Revoking consent: A ‘blind spot’ in data protection law?


Computer Law & Security Review 26 (2010) 273–283

Available at www.sciencedirect.com

www.compseconline.com/publications/prodclaw.htm

Revoking consent: A ‘blind spot’ in data protection law?

Liam Curren 1, Jane Kaye 2

Centre for Health, Law and Emerging Technologies at Oxford (HeLEX), University of Oxford, Old Road Campus, Oxford OX3 7LF, UK

Keywords: Data protection; Privacy; Consent; Revocation; Article 8 ECHR

Abstract

The flow of personal data throughout the public and private sectors is central to the functioning of modern society. The processing of these data is, however, increasingly being viewed as a major concern, particularly in light of many recent high profile data losses. It is generally assumed that individuals have a right to withdraw, or revoke, their consent to the processing of their personal data by others; however this may not be straightforward in practice, or addressed adequately by the law. Examination of the creation of data protection legislation in Europe and the UK, and its relationship with human rights law, suggests that such a general right to withdraw consent was assumed to be inbuilt, despite the lack of express provisions in both the European Data Protection Directive and UK Data Protection Act. In this article we highlight potential shortcomings in the provisions that most closely relate to this right in the UK Act. These raise questions as to the extent of meaningful rights of revocation, and thus rights of informational privacy, afforded to individuals in a democratic society.

© 2010 Liam Curren & Jane Kaye. Published by Elsevier Ltd. All rights reserved.

The Data Protection Directive 95/46/EC (the Directive) is clear that the principal aim of national data protection laws should be to ensure the protection of individuals’ privacy when their personal data are handled by third parties.3 The reference to privacy is present because of the intended links between the Directive and Article 8 of the European Convention of Human Rights (ECHR) – the right to respect for private and family life. The Data Protection Act 1998 (the DPA), the primary piece of legislation to implement the Directive in the UK, fails to mention the word privacy, however it must still be considered as seeking to fulfil that particular aim.4 Despite the problems with establishing a workable legal definition of privacy, or indeed any succinct conceptual definition, there is a consistently held view that it is linked to the personal autonomy of individuals. When considered in terms of personal data, such autonomy can be seen as the control that individuals could, or should, exert over how such data are used by others. This perspective was summarised neatly by Laws LJ in a Court of Appeal5 case in 2009:

subject to [certain] qualifications … an individual’s personal autonomy makes him – should make him – master of all those facts about his own identity, such as his name, health, sexuality, ethnicity, his own image … and also of the ‘zone of interaction’ … between himself and others. He is the presumed owner of these aspects of his own self; his control of them can only be loosened, abrogated, if the State shows an objective justification for doing so.

1 Researcher in Law & Solicitor, Centre for Health, Law and Emerging Technologies at Oxford (HeLEX), University of Oxford, Old Road Campus, Oxford OX3 7LF, UK, funded by the EPSRC as part of the EnCoRe Project, under grant code EP/G002541/1.
2 Wellcome Trust Research Fellow, Director of Centre for Health, Law and Emerging Technologies at Oxford (HeLEX), University of Oxford, Old Road Campus, Oxford OX3 7LF, UK, funded under grant code WT 081407/Z/06/Z.
3 Directive, Article 1(1).
4 For example, see Common Services Agency v Scottish Information Commissioner [2008] UKHL 47 as per Hope LJ at 7 (in relation to the Directive); and more generally (in relation to the consistent interpretation of EC law by national courts) Case C-106/89 Marleasing SA v. La Commercial Internacional de Alimentacion SA [1990] EUECJ C-106/89, [1990] ECR I-4135 at 8, and Joined Cases C-397/01 to C-403/01 Pfeiffer (Social policy) [2004] EUECJ C-397/01, [2004] ECR I-8835 at 112–116.
5 Wood v Commissioner of Police for the Metropolis [2009] EWCA Civ 414 at 21.
0267-3649/$ – see front matter © 2010 Liam Curren & Jane Kaye. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2010.03.001


With this in mind, an individual’s consent to use their personal information is the primary means for individuals to exercise their autonomy and to protect their privacy. If individuals are given the opportunity to grant consent, then is it logical to assume that, in the context of the use of personal data by others, there must be a corresponding option to withdraw or revoke that consent, or to make subsequent changes to that consent? As will be discussed, there is some evidence to suggest that this is how data protection legislation could, quite legitimately, be interpreted.

1. Consent and its revocation

Consent is a common, almost ubiquitous, feature of the law. On one, wholly general, level it can be described as the making of a voluntary decision, by a competent individual, to allow an act to occur that may have been impermissible, absent the consent. This is of course an oversimplification and, as lengthier analyses of consent have commented, there are ‘uncomfortable questions’ lurking behind what could be considered a ‘fairly unproblematic … doctrinal mainstay’.6 Taking just two legal landscapes, much of the law of contract resonates with the operation of a variety of notions of consent, and consent plays a crucial role in any discussion pertaining to medical law and bioethics.7

This article does not draw extensively on the wider debate that has gone before on the legal and philosophical nature of consent, rather it focuses on the specific example of consent as it applies in data protection law. Despite its prominent impact on the workings of data protection law, consent is, of course, not actually defined in the DPA. One has to look to the Directive for a definition, but in neither piece of legislation will one find an express general right to revoke such consent. In the Directive consent is defined as: “Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.8 A significant feature of consent in this context is that it serves as merely one of a group of legitimising conditions; that which is seeking to be legitimised being the processing of personal data by others.

Whilst a good lawyer will advise a data controller not to rely on consent as a means of legitimising processing (because of the dangers of proving that consent has been ‘freely given’ in an ‘informed’ manner), the notable absence of any express provisions referring to the ability to reverse or alter consent will be comforting to those controllers who rely on consent and wish to legitimise their processing. Thus interpreting the Directive and/or the DPA as including a tacit right for the data subject to withdraw consent is potentially unwise, entirely because, unlike other legal instruments9 and some subsidiary data protection legislation,10 a right of withdrawal is not explicitly stated. Clearly, matters of interpretation of laws will be pertinent in this regard, and whilst our research has necessitated analysis of the interesting relationships between the three relevant legal orders in this context – English/UK law (ie the DPA and the Human Rights Act 1998); EC law (ie the Directive); and the law relating to the ECHR (ie Article 8) – the focus of this article is on the extent to which revocation exists in the operation of data protection law in the UK. Matters akin to a personality right, such as that present in jurisdictions such as Germany,11 are not considered here on the basis of there being no equivalent rights under English law.

Early work (albeit not in a legal context),12 as part of the EnCoRe Project,13 has described revocation as a process that permits an individual to invalidate or modify previously given consent relating to the use, ie processing, of their personal data by others.14 Revocation can thus be seen as a fine-grained process that can be qualified by specific attributes, in that it might not just be a matter of ‘turning off’ the entire consent given on a set of personal data, but there could be degrees of revocation, affecting specific data.15 This is useful, conceptually, but what of data protection law; what are the potential triggers for revocation; and how would this be achieved in practice? These questions have formed the basis of our initial research as part of the EnCoRe project, and the focus of this article. Before examining the DPA and Directive in more detail in this regard, we stress that in this article we are assuming that a revocation works with respect to a valid consent that has been given by a data subject. We are, put simply, investigating what right a data subject has to change their mind.

6 D. Beyleveld & R. Brownsword, Consent in the law (1st edn, Hart, Oxford 2007).
7 See, for example, O. O’Neill, Autonomy and Trust in Bioethics (1st edn, Cambridge University Press, 2002) and N.C. Manson & O. O’Neill, Rethinking Informed Consent in Bioethics (1st edn, Cambridge University Press, 2007).
8 Directive, Article 2(h).
9 For example, see UNESCO Universal Declaration on Bioethics and Human Rights 2005, Article 6.
10 See section 2.2.3 below.
If it can be proved that there was never any valid consent as between a quarrelling data subject and a data controller, then a data subject will not be concerned with changing their mind – there being no consent to revoke – rather, their concern will be in remedying the potentially illegitimate and harmful processing that is the subject of the quarrel. We have investigated the legal right of revoking an existing consent in data protection law on the grounds that there is apparent confusion as to whether this is an option assumed to be available to data subjects. There may, it seems, be a potential blind spot in the law in this regard.

11 Based on The Grundgesetz (Basic Law for the Federal Republic of Germany) Art 2(1) – Every person shall have the right to free development of his personality insofar as he does not violate the rights of others or offend against the constitutional order or the moral law.
12 M. Casassa Mont and others, ‘On the Management of Consent and Revocation in Enterprises: Setting the Context’ (2009) HPL2009-49 HP Laboratories Technical Reports.
13 The EnCoRe Project is a multi-disciplinary research project, spanning across a number of IT and social science specialisms, that is researching how to improve the rigour and ease with which individuals can grant and, more importantly, revoke their consent to the use, storage and sharing of their personal data by others. See www.encore-project.info for details. EnCoRe receives funding from the UK Government’s Technology Strategy Board, Economic & Social Research Council and Engineering & Physical Sciences Research Council.
14 Data controllers, data processors, and potentially other third parties.
15 See also I. Agrafiotis, S. Creese, M. Goldsmith, and N. Papanikolaou, ‘Reaching for Informed Revocation: Shutting Off the Tap on Personal Data’, Proceedings of Fifth International Summer School on Privacy and Identity Management for Life, Nice, France, 7–11 September 2009. Available at http://www.warwick.ac.uk/wessiai/publications/0000009c6a0a76620.html.

2. Searching for a legal basis for revocation

The closest we get to a general right of revocation in the DPA is under section 14 and under section 10 of the Act, which together give limited rights of control over personal data. A specific right exists under section 11(1) of the DPA, to object and prevent the processing of data for direct marketing purposes.16 The first general right, a right to rectify inaccurate data17 under section 14, is a cumbersome right which requires a court order to be effective, and is thus not considered as a right that could be used easily by the vast majority of data subjects.18 The second right, also cumbersome in nature and not without conceptual difficulties, is essentially a right of objection. This latter right will be the focus of this article because it does not require a court order in all circumstances, and would prima facie appear to be the most accessible course of action for the majority of people.

2.1. Section 10 – a right of revocation?

Article 14(a) of the Directive provides data subjects with a general right of objection, to prevent processing of personal data at any time so long as it is based on ‘compelling legitimate grounds’. This article makes it clear that an objection can be raised even if the processing complained of is considered lawful. Member states do have the option to legislate against such a right of objection; an option not taken by the UK in its implementation of Article 14 in the DPA, as we see in section 10(1):

an individual is entitled at any time by notice in writing to a data controller to require the data controller … to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons … the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and … that damage or distress is or would be unwarranted.

This right of objection (the Section 10 Right)19 is subject to various qualifications, and is quite limited in its application (as are most of the rights afforded to individuals under the DPA).20 The clear differences in the language used in the Directive (‘compelling legitimate grounds’) and the DPA (‘specified reasons’ that cause ‘unwarranted’ and ‘substantial damage or substantial distress’) appear to make the right in the DPA more restrictive in scope than the Directive intended,21 however when debated at the House of Lords, the alternative wording was justified on the basis that the European expression was not ‘satisfactory’ in terms of statutory language. Their Lordships’ view was that for a data subject to establish compelling grounds, a case would need to be made where some form of damage (either financial or otherwise, ie some form of distress) could be shown to arise as a result of the processing.22

16 Derived from Directive, Article 14(b).
17 That is, data which ‘are inaccurate if they are incorrect or misleading as to any matter of fact’, as per Data Protection Act, s 70(2).
18 Related to this matter is the question as to whether data subjects actually have a right to request that old or redundant data are not kept by a data controller. Is it the case that maintenance of this aspect of data – its inherent accuracy – can only be achieved under the DPA by the data controller complying with the data protection principles (in particular the fifth principle) or is there an implied right for data subjects to take control and demand that this is done?
19 Data Protection Act, s 10 is entitled ‘Right to prevent processing likely to cause damage or distress’. For such prevention to be achieved, a data subject must initially make an objection, and thus we refer to the Section 10 Right as a right of objection, rather than prevention.
20 Data Protection Act, Part II, ss 7–15.

2.2. Problems with the section 10 right

Relying on the Section 10 Right to object to otherwise lawful processing of personal data raises a number of problems for the data subject. The problems arise in the form of a two-stage test: firstly, there is a high threshold for a demonstrable harm to the data subject;23 secondly, certain features must not be present in order for the data subject to be able to object. There must not be an existing consent to the processing on the part of the data subject, or an existing contractual relationship governing the data subject’s personal data.24 These problems are summarised in Fig. 1 and will be discussed in detail below.

2.2.1. Thresholds

Data controllers, particularly those that are not public authorities, can and often do rely on the ‘legitimate interests’ condition in Schedule 2 of the DPA25 to justify processing of the personal data of data subjects. This condition is most commonly used to negate the need to rely on the consent of the data subject in order to legitimise the processing. As a useful first step in attempting to exercise their Section 10 Right, such a justification by a data controller ought to be challenged by a data subject. To do this successfully, a data subject will somehow have to demonstrate that their rights – and notably their right to privacy as encapsulated by Article 8 – have been prejudiced by the processing.26 How this would be done, however, is not entirely clear, as there is no clear direction from the courts or the Information Commissioner’s Office (ICO) as to how this balance should be determined.

21 This was raised briefly in the debate of the DPA in Parliament, however the Government contended that the effect of section 10 was consistent with the Directive, despite submissions from the Data Protection Registrar that the ‘damages and distress’ elements were not required by the Directive. HC Standing Committee D amendment No. 258 14 May 1998.
22 HL Deb vol 587 col 497–499 16 March 1998.
23 Data Protection Act, s 10(1)(a)–(b).
24 Data Protection Act, s 10(2)(a).
25 Data Protection Act, Sched 2, 6(1).
26 To make an objection under section 10, the data subject must provide the data controller with a written data subject notice, specifying the reasons why the processing will cause them harm or damage. The data controller then has 21 days to respond, by way of a written statement setting out what action they propose to take to comply with the notice, or which parts of the notice it considers unjustified. If there are issues regarding compliance after the data controller has responded to the data subject, the data subject can seek a court order.


Fig. 1 – The Section 10 Right: an unworkable revocation of consent?

Matters of disputed legitimacy aside, the Section 10 Right is exercisable only if a data subject can demonstrate unwarranted, substantial damages or distress caused by the processing: clearly a difficult threshold to reach. Guidance from the courts, though welcome, has not provided much in the way of useful advice about the practical application of this right by individuals.27 A pertinent example of the difficulties concerning attempted reliance on the Section 10 Right is the case of individuals seeking to object to the proposed processing of their health data in a central NHS database.28 The result of this processing would be that patients’ individual ‘summary care records’ would be made available to certain bodies, nationally, on that database.29 In 2006, the GPs of those who objected were told by the Chief Medical Officer to inform such patients that the proposed availability of the summary care records was unlikely to cause substantial harm or distress because of the protections (ie data security provisions) that were in place. In a more recent development, the NHS has subsequently confirmed that, following negotiations with the ICO, patients will be able to choose whether their summary care record is made available.30 This example illustrates that the Section 10 Right may be all too easily dismissed by certain public authorities31 and has, despite the intervention of the ICO in this case, been largely ignored by the regulators as a workable right for individuals.32 Surely it cannot be the case that the ICO needs to intervene in every case where individuals seek to object to processing that does not relate to direct marketing?

27 The High Court in Douglas & Ors v Hello! Ltd & Ors [2003] EWHC 786 (Ch) held that the ‘legitimate interests’ condition for fair processing ‘denies legitimacy to the processing … if it is unwarranted by reason of prejudice to the rights and legitimate interests of the data subjects. The provision is not, it seems, one that requires some general balance between freedom of expression and rights to privacy or confidence … the question is more simply whether the [processing] is unwarranted by reason of the prejudice to [the data subjects’] legal rights [it] does not provide, as it so easily could have done, how serious has to be the prejudice before the processing becomes unwarranted and in point of language any prejudice beyond the trivial would seem to suffice’ as per Lindsay J. at 238.
28 A 2006 campaign led by The Guardian newspaper encouraged members of the public to request, in letters to the Chief Medical Officer, that their sensitive personal data (in the form of an ‘NHS Summary Care Record’) were not included on a centralised NHS database – created as part of the NHS Connecting for Health initiative – known as the ‘spine’. A pro-forma letter included the line ‘I require you not to begin processing my sensitive personal data to the proposed NHS Summary Care Record on the Spine. It is likely to cause me substantial unwarranted distress because …’ (our emphasis) (D. Leigh and R. Evans, ‘Warning over privacy of 50m patient files: What can patients do?’ The Guardian (1 November 2006)).
29 The access of researchers to medical data stored by the NHS, and the consent of patients to allow such access, is a related, and still contentious, issue; see C. Dyer, ‘Researchers have failed to ease access to patients’ data for research’ (2009) 338 British Medical Journal 1961.
30 O. Bowcott, ‘NHS patients given right to delete electronic record’ The Guardian (26 May 2009).
31 The Department of Health, in an open letter to The Guardian and those individuals seeking to opt out, set out in detail why it did not consider that the processing objected to would result in such distress. Department of Health, Letter to patients expressing concern over electronic care records (2006) available at http://www.connectingforhealth.nhs.uk/newsroom/media/guardian-letter.pdf (accessed on 28 January 2010). See also M. Cross, ‘Impasse over patient consent may delay NHS computerisation’ (2006) 333 British Medical Journal 1140.

2.2.2. Consent condition

Notwithstanding the threshold difficulties, perhaps the most problematic aspect arises in relation to the consent of a data subject seeking to object/revoke. Consent itself implies some kind of awareness of the proposed processing on behalf of the data subject. There will, however, be instances where a data subject may not actually know how, or indeed if, their personal data are being processed by others. This could be as a result of poorly drafted privacy notices by data controllers known to a data subject, or other data controllers acquiring personal data unbeknownst to the data subjects. There may therefore be instances where consent – perhaps long-since forgotten expressions by a data subject, and thus arguably invalid – is assumed to be valid by data controllers. Such awareness issues aside, it is the consent aspect of the DPA, and section 10 in particular, that represents an apparent ‘blind spot’: the right that most closely represents revocation may actually preclude the ability of a data subject to revoke their consent. The Section 10 Right will not apply when any of the first four processing conditions listed in Schedule 2 of the DPA are met. Broadly, these four conditions state that processing will be considered fair if:

(i) it is processed with the consent of the data subject;
(ii) it is required by contract, or pre-contractual negotiations, with the data subject;
(iii) a legal obligation exists for a data controller to process the personal data; or
(iv) the processing is necessary to protect the ‘vital interests’ of the data subject.33

Therefore, if the Section 10 Right is to apply there must be no consent to processing, nor must there be any related contract (see below), nor must the data controller have an obligation (to process the data) that is outside of the control of the data subject. This brings to light an apparent conceptual difficulty in fitting revocation within the ambit of the Section 10 Right. This is that section 10 can only be relied on if there is no consent. If revocation is considered as a withdrawal or amendment of an existing consent and the Section 10 Right is considered as a form of revocation, an obstacle to the exercise of the right is apparent: that which is sought to be revoked – ie consent – cannot exist if the Section 10 Right is to be used. The Section 10 Right cannot then be considered as a right to revocation, as a right of revocation can only logically exist if there is consent in the first place that can be revoked.

But why look to section 10 to try and find a right of revocation in the first place? The answer is found in the debates prior to the enactment of the Directive and DPA. It is clear that the UK Parliament considered that there was an inherent right to withdraw a previously given consent in the DPA, despite the fact that no such right is articulated in the Act. This matter was addressed in relation to the intended scope of section 10 when debated at the House of Lords,34 where the Government’s position was put quite clearly:

Specific questions have been raised; for instance, whether under Clause [10](2)(a) any consent given under paragraph 1 of Schedule 2 is not capable of being withdrawn? Any consent given in any part of the Bill may be withdrawn at any time and there is nothing to prevent that.

Later debates, this time in Europe, regarding the proposed ‘E-Privacy Directive’35 – a subsidiary piece of data protection legislation – bring to light potential issues regarding the availability of a right of revocation in the overriding Directive. The E-Privacy Directive is also relevant to our discussion as it contains provisions more akin to the concept of revocation than exist elsewhere in data protection legislation. Briefly, certain provisions expressly permit an individual to withdraw a previously given consent,36 but only to prevent the processing of certain personal data for particular purposes.

32 The ICO 2007 report of its ongoing review of the NHS Connecting for Health initiative did not refer to section 10 of the DPA. Information Commissioner’s Office, The Information Commissioner’s view of NHS Electronic Care Records (2007). The same would appear to be true of the most recent intervention by the ICO in the case of the summary care records, which focussed on ‘restricting the access’ to records, rather than an objection as such: J. Leyden, ‘Patients gain right to scrub e-records from NHS database’ The Register (26 May 2009) accessed 28 January 2010.
33 Data Protection Act, Sched 2, also contains a processing condition that relates to parliamentary/judicial involvement in the processing of personal data. This condition, together with the ‘vital interests’ condition, is not in the control of the data subject, and neither will be considered here in detail.
These data take two forms: traffic data (eg the duration and destination of phone calls) processed for the purposes of marketing services or the provision of certain ‘value-added services’; and location data (eg geographical data communicated by a mobile phone) processed for any purposes.37 Crucially, all of this type of processing must be confined to the context of electronic communications.38 In the early stages of the European Parliament’s debates on the E-Privacy Directive, inclusion of a right for individuals to withdraw their consent to the processing of traffic data was initially rejected on the basis that such a right was ‘already guaranteed by Article 14 of [the Directive] on the data subject’s right to object’39 (on the assumption that national legislators chose not to preclude such a right).

Looking back further still at the debates of the Directive itself in the early 1990s, the evolution of the right of objection in Article 14 highlights the potential erosion of a robust right to withdraw consent, which was assumed to be present in the Directive at the time of the E-Privacy Directive debates. The European Parliament’s first suggested amendments to the Council’s proposal for the first data protection directive40 included a specific and express opportunity to object,41 at any time,42 to processing which required the data subject’s consent. Furthermore, the Council’s proposal had made it clear that consent could be withdrawn by a data subject ‘at any time’, though without any retroactive effect.43 A subsequent amended draft proposal from the Commission44 included a right to withdraw consent as part of the definition of consent in the draft Directive. By the time of a common position, approved shortly before the formal adoption of the first Directive, this express right of withdrawal of consent had been removed. Rather confusingly perhaps, the Council commented in the statement of reasons accompanying the common position document that the rights of data subjects had actually been ‘strengthened and clarified’ because the general right of objection could be exercised at any time, particularly in respect of processing for marketing purposes.45 However, it seems to be the case that this perceived strengthening and clarification occurred despite the removal of an express general right for data subjects to withdraw their consent to personal data being processed. The end result is limited rights to object, coupled with no clear right to withdraw. The subsequent re-emergence of a right of withdrawal of consent in the E-Privacy Directive raises the possibility that the Directive should not be interpreted as including such a right. Alternatively, it may uncover an oversight on the part of the legislators.

The lack of judicial interpretation of this specific point by the ECJ and UK courts, however, means the matter remains uncertain. Established EC law would suggest that because the DPA was enacted for the purpose of transposing the Directive, the UK courts, when interpreting any of the DPA’s provisions, would be bound to conclude that the intention of the UK parliament was to fulfil entirely the obligations arising from the Directive.46 The fact remains, however, that the scope of the obligations in the Directive is unclear. Returning to the Section 10 Right – a section of the DPA whose history is clearly steeped in parliamentary debate about withdrawal of consent – the fact remains that there is a catch: if an individual has given consent to processing then they do not have a right to object under section 10; however, if they have not given consent, and there are no contractual complications, then they do have a right under section 10. This difficult state of affairs persists, despite judicial interpretation seemingly backing up this apparently illogical feature of the DPA.47

34 HL Deb vol 587 col 500 16 March 1998.
35 Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
36 The consent referred to in the E-Privacy Directive is the same as that defined in the Directive.
37 Neither of these provisions is affected by the proposed amendments to the E-Privacy Directive in the Common Position (EC) No 16/2009 of 16 February 2009 (Official Journal 2009/C 103 E/02).
38 The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) also provide that the mechanism by which individuals can withdraw consent for the provision of value-added services must be free of charge and achieved using a simple means (Regulation 14(4)(b)).
39 Report on the proposal for a European Parliament and Council directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (A5-0270/2001) as per Amendment 31, Article 6, paragraph 3, page 24 (13 July 2001).
40 Official Journal C-94/173 1992, Proposal for a Council directive concerning the protection of individuals in relation to the processing of personal data (COM (1990) 0314) – Amendments of European Parliament (11 March 1992).
41 Amendment No 42; altering Article 12(b).
42 Amendment No 145; new Article 12(2).
43 Article 12(c) of the Proposal for a Council directive concerning the protection of individuals in relation to the processing of personal data (COM (1990) 0314).
44 Official Journal C-311/30 1992, COM(92) 422 final – SYN 287 Amended proposal for a Council Directive on the protection of individuals with regard to the processing of personal data and free movement of such data (Submitted by Commission on 16 October 1992) see Article 2(g).
45 Official Journal C-93/1 1995, Common Position (EC) No 1/95 With a view to adopting Directive 95/…/EC of the European Parliament and of the Council of … on the protection of individuals with regard to the processing of personal data and free movement of such data (Adopted by the Council on 20 February 1995).
46 Pfeiffer (Social policy) at 112.

2.2.3. Contractual condition

For section 10 to apply, the personal data in question must not be necessary for the performance of a contract. This is problematic, as the vast majority of relationships between a data subject and a data controller will, certainly in a commercial context, be based on some form of contract. So, assuming there is no contractual right of variation or termination (which could amount to a revocation), why should the formation of a contract prevent a data subject from relying on the Section 10 Right? After all, this exception is not present in Article 14 of the Directive. Related to this potential dilemma is the clash between contract and statute. As Sanders discusses in her 2002 article, there are no provisions in the DPA that prevent contracting out of the DPA Rights conferred on data subjects.48 The House of Lords, in Johnson v Moreton,49 ruled that a party can only renounce a right conferred by statute if it is ‘exclusively for his benefit and there is no element of public interest’.50 So where a matter cannot be governed by a contract because of certain statutory provisions for its regulation, the parties must defer to those provisions and any remedies inherent in them. As such, a contract involving a data subject can only seek to limit any of the rights if such rights are considered to be exclusively private rights. If the rights are public in nature, a court is likely to find any contractual clause limiting these rights to be unenforceable; if the rights are considered private, then such contractual clauses could (in the context of consumer and trader relationships) still fall down on the basis of fairness as defined by the Unfair Terms in Consumer Contracts Regulations 199951 (the Regulations), which the ICO is empowered to enforce. Article 5 of the Regulations renders terms unfair if, contrary to good faith, the rights and obligations arising under the contract act to the detriment of the consumer. Thus if a contractual clause denies a data subject any of their rights under the DPA, it runs the risk of being unfair.52 The problem with the Section 10 Right, however, is not one of a contract limiting the application of this right by a data subject. Rather, it is the converse: the Section 10 Right cannot be relied on if the data subject is a party to a contract in relation to the objectionable processing that is sought to be prevented. Fig. 2 sets out an example of this problem when applied to a hypothetical data controller/subject relationship.

47 In Mahon, R (On The Application of) v Taunton County Court [2001] EWHC Admin 1078, [2002] A.C.D. 30, 2001 WL 1560831, a somewhat misguided attempt by a serial vexatious litigant to issue a section 10 Notice on a variety of district councils was refused by the High Court, albeit almost in passing, on the grounds that, inter alia, the individual in question had previously consented to those councils processing his personal data for the purposes of considering his application for a Hackney Carriage Driver’s Licence, as per Hooper J. at 30. We would argue, however, that this part of the judgment was ill-conceived, and would most likely be overturned on a more thorough analysis of the Section 10 Right, particularly if Parliament’s intention as regards the ability to withdraw a consent was considered.
48 J. Sanders, ‘Personal Data as Currency’ (2002) 2 Privacy and Data Protection 7.
49 Johnson v Moreton [1980] AC 37.
50 An equitable maxim, known as quilibet potest renunciare juri pro se introducto.

3. Solutions?

Only the E-Privacy Directive includes express provisions that allow consent to be revoked in particular situations. Are we therefore to infer that the absence of such provisions in the overriding data protection legislation means that data subjects are denied the right to revoke a previously given consent to allow others to process their personal data, aside from in relation to marketing? Or is such a right inherent due to the scope of Article 8 ECHR when applied in the context of data protection? Are we also to assume that data subjects entering into contracts relating to the processing of their personal data are denying themselves any right of objection, so long as the data controller is not in breach of any such contracts and those contracts were not manifestly unfair? If no express contractual right for making an objection/revocation exists, the options available to a data subject would appear to be either: to argue that, on the basis of parliamentary intentions, an implicit right of objection/revocation does exist under the DPA when viewed in the light of Article 8 of the ECHR; or to seek somehow to dispense with any relevant contract – and thus make the Section 10 Right available – on the basis of equity or law. The first option is fraught with difficulties given the UK courts’ reluctance to make considerable departures from the existing law53 (section 10 would perhaps need to be re-interpreted),54 requiring as it would the creation of a new cause of action.55 The other option, also far from straightforward, would most likely require input from a court or regulatory authority (be it the Office of Fair Trading or the ICO). It is an unworkable situation: it does not seem to be what the UK Parliament intended, and it too may conflict with the rights inherent in Article 8.

51 Statutory Instrument 1999 No. 2083. Office of Fair Trading Guidance on the application of the Regulations states that: ‘A term or statement which could be understood as permitting the supplier to pass on information about the consumer more freely and widely than would otherwise be allowed under the [DPA] is likely to be open to challenge. A term about the use or disclosure of personal information that does not inform consumers how their information may be processed is likely to be unfair too … Provisions of this kind may be acceptable if they are modified so as not to diminish the protection offered by the law or where there is a free choice to agree to them or not – for example, via an option separate from the rest of the contract. But note that fairness is much more likely if consumers have positively to ‘opt in’ to lose their legal protection. A chance to ‘opt out’ in small print may be missed or misunderstood. In any case the chances of fairness will be increased if the significance of the choice is indicated and drawn to the consumer’s attention.’ Guidance for the Unfair Terms in Consumer Contracts Regulations 1999 (September 2008) (OFT311) at 18.6.2.

3.1. Is Article 8 the answer?

Data protection law protects a fundamental right (privacy) and indeed may itself equate to something more fundamental.56 The lack of an express general right of revocation – a potential legislative blind spot – could amount to a major shortcoming if individuals should actually be empowered to exercise control of their privacy in a meaningful way. If this is the case, could individuals nonetheless revoke consent – and manage their informational privacy57 – by relying instead on the better-established, but more nebulous, ECHR rights?58 With this in mind, the suitability of Article 8 and data protection legislation for protecting information privacy must be considered. The ECHR is over half a century old, and was conceived at a time when today’s information society could not possibly have been imagined. We would contend that Article 8 is fit for purpose: its breadth is apparent from Strasbourg jurisprudence, and increasingly in the decisions of the UK courts;59 and it is difficult to see how rights of informational privacy could not form part, perhaps even the core, of such an overall broader right. The UK courts are, after all, obliged to interpret legislation in line with the aims of the ECHR.60 Related to this – and on the same basis that the UK courts perceive a general tort of privacy to be too nebulous to be enforced adequately by way of a specific cause of action under the common law – we would further contend that the informational strand of privacy should be enforced by data protection legislation, as to do so would not result in any conflict with the ECHR, UK or EC law.61 Furthermore, in the absence of data protection legislation, the rights of individuals under both EC62 and ECHR law63 may be limited to the extent that they are denied a remedy64 in private actions concerning their informational privacy. But are such remedies actually achievable at present? A logical analysis of the DPA implies that seeking to revoke one’s consent, impliedly based upon the ‘legitimate interests’ condition – regardless of whether the Section 10 Right applied – would constitute an objection to processing on the basis of perceived prejudice to a data subject’s rights; most likely on the basis of an interference with their Article 8 rights. As the NHS example discussed above demonstrates, this is not easily done even in the case of sensitive personal data. The assumed large number of relationships between private individuals in which no legal right of action (and thus no prescribed mechanism) relating to informational privacy exists, in respect of which the courts could apply Article 8, and indeed would have a duty to do so,65 appears problematic to say the least. That said, the courts could interpret the DPA in line with the apparent intention of the UK Parliament as regards the withdrawal of consent and hold that a right of revocation was made available to data subjects under section 10 or otherwise. Such an approach would represent the adoption of one of the stricter forms of the categories of ‘indirect horizontality’ of the ECHR as regards application of the Human Rights Act formulated by Young,66 though this would seem an unlikely route to be taken by the courts. Is it therefore the case that the ability to regulate effectively one’s informational privacy – an ideal which is clearly within the scope of Article 867 – is restricted, in terms of consent and revocation, only to those circumstances foreseen by the E-Privacy Directive or in relation to opting in and out of direct marketing from third parties? It is difficult to conceive of an adequate justification for the sacrifice of an ongoing right to alter consent given to a third party dealing with the personal data of an individual. The thorniest issue with this matter is the fact that the seemingly insurmountable obstacle denying access to this right of self-regulation is the consent or contractual agreement of a data subject to allow processing to occur in the first place. The right of withdrawal of consent could thus effectively be signed away by a data subject in most cases.68 It is not easy to reconcile the apparent state of affairs with one of the stated aims of the Directive, i.e. that national data protection laws should ensure a high level of protection of individuals’ privacy.69 Is the DPA inherently faulty in this regard?

Fig. 2 – Contractual problems.

53 Judicial interpretation of section 6 of the Human Rights Act 1998 as to the application of the ECHR in the UK has necessitated the existence of a pre-existing right to act as a vehicle to permit ECHR rights – in this case Article 8 – being conferred upon individuals. For example, see Hale LJ at 132 in Campbell v MGN Ltd [2004] UKHL 22: ‘The 1998 Act does not create any new cause of action between private persons. But if there is a relevant cause of action applicable, the court as a public authority must act compatibly with both parties’ Convention rights’.
54 The House of Lords has held that when interpreting national law in light of the ECHR, the cardinal features of the national law cannot be departed from, even if the language is interpreted in a more flexible manner. This raises interesting questions in the case of the DPA, as it seeks to implement EC law (the Directive) which itself seeks to enforce the ECHR (Article 8): Ghaidan v. Godin-Mendoza [2004] UKHL 30 at 128. See too the Court of Appeal’s reasoning in Revenue and Customs v IDT Card Services Ireland Ltd [2006] EWCA Civ 29 at 90.
55 If such an approach constituted a development of the common law in a manner compatible with the ECHR, this could fit with the model ‘Strong Indirect Horizontality + Incremental New Cause of Action’ in AL Young, ‘Horizontality and the Human Rights Act 1998’ in KS Ziegler (ed), Human Rights and Private Law: Privacy as Autonomy (1st edn, Hart, Oxford 2007).
56 Chapter II of the EU Charter contains separate provisions for both the respect for private life (effectively identical to Article 8 of the ECHR) and the protection of personal data (Article 8, EU Charter). The Article 29 Working Party considers this separate right as an indication that data protection is itself a broader concept than that of Article 8 of the ECHR: ‘On the one hand, it has to be considered that the concept of private and family life is a wide one, as the European Court on Human Rights has made clear. On the other hand, the rules on protection of personal data go beyond the protection of the broad concept of the right to respect for private and family life. It should be noted that the [EU] Charter enshrines the protection of personal data … as an autonomous right, separate and different from the right to private life … and the same is the case at national level in some Member States’. Article 29 Working Party, ‘Opinion 4/2007 on the concept of personal data’ (WP 136, 2007). Note too subsequent international proclamations, such as the 2005 Montreux Declaration (Data Protection and Privacy Commissioners, The Protection of Personal Data and Privacy in a Globalised World: A Universal Right Respecting Diversities (Montreux 2005)), which called for the United Nations to ‘prepare a legal [sic] binding instrument which clearly sets out in detail the rights to data protection and privacy as enforceable human rights’.
57 One definition of which is ‘the claim of individuals … to determine for themselves when, how and to what extent information about them is to be communicated to others’; see AF Westin, ‘Public Government for Private People, Report of the Commission on Freedom of Information and Individual Privacy’ (1980).
58 This route takes us back to the origins of data protection law in Europe. As early as 1970, the Committee of Experts on Human Rights of the Council of Europe deemed that the ECHR alone was not a suitable vehicle for dealing with the rights of individuals subject to the technology-aided processing of their personal data.
59 R (on the application of Purdy) v Director of Public Prosecutions [2009] UKHL 45.
60 Human Rights Act, s. 3(1).
61 The ECJ has held that EC law, when transposed into national law, should be done in such a way as to allow a ‘fair balance to be struck’ between fundamental rights, such as Article 8 (ECHR) and Article 8 (EU Charter), and in so doing avoid any conflict: Case C-275/06 Promusicae (Intellectual property) [2008] EUECJ C-275/06 at 6, and Case C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy & Satamedia Oy [2008] EUECJ C-73/07 at 50–56.
62 It is not clear if the ECJ would be willing to disapply national law that it held to be inconsistent with the aims of a directive, see Case C-144/04 Mangold (Social policy) [2005] EUECJ C-144/04, [2005] ECR I-9981 at 74–77.
63 Ghaidan v. Godin-Mendoza at 112.
64 It is established that national courts must take all appropriate measures to ensure the fulfilment of EC legal obligations in order to protect individuals who may not have a remedy in private actions. See, for example, Case C-14/83 Von Colson & Anor v Land Nordrhein-Westfalen [1984] EUECJ R-14/83, [1984] ECR 1891 at 26.

3.2. Faulty legislation?

Broadly speaking, the most significant of the rights available to individuals under the DPA – in terms of their relation to the fundamental right of privacy – are threefold: the right to know about personal data processed by third parties; the right to have inaccurate personal data processed by others resolved in some way; and the right to object to specific types of processing70 that have particular consequences. The basis for each of these rights appears clear when viewed in light of Article 8: individuals should, as part of their personal autonomy, be allowed to choose how their personal data are dealt with.71 But how could, or should, the unwritten concept of revocation – itself the exercise of a choice regarding the use of personal data – fit into this scheme? The data protection principles are indisputably clear and sensible, and are a good set of tools for dealing with privacy in a liberal society; however, factors working against these principles are the often-cited clumsiness of the DPA,72 coupled with the ideological clash with private contracts discussed above. But are these competing factors enough to deny individuals an adequate level of self-determination of privacy? This matter has not been addressed in any UK court case: only matters relating to the fairness of processing,73 the scope of personal data74 and more procedural matters have been opined upon. Looking to Strasbourg provides no real assistance either: here one finds useful guidance on the breadth of Article 8, and some more specific assistance on how personal data and informational privacy fit within this breadth.75 In no case, however, does one see a data subject asserting any supposed right of informational privacy by saying: ‘I wish to revoke my consent!’

4. Conclusion

Even in the fledgling era of European data protection legislation in the early 1970s, the extent to which huge volumes of data flow now form part of everyday life could not have been foreseen or comprehended. This ‘informatisation’ of society means that almost every facet of an individual’s dealings with others is based on the use of data relevant to the particular interaction. These data can be described as static – a person’s name, address and date of birth – or as the more dynamic, ‘social’ data whose exchange the Internet is increasingly facilitating.76 More and more, such data are being compiled by the public and private sectors in more individual-specific ways. For example, the NHS desires centralised patient records to streamline the provision of healthcare; the UK Government appears keen to collect, retain and rely on huge amounts of communication data with the primary motive of ensuring a safe and secure society,77 but also to achieve a more efficiently operating state; and companies providing any conceivable type of commercial goods and services strive to learn the personal preferences of their customers to allow refinement of that which they can offer via targeted advertising.

65 Human Rights Act, s 6(1).
66 Young, n 55 above.
67 For example, see Z v Finland App 22009/93 [1997] ECHR 10; I v Finland App 20511/03 [2008] ECHR 623; Amann v Switzerland App 27798/95 [2000] ECHR 88; and Torbay Borough Council v News Group Newspapers [2003] EWHC 2927 (Fam).
68 As discussed above, it is assumed that the majority of agreements between data subjects and data controllers (be they formal, written contracts, or other less formal, yet equally valid, expressions of consent) do not include express provisions allowing a data subject to change their mind and revoke – i.e. alter, or withdraw – a previously given consent.
69 Directive, Recital 10.
70 For instance, direct marketing.
71 For example, see the comments in Wood v Commissioner of Police for the Metropolis, n 5 above.
72 For example, the DPA was described by Phillips MR as a ‘cumbersome and inelegant piece of legislation’ in Naomi Campbell v MGN Ltd [2002] EWCA Civ 1373 at 72.
73 Johnson v Medical Defence Union [2007] EWCA Civ 262.
74 Durant v Financial Services Authority [2003] EWCA Civ 1746.
75 For example see Leander v Sweden App 9248/81 [1987] ECHR 4; Amann v Switzerland App 27798/95 [2000] ECHR 88; Peck v The United Kingdom App 44647/98 [2003] ECHR 44; S. and Marper v The United Kingdom App 30562/04 [2008] ECHR 1581; Copland v The United Kingdom App 62617/00 [2007] ECHR 253.
76 A Lukas, ‘Talking VRM talk at Being Digital’ (2009) accessed 28 January 2010.
77 Home Office, Protecting the Public in a Changing Communications Environment (Cm 7586, 2009).

The E-Privacy Directive addresses particular concerns brought about by the surge in the use of electronic communications to deal with personal data; however, it alone does not provide an adequate ‘revocation solution’, conferring as it does only limited rights on individuals to prevent types of processing by withdrawing consent to such processing. The apparent danger that the legislation may deny data subjects a right of self-control over their personal data is concerning. Further, consent is not actually a pre-requisite for processing – and is considered by data controllers as being a problematic option,78 less favourable than others79 when seeking to legitimise processing – a fact that further highlights the weakness of any existing right of revocation. Given these factors, and the breadth of informational privacy that data protection legislation seeks to protect, it appears that there may not actually be an adequate foundation upon which such protection can be built. Seeking compliance by data controllers is only one facet of the protection of privacy; empowering individuals to take control of their own affairs is another. While it is true that those responsible for dealing with others’ data are compelled to treat the data with respect, the penalties for non-compliance remain relatively weak80 and the other side of the equation – the empowering of individuals – remains limited. The current legislation and thinking seem to ignore this latter aspect,81 or skirt around the issue with extreme caution.82 In the UK, the most recent code of practice from the ICO, published in June 2009, goes no further than encouraging data controllers to provide more information to data subjects in suitably clear privacy policies,83 and the next code of practice (still under consultation) contains no references to ways in which consent can be modified by data subjects.84 There are, however, some encouraging signs from two recent, more general, ICO publications: the latest data protection guide states that it is possible for consent to be withdrawn ‘depending on the nature of the consent given and the circumstances in which [the data controller is] collecting or using the information’;85 and the very recent guide to the ‘business case’ for better privacy protection states that ‘Empowering individuals to take control of their data can produce benefits to the [data controller]’.86 Although both these documents discuss data subject control of personal data only in vague terms, they can perhaps be seen as proof that, in the UK at least, these matters are beginning to be taken seriously by the regulator. The continuing advances in technology that power today’s information society do still need to be regulated in terms of seeking compliance by the data controller, as is evidenced by the focus of the majority of regulatory guidance documents. This technology could, if combined with a reorientation of the approach to data protection guidance and current practice, also be used to give meaningful power to the data subjects. It is not inconceivable that technology similar to that which allows data controllers to control data could be utilised by data subjects to keep the controllers in check. Indeed, this is what the EnCoRe project is trying to achieve. It is a matter of some concern, however, that this is not supported by a right of revocation in law.

Giving individuals more rights to control their own data would not mean impacting on the retention of personal data by the state for (sometimes) justifiable reasons; rather, it could provide opportunities for individuals to exercise the option to be made more aware of where their personal data are, and also to exert some form of positive influence over how those data are dealt with. We are not proposing that individuals should be handed unfettered rights to determine how their data are dealt with; rather we believe that individuals should be better informed, facilitated by technology if possible, as to the expectations of how their data should, and should not, be used in different contexts, coupled with more robust methods to take action when the processing of data is not acceptable to them. Currently, individuals are not provided with workable rights to take such action. The assumption that the legislation bestows an effective right of withdrawal of consent has seemingly continued unchecked until the present day: an age in which we have a hugely pervasive flow of personal data throughout society and increased concerns about understanding and maintaining privacy. This would not appear to be a satisfactory state of affairs given the aims and fundamental underpinnings of data protection legislation. Now, perhaps more than ever before, there needs to be an effective right of control to allow individuals to better manage their personal data. The shortcomings we have identified appear to prevent such rights being exercised at present. If this is to be changed, then suitably clear and robust guidance is required, unless the more dramatic, and seemingly unlikely, step of introducing an express right of revocation in the legislation at European and national level is adopted.

78 For example, in its opinion on the processing of data in the employment context, the Article 29 Working Party adopted the following position: ‘… where as a necessary and unavoidable consequence of the employment relationship an employer has to process personal data it is misleading if it seeks to legitimise this processing through consent. Reliance on consent should be confined to cases where the worker has a genuine free choice and is subsequently able to withdraw the consent without detriment’. Article 29 Working Party, ‘Opinion 8/2001 on the processing of personal data in the employment context’ (WP 48, 2001). A similar position was adopted in a later working document: ‘… where as a necessary and unavoidable consequence of the medical situation a health professional has to process personal data in an EHR system it is misleading if he seeks to legitimise this processing through consent. Reliance on consent should be confined to cases where the individual data subject has a genuine free choice and is subsequently able to withdraw the consent without detriment’. Article 29 Working Party, ‘Working Document on the processing of personal data relating to health in electronic health records (EHR)’ (WP 131, 2008).
79 By way of example, the Joint Information Systems Committee Legal Information Service (JISC Legal), Code of Practice for the Further and Higher Education Sectors on the Data Protection Act 1998 (2008) states that: ‘… consent may be withdrawn by the Data Subject at any point, a fact that may prove problematic for Data Controllers where consents are obtained for data processing purposes without which the Data Controller cannot provide an essential service. In such circumstances, reliance on another Sch.2 criterion, such as the legitimate interests of the Data Controller or a third party, would be more practical.’
80 New fining powers for the ICO for serious breaches of the Data Protection Act were expected to be enacted in April 2010. See Data Protection Act s.55A (as amended by Criminal Justice and Immigration Act 2008 and Coroners and Justice Act 2009).
81 Despite recommending increased ‘data subject participation’ to ensure effective exercising of their rights, addressing the nature of the rights available to data subjects was not a perspective given any countenance in the recent ICO-commissioned ‘RAND review’ of the Directive: N Robinson and others, ‘Review of the European Data Protection Directive’ (RAND Europe, sponsored by the Information Commissioner’s Office, 2009).
82 The ICO’s response to the European Commission Consultation on the legal framework for the fundamental right to protection of personal data commented that: ‘In many cases it is not clear where consent is necessary or where transparency suffices. This can lead to [data protection authorities] making unrealistic statements about the degree of control that individuals should enjoy, in cases where choice may not be a realistic option and where individuals may neither expect nor want to choose. … Any future legal framework should be realistic about the amount of choice that individuals can actually have and the degree of choice they actually want’. Available online at http://ec.europa.eu/justice_home/news/consulting_public/news_consulting_0003_en.htm (accessed on 28 January 2010).
83 Information Commissioner’s Office, Privacy notice codes of practice (June 2009).
84 Information Commissioner’s Office, Personal information online code of practice (December 2009–March 2010).
85 Information Commissioner’s Office, The Guide to Data Protection (December 2009) – paragraphs B8/42, B9/19, B9/24, C1b/4.
86 Information Commissioner’s Office, The Privacy Dividend: the business case for investing in proactive privacy protection (March 2010).

Liam Curren, Researcher in Law & Solicitor, Centre for Health, Law and Emerging Technologies at Oxford (HeLEX), University of Oxford, and Jane Kaye (jane.kaye@law.ox.ac.uk), Wellcome Trust Research Fellow, Director of Centre for Health, Law and Emerging Technologies at Oxford (HeLEX), University of Oxford.