Rosemary Jay is a Senior Consultant at Masons (Manchester) and was formerly Adviser to the Data Protection Registrar. She may be contacted at rosemary.jay@masons.com.
Implementation of the Directives
The Data Protection Act 1998, the Telecommunication (Data Protection and Privacy) Regulations 1999 and the various statutory instruments supporting the legislation which had previously been issued in draft came into force on 1 March. With this package of measures the UK has all but concluded its implementation of the two data protection directives, 95/46 EC and 97/66 EC. However Article 5 of 66/98 EC, which deals with the interception of telecommunications remains to be implemented.
Article 5 requires Member States to ensure, via national regulations, the confidentiality of communications by means of a public telecommunications network and publicly available telecommunications services. In particular they must prohibit listening, tapping, storage or other kinds of storage or surveillance of communications, by others than users, without the consent of the users concerned, except where legally authorised in accordance with Article 14(1). This prohibition does not affect any legally authorised recording of communications in the course of lawful business practice for the purposes of providing evidence of a commercial transaction or other business communication. Article 5 applies only to publicly available telecommunications services and public networks. It will not apply to a private network even if the private network is connected to a public one.
Article 14 sets out the grounds which will justify the interception of calls on public telephones. These are the safeguarding of national security, defence, public security, the prevention, investigation detection or prosecution of criminal offences or of unauthorised use of the telecommunications system. Such interceptions must be in accordance with law. The implementation of this remaining requirement is to be dealt with in the Regulation of Investigatory Powers (RIP) Bill which will alter the legal basis for telephone tapping in the UK.
The current provisions in the UK law are found in the Interception of Communications Act 1985 (IOCA). Section 1 of IOCA makes it an offence to intercept intentionally a communication in the course of transmission by a public telecommunications system unless it is done under a warrant issued by the Secretary of State or the interceptor has reasonable grounds for believing that either the sender or the recipient has consented to the interception. The IOCA is to be repealed by the RIP. It will become an offence to intercept any communication on a public telecommunications system without the consent of the controller of the system or other lawful authority. Lawful authority may be found in a warrant. Even where the interception is carried out with the consent of the controller of the system it will be actionable by the recipient or the sender unless it also has their consent or is based on one of a number of specified grounds. The grounds are to be set out in regulations. Under the regulations the Secretary of State may authorise such conduct as appears to him to constitute a legitimate business practice reasonably required for the purpose, in connection with the carrying on of any business, of monitoring or keeping a record of communications by means of which transactions are entered into in the course of business or other communications relating to the business or taking place in the course of the business.
No further draft SIs have been issued although consideration is apparently still being given to the questions of general identifiers and prior notification. Two of the existing SIs will require minor amendments: to alter a reference to a press code and to include voluntary adoption agencies. However these are administrative matters rather than ones of substance.
Guidance issued by the Registrar
We understand that revised guidance on the telecommunications regulations, a revised Introduction to the Act and guidance on third-party data and subject access are due out in June. However no new formal Guidance has emerged from the Commissioner’s Office since the date of the last column (in January). Resource has been concentrated instead on education and awareness raising, including the launch of a training video, called ‘Barry’s Bad Data Day’. The video lasts about half an hour and in it actors play out a day in which every possible data disaster befalls a well-meaning but unaware accounts manager (Barry). After each incident we see Barry sitting in the pub explaining what went wrong and drawing out the data protection implications over a well earned pint. Eventually his problems are solved by the production of a proper data protection policy following which he appears to live compliantly ever after. While it may not make Cannes, the video is a clear, simply presented and watchable introduction which is likely to be a useful additional tool in staff training. One copy per data controller is available free from the Commissioner’s office.
The Commissioner has launched an ‘Information Padlock’ in conjunction with the National Consumer Council. This is an interesting idea. It consists of a graphic signpost to be used by organisations collecting personal data. It is to be used to direct people to explanations of how their information will be used. Details are available on the Commissioner’s Web site which also now includes information about assessments and notification.
A report on the ‘Availability and use of Personal Information in Public Registers’ has been published by the Commissioner’s office. The Report examines how information is made available in public registers and considers their impact on personal privacy protection.
Safe Harbours
The EU and the US are nearing formal agreement on the Safe Harbour principles. Speaking at an open forum in Brussels, John Mogg of the Commission said that it is anticipated that the formal processes involving adoption by the Commission will be completed by summer. The principles are voluntary and organisations can qualify to claim the benefit of them in several ways. If they adopt the principles they must publicly declare that they have done so.
European Codes
Three Codes of Practice have now been submitted to the Article 30 Working Group under the Directive. They are from IATA, FEDMA and AESC ( Association of Executive Search Consultants). The European Committee for Standardisation (CEN) held an open workshop in Brussels on 22/23 March to discuss the possibility of developing a European Code on data protection based on the code produced by the International Commerce Exchange. It is understood that CEN will be carrying out some further work in this area.
Case Law
Eastweek Publisher Limited and Eastweek Limited Applicants and Privacy Commissioner for Personal Data Respondent CACV 331/1999 judgment delivered 28 March 2000
The High Court in Hong Kong has heard a case on the meaning of the term ‘personal data’ in the Personal Data (Privacy) Ordinance (‘the Ordinance’). The Court held that a photograph of a lady taken in the street and published in a fashion magazine where the publisher did not know and did not seek to know the name or other particulars of information about the lady was not personal data within the meaning of the Ordinance. The case hinged on the following definition of personal data in the Ordinance:
‘Personal data means any data:
(a) relating directly or indirectly to a living individual
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained
(c) in a form in which access to or processing of the data is practicable’.
Despite a strong dissenting judgment from Wong JA, the court held that the photograph was not personal data as the data controller (in this case the publisher) had no interest in the identity of the individual. It was not practicable for the identity of the individual to be ascertained by the publisher on the information he held and he had no intention of altering that position. The fact that the identity of the individual was ascertainable by others who already knew her or could be by one determined to find her did not alter the case.
This central point was clearly expressed by Godfrey VP agreeing with the main judgment, in the following terms:
‘… it is of the essence of an act of personal data collection that the data user must thereby be compiling information about a person already identified or about a person whom the data user intends or seeks to identify. I know this is not expressly spelt out in the legislation but I am satisfied from the way in which the legislation is framed that this is its underlying purpose, and that it was never intended to apply to the sort of factual situation which we have here.’
The court took considerable pains to make clear what it was not deciding in this case. It explained that it was not deciding that a photograph could never be personal data, nor was it saying there was no breach of the individual’s privacy, nor that the media were outside the scope of the Ordinance.
The report makes clear that the point was not argued by the parties until the High Court hearing and it appears to have been accepted by both sides in the early stages that personal data was involved.
If a similar case were to come before the UK courts the case could be referred to in argument. The decision is based on a very similar statutory provision to that in the UK law and the Ordinance was passed in the light of the European Directive with considerations of adequacy in mind. The wording of the equivalent UK section definition is, if anything, narrower than the Ordinance on the point, as it reads:
‘Personal data means data which relate to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…’
Concern has been expressed that the definition as transcribed into the UK law might fail to meet the Directive unless a wide meaning is given to the concept of identification. The Directive employs a wider formulation as follows:
‘Personal data shall mean any information relating to an identified or identifiable natural person (‘‘data subject’’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’.
Under the Directive the question of identifiability is left at large. It does not appear to be restricted to cases where the data subject is identifiable by the data controller. As the obligation of the UK court would be to give effect to the Directive, they would be more likely to follow the reasoning set out in the dissenting judgment in this case.
R v Broadcasting Standards Commission ex parte British Broadcasting Corporation
In this case the Court of Appeal held on 6 April that the Broadcasting Act 1996 could be used to protect the activities of a company from unwarranted intrusion. A company could therefore bring a complaint of unwarranted infringement of its privacy in respect of secret filming of transactions in its stores. The case was an appeal from a judgment of the High Court which had held that the meaning of the term ‘privacy’ in the 1996 Act was ambiguous and relied on the European Convention on Human Rights to resolve the ambiguity. Applying this approach the High Court had held that, as Article 8 of the Convention (which protects private and family life, home and correspondence) did not apply to companies, the Broadcasting Act should be interpreted accordingly. The judge further held in the High Court that there could be no infringement of privacy by the mere fact of surreptitious filming of an event in public if there was no element of seclusion in the event being filmed. The Court of Appeal appears to have also overruled this aspect of the judgment and held that secret filming could be an unwarranted intrusion into privacy even if the events filmed were not conducted in particular confidence or secrecy.
R v Secretary of State for Health ex parte C
In this case the Court of Appeal decision deals with privacy issues in a very different way. The Department of Health had listed an individual on a list, the Consultancy Service Index, maintained by the Department on people in respect of whom there were concerns about their suitability for working with children. There are relevant provisions in the Protection of Children Act 1999 which would give a statutory basis for such a list however these have not yet been brought into force and the Index is run currently on a non-statutory basis. Potential employers are encouraged to consult the list when offering positions to those working with children. The applicant claimed that the maintenance of the list was ultra vires as there was no statutory basis for it. He also claimed it breached his right under Article 6 of the ECHR because it was determinative of a civil right and he had no appeal against inclusion. The Court did not consider Article 8. The Court rejected his claim. It reiterated the view that the Crown has the same powers as a natural person but must not act so as to interfere with the rights or liberties of others without a lawful basis. As the applicant did not have a right to a job, the maintenance of the list did not interfere with any right.
Amman v Switzerland ECHR
On 16 February the European Court of Human Rights delivered judgment in a similar type of case but with a very different result. In this case the applicant was an importer of depilatory machines who had been telephoned by a woman from the former Soviet Embassy enquiring about an appliance. The telephone call was intercepted by the authorities and an investigation into the applicant followed. A record was then maintained by the authorities on the applicant which indicated that he had contacts with the Russian Embassy and was involved in espionage. When the applicant discovered the existence of the record, a decade later, he sought full disclosure of the record and compensation. The Swiss court refused and he took his case to Strasbourg. The European Court of Human Rights decided that the interception and the maintenance of the record amounted to an interference with the applicant’s private life. It held that the law relating to the interception was not sufficiently precise and therefore the interception had not been in accordance with law and there had been a violation. In respect of the maintenance of the record the Court reiterated that the storing of information by a public authority of data relating to him amounted in itself to an interference with private life within the meaning of Article 8. The subsequent use of the information had no bearing on that finding, nor did the nature of the information or the question of whether the storage led to any effect on the individual. The storage would breach Article 8 unless it was in accordance with the law, pursued one of the legitimate aims in paragraph 2 of Article 8 and was necessary in a democratic society to achieve those aims. The Court considered that the relevant legal provisions did not contain specific and detailed provisions on the gathering, recording and storing of information. It also pointed out that domestic law expressly provided that documents which were no longer necessary should be destroyed but these had not been. The Court determined that there had been a violation of the applicant’s Article 8 rights.
Khan v United Kingdom (Application No 35394/97)
The European Court of Human Rights followed the same line in this case, reported in The Times on 23 May. The applicant had been convicted on the basis of information obtained by covert surveillance in the UK at a time when the law did not regulate the use of covert surveillance devices. It was not disputed that the surveillance amounted to an interference with the applicant’s right to private life; the issues were whether it was conducted ‘in accordance with law’ and was ‘necessary in a democratic society’. The court held that domestic law must provide protection against interference with an individual’s right to private and family life and the law must be sufficiently clear in its terms. As the UK law did not regulate this area, there was a violation of Article 8. As noted above, the RIP Bill will deal with this problem for the future.