Happy 4th Birthday GDPR!
To celebrate 4 years since the GDPR came into effect, we’ve decided to release the first instalment of a blog series, informed by our very own Nigel Gooding’s dissertation, discussing whether or not the English and Welsh courts have diluted the legal right to access personal data. Funnily enough, our first instalment investigates the historical context and political climate which lead to GDPR and subsequent Data Protection Acts.
The prioritisation, development and implementation of the right to access (Article 15 of GDPR) by the English and Welsh courts, does not only reveal institutional attitudes towards our personal data, but towards the protection of our human rights. This is the first instalment of our blog series which discusses whether or not the aforementioned courts diluted the legal right to access data, informed by the dissertation of our very own founder Nigel Gooding.
Comprehension of the historical and statutory journey that brought us the contemporary legislation covering Right of Access, is an important step informing our judgement of English and Welsh court intention for three reasons;
- It develops a chronological footpath of the development of the Right over time, allowing for analysis and examination of the Courts and lawmakers.
- It tracks developments in technology since 1984.
- It can lend weighted evidence to the development of social influences such as the perceived rights of privacy.
Now that we’ve covered why it’s important to consider the historical context of GDPR’s storied evolution, shall we delve a little deeper?
The GDPR Background
At midnight on the 25th of May 2018, the GDPR became law across the 28 Countries of the European Union (the EU). At the same time the UK Data Protection Act 2018 had received royal assent. The 2018 Act acknowledged GDPR in Part 1 and made additions to the data protection regime in part 2. This was the third UK Data Protection Act since 1984 to include the right to access personal data into UK law.
The right of access under Article 15 only applies to personal data. This has always been the case, indeed the first test of any Data Controller or Court is to assess the request and its validity relating to personal data.
GDPR through Article 2 (1) encompasses personal data that is processed through electronic and manual filing systems. Whilst this comprehensive definition may seem obvious to the casual observer, in 1984 when introducing the Data Protection bill to parliament the Home Secretary Leon Brittan declared, ‘It does not apply to those who keep personal information only in manual form — in old-fashioned paper records’.
When a right is not actually a ‘Right’
In the UK, the right of access has been restricted through statute since its inception in 1984. Successive lawmakers have been consistent in articulating that the right of access is not an absolute right, and a balance between the Data Subjects’ rights and the burden on controllers needs to be made. Matt Hancock is the latest in a line of sponsoring ministers who gave the report evidence that their intention is a balance between statutory obligations. This provided clarity in the analysis as it showed a consistent legislative intention on which to base the assessment of the project question.
Prior to the 1981 Act there had been several attempts to introduce the general right to privacy and the right to access. The first attempt was introduced by Jim Callaghan, a Labour home secretary in 1970, who initiated the Younger Committee to review privacy. Efforts to consolidate data etiquette at this time was largely disregarded under Conservative leadership, however three years later a new Labour government (under the guidance of data protection’s original white knight Callaghan) established the Lindop Committee in 1978.
Contemporary Observers of the Lindrop report claimed that; ‘that the DPA should be given the task of striking the right balance between the interests of the Data Subject, user and community at large’. The Lindop report did not give, as Durbin states ‘that subjects should have an absolute right to inspect data about themselves’ but reflected on the view of the committee that discussed the right to access, and how it was a means to an end, rather than as ends in themselves.
In January 1981 The European Council opened the Convention for the Protection of Individuals concerning the Automatic processing; the memorably named ‘Convention 108. Convention 108 developed (in Article 5) a set of core principles for data undergoing automatic processing which bear resemblance to the current set of principles outlined in Article 5 of GDPR. The driver for the Convention was the increased use of technology in processing personal data and the Council of Europe’s recommendation 509. It recognised the need to protect personal data, alongside the rights and freedoms enshrined within Article 8 of the European Convention of Human Rights.
In Article 9 (1)(b) the right of access was firmly established within the convention:
“Every individual shall have a right: to obtain, on request, at reasonable intervals and without excessive delay or expense, confirmation of the processing of personal data relating to him or her, the communication in an intelligible form of the data processed, all available information on their origin, on the preservation period as well as any other information that the controller is required to provide in order to ensure the transparency of processing in accordance with Article 8, paragraph 1;”
The right of access, when read in a literal context is absolute. At first glance, when set aside the current Article 15 GDPR rights, they look broadly similar. The concept of the right of access was established, the UK became signatories on the 14th May 1981 and as Philip Coppel notes ‘By signing Convention 108, the United Kingdom had signified its willingness to enact data protection legislation’. The development of legislation took three years to enact, the 1984 Act received Royal Assent in July 1984. The Data Protection Act 1984, section 21 (1) now enshrined the right of access into law.
Analysis of UK Government intention with the 1984 Act
Delayed enactment of the 1984 Act were caused, not only by time constraints (earlier legislation was attempted as the 1983 General Election was approaching), but as A.C.M. Nutger believes, because the subject matter was innately too complex; ‘It appears from the debates that this was due in great part to the complexity of the subject. Members of both Houses were regularly perplexed by the technical subject matter of the Bill and the complexity of its structure.’ Indeed, the sponsoring minister shared the same concerns at the opening of the debate for the second reading of the bill:
“We do not have to be experts in computer technology, or fluent in the jargon of mainframes and minis and micros and optical character readers, to understand the implications of the Bill for the protection of the individual and the enhancement of his rights. I hope, therefore, that hon. Members will not allow the apparently technical nature of the subject matter to obscure the importance of the Bill as a protection both for individuals and for the business community.”
We can logically conclude that if parliamentarians struggled with the ‘technical’ nature of the bill then the legislation drafted is likely to have a minimal effect. This technical challenge is not restricted to the 1984 Act as parliamentarians brought forward similar concerns about their understanding of the 1998 Act. The role of the legislators is to provide scrutiny to enable the bill to pass into law with a clear understanding of the intention of the obligations the law sets on Data Controllers. A valid argument is that if parliamentarians could not grapple with the complexity of legislation in front of them, then how likely is it that Judges would have the same issue? We will return to this issue later in the next instalment of this blog series, when we utilise the ‘Durant’ case study to argue that the lack of clarity in areas of the 1998 Act (because of failure of parliamentary challenge) left judges with a vacuum to fill with judicial licence.
Interestingly, the 1984 Act never once mentions the word ‘privacy’ which was first and foremost at the heart of Article 1 of Convention 108 in 1981. The 1984 Act also contained other points of relevance for the analysis of the development of the current right of access. Data was defined as ‘information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose, excluding manual/paper data from the act. The report found that the 1984 Act’s right of access was not absolute in the minds of the law makers. The law in part 4 of the 1984 Act contained numerous exemptions to the right of access ranging from National Security to Examinations, thus the Act supported the notion of the right of access as a balance between Data Controllers, Data Subjects, and the state. We can therefore conclude that the 1984 Act was a balancing act for the UK government, with numerous (potentially competing) intentions to placate.