Tag Archives: Data Protection Regulation

David Erdos: Mustn’t Ask, Mustn’t Tell: Could New EU Data Laws Ban Historical and Legal Research?

david.erdosEven with the advent of Web 2.0, data protection law is still often seen as technical and only narrowly applicable.  Technical abstruseness aside (and data protection’s reputation here is certainly deserved!), this understanding couldn’t be more wrong.  The existing European data protection framework actually has a breath-taking scope.  It applies to anything done electronically with any information about an identified or identifiable person (possibly even the dead).  According to the EU, even innocuous details already in the public domain are protected (perhaps even the title of an author’s book).  Moreover, if the information reveals in any way, for example, race/ethnic origin, political opinions, religious belief, trade union membership, health or criminality, then it is classed as “sensitive” information and subject to even tighter regulation.  A number of European courts have ruled that all colour images are covered by this as they display racial information.  The European data protection framework (Directive 95/46/EC) is not only broad but often onerous.  Barring a specific exception (including a liberal one (Art. 9) which can be invoked for journalism, literature and the arts), there is a presumption that individuals will be informed about the processing of data about them (Arts. 10-11) and given a right to object (Art. 14), that the processing of “sensitive” personal information will be banned (Art. 8.1) and that no personal information will be transferred outside the European Economic Area without “adequate protection” (Art. 25.1).

So the popular perception of data protection is woefully inaccurate – which leads to a radical underestimation of the threat this regime poses to the enjoyment of other fundamental rights and pursuit of legitimate activities.  Nowhere is this more the case than in relation to social and humanities research.  Since the advent of the EU data protection framework, researchers have witnessed dramatic restrictions on their freedom to use “sensitive” data or to resort to covert methodologies.  Coupled with the growth of sometimes intrusive “ethical” review policies, the barriers and burdens placed in the way even of ordinary, innocuous, yet socially beneficial research and on researchers have become considerable.

It might have been hoped that the proposed EU Data Protection Regulation would provide an opportunity to reverse this.   But if the European Parliament’s just published draft report and amendments are anything to go by, the converse is true.  Prepared by Jan Albrecht MEP, the Rapporteur of the Civil Liberties, Justice and Home Affairs Committee (the lead Committee for considering the Regulation), these stringent proposals would effectively outlaw almost all research in law and in contemporary history as well as a great deal of work in sociology and political science.  Now, any processing for historical, statistical or scientific research purposes would be subject to the following:

  • A complete ban on publishing even the most innocuous personal data in identified form unless the individual in question either has themselves put it into the public domain or has freely given, specific, informed and rescindable consent (Amendment 339, p. 201).  This would deny a historical researcher the right to publish information from a newspaper article accurately reporting the public activities of a public official (e.g. Tony Blair’s involvement in the decision to go to war in Iraq).  It would also prohibit the citation and publication of analyses of already published court judgments since these are full of identifying details which the justice system rather than the individuals concerned have put into the public domain.
  • If the details in question reveal any “special” categories of information (see above), then the restrictions would be even greater.  In the absence of freely given, specific, informed and rescindable consent, all such research would be banned unless Member States, on a purely optionally basis, allow their Data Protection Authority to issue permits for this.  These could however only be granted if the information “be anonymized, or if that is not possible for the research purposes, pseudonymised under the highest technical standards, and all necessary measures…taken to prevent re-identification of the data subjects”.  The research must also serve “exceptionally high public interests” and be something that “cannot possibly be carried out otherwise” (Amendment 337, p. 200).  Not even information previously published by the individual in question would be exempt.   Thus, for example, a historian would have no right to report that Emma Nicholson, now a Liberal Democrat Peer, used to be Conservative MP despite this being public knowledge freely available on Wikipedia. (According to the  Information Commissioner’s Office the political affiliation of an MP is “sensitive” personal data (p. 8)).
  • We are also told that in all cases “data enabling the attribution of information to an identified or identifiable data subject” must be “kept separately from the other information” (Amendment 335, p. 199).  This would prevent a researcher from saving a court judgment or a newspaper report on a laptop without having first replaced all personal identifiers (such as “David Cameron” or “Lord Hutton”) with a pseudonymised (as above) code, the key to which would then have to be stored elsewhere.
  • Finally, the clause allowing the European Commission to propose delegated legislation to allow for covert research has simply been deleted (Amendment 341, p. 202).  But, subject to suitable safeguards, such research has often been essential in bringing to light important facts including illegal police practices and discriminatory attitudes on the grounds of sex, ethnicity or race.  People are obviously not going to be willing to give consent to their wrongdoing being researched.

Albrecht is candid about the restrictions on research freedom which are being proposed.  Thus we are told baldy that “[r]esearch purposes should not override the interests of the data subject in not having his or her personal data published” (at p. 201).  If the word “journalistic” were substituted for “research”, then it would be obvious to everyone, including of course the Press, just how onerous this censorship is. Ironically, alongside these harsh restrictions on research, Albrecht proposes broadening the protections set out in Article 80 as regards journalism, literature and arts so as to protect freedom of expression per se (Amendment, 324, p. 193).  This is to ensure that “freedom of expression is protected in general, not just for journalists, artists or writers” (p. 52).

Freedom of expression is defined by reference to the EU Charter which includes freedom to “receive and impart information and ideas without interference” (Art. 11), a right similarly protected in Art. 10 of the European Convention on Human Rights.  In creating and disseminating new knowledge, social and humanities research intrinsically instantiates such freedom of expression.  Moreover, the special concern of research to investigate genuinely important issues whilst upholding the qualities of rigour, culmination and precision ensures that social and humanities research will usually constitute ‘high-value’ publicly interested speech which the European Court of Human Rights has correctly stated should generally be free from legal restriction. As Brian Harrison has also correctly argued “there is no distinction in principle between the journalist and the historian:  the historians simply have more time for research and reflection”.  However, the one type of actor whose freedom of expression is not protected by this proposed revision to Article 80 is researchers (historical or otherwise).  This is because, whilst Article 80 does allow for (balanced) derogations from most of the Regulation, Article 83’s stipulations on historical, statistical and scientific research are excluded from this.  Freedom of expression is turned “on its head”!

It is vital that the draft Data Protection Regulation be amended.  We need to ensure that social and humanities research is unequivocally included within Article 80’s freedom of expression protections.  This should also prompt a wider rethink of the over-regulation of research compared with other, often less socially valuable, activities.  The proposals are still being considered by both the European Parliament and the Council of Ministers.  It is not too late to press for the necessary changes.  All who care about the future vitality of academic inquiry need to wake up to the realities of Data Protection.  Universities and other research organizations need to be forthright and assertive in opposing these unjustified and unworkable proposals.  Everyone acknowledges that, in some contexts, genuinely sensitive personal data needs protection.  But when this balloons into wide, and wild, overreaction we find ourselves able to know less and less about the societies we live in – including, paradoxically, about the nature of privacy and about the effects of Data Protection regulation itself.

A version of this article was originally published in Times Higher Education (“Mustn’t ask, mustn’t tell”, 14 February 2013, p. 30).

David Erdos is principal investigator of the Data Protection and the Open Society project and a research fellow at the Centre for Socio-Legal Studies and Balliol College, University of Oxford.

Suggested citation: D. Erdos, ‘Mustn’t Ask, Mustn’t Tell:  Could New EU Data Laws Ban Historical and Legal Research?’ UK Const. L. Blog (14th February 2013) (available at http://ukconstitutionallaw.org)


Filed under Human rights

Tom Hickman: Data Over-Protection

When my central heating boiler stopped working the other day I was expecting exorbitant costs, cold nights huddled around a hot water bottle and possibly a few hours holding on the phone to British Gas. I was not expecting an encounter with the Data Protection Act.

It happened when I was arranging an appointment with a gas boiler ‘engineer’. I was asked for my mobile telephone number so that the engineer could call me if he couldn’t find the house. I duly supplied it. At the conclusion of the call I asked the woman from British Gas if she could read my mobile telephone number back to me to check she had written it down right. “I am sorry” she replied “we can’t give out mobile telephone numbers because of data protection”. I pointed out that I had just given the number to her, but no amount of reason would prevail. The most she would do was read back the last three numbers.

This is by no means my only experience of the irrational effects of data protection laws. Many readers of this blog will have similar tales. But such experiences must not be dismissed as lighthearted examples of corporate idiocy. They are symptoms of a genuine underlying problem that can have consequences far more serious than a boiler engineer failing to turn up for an appointment.

The British Government no less than British Gas is apt to invoke data protection as a reason for not supplying information in obviously sensible circumstances. When the All Party Parliamentary Group on Extraordinary Rendition requested data about the transfer of British-captured insurgents from British forces to Afghan authorities and third nations (but not the names of the individuals concerned), as part of a project to review compliance with diplomatic assurances, the Group was met with a refusal based on the Data Protection Act. The refusal was particularly unfortunate given that the request was made to further the interests of the individuals on whose behalf the British government was invoking data protection concerns.

Yet more extraordinary was that until the morning of a hearing before the Upper Tribunal the Ministry of Defence was asserting that disclosure could not be made without the ‘explicit consent’ of each individual detainee or former detainee because the information sought was ‘sensitive personal data’ on the ground that it would be possible to infer the religious beliefs of those captured from the information: they would almost certainly be Muslim.

Then there is the case of Mr Rahmatullah. Mr Rahmatullah was captured by British forces in Iraq and handed-over to the Americans before being unlawfully rendered to Bagram airbase detention facility, where he remains. The legal charity Reprieve sought to identify him after it was discovered a British captured detainee was held at Bagram, in order to commence habeas corpus proceedings in the US. But the UK Government refused to provide his name or details because, in the absence of him having given his consent, it would breach his rights under the Data Protection Act. And so he languished in incommunicado detention. Fortunately his identity was eventually worked-out by a combination of luck and good detective work by Reprieve. [1]

Even when cases do get on foot, data protection can rear its head to make rights enforcement more difficult. It is recurring problem in litigation against both public authorities and companies that disclosable material will be redacted on ‘data protection grounds’. Moreover, in Smith [2008] EWHC 694 (Admin), Collins J depreciated the practice of public authorities in inquest proceedings to “routinely redact” the names of “any person” shown in documents which “makes it very difficult and sometimes impossible for interested parties to make preparations to deal with the evidence of a particular witness or to understand how that witness fits in to the whole picture.” He went on to note that such redaction is “taken to absurd lengths” such as by the redaction of correspondence with the family or their representatives.

The reasons for this state of affairs are more complicated than that the data protection laws are too tightly drawn. The problems also stem from the fact that the law itself is Byzantine.

Lawyers are accustomed to experiencing a sinking feeling when data protection rears its head in a case; and the first strategy is usually to try and find a way of not having to address it. The Data Protection Act is one of the most poorly drafted pieces of legislation on the statute book. It has tied the UK Courts up in knots. The consequence of the House of Lords’ judgment in Common Services Agency v IC [2008] UKHL 47, for example, is that the disclosure of information about individuals under the Freedom of Information Act constitutes processing personal data and is prima facie unlawful even if the documents are redacted so that no individual is identifiable from the information disclosed (the reason for this being that the disclosing public authority could—obviously—identify the persons from the disclosed redacted material by matching it up with the original material, which in fairness to the House of Lord is, literally, what the legislation says).

In the All Party Parliamentary Group on Extraordinary Rendition case ([2011] UKUT 153) the Upper Tribunal simply refused to follow the majority of the House of Lords in Common Services Agency on the basis that it just couldn’t possibly be right and it wasn’t absolutely on point. In a subsequent case, the High Court preferred to give such close scrutiny to the leading speech in the House of Lords that it was found to mean precisely the opposite of what it actually says: R (Dept of Health) v IC    [2011] EWHC 1430 (Admin). These cases prompt one to reflect that if our highest Courts cannot make head or tail of the data protection laws then the British Government and British Gas ought perhaps to be more lightly censured.

Another problem is that the exceptions permitting processing of personal data are open-textured so that organizations cannot be sure when they are on the right side of the line. Taken together with the risk of criminal sanctions (which always leads to robust corporate compliance) and one has a recipe for irrationality and over-protection.

Let us not forget that data protection laws are supposed to enhance our human rights. They are presented as bulwarks against the surveillance society, by which I mean the ever-greater ability of companies and governments to monitor and analyse information about us.

Such is the status of data protection that the Lisbon Treaty elevated the right of data protection in the EU to the status of treaty right embedded in the EU Charter of Fundamental Rights and Freedoms.

It is thus a perverse effect of data protection laws that they often have opposite effects: negating freedom of information and reducing accountable government.

The EU Commission is currently re-drafting EU data protection laws with the aim of increasing the protection currently afforded to personal data. The restrictions on lawful processing (including disclosure) will become even more tightly framed.

It is proposed to narrow further Article 7(f) of the Data Protection Directive allowing disclosure where “necessary” for the “legitimate the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed” by removing reference to third parties (such as the All Party Parliamentary Group on Extraordinary Rendition or Reprieve). Restrictions are also proposed to the provision allowing processing in the public interest, which will only be lawful where the controller is exercising functions prescribed in legislation (draft Regulation Article 6(1)(e), (f), (3)). The exception relating to disclosure “necessary” to protection the “vital interests” of the data subject is retained but this has been interpreted very narrowly to mean life and death situations such as use of medical records after a life-threatening accident. It is not given any wider compass in the proposals. The upshot will be that work of human rights groups and human rights lawyers working to protect the interests of data subjects will be made even more difficult.

The Information Commissioner has drawn attention to some of these problems in its initial analysis of the Commission’s proposals (February 2012). The IC has stated that the terms of the draft Regulation may,  “stand in the way of processing that is desirable, unobjectionable and helpful to citizens.” And the IC has called for “explicit recognition in the Regulation that processing may take place where it is clearly in the data subject’s interests and does not override his or her fundamental rights and freedoms.” It is to be hoped that such well-founded criticisms will be addressed.

In the current climate of concern about the surveillance society it is important to appreciate that the side effects of the over protection of personal data are not confined to farcical exchanges with public utilities companies: data over-protection can undermine the effective protection of human rights.

 Tom Hickman is a barrister at Blackstone Chambers.

[1] http://www.reprieve.org.uk/press/2011_06_22_Fox_Hague_Yunus/. Presently the subject of habeas corpus proceedings: R (Rahmatullah) v SSFCA  [2012] EWCA Civ 182 on appeal to the Supreme Court. The detective work is described in a witness statement of Clive Stafford-Smith dated 14/04/10


Filed under European Union, Human rights

Paul Bernal: Between a European Rock and an American Hard Place?

Europe and the US have had very different approaches to privacy – and in particular data privacy – for a very long time. Data protection, the centrepiece of European data privacy law, is currently undergoing a reform – and that reform is highlighting the differences in attitude, approach and understanding of privacy and its place in the delicate balance with free expression and business.

The issue that is causing the most contention is the much discussed ‘right to be forgotten’, one of the central planks of the suggested new Data Protection Regulation. It’s being strongly pushed by Commissioner Viviane Reding – but isn’t exactly getting a good press in the US. Apocalyptic pronouncements like “the right to be forgotten could close the internet” and that it is the “biggest threat to free speech on the internet” have appeared in such august journals as the Stanford Law Review.

What is perhaps just as interesting to UK people is the distress that the whole affair is causing to the UK government. They don’t seem to know what to do, or where they stand.

The right to be forgotten

The central thrust of the so called ‘right to be forgotten’ is the idea that people should be able to delete information about them held on the internet. One of the key reasons for its development was the difficulty that people have had in deleting their accounts from social networking sites like Facebook – and the sense that the data being held about people is in some senses ‘theirs’, and that as a consequence they should have the right to delete it. Exactly what the right would mean in practice is somewhat unclear. What kind of data would be covered by the right, and who the right could be enforced against – and how it would or could be enforced in practice – still seems very much up for discussion, and will probably remain so for some time.

From the perspective of the proponents of the right, it is a logical extension of the existing principles of data protection. People already have rights to access information held about them and to correct it when it is erroneous – and to ask for it to be removed if it is being held inappropriately. The ‘right to be forgotten’ takes this a step further – changing the balance so that unless there is a ‘good’ reason for data to be held, the data subject should have the right to delete it. Looked at from this perspective, it is a right that empowers people against the ‘big players’ of the data world – challenging the establishment, and helping to shift the balance of power back towards the individual.

The US perspective

From the US perspective there’s something very different going on: the right to be forgotten seems to be seen primarily as a threat to free speech. The very name ‘the right to be forgotten’ raises a spectre of censorship, or of the rewriting of history – and when Americans look across the Atlantic and back into history and see figures from Stalin and Hitler to the likes of Berlusconi, that impression might be reinforced. It’s for that reason that I’ve been arguing for a while that it would be better to call it the ‘right to delete’ rather than the right to be forgotten – but the latter seems to be what we’re stuck with.

Does the right to be forgotten really threaten free speech? European Commissioner Viviane Reding has done her best to reassure audiences both sides of the pond that it doesn’t. There are exemptions, she has said, for the media, and for free expression:

“It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.”

Those words haven’t reassured many American writers. Jeffrey Rosen in the Stanford Law Review is one of the most often quoted: he has gone into the detail of what has been presented about the right so far, and found enough ammunition to be able to suggest that it might be used precisely as a tool of censorship. Is he right? Well, the way it looks at the moment, at the very least we are in for some protracted arguments from both sides.

What about business?

All of this, however, may well be somewhat beside the point. Some of the more cynical of privacy advocates – myself included – suspect that the US position isn’t quite as principled as it might appear. Free speech is of course fundamental to the US constitution, and prioritised over almost everything else – but free enterprise is in some ways every bit as fundamental to the US, and when looked at in detail the right to be forgotten is far more challenging to free enterprise than it is to free speech. Businesses all over the world – but in the US in particular – have been building business models relying upon the gathering, holding and using of vast quantities of personal data. It is those business models that are under threat. Not only might they have to build in mechanisms to allow people to see and then delete the data held about them but the potential they have for exploiting this data might be much reduced. Those businesses are not likely to be unhappy to have the much-respected advocates of free expression do the hard work of opposing the right to be forgotten for them…

And the UK?

The UK seems to have neither Europe’s enthusiasm for privacy nor the US’s passion for free speech. What it does have is a desire to support business – and not to let anything else get in the way of the freedom for businesses to find ways to make money.  Back when the proposal for the right to be forgotten first started doing the rounds, UK politicians were doing their best to oppose it.

In May 2011 Justice Secretary Ken Clarke gave a speech to the British Chamber of Commerce in Belgium, counselling against too much data protection. He suggested that the right to be forgotten was effectively unworkable, and implied that it should be abandoned. His words weren’t heeded – Viviane Reding in particular has continued to push and push for the right to be forgotten – and the UK government looks as though it’s been squirming ever since.

It’s not the first time that the UK Government has been put in a position of confusion over digital issues, trying to ‘support business’. Back in November 2010, Ed Vaizey came out first against the idea of net neutrality, thinking he was supporting business, and then almost immediately in favour of it when he saw the reactions his first statements produced. In a similar vein, the confusion shown by the Information Commissioner’s Office over the notorious ‘cookies’ directive has been rumbling on for many months and shows no sign of real resolution.

This time, though, the UK Government has taken it a step further. It appears that the UK Government would much rather the ‘right to be forgotten’ disappeared. The Ministry of Justice is undertaking a consultation, ostensibly a ‘Call for Evidence on EU Data Protection Proposals’. The language used is nicely neutral, but the purpose appears clear.  In Hawktalk, the blog of the Amberhawk, the leading information law training providers, headlined their report on the consultation:

“MoJ asks for arguments to oppose the European Commission’s Data Protection Regulation”

Amberhawk suggested that by the nature of their call for evidence – the questions asked, the information provided, and the groups to which the call for evidence was sent – the MoJ was setting up a ‘numbers game’, wanting to say that the vast majority of respondents are opposed to the changes.

Will it work? Will the UK be able to block the regulation, or at least water it down in such a way as to neuter it? Given the persistence with which Commissioner Reding has pushed for the right so far, it seems unlikely. US opposition appears more likely to have an effect, not just because of the power of the US in the internet as a whole, but because their stance is more consistent and principled. Even that, however, cannot be taken for granted, as the US is now taking baby steps towards recognising the importance of privacy on the internet, with Obama putting forward his new  ‘Consumer Bill of Rights’ for privacy on the net.

The UK looks distinctly out of step – seemingly unable to influence Europe and unwilling to accept the views that are coming out of Brussels. For this author at least, the European view is distinctly more palatable, putting the rights of individuals at the heart of their proposals. It would be good if the UK Government began to do the same – and they might find their way out of the awkward position they now find themselves in.

Paul Bernal is a lecturer in the UEA Law School and a member of media@UEA. He blogs at The Symbiotic Web Blog (link tohttp://symbioticweb.blogspot.com/) and tweets as @paulbernalUK.


Filed under Comparative law, Human rights