On January 28, 2013, the London office of Hunton & Williams marked European Data Privacy Day with the launch of the fourth edition of Data Protection Law & Practice, written by Senior Attorney Rosemary Jay. A panel comprised of the current UK Information Commissioner, Christopher Graham; his three predecessors, Eric Howe CBE, Elizabeth France CBE and Richard Thomas CBE; and the UK Minister of State for Justice, Lord McNally, spoke at the event and provided a retrospective on data protection in the United Kingdom since the Information Commissioner’s Office’s (“ICO’s”) inception in 1984.
From left to right: former Registrar Eric Howe, former Registrar Elizabeth France, Hunton & Williams Senior Attorney Rosemary Jay, Hunton & Williams Partner Bridget Treacy, former Commissioner Richard Thomas, UK Information Commissioner Christopher Graham.
The Early Years – 1984 to 1994
The Data Protection Registrar was the first UK data protection regulator, and Eric Howe CBE served in this role from September 1984 to September 1994. Howe’s appointment pre-dated the European Data Protection Directive (Directive 95/46/EC), and as Registrar he oversaw the introduction of the UK Data Protection Act 1984, promoted better understanding of the Act, and handled inquiries and complaints relating to the Act. Howe set up the first system of registration for data users (as they were then called), encouraged the development of sectoral codes of practice, provided education, raised awareness of data protection and managed privacy-related complaints. He initiated several major enforcement actions, including actions against the credit reference agencies and an action to enforce the use of the first “fair processing” notices.
Howe explained the challenges he faced in establishing the Registrar and employing the first staff. In setting up the registration system for data users, his office focused on major UK data controllers. The system required controllers to complete lengthy questionnaires, reflecting the fact that, at that time, data processing took place on a handful of large mainframe computers.
Howe’s office worked with industry bodies to create voluntary codes of practice. In general, he said he does not believe that self-regulatory systems without statutory enforcement are successful; he believes, however, that the direct marketing code of practice launched during his tenure was a notable success.
A Period of Significant Legislative Change - 1994 to 2002
Elizabeth France CBE became the second Data Protection Registrar in September 1994. She served until December 2002. At the start of her tenure, there were approximately 100 staff dealing with data protection matters across the UK. The EU Data Protection Directive was formally adopted by the EU in 1995. The Data Protection Act 1998, which implemented the Directive in the UK, received Royal Assent in 1999, with the majority of the Act becoming effective in 2000. France oversaw significant changes in the law as the 1998 Act was significantly more stringent than the 1984 Act. She also oversaw the introduction of the Freedom of Information Act 2000 in January 2001, for which the Commissioner’s office became responsible. The name of the office was changed to its current name (the ICO) in 2001.
France noted that many of the issues that arose during her time in office are the same issues that we face today, yet there are differences in our understanding of the issues as well as in the rapidly changing technology. She also noted that the most significant technological advancement during her time as Registrar was the widespread use of PCs. This meant that processing activities could be undertaken throughout organizations by all employees, rather than being limited to individual mainframe computers in isolated silos, to which only a limited number of employees had access. Consequently, data protection became an issue that every employee needed to understand.
France oversaw the introduction of the Freedom of Information Act 2000 and praised the fact that data protection and freedom of information are regulated by a single regulator in the UK. France suggested that a single responsible regulator takes data protection and freedom of information into account at one time and balances the needs and requirements of both sets of issues. In her view, bifurcating these issues between separate regulators could result in skewed or contradictory decisions.
Prior to her appointment as the second Data Protection Registrar, France worked at the Home Office, and she was aware of some skepticism about the ability of the regulator to regulate independently. She had the opportunity to demonstrate her willingness to challenge the Home Office during the early days of her tenure, when the Government sought to introduce national ID cards.
Finally, France noted that during her period in office, the language of data protection changed. Under the 1984 Act, the language was fairly technical and was limited to “data protection.” Over time, language relating to human rights was borrowed and developed. During her tenure, people began to speak of “privacy.”
The Emergence of the “Surveillance Society” – 2002 to 2009
Richard Thomas CBE headed the office from November 2002 until 2009, during which time it was named the ICO. In 2003, the ICO set up regional offices in Northern Ireland, Scotland and Wales. The role of the Commissioner expanded to manage the increased responsibilities set forth under the 1998 Act and Freedom of Information Act which came into full effect in 2005. During his time in office, Thomas campaigned actively for the Commissioner to be granted stronger enforcement powers. He oversaw a number of high-profile cases and issues, including the investigation into the Construction Industry blacklist. He led the ICO’s response to the proposals for a National Identity Register and instituted a report on the surveillance society.
Each of the Commissioners commended the work of their office and paid tribute to the diligent and creative staff who worked with them over the years. Thomas acknowledged that his famous phrase “sleepwalking into a surveillance state” was the inspiration of a colleague.
During Thomas’ tenure, he resisted the introduction of a number of national databases. These included biometric national ID cards, ContactPoint (a proposed database of every child in the UK) and the electronic register of national health records.
He also developed the ICO’s approach to enforcement, taking a strategic, risk-based approach. He campaigned for the introduction of monetary penalties for serious breaches of the 1998 Act, and also campaigned for the introduction of custodial sentences for Section 55 offenses (unlawfully obtaining personal data).
Present Day – 2009 to Today
In 2009, the current Information Commissioner, Christopher Graham, succeeded Richard Thomas. In 2010, the Commissioner was granted new powers to issue monetary penalties of up to £500,000, as well as audit powers in relation to parts of the public sector. The Commissioner has made significant use of these powers, particularly in response to security breaches. The ICO today has 350 staff and an annual budget of nearly £20 million.
During his address, Commissioner Graham announced a new pilot scheme to raise data protection awareness in schools, which he hopes will become national. This initiative continues the ICO’s work to educate and inform, not only data controllers, but also individuals who must bear some responsibility for the protection of their personal data. Commissioner Graham also spoke of the ICO’s current push to ensure that it impacts all communities equally and provides equal opportunities with respect to information rights.
In relation to the proposed revised EU data protection framework, Commissioner Graham emphasized that regulation should concentrate on the “what” and not the “how,” and cautioned against overly prescribed details at the risk of losing sight of the fundamental rights to be protected.
View of the Government
Minister of State for Justice Lord McNally welcomed the independence of the ICO and the invaluable advice it has provided to the Government over the years. The ICO is currently advising the Government on the European Commission’s proposed reforms. With respect to those proposals, Lord McNally similarly cautioned against a “tick-box” approach to regulation, and emphasized the importance of weighing individual rights against the empowering potential of new technologies.
This Hunton & Williams event on European Data Privacy Day was the first time the current and each of the former Commissioners formally gathered together. Their comments highlighted both the changes in UK data protection over the last 30 years, as well as the traditional themes of protection, education and enforcement.
View the ICO’s exclusive video on the Commissioners’ views on how “information rights changed over the past 29 years.”
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code