On 15 August 2011 the Equality and Human Rights Commission published a Research Report entitled “Protecting Information Privacy”, written by Charles Raab (University of Edinburgh) and Benjamin Goold (University of British Columbia). The report examines the threats to information privacy that have emerged in recent years, focusing on the activities of the state. It makes a number of important recommendations. The report has, unfortunately, attracted very limited media attention and discussion – itself a symptom of the lack of attention to privacy issues which it identifies.
The Report argues that current privacy laws and regulation do not adequately uphold human rights, and that fundamental reform is required. The report identifies two principal areas of concern: the state’s handling of personal data, and the use of surveillance by public bodies.
The “key findings” of the report are summarised as follows:
- The privacy landscape has been transformed in recent years by a series of landmark legislative reforms, including the Human Rights Act, the Data Protection Act (“the DPA”) and the Regulation of Investigatory Powers Act (“RIPA”).
- There has also been a dramatic increase in the amount of personal information held by the public sector, due to technological developments and a steady expansion of the role of the state.
- The current system has a weak, fractured and piecemeal approach to privacy. Acts such as the DPA and RIPA are riddled with gaps and contradictions, and are interpreted, administered and overseen by a range of separate regulators, independent tribunals, and courts. As a consequence, it has become very difficult for individuals to understand what happens to their personal information, or what they should do when that information is misused. The current system has failed to protect privacy rights in a number of cases.
- The problem is likely to become more acute. The state’s demands for personal information will continue to grow in relation to national security, law enforcement and citizens’ access to public services. So far, this expansion has been accompanied by only a relatively small increase in the powers or resources available to regulatory authorities such as the Information Commissioner’s Office or the various Commissioners in the field of surveillance.
- A more flexible, comprehensive approach to privacy is needed, based on a firm commitment to Article 8 of the ECHR. This involves reforming the law and theregulatory system to create a comprehensive privacy protection regime tosupersede the piecemeal inventory of measures or ‘tools’ implemented in a disjointed fashion by various agents. The relevant regulatory agencies need to be strengthened.
- Law is essential: without legal specification of privacy rights, other instruments arelikely to be incapable of providing the remedies that individuals may need. The law needs to be flexible enough to respond to the many and varied threats to privacy.
- The principles written into law or underpinning it must be reflected in the specification of other instruments. These are seen as reinforcements andcomplements to the law and not as substitutes for, or weaker versions of, privacy laws.
- There are many ways of protecting privacy in addition to legal provisions, including self-regulatory approaches, ‘privacy-enhancing technologies’, ‘privacy by design’, and public awareness and education. Such complementary, non-legal approaches to the protection of information privacy have an important part to play in upholding information privacy rights.
The report makes four main recommendations:
(1) That a clear set of ‘privacy principles’ should be developed and used as the basis for future legislation, and to guide the decisions of regulators and government agencies concerned with information privacy and data collection in different contexts.
(2) Existing legislation relevant to privacy should be reformed to ensure that it is consistent with the privacy principles and that it enhances the provisions of the Human Rights Act. It is proposed that, at a minimum, such reform should consolidate and improve the existing RIPA and data protection regimes in relation to information privacy and surveillance.
(3) Greater regulatory coherence should be promoted. There should be an effort to rationalise and consolidate the current approach to the regulation of surveillance and data collection in the UK, with particular attention paid to the relationship between the various statutory Commissioners responsible for protecting information privacy.
(4) Improved technological, organisational, and other means of protection should play an integral part in information privacy protection. The development and use of technological and non-legal solutions to the problem of information privacy protection should be encouraged by government, and more resources devoted to public education and awareness around privacy.
Overall, the report concludes that
“the right to privacy is at risk of being eroded by the growing demand for information
by government and the private sector. Unless we start to reform the law and build a regulatory system capable of protecting information privacy, we may soon find that it is a thing of the past“.
Geraldine Van Bueren, a Commissioner for the Equality and Human Rights Commission said:
“ … any need for personal information has to be clearly justified by the organisation that wants it. The law and regulatory framework needs to be simplified and in the meantime public authorities need to check what data they have and that it complies with the existing laws.”
The Commission’s Press Release about the report can be found here.
The recommendations of the report cover some of the same ground as those of the Home Affairs Select Committee Report on ““Unauthorised tapping into or hacking of mobile telephone communications“ (see, in particular, Recommendations 3, 4 and 5). As already noted, despite the topicality of the issue, the report attracted very little media comment – press comment being confined to “Guardian Professional“, the “Metro” and a short report in the “Independent“.
Privacy issues have been high on the news agenda for several months – from “super-injunctions” to “phone hacking” – but neither the media nor the government appears to have the appetite for the throughgoing reform required to provide effective privacy protection.