Law, Justice and Journalism

Posts Tagged ‘data protection’

Open justice in the digital era and data protection

In Events, Journalism, Justice, Research on June 5, 2013 at 10:21 am

By Judith Townend

I had the chance to discuss the Centre’s ‘Open Justice in the Digital Era’ project yesterday, at the first joint seminar of the DP Forum and NADPO (The National Association of Data Protection Officers).

The theme was ‘The challenges of complying with evolving standards’, and the other speakers included: Martin Hoskins, data protection consultant; Judith Jones, Group Manager, Government & Society, Information Commissioner’s Officer; Robert Bond, Head of Data Protection and Information Security at Speechly Bircham; and Lynne Wyeth, Head of Information Governance, Leicester City Council.

It provided a fascinating insight into the regulatory and legal challenges ahead (especially in view of the EC’s draft General Data Protection Regulation*), both in terms of the theoretical framework and practical issues on the ground for DP officers (whose number is set to increase, if EC proposals go ahead).

I introduced the Centre for Law, Justice and Journalism’s ‘Open Justice in the Digital Era’ project and the privacy-related issues we have stumbled upon, in discussing potential recommendations for more efficient and systematic digitisation of courts information. There are important issues to consider around Data Protection, Rehabilitation of Offenders and the ‘Right to be Forgotten’, a concept included in the draft Regulation.

A quick summary can be found on my Meeja Law blog.

*A vote on on the lead rapporteur’s report regarding amendments to the Proposed Regulation, scheduled for 29 May, has been postponed, as a result of the high number of amendments to consider.

Lorna Woods: Leveson, the ICO and Data Protection

In Journalism, Law, Media regulation, Research, Resources on March 25, 2013 at 8:57 am

By Professor Lorna Woods

One aspect of the Leveson recommendations that seems to have escaped the headlines is that relating to data protection, though implementation of his recommendations could give those adversely affected by media treatment of their personal data some tools.

Section 32 Data Protection Act provides an exception to data processing rules in relation to a number of ‘special purposes’, which includes media purposes.  The scope of the exemption is pretty broad: it provides an exemption to non-compliance with any of the Data Protection Principles except the Seventh Principle (security), the right of access and objection (Ss32(2)(a) Data Protection Act).

This exemption is available provided the press-related data controller believes that the special importance of the public interest in freedom of expression is served by the processing of personal data, and that the processing of such data is with a view to publication.

The terms of the Act in this regard are thus vague and potentially subjective; they do not really give any clear steer on when processing of data might be protected.  Section 32(3) specifically provides, however, that when considering whether such belief was reasonable, “regard may be had to [a data controller’s] compliance with any code of practice” and provides that such codes may be designated by statutory instrument.

While there are existing codes for journalists (which are not limited to the PCC Code (SI 2000/1864), but include those put together by other media organisations, e.g. the BBC), they are not sufficiently detailed guidance on data protection obligations either.  Section 51 Data Protection Act empowers the drawing up of codes of good practice, or encouraging trade associations so to do. On this basis the ICO consulted (close date 15th March) on the intention to produce a code of conduct aimed at media organisations, including but not limited to the press, as it proposed in its response to the Leveson Report.

So given that there are existing codes under the system, what is the big deal about a new code?  Well, if it is designated under s.32(3), then this brings into play the (statutory) enforcement procedures under the Data Protection Act.  Given the monetary penalties that the ICO can now apply, this might get some attention.

More generally, the ICO has committed itself –again in response to Leveson – to “provid[ing] regular updates to Parliament on the effectiveness of the measures we are adopting in response to Lord Justice Leveson’s recommendations and more generally on our assessment of the culture, practices and ethics of the press in relation to the processing of personal data”. This may give evidence about whether any new system of regulation is working which, crucially, comes from outside the system.

This then re-emphasises the importance of the scope of the journalistic exception and the meaning of ‘public interest in freedom of expression’, which is presumably tied in to the fourth estate capacity of the media, rather than its capacity for spreading rumour and gossip.

Further, how closely connected must the processing of the data be to the publication of a story to benefit from the exception? Mr Jay made this point at the Leveson Inquiry:  when the press obtains an ex-directory number (for hacking purposes), is it likely that the press would publish the ex-directory number? The answer is “no”, so presumably processing such material cannot benefit from Article 32.

Read the rest of this entry »

Lorna Woods: Google and Data Protection – Again!

In Comment, Law on March 16, 2012 at 9:52 am

By Professor Lorna Woods

A new reference has landed on the ECJ’s desk: Google Spain and Google (Case C-131/12) from the Audiencia Nacional in Spain.

The ECJ official website is a bit thin on details, but this seems to be the same case reported by Reuters. That case concerns the right to be forgotten – implicit in the current data protection regime (but which would be made explicit were the draft Data Protection Regulation ever to come in to being).

While the judge apparently referred a number of questions, including one about jurisdiction, the central issue is whether Google should be obliged to delete data referring to individuals.  The impetus for the cases comes from aggrieved individuals who have applied to the Spanish data protection authority to have information deleted.  This case is likely to be one that is closely watched given the likely stormy passage of the proposed Data Protection Regulation.

Central to the discussion will be the relationship between the e-Commerce Directive (Directive 2000/31/EC) and the Data Protection Directive. While the e-Commerce Directive shields ISPs from liability in a range of circumstances, that directive is expressed not to apply to ‘questions relating to information society services covered by Directives 95/46/EC and 97/66/EC’ (article 1(5)(b) e-Commerce Directive and Recital 14).  Directive 95/46/EC is, of course, the current Data Protection Directive.

Google is, of course, not unfamiliar with the exception to the e-Commerce Directive, as it arose when directors of Google were charged under Italian data protection laws relating to user generated content (UGC) posted on a You-Tube type service operated by Google.  The UGC was a clip from a mobile phone which showed some boys bullying another boy with Downs Syndrome.  The Google executives were given 6 month suspended gaol sentences.  A decision on appeal was due to be handed down by the Court of Appeal in Milan in 2011, though in September the case, according to one of those involved (Peter Fleischer) had not been assigned.  One would hope that in the interests of timely just that this issue is decided before the ECJ hands down its ruling in Case C-131/12.

If the non-availability of the hosting exceptions, then presumably the key issue is the scope of the rights under the DPD.  Therein lies the rub.  While the DPD is set against a privacy (Article 8 ECHR) backdrop, it does not grant any particular right to be forgotten.  Instead, the DPD provides how data should be managed, which includes the archiving and deletion obligations. How far the ECJ is prepared to push this, especially in the light of data protection as a fully fledged right in the EU Charter, remains to be seen.  This is the new contentious issue in the privacy/freedom of expression debate.  For a range of views see: Google’s privacy counsel; a security consultant; and an academic viewpoint [PDF], among, no doubt, many more.

Follow

Get every new post delivered to your Inbox.

Join 587 other followers