EU data reform long overdue, says information commissioner

The European directive that led to the UK’s 1988 Data Protection Act is “scarcely fit for purpose”, says Christopher Graham

The 20-year-old European directive that led to the UK’s 1988 Data Protection Act is “scarcely fit for purpose”, says information commissioner Christopher Graham.

“Technology and the uses of data have raced further ahead of anything the law makers envisaged,” he told attendees of the 125th Roscoe lecture at Liverpool University.

Despite this fact, Graham said the institutions of the European Union are moving at “a snail’s pace” to approve reforms in a draft regulation that will apply uniformly across all member states.

This means data protection bodies, such as the UK’s Information Commissioner’s Office (ICO), have to face modern challenges without the support of modern legislation.

There is “no use sitting around complacently in some kind of Fortress Europe when a Russian website, registered in an Australian territory, with a domain name acquired in the USA, is streaming around the world live pictures from UK domestic webcams with inadequate password protection,” he said.

Safeguarding data privacy is a shared responsibility

Graham said the almost universal adoption of online communications, smartphones and other mobile devices, and the development of new applications to service the growing market, is raising all sorts of questions about the control people have over their own data.

“It has also encouraged governments to get involved – wanting to deliver services online by default and sometimes wanting access, in the name of security, to what we thought was private,” he said.

Sensible laws and sensible citizens can protect privacy and still enable good things to happen online

Christopher Graham, information commissioner

Graham warned that whatever individuals do online, they are leaving a trail of personal data which can be analysed, leading to ever-increasing compromises of privacy.

“Some people say, 'hey, that’s the modern world. Get over it.' But it doesn’t have to be like that. Sensible laws and sensible citizens can protect privacy and still enable good things to happen online,” he said.

Graham said “sensible data controllers” understand that customers will not support companies and brands that do not respect either their privacy or their intelligence.

“You can have the good things of digital services without the bad things, but we have to be realistic about what the law should do and what individuals should do to safeguard their own privacy,” he said.

For this reason, Graham said the laws have to be practical and realistic, and not require data protection authorities such as the ICO to enforce procedural obligations when the emphasis should be on promotion of good practice for data controllers and consumers.

He called instead for “proportionate, risk-based enforcement” where things go wrong.

But Graham said citizens and consumers need to be much more savvy about what is really going on when they access online services.

“There’s a major piece of work for the ICO going forward, raising awareness, providing advice, promoting privacy by design and privacy by default,” he said.

Graham said it was important at all times to balance the right to privacy with the right to know.

Thorough risk assessment essential

More extensive data sharing between public authorities to drive efficiencies is only a good idea, he said, if the privacy risks have been assessed.

He cited the plan for uploading patient information from GP surgeries to the Health and Social Care Information Centre as an example of a good idea that has been executed poorly.

“This depends crucially on citizen confidence – which, following last year’s botched communications exercise, is in short supply,” said Graham.

Another example, he said, is the continued uncertainty around the proper supervision of the surveillance activities of the security services following the Snowden revelations of 2013.

In cases such as the shootings in Paris, “we need cool heads to analyse carefully what information the security services had access to and how they used it before necessarily concluding that we must give them access to more and more of our private information”, he said.

“We must avoid knee-jerk reactions. In particular, I am concerned about any compromising of effective encryption for consumers of online services,” he added.

Finding the right balance between security and privacy

Graham said that while it is undesirable to have a situation where privacy is so absolute that it allows terrorists to operate without fear, it is equally undesirable to have a situation where the security imperative closes down every debate about rights and obligations.

While nobody said privacy was an absolute right, in matters of security we surely need an effective American style Privacy and Civil Liberties Oversight Board or the equivalent to find the right balance, he said.

Graham lamented that he is still waiting for a response from the Intelligence and Security Committee of Parliament a year after making his submission on the subject of consumer encryption and oversight arrangements.

However, he said it was encouraging to see the oversight issue is at least being addressed in the Counter Terrorism and Security Bill, and that the government is currently consulting on setting up a Privacy and Civil Liberties Board.

“We will need to be sure that what is proposed really would provide effective and balanced oversight,” said Graham. “The debates around the right to privacy and the right to know are of central importance to the way we live in the 21st century in a modern liberal democracy.”

Graham said finding the balance when those rights are in conflict is a key part of the information commissioner’s role.

Read more on Privacy and data protection