A guest post by Dr David Erdos, University Lecturer in Law and the Open Society, University of Cambridge
In the run up to Christmas, the Information Commissioner’s Office (ICO) published a document entitled “Our new approach to data protection concerns”, which set out on a consultation basis how from 1 April 2014 it intends to deal with the concerns/complaints it receives vis-à-vis the Data Protection Act 1998.
It has been clear for some time that, rather in contrast to how it deals with complaints under the Freedom of Information Act 2000, the ICO’s approach to many of the approximately 40,000 Data Protection complaints it receives has been cursory. The proposals forwarded in the Consultation Document are nevertheless (to my mind at least) rather startling. In sum (and without any April Foolery intended!), the document states that from 1 April, the Office proposes to decide on its own account whether or not to assess the merits of a concern validly sent to it for assessment under the Data Protection framework. A quote on page 6 of the document is particularly enlightening. This states that in the future the ICO will respond to such concerns in the following fashion:
We may make an assessment under section 42 of the DPA where we think this adds value or where the customer has asked us to do so. We may simply offer advice to both parties and ask the organisation to take ownership of their customer or client’s concern. We will decide how we can best tackle each concern on a case by case basis. (emphasis added)
(Relatedly, it also seems to be no accident that the consultation is squarely aimed at those who are regulated by the ICO i.e. Data Controllers (indeed all the discrete questions asked could only be answered by them!) even though such a radical proposal obviously has serious implications for Data Subjects as well).
The ICO’s suggested approach is hugely problematic from a rule of law point of view. Section 42 of the Data Protection Act is crystal clear that “any person who is, or believes himself to be, directly affect by any processing of personal data” may make a request for assessment to the ICO “as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions” of the Act. On receiving such a request the Commissioner “shall make an assessment” (s. 42 (1)) (emphasis added). This duty is an absolute one and whether it has been carried out must also be communicated to the person who made the request (s. 42 (4)). All this is a transposition of Article 28(4) of the Directive which states that
Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of persona data. The person concerned shall be informed of the outcome of the claim.
The Directive particularly emphasises that the authority must hear claims for checks on the lawfulness of any restriction on Data Protection rights adopted by Member States under Article 13 of the Directive and that the person who made the claim shall “be informed that a check has taken place”. It is true that the UK legislation includes some language granting a degree of discretion to the Commissioner as to how he goes about making assessments. However, the obligation to carry out a legal assessment of processing vis-à-vis the Data Protection framework is mandatory. In contrast the ICO’s Consultation Document sees responding to concerns/complaints from the public with such an assessment as discretionary. From now on, it is suggested, a very large number of concerns/complaints will only be treated as a “source of intelligence” (p. 8) for the Office.
It is, of course, possible to have some sympathy for the ICO’s fear of being over-burdened by complaints, especially those which appear to be frivolous or vexatious. Even if this was accepted, however, one might reasonably worry about giving a regulatory agency, particularly one concerned with human rights, the sort of carte blanche discretion the ICO are envisaging in this Consultation. This discretion sits particularly uneasily with the pan-European commitment in the EU’s Charter of Fundamental Rights to recognise Data Protection as a discrete fundamental individual right, the duties arising from which are to be “subject to control” by the data protection agencies (Article 8). In any case, what is far more relevant from a rule of law perspective is that such a wide discretion is not part of the current legislative framework at either the national or the pan-EU level. To the contrary, the ICO has a statutory duty to consider all bona fide requests for assessment. This is a key right given to data subjects under the current Data Protection scheme. The ICO should not be seeking to unilaterally resile from it.
The ICO’s Consultation Document can be accessed here (http://www.ico.org.uk/about_us/consultations/our_consultations) and responses should be sent to email@example.com by 31 January 2014.