On January 28, 2013, the London office of Hunton & Williams marked European Data Privacy Day with the launch of the fourth edition of Data Protection Law & Practice, written by Senior Attorney Rosemary Jay. A panel comprised of the current UK Information Commissioner, Christopher Graham; his three predecessors, Eric Howe CBE, Elizabeth France CBE and Richard Thomas CBE; and the UK Minister of State for Justice, Lord McNally, spoke at the event and provided a retrospective on data protection in the United Kingdom since the Information Commissioner’s Office’s (“ICO’s”) inception in 1984.
The Early Years – 1984 to 1994
The Data Protection Registrar was the first UK data protection regulator, and Eric Howe CBE served in this role from September 1984 to September 1994. Howe’s appointment pre-dated the European Data Protection Directive (Directive 95/46/EC), and as Registrar he oversaw the introduction of the UK Data Protection Act 1984, promoted better understanding of the Act, and handled inquiries and complaints relating to the Act. Howe set up the first system of registration for data users (as they were then called), encouraged the development of sectoral codes of practice, provided education, raised awareness of data protection and managed privacy-related complaints. He initiated several major enforcement actions, including actions against the credit reference agencies and an action to enforce the use of the first “fair processing” notices.
Howe explained the challenges he faced in establishing the Registrar and employing the first staff. In setting up the registration system for data users, his office focused on major UK data controllers. The system required controllers to complete lengthy questionnaires, reflecting the fact that, at that time, data processing took place on a handful of large mainframe computers.
Howe’s office worked with industry bodies to create voluntary codes of practice. In general, he said he does not believe that self-regulatory systems without statutory enforcement are successful; he believes, however, that the direct marketing code of practice launched during his tenure was a notable success.
A Period of Significant Legislative Change – 1994 to 2002
Elizabeth France CBE became the second Data Protection Registrar in September 1994. She served until December 2002. At the start of her tenure, there were approximately 100 staff dealing with data protection matters across the UK. The EU Data Protection Directive was formally adopted by the EU in 1995. The Data Protection Act 1998, which implemented the Directive in the UK, received Royal Assent in 1999, with the majority of the Act becoming effective in 2000. France oversaw significant changes in the law as the 1998 Act was significantly more stringent than the 1984 Act. She also oversaw the introduction of the Freedom of Information Act 2000 in January 2001, for which the Commissioner’s office became responsible. The name of the office was changed to its current name (the ICO) in 2001.
France noted that many of the issues that arose during her time in office are the same issues that we face today, yet there are differences in our understanding of the issues as well as in the rapidly changing technology. She also noted that the most significant technological advancement during her time as Registrar was the widespread use of PCs. This meant that processing activities could be undertaken throughout organizations by all employees, rather than being limited to individual mainframe computers in isolated silos, to which only a limited number of employees had access. Consequently, data protection became an issue that every employee needed to understand.
France oversaw the introduction of the Freedom of Information Act 2000 and praised the fact that data protection and freedom of information are regulated by a single regulator in the UK. France suggested that a single responsible regulator takes data protection and freedom of information into account at one time and balances the needs and requirements of both sets of issues. In her view, bifurcating these issues between separate regulators could result in skewed or contradictory decisions.
Prior to her appointment as the second Data Protection Registrar, France worked at the Home Office, and she was aware of some skepticism about the ability of the regulator to regulate independently. She had the opportunity to demonstrate her willingness to challenge the Home Office during the early days of her tenure, when the Government sought to introduce national ID cards.
Finally, France noted that during her period in office, the language of data protection changed. Under the 1984 Act, the language was fairly technical and was limited to “data protection.” Over time, language relating to human rights was borrowed and developed. During her tenure, people began to speak of “privacy.”
The Emergence of the “Surveillance Society” – 2002 to 2009
Richard Thomas CBE headed the office from November 2002 until 2009, during which time it was named the ICO. In 2003, the ICO set up regional offices in Northern Ireland, Scotland and Wales. The role of the Commissioner expanded to manage the increased responsibilities set forth under the 1998 Act and Freedom of Information Act which came into full effect in 2005. During his time in office, Thomas campaigned actively for the Commissioner to be granted stronger enforcement powers. He oversaw a number of high-profile cases and issues, including the investigation into the Construction Industry blacklist. He led the ICO’s response to the proposals for a National Identity Register and instituted a report on the surveillance society.
Each of the Commissioners commended the work of their office and paid tribute to the diligent and creative staff who worked with them over the years. Thomas acknowledged that his famous phrase “sleepwalking into a surveillance state” was the inspiration of a colleague.
During Thomas’ tenure, he resisted the introduction of a number of national databases. These included biometric national ID cards, ContactPoint (a proposed database of every child in the UK) and the electronic register of national health records.
He also developed the ICO’s approach to enforcement, taking a strategic, risk-based approach. He campaigned for the introduction of monetary penalties for serious breaches of the 1998 Act, and also campaigned for the introduction of custodial sentences for Section 55 offenses (unlawfully obtaining personal data).
Present Day – 2009 to Today
In 2009, the current Information Commissioner, Christopher Graham, succeeded Richard Thomas. In 2010, the Commissioner was granted new powers to issue monetary penalties of up to £500,000, as well as audit powers in relation to parts of the public sector. The Commissioner has made significant use of these powers, particularly in response to security breaches. The ICO today has 350 staff and an annual budget of nearly £20 million.
During his address, Commissioner Graham announced a new pilot scheme to raise data protection awareness in schools, which he hopes will become national. This initiative continues the ICO’s work to educate and inform, not only data controllers, but also individuals who must bear some responsibility for the protection of their personal data. Commissioner Graham also spoke of the ICO’s current push to ensure that it impacts all communities equally and provides equal opportunities with respect to information rights.
In relation to the proposed revised EU data protection framework, Commissioner Graham emphasized that regulation should concentrate on the “what” and not the “how,” and cautioned against overly prescribed details at the risk of losing sight of the fundamental rights to be protected.
View of the Government
Minister of State for Justice Lord McNally welcomed the independence of the ICO and the invaluable advice it has provided to the Government over the years. The ICO is currently advising the Government on the European Commission’s proposed reforms. With respect to those proposals, Lord McNally similarly cautioned against a “tick-box” approach to regulation, and emphasized the importance of weighing individual rights against the empowering potential of new technologies.
This Hunton & Williams event on European Data Privacy Day was the first time the current and each of the former Commissioners formally gathered together. Their comments highlighted both the changes in UK data protection over the last 30 years, as well as the traditional themes of protection, education and enforcement.