act does not say by whom the disclosure is envisaged, whether it is the data controller, the data subject or both. If it is the data controller only, this could result, under cases (ii) and (iii), in the data subject, who may have had no inkling that his data were intended to be disclosed to a third party, being informed that his data are not after all going to be disclosed to the third party. This is completely unnecessary. It makes more sense if the disclosure is envisaged by the data subject or both the data subject and the data controller, for example, if the data subject has filled out an order form and failed to tick the box preventing disclosure of his data to other organisations, for example, in the case of list trading for marketing purposes. This is a more reasonable interpretation though, as at the time of completing the form, the data subject is unlikely to know the specific identity of the third parties to whom his data are to be disclosed, there seems little point in telling him his data are not going to be disclosed after all. A further problem is knowing what a reasonable time is. It is submitted that this may vary according to the circumstances. For example, it might be different in a commercial context than in the case of data disclosed by a public body. However, in either case, it must also be a question of how long it is likely to be, in an average case, before the data are unreliable because of changes in the data subject's circumstances, unless such changes are incorporated in the collection of data in question.
The objective of transparency is seriously compromised by the amount of information that must be provided. It is the identity of the data controller (and representative, if any), the purpose or purposes of the processing and any further information, having regard to the circumstances in which the data are or are to be processed to enable such processing in respect of the data subject to be fair (para 2(3), Part II Schedule 1). In respect of 'further information' the White Paper which preceded the 1998 Act suggested that it would be, in the first instance, the controller who would decide whether any further information was required to be given.[ 19] The Act is silent on this point. It is unlikely that data controllers will volunteer any further information other than his identity for, if the data controller has notified his processing (as he must do for automated processing and may do for manual processing), the notification itself may satisfy the requirement to give information as to the purposes of processing. Under paragraph 5 of Part II of Schedule 1, the purpose or purposes for which personal data are obtained may in particular be specified in a notice informing the data subject as required by paragraph 2 or in a notification given to the Commissioner under Part III of the Act. This seems to defeat the spirit of the Directive as data subjects would have to obtain a copy of the register entry to discover the purposes unless the data controller is prepared to volunteer that information. Even though the register is now available on the Internet,[ 20] the vast majority of data subjects will not consult it.
In many cases, and bearing in mind the manner in which the requirement for fair processing has been interpreted under the 1984 Act, requiring data subjects to be informed of non-obvious processing at the time of obtaining their personal data, the 1998 Act may do little in practice to increase transparency of processing, especially when many data controllers are likely to plead 'disproportionate effort'.
2.2 Subject Access
As regards knowing the identity of data controllers processing personal data relating to them, apart from the obvious ones, data subjects may not be much better placed than is the case under the 1984 Act. However, individuals' right of access to their personal data has been significantly improved. Under the 1984 Act, data subjects had a right to be informed by the data controller whether he held personal data relating to them and, if so, to be given access to such data. Sections 7 to 9 of the 1998 Act deal with data subjects' right of access. Under section 7(1), subject to sections 8 and 9, a data subject is entitled
(a) to be informed whether personal data relating to the him are being processed by or on behalf of the data controller,
(b) if that is the case, to be given a description of the personal data of which that individual is the data subject, the purposes for which they are being or are to be processed and the recipients or classes of recipients to whom they are or may be disclosed;
(c) to have communicated to him in an intelligible form, accompanied with an explanation if necessary, the information constituting any personal data of which that individual is the data subject (a copy in permanent form unless this is not possible or would require a disproportionate effort or if the data subject agrees otherwise), and any information available as to the source of those data, and
(d) to a description of the logic involved in any automated decision-taking, likely to constitute the sole basis for any decision significantly affecting him.
More information must be provided than under the 1984 Act.[ 21] Although a data subject could previously obtain information as to the description of the data, the purposes of processing and the recipients by consulting the register entry, under the 1998 Act, this information must be provided in response to a subject access request, together with a description of the source of the data and of any logic employed in certain types of automated decision-taking. This is a welcome step. Whilst in respect of information within (b) above data controllers are likely only to provide the relevant extracts from their register entries, it must be remembered that this information must also be given in respect of manual files caught by the Act.
As under the 1984 Act, the data controller can refuse to comply with a subsequent identical or similar request by a particular individual unless a reasonable interval has elapsed. In determining what a reasonable interval is, regard shall be had to the nature of the data, the purposes of the processing and the frequency with which the data are altered. The information to be given must be as it was when the request was received apart from deletions or amendments that would have been notwithstanding the request. The maximum fee that can be charged by a data controller in respect of a subject access request is GBP 10 in most cases.[ 22]
Data controllers who are susceptible to fraud will be concerned that they are required to provide information concerning the logic of their automated decision-taking processes. For example, details relating to an individual applying for credit, such as postcode, employment and housing status, may be submitted to computer software which accepts or rejects the application for credit based upon a weighted assessment of a number of parameters. On the one hand, providing details of the logic could facilitate the activities of fraudsters who would simply be able to discover what the 'right' answers are likely to be. On the other hand, it is possible for unfair or prejudicial factors or weightings to be used. The use of factors such as postcodes or the credit rating of a previous occupant of the dwelling now occupied by the data subject in question are inherently unfair even if they are reliable predictors. The dangers were highlighted in Equifax Europe Ltd v Data Protection Registrar ((unreported) 28 February 1992, Data Protection Tribunal) where a number of credit reference agencies were extracting personal data relating to the financial status of individuals by reference to the current or previous address of the data subject together with financial information relating to any other individual who had been recorded as residing at any time at the same or a similar address as the data subject. The Data Protection Registrar issued an enforcement notice prohibiting the use of such third party data.[ 23]
The requirement to be informed of the underlying logic does not apply to all forms of automated decision-taking. It applies where the purpose is to evaluate matters relating to the data subject such as performance at work, creditworthiness, reliability of conduct and has or is likely to constitute the sole basis for any decision significantly affecting him. The 1998 Act closely follows the language in the Directive[ 24] but as the list of circumstances is non-exhaustive, it is not possible, apart from an application of the esjudem generis rule, to predict other forms of purposes that will be caught. Again, in the first instance, the data controller is likely to take his own view on this matter.
In addressing the concerns of data controllers about providing information as to the logic in automated decision-taking, the 1998 Act has unduly compromised this right to information. Section 8(5) excuses the data controller from providing such information if, and to the extent that, the information constitutes a trade secret. This would appear to allow the data controller to refuse to provide any information as to the logic if he claims it is, in its entirety, a trade secret. This goes further than the Directive which states in recital 41 that the right to information as to the logic in any automated decision-taking concerning the data subject must '...not adversely affect trade secrets or intellectual property and in particular the copyright protecting the software; whereas these considerations must not, however, result in the data subject being refused all information' (emphasis added). It is likely that one of two things may happen. Data controllers may simply claim all of the logic, and information relating to it, is a trade secret[ 25] or they will prepare some bland sanitised description of the logic that is little better than meaningless. If this happens, the only remedy for an aggrieved data subject will be to ask the Commissioner for an assessment since automated decision-taking, in common with other forms of processing, must comply with the principles and, in particular, the first principle requiring processing to be fair and lawful.
There are specific provisions dealing with the situation when compliance with a subject access request would disclose information relating to another identifiable individual. These are significantly modified in comparison to the equivalent provisions under the 1984 Act. Where data relating to another individual would be disclosed, in order to comply with the request, the data controller must be satisfied that the other person has consented to the disclosure of his personal data to the person making the request or where it is reasonable in all the circumstances to comply without the consent of the other. (Section 7(4)) References to another individual includes a reference to that individual as the source of the information sought by the request, for example, where a social worker or person in charge of a home for children in care had written a report on the person now making the subject access request. In determining whether it is reasonable in all the circumstances to comply without the consent of the other, factors that may be taken into account include any duty of confidentiality owed to the other, any steps taken by the data controller to gain the consent of the other, whether the other is capable of giving consent and any express refusal of consent by the other individual. (Section 7(6))
These provisions are intended to comply with the judgment of the European Court of Human Rights in Gaskin v United Kingdom[ 26] in which the applicant, who claimed he had been ill-treated, sought access to confidential records concerning him whilst he was in care. Liverpool City Council were required to keep such records. The City Council resolved to give Gaskin access provided the contributors to the file consented. Only 19 out of 46 of the contributors gave their consent and the relevant documents were released to him but the remainder, where the contributors refused consent or could not be traced, were not disclosed to him. It was held by the European Court of Human Rights that this was a breach of his right to respect for his private and family life under Article 8 of the European Convention on Human Rights. Although the United Kingdom could not be said to have interfered with his private life, there may be certain circumstances where a positive obligation arose inherent in respect for private life. Whether such an obligation arose in a particular case was a matter of balance and, on the basis of proportionality, required that an independent authority decided whether access should be granted or denied if a contributor to such records withheld consent or did not answer. That had not happened in Gaskin, hence the breach of Article 8.
By virtue of the Data Protection Act 1998, it is the data controller who decides in the first instance whether to grant access in such a case. However, under section 7(5) the data controller is not excused granting access in respect of so much of the information sought as can be communicated without disclosing the identity of the other individual. This may require omission of the name or other identifying particulars. In terms of computer files, it may be a relatively easy matter to suppress names of the other persons such as those who compiled the information when printing out the data subject's details for him to see. However, where access to a manual file is requested, suppressing the names of other individuals could prove very onerous, requiring masking out the particulars relating to those other persons before copies are made for inspection by the data subject making the subject access request, unless, of course, those persons consent or where it is reasonable in all the circumstances to comply without the consent of the other.
Under the 1984 Act, one difficulty was that many large organisations had a number of separate registrations, reflecting their different information systems or different purposes of processing and, in such cases, a separate request and separate fee was required in respect of each register entry. (Section 21(3) of the Data Protection Act 1984.) Unless the data controller was prepared to be helpful, this could result in a data subject having to request access in respect of most or all of the register entries to be confident that he had access to all the personal data relating to him that were held by the data controller.[ 27] At least, under the 1998 Act, there will be only one register entry in respect of each data controller and only one entry will be necessary for partnerships. The maximum length of time to comply under the 1998 Act will be, initially at least, the same as before, that is 40 days.[ 28] This is an unnecessarily long period of time. The data controller is not obliged to comply unless the request has been made in writing and the fee paid, unless exempt, and he has been supplied with information as he reasonably requires to satisfy himself as to the identity of the person making the request.[ 29]
It is essential that data controllers exercise great care in verifying the identity of the individual making the request but experience shows that this is not always so. In one case, a private investigator obtained personal information relating to famous people from British Telecom by deception, some of which she sold to tabloid newspapers. She was prosecuted for 6 offences under section 5(6) of the 1984 Act for procuring the information and 6 offences under section 5(7) of the 1984 Act for selling the information to her clients.[ 30] She was fined a total of GBP 1,200. A relatively small fine compared to the gravity of the offences which reflects the failure of magistrates to take data protection offences seriously.[ 31] In the last five years the maximum fine for a single offence was GBP 3,000[ 32] but many fines are much smaller and absolute and conditional discharges account for a significant proportion of outcomes.[ 33]
It is also important that data controllers ensure that their employee and agents who process personal data on their behalf are reliable and trustworthy.[ 34] The dangers of employees disclosing personal data in an unauthorised manner was highlighted in a prosecution concluded in July 1998 where a father and son were found guilty of a number of offences under the 1984 Act.[ 35] The son worked for the National Westminster Bank and was passing on information concerning some of the bank's customers to his father who was a private investigator. Total fines of GBP 6,000 in respect of nine offences were imposed, the son being fined GBP 1,000 only.
Under the 1998 Act, all offences are triable either way with the exception of search warrant offences which are triable summarily only. None of the offences carry custodial sentences and it is unlikely that punishments meted out by magistrates courts will increase by any significant amount if at all. That being so and bearing in mind the number of prosecutions each year is only a few dozen, the teeth of the new data protection law in terms of criminal liability are not particularly sharp and do little to encourage full compliance with data protection law with the result that, in a many cases, individuals' rights under data protection law may be seriously compromised. As the vast majority of prosecutions in the past have been for failing to register, the danger is that a culture of 'register and ignore' the data protection principles will be tacitly encouraged. The registrar's civil powers of enforcement are exercised only infrequently. In the year to 31 March 1998, only three enforcement notices were served and there were only 22 preliminary notices served. These are tiny numbers given that there were at that time no less than 211,992 registered data users.[ 36]
2.2.1 Credit Reference
Under section 9 an application to a credit reference agency is taken to be limited to financial information relating to the data subject unless a contrary intention is expressed. The data controller must include a statement of the data subject's rights under section 159 of the Consumer Credit Act 1974, to the extent required as prescribed. Section 62 of the Data Protection Act 1998 modifies section 158 of the Consumer Credit Act 1974 and the right under that section to obtain a copy of a file applies only in relation to partnerships. For other individuals the right to a copy of the file is under section 9 of the 1998 Act although the right of correction of wrong information remains under section 159 of the Consumer Credit Act. Basically, the regime seems much as before but credit reference agencies present particular problems in terms of personal data.[ 37] Particular concerns relate to the use and disclosure by credit reference agencies of 'white data' and 'grey data', the former being data indicating that a data subject has a good credit record and the latter being where the data indicate that the data subject has been in default but not for a period sufficient for the data to be regarded as 'black data'.
The law of breach of confidence has long since regulated the disclosure of personal data by financial institutions. In Tournier v National Provincial and Union Bank of England [1924] 1 KB 461, it was held that a bank could disclose information about its customers where the disclosure was required by law, where there is a public duty to disclose, where the interests of the bank require disclosure, or where the customer has consented, expressly or impliedly. Apart from the duty of confidence and the data protection principles, particularly that processing must be fair and lawful, there are further restrictions on disclosures of white data and grey data. The Tournier principles are limited in that disclosure may be permitted if it is in the institution's interests, which it may be if it intends to disclose white data, for example to a credit reference agency, in return for subsequent disclosures from the credit reference in respect of other data subjects. Of course, white data are valuable in relation to activities other than the decision to grant credit, such as in targeted marketing. Except where the data subject concerned has submitted an application for credit, any other disclosure of white data could be perceived as an infringement of the basic right to privacy under Article 8 of the Human Rights Convention.[ 38]
2.2.2 Enforced Subject Access
Enforced subject access occurs, typically, where a prospective employee is required to carry out a subject access request with the police in order to confirm that the individual has not previous criminal convictions or police cautions. This practice has been deprecated by the Data Protection Registrar for some time.[ 39] Indeed, it can result in serious injustice. For example, in R v Chief Constable of 'B' ex parte R (unreported) 24 November 1997, Queen's Bench Division, R, who was 29 years old, wanted to travel to a foreign country to teach English to adults and had to apply for a visa. He was required by the Consulate General of that country to provide a certificate of prosecution and conviction history. Unfortunately, R had a spent conviction for a minor offence of theft committed when he was 19 years old for which he received a conditional discharge and was ordered to pay compensation. Although the Chief Constable supplied a statement to the effect that R had 'no citeable convictions', it was not on the standard form issued under the Data Protection Act 1984 as required by the Consulate General. This form would show R's spent conviction.[ 40] However, the Data Protection Act 1984 contained no discretion to exclude some information from being provided under a subject access request and, according to Laws LJ, section 21 of that Act clearly required all the information constituting the personal data to be supplied. Any conflict with the Rehabilitation of Offenders Act 1974 was removed by section 26(4) of the 1984 Act which stated that the subject access provisions apply notwithstanding any enactment or rule of law prohibiting or restricting disclosure or withholding information.[ 41]
In the above case, Laws LJ said it was no comfort to the applicant for the enforced subject access that legislation is in place which is intended to obviate the problems he had encountered. This was not strictly true as the Bill was yet to be introduced into Parliament and, in its original form it had no restrictions on enforced subject access.[ 42] Nor did the Data Protection Directive mention enforced subject access except, perhaps, obliquely by requiring subject access to be 'without constraint'. (Article 12(a)) Provisions dealing with enforced subject access were included in the Bill in an amendment in the House of Lords.
The Data Protection Act 1998 makes enforced subject access a criminal offence. It applies, under section 56, in relation to the recruitment of another as an employee, the continued employment of another person, any contract for the provision of services by another person, or the provision of goods, facilities or services to any person (this extends also to the supply of a relevant record by a third party). It covers 'relevant records', being those showing convictions and cautions where the data controller is a chief officer of police or the Secretary of State. Also included are details of the detention of young persons for long periods of time for grave crimes under section 53 of the Children and Young Persons Act 1933, the Secretary of State's functions under the Prison Act 1952, under the Social Security Contributions and Benefits Act 1992, the Social Security Administration Act 1992, the Jobseekers Act 1995 or in relation to certificates of criminal records under Part V of the Police Act 1997 (with necessary amendments for Scotland and Northern Ireland).
The offence is one of strict liability. However, the provisions do not apply where the requirement is authorised or required by law or court order or justified as being in the public interest but this does not include the ground that it would assist in the prevention or detection of crime. Specific provision will be made to allow enforced subject access in specific cases such as where a person is to be appointed to work in a children's home.[ 43] Unfortunately, section 56 will not be brought into force until certain provisions of the Police Act 1997 dealing with certificates of criminal records and the like.[ 44] Bearing in mind the unhappy outcome of the above case, it is regrettable that there will be any further delay to bringing section 56 into force.
Under section 57, any term or condition in a contract is void in as much as it purports to require the supply of, or producing to another person, a record, copy or part of a record consisting of information contained in any health record as defined in section 68(2).[ 45] There is no criminal offence for enforced subject access to health records.
The inclusion of restrictions on enforced subject access is a welcome step in terms of privacy and the introduction of criminal penalties indicates the seriousness with which it is viewed. Without such restrictions, there was a danger that, eventually, the provision of a certificate of criminal prosecution and conviction history would become a prerequisite for most jobs and appointments. However, where the subject access is required by an organisation outside the European Economic Area, as in the above case, the Act is of no assistance.[ 46] It does not, for example, allow a data controller receiving a subject access request to refuse to comply if he has good reason for believing that it is enforced.
3. Individuals' Control over Processing
Before the Data Protection Act 1998, individuals had very little control over processing of personal data relating to them. Areas of law other than data protection law may have been useful in some cases, such as the law of breach of confidence, copyright and defamation but, generally, the 1984 Act had very little impact in this respect, other than by an individual signifying his disapproval to disclosure of data to third parties by ticking the ubiquitous box on a pro forma. Providing that a data user kept his processing within the principles and his registered particulars, the data subject had little effective control. The Data Protection Act 1998, in line with the Directive has changed this and has, at first sight, empowered the data subject. Now, he can object to processing likely to cause substantial damage or substantial distress, he can prevent processing for the purposes of direct marketing and can prevent certain forms of automatic decision-taking. For some forms of processing, the data subject's consent may be required and, in some cases, the traditional 'tick-box' approach may not be sufficient. A further factor increasing the data subject's muscle-power is that the meaning of 'personal data' and 'processing' are very much wider than was the case under the 1984 Act.
A major concern for data controllers during the lead up to the new law was the inclusion of provisions allowing data subjects to object to or prevent processing of their personal data or to withhold consent to the processing of their personal data. The spectre of individuals interfering with processing of personal data relating to them was raised whereas, under the 1984 Act, provided personal data was processed in accordance with the registered details and the data protection principles, there was nothing data subjects could do to obstruct or restrict the processing of their data. Under the new law, apart from data subjects having new rights to object to processing, in some cases the consent of the data subject must be obtained which must be express or unambiguous. However, the substance of the new law is less fearsome for data controllers than the embryonic model set out in proposals for the Directive.
3.1 Right to Prevent Processing Likely to Cause Substantial Damage or Substantial Distress
A data subject can require the data controller to cease or not to begin processing for a specified purpose or in a specified manner on the ground that, for specified reasons, it is unwarranted as causing or being likely to cause substantial damage or substantial distress to him or another. (Section 10(1) of the Data Protection Act 1998.) This right does not apply to processing under conditions 1 to 4 in Schedule 2, being processing where the data subject has given consent, where necessary in relation to a contract, where necessary for compliance with a legal obligation or where necessary to protect the vital interests of the data subject. The Secretary of State may order other exceptions to this right. It is difficult to think of an example where this might apply bearing in mind that the first data protection principle requires processing to be fair and lawful. It is self-evident that processing that is fair is unlikely to cause damage or distress. The government Consultation Paper gave an example, being where personal data might be disclosed in such a way that in practice it might come into the hands of a person known to the data subject.[ 47] It did not elucidate further. Presumably an example could be where the data subject in question has an embarrassing illness, is terminally ill or has a criminal record. (Subject, of course, to the provisions on enforced subject access.)
Where the right was most likely to have proved important is where processing is for journalistic purposes but it is severely curtailed in this respect. There are numerous exemptions from the new law for processing is for the 'special purposes' being, under section 3, the purposes of journalism and artistic and literary expression.[ 48] By virtue of section 32(2), exemption is from all the principles, except the seventh on security measures, subject access, the right to prevent processing likely to cause substantial damage or substantial distress, rights in relation to automated decision-taking and some of the rights of rectification, blocking, erasure or destruction of personal data. The exemptions apply only if compliance is incompatible with the special purposes and the processing is undertaken with a view to publication and the data controller reasonably believes that publication is in the public interest.[ 49] Otherwise, the exemptions do not apply and, importantly, individuals may still have a right to compensation for damage and/or distress as discussed in the following section. Although an individual may not be able to prevent processing for the special purposes, he may be entitled to compensation if he can show that the exemption from the right to prevent processing was wrongly relied on by the data controller.
To effect the right to prevent processing likely to cause substantial damage or substantial distress, the data subject has to give notice in writing to the data controller, specifying the purpose or manner of processing objected to and the reasons why he or another is likely to be caused substantial damage or substantial distress. Within 21 days, the data controller must give written notice stating that he has complied with the data subject's notice or intends to do so or stating why he considers the notice unjustified to any extent and the extent, if any, to which he has complied or intends to comply. As with the other provisions involving data subjects' rights, the right is backed by the power of the court to order compliance.
3.1.1 Laws of Defamation and Passing off Supplemented?
The law of defamation gives a person a cause of action in respect of published information or words concerning him, directly or by innuendo, which 'tend to lower the plaintiff in the estimation of right thinking members of society generally'.[ 50] Although there is no satisfactory single definition of defamation, it is tested through the eyes of the ordinary, reasonable person and there will be no remedy where some people see or read the information carelessly on incompletely. In Charleston v News Group Newspapers [1995] 2 AC 65, a Sunday newspaper carried a photograph of a man and a woman who appeared to be engaged in sexual intercourse. Superimposed on the photographs were images of the faces of the plaintiffs, actors who played Harold and Madge Bishop in the television 'soap' 'Neighbours'. The captions ran 'Strewth! What's Harold up to with our Madge?' and 'Porn Shocker for Neighbours Stars'. The text underneath made it clear that the image had been produced as part of a pornographic computer game which had used the images of the claimants without their permission.
The House of Lords held that the article as a whole was not defamatory, rejecting the argument that the headlines and photographs could found a claim in libel in isolation from the related text even though Lord Bridge accepted that some readers would not read the text. These readers, who might not take the trouble to read the text to discover what the article was about, according to Lord Bridge, could hardly be described as 'ordinary, reasonable, fair minded readers'. This case shows a serious failing in the law of defamation as, although held not to be defamatory, the publication would almost certainly have caused the claimants plaintiffs substantial distress.[ 51]
The law of passing off is unlikely to be much help in such situations either because of the requirement for a common field of activity[ 52] or because no account is taken of whether 'a moron in a hurry' might be fooled by the defendant's misrepresentation.[ 53] However, in Alan Kenneth McKenzie Clark v Associated Newspapers Ltd [1998] RPC 261, the late Alan Clark MP was successful in a passing off action (and also in respect of false attribution of authorship under copyright law) after complaining about a spoof diary which appeared in the London Evening Standard based on what a journalist imagined Alan Clark might record in his Diary. The newspaper column was headed 'Alan Clark's Secret Political Diaries' and included a photograph of Alan Clark. Below was a statement identifying the journalist as the author and the basis for the articles. Nevertheless, the court held that, to be actionable as passing off, the deception had to be more than momentary and inconsequential and the article had to be looked at as a whole to decide whether a substantial number of readers would think that the articles were written by Alan Clark. Nor was it a defence to claim that readers of the column would not be misled had they been more careful. In the event, the defendant was permitted to continue to publish the 'diaries' providing the identity of the true author was made sufficiently clear. Of course, as Alan Clark had written his own diaries, there was a common field of activity.[ 54]
With the advent of information technology it is very easy to manipulate text and images. Situations such as the Neighbours and Alan Clark cases will become more and more common. Such material may be placed on a Web page on the Internet, making it available on an unprecedented scale. The new data protection law may provide some control over this, particularly where the material is placed on a computer situated within the European Economic Area (EEA). The definition of personal data under the Data Protection Act 1998 extends to data (information) which relates to a living individual who can be identified from those data, or from those data and any other information which is in the possession of, or is likely to come into the possession of, the data controller. This includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual; section 1(1). 'Information' is not a precise term,[ 55] but Article 2(1) of the Directive is more helpful in that personal data is defined by reference to identifiers such as identification number or one or more factors specific to the individual's physical, physiological, mental, economic, cultural or social identity and recital 14 confirms that processing sound and image data are within the scope of the Directive.[ 56]
If sound and image data are processed automatically, that is, by computer, or are intended to be so processed, or are or are intended to form part of a relevant filing system (manual files caught by the new law) they will fall within the scope of the new data protection law and will be subject to the rights given to individuals. These rights include a right to prevent processing causing or likely to cause substantial damage or substantial distress to the individual concerned.[ 57] That would certainly be applicable to the Neighbours case. Although the right to prevent processing is suppressed where the processing is for the special purposes which include journalism, it is still available unless the publication is in the public interest. That would not appear to be the case here. If the exemption is lost, then the right to compensation under section 13 is available and, where processing is for the special purposes, compensation for distress is recoverable in the absence of damage. In a situation analogous to passing off as in Sim v H J Heinz Co Ltd, damages for distress may be awarded if damage can be proved, for example, if the plaintiff can show that he has lost work or orders because of the defendant's misrepresentation. There is no need to show a common field of activity. If a 'disclaimer' is included in the publication or misrepresentation, it would have to be very prominent. In any case, there is no provision for disclaimers in the new law and it would simply be a question of the individual proving that he has suffered or is likely to suffer distress and, where appropriate, damage.
Another concern is the use of images and, perhaps, voices of famous deceased persons. The technology already exists to create new films, photographs and advertisements using images and voice patterns belonging to actors such as Marilyn Monroe and Sidney James. Relatives and friends may find these activities particularly distressing. The Data Protection Act 1998 is unhelpful in that 'personal data' are defined as data which relate to a living individual (Section 1(1)) and, therefore, the Act does not apply to deceased persons, although the Directive is ambivalent on this point although it does define data in relation to 'natural persons'.[ 58] There is a precedent for giving 'rights' to deceased persons as, under copyright law, there is a right not to have a work falsely attributed to a person as author or film director.[ 59] This right endures for 20 years after the death of the person falsely attributed and is exercisable by his personal representatives.[ 60] It is clear that trade mark law is unhelpful in this respect and attempts to register images of Diana, Princess of Wales as trade marks have been unsuccessful thus far. Providing limited data protection rights for a number of years in respect of recently deceased persons should have been included in new Data Protection Act, especially as such rights would not be onerous to respect, excepting persons with an unsavoury wish to capitalise on the reputation of recently deceased persons.
3.2 Right to Prevent Processing for Direct Marketing
Direct marketing is perceived as a scourge by some people whilst others may think it a minor annoyance. Yet others may positively welcome it. Regardless of one's own individual view, it is, nevertheless, an effective manner of marketing and direct marketing in the United Kingdom is a major industry and likely to grow in importance as it becomes more targeted, focusing on individuals' lifestyles, spending profiles and other characteristics and idiosyncrasies. The Directive contained two ways of controlling direct marketing from the data subject's point of view. One possibility was the right to object, on request and free of charge. The other was to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses.[ 61]
The Data Protection Act 1998 elects the former approach, giving the data subject a right, by giving written notice, to require a data controller to cease within a reasonable time in the circumstances or not to begin processing his personal data for the purposes of direct marketing; section 11. 'Direct marketing' is defined as the communication by any means of any advertising or marketing material which is directed at particular individuals. The right to object is an absolute one, notwithstanding the existing of the Mailing Preference Scheme in the United Kingdom.[ 62] The data controller must give the data subject a written notice within 21 days of receipt of the data subject's notice stating what steps he has or will take to comply.
3.3 Rights in Relation to Automated Decision-taking
Automated decision-taking has the potential for being very prejudicial to individuals. For example, a person may be denied credit or some other advantage simply because of his post code or because the previous occupant of his dwelling had a bad record.[ 63] Statistically predictive measures which may find their way into automated decision systems may operate unfairly in individual cases. In its initial form the Data Protection Bill, following the Directive, only allowed decision taken solely by automated means which significantly affects the data subject and which is intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability or conduct in the context of a contract with the data subject or where authorised by law. (Article 15.)
Under section 12(1) of the Act an individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken, by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him as above-mentioned. This does not apply to all automated decision-taking and there are some decisions exempt from this right. They are where the decision is taken in the course of steps taken for the purpose of considering whether to enter into a contract with the data subject, with a view to entering into such a contract, or in the course of performing such a contract, or where the decision is authorised or required by or under any enactment. In terms of these exempt decisions, if the decision is not to grant a request of the data subject, steps must be taken to safeguard the legitimate interests of the data subject, for example, by allowing him to make representations. Where the decision is not an exempt one and the data subject has not exercised his right to prevent such decisions being taken, the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis, and give the individual, within 21 days of receiving that notification from the data controller, the right by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis. In other words, the data subject can insist that the data controller reconsider the decision by other means, for example, by involving some direct human input in the decision process.
Few data subjects are likely to exercise their right to prevent automated decision-taking. Indeed, it is difficult to think of examples outside contract where the right would be valuable. Of course, the vast majority of such decisions will be in the context of a contract, for example a credit agreement where the right does not apply and is replaced by a right to be informed together with, for example, a right to make representations. The Act does not specifically require the data controller to do anything further although it could be argued that, if a data subject's legitimate interests are to be safeguarded, it implies that the representations he makes are taken seriously and action is taken if, for example, the processing would otherwise be unfair. Of course, if the data subject suspects that the processing is unfair, he could apply to the Data Protection Commissioner for an assessment under section 42.
3.4 Requirements for Individuals' Consent
For processing to be within the first Data Protection Principle, one of the conditions in Schedule 2 to the Act must be met and, in the case of sensitive data,[ 64] one of the conditions in Schedule 3 must also be met. In both Schedules, one of the conditions is the data subject's consent. Therefore, if the data controller has that consent, in either case, this requirement is satisfied. For non-sensitive data, the wording is simply that the data subject has given his consent to the processing, whilst for sensitive data, the expression used is that the data subject has given his explicit consent to the processing of the personal data. From this it would seem that consent may be implied for non-sensitive processing, for example, by the data subject failing to tick the ubiquitous box of a form, but for sensitive personal data express and informed consent appears to be required.
In reality, however, one or more of the other conditions in the Schedules are likely to be applicable in the vast majority of cases. For example, for processing non-sensitive data, many data controllers will be able to rely on the condition that processing is necessary for the purposes of the legitimate interests of the data controller or a third party to whom the data are to be disclosed, although this must not be unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. This is unlikely to be particular problem in many cases. Of course, one may question what the word 'legitimate' means in this context. Presumably, in the context or a body such as a company or public authority, this could simply mean that the processing is intra vires the powers of the organisation and not otherwise unlawful.
Processing with appropriate safeguards by a non-profit making body which exists for political, philosophical, religious or trade-union purposes is one of the conditions for processing sensitive data, which is defined as including personal data relating to political opinions, religious beliefs or other beliefs of a similar nature and trade union membership. (Section 2.) However, the data may not be disclosed to a third party without the consent of the data subject. Considering that explicit consent is one of the conditions for processing sensitive data, it seems reasonable to assume that consent here also ought to be explicit, that is, express and informed consent.
Another situation where the data subject's consent may be required is in the context of transfers of personal data to third countries[ 65] not having an adequate level of protection. The basic rule is that personal data must not be transferred to such countries, but it was possible for Member States to derogate from this in certain circumstances. (Article 26(1)) Again, there are a set of conditions and the data controller has to satisfy only one. These are set out in Schedule 4 to the Act. The data subject's consent is one possibility. However, again the ability of the data subject to prevent transfers of data outside the European Economic Area is seriously prejudiced because one of several other conditions may be relied on by the data controller instead of seeking consent. An important one is where the transfer is necessary for the performance of a contract between the data subject and the data controller, or for taking steps at the request of the data subject with a view to his entering into a contract with the data controller or where the transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject entered into at the request of the data subject, or is in the interests of the data subject, or for the performance of such a contract. (paragraphs 2 & 3 of Schedule 4.)
Other conditions include where the transfer is necessary for reasons of substantial public interest or for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) or obtaining legal advice or is in order to protect the vital interests of the data subject or the data is on a public register or is authorised by the Commissioner.
A further condition is where the transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects. (paragraph 8 of Schedule 4.) A working party and committee (Articles 29 to 31.) is established under the Directive and where the Commission decides, in accordance with the committee procedure, (Article 31(2)) that certain standard contractual clauses offer sufficient safeguards as required by Article 26(2), Member States shall take the necessary measures to comply with that decision. The Commission should be in a position to hand down standard contractual terms which can be incorporated into the contract between European data controllers and the recipient of the data in the third country concerned. First impressions are that the terms will attempt to impose on the recipient in the third country, by contractual means, a data protection regime equivalent in important respects to that set out in the Directive.[ 66] The details of such terms will be communicated to data controllers via the Data Protection Commissioner.
Although various forms of processing will be subject to the data subject's consent, this will be so only in a minority of cases as consent is generally only one of a number of alternative conditions. In most cases, except in the case of disclosures by non-profit making bodies where there is no alternative to consent, an alternative ground for processing can be relied upon by the data controller. That being so, the data subject's right to prevent processing by withholding his consent is, in the vast majority of cases, merely illusory.
3.5 Impact of the Human Rights Act 1998 on Data Protection Law
Alongside implementing the new data protection law, the United Kingdom government has chosen to embark upon a major constitutional change by incorporating into United Kingdom law the rights and freedoms guaranteed under the European Convention on Human Rights. Section 1 of the Human Rights Act 1998 lists the key rights stemming from the Convention and associated Protocols, which includes the presumption that each individual has a right to privacy. Article 8, of the Human Rights Convention is most relevant to individual privacy and, therefore, of the utmost importance in the field of data protection. It requires that everyone has a right to respect for an individual's private and family life, his home and his correspondence. If personal data are processed in a manner which conflicts with this basic principle of privacy then it will be deemed to be unlawful notwithstanding the provisions of the Data Protection Act 1998 and associated subordinate legislation.
Indeed, the Human Rights Act 1998, incorporating in Schedule 1 the main provisions of the European Convention on Human Rights, is an important platform from which other United Kingdom legislation can be challenged. This is particularly so where laws relating to privacy are concerned. Section 3 of the Human Rights Act 1998 states that:
So far as is possible to do so, primary legislation and subordinate legislation must be read and given effect in a way which is compatible with the Convention rights.
This is quite a sea change in English jurisprudence - that one Act of Parliament is deemed superior to another Act of Parliament. However, this is in terms of interpretation only and can be seen as an example of Parliamentary supremacy at work - Parliament has deemed it so. Nevertheless, it is possible that such a brief and seemingly innocuous legislative provision may prove to be a can of worms. Worse still it applies retrospectively.[ 67] Already there are serious problems raised by Article 6 of the Convention in respect of the appointment of sheriffs in Scotland and potentially similar issues relating to the appointment of recorders, assistant recorders and stipendiaries in England and Wales.[ 68]
Paragraph 2 of Article 8 of the European Convention on Human Rights allows derogation from the basic principle contained in paragraph 1 in accordance with law 'if necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of crime, for the protection of health or morals, or for the protection of the rights and freedoms of others'.
Matching this up with the Data Protection Act 1998 (which takes near maximum advantage of the possible exemptions permitted under the Directive) could be a source of conflict. Some exemptions under the Data Protection Act 1998 could fall foul of Article 8, examples being exemptions under the heads of education, social work, domestic purposes, management forecasts and negotiations. This is notwithstanding that the scope of derogations permitted by the Convention may not precisely match those under data protection law. The potential for legal challenges to the United Kingdom's version of data protection law, bearing in mind the Convention will very soon by justiciable in domestic courts in England, is immense. Furthermore, the Convention may be used as a shield or a sword. Data controllers finding themselves in trouble for apparent breaches of the Data Protection Act 1998 will be tempted to look at the Convention and case law under it to deflect any enforcement actions brought by the Data Protection Commissioner or individuals. On the other hand, individuals seeking redress may try to use the Convention to drive a coach and horses through the provisions of the Data Protection Act 1998 - a complex piece of legislation in its own right.
From the Data Protection Commissioner's point of view the introduction of the European Convention on Human Rights could give her a welcome second string to her bow. One example is in the context of data matching. The Social Security Administration Fraud Act 1997 facilitates the exchange of personal data about benefit claimants between relevant Government Departments and Local Authorities if the data are for use in the prevention, detection, investigation or prosecution of offences relating to social security, or are for use in checking the accuracy of information relating to benefits. These provisions permit the interference by a public authority with the right to respect to private life and may constitute a violation of that right unless they fall within the proviso contained in Article 8. The discretion bestowed by the Data Protection Act 1998 and the lack of safeguards for the prevention of abuse of its provisions could result in the violation of rights guaranteed by the Convention.
4. Summary
The Data Protection Act 1998 attempts to address and reconcile the tensions between rights to privacy and the goals pursued by persons processing personal data. Those goals cover an enormous number of purposes. They may be related to business, economic or social needs and be of a commercial, governmental or public service nature. Given the diversity of information processing, trying to achieve a fair balance which will work well across all sectors is ambitious to say the least. To some extent the legislators have not been completely free to draw up a new model of data protection law and the now withering hand of the European Convention of the protection of personal data can be seen at work in the Directive. That Convention is nearly 20 years old and the data protection principles contained within it are a reflection of what is now incredibly dated technology. Current computer technology is light years ahead of what was around in the early 1980s and of particular importance is the phenomenal growth of global networks such as the Internet.[ 69] Other factors include the massive improvements in storage capacity and processing speed.
From the perspective of rights of privacy, some aspects of the new law are to be welcomed. These include the extension of data protection law to certain types of manual files and the right to prevent processing for direct marketing together with the greater emphasis on security. Some provisions appear cumbersome and unwieldy, an example being the provisions relating to data subjects and automated decision-taking. Others will be rarely used, for example, the right to prevent processing likely to cause substantial damage or substantial distress and rights to compensation. The greater weight given to the principle of transparency is a central plank of the new law but it has been compromised somewhat, first by the numerous exemptions from the subject information provisions and from the requirement to notify and, secondly from the paucity of information to be provided by the data controller to the data subject on collection of personal data or otherwise.
It could be argued that transparency could be better achieved by self-regulation[ 70] together with the imposition of duties, enforceable by data subjects, to provide more information giving a full and frank disclosure of the nature of the processing activity including disclosures to third parties and transfers to other countries, including countries within the European Economic Area.[ 71] Of course, codes of practice may be helpful in some circumstances in encouraging data controllers to increase transparency. In return for data controllers making full and frank disclosures to data subjects, they could be freed from the burden of the formal notification and annual renewal of the register entry.[ 72]
The Human Rights Act 1998 is likely to have a significant impact on data protection law. Article 8 of the European Convention on Human Rights and Fundamental Freedoms is specifically mentioned in the recitals to the Directive (recital 10) in terms showing that it underpins the level of protection for individuals set out in the Directive. Although, at this stage, it may be difficult to predict the impact of Article 8 of the Convention, some flavour of its application may be derived from case law before the European Court of Human Rights which also has to grapple with balancing the right to privacy with the exceptions contained in Article 8(2).[ 73]
Unfortunately, the new and enhanced rights for data subjects are illusory unless individuals are prepared to be proactive and take appropriate action, by serving notices on data controllers, by commencing legal proceedings against data controllers or by making a complaint to the Data Protection Commissioner. This latter approach appears to be the most favoured in 1998/99, a total of 3,653 complaints were received by the Registrar.[ 74] It is important that the process of raising awareness amongst data subjects continues. In the year 1998/99 only 21 per cent of data subjects were aware of their rights under data protection law.[ 75] Although much has been done in the past to publicise the rights of data subjects, much more must be done if the full benefit of the new and enhanced rights for data subjects are to be realised.
|
