Tilting at Windmills - Has the New Data Protection Law failed to make a Significant Contribution to Rights of Privacy?
Dr David Bainbridge and Mr Graham Pearce
Aston Business School, Aston University, Birmingham, UK
1. See, for example, Markesinis, B.S. 'Our Patchy Law of Privacy - Time to do Something about it', (1990) 53 MLR 802.
2. The reproduction of text and images relating to individuals may be controlled by the owner of the copyright and there is a moral right not to have a work falsely attributed and a right of privacy in respect of photographs and films commissioned for private and domestic use.
3. For example, Sim v H J Heinz Co Ltd  1 All ER 547, McCullogh v Lewis A May Ltd (1948) 65 RPC 58 and Bernstein v Skyviews and General Ltd  QB 479.
4. Agreed by the Council of Europe on 4 November 1950.
5. Data protection laws are a form of privacy, '... in principle, in practice and in legal form'. Aldhouse, F. G. B. 'Data protection, privacy and the media',  4(1) Communications Law , 8 at 15.
6. The term used in the Act to describe persons who controlled the contents and use of personal data, equivalent to 'data controller' under the 1998 Act.
7. The principles, which derive from the Council of Europe Convention, are contained in Schedule 1 to the 1984 Act. The key principle is the first, which requires personal data to be obtained and processed fairly and lawfully.
8. Under the 1984 Act, the vast majority of prosecutions concerned a failure to register rather than processing outside the scope of the registered details. Each year there are only a handful of other prosecutions, and enforcement notices under the Act are relatively rare.
9. The Data Protection Registrar was renamed the Data Protection Commissioner under the 1998 Act.
10. OJ L281, 23.11.95, p.31. The Directive required Member States to comply by 24 October 1998.
11. Recital 2 reinforces this by stating that data processing systems must '... whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals.'
12. This must include the situation where the data originally have been collected directly from the data subject but are now to be disclosed to a third party, for example, where one data controller provides a copy of his customer database to another data controller.
13. Referred to as a 'data subject' under the Directive and the Data Protection Act 1998.
14. Specific exceptions are laid down in the Data Protection Act 1998 and include national security, the prevention or detection of crime, management forecasts and negotiations with the data subject. In most cases, these exceptions only apply if to comply would be likely to prejudice the particular activity concerned.
15. Exemptions from notification are afforded in respect of staff administration, advertising, marketing and public relations, accounts and records, and processing by non-profit-making organisations. The exemptions are limited to relevant purposes and disclosures required by law.
16. Part II of Schedule 1 contains provisions for interpretation of the data protection principles.
17. In the Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000, further requirements are placed on the data controller who relies on disproportionate effort.
18. As processing includes obtaining data under section 1(1), where the data are obtained from the data subject, he must be informed at that time and not later.
19. Home Office (1997) Data Protection: The Government's Proposals, Cm 3725 at para.3.11.
20. The register is available on the Data Protection Registrar's Web Site at <http://www.open.gov.uk/dpr/dprhome.htm>. Note: under the Act the Registrar is renamed the Data Protection Commissioner and, consequently, the address may change.
21. Because the information provided is more extensive than before and individuals making subject access requests may not realise that, the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 treat a request for any information required to be given as extending to other information required to be given, with the exception of the logic involved in any automatic decision-taking, unless the individual makes it clear that he wants such information.
22. It is £2 in respect of applications to credit reference agencies if limited to financial standing and there is a sliding scale as regards subject access to educational records where a permanent copy is handed over, rising to a maximum of £50; Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000.
23. The notice was amended by the Tribunal to allow the use of such data where there was a link between the data subject and the third party, such as a close family tie or financial relationship.
24. Article 15(1). The Directive added the word 'etc.' to the list of circumstances and also includes decisions having 'legal effects' in addition to those significantly affecting the data subject.
25. Of course, 'trade secret' is a very imprecise term in any case. See Coleman, A, (1992) The Legal Protection of Trade Secrets (London: Sweet & Maxwell), Chapter 2. In Herbert Morris Ltd v Saxelby  1 AC 688, Lord Atkinson gave a tautologous definition of trade secrets as (at 705), '... trade secrets, such as prices, &c., or any secret process or things of a nature which the man [the defendant] was not entitled to reveal'.
26. (1990) 12 EHRR 36. The litigation in England pre-dated the coming into force of the relevant provisions of the Data Protection Act 1984.
27. Inspecting the register entries might give some insight into which of the registrations would be relevant for the data subject to apply for access.
28. However, for credit reference agencies limited to personal data relating to an individual's financial standing, the maximum period is only seven working days; reg. 4 of the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000.
29. Any failure to comply with a subject access request may result in a court order ordering compliance, section 7(9).
30. Data Protection Registrar, Fourteenth Annual Report, (London: Stationery Office, 1998) at 21 & 54.
31. Most offences under the 1984 Act were triable either way but were almost invariably prosecuted in the Magistrates' Courts. In the last five years there was not a single example of a prosecution being brought in the Crown Court.
32. Data Protection Registrar, Thirteenth Annual Report, (London: Stationery Office, 1997) at 46. This was in respect of the offence of failing to register under section 5(1) of the Data Protection Act 1984.
33. In one case, a Clerk to the Justices was prosecuted under section 5(1) of the 1984 Act and was, unsurprisingly, given an absolute discharge, Data Protection Registrar, Fourteenth Annual Report, (London: Stationery Office, 1998) at 54.
34. In para 10 of Part II of Schedule 1 (interpretation of the seventh data protection principle), data controllers are under an obligation to ensure the reliability of employees having access to personal data and, under para 11, data processors processing data on behalf of the data controller are required to process under a contract made or evidenced in writing which imposes security obligations equivalent to those the data controller is under by virtue of the seventh principle.
35. Press release, Office of the Data Protection Registrar, 15 July 1998.
36. Data Protection Registrar, Fourteenth Annual Report, (London: Stationery Office, 1998) at 24. Presumably this figure includes registered computer bureaux.
37. See for example, Equifax Europe Ltd v Data Protection Registrar, supra.
38. The Data Protection Registrar considered that disclosure of white data and grey data without the consent of the data subject did not fall within the third Tournier exception; Data Protection Registrar, Tenth Annual Report (London, HMSO, 1994) at 66.
39. Ibid., at 24. In the year to March 1994, there were some 11,500 subject access requests made in respect of the Police National Computer System, the majority of which were believed to be enforced subject access requests.
40. The Code of Practice for Data Protection used by the Association of Chief Police Officers generally requires 'reportable' offences to be retained for 20 years, even though they may be spent convictions.
41. The judge expressed his sympathy for R, whom he described as having lived down his conviction, gained a series of academic and professional qualifications and subsequently led an exemplary and productive life.
42. The Bill had its first reading (in the House of Lords) on 14 January 1998.
43. Part V of the Police Act 1997, yet to be brought into force, contains provisions relating to certificates of criminal records.
44. This is stated in the explanatory note to the Data Protection Act 1998 (Commencement Order) 2000.
45. A health record is one containing information relating to the physical or mental health or condition of an individual which was made by or on behalf of a health professional. 'Health professional' is widely defined in section 69.
46. The organisation will be technically outside the jurisdiction of the English courts and, if the requirement is imposed through a Consul, he should be able to rely on diplomatic immunity.
47. Home Office (1996) Consultation Paper on the EC Data Protection Directive, at 30.
48. Section 3. Unlike the Data Protection Directive and the 1998 Act, there were no specific provisions in the 1984 Act in relation to processing for such purposes.
49. Regard is to be had to the special importance of the public interest in freedom of expression. This must be taken to be a far-reaching public interest.
50. Per Lord Atkin in Sim v Stretch  2 All ER 1237.
51. They would have been unlikely to submit themselves to the vagaries and uncertainty of a libel action otherwise.
52. See, for example, Sim v H J Heinz Co Ltd  1 All ER 547 (another actor mimicking Alistair Sim's voice in an advertisement for Heinz Baked Beans) and McCullogh v Lewis A May Ltd (1948) 65 RPC 58 (the 'Uncle Mac' case).
53. Per Foster J in Morning Star Cooperative Society Ltd v Express Newspapers Ltd  FSR 113.
54. Notwithstanding Lego Systems A/S v Lego M Lemelstrich Ltd  FSR 155 (plastic drainage pipes and children's plastic building bricks), a common field of activity is still important, particularly in terms of whether there is confusion; Nice and Safe Attitude Ltd v Piers Flook  FSR 14.
55. A dictionary meaning is 'something told or knowledge', Concise Oxford Dictionary, (1995) 9th edition, Clarendon Press: Oxford.
56. However, recital 16 limits the scope of this by excluding processing, such as video surveillance, carried out for the purposes of public security, defence, national security or State activities relating to criminal law or other activities outside the scope of Community law.
57. Section 10(1). The very wide definition of 'processing' will cover virtually any operation with the image data. A possible limitation is if the data are not processed automatically. To be caught by the Act, they would have to be in a relevant filing system, that is, structured by reference to the individual in such a way as to allow easy access to the data. However, given the widespread use of information technology by the media it is almost certain that automatic processing would be involved at some stage of the process of preparing and printing the newspaper in which the images appeared.
58. Article 2(a) defines personal data as 'any information relating to an identified or identifiable natural person ...'. A deceased person may be described as unnatural or, perhaps, supernatural. Recital 10 to the Directive refers to Article 8 of the European Convention on Human Rights (right to respect for private and family life) but this does not seem to countenance deceased persons. This Convention will soon be incorporated into law in the United Kingdom by virtue of the Human Rights Act 1998. In the copyright case of Cummins v Bond  1 Ch 167, the judge declined to widen his inquiry as to the proper author of a work created during a séance to persons who were long since deceased.
59. Section 84 of the Copyright, Designs and Patents Act 1988.
60. Section 95(5) of the Copyright, Designs and Patents Act 1988.
61. Member States are required to take necessary measures to ensure that data subjects are aware of the existence of their rights in respect of direct marketing; Article 14.
62. Which is a voluntary scheme whereby lists of persons who do not wish to receive direct marketing are circulated amongst organisations. An equivalent scheme exists for 'tele-sales', the Telephone Preference Scheme.
63. As in Equifax Europe Ltd v Data Protection Registrar, supra.
64. 'Sensitive personal data' is defined in section 2 as meaning personal data consisting of information as to the racial or ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union (within the meaning of the Trade Unions and Labour Relations (Consolidation) Act 1992), his physical or mental health or condition, his sexual life, the commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
65. A third country is one outside the European Economic Area. The term 'third country' is not used in the Act but derives from the Directive, see Articles 25 and 26.
66. Data Protection Registrar, Fourteenth Annual Report, (London: Stationery Office, 1998).
67. Section 3(2)(a) Human Rights Act 1998.
68. The Convention came into force in Scotland during May 1999. Article 6 requires that everyone is entitled to a fair trial before an independent and impartial tribunal established by law. Some sheriffs in Scotland are appointed on short term contracts by the Lord Advocate and consequently their impartiality is questionable, The Economist, 20 November 1999. The same issue will apply in England and Wales in respect of some recorders and stipendiaries.
69. By the time the Directive was adopted, few people realised the impact the Internet would have. It poses all sorts of problems in relation to the capture and transfer of personal data and the Directive's provisions on transfers to countries outside the European Economic Area not having adequate protection for personal data look particularly dated and ineffective, especially in the context of global e-commerce.
70. For example, by making use of the provisions on Data Protection Supervisors employed by data controllers. The power to make provisions for these under section 23 of the Data Protection Act 1998 has not yet been exercised and is unlikely to be used in the immediate future.
71. A serious omission from the Act (and Directive) is that data controllers are not required to notify transfers within the European Economic Area. It is probable that most individuals would wish to know if data relating to them are to be transferred to another European country, even if there are no barriers to such transfers.
72. Until the register under the 1984 Act was made available on the Internet, inspecting the register required a trip to the Office of the Data Protection Registrar in Wilmslow. Certified entries from the register could be obtained for £2 each. It is unlikely that the register is consulted very frequently.
73. See, for example, MS v Sweden  ERLR 115 (transfer of medical data), Leander v Sweden (1987) 9 EHRR ## (release of secret police information) and Malone v United Kingdom (1982) 5 EHRR 385 (telephone tap).
74. Data Protection Registrar, Fifteenth Annual Report (London: Stationery Office, 1999) at 34. Unfortunately, there are no figures available as to the number of court actions brought by individuals under the 1984 Act although it is reasonable to assume that the numbers were very small.
75. Data Protection Registrar, Fifteenth Annual Report (London: Stationery Office, 1999) at 43.