Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK
Jane Lambert
The reaction of Brenda from Bristol to Mrs May's announcement of a snap election earlier this year made her an internet star. There was a similar reaction to the government's introduction of a new Data Protection Bill last week and one can understand why. Three statutes, one Council regulation and a directive in a little over 30 years for the processing of personal data is quite a lot of legislation - especially for an activity that the United States leaves largely unregulated.
The Younger Report
Towards the end of the 1960s and the beginning of the 1970s, concern was expressed in a number of countries about the power of computers to gather, collate and disseminate personal information. In the UK, such concerns were referred to a committee chaired by Sir Kenneth Younger that had been appointed to consider privacy. In its report - the Younger Committee Report on Privacy 1972 (Cmnd 5012) - the committee found no evidence that the use of computers by the private sector constituted a threat to privacy at that time but it accepted the possibility that such use might be a threat in the future (para 69 of that report). Younger advised the government to set up a body with representatives from the computer industry to monitor and report on such use and to recommend action as and when necessary.
Lindop on Data Protection
In response to that report, Sir Kenneth was asked to chair another committee to inquire specifically into the effect of the use of computers on privacy. Sir Kenneth died in 1976 before the committee had reported and Sir Norman Lindop was appointed in his place. Lindop found that there was indeed a threat:
"The speed of computers, their capacity to store, combine, retrieve and transfer data, their flexibility, and the low unit cost of the work which they can do have the following practical implications for privacy:
(1) they facilitate the maintenance of extensive record systems and the retention of data in these systems,
(2) they can make data easily and quickly available from many distant points;
(3) they can make it possible for data to be transferred quickly from one information system to another;
(4) they make it possible for data to be concealed in ways that might not otherwise be practicable,
(5) because the data are stored, processed and often transmitted in a form which is not directly intelligible, few people may know what is in the records or what is happening to them" (see para 7 of the Report of the Committee on Data Protection (Cmnd 7341)).
The committee identified the following problems:
- information systems might be used to store inaccurate, incomplete or irrelevant information;
- access to personal information might be gained by persons who had no right to it, and
- information gathered for one purpose might be used for another in quite a different context.
Lindop recommended legislation to enable data subjects to access data relating to them and to require the correction, restriction or deletion of such data. Data processors would be obliged to register with a new data protection authority which would regulate data processing.
The Swedish Data Protection Law
Sweden passed the first data protection law in 1973. The Swedish statute established a data protection agency which regulated data processing in Sweden. One of that agency's early decisions was to forbid the transfer of 80,000 health and social security records from a Swedish municipality to a British company that had contracted to make identity cards for that municipality, on the ground that there was no data protection law in the UK. It was decisions such as these, rather than Lindop's recommendations, that persuaded the British and other governments to consider similar legislation for their countries (see Ernst-Jochim Mestmacker's presentation to the ITU's 4th Telecommunications Forum, 28 Oct 1983, published by the ITU as ISBN 92 61018270). Restrictions on the flow of data across national frontiers were particularly serious for countries like the UK with large financial services industries.
The OECD Guidelines
In response to such decisions, the Organization for Economic Cooperation and Development ("OECD") appointed a committee of experts chaired by Mr Justice Kirby of Australia to consider ways of balancing the need for privacy against the need to ensure trans-border data flow. The committee prepared a set of guidelines which were approved by the OECD Council and published as the OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data on 23 Sept 1980. The Council recommended
- Member countries to take into account in their domestic legislation the principles concerning the protection of privacy and individual liberties set forth in the guidelines and contained in an annexe;
- Member countries to endeavour to remove or avoid creating, in the name of privacy protection, unjustified obstacles to trans-border flows of personal data;
- Member countries to co-operate in the implementation of the annexed guidelines; and
- Member countries to agree as soon as possible on specific procedures of consultation and co-operation for the application of the guidelines.
Part two of the annexe set out a number of data protection principles while part three provided basic principles for the free flow of data between member countries:
"15. Member countries should take into consideration the implications for other Member countries of domestic processing and re-export of personal data.
16. Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.
17. A Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection.
18. Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to trans-border flows of personal data that would exceed requirements for such protection."
Part four of the annexe required member countries to "adopt appropriate domestic legislation" while at the same time encouraging and supporting self-regulation, whether in the form of codes of conduct or otherwise. While it has been possible to obtain general agreement throughout the world on the data protection principles in part two of the annexe, the emphasis in the United States has been on self-regulation while in Europe it has been on legislation.
Council of Europe Convention
On 28 Jan 1981, a Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data that had been drafted by a committee of experts was opened for signature by the member states of the Council of Europe. The United Kingdom was one of the early signatories of that Convention. Art 1 declared that:
"The purpose of this Convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ('data protection')."
By art 3 (1) contracting parties undertook to apply the Convention to automated personal data files and automatic processing of personal data in the public and private sectors. Art 4 (1) required each contracting state to take the necessary measures in its domestic law to give effect to the basic principles of data protection. Art 5 stipulated that personal data undergoing automatic processing should be:
- obtained and processed fairly and lawfully;
- stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
- adequate, relevant and not excessive in relation to the purposes for which they are stored;
- accurate and, where necessary, kept up to date;
- preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.
Art 6 provided special safeguards for "personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life." Art 7 required appropriate security measures to be taken for the protection of personal data stored in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination. Art 8 enabled data subjects to inspect files in which they were mentioned without undue difficulty or expense and, if necessary, to correct or erase such records. Under art 10 contracting countries undertook to establish appropriate sanctions and remedies for violations of provisions of domestic law giving effect to these data protection principles.
Art 12 provided for trans-border data flow as a special chapter:
"(1) The following provisions shall apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.
(2) A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation trans-border flows of personal data going to the territory of another Party.
(3) Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph (2)
(a) insofar as its legislation includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection;
(b) when the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph."
The Convention has been signed by the member states of the Council of Europe and several outside Europe, the latest being Tunisia which acceded to the Convention on 18 July 2017 (see the Chart of signatures and ratifications of the Convention).
The Data Protection Act 1984
Parliament passed the Data Protection Act 1984 to enable this country to ratify the Convention (see the white paper, Data Protection — the Government's Proposals for Legislation, Cmnd. 8539, London, 1982).
S.3 (1) (a) provided for an official known as "the Data Protection Registrar" to administer the Act. He was responsible for keeping a register of data users who were required to register with him if they wished to process personal data. It was an offence under s.5 for an unregistered person to hold or process personal data or for a person to hold or process personal data otherwise than in accordance with his or her entry in the register. The registrar enforced compliance with a number of data protection principles set out in Schedule 1 to the Act by issuing enforcement notices requiring compliance with those principles with the ultimate sanction of deregistration for disobedience.
Appeals against decisions of the Registrar lay to a tribunal known as "the Data Protection Tribunal" which was established by s.3 (1) (b) of the Act. It consisted of a legally qualified chair or deputy chairperson and a number of members representing data users and data subjects.
Data subjects had the right to access data relating to them under s.21 of the Act and to apply to the High Court or a county court for orders for the rectification or erasure of inaccurate data. They could also sue for compensation for any damage or distress that they might suffer as a result of the loss of, unauthorized access to, or inaccuracy of personal data.
Although this Act created a regulatory framework that has survived to the present, it contained several significant loopholes. One of the most important was that it applied only to automated data processing, which meant that information held on card indexes or other manual files was totally exempt. Another was that word processing (that is to say, "any operation performed only for the purpose of preparing the text of documents") was specifically excluded from the definition of processing by s.1 (8) of the Act.
Data Protection Directive
Although all the member states of the European Union are members of the Council of Europe and the OECD it was feared that
"difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State; whereas this difference may, therefore, constitute an obstacle to the pursuit of a number of economic activities at Community level, distort competition and impede authorities in the discharge of their responsibilities under Community law; whereas this difference in levels of protection is due to the existence of a wide variety of national laws, regulations and administrative provisions" (see para (7) of the recitals to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23/11/1995, P. 31 - 50) ("the Data Protection Directive")).
To harmonize national data protection laws so as to remove restrictions to trans-border data flow, the EU Council and European Parliament adopted the Data Protection Directive on 24 Oct 1995. This directive will remain in force until 25 May 2018, when it will be repealed by art 94 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("the GDPR").
The twin objects of the Data Protection Directive are set out in art 1:
"1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.
2. Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1."
Member states were required by art 32 (1) of the directive to transpose its provisions into national law before 24 Oct 1998. The directive applied not just to the processing of personal data wholly or partly by automatic means but also to "the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system" (art 3 (1)). However, it did not extend to the processing of personal data by "a natural person in the course of a purely personal or household activity" (art 3 (2)).
The Directive is divided into 7 chapters:
- Chapter I: General Provisions (arts 1 to 4)
- Chapter II: General Rules on the Lawfulness of the Processing of Personal Data (arts 5 to 21)
- Chapter III: Judicial Remedies, Liabilities and Sanctions (arts 22 to 24)
- Chapter IV: Transfer of Personal Data to Third Countries (arts 25 to 26)
- Chapter V: Codes of Conduct (art 27)
- Chapter VI: Supervisory Authority and Working Party on the Protection of Individuals with Regards to the Processing of Personal Data (arts 28 to 30), and
- Chapter VII: Community and Implementing Measures (arts 31 to 34).
The most important of those chapters is Chapter II, which is divided into 9 sections on data quality, legitimacy, special categories of processing, subject access, exemptions and restrictions, data subjects' rights of action, confidentiality and security, and the obligation to notify. Data subjects may seek injunctions to enforce their rights as well as damages and other remedies from the civil courts.
The Data Protection Act 1998
Although the Data Protection Act 1998 was passed to implement the Data Protection Directive, it was one of several statutes enacted by Tony Blair's government in its first term of office that enhanced citizens' rights. The others were the Human Rights Act 1998, which imported the European Convention on Human Rights into English and Welsh, Scottish and Northern Irish law, and the Freedom of Information Act 2000, which enabled members of the public to access information held by central and local government and other public authorities. It also coincided with the introduction of the Civil Procedure Rules, which were intended to make civil justice more accessible and affordable. The Data Protection Act 1998 is the current data protection statute for the United Kingdom and it will remain in force until 25 May 2018, when the GDPR comes into force.
The 1998 Act when it was enacted was a much longer and more complex instrument than its 1984 predecessor. It consisted of 75 sections in 6 Parts and 16 Schedules. It has been amended several times, most notably by the Freedom of Information Act 2000. The Act retained the Data Protection Registrar who was renamed the "Data Protection Commissioner" by s.6 (1). S.18 (1) of the Freedom of Information Act 2000 changed the title of that office again to "Information Commissioner" when the Data Protection Commissioner was given new responsibilities under the 2000 Act. Similarly, s.6 (3) retained the Data Protection Tribunal which was renamed the "Information Tribunal" by s.18 (2) of the Freedom of Information Act. It was superseded by the General Regulatory Chamber in accordance with the Tribunals Courts and Enforcement Act 2007.
The Data Protection Act 1998 broke the link between registration and enforcement. Those controlling the processing of personal data known as "data controllers" must still notify certain particulars to the Information Commissioner under s.16 and they may not process personal data without registering under s.17 (1) but the Commissioner regulates data processing by means of a new range of instruments known as enforcement, assessment and information orders. Data subjects retain the rights of actions and remedies under the old Act. When the 1998 Act was contemplated it was hoped that data subjects would rely on those rights of action instead of looking to the Commissioner to enforce their rights but that does not seem to have happened on any significant scale. The 1998 Act has closed the loopholes in the old Act in that it applies to all processing whether manual, mechanical or electronic and the old word processing exception has been abolished.
The Reform of European Data Protection Law
The GDPR is one of two enactments that will come into force in May 2018. The GDPR is a Council Regulation which will apply directly and uniformly in each of the member states of the European Union including the United Kingdom for so long as it remains in the EU. The other is Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA OJ L 119, 4.5.2016, p. 89–131 ("the Law Enforcement Data Protection Directive") which binds EU member states including the UK from the 5 May 2018.
The Data Protection Bill
On 13 Sept 2017, the government introduced the Data Protection Bill into the House of Lords. I discussed it in outline in my Introduction to the Data Protection Bill on 18 Sept 2017 in NIPC Data Protection. Some sort of legislation would have been required to transpose the Law Enforcement Data Protection Directive into the laws of the UK even if the 2016 referendum had gone the other way. As the EU treaties and the regulations made under them will cease to apply to the UK after we leave the EU, we require an Act of Parliament to incorporate the main provisions of the GDPR into English and Welsh, Scottish and Northern Irish law. It is important that we do that because data protection has become an issue in the Brexit negotiations (see my articles What will happen to the GDPR in the United Kingdom after Brexit? 10 Aug 2017 and Commission Position Paper on Data Protection and Protection of Information obtained or processed before the Withdrawal Date 15 Sept 2017 NIPC Brexit). The need for agreement on data protection is spelt out starkly in the Commission's Position paper .... on the Use of Data and Protection of Information Obtained or Processed before the withdrawal Date of 6 Sept 2017:
"It is recalled that the United Kingdom's access to networks, information systems and databases established by Union law is, as a general rule, terminated on the date of withdrawal.
The United Kingdom or entities in the United Kingdom may keep and continue to use data or information received/processed in the United Kingdom before the withdrawal date and referred to below only if the conditions set out in this paper are fulfilled. Otherwise such data or information (including any copies thereof) should be erased or destroyed."
That would not be good for the City of London. Happily, it is a remote possibility, at least for now.
Which Law applies?
Data protection law will stay as it is until 6 May 2018, when the provisions of the Law Enforcement Data Protection Directive should have been transposed into national law. Ideally, it should be implemented by the Data Protection Bill, but it is hard to see how it can clear all its legislative hurdles in a little over 7 months' time, especially as the government lacks an overall majority in the House of Commons. From 25 May 2018 until 29 March 2019, or perhaps even longer if the 2-year transitional period proposed by Mrs May in Florence is agreed, the GDPR applies to us as it does to the rest of Europe. From 29 March 2019, or some other time in the future, the new Data Protection Act should take over.
Conclusion
Data protection law is important in many contexts - computer supply contracts, the delivery of web-based services, public services and local government as well as privacy. I shall be discussing the GDPR and the Law Enforcement Data Protection Directive and how businesses can prepare for them as the 5 and 25 May 2018 approaches in NIPC Data Protection and I shall probably give at least one talk in London and the North on anything important that the GDPR preparation industry may miss. Should anyone wish to discuss this article or data protection in general, I can be reached on +44 (0)20 7404 5252 during office hours or through my contact page.