The United Kingdom Equality and Human Rights Commission (EHRC) published this week a report, “Protecting information privacy,” written by Charles Raab and Benjamin Goold, from the University of Edinburgh and the University of British Columbia. The report represents the views of the two authors and does not necessarily represent the views of the Commission.
The report claims that current U.K. privacy laws and regulation do not adequately protect human rights, and that fundamental reform is needed, especially as data security breaches happen regularly (see p. 9-10 for examples). Such breaches are bound to happen more frequently, as demand for personal information increases, and new technology facilitates its collection. Indeed, “personal information privacy is under particular threat in today’s ‘information economy’ and ‘information-age government’” (p.10).
The public sector has increased its use of personal information, and the state plays an expanded role. The U.K. legal framework has “a weak, fractured and piecemeal approach to [privacy] regulation” (p.12), and it is more and more difficult for individuals to understand how their personal information is used, and what they should do when it is misused.
The 1984 Data Protection Act (DPA) was the first statutory information privacy protection law. Also, Article 8 of the European Convention on Human Rights (ECHR) protects an individual’s ‘right to respect for his private and family life, his home and his correspondence.’ The ECHR is incorporated into U.K. law by the Human Rights Act (HRA) of 1998 (for an overview of current laws, see p. 25 and following).
According to the report, U.K. legislation has not kept pace with technology changes, and the state has failed to adequately protect the right to privacy. The report states that “[n]ew strategies must continually be developed to cope with the increasingly novel ways in which privacy, including information privacy, is at risk” (p.75).
The report makes four main recommendations:
(1) The government should develop a clear set of ‘privacy principles’ to be used as a basis for future legislation, and as a guide to regulators and government agencies concerned with information privacy and data collection.
(2) Existing privacy legislation should be reformed to be consistent with ‘privacy principles’ in order to enhance existing provisions of the HRA.
(3) There should be greater regulatory coherence, that is, the U.K. needs to rationalize and consolidate its current approach to the regulation of surveillance and data collection.
(4) Technological, organizational, and other ways to protect privacy should be improved, and the development and use of technological and non-legal solutions to the problem of information privacy protection should be encouraged by government.