I am the Editor of Data Protection and Privacy Practice, published by Masons Solicitors, and have been working in the field of privacy for 20 years.

  I apologise for the lateness of this submission, but I hope that the material is of interest. The views expressed here are my own and do not reflect the views of the law firm as a whole; they are condensed into two main recommendations:

  Recommendation one: The Committee should recommend that there should be the right to privacy as stipulated in the Data Protection Directive 95/46/EC, and that the Government should implement this element of the Directive. This is because of emerging technologies which most individuals are likely to possess. These technologies will make it easy to invade privacy in circumstances where existing laws, without an explicit reference to the right to privacy, are ill suited to protect privacy.

  Recommendation two: All Codes of Practice which balance Privacy with other objectives (eg anti-fraud activities, freedom of speech) should be subject to an independent mechanism where changes to the Code can be mandated in the light of privacy cases heard before the Courts/Information Tribunals. The Information Commissioner should be able to approach the Courts/Information Tribunals seeking a modification of any Code of Practice dealing with privacy matters. This includes the Press Complaints Commission Code of Practice.

  Recommendation one: The Committee should recommend that there should be the right to privacy as stipulated in the Data Protection Directive 95/46/EC, and that the Government should implement this element of the Directive. This is because of emerging technologies which most individuals are likely to possess. These technologies will make it easy to invade privacy in circumstances where existing laws, without an explicit reference to the right to privacy, are ill suited to protect privacy.

  The main reason why there should be a right to privacy is illustrated in Annex 1: Camera phone sales boom raises privacy concerns (Out-law.com 19/02/2003) From: http://www.out-law.com/php/page.php?page id=cameraphonesalesb1045672070&area=news—one simply does not expect most members of the public to carry a camera. Indeed, in a few years time everyone with a mobile phone could be considered a member of the paparazzi!

  It could be that in five years time, most mobile phones will have a camera supported by a technology which can instantaneously transmit the photograph. Indeed, the ubiquitous nature of mobile phones could eventually mean that digital (or even video) cameras will be held by 70% of the population. This is somewhat different that as of now.

  Annex 2: BBC encourages phone users to become paparazzi (10 March 2003) From: http://news.bbc.co.uk/1/hi/talking—point/2780295.stm—shows that news agencies (in this case the BBC) are encouraging members of the public to submit photographs—it is easy to imagine other newspapers running "Snap a celebrity" or "record that smash in the street" and "get £100 if we publish" types of promotion.

  In many cases, the digital photograph will be personal data and subject to the Data Protection Act 1998. However, Section 36 of the DPA provides that "personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes) are exempt from the data protection principles." This would in most cases, exempt from the Act, any personal data (eg photography of a celebrity) in order to show the photograph to friends; for example, if I were a member of a private gym and took a digital photograph of a celebrity working-out and transmitted it to friends via the phone.

  In this example, the Press Complaints Commission Code should preclude publication of photographs taken where there is expectation of privacy—however, change the scenario to "the celebrity having an accident in the gym" then "public interest" arguments could be used to legitimise publication. The PCC Code defines "public interest" to include "Protecting public health and safety", and it is obvious that the tabloid press should warn gym users not to fall into the same trap as our hypothetical celebrity! Additionally, in the Data Protection Act there is a wide exclusion for the journalistic purposes. This is before the House of Lords (Naomi Campbell) at the moment and I have been advised that it would be inappropriate to comment.

  Action in terms of confidentiality seems uncertain, as the individual who takes the photograph in the gym does not have an obligation of confidence to the subject of the photograph. Of course there might be breach of contractual terms between the photographer and the gym—however, where privacy is concerned, contractual conditions do not form an appropriate way of enforcing privacy protection.

  The Human Rights Act 1998 does not appear to create an appropriate remedy in the situation identified above. The Courts have already declared, in relation to the press, that they are reluctant to act as censors or arbiters of taste. Additionally, individuals who take photographs are not public authorities—the main focus of the HRA.

  Hence the conclusion that there is a need for a right to privacy, enforceable by the courts. To make the right accessible to the ordinary member of the public, the Data Protection Act 1998 should be modified so that Information Commissioner can use the mechanisms in that Act to protect the right to privacy. The Sixth Principle, for example, could be modified to reflect the words in Article 1 of the Data Protection Directive 95/46/EC as shown below.

Article 1: Object of the Directive

  1.  In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.

  2.  Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph one.

  It is clear from the text of Article 1 of this Directive that Member States are assumed to have an explicit "right to privacy"—and it is this right which has not been enacted by the Government.

  This right is omitted in the Data Protection Act. Instead the Act places no obligations on Data Controllers (ie organisations which process personal data) to protect personal data—this does not amount to an explicit right to privacy which is focused on Data Subjects (ie individuals). The rights in the Act do not relate to privacy—instead they relate to the right of access, objection to processing, compensation and correction. Finally, the Act does not even use the word "privacy".

  In short, a simple "right to privacy" should be enshrined in the Data Protection Act 1998.

  Recommendation two: All Codes of Practice which balance privacy with other objectives (eg anti-fraud activities, freedom of speech) should be subject to an independent mechanism where changes to the Code can be mandated in the light of privacy cases heard before the Courts/Information Tribunals. The Information Commissioner should be able to approach the Courts/Information Tribunals seeking a modification of any Code of Practice dealing with privacy matters. This includes the Press Complaints Commission Code of Practice.

  Reason: There is a trend to use statutory and voluntary Codes of Practice to balance individual privacy with the interference in that private life by public authorities and others (eg the press). For instance there are statutory Codes for policing, benefit fraud, interception of communications, and voluntary Codes such as those produced by the Direct Marketing Association (marketing) or the banking industry ("Good Banking") or even the Press Complaints Commission in relation to the press.

  The main problem with Codes of Practice is a structural one. For instance, in relation to statutory Codes, the Secretary of State producing the Code of Practice is also largely responsible for the public bodies which wants to interfere with private life—consequently, there is always an in-built bias in favour of interference. This structural deficiency is common to all Codes of Practice produced by any Secretary of State. This is one reason why the Lindop Committee on Data Protection (Cmnd 7341, 1979) recommended that Codes of Practice should be produced by the Data Protection Authority for the approval of the Secretary of State.

  The Press Complaints Commission's Code of Practice suffers from the same problem as it is effectively produced and policed by the Press.

  In cases of dispute as to content, all Codes of Practice should be capable of modification in the light of experience; it should not be left to the whim of Secretaries of State and others to produce modifications on their terms. An independent element must be introduced.

  For example, the Courts (or the Information Commissioner via action before a Court/Information Tribunal) should be able to require any Code of Practice dealing with the right to privacy to be changed where such changes are needed to preserve the balance between privacy and the interference with privacy. The insertion of such changes in this way would be subject to an appeals procedure through the higher Courts.

  In the case of the Press, the problems associated with a statutory Code can be avoided by allowing the Courts, in suitable cases, to make a "Code of Practice Recommendation" where the Press Complaints Commission would be obliged to make the suggested modification to the Code. The appeals process through the Courts permits the decision of a Code of Practice recommendation to be subject to review—and balancing arguments to be fully considered. This approach has the advantage since it does not impose a statutory Code of Practice—the PCC still draft the Code and its modifications; how the PCC deals with a "Code of Practice Recommendation" would be for it.

  The same kind of mechanism utilising a "Code of Practice Recommendation" should apply to all statutory Codes produced by any Secretary of State which relates to the interference of privacy.

  In this way, the balance struck by the Codes authors can be independently modified by the Courts or Information Commissioner in the light of experience. Appeals in the Courts/Information Tribunal permit all relevant legal and technical factors to be considered. The fact that the Information Commissioner can instigate the action (eg to the Information Tribunal) should allow arguments which relate to the Code be raised by ordinary members of the public at no expense to themselves.

  In this way, Codes of Practice gain an independent element which is focused on the privacy of an individual.