Data Protection and the Internet

March 1, 1999

1. Introduction


When data protection laws started to appear in the early 1970s there were relatively few computers in the world and, due to their enormous cost, most were in the public sector. Computers tended to operate on a stand-alone basis and typically were housed in purpose-designed secure facilities. Most processing took place on a ‘batch’ or off-line basis. A government or other regulator that wished to supervise the automated processing of personal data had a good chance of knowing or finding out who was carrying out such processing.


Two developments have transformed that scenario. The first is the personal computer, launched in 1981 and now increasingly pervasive in businesses and homes around the world. The second is the networking of computers and, in particular, the dramatic expansion of the Internet since the early 1990s. It is now impossible for governments or regulators to keep track of even a tiny fraction of the processing and international transfers of personal data which take place on a real-time basis, every minute of every day. A typical pocket computer today has more processing power and storage capacity than the largest mainframe of the 1970s. Connected to a communications device such as a cellular phone, a pocket computer can be used to send personal data to or retrieve such data from anywhere on the planet. In marked contrast to the early stand-alone computer systems, the Internet, as a vast network of networks, is a massively distributed processing system.


Unfortunately, data protection concepts have moved on very little since the early 1970s. For example, the 1995 EU Data Protection Directive (the EU Directive)1 requires the EU member states to impose restrictions on transfers of personal data to countries which lack ‘an adequate level of protection’ for personal data (Art 25(1)). Although the Directive envisages various exceptions to this blanket export ban, there will be numerous instances where prior regulatory clearance should be obtained before a transfer is made. This is not credible in an environment where more than 150 million people worldwide have Internet access and can transfer personal data to other Internet users by merely clicking on a ‘send’ button in an e-mail package.


The UK Data Protection Act 1998 (the 1998 Act), which received the Royal Assent on 16 July 1998, was enacted to implement the EU Directive. The 1998 Act should have been brought into force no later than 24 October 1998 to satisfy the implementation deadline set by the EU Directive. That deadline was not met, however, and full implementation is not now expected until June 1999. Even that target may well slip. The main reason for the delay is that the 1998 Act provides for a large number of matters to be dealt with in detail by way of secondary legislation. Technically speaking, a few provisions in the 1998 Act came into force on 16 July 1998, but the substantive obligations will not be effective until the relevant orders are in force.


The 1998 Act also contains important transitional provisions (Sch 8). Data that are subject to ‘processing which was already under way’ immediately before 24 October 1998 will be exempt from the ‘new’ provisions introduced by the 1998 Act until 24 October 2001. Such data will, however, be subject to a regime created by the 1998 Act which is broadly similar in effect to that under the current Data Protection Act 1984 (the 1984 Act). The Home Office and the Office of the Data Protection Registrar have indicated that the issue of what constitutes ‘processing which was already under way’ should be determined according to the purposes for which the data are processed. On this view, new data which are added to an existing system after 24 October 1998 will still be within the scope of the transitional provisions provided that they are being processed for the same purpose as the existing data. A significantly longer transitional period is available in relation to certain manual records though this is of course of little relevance in the Internet context.


2. Key Concepts in The Data Protection Act 1998


2.1 Data, ‘personal data’ and ‘data subject’


The 1998 Act defines ‘data’ extremely broadly as information which is or is intended to be processed electronically, or which forms or is intended to form part of a ‘relevant filing system’ (s 1(1)).2


The definition of ‘personal data’ is ‘data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller’ (s 1(1)).3 This appears to be a narrower concept than the definition of ‘personal data’ in the EU Directive which merely requires the individual concerned to be identifiable ‘directly or indirectly’. In that definition there is no presumption that all the elements necessary to identify an individual are in the possession of a particular data controller.


Under the 1998 Act anonymised data will only be ‘personal data’ in the hands of a data controller if that data controller has, or is likely to obtain, possession of any look-up table or other data necessary to match up anonymised records with particular individuals. In relation to the Internet, this distinction may be significant in various contexts. For example, a Web site operator may only be able to link data relating to a particular visit to a Web site to a dynamically allocated IP (Internet Protocol) address and may have no way of discovering the identity of the visitor. Under the 1998 Act such data would not be personal data. Under the Directive, it is arguable that the data would be personal data if the individual concerned were identifiable ‘indirectly’ from records held by his or her ISP.


A ‘data subject’ is ‘an individual who is the subject of personal data’ (s 1(1)).


‘Sensitive personal data’ is defined in the context of the justifications for processing such data (see 4.1 below).


2.2 Processing


The definition of ‘processing’ is also very broad. It covers ‘obtaining, recording, or holding information or data or carrying out any operation or set of operations on the information or data’ (s 1(1)). The full definition contains the following examples of activities which will constitute processing: ‘(a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data’. It is difficult to imagine anything which could be done with data which would not constitute ‘processing’. Needless to say, vast quantities of data are processed via the Internet by numerous ‘data controllers’ and ‘data processors’.


2.3 Data controller


A ‘data controller’ is ‘a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed’ (s 1(1)). It is important to identify the controller in relation to any particular processing activity as it is that person who has primary responsibility for compliance with the 1998 Act. In addition to notification requirements, data controllers have an automatic statutory duty to comply with the Data Protection Principles (s 4(4)). Breach of the Principles may give rise to liability to any adversely affected individual, regardless of whether there is any regulatory intervention (s 13).4


The Internet is a massively interconnected community of more than 150 million individuals and organisations. It is likely that there will be many instances of joint or co-control of personal data. In other cases, different individuals or organisations may control different aspects of a particular activity. By way of example, the ‘Recitals’, or preamble, in the EU Directive contain the observation that, in relation to a telecommunications or e-mail service, ‘the controller in respect of the personal data contained in the message will normally be considered to be the person from whom the message originates, rather than the person offering the transmission services; whereas, nevertheless, those offering such services will normally be considered controllers in respect of the processing of the additional personal data necessary for the operation of the service.’ Thus, for data protection purposes, the sender of an e-mail will normally be responsible for the message content whereas the carrier will be responsible for traffic and billing data relating to transmission and storage of that message.


2.4 Data processor


In relation to personal data, a ‘data processor’ is ‘any person (other than an employee of the data controller) who processes the data on behalf of the data controller’ (s 1(1)).5 The Internet is characterised by numerous arrangements which will constitute processor/controller relationships. For example, ISPs process data on behalf of their customers and on behalf of other ISPs with which they have peering (ie interconnection) arrangements. Similarly, many data controllers outsource the hosting of their Web sites to data processors.


In some cases, the provider of a Web hosting service may have sufficient direct control over the processing activities to make it a controller, or possibly joint controller or co-controller, of certain data. For example, a service provider may not merely host a site by providing connectivity but may also have a degree of autonomy in the way it provides additional services such as handling payments or conducting sophisticated traffic analyses.


3. Territorial Application of the 1998 Act


The 1998 Act applies to data controllers in respect of particular data only if the controller is either established in the United Kingdom and the data are processed in the context of that establishment, or the controller is established outside the EEA ‘but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom’ (s 5(1)). A data controller who falls into the second category must nominate a representative in the United Kingdom in relation to its obligations under the 1998 Act.


This apparently straightforward statement of territorial scope is fraught with difficulty in the Internet and online services context. For one thing, due to the breadth of the establishment concept in the 1998 Act, it is possible that an Internet Service Provider will be established in multiple states within the EEA.6 Similarly, a commercial organisation may find that it is subject to multiple, and in certain respects inconsistent, national rules in relation to its internal cross-border intranet. Even where a data controller is not established in multiple EEA states, it may at least use equipment in multiple states. The EU Directive makes it clear (Art 4(1)(a)) that ‘when the controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable’.


The second problematic aspect of the territoriality provision in the 1998 Act is the exception for the processing of data using equipment in the United Kingdom which is merely ‘for the purposes of transit through the United Kingdom’ (s 5(1)(b)). What if, for example, a Web site on a server in the United States is ‘mirrored’ by a United Kingdom-based ISP on a server in the United Kingdom to facilitate access to that site by United Kingdom-based customers of the ISP? Will the ISP in the United Kingdom become a data controller in relation to any personal data contained in that Web site? Will the ISP in the United States be treated as established in the United Kingdom merely because an ISP in the United Kingdom has chosen to make a copy of the site (quite possibly without the site controller’s knowledge)? What if a Web site on a server in the United States plants a ‘cookie’ on the PC of a United Kingdom-based visitor to the site and subsequently interrogates that cookie remotely each time the visitor returns to the site? Is the data controller in the United States using equipment in the United Kingdom (ie the visitor’s PC) to process data about that visitor? Given that ‘processing’ includes ‘obtaining, recording or holding… information or data’ such a construction is possible. This would, however, be an absurd result as the Web site operator in the United States would presumably have to appoint the United Kingdom visitor as its representative for the purposes of compliance with the 1998 Act!


4. The Data Protection Principles


4.1 First Principle: Fair and Lawful Processing


The First Data Protection Principle provides that ‘[p]ersonal data shall be processed fairly and lawfully’ (Sch 1, Part I, para 1). The interpretation provisions make it clear that personal data will not be considered to be processed ‘fairly’ unless certain information is provided, or made readily available, to the individual concerned (Part II, para 2(1)). The information to be given to data subjects must include the identity of the data controller and any nominated representative, the purpose or purposes for which the data are intended to be processed, and ‘any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair’ (para 2(3)).


Where data are obtained directly from the data subject, the requisite information should normally be provided at, or be made available from, the time of data collection (para 2(2)). This is consistent with the approach taken by the Data Protection Registrar under the 1984 Act. In her 1998 Annual Report, the Data Protection Registrar commented that ‘[w]hen information is input onto a form on a website it is immediately capable of being processed as personal data. Notifications of the uses and disclosures of the data should therefore be given at the beginning of the form, so that the individual can decide, on the basis of full information, whether or not to proceed with the transaction.’7 In any other case, the information should normally be provided at the time the data are first processed or first disclosed to a third party (1998 Act, Sch 1, Part II, para 2(2)).


In the Internet context, it should in most instances be relatively easy to provide the requisite information via an e-mail message or a notice on a Web page. In any event, the information provision obligation applies only ‘so far as practicable’. Moreover, in the case of data which are not obtained directly from the data subject, the obligation to provide information does not apply where provision ‘would involve a disproportionate effort’, or the data controller is required by law to record or disclose the data (Sch 1, Part II, para 3).


Moreover, personal data must not be processed unless one of a number of conditions is satisfied. These are set out in Sch 2 to the 1998 Act. In summary, processing is legitimate if the data subject has given his consent; or if it is necessary for the performance of a contract to which the data subject is a party or for taking steps to enter into a contract, for compliance with a legal obligation (other than contractual), or for certain public sector purposes.8 In addition, processing is justified if it is ‘necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject’. This so-called ‘balance of interests test’ is well established in the data protection laws of some civil law jurisdictions but is new to English data protection law. If interpreted broadly, it would justify many routine business data processing activities. However, until such a time as guidance has been provided in secondary legislation9 or has been published by the Data Protection Commissioner, or the concept has been tested in the courts, it would not be prudent to rely heavily on this rather vague justification for processing data. If a data controller begins processing data in reliance on the balance of interests test and subsequently finds that the test has been failed, it may at that stage be very difficult to establish one of the other grounds for processing.


More stringent conditions apply to the processing of sensitive personal data. These are set out in Sch 3 to the 1998 Act. The 1998 Act defines ‘sensitive personal data’ as ‘personal data consisting of information as to’ a data subject’s racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, membership of a trade union, physical or mental health or condition, sexual life, or commission or alleged commission or proceedings in relation to any offence (s 2).


Processing of sensitive data will be legitimate only if the data subject has given his ‘explicit consent’; the processing is necessary in relation to an employment right or obligation; the processing is necessary to protect the vital interests of the data subject or another person in circumstances where consent is not obtainable; the processing is by a charitable body in relation to its members; the data subject has made the data public; the processing is necessary in relation to legal proceedings or advice; or the processing is for certain public sector purposes. In addition, processing of sensitive data may be legitimate in the public or private sectors where it is carried out for medical purposes by a health professional, or where it is carried out, with appropriate safeguards, for ethnic monitoring purposes to promote or maintain equality. Finally, the Secretary of State may, and is likely to, specify other circumstances in which sensitive data may be processed.


In the Internet context, some activities may relate overtly to sensitive data. In other cases, the association may be more subtle or uncertain. For example, does the hosting by an online service provider of a discussion or chat forum relating to a particular medical condition or treatment constitute processing of sensitive personal data? In that case the relevant question would be whether the data consisted of ‘information as to’ the data subject’s ‘physical or mental health or condition.’ The answer would depend on the facts. For example, comments posted by a patient about his or her health probably would be sensitive personal data, whereas comments posted by a surgeon in relation to a particular surgical procedure, without reference to any patient, probably would not be sensitive personal data. What if an airline or Internet travel agency collected data via a Web site relating to the dietary requirements of passengers? Again, whether that would constitute processing of sensitive personal data might depend on the precise facts. For example, a request for a vegetarian meal on a flight would probably not be sensitive personal data, whereas a request for a kosher or diabetic meal on a flight might be.


4.2 Second Principle: Specified and Lawful Purposes


The Second Data Protection Principle provides that ‘[p]ersonal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes’ (Sch 1, Part I, para 2). This is very similar to the Second Principle in the 1984 Act which has tended to be interpreted narrowly as merely requiring that an appropriate registration, broadly equivalent to a notification under the 1998 Act, be in place and that there be no inherent illegality in the purpose for which data are processed. At the time of writing, secondary legislation containing details of the notification regime has not been published. However, the interpretation of the Second Principle in the 1998 Act states that the purpose or purposes for which data are obtained may be specified in a notice given to the data subject or in a notification to the Commissioner (Sch 1, Part II, para 5).


4.3 Third Principle: Adequacy, Relevance and Proportionality


The Third Data Protection Principle provides that ‘[p]ersonal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed’ (Sch 1, Part I, para 3). This has important implications for data collection via the Internet. Many Web site operators require regular visitors, and in some cases also occasional surfers, to register before gaining access. It is very important that the Web site operator makes it clear precisely why any non-essential questions are being asked and whether a response is optional. For example, capturing an e-mail address may be necessary for the provision of a particular service, whereas collecting information about, for example, gender, marital status, income and age may be irrelevant or excessive. Such data may, of course, assist a Web site operator in building profiles of visitors to the site for its own or third party marketing purposes. If, however, the declared and registered purpose of the processing does not extend to cover processing for that purpose, such processing would probably be unfair, unspecified and excessive and thus in breach of the First, Second and Third Principles.


4.4 Fourth Principle: Accuracy and Timeliness


The Fourth Data Protection Principle provides that ‘[p]ersonal data shall be accurate and, where necessary, kept up to date’ (Sch 1, Part I, para 4). The interpretation provisions state that this Principle will not be contravened where data obtained from the data subject or a third party are inaccurate provided that ‘the data controller has taken reasonable steps to ensure the accuracy of the data’ and the data record any view which the data subject may have expressed to the controller as to their inaccuracy. The reasonableness of any verification steps is to be judged in the light of the purposes for which the data were obtained or further processed (Sch 1, Part II, para 7).


Application of this Principle to Internet-related activities is likely to prove problematic. The Web and the Usenet constitute a vast repository of information of highly variable accuracy and timeliness. For example, a recruitment consultant might use one or more Internet search engines to scour the Web and the Usenet in order to build a dossier on a prospective candidate. Material might well be retrieved which was either inaccurate or out of date. In such a case, the recruitment consultant should consider what steps should be taken to verify the data, especially in relation to any material which might be particularly prejudicial to the candidate concerned.


Christopher Millard may be contacted at christopher.millard@cliffordchance.com.