David Erdos (Oxford, CSLS): The Convention on Modern Liberty scheduled for next February 28 has the potential to be a defining moment for the UK. The ad hoc team putting it together have assembled an exciting array of prominent figures allied to all the main political parties and to none. More important, the Convention will examine many pressing issues facing us in the area of human rights and executive power. Nevertheless, I am troubled. Those creating the Convention seem to have conceptualized the issue of privacy/data protection so that only one aspect of it is given any emphasis.
As you can see from the programme, the Convention will include a session co-supported by NO2ID on the Database State and one on privacy and corporations organized by the Open Rights Group and featuring the Deputy Information Commissioner (Data Protection). What does not seem to get a look in is how the UK/European Union’s data protection/privacy regime (which the Information Commissioner’s Office (ICO) manages and regulates) sits in very great tension with an open society.
In particular, data protection is posing a serious threat to the ability of people – sometimes with little other power – to exercise their fundamental human rights to freedom of expression, inquiry and information.
To take just a few recent examples, this regime has resulted in the following:
- The ICO prosecuting a freelance photographer/journalist, and writing to the National Union of Journalists threatening to further prosecute such freelancers, for failing to maintain an entry on the register of data controllers. See “Data Protection Required”. Maintaining such an entry (“notification”) not only requires the individual/organization to give £35/year to the ICO but also forces them to hand over a good deal of information including their address (in some cases their home address) to be freely searchable worldwide via the internet. Moreover, the ICO openly argues that failure to notify is a criminal offence. It follows that the ICO oversees one of the most intrusive state databases in the country which paradoxically constitutes an infringement of the privacy of many of those who fall within its reach.
- It has led schools to refuse to hand out even the first names of pupils to the parents of fellow classmates on the basis that this would involve the illegal release of personal information. See “Councils under fire for ban on card lists with pupils names”.
- Elsewhere in Europe, it has resulted in the criminal prosecution of a Swedish parishioner, Bodil Lindqvist, for putting on her website (removed as soon as it was apparent it was causing distress) very innocuous details as regards the life of fellow volunteers at her church. The findings of Lindqvist’s guilt for processing personal data without “notification” and processing “sensitive personal data” without “authorization” were worringly confirmed by no lesser institution than the European Court of Justice – the EU’s top court!
- It has resulted in the National Archives of Scotland threatening with enforcement action (apparently even criminal prosecution under section 55 of the Data Protection Act) anyone who publishes or reveals to any other person, information included in their collections about an identified or identifiable individual – even, it would appear, an important public decision-maker such as the Prime Minister! See http://www.nas.gov.uk/searchRooms/dataProtection.asp.
I believe that not all, and perhaps not most, of the developments above are correct in their analysis of privacy/data protection law. However, it is incorrect, and far too easy, to pass off these examples off as “anomalies” (there are many more well-documented – far too many to write off in this fashion) or simply due to the “abuse”, “misapplication” or “poor-implementation” of the EU’s data protection regime. The basic fact is that data protection/privacy law itself is so potentially all-encompassing in the “protections” which it grants (and, of course, the responsibilities and restrictions it thereby, and additionally, enforces) as to be a great menace to human rights.
Moreover, much of the “misapplication” which occurs is unfortunately almost to be expected in today’s risk-adverse regulatory environment (especially in large parts of the public and charity sector). Creating more and more formalized “protections” and more paranoia about contraventions of them will only further entrench this culture. It is also clear to me that, to a large extent, the UK’s “poor-implementation” of the EU’s data protection regime is a blessing (albeit it small) rather than a curse.
What the European Commission and the ICO are clearly pushing for is an even broader definition of “personal data” and even more draconian regulatory powers. This would make matters worse not better. For example, if the changes which the ICO have recently been pushing for had been granted (rather than partially suspended) then users of the Scottish National Archives would be being threatened not only with potential prosecution with the possibility of an unlimited fine but prosecution with the possibility of a two-year prison sentence! Finally, it is no lesser a body than the EU’s highest court which has, notably through the Lindqvist case, issued legal interpretations which put data protection on a collision course with freedom of expression.
People in power are going to be extremely reluctant about a debate about fundamentally reforming the European privacy/data protection regime for a whole number of questionable reasons including, firstly, the fact that it is now super-glued in and entrenched at a pan-European level and, secondly, that in today’s climate many people, in a knee-jerk sort of way, demand more and more “protections” without realising or thinking through the implications of what they are asking for. All those who care about liberty (modern or otherwise), however, should consider it is imperative that a really wide and clear debate is started on these issues. We can call the bluff of our self-appointed guardians and work for a radically new understanding of the role of regulation - one which preserves, rather than destroys, human dignity and autonomy.