On 25 May 2018, the General Data Protection Regulation (GDPR) came into force, along with the Data Protection Act 2018, modernising the laws that protect the personal information of individuals and replacing European data protection law (the 1995 Directive) that was more than twenty years old.
The new regulation was designed to give individuals greater protection and rights, and to change how businesses and other organisations handle the information of those who interact with them, at a time when private lives had become increasingly public, with individuals freely sharing their personal information online. Those found in breach of the rules face the potential for large fines and reputational damage.
Post Brexit, as of 1 January 2021, the UK regained full autonomy over its data protection rules. However, the General Data Protection Regulation was retained in UK law and is now referred to as the UK General Data Protection Regulation (UK GDPR). It continues to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law.
A little bit of history
GDPR brought big changes but also built on previous data protection principles. In fact, data protection law can be traced back as far as 1890, when two United States lawyers, Samuel D. Warren and Louis Brandeis, published ‘The Right to Privacy’ in the Harvard Law Review, an article that uses the phrase the ‘right to be let alone’ as a definition of privacy. Over a century before the implementation of GDPR, it was argued: ‘Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual … the right “to be let alone” … Numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house-tops.”’ The invention referred to was the portable camera, while the business methods were those of celebrity journalism.
In 1948 the Universal Declaration of Human Rights was adopted; its Article 12 sets out the right to privacy. In 1980 the Organisation for Economic Co-operation and Development (OECD) issued guidelines on data protection, reflecting the increased use of computers to process business transactions, and in 1981 the Council of Europe adopted the Data Protection Convention (Treaty 108), rendering the right to privacy a legal imperative.
In 1993 PC Brown was charged under the UK Data Protection Act 1984 with the offence of using personal data for a purpose other than that described in the Data Protection Register. PC Brown was entitled to use the Police National Computer database for his duties; however, on two occasions he used the database to assist a friend who ran a debt collection agency, making checks on vehicles owned by debtors. On the first occasion the vehicle was owned by a company and the check did not reveal any ‘personal’ data. On the second occasion the search did reveal personal data, but there was no evidence that any subsequent ‘use’ was made of the information obtained, and the case was dismissed, the court holding that the word ‘use’ must be given its ‘natural and ordinary’ meaning. As there was no evidence that PC Brown had employed the information for any purpose, he was not guilty of an offence. Had the case been brought under the Data Protection Act 1998, however, PC Brown would have been found guilty, as the Act had been changed to give ‘data’ a much wider definition.
In 1995 the European Data Protection Directive was adopted to reflect technological advances. It introduced new terms including ‘processing’, ‘sensitive personal data’ and ‘consent’. In 2002 the EU adopted the Directive on Privacy and Electronic Communications. On 1 January 2005 the UK Freedom of Information Act 2000 was fully implemented. The Act was intended to improve the public’s understanding of how public authorities carry out their duties, why they make the decisions they do and how they spend their money; placing more information in the public domain would ensure greater transparency and trust and widen participation in policy debate. In 2009 the Directive on Privacy and Electronic Communications was amended in response to email addresses and mobile numbers becoming prime currency in marketing and sales campaigns.
In 2010 the international non-profit organisation WikiLeaks (founded in 2006) came to prominence publishing secret information, news leaks and classified media provided by anonymous sources. Leaks have been political and diplomatic in nature, but have also included documents from Amazon, the Catholic Church, the military and the CIA. In 2011, following the UK News International phone hacking scandal, which saw journalists hacking the phones of people from all walks of life to get stories, the Leveson Inquiry, a judicial public inquiry into the culture, practices and ethics of the British press, held a series of public hearings throughout 2011 and 2012. Its reforms for independent regulation were endorsed by all parties, and at the time ‘Hacked Off’, a campaigning group pushing for meaningful reform of the UK press, was formed to ensure victims of press abuse have their voices heard and are given protection from continuing intrusions. However, the reforms have not been upheld; people, particularly those in the public eye, still suffer abuse, and the Hacked Off campaign continues its work. In 2014 a ruling by the Court of Justice of the EU gave people the right to ask internet search engines to remove results for queries that include their name. The concept became known as ‘the right to be forgotten’.
Today, post GDPR and in the wake of the coronavirus pandemic, technology and privacy are at another crossroads. With more people than ever working from home, employer monitoring that reaches into the home, driven by concerns about cyber security and conduct, looks set to become routine.
Understanding UK General Data Protection Regulation (UK GDPR) today
The Online Etymology Dictionary records the word ‘data’ as first attested in the 1640s, meaning ‘a fact given or granted’: it is the classical plural of the Latin word datum, ‘(thing) given’, the neuter past participle of dare, ‘to give’. From 1897 data came to mean ‘numerical facts collected for future reference’ and by 1946 ‘transmittable and storable information by which computer operations are performed’. The term data-processing was recorded in 1954, data-base or database, meaning a ‘structured collection of data in a computer’, in 1962, and data-entry in 1970. Today, personal data is defined as information relating to a living individual who can be identified from it.
The body responsible for protecting personal data and enforcing UK GDPR is the Information Commissioner’s Office (ICO). The law affects how people can access information and places limits on what organisations can do with the personal data they obtain, that is, information that allows a living person to be identified, directly or indirectly, from the data available. This may be something obvious, such as a person’s name, location data or a clear online username; however, IP addresses and cookie identifiers can be personal data too, and pseudonymised data remains personal data where the individual can be re-identified by combining it with other information. Furthermore, there are special categories of sensitive personal data that receive greater protection, for example personal data about racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health information and data about a person’s sex life or sexual orientation.
For individuals, GDPR ultimately aims to give them control over how their personal data is used, for example the ability to opt in and out of marketing material easily and to be removed from databases. GDPR affects any organisation that offers goods or services, irrespective of whether money changes hands. Organisations have a duty to report personal data breaches to the ICO (within 72 hours of becoming aware of a breach likely to result in a risk to individuals), and there are significant fines (under UK GDPR, up to £17.5 million or 4% of annual worldwide turnover, whichever is higher) and legal consequences for non-compliance. As such, organisations need to recognise that the data they hold is personal information about individuals who have a right to know how and why it is being used and stored, which forces companies to act with transparency and accountability.
Information Commissioner’s Office
- Information Commissioner’s Office
- Guide to data protection regulations
- The principles
- Registration self-assessment
- What is the Freedom of Information Act
- Your data matters
- BBC: Phone hacking trial explained
- BrandeIsNOW: To be let alone
- Gov.UK: Using personal data in your business or other organisation
- International Network of Privacy Law Professionals: brief history of data protection: how did it all start
- Information Commissioner’s Office: our history
- Online Etymology Dictionary
- Privacy Engine: Destination GDPR – how did we arrive here
- The Hill: Could working from home unintentionally lead us to 1984?
- The LSE cyberlaw student blog: The Data Protection Act – Is it too broad?
- Wired: What is GDPR? The summary guide to GDPR compliance in the UK
© Toni Louise Abram at Izzy Wizzy. All Rights Reserved.