Data privacy and data protection is something that — on paper — European countries take seriously.
Google has found itself in hot water from time to time. There’s a widely publicised complaint to the Irish Data Protection Commissioner about Facebook.
In the wake of the Snowden revelations, it seems everyone is talking about who knows what about whom!
European Data Protection law also provides for something called Data Subject Access. This may differ slightly from country to country. But it essentially means that you can write to someone who is storing and/or processing personal data about you, and they must send you everything they hold on you in a form that is easily understandable.
In the UK it is implemented by Section 7 of the Data Protection Act.
A small fee is allowed to be charged. It is currently £10 in the UK
The controller must
- tell you whether any personal data is being processed;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- given a copy of the information comprising the data; and
- given details of the source of the data (where this is available).
This right is not absolute, of course. There are a number of exceptions (known as exemptions).
It’s very obvious that some data should not be disclosed, particularly where it is about several people, and disclosing it to you will disclose information about someone else.
Medical confidentiality has an impact. So does national security.
Specifically data held for the purposes o the prevention or detection of crime; the capture or prosecution of offenders; and the assessment or collection of tax or duty is exempt from Subject Access.
Data is also exempt from Subject Access for reasons that involve national security or the armed forces.
So on the face of it, GCHQ, MI5, MI6 and “the port office” would appear to be able to do what they like, and store information about you, whether it was obtained by them directly, or was given to them by the NSA.
However, I submit that the true construction carries with it an important implied qualifier: the word “lawfully”.
The right to private and family life guarantee by the constitutions of most European states (with the exception of the UK) and throughout Europe by the EU Charter and the Convention on Rights and Fundamental Freedoms permits privacy to be infringed by the State in certain circumstances.
They are that the infringement is
- necessary in a democratic society
- in accordance with law
- proportionate to the aim to be achieved.
The joint test of necessity, lawfulness and proportionality.
Even if something is necessary, it has to be lawful.
Even if necessary and lawful, it has to be proportionate. (No sledghammers for cracking nuts.)
So, if, theoretically, the State collected all sorts of data about you unlawfully, but that data was sitting there in Government owned computers, I would suggest the national security exemption would not apply, and therefore that data is susceptible to s.7 Subject Access.
Wouldn’t it be something if the courts agreed?