Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

UK’s Data Protection Act might not meet European Union standards

Last December, a ruling by the Court of Appeal – known as the Durant decision – narrowed the scope of the UK's Data Protection Act. Today, privacy experts at Masons warn that it is based on "faulty reasoning" and calls into question the UK's implementation of the EU's Data Protection Directive.19 May 2004

The case, a dispute between the Financial Services Authority and Michael John Durant, narrowed the scope of data protection to such an extent that, on a subject access request, it applied only to computerised personal information which focused on a living individual in a biographically significant way.

The editors of Data Protection and Privacy Practice, a newsletter published by Masons, said: "The Durant decision is based on faulty reasoning which could result in the Data Protection Act of 1998 being found to be an inadequate implementation of the Data Protection Directive of 1995."

Last week, Mr Durant filed papers with the European Commission in Brussels, claiming that the UK Government had not implemented the Data Protection Directive properly. The detailed analysis published in Data Protection and Privacy Practice has been attached to substantiate that claim.

In addition, the Editors say that certain aspects of the Information Commissioner's published advice in relation to the impact of the Durant decision on certain CCTV systems, and on the recording of a name, does not stand up to detailed scrutiny.

Dr. Chris Pounder, one of the editors of Data Protection and Privacy Practice, explained why the UK could be in breach of its Directive commitments: "In our view, the Directive's guarantee of the data subject's right of access is seriously undermined by the breadth of judicial discretion assumed by the English Courts in relation to section 7(9) of the Data Protection Act 1998. We are also of the view that there are arguments that the implementation of the Directive's provisions in respect of the meaning of personal data, can also be challenged."

Section 7 of the 1998 Act deals with an individual's right of access to personal data. Section 7(9) states:

"If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request."

Dr. Pounder continued: "In the judgment, the Court of Appeal has interpreted the 'may' in section 7(9) of the Act to claim a general and untrammelled discretion not to enforce the right of access. By contrast, the 1995 Directive requires Member States to guarantee the right of access – this means that the 'may' must be narrowly construed."

Dr Pounder said: "One cannot have a requirement to guarantee rights of access on the one hand and have the courts having wide discretion not to back up the guarantee on the other. There is a major inconsistency here."

In relation to the Court of Appeal decision itself, Dr. Pounder identified several major problems with the reasoning displayed in the judgment. Dr. Pounder said: "In our analysis we show that all the arguments that have been used to narrow the scope of personal data are based on a misunderstanding of the provisions of the Act, and/or of its predecessor, the Data Protection Act 1984. In one case, the reasons given by the Court of Appeal for its judgment directly contradict the reason the Government gave Parliament when it enacted the legislation. This fact is plain to see in the Parliamentary record published in Hansard."

Dr Pounder added: "It is interesting to note that it was the discretion issue which unlocked Mr. Durant's route to the Court of Appeal. By challenging discretion successfully, Mr. Durant was able to raise doubts on the more substantive issues. History could now repeat itself."

Dr. Pounder concluded: "Without the discretion point, the arguments for compliance or non-compliance are not clear-cut and, on their own, might even not be worth exploring. However, given that the court's interpretation of its discretion to order a data controller to give access is, in our view, wholly non-compliant with the objectives of the 1995 Directive, it could be that this is the issue which brings the whole of the UK's implementation into sharp focus."

Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.