In 2003, I happened to speak to an ICO officer the day after the Durant judgement was published. Durant, as you probably know, was a Court of Appeal judgement which appeared to turn Data Protection on its head. Some elements (like the insistence that a person had to be the focus of information for it to be their personal data) were entirely sensible; other bits (like the idea that a manual file is only covered by the DPA if it works in all respects like a computer) were bloody stupid. Anyway, I asked my former colleague what the atmosphere was like in the office.
“Panic” he replied.
This panic typified the Commissioner’s response to Durant for several years. The authors of some absurd pieces of ICO guidance clearly inhaled Durant’s fumes with gusto – the one that ruled most small CCTV systems out of the DPA was my favourite. In time, and with cooler heads (and presumably pressure from a Government facing infraction proceedings from an unimpressed EU), the Commissioner returned to sanity, effectively repudiating Durant in 2007 in a long and robust piece of work called ‘Determining What Is Personal Data’. It’s the one with the reference to “industrial spies” (which supports my theory that some people in Wilmslow must be on something). Many FOI decisions on personal data now read as if this guidance was never written, but that’s one for another time.
Anyway, whatever you think of the ICO’s response to Durant, no-one can deny that there was one. The ICO’s reaction to another landmark case delivered just one month earlier, however, is a singular example of what Sherlock Holmes identified as ‘the curious incident of the dog in the night-time’ – i.e. the dog that didn’t bark. Given the massive inconvenience that the Lindqvist judgement presents, it’s easy to see why the ICO pretends it didn’t happen. The only reference to Lindqvist on the ICO website is in a policy paper submitted to it by the IPPR, despite it being a European Court precedent on Data Protection.
The facts of Lindqvist are relatively simple; Mrs Bodil Lindqvist ran a church webpage. To quote the ECJ judgment: “The pages in question contained information about Mrs Lindqvist and 18 colleagues in the parish, sometimes including their full names and in other cases only their first names. Mrs Lindqvist also described, in a mildly humorous manner, the jobs held by her colleagues and their hobbies. In many cases family circumstances and telephone numbers and other matters were mentioned. She also stated that one colleague had injured her foot and was on half-time on medical grounds.” She was prosecuted for breaching Swedish DP law and appealed to the ECJ when she was found guilty: see judgement here.
One of Mrs Lindqvist’s arguments was that she wasn’t covered by EU Data Protection law because her website was purely personal – the UK DPA gives effect to this principle of private citizens being exempt under Section 36, where uses of data for “personal, family or household affairs (including recreational purposes)” are excluded. The Swedish DP authorities submitted that the use of a website could not meet this definition, and the most eye-catching feature of the ECJ decision is the – as yet unchallenged – finding that this was correct. People who publish personal information on the internet are subject to Data Protection law, regardless of the context.
Oh, God! Oh, Jesus Christ!
Oh, my God! Christ!
No, no, dear God!
This quote is from the climax of ‘The Wicker Man’, but I think it sums up general feelings in the ICO as they imagine what it would be like to have to regulate what Pete Townshend this week accurately described as the ‘Wild West’ of the internet. The Lindqvist judgement is pre-Facebook, and even MySpace was only just being launched when it was delivered. The world in which we live – where putting HD video of your friends vomiting on each other onto the internet for all to see is pretty much a Human Right – makes Lindqvist seem rather quaint, a telegram from a prelapsarian age. The idea that the law might take an interest in our online activities, that we might have to take some responsibility for what we do, that – heaven forfend – we might have to take the views of the people whose data we are using into account, is anathema to the twenty-first century, plugged-in hep-cat.
The ICO’s default position is that any use of the internet by an individual is exempt under Section 36. This is exemplified (See here) by this week’s revelation that Barnet Council complained to them about the activities of a blogger. Barnet argued (rightly) that Lindqvist meant that the blogger couldn’t rely on domestic purposes. To add fuel to Barnet’s argument, even if Lindqvist was wrong, none of the Barnet bloggers I have seen and enjoyed could remotely be described as processing data for personal, family or household affairs. By the standards of today, they are journalism, pure and simple (and I thank my lucky stars that I didn’t have to deal with their like when I worked in local government). Barnet argued that the journalism exemption in DPA Section 32 doesn’t apply because the publication is not in the public interest. Given the appalling intrusions that our national press commit on a daily basis, if they can rely on Section 32, some determined bloggers will make the grade. Even though I think the ICO was wrong, I also think that Barnet have to live with freedom of expression at its most robust unless they or their people are libelled or defamed.
I know many people will disagree with my fidelity to Lindqvist on purely practical grounds. If the judgement stands, anyone who publishes data on a Facebook page will potentially have to notify, comply with the Data Protection principles, respond to subject access requests and Section 10 notices. The ICO would have to start regulating every blogger and lunatic with a web page. Where would it end?
My problem with all this is that the Commissioner shouldn’t get a free pass to ignore the law because it’s difficult to make it work. Of course it’s difficult. Of course it will make them unpopular to do it properly, and they’ll get endless stick from Facebook and other American corporations who want to make money in the EU without obeying EU law. But Chris Graham doesn’t get between £140000 and £145000 per annum just to look solemn on the telly, and his staff shouldn’t earn their crust by hitting arbitrary targets. If you don’t want a difficult job, don’t work on one of the most complex and perplexing areas of UK law. There is a large Tesco on the Handforth bypass a few miles out of Wilmslow if you don’t want an intellectual challenge. The difficulties are what makes it fun. And if you don’t think Data Protection is fun, you don’t deserve to work at the ICO.
I have a modest proposal. For social media and similar websites and publications, compliance with the DPA should be contingent on privacy settings. Close your Facebook page or website to strangers, and you are sending a clear signal to everyone that this is an area for you and your friends. Even if your friends include invited strangers who live in Ulan-Bator, there really is no way of policing that. You should be entitled to rely on Section 36. Leave your page open, and you are publishing to the world, and you should take formal responsibility for your activities, especially as they relate to other people.
For bloggers, Section 32 will protect them – even those who blog about the minutiae of their personal lives can claim it, because otherwise what is Liz Jones’s excuse? We no longer live in a world where the media is restricted to newspapers registered with the Post Office and a polite man in a tailcoat declaiming on the Home Service. For example, I am not entitled to call myself a journalist because I do not get paid for writing this blog, but it is written for journalistic purposes, however modest. Any claim to this being a hobby is undermined by the fact that I plug my business website prominently on it.
As always, it’s easy to sit on the sidelines. I can understand that wading into regulation of what people believe to be their own personal playground is extremely unappealing. But the problem began when the ICO chose not to engage with Lindqvist in 2003, and it has got steadily worse. Lindqvist has great merit as a bulwark against the excesses of the internet age, and as long as the ICO ignores it, they do themselves little credit.