Thursday, August 24, 2006

Ministers plan to overturn key data protection principle

Douwe KorffTony Blair is threatening to abolish data protection rules within government, moving to a presumption that personal data will be shared between departments. My colleague Douwe Korff, a professor of human rights law, has written the following pungent analysis of this plan:

I already passed this on to German colleagues as an example of what happens if you don't have a constitutional base for data protection.

Of course, this proposal, if implemented, would basically throw data protection in the public sector out of the window: purpose-limitation is a (perhaps the) core principle of data protection. If implemented as reported, it would manifestly — indeed almost expressly and explicitly — violate the Council of Europe convention on data protection, the EU framework directive on data protection, various data protection guidelines adopted in the third pillar, etc.

I would argue that it would also violate article 8 of the European Convention on Human Rights and thus the Human Rights Act that incorporates the convention in UK law. However, that is a more complex line of reasoning, in that data protection is to be read into that article, which protects "private life" (among other things). The European Court of Human Rights is increasingly doing just that, and a manifest violation of the purpose-limitation principle is therefore likely to be held to also violate article 8. UK judges might do that too under the Human Rights Act, so it wouldn't have to wait to go all the way to Strasbourg.

My guess is that the government's own lawyers will be pointing all this out, and that when the proposal gets written up, it'll all be more subtle: they'll build tests into the law that would seem to restrict data sharing but that will in practice be so loosely applied as to make the purpose-limitation principle meaningless in the public sector (and will be deliberately drafted to allow for such lax application). Legal drafters in the UK are good at this, and often manage to persuade the court in Strasbourg that the law in some area is fine, even when practitioners know this is rubbish and the law is not applied in the way the government says it is.

In many other countries, the national data protection authority would issue an opinion on such a matter (indeed, is often required to issue such an opinion), but the Information Commissioner here is rather reluctant to do so…

No comments: