Cracking the Code

Photic sneezing, solar retinopathy,
photokeratatis, pterygium, or, if you prefer the vernacular, snow blindness,
arc eye, welder’s flash, bake eye, corneal flash burn, sand man’s eye, potato
eye, surfer’s eye….

Too much exposure to bright lights can
interfere with normal functioning. Prolonged exposure to the GDPR seems to have
had a similar effect. However, now we are more used to the dazzle of the new,
the time has come to look at some of the more mundane aspects of compliance
with the Data Protection Act 2018.

Overview

Before diving into the detail a quick overview
for those who are not yet familiar with the Act.

The DPA 2018:

• implements the Law Enforcement Data
  Protection Directive (LED), which covers the processing of personal data by
  competent authorities in the criminal justice area – the regime under the LED
  is, in effect, GDPR as applied to criminal justice bodies;
• legislates for a data protection regime to
  cover the processing of personal data by the UK intelligence services – this
  regime is based on the Council of Europe Data Protection Convention 108 and,
  although not as detailed or prescriptive as the GDPR, applies the same
  fundamental rules;
• extends the GDPR to those areas of UK
  activity which fall outside EU competence but are not covered by either the law
  enforcement or intelligence service provisions – the ‘applied GDPR’, which is
  the same as the GDPR subject only to a few minor modifications;
•  implements those elements of the GDPR and LED
  which must be implemented by Member States, for example the establishment of a
  supervisory authority;
•  implements those elements of the GDPR and LED
  which offer Member States some discretion, for example the application of
  exemptions; and
•  legislates for a range of provisions
  additional to the GDPR and LED.

The combination of the GDPR and the Act
effectively provide for four data protection regimes, albeit that the GDPR and
applied GDPR are almost identical. The Information Commissioner is the
supervisory authority for all four regimes; her duties and powers apply across
the board. These powers cover:

• those mandated under the GDPR – these
  powers require no additional UK legislation but must be subject to safeguards
  and procedural provisions which are applied under Member State law (in our case
  the DPA 2018);
• those imposed under the applied GDPR – the
  applied GDPR powers are the GDPR powers applied to areas outside EU competence
  (ie it does what it says on the tin). They are subject to the same safeguards
  and procedural provisions as GDPR powers;
• those required by the LED, which gives the
  supervisory authority broadly the same powers and the GDPR – these are set out
  in the Act; and
• those imposed in respect of the
  intelligence services – the Act gives the supervisory authority broadly the
  same powers as in the GDPR.

Under all four regimes the Commissioner has
strong enforcement powers. She can conduct investigations, impose fines and
issue mandatory orders in relation to any processing which breaches the rules.

The introduction of a strong enforcement
regime has been a key aim in the data protection reform programme. The European
Commission included stronger enforcement as one of the half a dozen key changes
in data protection in its summary of the main changes following 25 May 2018,
noting that:

‘The 28 data protection authorities will
have harmonised powers and will be able to impose fines to businesses up to 20
million EUR or 4% of a company’s worldwide turnover’

The UK government has taken a similar line.
In announcing the Data Protection Bill, Matt Hancock, then Minister of State
for Digital, said,

‘Our measures are designed to support
businesses in their use of data, and give consumers the confidence that their
data is protected and those who misuse it will be held to account’.

This focus on enforcing the rules and
holding data controllers to account is, however, accompanied by provisions
which require the Commissioner to develop and apply a number of ‘soft law’
tools, in particular, codes of practice.

There are two types of codes of practice in
the GDPR and the Act. Neither of them are the equivalent of the Commissioner’s
codes which have been developed over the past 20 years.

Codes of practice under the GDPR

The GDPR provides for a specific type of
codes of practice. Articles 40 and 41 GDPR provide for industry sponsored
codes. These are to be prepared by industry or trade groups and submitted to
regulators for approval. There is no barrier on public bodies preparing such
codes but they cannot be submitted to the supervisory authority for formal
approval. Article 40(4) makes it mandatory for codes which are submitted to the
supervisory authority to include mechanisms for monitoring by an independent
organisation under art 41(1). However, art 41(6) states that art 41 does not
apply to public bodies. All GDPR codes must be subject to mandatory
self-regulation by accredited bodies. These codes are to be prepared and run by
associations and other bodies representing categories of controllers and
processors, not supervisory authorities. It follows that not only will such
codes exclude public bodies but they will also be confined to industries which
have the scale, scope and expertise to produce and monitor the codes.
Inevitably there will be a cost associated with the development, maintenance
and supervision of such codes.

The GDPR codes are a far cry therefore from
the Commissioner’s codes developed under s 51 of the DPA 1998.

Codes of practice under the 1998 Act

The use of codes of practice to assist
compliance has been a gradual development in UK data protection. The early
codes under the 1984 Act tended to be industry-led. However, under the 1998
Act, the role of codes gradually became more significant. The Commissioner
started to use the power to produce Commissioner’s codes under s 51 of the 1998
Act early in the application of the Act. The first code of real significance
was the Employment Practices code, issued in March 2002 after a lengthy
gestation period. The code was subsequently revised, the final edition being
issued in 2011 under Chris Graham’s tenure as Commissioner. It was followed by
codes of practice on Personal Information Online (2010), Subject Access
(revised 2017), Privacy Impact Assessments (2013), Anonymisation (2012), Privacy
Notices (2016), Direct Marketing (2017) and Data Sharing (2011).

These codes share a number of elements in
common. They were developed as a result of market demand. The codes came about
as a response by the Commissioner’s office to having to deal with repeated
queries about specific issues. They follow a common practice of extensive
consultation which has given them a particular kind of authority. They include
practical examples and cover issues that affect all data controllers. The codes
apply equally across all industries and areas, public and private sector, small
and large businesses, charities and commercial entities. Their use has been
free.

Interestingly enough there appears to be no
hard research about the use of the Commissioner’s codes but anecdotally it
seems that DPOs, lawyers and other DP practitioners use them frequently.

Statutory codes

As well as the codes developed by the
Commissioner as a result of market demand and interest there were two codes
developed in response to a statutory obligation. Only the codes on direct
marketing and data sharing had a specific statutory basis under the 1998 Act.[1]

The data-sharing code followed the failure
of the Government to introduce wide sharing powers in the Coroners and Justice
Act 2009.[2] Having failed in
its bid to provide for a very wide set of powers, the government amended the DPA
1998 in order to provide for a code of practice covering the area. The direct
marketing code was introduced by an amendment to the DPA 1998 by the Digital
Economy Act 2017 as a method of additional regulation of the area, albeit a
‘light touch’ one.

Codes under the DPA 2018

The new codes are specific to the UK, owing
nothing to the GDPR or LED. The DPA 2018 mandates the Commissioner to prepare
four specific codes, with a power for the Secretary of State to require further
codes. The Commissioner has no independent power to initiate or produce codes
of practice. In addition to the codes, the Act requires the Commissioner to
prepare guidance for individuals on how to seek redress against media
organisations.[3] More soft law is
to be produced by the Secretary of State in the Framework for Data Processing
by Government which will give guidance about the processing of personal data by
government departments and other specified persons.

The codes also intersect with a series of
codes under other legislation being codes on:

• the disclosure of information by civil
  registration officers[4]
• the disclosure of information to improve
  public service delivery[5]
• the disclosure of information to reduce
  debt in the public sector[6]
• the disclosure of information to reduce
  fraud in the public sector[7]and
• the disclosure of information for research
  purposes.[8]

The four mandatory DP codes are to cover:

• direct marketing[9]
• data–sharing[10]
• age appropriate design[11]
  and
• data protection and journalism.[12]

Status of codes

The codes will not impose legally binding
requirements but will be admissible in evidence in legal proceedings. Where the
provisions of a code are in force at the time the issue for adjudication arises
and are relevant to that issue, they must be taken into account by a court or
tribunal.[13]

Procedure for approval of codes

In preparing the codes the Commissioner
must consult those who have expertise in the area. The code must be submitted
to the Secretary of State who, in turn, must lay the code before Parliament. If
neither House of Parliament objects to the code for a period of 40 days it is
to be issued by the Commissioner and comes into effect after a further 21 days.

Nature of the codes

The codes on direct marketing, data sharing
and journalism must provide both practical guidance to help compliance with the
data protection legislation (which includes the Privacy and Electronic
Communications Regulations 2003) and guidance to promote good practice, ie
practices which are desirable having regard to the interests of data subjects
and others. In the journalism code, the Commissioner must also have regard to
the ‘special importance’ of the public interest in freedom of expression.

The provisions on the new code on
age-appropriate design are of a different nature. The code will apply to data
controllers and, where relevant, data processors, who provide information
society services which are likely to be accessed by children. The Commissioner
must formulate guidance on the design of such services so that they are
presented in a way appropriate for children up to the age of 18, recognising
that children have different needs at different ages. The standards must be
those which appear to the Commissioner to be desirable ‘having regard to the
best interests of children’ and taking into account the UK’s obligations under
the UN Convention on the rights of the child. There is a provision for a
transitional period of up to 12 months before the code takes effect.

This is a code with a very specific,
practical remit. There is no reference to compliance with the data protection
legislation and the code is not tied to Articles 12 to 14 GDPR (transparency
and notice). A breach of the code will still not, of itself, be a breach of the
law, but the code can be taken into account in an action on any aspect of the
data protection legislation where it is relevant to the issue. Clearly it will
be relevant to whether processing is transparent and whether notices are
compliant with the GDPR or equivalent provisions of the 2018 Act. It may also
go to a consideration of whether a purported consent given by a child is valid
or other grounds for processing are valid, depending on how effectively and
appropriately the grounds on which the controller relies have been explained.

The new codes on data sharing and on direct
marketing will replace the previous codes. These remain effective only for the
purposes of actions relevant to the codes which were started under the 1998 Act
and continue to be dealt with under transitional provisions.[14] The Information
Commissioner has issued a consultation on the update of the data sharing code
under the GDPR.[15] The code of
practice on journalism is likely to follow the guidance for journalists issued
by the Commissioner in 2014. Consultations on the direct marketing code and the
journalism code have not yet been issued.

Background to the new codes

The two new mandatory codes under the 2018
Act have similar backgrounds to the data sharing and direct marketing codes.
The introduction of good practice guidance on data protection and journalism
was one of the Leveson Inquiry recommendations to the Information Commissioner.
The parallel recommendations to government included a raft of other, tougher,
recommended changes to the exemptions available for journalistic purposes in
the 1998 Act, such as narrowing the journalistic exemption and removing the
procedural restrictions on actions where journalism is involved.[16] It should be
noted that the government did not follow any of these recommendations in its
drafting of the 2018 Act and the journalistic exemptions remain as generous and
as procedurally difficult as they ever were.

In 2014 the Commissioner produced guidance
for journalists. This did not take the form of a code and was not admissible in
legal proceedings. During the Parliamentary debates on the 2018 Bill, efforts
were made to resurrect Leveson Part 2. The government resisted but finally
agreed to the addition of the code of practice on data protection and
journalism, plus a regular review of the code, the accompanying guidance on
redress mechanisms and a separate Secretary of State review of the media’s
dispute resolution procedures.[17]

The new code on age-appropriate design was
inserted into the 2018 Act after an unsuccessful attempt by opposition peers to
make age-appropriate design a mandatory requirement before a data controller
could rely on the consent of a child to processing.

Further review

In addition the Commissioner has two
further and related duties in respect of journalism. Under s 178, she is given
a new duty to review compliance with the s 124 code of practice. The first
review is to be in 2020. The review must cover compliance with the data
protection legislation and with the good practice recommended in the code. This
is backed up by power to obtain relevant information. Schedule 17 lifts the
various prohibitions on the use of the Commissioner’s powers to obtain
information from the press by the use of information notices or mandatory
audits during the 18 months before the first review date and 12 months for
subsequent reviews. This means that the Commissioner can use her legal powers
to demand the provision of information and cooperation for the purposes of the
review.

Guidance on redress

The Commissioner must also produce and
publish guidance about the steps that may be taken:

Where an individual considers that a media
organisation is failing or has failed to comply with the data protection
legislation.

The guidance must include information about
the rights to complain, the powers of the Commissioner and other forms of
dispute resolution. The guidance must include information on the Commissioner’s
powers to provide assistance in cases which concern processing for journalistic
purposes. The power is not new but has never been widely publicised by
subsequent Commissioners, nor ever used in the UK.

Can the Commissioner prepare her own codes?

As noted above the Commissioner’s codes
have covered a range of practical areas such as dealing with personal data in
employment, subject access, anonymisation and privacy notices. There does not
appear to be any available research on the effectiveness of codes of practice
but the fact that the codes cover issues of everyday compliance which affect
almost all data controllers plus the fact that several of the codes have been
revised and re-issued over the years, argues that they have been useful tools
for data controllers. The employment code was first issued in 2002 and last
revised and reissued in 2011.

It is notable that none of the mandated
codes or guidance appear to owe their being to industry or consumer need.
Rather they result from pressures in the political environment. They are a
result of political negotiation, not perceived user need. With such reluctant
parentage it is not unreasonable to wonder how much, if any, impact they are
likely to have. To the extent that past performance is a guide to the future,
the answer would appear to be, not much.

The data-sharing code does not appear to
have been cited in any legal proceedings that the writer has been able to
trace,[18] nor has the
direct marketing code. Its predecessor document, the Commissioner’s guidance on
direct marketing, was referred to by the Information Tribunal in Xerpla Ltd v
Information Commissioner.[19] In that case
the guidance was cited as relevant by the Commissioner. The Tribunal appears to
have accepted it as relevant, although the Commissioner lost the appeal, in effect
because she had not applied her own guidance correctly.

The Commissioner’s guidance on data
protection and journalism does not appear to have been cited in any cases
before the courts. The relevant provisions in the 1998 Act were considered most
recently in the cases of Stunt v Associated Newspapers Ltd[20]
and Stube v NGN and Express Newspapers[21]however
there is no reference to the Commissioner’s guidance in either report.

Of course the impact of a code of practice
is not limited to its role in legal proceedings. However, to the extent this is
a guide, it does not bode well for the future efficacy of the new mandatory
codes. It should also be noted that the codes of practice on journalism and on
age-appropriate design cover only specialist and limited areas. The codes will
not be relevant to most data controllers or processors.

The Commissioner’s role and relationship
with data controllers and understanding of data subject concerns would, one
assumes, give her a unique insight into those areas where detailed and
authoritative guidance is needed by data controllers. Nevertheless, under the
GDPR, LED and DPA 2018, the Commissioner has no specific authority to develop
additional codes of practice, without the authority of the Secretary of State.

A rose by any other name?

It can be argued that the general powers
under art. 57 GDPR to promote public awareness, as well as awareness among data
controllers and data processors, can be used as the basis for robust long-lasting
guidance which is no different in reality to a code. However, the fact that
guidance has been developed as a code brings a clear element of status to it. A
code has gravitas. The term signifies that this is a thoughtful and detailed
resource. It has been developed with users and other stakeholders. It is likely
to be an enduring, authoritative piece of guidance.

The removal of the specific power to issue
a document as a code may lead to a reluctance on the part of the Commissioner
to use the title. There are also practical considerations. To update the
current codes for the new regime will take real resource, whatever they are
called. The pressures on the Office from other duties will be considerable and
once codes no longer have a statutory backing they may move down the order of
priority.

We must hope that despite these pressure
the Commissioner’s practical, wide-ranging codes on issues of general concern,
such as employment, subject access and privacy notices, will not become a thing
of the past.

Rosemary Jay is a senior consultant
attorney at Hunton Andrews Kurth and perhaps best known as author of Data
Protection Law & Practice.