United Kingdom of Great Britain and Northern Ireland

The United Kingdom does not have a written constitution. In 1998, the Parliament approved the Human Rights Act to incorporate the European Convention on Human Rights into domestic law, a process that establishes an enforceable right of privacy.[1] The Act came into force on October 2, 2000. A number of cases, many related to celebrity privacy, have been decided or are pending in the courts.[2]

The Parliament approved the Data Protection Act in July 1998.[3] The legislation, which came into force on March 1, 2000, updates the 1984 Data Protection Act in accordance with the requirements of the European UnionÕs Data Protection Directive.[4] The Act covers records held by government agencies and private entities. It provides for limitations on the use of personal information, access to and correction of records and requires that entities that maintain records register with the Information Commissioner.

The Office of the Information Commissioner is an independent agency that maintains the register and enforces the Act.[5] As of March 31, 2002, there were 198,519 databases registered with the Commission.[6] The agency received 12, 479 requests for assessment and inquiries in 2001-2002.  There were 106 cases forwarded for prosecution resulting in 66 prosecutions and 33 convictions. The Commissioner has also issued a number of comprehensive reports for the public. She has published a Code of Practice for the use of Closed Circuit Television (CCTV)[7] and a study of the availability and use of personal information in public registers.[8] In October 2000, the Commissioner issued a draft code of guidance for employer/employee relationships.[9] In March 2002, the first part of this code, on data protection in recruitment and selection of employees was issued.[10] A second, on employee monitoring was released for public comment in April 2002.[11] Two further parts on employment records and medical information and testing will be issued over the next few months. The Commissioner is also responsible for enforcing the Telecommunications (Data Protection and Privacy) Regulations. These regulations came into force on March 1, 2000, and implement the 1997 European Union Telecommunications Directive.[12] They replaced the Telecommunications (Data Protection and Privacy) (Direct Marketing) Regulations 1998 which came into effect on May 1, 1999.  The current Commissioner, Elizabeth France announced in 2002 that she was not asking to be reappointed. In July 2002, Mr Richard Thomas was appointed as her successor. In September 2002, the 24th International Conference of Data Protection and Privacy Commissioners will be hosted by the British, Irish, Guernsey, Jersey and Isle of Man data protection authorities in Cardiff, Wales.[13]

The Regulation of Investigatory Powers Act became law in July 2000,[14] superceding the Interception of Communications Act of 1985.[15]  It authorizes the Home Secretary to issue warrants for the interception of communications and requires Communications Service Providers to provide a Òreasonable interception capabilityÓ in their networks. Telephone taps for national security purposes are authorized by the Foreign Minister. It further allows any public authority designated by the Home Secretary to access Òcommunications dataÓ without a warrant. This data includes the source, destination and type of any communication, such as mobile phone location information and web browsing logs. Finally, it allows senior members of the civilian and military police, Customs, and members of the judiciary to demand that users hand over the plaintext of encrypted material, or in certain circumstances decryption keys themselves. It also sets rules on other types of investigatory powers that had not been previously regulated under United Kingdom law. Many legal experts, including the Data Protection Commissioner, believe that many of the provisions violate the European Convention on Human Rights and a legal challenge to the lawfulness of the Act is likely.

A number of draft codes and regulations have been issued by the Home Office.[16] In June 2002, the Home Office announced that the list of  government agencies allowed under the act to intercept web traffic and mobile location information without a warrant was being extended to over 1,000 different government departments including local authorities, health, environmental, trade and many other agencies. This resulted in a substantial controversy over the dramatic expansion of power, especially after the Surveillance Commissioner admitted in his annual report that ÒI clearly cannot carry out meaningful oversight of so many bodies without assistance" even before the proposed expansion.[17] Home Secretary David Blunkett announced a few weeks later that he had ÒblunderedÓ and withdrew the order.[18]

In 2000, there were 1,711 interceptions allowed under the IOCA 1985 and 661 approved under the RIPA.[19]  The Interception of Communications Minister found that there were Òa significant number of errors and breaches reported Ð26Ó in 2000. These including tapping the wrong numbers and technical errors such as a telecommunications companies who Òinadvertently routed product [intercepted communications]Ó to the intelligence service.  There were 2,565 authorizations including 371 for ÒintrusiveÓ authorizations for breakins  into homes under the Police Act 1997 and 310 under Part II of the RIPA between April 2000 and March 2001. There were 18 reported errors including wrong addresses and failures to obtain authorization or overly broad requests.[20]

In December 2001, the Parliament approved the Anti-terrorism, Crime and Security Act 2001.[21] The law allows the Secretary of State to issue a code of practice for Òthe retention of communications data by communications providersÓ for the purpose of protecting national security or preventing or detecting crime that relates to national security.  A leaked submission by the police and intelligence services to the Home Office in 2000 proposed a 7 year data retention scheme. In September 1998, it was revealed that there were secret talks between the Association of Chief Police Officers (ACPO) and representatives for Internet Service Providers (ISPs) with the aim of reaching a Òmemorandum of understandingÓ to give the police access to private data held by ISPs.[22] The High Court issued an injunction against the Mail on Sunday preventing the publication of further revelations.

There is a long history of illegal wiretapping of political opponents, labor unions and others in the United Kingdom.[23] In 1985, the European Court of Human Rights ruled that police interception of individualsÕ communications was a violation of Article 8 of the European Convention on Human Rights.[24] The decision resulted in the adoption of the Interception of Communications Act 1985. Most recently, the European Court of Human Rights ruled in 1997 that police eavesdropping of a policewoman violated Article 8.[25] In the late 1970s and 80s, MI5, BritainÕs security service, tapped the phones of many left-leaning activists including the future Secretary of State for Trade and Industry Peter Mandelson, and kept files on Jack Straw, now Foreign Secretary, and Harriet Harman, former Social Security Secretary, as well as Guardian journalist Victoria Britain.

In late 1997, a report commissioned by the European Parliament and prepared by the United Kingdom-based research group Omega Foundation, confirmed that Britain was a key player in a vast global signals intelligence operation controlled by the United States National Security Agency (NSA).[26] According to the report, the United States and its United Kingdom partner, GCHQ, Òroutinely and indiscriminatelyÓ intercepted large amounts of sensitive data that had been identified through keyword searching. The eavesdropping was carried out from a number of spy bases in the United Kingdom, most notably the Menwith Hill base in the north of England. The European Parliament created a one-year temporary committee to investigate allegations that the Echelon surveillance system violates individual privacy rights and is used to conduct industrial espionage.[27]

There are also a number of other laws containing privacy components, most notably those governing medical records[28] and consumer credit information.[29] Other laws with privacy components include, the Rehabilitation of Offenders Act of 1974, the Telecommunications Act of 1984 (as amended by the Telecommunications Regulations of 1999), the Police Act of 1997, the Broadcasting Act of 1996, Part VI and the Protection from Harassment Act of 1997. Some of these acts are amended and may be repealed in part by the 1998 Data Protection Act. The Police and Criminal Evidence Act (1984) allows police to enter and search homes without a warrant following an arrest for any offense. And while police may demand identification before arrest only in limited circumstances, they have the right to stop and search any person on the street on grounds of suspicion. Following arrest, a body sample will be taken for inclusion in the national DNA database.[30]The Crime and Disorder Act of 1998 provides for information sharing and data matching among public bodies in order to reduce crime and disorder. The Data Protection Commissioner issued a report on the privacy implications of the Act.[31]

The privacy picture in the United Kingdom is mixed.[32] There is, at some levels, a strong public recognition and defense of privacy. Proposals to establish a national identity card, for example, have routinely failed to achieve broad political support. On the other hand, crime and public order laws passed in recent years have placed substantial limitations on numerous rights, including freedom of assembly, privacy, freedom of movement, the right of silence, and freedom of speech.[33]

There has been a proliferation of CCTV cameras in hundreds of towns and cities in Britain. The camera networks can be operated by police, local authorities or private companies, and are partly funded by a Home Office grant. Their original purpose was crime prevention and detection, though in recent years the cameras have become important tools for city center management and the control of Òanti-social behavior.Ó Between 250 million and 400 million pounds a year is spent expanding the web of 1,500,000 cameras covering public spaces in Britain,[34] but despite the ubiquity of the technology, successive governments have been reluctant to pass specific laws to govern their use. Their use has come under greater criticism recently and recent research by the Scottish Centre for Criminology found that the cameras did not reduce crime, nor improved public perception of crime problems.[35] As mentioned above, the Information Commission has also issued a code of practice for the use of these cameras. A new study announced in June 2002 found that in many areas with CCTV that crime increased and that street lighting was a more effective deterrent.[36]

Home Secretary David Blunkett announced on July 3 a six month consultation period on Òentitlement cards,Ó a new name for a national ID card proposal.[37] The cards would be mandatory for all persons over 16 and would be required to obtain heath care, jobs and other services. The proposal has already been widely criticized by politicians and major media across the political spectrum and is not expected to be approved. Blunkett first proposed the card shortly after September 11 but was forced to back away after it was also severely criticized.

In July 2002, Privacy International announced a campaign against the use of new finger print scanners in school libraries across the country.[38] The electronic finger printing is being conducted in an effort to cut costs and increase the efficiency of libraries. Privacy International specificially criticized the role of the Office of the Information Commisioner in reviewing and endorsing the system.

The Freedom of Information Act was enacted in November 2000.[39] The government announced in 2001 that implementation on the right to access provisions was being delayed until 2005. The Act has received considerable criticism from by many politicians across the political spectrum and NGOs as being insufficient and weaker than the existing code of practice. In June 2002, the Scottish Parliament approved a Freedom of Information bill[40] that is regarded as stronger than the English FOIA Act. It also will not go into effect until 2005.

The United Kingdom is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108)[41] and the European Convention for the Protection of Human Rights and Fundamental Freedoms.[42] In November 2001, the United Kingdom signed the Council of Europe Convention on Cybercrime.[43] The United Kingdom is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Territories

The Isle of Man Data Protection Act of 1986 is based on the 1984 United Kingdom Data Protection Act. The Office of the Data Protection Registrar enforces the Act.[44] A new data protection bill was introduced in the House of Keys in March 2002.[45]

The Data Protection (Bailiwick of Guernsey) Law 2001 was approved in March 2002.[46] It is expected to go into force in late 2002, replacing the 1986 law. The Isle of Guernsey Data Protection Commissioner enforces the Act.[47]

The Data Protection (Jersey) Law came into force in 1987. The law is equivalent to the 1984 United Kingdom Data Protection Act. The Data Protection Registry who registers databases and conducts investigations oversees the Act.[48] The Registry is currently drafting a new law.