June 21, 2008

I would have liked to include coverage in this issue of the new legislation affecting computer lawyers embodied in the Criminal Justice and Immigration Act 2008. But, to be honest, I couldn’t be bothered.


There is s 77 (power to alter penalty for unlawfully obtaining etc. personal data), s 78 (new defence for purposes of journalism and other special purposes), s 144 (power to require data controllers to pay monetary penalty) for the data protection lawyers and there are all the provisions concerning pornography in ss 63 to 71 which have a clear impact for Internet lawyers, especially sch 14 which makes special provision for information society service providers. So there is plenty there really. Indeed I became briefly excited about s 144 and the new monetary penalties. No less a person than Deputy Information Commissioner David Smith welcomed s 144 enthusiastically: ‘This new power will enable some of the worst breaches of the Data Protection Act to be punished. By demonstrating that the law is being taken seriously tougher sanctions will help to reassure individuals that data protection matters and give them confidence that organisations have no choice but to handle personal information properly’. Except it doesn’t do anything of the sort – it is not in force and not even in the current list of provisions to be brought into force. Section 77, which creates a power for the Secretary of State to do something he clearly does not want to do, is most certainly no more than window-dressing. I fear that s 144 too has been passed merely so as to suggest that the government is doing something about data loss and recklessness when the reality is that it will sit on the statute book unimplemented for years.


Having already substantially ebbed away, my enthusiasm for covering the new provisions disappeared completely when I remembered covering the new legislation to cover denial of service attacks. You may remember that the Police and Justice Act 2006 amended the Computer Misuse Act 1990 so as to clarify the law in this area and make an extra weapon available in the fight against DOS attacks. I write this more than 19 months after that Act received Royal Assent but s 36 of the 2006 Act is still not in force in England and Wales, though it has been implemented in Scotland (although that took nearly a year). What about s 35 of the 2006 Act (unauthorised access to computer material) or s 37 (making, supplying or obtaining articles for use in offence under section 1 or 3 of the 1990 Act)? You guessed it – still not in force in England and Wales. Looking back at the comments made at the time these provisions were passed, it is quite clear that they were thought to be desperately needed and the Parliamanetary process is not exactly a sprint. How come so much effort and so much paper and no change in the law? These provisions should be implemented for England and Wales now and it is a scandal that they have been delayed for so long.


On data protection, it is clear from the public statements from the ICO that preceded the passing of the CJIA that they wanted more, especially radically increased penalties. If, at a time when the government data losses and public concern over privacy meant that the Information Commissioner had more public influence than ever before, he nevertheless had to settle for as little as there is in the final provisions of the CJIA then the chances of any of its bite ever being given teeth are slight. My bet is that s 144 will not be implemented this side of Xmas 2009. Worse still, the provisions may be washed away on a tide of consultation and the investigation of voluntary codes and will slowly drown.


David Ashmore observes elsewhere in this issue that ‘there is very little incentive for UK firms to take their data protection obligations seriously. Indeed, firms that do so risk placing themselves at a competitive disadvantage’. That is a situation that cannot be allowed to continue. I do hope I am wrong about implementation for we do need data protection that works.