When the first Data Protection Act was passed in 1984, it was estimated that there were 200,000 computers in the UK holding personal data, defined in the legislation as information relating to a living individual that could identify them. The Act stipulated that any computer holding such data would have to be registered by a newly appointed data protection registrar. When Parliament was asked to agree the registrar’s salary, the MP for Wrexham remarked that £35,000 was a lot of money: ‘I doubt whether many people are worth that much.’ Today, his successor, the information commissioner, is paid £180,000 a year, more than the prime minister, and we are way past the point of being able to count, let alone attempt to register, all the computers, apps and storage systems that hold personal data. The new Data Protection Act passed in May defines personal data as any information relating to an identified or identifiable living individual; as well as our names, addresses and dates of birth, this now includes markers of our digital identities, such as IP addresses and biometric data. The new legislation brings into law the General Data Protection Regulation (GDPR) that came into force across the EU in May.
GDPR replaces the Data Protection Directive 1995, which was the first attempt to harmonise EU law in this area. Data controllers, who decide the purposes for which and manner in which people’s personal data will be used, and data processors, who deal with the data – collect it, store it, amend it, implement its use – on behalf of the controller, must observe certain principles. Among other things, the data they control and process ‘must be accurate and, where necessary, kept up to date’; it must be ‘adequate, relevant and limited to what is necessary’ to the purpose for which it is used; it must be ‘kept in a form which permits identification of data subjects for no longer than is necessary’. Consent, transparency and accountability are the watchwords, and the threshold is especially high for categories of data classed as ‘sensitive’: a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs; whether or not they belong to a trade union; their health records and details of their sex lives. Unlike the 1995 directive, GDPR is legally binding. Not only do we now have to ‘opt in’, to give explicit consent for the use of our data (no more ending up on mailing lists because you didn’t notice the opt-out box), but both data controllers and processors will be liable to fines for breaches. (The Data Protection Act makes company directors personally liable: EU member states were allowed to determine the penalties under the GDPR.) The maximum fine in the UK used to be £500,000 (the Crown Prosecution Service was fined £325,000 in May for losing unencrypted DVDs containing recordings of police interviews), but under GDPR it will be €20 million, or 4 per cent of annual worldwide turnover, whichever is higher.
The Facebook-Cambridge Analytica scandal was a reminder, were it needed, of how easily our data can be obtained and misused. It is vulnerable to companies, hackers, blaggers, the media, advertisers, public authorities, the intelligence services and the police. The new legislation gives us, in our parallel identity as ‘data subjects’, extensive control over our personal information. Following the introduction of the ‘right to be forgotten’ by the Court of Justice of the European Union in the Google Spain case of 2014, GDPR also enshrines the right to demand the erasure of personal data; if a request is upheld, the data controller will have to ensure that third parties with whom they have shared it delete it too. But such rights come at a price. There are concerns about the consequences for freedom of expression.
Personal information and human stories are the raw material of journalism. The right to privacy is often in tension with journalistic inquiry. But in recent years there have been several cases, brought into the spotlight by the Leveson Inquiry, where journalists’ acquisition and use of personal data has been in outright violation of the law. In 2003 the Information Commissioner’s Office (ICO) carried out Operation Motorman, which uncovered an extensive illegal trade in confidential personal data. The main player was a private investigator Steve Whittamore, who had access through his contacts to DVLA records and BT accounts, and had supplied information to 305 journalists – the Observer, the Daily Mirror and the Daily Mail were among the newspapers that used his services. In March this year, the self-confessed blagger turned whistleblower John Ford revealed the tactics he had used over a period of 15 years up to 2010 to obtain information illegally for newspapers; on one occasion he impersonated William Hague on the phone to get access to his bank account. Many believe that such malpractice continues.
But the new laws are not intended to impede the business of legitimate daily journalism. The Data Protection Act recognises the ‘special importance of the public interest in the freedom of expression and information’, and allows exemptions for journalistic, literary, artistic and academic expression where data is processed with a view to publication, where there is a reasonable belief that publication is in the public interest and that compliance would be ‘incompatible with the special purposes’. At the same time, the Act makes no distinction between personal and private data, between information that many of us might reveal in the course of our daily lives and the most intimate details that we might only share with our partner or doctor. In its guidelines for journalists (due to be replaced by a statutory code), the ICO states that ‘anything about a person can be personal data, even if it is innocuous or widely known.’ That might include a person’s job, education, the town they live in and the organisations they belong to.
The strength of the journalistic exemption has yet to be properly tested in litigation. ‘That can pose difficulties,’ according to Nicola Cain, a leading media lawyer ‘both prior to publication and when faced with a complaint, as the boundaries may be unclear, especially to those who are unfamiliar with the area.’ The very lack of certainty, in other words, might have a chilling effect. Over the past few years, data protection claims against the media have increased. It appears that they are being deployed as a new form of reputation management: there is no time limitation on claims, no defence for truth or honest opinion, and no requirement to demonstrate serious harm, as there is with libel. Every stage in the practice of journalism is potentially vulnerable to challenge under data protection laws – from researching a story to maintaining archives. Challenges can range from a request that a wedding announcement be removed (this is an actual instance), not because it was inaccurate, but simply because one of the parties no longer wished it to be public, to a ‘subject access request’ for all the information that a newspaper holds about an individual. ‘It can be used to seize up an organisation, halt you and distract you,’ one lawyer said to me. In another recent instance, an individual asked that their name be removed from a story in which they were identified. The story itself was of substantial public interest, but the newspaper found it hard to argue that the reference to the individual was itself in the public interest, since they were incidental to the story, included primarily to add context and colour. One media lawyer told me that newspapers often now self-censor rather than risk potentially costly legal battles; some are reassessing the limits of public interest and the parameters of reporting.
Lord Leveson proposed significantly limiting the scope of the exemption for journalism and giving the information commissioner stronger enforcement powers. Conducted in the long wake of his inquiry, the passage through Parliament of the new Data Protection Act became the occasion for further battles over press regulation. The Lords made two attempts to vote through costs provisions that would have severely penalised media organisations prosecuted for data protection violations – even if they ended up winning the case – if they weren’t signed up to a recognised regulator. They also voted for an inquiry into unlawful data processing and other improper conduct by news publishers. (The inquiry was rejected in the Commons by a narrow majority, while the costs provisions were ultimately withdrawn from the bill.) An earlier draft of the bill dropped an extension to the role of the information commissioner: there were concerns that the commissioner would acquire the power to censor articles before publication. In the last stages before the bill was passed, the government made concessions – including a five-yearly review by the ICO of media compliance with data protection laws and a report by the secretary of state every three years on the effectiveness of the press’s procedures for alternative dispute resolution – which once again raised concerns about the potential for state interference in the regulation of the media.
Archives are vulnerable. A newspaper report, for example, that may have been of significant public interest when it was published ten years ago might be open to challenge regarding its continuing relevance, accuracy or public interest. The government has given assurances that archives will be protected, but the Data Protection Act leaves room for doubt: the exemptions made may not apply to material that is likely to cause data subjects ‘substantial damage or substantial distress’.
In 2008 Max Mosley took the News of the World to court for invading his privacy after the newspaper published photographs – and, online, video footage – from a sex party it had secretly filmed, and which it described in the accompanying story as a Nazi orgy. The court awarded Mosley unprecedented damages of £60,000, having found no evidence to support the paper’s allegation that the party had a Nazi theme (the NoW had given this as the basis of its claim that the story was in the public interest). The same year, Mosley went to the European Court of Human Rights arguing that the media should have to give advance notice when they intend to publish stories about people’s private lives – the case was rejected. And in February this year, Mosley sought the removal of stories referring to the party from the online archives of the Daily Mail, the Daily Mirror, the Sun and the Times. The now notorious story has been so widely reported and referred to that it would be all but impossible to wipe from the public domain. The irony is that Mosley’s pursuit of the press over the past decade has ensured not only that the News of the World’s story remains in the news, but that it is now of greater public interest than when it was first published.
Mosley has also taken issue with reports that he has personally financed and exerts influence on the press regulator Impress, an independent body set up in the wake of the Leveson Inquiry and the first to be recognised under the Royal Charter. It has 106 members – Ipso, the dominant, industry-funded regulator, has 1500 – and no national newspaper has joined. Impress has underlined the importance of placing a firewall between itself and its donors to guarantee its independence. It is funded by the Independent Press Regulation Trust, whose donations come solely from the Alexander Mosley Charitable Trust. The News Media Association is currently challenging the state-backed recognition of Impress in the Court of Appeal (after losing in the High Court last year); it’s the latest stage in a face-off between the media and the press regulation lobby represented by Hacked Off, which is taking the government to court this autumn over its decision to cancel the second part of the Leveson Inquiry.
Perhaps the most significant of Mosley’s legal successes have been in the suits he brought against Google in the French and German courts to prevent it returning search results in those countries linking to the photographs published by the News of the World. Many categories of online content are not covered by the exemptions for freedom of expression under GDPR, including search engine indexing (the service provided by Google and others that answers our searches for information), social networking, general self-expression by individuals, evaluation sites and rating sites. Daphne Keller of Stanford Law School has warned that the ambiguity of the law on these matters will lead to the censorship of legitimate content. Data subjects can, for example, require controllers to restrict access to online content by making an allegation of its inaccuracy, even before it has been determined whether or not their claim is valid. Data protection law is, as Keller sees it, ‘a powerful new tool for abusive claimants to hide information from the public’.
Google, in its most recent transparency report, recorded that since the ‘right to be forgotten’ case in 2014, it has received requests that it delist more than 2.5 million URLs. It has accepted and acted on 44 per cent of these requests; 18 per cent of the URLs delisted since January 2016 are categorised as news. Earlier this year, Google tried (and failed) to take advantage of the journalistic exemption in its argument at the first ‘right to be forgotten’ case to be heard in the UK. The media is concerned that claimants will be able to bypass the protections for journalism by getting Google to delist stories that may be of public interest. While Google informs the media of stories that will be delisted, it does not provide the grounds of the complaint; the original publisher isn’t informed when delisting claims against Google are heard by the ICO.
Newspapers are already reporting a rise in requests for the removal of content since the passage of the new legislation. It is now nearly a decade since the European Commission launched its data protection strategy, but it is the courts that will have to continue to weigh the balance between privacy and freedom of expression. Meanwhile, the government is committed to retaining the principles of GDPR after Brexit, but that hasn’t stopped the Home Affairs Select Committee issuing an alarming report detailing the potential for problems after we leave the EU. Certain items in the Data Protection Act, among them an exemption that may deny individuals access to Home Office data on their immigration cases, may not meet EU standards. The failure to include the EU Charter of Fundamental Rights in the withdrawal bill is likely to affect not only data protection but other essential rights too. Freedom of expression may turn out to be the least of our worries.