United Kingdom Parliament
Select Committee on Trade and Industry Minutes of Evidence


Examination of Witnesses (Questions 464 - 479)

TUESDAY 9 MARCH 1999

MRS ELIZABETH FRANCE AND MR DAVID SMITH

Chairman

464  Good morning, Mrs France, we are very pleased you and Mr Smith can join us this morning. I would like to start this morning by talking about the question of the privacy enhancing software, which allows individuals to decide how much information they want to provide to a web site. I see you have argued that the success of such software depends on ensuring that consumers are educated about the risks of using the internet, the benefits of using such software and about data protection generally. One of our concerns is social exclusion, but before we even go down that road, how can consumers be better educated about data protection; what do you see as your role in this area?

  (Mrs France) I have a statutory role in this area to raise awareness about these issues: indeed under the new legislation which is not yet in force, the 1998 Act, those responsibilities are increased. You will understand, however, what I can do is somewhat dependent on the resources made available to me; so I would not want to pretend to you I could promise you single-handed that I could educate everybody about their rights under data protection law. Having said that, there are a number of things we can do, and our attempt is always to try to get some gearing, to get other people to pass on messages, and sometimes that will mean working with the data users—those who actually process information, and that is what we have talked about when we have talked about what can be done in this context, and in my evidence where I have talked about things like privacy statements on web sites. There are then things like advice for those who are already using the internet, which my opposite numbers have begun to do and we are starting to do as well—not only to work with those making privacy statements, but also to make education available electronically. My opposite numbers in France, for example, have a very good web site which explains in English and French what a cookie is and how to find out how your information is used. We also have other longer-term strategies—educating school children for example through understanding their rights. Increasingly there is an awareness in members of the public, and it is spreading, about the risk to their privacy involved in the processing of their personal data, simply because in the workplace and in their private lives (and it need not necessarily be on the internet) they are, more and more, coming across examples of the processing of their personal data and they ask questions and become aware of the situation. It is an iterative process and is not something which can be done suddenly. 
There are all sorts of opportunities open to us, and we would say the opportunities on-line for educating people are greater than the opportunities in more traditional media, because you can in fact encourage data users to make messages available in a way that cannot be bypassed before you go beyond. That does not address your social exclusion issue which is about access to the whole internet environment anyway.

465  We are often concerned with social exclusion, but in this area virtually everybody is excluded. I have to say, we have people who have suggested that everybody should be excluded, in the sense that the law enforcement agency seem to want to have powers which should be of a slightly different order. This is between the rights of privacy and the dangers of anonymity—where do you think the balance lies here? Have you had discussions with the security services, or whatever shadowy names they might choose to operate under?

  (Mrs France) Can I just go back a step before answering that, in that you say there are those who believe in excluding everybody. Of course, that is an impossibility, and I perhaps should mention that as far as we are concerned our belief is that interactive television will see the huge mass breakthrough in this. While there might be those excluded from what we believe now to be the desktop approach to internet access, once we have interactive television there are all sorts of opportunities, both for the individual, and indeed at the same time increased risks. Yes, the balance between the dangers of invasion of privacy and the risks to the state come up in my work all the time, and I am tasked with looking at the proper balance. What I would like to say as a starting point is this: data protection, as I see it, is part of the human rights agenda; we have to see it as such for it to make sense; it is about the right to respect for your private life in respect to the processing of personal information—it is a little corner coloured in by the Data Protection Act. We now have on the statute book in the United Kingdom the Human Rights Act. While my officers always talked about Article 8 as the one we look to, we now actually have it on the United Kingdom statute book. Our starting point is always Article 8 of the Convention on Human Rights when we look at the balance between what the state needs and the rights of the individual. You have to understand that we come from a point of view which says privacy is a fundamental right, and if you are going to invade that you only invade it as far as it can be justified in the interests of the democratic state (and I am not quoting at length Article 8(2) of the Convention). That is where you look to the balance. Whenever you are going to invade an individual's privacy, you must be able to justify it. 
The balancing line, therefore, in our view is always on a case-by-case basis; you do not have blanket rights to invade people's privacy, even in the name of law and order. The Data Protection Act 1998, carrying on from the 1984 Act, makes it clear that any exemption for law enforcement purposes from the Act, whether we are talking about the internet or other processing of personal data, is on a case-by-case basis. We would also say that for good privacy reasons encryption should be widely available, both for confidentiality and authentication—both of which are important in data protection terms; and that any rights to override that should be carefully considered and, we would say, should be the subject of judicial warrant. We certainly would want to see that much more seriously considered than has been the case so far.

466  This is yet another problem for you. Are you satisfied that you have been winning up until e-commerce raised its head? If you have not been winning so far, how do you expect to protect privacy and anonymity in the future?

  (Mrs France) When you say "are we winning", I think this is not a unique area, in that wherever you have a legal structure there will be those who are determined to circumvent it. You have to look at two things: the extent to which we can encourage those who are responsible processors of personal data to comply with the law; and there I would say I think we are winning; that over 14 years of existence of the Data Protection Act we work well with the big data users, with the financial institutions, with government departments; that does not mean there are not problems, but we are in direct communication with them and we do work with them; the education process is a longer one. Yes, there are signs that over time we can change the attitude, but it would be naive to suggest there are not problems; we try to highlight those by concentrating on particular abuses and bringing them to attention, but we are also keen to be involved at the outset. If the majority of people (as they generally are) are keen to understand how to get this balance right then we can work with them at the design stage of systems; we can work with them so that they educate their own customers because it is in their interests. Surveys, particularly from the United States and Hong Kong, show that e-commerce in the individual market (as opposed to the company-to-company market) is faltering because of lack of individual confidence about what is happening to personal data. We do not have to ask for private sector altruism—it is in their business interests to listen to us when we talk about the importance of respecting personal information. There are all sorts of signs that we can go forward. The law on its own will never be enough, but it is important it is there and with enough teeth. Education needs everybody to help but we can try throwing our stones into the pool and hope that the ripples eventually are sufficient, but it is a long-term process. 
Design is incredibly important, and increasingly we are spending time talking to software developers, talking to academics about how, between us, we can have a common view on the way to design systems which enhance privacy while allowing the exploitation of IT systems for the benefit of commerce and the citizen.

Mr Butterfill

467  The scale of this problem is growing exponentially at the moment, and therefore the demands on your office must be growing at a very rapid rate. Are you satisfied you have got adequate resources to deal with both the existing problem and what you anticipate you will have to deal with in the future?

  (Mrs France) One would never have enough resources. I am sure if you talked to anybody with a statutory responsibility for trying to enforce a piece of law they would say you do as much as you can within the resources Parliament thinks are appropriate. I think we have to rely on gearing, we have to rely on working with other people. We have to take every opportunity we can to raise the profile. I think what is going to be fascinating for the future is the inter-relationship between the Human Rights Act and the Data Protection Act in terms of its profile in jurisprudence in the United Kingdom, and only time will tell how much effect that has.

468  Are you saying you are being forced to rely on the resources of people you are supposed to be regulating?

  (Mrs France) Our resources come from grant in aid—I am answerable directly to Parliament; the whole idea of our independence, and the fact I report directly to Parliament, is that I am not beholden to any data user. Having said that, of course I have to bid for my grant in aid to the Secretary of State for the Home Department, and that bid for resources is looked at along with everybody else's.

469  Have you recently submitted a bid?

  (Mrs France) I submit bids every time I am invited to do so, and I am waiting to hear what my budget for next year is at the moment. I do take a registration fee from all those who process personal data; that fee is submitted to the Treasury. As things stand at the moment, complex calculations, which go back to 1984 and the recovery of start-up costs, mean that from about 2001 (assuming that the level of fee remains largely unchanged by the change in the law) I shall be substantially over recovering for the state. There is money coming in from data users which I pray in aid when I make my bid for resources.

470  When was the level of registration fee last reviewed?

  (Mrs France) We think it was seven or eight years ago; it was before I took up the post of Registrar.

471  At the moment it is creating a surplus for you which you are handing over to the Treasury?

  (Mrs France) It is creating a year-on-year surplus; but the calculations which the Treasury use suggest I will not have recovered the 1984 start-up costs for another couple of years. From 2001 there is no argument between us (assuming a register of a similar size to the size we have now and a fee which is not reduced), that we should be over recovering. We are in fact waiting for the fees regulation under the 1998 Act, so at the moment we do not know what the structure or level of the fee will be.

472  How many staff do you have?

  (Mrs France) I have about 100 staff.

473  How many of those are technical IT staff?

  (Mrs France) I do not tend to keep technical IT staff in-house, because with a small staff the expertise is soon out of date.

474  You out-source them?

  (Mrs France) Our view is the law is not technology-specific. We do not need to be technical experts on a day-to-day basis to apply the law, but we need to work with technical experts in certain circumstances; and that depends how and when we work with various groups of people.
  (Mr Smith) We have done some work in the past on banking security for example. We would not pretend to have expertise in the office on that, but we would employ consultants in the field to advise us and take their work forward in that area into guidance to data users.
  (Mrs France) At the moment on internet issues we are working with the OECD and various other groups. Our expertise has to be in looking at high level principles and how they would apply regardless of the technology, and then using technical experts in the field. Indeed, it is some of the people at the leading edge in technology who come to us and talk to us about the risks they see, and we find that a very helpful relationship.

475  You are not finding at the moment you are being inhibited by financial constraints?

  (Mrs France) It is always very difficult, is it not? If I were to say I had adequate resources that would not be the case. You always cut your coat according to your cloth, and the cloth I have at the moment means I use these various devices to try and get other people to help and give expertise, and we try to concentrate on working with umbrella bodies, with sector groups, so that the message is one we do not have to repeat as often as we would otherwise. Yes, of course, I could use well additional resources.

Mr Morgan

476  You expressed in your submission the worry about certain kinds of software that could track what web sites a user had logged into and even what key words they had used in their search. Have you actually had any complaints about that kind of collection of personal data? Have you any reason to think it will become a problem?

  (Mrs France) We have not had complaints about that particular issue because it was caught in the bud by privacy advocates and data protection commissioners across a wide number of jurisdictions. When the particular issue came to light that you are referring to, which was the INTEL Pentium III release, the United States were the first to realise what had happened; the privacy advocates made that known, and certainly I am aware that data protection commissioners collectively in Europe, as well as commissioners like myself individually, saw representatives of the companies—my opposite number in Hong Kong and New Zealand did the same—and, as a result of that, changes have been made to the way that product is issued, which have shown a welcome response from the company and have at least made sure that the default position is a privacy-friendly default position. That was an example where early action, across a range of people who hold the same principles to be important, had an impact; and, therefore, certainly in that case we were able to anticipate complaints.

477  If a similar problem were to occur in the future are you happy you have sufficient powers? Surely part of the problem is that the problem may occur in another jurisdiction. Some of these other jurisdictions rely on a voluntary system, so how do you handle that?

  (Mrs France) There will always be a difficulty with cultural approaches to these things. We now have harmonised law in Europe; but even with harmonisation, that harmonisation necessarily will be at a fairly high level. There are circumstances where in some countries something is a criminal offence but it will not be in other members of the European Union. There is a harmonised approach with a legislative framework, which does give teeth to the commissioners in the various European countries. That same approach is followed in New Zealand; Australia is just extending its law to the private sector; federal Canada, which already has an extension to the private sector in the Province of Quebec, is extending it at federal level; a number of countries in Eastern Europe and Asia are also taking the legislative route; and you will always find very similar principles enshrined in law. Probably the best place to look for a generic statement is in the OECD principles, which are reflected in law throughout the world. I assume the major exception you are talking about is the United States, which takes a self-regulatory approach. That does not necessarily mean we cannot work with them; and you are probably aware in this Committee there are political level discussions in progress between the European Commission and the United States Department of Commerce about how we can reach an agreement as to what are adequate safeguards when talking about exporting personal data from Europe to the United States; and those discussions are still in train at the moment. They propose something which is being referred to as a "safe harbors" proposal, where a package of measures might be considered to equate to the European approach to a legal framework. There is a lot of work going on to ensure some sort of harmonisation.
At the end of the day we have to look to all accepting that something like the OECD principles (which the United States along with the European countries have signed up to) provide the framework which we can all use and refer to. Then you have to look to see whether you use self-regulation, whether you allow individuals to litigate, or whether you look at the legal approach we use to enforce those principles.

478  Are you happy that the self-regulatory approach of the United States is going to give sufficient protection to people in this country in terms of personal data?

  (Mrs France) I am not entirely happy at the moment. The European Union Commissioners have produced a paper in which we have laid down some criteria we would expect to see before we accepted there was adequacy. My view is that you have to look at it in different contexts, and that you will never be able to look across at the United States and simply say the export of personal data to the United States is something which enjoys the same sort of legislated protection as we have in Europe; but there will be certain sectors that benefit from statutory controls; there will be the use of contract; there will be the involvement in certain circumstances of the Federal Trade Commission; I think there will be a package of measures which will give us some comfort, but it is always something we are going to have to keep an eye on.

479  At the end of the day, if my rights in respect of my personal data are infringed by a company working in the United States is there anything you can do about it?

  (Mrs France) That will depend on the way in which that data arrived in the United States. If you passed it yourself to the United States, or indeed you did a business transaction in the United States, then it is likely only their law or their framework of rights will apply. If, however, it was exported by a processor based in the United Kingdom then I would have to look at the way in which it was exported to see whether that export complied with United Kingdom law and European Union law.
  (Mr Smith) Essentially the United Kingdom law as it stands only bites on data where the data are in the United Kingdom, or where the decisions about the use of data are taken in the United Kingdom. If both the data are in the States and the decision-making is in the States then essentially that would fall outside our jurisdiction.


 

© Parliamentary copyright 1999
Prepared 19 May 1999