By Dan Cooper & Fredericka Argent

Following the 2011 News International phone-hacking scandal, the UK government commissioned an in-depth inquiry into the accusations made against the British press to be conducted by Lord Justice Leveson.  The “Leveson Inquiry” was a full-scale investigation, which culminated in an approximately 2000-page report published in November 2012.  The report  recommends significant, wide-ranging changes to the structure and regulation of news media reporting in the UK, including changes to the UK’s Data Protection Act 1998 (the “DPA”) and the role of the UK’s data privacy regulator, the ICO.

On 7 January 2013, the ICO published a response to the Leveson report. The first half of the ICO’s response deals with Leveson’s recommendations concerning the ICO, including the suggestion that the ICO should improve its understanding of the data protection regime regarding the press. In its response, the ICO promises to issue numerous policies and guidance relating to the use of personal data by the press. These include, for example, the introduction of a new dedicated section on the ICO website providing the public with information on their data rights regarding the media, the publication of a Code of Practice to be observed by the press when processing personal data, and an Annual Report to Parliament which provides regular updates on the effectiveness of any ICO guidelines and other measures.

The second half of the response looks at the recommendations concerning the possible reform of the DPA. The ICO’s response includes, among other things, the following points:

  • The ICO is hesitant about widening its press regulator role. While accepting that it plays an important role in ensuring data protection compliance, the ICO is concerned about the impact on its strategy, resources and operations if it becomes a mainstream statutory press regulator, as suggested by the Leveson report. For example, the ICO questions whether its resources and ability to undertake other important work would be unduly burdened if its prosecution powers were extended to include the ability to prosecute any offence which also constitutes a breach of the data protection principles.
  • The ICO questions Leveson’s proposal to narrow the journalistic exemption under the DPA.  The ICO warns of the potential “chilling effect” that could be created on investigative journalism if the scope of the current exemption for journalistic activities under the DPA is restricted and emphasizes that striking the right balance between freedom of the press and the right to individual privacy requires careful consideration.
  • The right to compensation for damage caused by contravention of the DPA should not be restricted to cases where pecuniary loss is suffered but should include compensation for pure distress.  In supporting its view, the ICO points out that the European Commission also supports a wide interpretation of the word “damage”.
  • The amendments to the DPA, which introduce more severe sentences for unlawfully obtaining personal data, should be implemented without further delay. The ICO lauds the benefits of this change as affecting not only the press but also ensuring an effective deterrent to the wider unlawful trade in personal data.
  • The ICO welcomes the recommendation to reconstitute the ICO as an Information Commission led by a Board of Commissioners. However, the ICO questions how the new structure would work in practice — for example, the size of the Board might become unwieldy if the Board Commissioners are drawn from all industry sectors that come within the ICO’s remit.

More generally, the ICO points out that implementing some of the amendments to the DPA may be a pointless exercise in light of the likely future introduction of the EU Data Protection Regulation.

The ICO’s response includes a timetable for the actions the ICO plans to take in order to implement Leveson’s recommendations over the coming months, which is also reflected in the ICO plan outlining its strategy for the period 2013 to 2016.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.