ICO indicates that (non-recreational) bloggers must register with them

I think I am liable to register with the ICO, and so are countless others. But I also think this means there needs to be a debate about what this, and future plans for levying a fee on data controllers, mean for freedom of expression.

Recently I wrote about whether I, as a blogger, had a legal obligation to register with the Information Commissioner’s Office (ICO) the fact that I was processing personal data (and the purposes for which it was processed). As I said at the time, I asked the ICO whether I had such an obligation, and they said

from the information you have provided it would be unlikely that you would be required to register in respect of your blogs and tweets

However, I asked them for clarification on this point. I noted that I couldn’t see any exemption from the obligation to register, unless it was the general exemption (at section 36) from the Data Protection Act 1998 (DPA) where the processing is only for “domestic purposes”, which include “recreational purposes”. I noted that, as someone writing a semi-professional blog, I could hardly rely on the fact I do this only for recreational purposes. The ICO’s reply is illuminating

if you were blogging only for your own recreational purposes, it would be unlikely that you would need to register as a data controller. However, you have explained that your blogging is not just for recreational purposes. If you are sharing your views in order to further some other purpose, and this is likely to impact on third parties, then you should consider registering.

I know this is couched in rather vague terms – “if”…“likely”…“consider” – but it certainly suggests that merely being a non-professional blogger does not exempt me from having to register with a statutory regulator.

Those paying careful attention might understand the implications of this: millions of people every day share their views online, in order to further some purpose, in a way that “is likely to impact on third parties”. When poor Bodil Lindqvist got convicted in the Swedish courts in 2003 that is just what she was doing, and the Court of Justice of the European Union held that, under the European Data Protection Directive, she was processing personal data as a data controller, and consequently had legal obligations under data protection law to process data fairly, i.e. by not writing about a fellow churchgoer’s broken leg etc. without informing them/giving them an opportunity to object.

And there, in my last paragraph, you have an example of me processing personal data – I have published (i.e. processed) sensitive (i.e. criminal conviction) personal data (i.e. of an identifiable individual). I am a data controller. Surely I have to register with the ICO? Section 17 of the DPA says that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the ICO, unless an exemption applies. The “domestic purposes” exemption doesn’t wash – the ICO has confirmed that[1], and none of the exemptions apply. I have to register.

But if I have to register (and I will, because if I continue to process personal data without a registration I am potentially committing a criminal offence) then so, surely, do the millions of other people throughout the country, and throughout the jurisdiction of the data protection directive, who publish personal data on the internet not solely for recreational purposes – all the citizen bloggers, campaigning tweeters, community facebookers and many, many others…

To single people out would be unfair, so I’m not going to identify individuals who I think potentially fall into these categories, with the following exception. In 2011 Barnet Council was roundly ridiculed for complaining to the ICO about the activities of a blogger who regularly criticised the council and its staff on his blog[2]. The Council asked the ICO to determine whether the blogger in question had failed in his legal obligation to register with the ICO in order to legitimise his processing of personal data. The ICO’s response was

If the ICO were to take the approach of requiring all individuals running a blog to notify as a data controller … it would lead to a situation where the ICO is expected to rule on what is acceptable for one individual to say about another. Requiring all bloggers to register with this office and comply with the parts of the DPA exempted under Section 36 (of the Act) would, in our view, have a hugely disproportionate impact on freedom of expression.

But subsequently, the ICO was taken to task in the High Court on this general stance (but in unrelated proceedings) about being “expected to rule on what is acceptable for one individual to say about another”, with the judge saying

I do not find it possible to reconcile the views on the law expressed [by the ICO] with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully

And if now the ICO accepts that, at least those bloggers (like the one in the Camden case) who are not solely blogging for recreational purposes, might be required to register, it possibly indicates a fundamental change.

In response to my last blog post on this subject someone asked “why ruffle feathers?”. But I think this should lead to a societal debate: is it an unacceptable infringement of the principles of freedom of expression for the law to require registration with a state regulator before one can share one’s (non-recreational) views about individuals online? Or is it necessary for this legal restraint to be in place, to seek to protect individuals’ privacy rights? European data protection reforms propose the removal of the general obligation for a data controller to register with a data protection authority, but in the UK proposals are being made (because of the loss of ICO fee income that would come with this removal) that there be a levy on data controllers.

If such proposals come into effect it is profoundly important that there is indeed a debate about the terms on which the levy is made – or else we could all end up being liable to pay a tax to allow us to talk online.

[1] On a strict reading of the law, and the CJEU judgment in Lindqvist, the distinction between recreational and non-recreational expressions online does not exist, and any online expression about an identifiable individual would constitute processing of personal data. The “recreational” distinction does not exist in the data protection directive, and is solely a domestic provision.

[2] A confession: I joined in the ridicule, but was disabused of my error by the much better-informed Tim Turner. Not that I don’t think the Council’s actions were ill-judged.



Filed under Data Protection, Directive 95/46/EC, Information Commissioner, social media

10 responses to “ICO indicates that (non-recreational) bloggers must register with them”

  1. Food for thought. Given your paragraph on Bodil Lindqvist as an example of processing personal data, then only fiction is exempt? So we should all register simply to protect our backs or collectively refuse to do so, but be prepared to put a coin in the hat for a fellow blogger prosecuted for not registering?

    • I think I should perhaps stress that I’m going to register because in my role I think it would be hypocritical not to. But I’m also writing this piece to promote debate about the potential absurdity and societal nightmare of effectively everyone having to register with a regulator in order to make online utterances. I think the chance of a blogger/social media user being prosecuted is vanishingly small.

  2. Could the fact of non-registration be used by a third party in support of the argument that the blogger is not following the law and engaged in deliberate defamation? Given various threats that have come my way from my blogging on misconduct and fraud in science, I am somewhat sensitive to these issues…

    • That is an extraordinarily good question. And I’m afraid the answer could be “yes”. The first data protection principle requires that personal data be processed fairly *and lawfully*. If it is processed by a data controller who is not registered it is probably prima facie being processed unlawfully.

      BUT – if the personal data is processed for journalistic purposes there is an exemption from the first data protection principle (and all the others, except the 7th). So someone processing without a registration, but for journalistic purposes, does not have to comply with the first principle.

      As a non-lawyer I’m rather out of my depth here on the implications, but it’s a subject I’m hugely interested in. I may post further in due course.

  3. Alan M Dransfield

    If the ICO had their way we would all wear a VEXATIOUS electronic tag.

    Maybe Tool Time Timmy Turner will get the ICO snitches job and keep us all under control.

    • Tim Turner

      Mr Dransfield is, needless to say, one of the people who is probably breaking the law by blogging for a campaigning purpose without notifying the Information Commissioner.

      • Alan M Dransfield

        Timmy Turner is a big believer in the ICO and is always quick to point the finger at me and this time, by stating I am a LAW BREAKER?!?
        It is not me who is breaking the Law, it’s the ICO.
        It’s not me who is being vexatious, it is the ICO.
        Be patient TTT because the Court of Appeal case is still ongoing.

    • Alan – I’ve just deleted an offensive comment by you. Please don’t post abusive remarks.

