OVERVIEW AND HISTORY OF DATA PROTECTION LAWS

The DPA forms part of a comprehensive and harmonized European legal framework for the regulation of the processing of personal data. This framework is a consequence of work done by the Council of Europe and the EC. Of course, data protection laws can be found outside of Europe too.

The two principal aims of data protection laws

Wherever they are found, data protection laws have two principal aims. These are:

  • The protection of privacy during the processing of personal data.

  • The maintenance of free flows of personal data between countries. This requires the elimination of obstacles to the free flow of personal data between countries that are based solely on the protection of privacy.

These dual aims certainly appear to be in conflict (privacy of personal information v. the free flow of it), but data protection laws have to deal with the realities of modern life, which include the fact that free flows of personal information are vital to the economy and to the effective performance of public functions, hence they must be maintained. Maintaining free flows of personal data obviously interferes with personal privacy, so the law compensates for the interference by requiring a high level of protection for the privacy of personal data undergoing processing. The high level of protection is that prescribed by data protection laws themselves, which put in place strong mechanisms to prevent unfair or unlawful processing. Ensuring a high level of protection for the privacy of personal data that is undergoing processing is a prerequisite to the continuance of free flows of personal data.

Putting the same point differently, the law will allow a person to transfer data to another person or to another country provided that the transferor meets the minimum standards prescribed by the law.

Laws in Europe should be in harmony – the reason for Council of Europe and EC activity

The Council of Europe and the EC are the two organizations responsible for the development of data protection laws in Europe. These organizations are separate and distinct. The Council of Europe, founded in 1949, is essentially a human rights organization consisting of 46 European Member States. The other organization, the EC, started life as the European Economic Community in 1957 and it currently has 25 Member States. The UK, like all other EC Member States, is a member of both organizations and the DPA gives effect to the requirements of the data protection laws of both organizations, namely the Data Protection Convention and the Data Protection Directive.

The Council of Europe and the EC have taken the lead in the development of data protection laws within Europe due to the fact that European governments recognize that there need to be harmonized data protection laws across Europe in order to achieve the two principal aims of data protection, namely the protection of privacy and the maintenance of free flows of personal data.

The need for harmonization of laws is explained by the fact that a key theory within data protection laws is that differences in the levels of protection for privacy offered by national laws can cause obstacles to the free flow of personal data between countries, that is, a country with a high level of protection for privacy could impede the flow of personal data to a country with weaker protection. The harmonization of laws addresses this problem, because where laws are harmonized the scope for differences between countries on fundamental issues is removed.

It would be a mistake to fall into the trap of thinking that the harmonization process requires the national laws of the countries within the area of harmonization to be exactly the same. Harmonization is not meant to achieve exactness in the laws of each participating country. In fact, despite harmonization, participating countries have a wide margin for manoeuvre, with the result that differences in national laws are still being detected. For instance, penalties for breach of data protection laws differ from country to country.

The protection of privacy

Privacy is a very wide concept. It includes the private space (such as the home), private items (such as letters and photographs), private relationships (such as sexual relationships) and private information (such as information about people).

The right to respect for personal privacy is a recognized human right. Within Europe the principal human rights law is the European Convention for the Protection of Human Rights and Fundamental Freedoms of 1950 (or the ‘ECHR’ for short). The ECHR has been incorporated into UK law by the Human Rights Act 1998.

Article 8 of the ECHR protects the right to privacy and provides the founding principles upon which European data protection laws are built. It says:

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.

  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.


It often comes as a surprise to learn that neither the DPA nor the Data Protection Convention nor the Data Protection Directive has tried to define the meaning of the word privacy. Thus, we need to look elsewhere for a definition.

Concepts within privacy – informational and substantive privacy

One early definition of privacy that still holds well is that it is a ‘right to be let alone’.[5] This definition is supported by two newer concepts, ‘substantive privacy’ and ‘informational privacy’. The theory behind substantive privacy is that people should be free to make substantive decisions about how they lead their lives, free from interference by the State or by others. The theory behind informational privacy is that people should be able to control the flow of information about them. These two concepts are interconnected and a state of informational privacy is often a prerequisite to enjoyment of substantive privacy.

To illustrate, imagine a country passing a law to ban the practice of a particular religion. Such a ban interferes with substantive privacy, that is, the freedom of individuals to choose to practise the religion. The State’s interference with substantive privacy will not be enough to completely eradicate the religion, however, as devotees will practise in private, out of view of the State. If the State really wants to eradicate the religion, it will also need to identify who is practising the religion, which means interfering with informational privacy.

Privacy versus other rights and interests

The right to privacy is not an absolute right in the sense that it does not transcend all other rights and interests. Instead, the right to privacy is one of many competing interests and it is the law’s job to find an appropriate balance between them. This is why Article 8.2 of the ECHR allows interference with the right to privacy by public authorities where the interference ‘is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others’.

Another competing interest is freedom of expression, which is also a human right. Freedom of expression is a powerful friend of journalists and publishers who rely upon its terms to justify the publication of personal information, with the justification being that a free press is in the public interest. Article 10 of the ECHR says the following about freedom of expression:

Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.


Recent cases on the meaning of privacy

Although there is no universally agreed definition of privacy, in most cases the difficulty does not lie in deciding whether information is private, but, rather, whether the interference with privacy was lawful. Indeed, in a very important case, A v. B & C,[6] Lord Woolf said:

the question of whether there is an interest capable of being the subject of a claim for privacy should not be allowed to be the subject of detailed argument … In those cases in which the answer is not obvious, an answer will often be unnecessary.


The difficult issue, whether the interference with privacy is lawful, is the issue to which data protection laws are addressed; that is, they seek to strike a balance between the privacy rights of the individual and the rights and interests of data controllers as far as the processing of personal data is concerned.

The following series of recent cases illustrates the fact that a wide variety of information can be said to be private:

  • In 2003 the European Court of Human Rights decided in the case of Peck v. United Kingdom [7] that CCTV footage showing Mr Peck attempting to commit suicide in the street contained private information. This was despite the fact that his suicide attempt was in a public place.

  • In 2004 the UK House of Lords decided in the case of Campbell v. Mirror Group Newspapers [8] that covertly taken photographs showing the claimant outside premises where a Narcotics Anonymous meeting was held contained private information. This was despite the fact that the defendant enjoyed a legitimate press right to publish a story about the claimant’s attendance at Narcotics Anonymous in light of her previous denials of drug abuse.

  • In 2004 the European Court of Human Rights decided in the case of Von Hannover v. Germany [9] that covertly taken photographs of the claimant in a French restaurant with a companion contained private information.

  • In 2005 the UK Court of Appeal held in the case of Douglas v. Hello! Ltd (No 2) [10] that covertly taken photographs at the claimants’ wedding contained private information, despite the fact that the claimants were under contract with a magazine for publication of wedding photographs.

In the case of Douglas v. Hello! Ltd (No 2) Lord Phillips addressed the question ‘what is the nature of private information’. His answer was:

What is the nature of ‘private information’? It seems to us that it must include information that is personal to the person who possesses it and that he does not intend shall be imparted to the general public. The nature of the information, or the form in which it is kept, may suffice to make it plain that the information satisfies these criteria.


The relationship between the ECHR and the DPA, including protections for manual data

It is important to recognize that the connection between the ECHR and European data protection laws is inviolable. Data protection laws are best regarded as modified privacy laws, in the sense that they build upon the right to respect for privacy contained in Article 8 of the ECHR, in order to provide clearer protections for the privacy of personal data undergoing processing. In the UK, because of the Human Rights Act 1998, the courts and the Information Commissioner are obliged when interpreting the DPA to ensure that their interpretations are compatible with the ECHR. Every court case commenced under the DPA can also be brought under the Human Rights Act.

If data protection laws are viewed in their wider context it will be seen that despite the limitation they place on the protections for the manual processing of personal data, privacy in manual data is generally protected due to the right to privacy within Article 8 of the ECHR. In the UK a breach of confidence action can be used to protect the right to privacy if in the circumstances of the case the data subject has a reasonable expectation of privacy. UK law has moved on significantly since the introduction of the Human Rights Act and clarification of the fact that the protections in Article 8 of the ECHR extend to threats from the private sector.

The emergence of European data protection laws – law making to protect privacy

The first European data protection law was a regional law passed by the German State of Hesse in 1970 (the first national data protection law was introduced by Sweden in 1973), but the movement towards European data protection laws actually began in the late 1960s after it had become appreciated that scientific and technological advances, particularly the invention of the semi-conductor chip and increasing computerization within the private sector, posed new threats to personal privacy; it was foreseen that computers would be able to automatically process personal data in unprecedented ways, in unprecedented volumes and at unprecedented speeds. The passage below, taken from a Council of Europe Recommendation from 1968 [11], provides a fascinating insight into the nature of the concerns at the beginning of the development of data protection laws:

newly developed techniques such as phone-tapping, eavesdropping, surreptitious observation, the illegitimate use of official statistical and similar surveys to obtain private information, and subliminal advertising and propaganda are a threat to the rights and freedoms of individuals and, in particular, to the right to privacy …


These new threats led to calls for new laws to protect privacy within the context of the automated processing of personal data stemming from worries about the adequacy of the protection for privacy afforded by Article 8 of the ECHR. To explain, while it is clear that Article 8 guarantees respect for private and family life, the home and correspondence, in the late 1960s, governments were not sure that the wording of Article 8 extended to computer processing or to threats to privacy emerging from the private sector. A Resolution issued by the Council of Europe in 1974 [12] reported that:

A survey, conducted in 1968–70 by the Committee of Experts on Human Rights of the Council of Europe, on the legislation of the Member States with regard to human rights and modern scientific and technological developments has shown that the existing law does not provide sufficient protection for the citizen against intrusions on privacy by technical devices. Generally, the existing laws touch upon the protection of privacy only from a limited point of view, such as secrecy of correspondence and telecommunications, inviolability of the domicile, and so on. Moreover, the ramifications of the concept of privacy have never been established. It is also doubtful whether the European Convention on Human Rights, of which Article 8 (1) guarantees to everyone ‘the right to respect for his private and family life, his home and his correspondence’, offers satisfactory safeguards against technological intrusions into privacy. The Committee of Experts on Human Rights has noted, for example, that the Convention takes into account only interferences with private life by public authorities, not by private parties.


Privacy and the private sector

It is now settled that the right to privacy contained in the ECHR does apply to the private sector as well as to activities of the State and the public sector. This is despite the fears expressed in the early years of development of data protection laws. For example, in the case of Douglas v. Hello! Ltd (No 2) Lord Phillips explained that:

the European court has recognised an obligation on Member States to protect one individual from an unjustified invasion of private life by another individual and an obligation on the courts of a Member State to interpret legislation in a way which will achieve that result.


Thus, the State will protect an individual’s right to privacy from invasion by another individual, which includes private sector and voluntary sector companies and organizations. This is the effect of the decisions in Campbell v. Mirror Group Newspapers and Von Hannover v. Germany.

The late 1960s and early 1970s – the initial work undertaken by the Council of Europe: Data protection rules to protect privacy

The Council of Europe is an intergovernmental human rights organization that was established after the end of the Second World War. Its most famous legal instrument is the ECHR. The Council of Europe commenced its work in the field of data protection in 1968, at a time when a small number of its Member States were considering the introduction of national laws on data protection. In this year a Council of Europe Parliamentary Assembly issued Recommendation 509, which required the Council’s Committee of Experts on Human Rights to examine whether ‘having regard to Article 8 of the Convention on Human Rights, the national legislation in the Member States adequately protects the right to privacy against violations which may be committed by the use of modern scientific and technical methods’ and, if not, ‘to make recommendations for the better protection of the right of privacy.’

The efforts of the Committee of Experts on Human Rights resulted in the Council’s Committee of Ministers addressing two Resolutions to the Member States on the protection of privacy. The first Resolution, in 1973,[13] concerned the protection of privacy in the context of private sector ‘electronic data banks’. The second Resolution,[14] in 1974, concerned public sector electronic data banks.

Both of these Resolutions are based around a series of ‘principles’ that address the key privacy concerns within data protection, such as the accuracy of electronic personal data, the security of electronic personal data, the purposes for which electronic personal data are processed and the right of access. These principles have remained remarkably stable and consistent over the years and they can now be found, almost unchanged, within Schedule 1 of the DPA.

The Resolutions required the Council of Europe Member States to take all necessary steps to give effect to the principles. These Resolutions therefore represent the true beginnings of European data protection laws.

The UK’s first tentative steps towards data protection – the 1970s

The UK was one of the Council of Europe Member States that considered data protection at this initial stage of development of the law. In 1972 the ‘Report of the Committee on Privacy’ (sometimes called the ‘Younger Report’, after its Chair, Kenneth Younger) published 10 principles for the handling of personal information by computers. In 1975 this Report was followed by two government white papers, which indicated plans for legislation on private sector and public sector computer use. These white papers were followed by the establishment of the Data Protection Committee in 1976, chaired by Sir Norman Lindop. The ‘Report of the Committee on Data Protection’ was published in 1978, recommending rules that mirror modern data protection laws.

Data protection between 1980 and 1990 – from privacy to maintaining free flows of personal data (transborder data flows)

The 10 years between 1980 and 1990 saw thinking on data protection laws develop and mature. While the primary focus of concerns in the late 1960s and early 1970s was the protection of privacy within the context of automated processing of personal data, the 1980s saw the emergence of the second aim of data protection laws, the removal of obstacles to the free flow of personal data between countries (sometimes called ‘transborder data flows’).

The transborder flow of personal data is of fundamental economic and societal importance. The global economy cannot survive without the movement of personal data between countries and across continents and the effective performance of vital public functions, such as law enforcement and the prevention and detection of crime, is often totally reliant upon data sharing between different countries.

Although the transborder flow of personal data is of fundamental economic and societal importance, it involves very obvious privacy implications arising from the fact that the person’s personal data leaves the borders of their country of residence, making it much harder to protect.

One foreseeable consequence of the drive to protect the privacy of personal data undergoing processing is that transborder data flows could be hindered, or prevented altogether, because of understandable fears that personal data will not be adequately protected when processed abroad. This consequence was addressed during the second phase of data protection laws, with the accepted solution being that once data protection laws were harmonized between countries it would be unlawful for one country to hinder or prevent data flows to another country within the harmonized area on the sole ground of protection of privacy; within the area of harmonization the right to privacy is adequately protected.

1980 – the OECD deals with transborder data flows

The first organization to address this issue was the Organisation for Economic Co-operation and Development (OECD). The OECD, which was originally established in 1947 as the Organisation for European Economic Co-operation, provides a forum for the governments of 30 leading market democracies to discuss and develop policies to meet the challenges of globalization. One of these challenges is the maintenance of transborder flows of personal data.

In 1980 the OECD published its own data protection guidelines.[15] The preface to these guidelines is highly illuminating of the issues:

The development of automatic data processing, which enables vast quantities of data to be transmitted within seconds across national frontiers, and indeed across continents, has made it necessary to consider privacy protection in relation to personal data. Privacy protection laws have been introduced, or will be introduced shortly, in approximately one half of OECD Member countries (Austria, Canada, Denmark, France, Germany, Luxembourg, Norway, Sweden and the United States have passed legislation. Belgium, Iceland, the Netherlands, Spain and Switzerland have prepared draft bills) to prevent what are considered to be violations of fundamental human rights, such as the unlawful storage of personal data, the storage of inaccurate personal data, or the abuse or unauthorised disclosure of such data.

On the other hand, there is a danger that disparities in national legislations could hamper the free flow of personal data across frontiers; these flows have greatly increased in recent years and are bound to grow further with the widespread introduction of new computer and communications technology. Restrictions on these flows could cause serious disruption in important sectors of the economy, such as banking and insurance.

For this reason OECD Member countries considered it necessary to develop Guidelines which would help to harmonise national privacy legislation and, while upholding such human rights, would at the same time prevent interruptions in international flows of data.


The Guidelines contain a series of principles that echo those found in the Council of Europe’s initial 1973 and 1974 Resolutions, addressing issues such as the lawfulness of processing, the accuracy and security of personal data and transparency in processing. In respect of transborder flows of personal data, the Guidelines prefer a test of ‘equivalent protection’ saying that:

a Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection.


1981 – the Council of Europe’s Data Protection Convention (Europe gets serious)

In 1981 the Council of Europe opened for signature the Data Protection Convention,[16] the first and only European Treaty on data protection. The principal reason for the Data Protection Convention was the Member States’ failure to respond to the 1973 and 1974 Resolutions in a consistent manner.

The Data Protection Convention represents a watershed for European data protection laws, being the moment when data protection moved from an aspiration to a fundamental goal. Like the OECD Guidelines, the Data Protection Convention echoed the principles contained in the 1973 and 1974 Resolutions and preserved the importance of free flows of personal data, saying that the Member States ‘shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorization transborder flows of personal data going to the territory of another Party’. Thus, the Data Protection Convention cemented the second principal aim of data protection laws within Europe, namely the removal of obstacles to the free flow of personal data between countries.

1984 – the UK’s first Data Protection Act

In 1984 the UK Parliament passed the Data Protection Act 1984, to give effect to the UK’s obligations under the Data Protection Convention. The 1984 Act regulated the ‘processing’ and the ‘disclosure’ of ‘personal data’ ‘recorded in a form in which it can be processed by equipment operating automatically’, that is, the processing of personal data by computers. Manual files were not regulated, a substantial omission rectified by the DPA.

From 1990 – the rise to prominence of the EC

In 1957 a small group of European countries created the European Economic Community (EEC) through the signing of the Treaty Establishing the European Economic Community, otherwise known as the Treaty of Rome. In 1997 the EEC was renamed the EC. The EC forms part of the European Union (EU) and it currently consists of 25 Member States. As stated earlier, the EC and the Council of Europe are separate entities.

During the first phase in the development of European data protection laws, from the late 1960s to the mid 1970s, the EEC played only a peripheral role. This was because the thinking behind the law in the first stage was focused upon the protection of privacy, which, as a human right, fell more naturally within the sphere of competence of the Council of Europe. However, the EEC was supportive of the developments in the field and in 1981 the European Commission issued a Recommendation [17] addressed to the EEC Member States saying:

The Commission recommends those Member States of the Community which have not already done so to sign, during the course of 1981, the Council of Europe convention for the protection of individuals with regard to automatic processing of personal data, and to ratify it before the end of 1982.


While the EEC was content to let the Council of Europe take the lead, its 1981 Recommendation also contained a statement of future intent, warning the EEC member states that if they did not act promptly in signing and ratifying the Data Protection Convention, an EEC instrument could follow. This is what the Recommendation said:

The Commission of the European Communities accordingly welcomes the Council of Europe convention for the protection of individuals with regard to automatic processing of personal data. It is of the opinion that this convention is appropriate for the purpose of creating a uniform level of data-protection in Europe. If, however, all the Member States do not within a reasonable time sign and ratify the convention, the Commission reserves the right to propose that the Council adopt an instrument on the basis of the EEC Treaty.


Unfortunately, by the end of the 1980s only a few of the EEC Member States had ratified the Data Protection Convention. Therefore, in 1990 the European Commission formally proposed the introduction of the Data Protection Directive.[18] This proposal marked the starting point of the EC’s leadership in European data protection and the relative downgrading of the importance of the Data Protection Convention. The Data Protection Directive was formally approved in 1995.[19]

The EC, the Data Protection Directive and free movement

The Data Protection Directive is a very important harmonization measure that was introduced under the Internal Market provisions of the Treaty of Rome, to protect human rights and to maintain transborder flows of personal data. A recent report by the European Commission [20] has said:

[The Data Protection] Directive … enshrines two of the oldest ambitions of the European integration project: the achievement of an Internal Market (in this case the free movement of personal information) and the protection of fundamental rights and freedoms of individuals. In the Directive, both objectives are equally important.


By way of background, the Treaty of Rome sets out the legal powers of the EC and at this moment in time the EC is unable to make standalone human rights laws, unlike the Council of Europe. Instead, it must base its laws on a specific power within the Treaty, hence the reason for the introduction of the Data Protection Directive as a harmonization measure under the Treaty’s Internal Market provisions, as is now explained.

The Treaty of Rome describes the Internal Market as ‘an area without internal frontiers in which the free movement of goods, persons, services and capital is ensured’. In order to create the Internal Market, the Treaty requires ‘the abolition, as between Member States, of obstacles to the free movement of goods, persons, services and capital’. If it is not already clear, free movement is one of the principal goals of the EC, highly cherished by politicians, businesses and EU citizens. Free movement entails many powerful rights and entitlements allowing, for example, workers to take up offers of employment from other EC Member States and enabling companies to set up offices abroad. Free movement improves the competitiveness of the European economy and benefits the consumer.

EXAMPLE

A London-based company wants to open an office in Paris. The ability to do this is based upon the free movement of services, capital and workers. It is highly likely that in this scenario there will be movement of persons, as the London-based company will no doubt want to send key management personnel to Paris to oversee the opening, which requires movement of information about these persons. Indeed, in the present scenario the movement of personal information between the London and Paris offices is inevitable. Typical incidents of transfer of personal information between the two offices will occur in the transfer of personnel records. However, if privacy laws could prevent the transfer of personal data from one country to the other, the business would soon grind to a halt and the rights of free movement would fail.


By 1990, when the creation of the Data Protection Directive was formally proposed, the EC (like the Council of Europe and the OECD) had long realized that differences (actual and potential) in the Member States’ national laws for the protection of privacy with respect to the processing of personal data could act as obstacles to free movement; a Member State with a high level of protection for privacy could ban the flow of personal data from within its borders to a Member State that provided a low level of protection for privacy, which would have obvious implications for free movement in the example.

Therefore, the EC decided that it was necessary to take action to bring the Member States’ national laws into line, based upon the provisions contained in the Data Protection Directive, a process known as harmonization. As mentioned earlier, the Directive’s provisions were designed to ensure a high level of protection for the fundamental rights and freedoms of natural persons, particularly the right to privacy. In addition, the Directive outlawed all national measures that restricted or prohibited the free flow of personal data between EC Member States for reasons connected with the protection of fundamental rights and freedoms. Based on this reasoning, the EC has been able to introduce the Data Protection Directive, which is clearly a human rights law, under the guise of protecting the Internal Market. Article 1 of the Directive, which describes its objectives, says:

  1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.

  2. Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.


The EC has been able to overcome the prohibition against standalone human rights law making due to a number of factors. In addition to the factual connection between the protection of human rights and the proper functioning of the Internal Market, respect for human rights forms part of the general principles of EC law as well as part of the national laws of the EC Member States (the UK has the Human Rights Act 1998). It is also noteworthy that the EC is a signatory to the ECHR.

In conclusion, the thinking at the very heart of the Data Protection Directive connects the protection of privacy with free movement. The essence of the thinking is:

  • Free movement of goods, persons, services and capital is impossible without free movement of personal data.

  • Differences in national laws for the protection of privacy in personal data undergoing processing can act as obstacles to free movement.

  • Differences in national laws can be overcome through a process of harmonization.

  • Once national laws are harmonized, obstacles to free movement disappear.

The structure of the Data Protection Directive

The Data Protection Directive consists of 72 recitals and 34 articles. The recitals explain the theories behind the law and the motivations of the law makers, providing a vital aid to interpretation. The articles are arranged in seven chapters. The chapters are titled:

  1. general provisions;

  2. general rules on the lawfulness of the processing of personal data;

  3. judicial remedies, liability and sanctions;

  4. transfer of personal data to third countries;

  5. codes of conduct;

  6. supervisory authority and working party on the protection of individuals with regard to the processing of personal data; and

  7. community implementing measures.

As it is a harmonization measure the Data Protection Directive’s provisions leave EC Member States with much room for manoeuvre. Instead of prescribing in detail the obligations of the Member States, the Directive sets general principles and leaves the Member States to implement national measures in the form and manner of their choosing. Due to this wide margin of discretion vested in the Member States there are still many differences in national laws and between national views and the EC’s view of how data protection laws should be.

Because it sticks to the general principles it is not surprising to see that certain concepts and phrases keep reappearing throughout the Directive. These will be encountered time and time again during an analysis of data protection laws and data protection in practice.

A very prominent concept within the Directive is ‘necessity’. This is because many of the grounds for making processing lawful are prefaced by the requirement that the processing should be necessary. Another prominent concept is ‘adequacy’, as the Directive prevents the flow of personal data from the EC Member States to other countries that do not offer adequate protection for personal data. A third prominent concept is ‘suitability’, as the Directive requires EC Member States to adopt ‘suitable measures’ to ensure the full implementation of its provisions. Collectively, these concepts provide the Member States with considerable discretion over the detail of their national laws.

The Data Protection Directive and the processing of manual data

A major advance made by the Data Protection Directive when compared to the Data Protection Convention was the extension of the law to cover manual data. While the Data Protection Convention gave Council of Europe Member States the option to regulate the manual processing of personal data, this was not compulsory. The Data Protection Directive changed this for EC Member States, making the regulation of manual processing compulsory where personal data are held in a ‘personal filing system’ (the DPA calls these ‘relevant filing systems’).

The Data Protection Directive and the European Economic Area

The Data Protection Directive is a legal instrument of the EC, but its protections extend to an area known as the ‘European Economic Area’ (EEA). The EEA is the combined area of the EC Member States and Iceland, Liechtenstein and Norway. The EEA was created by the Agreement on the European Economic Area in 1992.

The right to privacy in the UK

It has already been explained that the right to respect for privacy contained in Article 8 of the ECHR has been incorporated into UK law by the Human Rights Act 1998 (HRA). Due to the obligations placed on Member States by the ECHR it can now be said with certainty that the right to privacy will be protected by the UK courts, both from interferences by the State and by other individuals.

The HRA contains two key provisions that are central to the development of the law in this area. First, section 2 of the HRA requires courts and tribunals to take into account decisions of the ECHR when determining a question that has arisen in connection with an ECHR right. Second, because of section 6 it is unlawful for courts and tribunals in their capacity as public bodies to act in a way that is incompatible with an ECHR right.

In the case of Campbell v. Mirror Group Newspapers,21 Baroness Hale explained the court’s position. She said:

The 1998 Act does not create any new cause of action between private persons. But if there is a relevant cause of action applicable, the court as a public authority must act compatibly with both parties' Convention rights.


The court’s obligation is to do justice between the parties and as a public authority it must perform this duty in a manner that is compatible with the Convention rights. The logical effect of these obligations is that the court should consider always whether a Convention right, like the right to privacy, is engaged in the case before it and this may often require a more detailed enquiry than merely asking the parties for their views. If the right to privacy is engaged the court will have to protect it and, if necessary, balance it against other interests, such as freedom of expression.

If an individual wishes to start a court action to protect their privacy, their claim is determined in accordance with the law of confidence, with private information being treated as confidential information. The individual will be successful if they can show that the person threatening their privacy knows or ought to know that the individual has a reasonable expectation that their information will remain private. In the case of Douglas v. Hello! Ltd (No 2),22 Lord Phillips explained the law following a decision of Lord Woolf in A v. B & C:23

Lord Woolf then laid down guidelines which a court should follow when considering a similar application. These include the proposition that in the great majority of, if not all, situations where the protection of privacy is justified in relation to events after the 1998 Act came into force, an action for breach of confidence will provide the necessary protection. As to interests capable of being subject to a claim for privacy, these will usually be obvious. A duty of confidence will arise whenever a party subject to the duty is in a situation where he knows or ought to know that the other person can reasonably expect his privacy to be protected. If there is an intrusion in a situation where a person can reasonably expect his privacy to be respected then that intrusion will be capable of giving rise to an action for breach of confidence unless the intrusion can be justified.


The state of the UK law concerning the right to privacy is that this will be protected by the courts in a claim for breach of confidence. A data subject claiming a breach of the DPA may also rely upon the law of confidence in a court action to enforce their rights.

The future of data protection laws

The Data Protection Directive is now 10 years old, which represents nearly one-third of the total lifespan of data protection laws. The key thinking upon which the Directive itself is built will soon reach its 40th anniversary.

The nature of the threats to privacy has changed substantially since the Council of Europe took its first steps, which presents new challenges. Furthermore, experience of the laws in action, plus some unusual court decisions, have led to calls for revision of the Data Protection Directive. Two important areas of concern are:

  • the omnibus approach to regulation favoured by the Data Protection Directive;

  • the failure to eradicate divergences in national laws.

Problems with the omnibus approach and alternative solutions, including the Lindqvist case

Subject to some exemptions the Data Protection Directive requires regulation of every act of data processing irrespective of the extent of the threat to privacy or the threat to the Internal Market. The fact that this can lead to harsh results was revealed in a recent case heard by the European Court of Justice, Bodil Lindqvist v. Åklagarkammaren i Jönköping.24 The case in question concerned the activities of a Swedish lady, Bodil Lindqvist, who built a website to help her fellow parishioners who were preparing for their confirmation. Mrs Lindqvist’s website contained information about parishioners living in her village, Alseda, including names and other personal data, such as the fact that one person was off work with an injured foot. Mrs Lindqvist published this information without consent and without having notified under the Swedish law. She was prosecuted and convicted, receiving a criminal record and a fine. The Swedish appeal court referred the case to the European Court of Justice for a determination as to whether the Data Protection Directive applied to Mrs Lindqvist’s activities. The European Court of Justice held that the Directive did apply, despite making a finding that Mrs Lindqvist’s activities were ‘not economic but charitable and religious’.

Regarding the nature of the information published by Mrs Lindqvist, while it fell within the categories of private information identified earlier, there was no evidence that the publication of this information caused any negative effect for the persons concerned. As regards the link with the Internal Market, the best that can be said is that the link was indirect.

Lindqvist is the type of case that could bring the law into disrepute; it might be thought that it trivializes the subject matter, causes a drain on the scarce resources of the regulators and the courts and places an unjustifiable burden on ordinary persons. However, potentially harsh results are the natural consequences of the omnibus approach, where nearly everything is regulated.

An alternative to the omnibus approach is the sectoral approach favoured in the US. Rather than regulating everything, the sectoral approach identifies the areas of utmost concern and prioritizes regulatory action by reference to seriousness. For these reasons the US has introduced data protection and privacy legislation in the medical field (see the Health Insurance Portability and Accountability Act 1996), in the financial services field (see the Financial Services Modernization Act 1999), to prevent spam (see the Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003) and to protect the privacy of children using the internet (see the Children’s Online Privacy Protection Act 1998) as well as in other key areas. However, there is no general privacy law in the US.

There is evidence that the EC is becoming more favourably disposed to the sectoral approach and it remains possible that the law will develop more along the lines of the US model rather than continue along the current path. For instance, in 1997 the EC approved a separate Directive on data protection in the telecommunications sector,25 which was replaced in 2002 by the Directive on Privacy and Electronic Communications.26 The EC has also periodically considered a possible Directive on workers’ data protection and in December 2005 the European Parliament approved a Directive on the Retention of Communications Data,27 which was endorsed by the Ministers of Justice and Home Affairs in February 2006. In addition, the Working Party constituted under Article 29 of the Data Protection Directive regularly issues opinions and working documents on sectoral issues within data protection, which have addressed many diverse issues, such as data protection and genetic research,28 data protection and direct marketing,29 data protection and use of the internet30 and data protection and the use of airline passenger information by law enforcement agencies.31

Another alternative might be to require evidence of a substantial negative privacy effect or evidence of a substantial negative Internal Market effect before serious sanctions can be imposed, an approach that may weed out trivial cases from the full scope of the regulatory regime.

The beginnings of this approach have already been detected within domestic law. In a landmark case in 2002, Durant v. Financial Services Authority,32 the Court of Appeal delivered a judgment that is widely considered to have significantly curtailed the DPA. By way of background, the Court of Appeal was asked to rule on the meaning of personal data. It has effectively introduced a privacy filter into domestic law, saying that for information to be personal data it has to be information that ‘affects (the data subject’s) privacy’, with the implication being that there is a threshold level of negative effect that is required before the DPA applies. Of course, the problem with this approach is that the data subject might be unable to learn the extent of the privacy effect without having a guaranteed legal right of access to information about processing, the use of which is not conditional upon prior proof of a negative effect. Durant almost creates a chicken-and-egg circular argument about which comes first: the right of access in section 7 or the need to satisfy the Durant definition of personal data.

Continuing divergences – the failure of harmonization?

The EU introduced the Data Protection Directive in order to harmonize the national laws of the EU Member States. Although all of the Member States have introduced national data protection laws, worrying differences still exist, as a recent report by the EC has identified.33 The continuance of differences stems from the fact that the Directive gives the Member States a very wide margin for manoeuvre. It does not specify the precise detail required of national laws.

This very wide margin for manoeuvre enables the UK to take a rather lax attitude to sanctions, penalties and enforcement with the result that a prosecution in the circumstances described in the Lindqvist 34 case is inconceivable in this country. Even now, 10 years after the introduction of the Data Protection Directive, there is very little legal action commenced against data controllers in this country. This is not because domestic data controllers are particularly fastidious about legal compliance. Rather, it is a result of a weak legal regime and, perhaps, a cultural resistance to privacy issues.

The potential for continuing divergences was fully revealed by Durant v. FSA.35 The Court of Appeal’s ‘privacy filter’, discussed above, surprised commentators and is considered to have put the UK out of kilter with mainland Europe. Indeed, the decision is so problematic that the European Commission is reported to have asked the UK government to justify certain aspects of the DPA, particularly whether, in light of Durant, the right of access is guaranteed within the UK as the Data Protection Directive requires.

Future direction, including the Charter of Fundamental Rights of the European Union

An important distinction has already been made between the human rights law-making powers of the Council of Europe and those of the EC, with the core point being that the EC does not currently have standalone human rights law-making powers. For this reason the Data Protection Directive is constructed as an Internal Market measure. Of course, the reality of the situation is that the EC embraces human rights law making and it wishes to see its competence grow in this field.

Thus, in 2000 the EU ‘proclaimed’ the Charter of Fundamental Rights of the European Union. At the moment the legal status of the Charter is ambiguous, but if the proposal for an EU Constitution is adopted, the Charter will be directly incorporated into the Constitution, making it part of EU law. Articles 7 and 8 of the Charter provide as follows:

Article 7

Respect for private and family life

Everyone has the right to respect for his or her private and family life, home and communications.


Article 8

Protection of personal data

  1. Everyone has the right to the protection of personal data concerning him or her.

  2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

  3. Compliance with these rules shall be subject to control by an independent authority.


It is moot whether the Charter will make much difference to the law in the UK, but it does send out a very important message about the relative importance of privacy laws and data protection laws.
