Data Protection used to be as geeky as the clunky Information Technology to which it related; but just as Apple has made computing cool, so data protection and privacy law has become all the rage these days, and rightfully so. Data hacks such as the recent Talk Talk disaster will still be fresh in many users’ minds. As our lives happen more and more online and become ever more interconnected, the law must keep up to protect the basic rights and freedoms which define liberal constitutional democracies. The law seems at long last to move into the right direction, albeit slowly.
In fact, there is so much happening in data protection and privacy at the moment, not a day appears to pass without some new development hitting the headlines. Here is a snapshot of just the last few weeks: first, there was the call by the Information Commissioner’s Office (ICO) (that is, basically, the best privacy guardian angel we have got for the time being in the UK) for tougher sentencing for people convicted of stealing personal data, including custodial sentences.
Next, as for the bigger picture, we had the announcement on the EU-US Privacy Shield for data transfers which was politically agreed last week. It is too early to say whether the new Privacy Shield now provides adequate protection for personal data passed from the EU to the US. However, one effect which the European Court of Justice’s ruling on Safe Harbor has certainly had is that companies’ privacy policies are under scrutiny more than ever before. As regards enforcement action in light of the declaration of invalidity of Safe Harbor, the ICO will continue to consider complaints under its regulatory policy but is clearly not rushing off its feet to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome. Contrast this with the CNIL, the French data protection authority, which seems rather more pro-active and issued a formal notice against Facebook earlier this week, including on the basis that it was still transferring data to the US under the now invalid Safe Harbor regime.
Also this week, a number of bodies went public with their reports on the draft Investigatory Powers Bill published on 4 November of last year. The consensus which emerges is that there are concerns. Rather fundamentally, the Bill does not cover all the agencies’ intrusive capabilities. This failure means that their various powers and authorisations remain scattered throughout different pieces of legislation; and that, as a result, the draft Bill is limited from the outset in the extent to which it can provide a clear and comprehensive legal framework to govern the use and oversight of investigatory powers. Furthermore, the provisions in relation to three of the key agency capabilities: equipment interference, bulk personal data-sets and communications data, are too broad and lack sufficient clarity. There is a need to ensure that the proposed new system of judicial oversight delivers the increased independence and oversight which have been promised; and vital protections for communications of lawyers and journalists must be safeguarded. But in reality the Bill should go further in strengthening privacy protections and provide universal privacy protections, not just those that apply to sensitive professions. The UK (and Europe) can and must do better by their citizens.
This article was originally published in Discover Germany and can be found here.
Hunters incorporating May, May & Merrimans