UK privacy laws are fundamentally flawed, report says

Out-Law News | 17 Aug 2011 | 2:56 pm | 4 min. read

UK laws fail to uphold individuals' privacy rights and must be reformed, a report commissioned by the Equality and Human Rights Commission (EHRC) has said.

Individuals' right to privacy is guaranteed in the European Convention on Human Rights and in UK law by the Human Rights Act.

UK laws have a "weak, fractured and piecemeal approach to privacy", researchers Charles Raab and Benjamin Goold said in the EHRC-commissioned report. Growing public and private sector demand for personal information is putting citizens' rights at risk, they said.

"The existing approach to the protection of information privacy in the UK is fundamentally flawed, and that there is a pressing need for widespread legislative reform in order to ensure that the rights contained in [the European Convention on Human Rights] are respected," the researchers' report (105-page / 733KB PDF) said.

"The right to privacy is at risk of being eroded by the growing demand for information by government and the private sector. Unless we start to reform the law and build a regulatory system capable of protecting information privacy, we may soon find that it is a thing of the past".

Privacy in the UK has been "transformed" by UK laws on human rights, data protection and the interception of communications, the report said. The Data Protection Act and the Regulation of Investigatory Powers Act (RIPA) are "riddled with gaps and contradictions" and they do not easily explain to people "what happens to their personal information, or what they should do when that information is misused," it said.

The Data Protection Act gives individuals rights over the use of their personally identifiable information and sets out rules that organisations in possession of personal data must abide by.

RIPA makes it unlawful for communications to be intercepted in most cases. Telecoms firms are allowed to unintentionally intercept communications in line with RIPA if the interception "takes place for purposes connected with the provision or operation of that service or with the enforcement, in relation to that service, of any enactment relating to the use of postal services or telecommunications services."

Law enforcement agencies can also force telecoms companies to hand over customers' details in order to tap phone, internet or email communications to protect the UK's national security interests, prevent and detect terrorism and serious crime or to safeguard the UK's economic well-being.

RIPA forces telecoms companies to gain consent from customers to their personal data being processed; however, an exception exists that allows police to prevent the companies informing customers if it would jeopardise the aim of preventing or detecting crime.

The state's use of personal information needs to be better regulated, the researchers' report said. The researchers said that too many privacy watchdogs implemented "disjointed" measures and that a "more, flexible, comprehensive approach to privacy" was needed.

"This involves reforming the law and the regulatory system to create a comprehensive privacy protection regime to supersede the piecemeal inventory of measures or ‘tools’ implemented in a disjointed fashion by various agents. The relevant regulatory agencies need to be strengthened," the report said.

"There should be an effort to rationalise and consolidate the current approach to the regulation of surveillance and data collection in the UK, with particular attention paid to the relationship between the various statutory Commissioners responsible for protecting information privacy," the report said.

Data protection watchdog the Information Commissioner's Office (ICO) and surveillance watchdog the Interception of Communications Commissioner (IoCC) are among those responsible for ensuring compliance with privacy aspects of UK laws. Currently the ICO has the power to fine organisations up to £500,000 for serious personal data breaches. The IoCC can issue fines of up to £50,000 for unlawful interceptions of communications.

The researchers recommended that "privacy principles" should be developed to help guide the development of new privacy laws and "the decisions of regulators and government agencies concerned with information privacy and data collection in different contexts".

Existing laws that "[touch] on privacy" should be reformed to reflect new privacy principles and enhance the privacy rights provided by the Human Rights Act, the report said.

"At minimum, such reform should consolidate and improve the existing RIPA and data protection regimes in relation to information privacy and surveillance," the report said.

The Government should promote the development of new technologies that offer better privacy protection, including those that offer 'privacy by design', and this should play an "integral" part of privacy reform, the researchers said.

"The development and use of technological and non-legal solutions to the problem of information privacy protection should be encouraged by government, and more resources devoted to public education and awareness around privacy," the researchers said.

The EHRC, which monitors compliance with human rights laws in the UK, issued recommendations based on the researchers' report. Current laws on information privacy should be streamlined to make it "easier for organisations to understand their responsibilities and simpler for citizens to know and use their rights," an EHRC statement said.

The EHRC also said that public organisations must "properly justify" their need for personal data and explain what it is to be used for. It said organisations that want to use personal data for purposes other than those they originally stated should have to go through a vetting process.

All requests for personal data must be justified and proportionate and public organisations should consider how new policies and practices would impact on the privacy of information, the EHRC said.

“It’s important that the government and its agencies have the information they need about us to do their job, for example to fight crime, or protect our health. However, the state is holding increasing amounts of information about our lives without us knowing, being able to check that it’s accurate or being able to challenge this effectively,” Geraldine Van Bueren, a Commissioner for the Equality and Human Rights Commission, said.

“This needs to change so that any need for personal information has to be clearly justified by the organisation that wants it. The law and regulatory framework needs to be simplified and in the meantime public authorities need to check what data they have and that it complies with the existing laws,” Van Bueren said.