The Prime Minister, David Cameron, has expressed “serious concerns and misgivings” over bringing in laws to underpin any new body to regulate the press. Mr Cameron told MPs that legislation backing a regulatory body underpinned by statute would “cross the Rubicon” by writing elements of press regulation into the law for the “first time“. Because of this, Mr Cameron, is “not convinced at this stage that statute is necessary to achieve Lord Justice Leveson’s objectives”.
In my view the Rubicon has been already crossed and the press are already subject to a statutory framework and a statutory regulator. There is no “first time”. Mr Cameron has, like President George Bush, “mis-spoke” and the stated reason for not implementing Leveson’s requirement (i.e. that any new Press Regulator should also be underpinned by statute), simply does not wash.
Firstly, the statutory framework. In the Data Protection Act (“DPA”) there are the Special Purposes (e.g. journalism) and a Special Purpose enforcement mechanism (enforced by a statutory regulator – the ICO) underpinned by a statutory appeals mechanism (the Tribunal). Although the press don’t take much notice of the DPA because (wrongly) they think they are wholly exempt (via Section 32), there is a regulatory structure that applies to the personal data they process.
For instance, the Seventh Principle is not exempt from Section 32 and fully applies to all processing by the press. So, if the press lost personal data relating to “an exclusive exposure of a celebrity’s peccadillos” (say, for example, after a heavy liquid lunch on expenses that are not subject to FOI requests), that security breach would be a reportable data loss under the current data protection arrangements. Such a loss might even attract a Monetary Penalty Notice (a statutory penalty) as Sensitive Personal Data would have been lost.
In addition, the Section 32 exemption applies to those personal data processed “with a view to publication”. So those personal data not subject to a “view to publication” are fully subject to the Act (in other words, the section 32 exemption does not apply). For example, when the press unlawfully obtained ex-directory numbers, they had no intention to publish these numbers, so these personal data were not held “with a view to publication” (and the First Principle would apply fully).
Even with the Section 32 exemption the rest of the exemption was only meant to apply up to the point of publication. There are numerous cases involving judges applying the data protection principles to press activities. The point being made is that processing by the press is already subject to a statutory framework which is legally tested.
Indeed, in the post Leveson era, one can expect that much more processing by the press (that is, those things that are not going to be published) are identified as fully subject to the statutory-based DPA.
Even the existing Press Commission’s Code of Practice has already a statutory status under the DPA in exactly the same form as the “Ofcom Broadcasting Code” (originally published by the Broadcasting Standards Commission under section 107 of the Broadcasting Act 1996). Both these Codes, one voluntary the other statutory regulated, are equated by the “Data Protection (Designated Codes of Practice) (No. 2) Order 2000”
The explanatory memorandum for this Order states that both Codes have been designated “for the purposes of section 32(3) of the Data Protection Act 1998” and that
“Compliance with any of the designated codes may be taken into account when considering for the purposes of section 32(1)(b) of the Act whether the belief of a data controller that the publication of any journalistic, literary or artistic material would be in the public interest was reasonable”.
In other words, the personal data processed by the press are subject to a detailed statutory regime and the current Press Commission’s Code of Practice has a statutory underpinning in relation to that processing “in the public interest“.
So whatever the reason for not having a statutory provision that requires the independent regulator to be created, it is not “first time?”.
That is why my urgent telegram message to Mr Cameron is quite simple: “Rubicon crossed. Not “first time”. Valid excuse needed“.
This post originally appeared on the Hawktalk Blog and is reproduced with permission and thanks
But none of this solves the problem of how to decide whether something was in the public interest? The Data Protection Act doesn’t provide a definition, which makes it a pretty weak defence really – despite being critical to what the press does.
In fact, at a talk at UCL Martin Moore, director of the Media Standards Trust (which is now calling for statutory underpinning of independent press regulation) made this point: nowhere is a definition of the public interest spelt out in either common law or statute.
We have laws for privacy, we have laws for how intrusive the press can be. Enforce these and the excesses exposed by Leveson (on the privacy front, at least) are dealt with. But we don’t have laws which make it clear on what grounds the press can legitimately compromise privacy.