Over the next few months, lawyers from Kingsley Napley will be blogging about how data protection law will change in their respective practice areas following the coming into effect in the UK of the EU’s General Data Protection Regulation (the “GDPR”) in May 2018.
As will be explained over the coming months, although the UK has voted to leave the EU individuals and businesses in the UK still need to have regard to the provisions of the GDPR and how it will change data protection law.
This first blog post will outline the history of the GDPR.
History of the GDPR
The protection of “personal data” – and in particular the corollary right to privacy – has long been regarded as an essential cornerstone of the laws making up the majority of the constituent states of Europe*. The legal measures protecting personal data rights date back to 1950 when the Council of Europe adopted the European Convention of Human Rights which, under Article 8, provides for a right to protection against the unlawful collection and use of personal data as part of a right to a private and family life. Further legal measures where adopted in subsequent decades to provide for more specific personal data protection rights.
In 1980, the Organisation for Economic Cooperation and Development (the “OECD”) issued guidelines on “the Protection of Privacy and Transborder Flows of Personal Data”. The OECD’s guidelines outlined a number of basic principles which OECD member states should adhere to in legislation to safeguard the data rights of citizens. These principles included the “use limitation principle” – that “[p]ersonal data should not be disclosed, made available or otherwise without the consent of the data subject or by the authority of law – and the “collection limitation principle” – that “[t]here should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject”.
The OECD’s guidelines were non-binding. However, the Council of Europe intervened in 1981 by agreeing a treaty for the “Protection of Individuals with regard to Automatic Processing of Personal Data”. This treaty, in effect from 1985, was the first binding international instrument which sought to protect the individual against the “abuses which may accompany the collection and processing of personal data” and which sought to “regulate … the transfrontier flow of personal data”.
Following the creation of the EU in 1993 (after the signing of the Treaty of Maastricht (a.k.a. the Treaty on European Union)) and the consequential increase in the European integration process, it was perhaps inevitable that the EU institutions (including in particular the European Commission (the “Commission”)) would seek to legislate in this area. Discussions on a possible data protection “directive” began in the early 1990s and were centred on the further protection of individual rights and the achievement of the internal market. These discussions culminated in the passing of the 1995 Data Protection Directive (Directive 95/46/EC) which came into effect on 13 December 1995.
Under EU law, a directive is a legislative provision that is “directed” at EU Member States to provide for a particular result without dictating the means of achieving that result. In the case of the Data Protection Directive, EU Member States had to implement the provisions of the Directive in their domestic legal systems by 24 October 1998. In the UK, the Directive was given effect by the Data Protection Act 1998 (the “DPA 1998”) which to this day remains the basis of UK domestic data protection law.
As noted above, the DPA 1998 was meant to give effect to the 1995 Data Protection Directive in domestic law. However, in certain respects the DPA 1998 has fallen short. The most notable and important example of this is section 13 of the DPA 1998.
Under section 13 of the DPA 1998 a data subject has a right to claim damages for a breach of his rights provided for by the DPA 1998. Section 13 creates two heads for a damages claim – section 13(1) says that compensation may be recovered for “damages”; section 13(2) says that damages may be recovered for “distress” but only in more limited circumstances, these being if “(a) the individual also suffers damage by reason of the contravention, or (b) the contravention relates to the processing of personal data for the special purposes” (“special purposes” here meaning for artistic, literary and journalistic purposes).
The effect of the drafting of section 13(2) was that in many cases “distress” could only be compensated where damage was also suffered under section 13(1). The concept of “distress” does not appear in the 1995 Data Protection Directive. In implementing the 1995 Directive, the UK had – through the DPA 1998 – seemingly failed to provide UK citizens with the protections they should had enjoyed had the Directive been implemented precisely. This lacuna in the law was not rectified until the judgment of the Court of Appeal in Google Inc v Vidal-Hall and others  EWCA Civ 311 in which the Court dis-applied section 13(2) so as to give proper effect to the Directive in domestic law. Now, an individual does not (if claiming damages for distress under section 13 following a DPA 1998 breach) have to demonstrate pecuniary loss.
The above issue points to a problem with the 1995 Data Protection Directive. Since EU Member States enjoyed discretion as to the implementation of the Directive in their own jurisdictions, data protection laws differ in practice across the EU. From the perspective of EU integration (and in particular the further achievement of the single market) this was unsatisfactory and, in 2009, the Commission began the process of considering a replacement framework for the 1995 Data Protection Directive.
In addition to the disharmony of data protection laws across the EU, a 2010 Commission paper recognised also how changing technology, increased cross-border data transfers, and a growing reliance on data more generally meant that the 1995 Data Protection Directive was becoming increasingly out of date. In 2012, the Commission therefore proposed that a new legislative framework should replace the Data Protection Directive.
The Commission argued that a “regulation” should replace the 1995 Directive. A regulation – a legal act of the EU that becomes immediately enforceable as law in all EU Member States simultaneously – was regarded as advantageous for reasons alluded to above. The Regulation would (by virtue of its legal status) contain measures that would harmonise data protection procedures and enforcement across the EU.
The UK Government, by contrast, argued from the outset that the Regulation should have been recast as a directive. This would have allowed for flexibility for Member States where required. Moreover, the Regulation would place to many prescriptive (and apparently onerous) obligations upon data controllers (for example, small businesses).
Ultimately, of course, the UK Government did not succeed in securing its aims and in April 2016, the European Parliament and the EU Council adopted the final version of the Regulation, bringing the legislative process to an end. The GDPR will come into force across the EU in May 2018.
This blog post began by asserting that the “protection of “personal data” – and in particular the corollary right to privacy – has long been regarded as an essential cornerstone of the laws making up the majority of the constituent states of Europe”. Truth be told, this was an oversimplification, particularly so when one considers this area of law from a UK perspective.
Under English law, neither the common law nor statute has ever recognised a free-standing “right to privacy”. Instead, the law has developed a series of related-actions under, amongst other things, the equitable doctrine of breach of confidence. This approach had an impact on domestic data protection law. The UK has always been reluctant to provide its citizens with positive data protection rights. Indeed, this attitude may explain the drafting behind section 13 of the DPA 1998. What, however, this blog post has tried to explain is that the UK has, in large part because of our political connections with Europe, been forced to bring its data protection law into line with the rest of Europe. The passing and enactment of the GDPR represents the culmination of this process, or at least it was until the UK voted to leave the EU. Further blog posts will therefore explore in detail how UK data protection law will change with the GDPR and Brexit.