What will be the impact of the new EU Data Protection Regulation on the UK's Freedom of Information Act?
Undoubtedly one of the more mind-bending exemptions to apply under the Freedom of Information Act 2000 (FOIA) is the exemption for personal information (s.40) (although sections 30 and 36 are also up there!). This is partly due to s. 40's close link with the Data Protection Act 1998 (DPA). Not one to hog the limelight, the DPA has typically been cited in past litigation as a secondary or even tertiary issue to the main action when there is a claim for breach of confidence or breach of privacy. This led to a scarcity of judicial rulings on the DPA prior to the FOIA. However, in the Tribunal and higher court decisions flowing from the FOIA, certain aspects of the DPA have frequently been examined when public authorities seek to rely on the s. 40 exemption. Consequently there have been a number of rulings on the scope of personal data and on the 'legitimate interests' ground as a legal basis for disclosing such information. These rulings have been based on the DPA which itself implements the EU Data Protection Directive 95/46/EC. But the Directive is due to be replaced by an EU Regulation in the next few years. What will this mean for how the s. 40 exemption under FOIA is interpreted?
The new EU Data Protection Regulation
The final text of the EU Data Protection Regulation is not yet agreed and discussions are on-going within the EU. However, we can be fairly sure of a number of implications at this stage. In particular, the new EU Data Protection regulatory framework will be presented as a Regulation and not a Directive. A Regulation has direct applicability in UK law which will almost certainly lead to the repeal of the DPA. Therefore, it is likely that the FOIA will need to be amended to reflect the repeal of the DPA and refer to the new law – the Regulation.
Additionally, it seems certain that the new Regulation will be more prescriptive than the DPA and there will be reduced scope for national particularisation. This means that the interpretation of certain key concepts of data protection may change from those commonly understood in the context of the s. 40 exemption. At the moment, the Information Commissioner (ICO), Information Tribunal and other courts are bound by UK court decisions on the interpretation of the DPA when considering s.40. So, for instance, when the courts examined whether abortion statistics were personal data as part of the Department of Health v ICO litigation, they considered a previous House of Lords decision on the meaning of personal data under the DPA. The repeal of the DPA will require the ICO, Tribunal and courts to interpret s. 40 in the light of rulings on the Regulation. Where there are no rulings on the Regulation in the UK, they may potentially look at rulings on the Regulation in other Member States as well as previous rulings on similar provisions in the DPA. But this latter course could become problematic if the underlying principles in the Regulation differ from the DPA.
What will this mean for the definition of personal data?
The UK has been criticised over the years for not properly implementing the Data Protection Directive into UK law. Indeed, judicial decisions such as the 2003 Court of Appeal Durant decision which advocated a narrower definition of personal data are generally considered to be anomalous. Understanding the different limbs of what comprises personal data with any precision under current law can itself be a tortuous exercise. The DPA defines personal data as data which is identifiable by the data controller but does not refer to identification by another party. However, the latest drafts of the Regulation (echoing the position under the Directive) state that 'to determine whether a person is identifiable, account should be taken of all the means likely to be used either by the controller or by any other person to identify the individual directly or indirectly' (my emphasis). Consequently, in applying the Regulation in the context of s. 40, the UK regulator and courts would be required to take account of this broader definition of personal data (which was the original intention of the Directive).
What will this mean for reliance on the legitimate interest ground?
Once personal data has been identified as the subject of a FOI request, the next step under the current s. 40 exemption (and assuming the request is not a subject access request) is to consider whether disclosure of the personal data under FOIA would contravene any of the data protection principles under the DPA. In most instances this is the limb that will trigger the application of s. 40 rather than the other limbs - including the right to object under s. 10 DPA or the SAR exemptions – which are rarely relied on. If disclosure would contravene the principles (and in reality, only the first principle – fair and lawful processing is in the picture) then the s. 40 exemption applies and disclosure is not required. In examining whether disclosure of the personal data under FOIA is fair and lawful, public authorities consult Schedule 2 of the DPA to consider whether it can rely on any of the listed lawful grounds and 'legitimate interests' is the ground usually relied upon.
Now, replace the DPA with the Regulation. The equivalent of Schedule 2 of the DPA in the Regulation is currently Article 6 (Lawfulness of processing). In order to argue that a disclosure of personal data is lawful under FOIA in the context of the Regulation, the public authority would need to be able to rely on one of the lawful grounds listed - with consent and legitimate interest being the most likely candidates. Consent is for various reasons always a tough nut to crack and so, as is the case currently, most public authorities would still primarily examine the legitimate interests ground in order to consider whether the s. 40 exemption is available.
However, there has been some uncertainty over whether the legitimate interest ground will be available for public authorities to rely on at all under the Regulation. The EU Commission's initial draft of the Regulation in January 2012 stated specifically that the legitimate interest ground would not apply to processing carried out by public authorities in the performance of their tasks. This more restrictive approach to the legitimate interest ground partly reflects different attitudes in other Member States. For instance, in the past, Spain, Hungary and Italy have adopted stricter approaches to the availability of legitimate interests. This restriction understandably alarmed the ICO who, in their February 2013 analysis paper of the Regulation, argued that there should be a gateway for legitimate processing triggered by access to information or freedom of information laws. Without this gateway it would become difficult (if not impossible) for a public authority to ever disclose personal data under FOIA since there would be no available lawful ground to do so and s. 40 would apply in every case.
Have the concerns of the ICO been heard by the EU institutions? Well, the latest EU Council draft of the Regulation from December 2014 continues to restrict public authorities from relying on the legitimate interests ground. However the draft indicates that a number of Member States (including the UK) wish to delete this restriction from Article 6. Since the status of the public sector has been a matter of sensitivity in the debates on the Regulation, it is not yet clear what the final position on this provision will be.
A possible solution
The latest draft of the Regulation proposed by the Council may provide another way through the problem. It acknowledges that personal data in documents held by a public authority should be publicly disclosable if provided for by Member State law. Additionally, amendments to Article 80 dealing with freedom of expression to include freedom of information indicates that Member States may be given discretion to adapt their national law to reconcile freedom of information with the Regulation. Likewise, there is a new Article dealing with public access to official documents which also suggests it will be for the Member State to determine how to reconcile the two sets of rules. These developments (if retained) should give the UK Government some flexibility to adapt the s. 40 exemption in a way that reflects its current use while not falling foul of the Regulation. In any event, the repeal of the DPA may provide the UK Government with an opportunity to simplify the s. 40 exemption under the Freedom of Information Act 2000 and dispose of those elements which are rarely used.