The Information Commissioner's Office dates back to 1984, when it was set up as the Data Protection Registrar.
Rather an appropriate year, you might think. Since then, its role as the supervisor of the collection and storage of personal data has undergone enormous changes in response to the changing legal framework, and the development of technology. In 1984, organisations and public bodies could gather information about you by asking you directly, through public registers, or, I suppose, in extreme cases by opening your letters and bugging your phone, which didn't happen very often.
Over the past 26 years we have seen all sorts of major developments. Some have been legal – the 1998 Data Protection Act and the 2000 Freedom of Information Act. Some have been technological, principally the invention of the internet and, in a more minor but still interesting way, the spread of loyalty-tracking technology by businesses. That friendly supermarket loyalty card? It knows how much you drink. Other changes have been more nebulous changes of attitude towards privacy. Some have been driven by governments' concerns to trade off elements of personal freedom in favour of tighter national security. Others are more difficult to explain: why do young people narrate the intimate details of their lives to an unlimited audience on social websites, blogs and Twitter, not much caring who is listening in?
These developments present an ongoing challenge to the Information Commissioner, whose job has expanded immensely since 1984. Looking at some of its recent cases, many of them are, true, in areas which the world of 25 years ago would recognise, usually against public bodies of one sort or another. Last month, for instance, a complaint was made to try to discover which of several courts the BBC had applied to for a search warrant to discover whether a television was being used without a licence. The BBC had refused to disclose this information; the ICO said that the information should be given, and upheld the complaint. There are many complaints of this sort.
There are also challenges, however, in a new world of information gathering and privacy. When you go onto the internet, your searches, the information you gather and your interests are available to a surprising range of people. Data, in the computer age, are much more easily lost, purloined or given away than in the past. A few decades past, you could not lose the records of a couple of million people without leaving a removals lorry unlocked. Now, the same amount of information could fall out of a shirt pocket. In the same way, 30 years ago one would have no idea of any personal details of even quite close neighbours. Now, they volunteer them on Facebook, and you can discover how much they paid for their house with a few taps on the keyboard.
The Information Commissioner, clearly, is within its comfort zone when dealing with public bodies. Blairite moves to expand the official powers of surveillance have focused our attention in this area. It may be, however, that the chief threats to our privacy in future lie not in the Home Office and your local council, but in vast multinational corporations. Can a merely local phenomenon like the ICO do anything about those?
A couple of months ago, we were in Berlin outside a café in Prenzlauer Berg when a Google Street View van with a camera on top drove past slowly. I always rather wanted to be immortalised on Google Street View, and we performed a small but, I hope, memorable gesture. As it turned out, however, the van was not a real one, but driven by two journalists – I'm going to leave aside the ethics of passing themselves off as Google employees. They stopped and we chatted to them; it was surprising to learn that hostility to the Street View project had, they found, been almost universal in Germany. For us, it seemed like a fairly innocuous photograph map of townscapes; to Germans and to other European nations, it seems like a gross invasion of privacy. People, German friends insisted to us later, have a right to privacy even if they are merely walking along in the public street.
I thought this a rather unnecessary insistence at the time, but a development since has made me wonder. It has emerged that Google vans, while touring the streets photographing them, were also registering the presence of Wi-Fi networks – for what reason, I could not tell you. In the course of registering these Wi-Fi areas, unprotected networks had their data soaked up by the vans. These included private information, including bank account details, and, in theory, personal emails could also have been read by the passing labourers in the cause of Google. Google said that it had taken these data by accident; it had not read them, and it had arisen through the mistaken inclusion of a piece of code written for "an experimental Wi-Fi project". Privacy International, the pressure group, claimed that Google did indeed "have intent to systematically intercept and record the content of communications".
As it happens, the Information Commissioner's Office has recently been given the powers to impose a fine of up to £500,000 for a serious breach of personal privacy. Google argued, successfully, that the data were gathered before this power was granted, and there was no power to fine them retrospectively. Nor is there any prospect of a criminal prosecution. Instead, we are told, "Google would have its data protection practices audited by the ICO and sign an undertaking to ensure data protection breaches do not happen again." Yeah, that'll do it.
Half a million is neither here nor there for an internet giant like Google. But it already knows an enormous amount about us, and it must not go any further without our explicit consent. We've drawn a firm line with regard to public bodies. Now the challenge for the ICO is to lead the internet leviathans to an enforceable understanding of where their powers stop.