Data Protection in the UK

Data Protection in the UK
(Photo Credits: -12°C)

Data protection law is the law that protects personal information about living individuals in the UK from being processed in anyway by commercial entities. This is governed by the Data Protection Act 1998 in the UK. Members of the EU have country-specific legislation implemented through the Directive 95/46/EC (the Data Protection Directive).

Though technically about data, the data protection law in effect is a privacy legislation that is meant to ensure that private information about people is not misused when collected by companies. 

The provisions of the DPA 1996 apply when personal information relating to an identifiable individual is processed by a data controller.

Personal data is defined by the act as “data which relate to a living individual”. This can be ANY data which relates to a person such as name and address, health conditions,  religious beliefs, or any form of recorded information whether textual, visual, etc.  The exact meaning of “relate” is not explained in the act, but it was discussed in the case of Duran v Financial Services Authority [2003] EWCA Civ 1746, where the court held that it “is information that affects [the person’s] privacy, whether in his personal or family life, business or professional capacity'” and that it the person must be “the focus rather than some other person” with home the information is concerned.

The personal information must be related to an “identifiable” person who can be identified (a) from the data or (b) from those data and other information which is in possession of, or is likely to come into the possession of, the data controller. Unlike the EU Directive, the UK act doesn’t cover the incidents where the processed personal data is used along with information held by a 3rd party is combined to identify the person.

 The personal data will only be regulated when it is ‘processed’ by  data controller. This is a very wide term that means obtaining, recording, or holding information or carrying out any operation or set of operations on the information or data, including organisation, retrieval, disclosure, or alignment. The definition used in the act is wide to include every imaginable action you may perform in relationship to data. 

The law imposes obligations on all “data controllers” – these are natural or legal persons who determine the purpose and means for prosesing the personal data. The law also imposes some additional obligations on a “data processor” – which is the natural or legal persons who processes the data on behalf of the data controller.

Rights for Individuals

If an individual’s personal data has been processed by a data collector, then he has the following rights:

  1. Right to access the personal information stored about him to have inaccurate data rectified.
  2. Right to to request an assessement of processing.
  3. Right to prevent processing of data if it causes substantial unwarranted damage or distress.
  4. Right to object to direct marketing.

It is possible to claim compensation for the breach of some of the rights mentioned above.

The Data Protection Principles

The act requires all data controllers to abide by eight data protection principles:

  1. Data must be fairly and lawfully processed and in accordance with one of the conditions in Schedule 2 of the act.
  2. It must be processed for limited purposes and not used for any purposes other than these.
  3. It must be adequate and relevant for the purpose and not excessive.
  4. It must be accurate and up to date.
  5. It must not be kept for longer than is necessary.
  6. It must be processed in line with the rights of data subjects.
  7. It must be processed using appropriate secure measures.
  8. It must not transferred outside the EEA without adequate protection.

The Information Commissioner’s Office is the body responsible for superivsing the adequate compliance by data controllers with the DPA.

Internet Defamation – Comparison Between British and Omani Law


(Photo credits: Assbach)

Defamation and insults are some of the most controversial issues on the Internet. Most people think that they have an absolute right of freedom of speech to say whatever they want, but the reality is that your freedom of speech is subject to several restrictions, one of which is the right of others not to be defamed or insulted without any justification.

The anonymous nature of the Internet makes it tempting to think that defamation rules do not apply to online speech because of the difficulty to enforcing the law, but as we have seen, that is not the case, and even in Oman, people were prosecuted, fined, and even jailed for defamation related offences.

If you run a blog, a forum, or a website, or if you post comments anywhere on the Internet you have to be aware of the possible consequences of what you write. I will try to explain the differences between the defamation law in the UK and Oman and the difference in liability limits of website owners in both countries.

First of all, defamation in the UK is a civil action while in Oman it is a criminal offence. This makes it worse in Oman because the penalties for it will be criminal penalties, while in the UK it is mostly a matter of payment of financial damages.

In the UK, defamation occurs when a person makes a statement about a person and that statement lowers the opinion of that person in the mind of right thinking members of society. Only living people can be defamed, and a person can defend himself if he can prove (a) that what he said is true, or (b) that what he said was an opinion/comment and not a statement of fact. This is governed by the Defamation Act 1996.

The concept of defamation in Oman is completely different because it is considered a criminal offence. A person will be guilty of an offence if he ‘insults the dignity of any person’ through a public act, speech, shouting, writings, drawings, photography, videography, or the use of any sign. There is no definition in the law of what an ‘insult’ to someone’s dignity means. It is possible for the relatives of an insulted person to complain, even if that person was dead. A defendant may have a defence if he can prove that the other person provocated the defendant or if both parties exchanged insults.

In addition to the basic insult offence, Omani law also creates an special offence for insulting an employee in his professional capacity so that a person commits an offence is he ‘insults an employee through the speech, public acts, or publication while the employee performs his job or on the basis of his job’. �Both forms of insults are�governed by the Criminal Law 7/74.

Both of the Omani and British law are subject to changing moral values as what ‘will constitute a degradation of opinion in the mind of right thinking people’ will vary from time to time as will an insult under the Omani law. However, under British law it is clear that the matter is not subjective to what the defamed person though, but what society thought of the issue, however, under Omani law it is not clear if an insult is a subjective or objective issue. I do not have access to cases or court decisions to identify how this issue is decided in Oman.

Now that you have an idea of what is defamatory or not, you might want to know for how of much of this will you be liable for online. If you are a blogger or a website owner, defamation can occur on you website via one of two methods, the first one is when you post defamatory content on your blog, the second is when you someone posts a defamatory comment (defaming a third party, not necessarily you) as a response to a post you wrote.

If you wrote the post yourself on your own blog or website, you will be held liable for it. It is something you wrote yourself and if that post can be linked to you as an individual then you are liable, under both British and Omani law. To escape liability, you should try to use a defence such as ‘justification’ under British law or ‘provocation’ under Omani law.

However, if somebody else wrote a comment on your blog, then there is a chance that you might be liable for it even if you did not write it yourself. British and Omani laws differ completely in how this treat this liability.

British law generally realises that at many times website owners are genuinely innocent and have no control over content written by other people. They also realise that increasing the risk of liability of website owners can stifle the pace of innovation. For this purpose, the Defamation Act provides a defence for website owners if they can satisfy the following:

  1. he was not the author, editor, or publisher of the statement complained of.
  2. he took reasonable care in relation to its publication.
  3. he did not know, and had no reason to believe, that what he did caused or contributed to the publication of a defamatory statement.

Not all websites will be able to use this defence because only certain websites will be not considered publishers (websites that have no effective control over actions of their visitors). An easy example of the use of this defence would be in the case of a forum moderator, who cannot practicaly monitor each single post made by the members, however, he will only succeed if he shows that he took reasonable care and did not just leave the forum without any moderation. This will obviously depend largely on the facts.

The case in Oman is very different, first of all, there is no general defence for website owners in the Criminal Law, but the Telecommunication Law makes the website owners, managers, and supervisors responsible for any statement published on their website if they incite or agree to publish that if it is contrary to public order and morality (Article 61(4)). This is NOT the same as an insult under the Criminal Law, it is a different criminal offence that does not require a defamed person and has a very wide scope. There are no defences under this section, but the requirement for consent might save a website owner if the event when someone hacks his website and puts a defamatory statement on it. In that case he obviously did not consent to that statement.

This article was clearly introduced to hold website owners liable for the content written by anonymous people regardless of whether or not the web master knew about it or not. It makes sense for a website owner to be liable because he has control over the website, but the law does not provide any defence for innocent web masters and the law does not seem to care about stifling the development of local web content.

A very interesting development happened through the passing of the Electronic Transactions Law in Oman, this law provides websites that fall under the definition of a “Network Agent” with a defence found under Article 14 to protect the Network Agent against any criminal or civil liability arising out of information included in an electronic record if the Network Agent (1) did not know any facts which could indicate the liability of this record and (2) instantly removed this information from all his systems once he knows about the liability arising out of this information.

The definition of an electronic record is very wide as it includes a “contract, record or message”, the definition of a network agent includes any legal or natural person who provides any services related to an electronic transaction, and an ‘electronic transaction’ is any procedure or contract concluded or performed fully or partially through electronic messages’.

The purpose of the Electronic Transactions Law is to provide certainty and protection e-commerce. It is based on a couple of UNCITRAL model laws and was drafted with the help of international consultants who realise the importance of such protection for businesses to operate, unlike the Telecom Law which introduced Article 61(4) explicitly to conclusively hold website owners liable without any thought to the impact of this web culture.

However, the wide scope of the nature of the Electronic Transactions Law means that any website that has a commercial nature can be covered by it. Surely an advertisement is a service related to an electronic transaction. This can make any website monetized by advertisement capable of being considered as a network agent, and from there you can argue that you should be able to use the defences under the Article 14 claiming that you are not the source of content written by other people and you merely provided access to it.

The fact that the Electronic Transactions Law came after the Telecom Law means that in areas of conflict the newer law will apply, so it does not matter that the Telecom Law says something else.

This is relatively a long shot, it has not been tested by the court and I am creatively interpreting the law in attempt to establish a defence. The court might have a completely different opinion on the matter. We will not know how it will be interpreted until somebody actually gets sued.