
I. Legal framework

Constitutional privacy and data protection framework

The United Kingdom (UK) does not have a written constitution. There is a growing consensus among the political parties that a more formal constitution and bill of rights is necessary.1 In the spring of 2010 the Equality and Human Rights Commission, a non-departmental public body established by the Equality Act 2006, published a detailed report investigating the key principles that should underpin a bill of rights, and the policy implications that this would likely entail. The report notes that the circumstances for creating a UK bill of rights are currently unfavourable, citing lack of understanding and enthusiasm among the general public as major obstacles.2

The Human Rights Act 1998 provides for a limited incorporation of the European Convention on Human Rights (ECHR) into domestic law, including the right of privacy.3 The Act came into force on 2 October 2000. Thus far, the courts have cautiously implemented this legislation. A common law right of privacy is slowly emerging in the courts from the law of confidence, which has been used as far back as 1849 to protect against the unauthorised disclosure of personal data.4 The UK House of Lords ruled in October 2003 that there is no general common law tort for invasion of privacy and that the ECHR does not require the UK to adopt one.5 However, the Lords ruled in May 2004 that a tabloid newspaper violated model Naomi Campbell's privacy under Article 8 by publishing that she was undergoing drug treatment and printing pictures of her leaving the treatment centre.6 The courts have ruled in a series of cases for privacy rights for public figures in their private lives.7 However, more recently, courts have shown a willingness to rule in favour of the publication of intrusive material if a strong public interest can be shown to exist.8

There is a long history of recognising the right to privacy from government intrusion in the UK. The statesman William Pitt in the 18th century said, "The poorest man may in his cottage bid defiance to all the forces of the Crown. It may be frail; its roof may shake; the wind may blow through it; the storms may enter, the rain may enter - but the King of England cannot enter; all his forces dare not cross the threshold of the ruined tenement!"9

Although the Conservative-Liberal coalition government has indicated an intention to unveil measures that promote privacy, the overall trend during the past ten years has been a steady encroachment upon privacy rights. The UK has been a leader in adopting intrusive surveillance technologies such as biometrics, surveillance cameras, computer databases, and DNA testing, largely implemented without effective public consultation.10 A recent and widely publicised ranking of 47 countries by the privacy rights watchdog Privacy International found the UK's level of surveillance to be "endemic", worst among EU countries and on par with Russia, China, and Singapore.11 The previous Labour government's tough crime policy and its large parliamentary majority resulted in an unprecedented number of new laws limiting human rights, including freedom of assembly, privacy, freedom of movement, the right of silence, and freedom of speech, leading the former Information Commissioner to warn that the UK was "sleepwalking into a surveillance society".12

The privacy picture has improved somewhat under the newly instituted Conservative-Liberal coalition government. The coalition has taken steps to roll back many of the former government's initiatives. Most notably, the coalition has published a bill intended to cancel the controversial ID cards programme, along with the National Identity Register, a proposed central repository for personal data about every British citizen, and the next generation of biometric passports.13 The bill is currently being debated and is almost certain to become law, given the widespread support it enjoys among members of the coalition and the fact that both coalition partners were clearly committed to its aims in their respective election manifestos.14

Privacy and data protection laws and regulations

Comprehensive law

Parliament approved the Data Protection Act ("DPA") in July 1998 to implement Directive 95/46/EC.15 The legislation, which came into force on 1 March 2000, applies to personal data held by government agencies and private organisations. The obligations for entities subject to the DPA, or "data controllers," are enshrined in eight data protection principles. These principles cover, inter alia, the obligation to (i) ensure that personal data are used for specific and legitimate purposes, (ii) permit individuals access to their personal data, (iii) provide adequate technical and organisational security for personal data, and (iv) prevent the international transfer of personal data to jurisdictions not recognised to have adequate data protection laws, unless legally recognised mechanisms are deployed to protect the personal data both during and following the transfer. Data controllers are also required to register their processing activities with the Information Commissioner’s Office (ICO).

The DPA is quite complex. It has been described by the courts as a "cumbersome and inelegant piece of legislation."16 The former Information Commissioner observed that it "is not the most elegant or easily understood statute" and "is not written for the casual reader."17 Its complexity results in it being often incorrectly (and sometimes cynically) cited as a justification for the mishandling of data by public and private authorities.18 The ICO has criticised organisations for using it as a "duck out" to avoid disclosing information.19 In June 2010, the European Commission issued a "reasoned opinion" to the UK government, which outlined the defects of the UK’s data protection framework. In particular, the opinion criticised the difficulty of enforcing the right to have personal data rectified or erased, and the difficulty of claiming compensation for moral damage arising from inappropriate use of personal data.20 A previous notice issued by the European Commission in 2004 also expressed concerns about the UK’s insufficient implementation of Directive 95/46/EC in a number of areas.21

There has been some confusion about what constitutes "personal data" under UK data protection rules. The UK Court of Appeal issued a controversial decision in December 2003 narrowing the definition of information protected under the Act and limiting individuals' right of access to personal data held in manual files.22 The court took the view that the data must "focus" on a particular individual, and not merely "relate" to an individual in order to constitute personal data protected by the DPA. This decision was criticised by the European Commission in 2004 in the formal notice mentioned above. In 2007, the Article 29 Working Party adopted an opinion setting out a definition of personal data that was clearly wider than the one taken by the UK Court of Appeal.23 Following this, the ICO issued a guidance note attempting to reconcile the decision of the Court of Appeal with the opinion of the Article 29 Working Party.24 Although the ICO guidance note is observed by most practitioners, a 2008 ruling from the Information Tribunal affirmed that the narrower view of personal data taken by the Court of Appeal remains good law.25

The Isle of Man, Guernsey and Jersey each have data protection laws that are based on the Data Protection Act 1998, and their own independent data protection authorities.

The Isle of Man Data Protection Act 2002 came into force in April 2003. The Office of the Data Protection Supervisor is responsible for enforcement and overseeing compliance.26 The European Commission has declared the Isle of Man an adequate data protection regime.27

The Data Protection (Bailiwick of Guernsey) Law of 2001 was approved in March 2002.28 The Isle of Guernsey Data Protection Commissioner is responsible for enforcement and overseeing compliance.29 The European Commission has declared Guernsey an adequate data protection regime.30

In Jersey, the Data Protection (Jersey) Law went into effect in December 2005.31 The Data Protection Commissioner is responsible for enforcement and overseeing compliance.32 The European Commission has also declared Jersey an adequate regime for the protection of personal data.33

In June 2010, the European Commission issued a reasoned opinion that the Data Protection Act 1998 regime should be amended to better implement Directive 95/46/EC (Data Protection Directive), including as regards the monitoring and enforcement powers of the Information Commissioner's Office. One of the areas of criticism is the fact that the ICO does not have the authority to perform random checks on those using or processing personal data, or to enforce penalties following such checks.

The ICO has released a statement confirming that it will discuss the Commission's concerns with the Ministry of Justice and that it plans to provide input into the UK government's response. The UK now has two months to inform the Commission of measures taken to ensure full compliance with the Directive.

Sector-based laws

There are also several other laws that impact privacy, most notably those governing medical records34 and consumer credit information.35 Other laws with privacy components include: the Rehabilitation of Offenders Act 1974, the Police Act 1997, the Broadcasting Act 1996 (Part VI), the Protection from Harassment Act 1997, and the Human Tissue Act 2004. The House of Commons Culture, Media, and Sport Committee recommended the adoption of a privacy law covering the media in June 2003, but the Government immediately rejected the proposal.36 Since then, the court decisions on privacy have led to additional debate on adopting a law but without significant developments.

Data protection authority

The Information Commissioner's Office is an independent agency that maintains a public register of data controllers and enforces the DPA, the Privacy and Electronic Communications Regulations, and the Freedom of Information Act.37 A new Commissioner, Christopher Graham, was appointed in 2009. As of April 2010, there were 328,164 data controllers registered with the ICO.38 It received 33,234 requests for advice and complaints in 2009-2010, up 30 percent from the previous year. There were nine prosecutions for failure to respond to enforcement notices or for failure to register a database. A significant case from 2009 involved the shutting down of an industry employee blacklist of 3,200 people that had operated for 15 years. However, the conviction resulted in only a £5,000 fine. The ICO has taken enforcement action against 14 companies that paid thousands of pounds to subscribe to the blacklist, prohibiting them from using the data for commercial purposes.39

On 6 April 2010, the ICO was granted new powers to impose penalties of up to £500,000 for serious breaches of the data protection principles, strengthening its relatively limited enforcement powers. The ICO has issued guidance on the circumstances under which the new fining powers may be exercised.40 According to the guidance, the ICO will need to be satisfied that there has been a serious breach, meaning it is likely to cause substantial damage or distress to the data subject and was either deliberate or negligent. Moreover, the organisation must have failed to take reasonable steps to prevent it. Additionally, the ICO has been granted new powers to audit government departments without consent.41 There is scope for this audit power to be extended to public authorities and certain private sector data controllers. A code of practice has been published that sets out the new audit powers.42 It remains to be seen whether the ICO’s new powers will translate into more numerous and stringent enforcement actions.

The Information Tribunal (formerly the Data Protection Tribunal) can hear appeals of decisions and notices issued by the ICO. Most tribunal decisions relate to the Freedom of Information Act 2000,43 with only a handful relating to the DPA. Of these, the more recent decisions have considered whether information requested by data subjects is personal data capable of being disclosed under the DPA.44
