open Democracy News Analysis - Modern Liberty: privacy versus freedom: Will data protection inhibit basic rights?, David Erdos - Comments

Simon Davies on "Modern Liberty: privacy versus freedom: Will data protection inhibit basic rights?"

Simon Davies — Sun, 28 Dec 2008 13:58:22 +0000

I had not realised that attacking the Data Protection Act had become so fashionable. Assessments similar to those of David Erdos have always bubbled under the surface, but of late the chorus has grown, and sadly all too often through mischievous or malicious motivations.

I understand that David Erdos has not set out to undermine the principles of the Act, but more to point out inadequacies in its implementation and interpretation. Nevertheless, we should always be on guard against antagonists who twist such a critique to imply that the principles themselves are deficient. For all its faults – and there are many – the Act remains one of the few protections left against the steady intrusion into private life and human autonomy. The principles that underpin the legislation require strengthening through whatever means possible. In the sense that individuals’ privacy is a public right, it is crucial that all of us focus on making it work.

I am no fan of the present data protection regime, or its oversight. Indeed in a Daily Telegraph column I once described the Information Commissioner’s office as “hovering between pointlessness and uselessness”. I have also concluded that the management of some principles of the Act (particularly consent) are fraudulent and largely ineffective.

So, on these grounds I do agree with David Erdos. Where we part ways is on the analysis. The four examples he provides are specious, and do not in any way give credibility to his argument.

I do agree that the current management of the data protection register is largely pointless. The exercise has become little more than a tax on information processing. The entries in the register provide little benefit to people wanting to uphold their data protection rights, and in reality it is the absence of an entry that can provide a more potent weapon for privacy campaigners and activists. However the fault lies entirely with how the register is set up, rather than the concept of the register. Rather than it being an aid to openness, the register is unwieldy, opaque and largely unfathomable. To argue, however, that the compulsion for freelancers to register proves this point misses the bigger picture.

As for schools being banned from providing parents with the first names of school classmates, I would argue (and David Erdos hints) that this situation probably arose because of overzealous interpretation of the Act. I can provide a dozen similar examples, but such idiocy should not form the basis for a challenge against the very important core principles in the legislation. I recall British Gas arguing in 2003 that its failure to assist two elderly customers who subsequently died from hypothermia was down to the data protection act. Rubbish. The Act provides a clear exemption for use of personal information where there is risk of harm to an individual. The Information Commissioner later issued a statement advising: "In any circumstances, for example age or infirmity, where there are grounds for believing that cutting a particular household off would pose significant risk then the Data Protection Act would not prevent an energy supplier from notifying the relevant body."

David Erdos mentions the Swedish case in which a blogger was prosecuted for publishing without consent details of a parishioner’s life and activities. Too right. The person in question was not a public figure, and to the best of my knowledge had never invited such publicity. As a journalist I have always extended the courtesy – and the expectation - of consent in such circumstances. I would expect others to do the same. Would David Erdos welcome reporting and speculation of all elements of his private life without at least theoretical recourse? Such situations serve to define civilized rules of publication, rather than to dampen an open society.

I would like to comment on the Scottish Archives example, but cannot see what David Erdos is trying to say. Is he arguing that there should be a broad derogation from the principles of the Act for any information reserve the government deems fit to be in the public domain?

I dispute the assertion that the current use (or misuse) of the data protection act is a menace to human rights. Only two weeks ago the European Court of Human Rights unanimously ruled in the Marper case that the core DP principles should be upheld with regard to storage of DNA data. Equally, the court has ruled that there should be strict limitations on a wide range of surveillance activities. I would like to read a more comprehensive argument on the point he is making.

Of course I welcome any move to improve human dignity, privacy and autonomy, but not if that means calling into question the very principles that have formed the basis of limitations on the power of those who would exploit people for their own dubious motives.

Simon Davies
Director
Privacy International

Modern Liberty: privacy versus freedom: Will data protection inhibit basic rights?, David Erdos

David Erdos — Tue, 23 Dec 2008 12:21:21 +0000

David Erdos (Oxford, CSLS): The Convention on Modern Liberty scheduled for next February 28 has the potential to be a defining moment for the UK. The ad hoc team putting it together have assembled an exciting array of prominent figures allied to all the main political parties and to none. More important, the Convention will examine many pressing issues facing us in the area of human rights and executive power. Nevertheless, I am troubled. Those creating the Convention seem to have conceptualized the issue of privacy/data protection so that only one aspect of it is given any emphasis.

As you can see from the programme, the Convention will include a session co-supported by NO2ID on the Database State and one on privacy and corporations organized by the Open Rights Group and featuring the Deputy Information Commissioner (Data Protection). What does not seem to get a look in is how the UK/European Union’s data protection/privacy regime (which the Information Commissioner’s Office (ICO) manages and regulates) sits in very great tension with an open society.

In particular, data protection is posing a serious threat to the ability of people – sometimes with little other power – to exercise their fundamental human rights to freedom of expression, inquiry and information.

To take just a few recent examples, this regime has resulted in the following:

The ICO prosecuting a freelance photographer/journalist, and writing to the National Union of Journalists threatening to further prosecute such freelancers, for failing to maintain an entry on the register of data controllers. See “Data Protection Required”. Maintaining such an entry (“notification”) not only requires the individual/organization to give £35/year to the ICO but also forces them to hand over a good deal of information including their address (in some cases their home address) to be freely searchable worldwide via the internet. Moreover, the ICO openly argues that failure to notify is a criminal offence. It follows that the ICO oversees one of the most intrusive state databases in the country which paradoxically constitutes an infringement of the privacy of many of those who fall within its reach.
It has led schools to refuse to hand out even the first names of pupils to the parents of fellow classmates on the basis that this would involve the illegal release of personal information. See “Councils under fire for ban on card lists with pupils names”.
Elsewhere in Europe, it has resulted in the criminal prosecution of a Swedish parishioner, Bodil Lindqvist, for putting on her website (removed as soon as it was apparent it was causing distress) very innocuous details as regards the life of fellow volunteers at her church. The findings of Lindqvist’s guilt for processing personal data without “notification” and processing “sensitive personal data” without “authorization” were worringly confirmed by no lesser institution than the European Court of Justice – the EU’s top court!
It has resulted in the National Archives of Scotland threatening with enforcement action (apparently even criminal prosecution under section 55 of the Data Protection Act) anyone who publishes or reveals to any other person, information included in their collections about an identified or identifiable individual – even, it would appear, an important public decision-maker such as the Prime Minister! See http://www.nas.gov.uk/searchRooms/dataProtection.asp.

I believe that not all, and perhaps not most, of the developments above are correct in their analysis of privacy/data protection law. However, it is incorrect, and far too easy, to pass off these examples off as “anomalies” (there are many more well-documented – far too many to write off in this fashion) or simply due to the “abuse”, “misapplication” or “poor-implementation” of the EU’s data protection regime. The basic fact is that data protection/privacy law itself is so potentially all-encompassing in the “protections” which it grants (and, of course, the responsibilities and restrictions it thereby, and additionally, enforces) as to be a great menace to human rights.

Moreover, much of the “misapplication” which occurs is unfortunately almost to be expected in today’s risk-adverse regulatory environment (especially in large parts of the public and charity sector). Creating more and more formalized “protections” and more paranoia about contraventions of them will only further entrench this culture. It is also clear to me that, to a large extent, the UK’s “poor-implementation” of the EU’s data protection regime is a blessing (albeit it small) rather than a curse.

What the European Commission and the ICO are clearly pushing for is an even broader definition of “personal data” and even more draconian regulatory powers. This would make matters worse not better. For example, if the changes which the ICO have recently been pushing for had been granted (rather than partially suspended) then users of the Scottish National Archives would be being threatened not only with potential prosecution with the possibility of an unlimited fine but prosecution with the possibility of a two-year prison sentence! Finally, it is no lesser a body than the EU’s highest court which has, notably through the Lindqvist case, issued legal interpretations which put data protection on a collision course with freedom of expression.

People in power are going to be extremely reluctant about a debate about fundamentally reforming the European privacy/data protection regime for a whole number of questionable reasons including, firstly, the fact that it is now super-glued in and entrenched at a pan-European level and, secondly, that in today’s climate many people, in a knee-jerk sort of way, demand more and more “protections” without realising or thinking through the implications of what they are asking for. All those who care about liberty (modern or otherwise), however, should consider it is imperative that a really wide and clear debate is started on these issues. We can call the bluff of our self-appointed guardians and work for a radically new understanding of the role of regulation - one which preserves, rather than destroys, human dignity and autonomy.