Data Protection – There is no such thing!
As we were celebrating Data Protection Day on 28 January 2019 by raising awareness of data protection and data subjects’ rights within the local community, in an event aimed at both business owners and individuals, we were surprised to receive a startling comment from one visitor claiming “There is no such thing as data protection.”
How well are individuals’ privacy rights protected when it comes to infringements by the State, and the hidden (or not so hidden) practices of big business?
The General Data Protection Regulation (‘GDPR’) has shaken up the way organisations process valuable personal data. Under the new law, supervisory authorities (the Information Commissioner’s Office in the UK) are empowered to impose enormous fines and other penalties for non-compliance, and they use these powers, as in the recent case of Google being fined £44 million for the lack of transparency when processing personal data.
But what the visitor’s question really concerned was our rights as citizens and the legal rights which the State may exercise to access and process our personal data.
Last year’s data protection legislation changes, including GDPR and the Data Protection Act 2018 (DPA ’18), impacted upon the State’s ability to process citizens’ personal data in a number of ways. When looking at these revised State powers in the UK, we need to differentiate between law enforcement processing and intelligence services processing for the purposes of data protection compliance.
Both are governed by the DPA ’18. Law enforcement processing is based on the EU Law Enforcement Directive, which was implemented into UK law via the DPA ’18. Intelligence services processing, regarding national security purposes, falls outside the scope of EU law and is based on international standards provided for in the modernised Convention 108 (the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data).
Whilst the DPA ’18 acknowledges the same general six principles of processing personal data for law enforcement processing and intelligence services processing as does GDPR (namely that processing must be lawful, fair and transparent, the purposes must be specified, explicit and legitimate, it must be accurate, it must be kept for no longer than is necessary and it must be processed in a secure manner), there are subtle differences to the general principles under the DPA ’18.
One of the differences arises in the case of law enforcement processing of personal data, insofar as such processing does not need to be transparent (s.35 DPA ’18).
This is arguably justified by virtue of the fact that transparency in this type of processing would cause harm to on-going investigations. Interestingly, the principle of transparency is, however, retained in intelligence services processing.
There are also differences regarding data subjects’ rights under these types of processing activities. Regarding law enforcement processing, the right to be informed (transparency principle), the right to data portability and the right to object to processing activities have been removed. Regarding intelligence services processing, all rights remain except for the right to data portability.
“Great!” – One might think that the individual’s major rights against the State’s privacy infringement are the same as in GDPR. But the key differences are the restrictions regarding rights and the exemptions. Law enforcement agencies can restrict the rights, where necessary and proportionate, in order to avoid obstructing an investigation or enquiry, to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences, for the execution of criminal penalties, to protect public security, to protect national security and to protect the rights and freedoms of others.
Furthermore, the intelligence services are provided with a national security exemption, which requires a national security certificate to be signed by a Cabinet Minister (or the Attorney General or the Advocate General in Scotland). A further change to previous legislation provides that the Cabinet Minister needs to send a copy of the certificate to the Information Commissioner, who must publish a record of the certificate, unless this is against the interests of national security, contrary to public interest or if it might jeopardise the safety of a person.
So what are our conclusions? Awareness of data protection is certainly growing, which is very important. Individuals need to become aware of their rights before they can exercise them. In answer to our visitor’s question, we would say that there certainly is ‘such a thing as data protection’, but that this has to be restricted in certain circumstances, in order to enable law enforcement and intelligence services to protect citizens and the State. Human rights are subject to exemptions, and it is incumbent on individual countries to define the limits of such exemptions.