Robust and Comprehensive – Commitment versus Reality
This purportedly strong and forward-looking Review process successfully replaced a House of Lords’ demand for a review into past unlawful or improper conduct by the media under the Inquiries Act 2005 (or, in other words, a version of Part 2 of the Leveson Inquiry as had initially been promised). The Government stressed that, in contrast to Leveson’s Press remit, the Review would not only also take in broadcasters but also address ‘how we make sure that what happens online is properly regulated as well’. Moreover, since Leveson had not focused on Northern Ireland, it was confirmed that there would be ‘an independent named reviewer for Northern Ireland’. It also stated that, prior to the first Review, the ICO would produce a statutory ‘code of practice for those who process data for the purposes of journalism’ – another important part of the DPA 2018’s journalism package.
The period for the First Review ran from 23 May 2018, when the GDPR and DPA 2018 came into force, up until 24 May 2022. The ICO was subsequently obliged to start the Review itself within 6 months, did so in July 2022 and then had 18 months to complete the Review and send an Outcomes Report to the Secretary of State. It did so in January 2024 and the Report was tabled before the House of Commons on 14 March 2024. The ICO had initially indicated that a Journalism Code of Practice would be laid before Parliament by the end of 2019. However, significant delays (partly effected by Covid) meant that a final draft was only sent to Secretary of State in July 2023, was not laid until 27 November 2023 and only came into force on 22 February 2024 (after having been issued by the ICO at the start of that month). As a result, and in contrast to the timetable as initially envisaged, the Code could not play any role in this Review.
Alongside the process of standards specification envisaged by the Code, the extensive investigatory powers set down in Schedule 17 were critical to the commitment that the Review would be ‘as comprehensive and robust as it can be’. In reality, during the entire 18-month Review process, the ICO did not use any of these powers. Instead, it elected only to analyse two types of published information, namely, reports on ‘data protection related complaints’ produced by Independent Press Standards Organisation (IPSO) and Impress (between 23 March 2018 and 24 March 2022) and also Ofcom (between 1 April 2018 and 31 March 2022). To a very limited extent, it also drew on internal ICO records (but, even then, only for the period from 1 February 2020 to 24 March 2022). Beyond this, the only other evidence deployed were two voluntary surveys answered by just 11 people (one being me), with respondents being told that this should take no more than 10 to 15 minutes to complete. The entire Outcomes Report (including the frontispiece, contents, appendices and executive summary) was just 34 pages. Its release in March 2024 was also not accompanied by any ICO press release, social media coverage or informing of survey respondents and, as a result, the Report remained undiscovered for many months. To place this in some context, even the general or First Part of the Leveson Inquiry (which took approximately 16 months) resulted in (oral or written) evidence being taken from over 600 persons and a public report of approximately 2,000 pages which was launched with a blaze of publicity including a livestreamed press conference.
Although the ICO Outcomes Report recognised that the meaning of journalism included within its Review encompassed ‘citizen journalism such as bloggers, eyewitnesses, social networkers or members of the public’, there is no indication that any of the data collected provided concrete evidence of the practices of such actors even though that this was obviously necessary if the Review was to help ensure ‘that what happens online is properly regulated as well’. Nor was there any ‘independent named reviewer for Northern Ireland’. (The Report’s analysis of devolution/national aspects was limited to a reproduction of the number of accuracy and privacy complaints against specific UK nation outlets investigated by IPSO which, despite showing significant per capita divergences, was analysed only to the extent of noting that English outlets had the largest number of complaints – and since England was ‘the larger of the nations’ and so had more publications ‘this is to be expected’).
ICO Internal Data
Turning to the evidence explored in the Report, its analysis of ICO internal records was confined to less than one page. Despite indicating that it had reviewed ‘the existence’ of a wider range of data, the concrete evidence presented was limited to stating that 488 journalism-related complaints had been received by the ICO between 1 February 2020 and 24 March 2022, indicating the 3-4 ‘top reasons’ for these complaints and highlighting that the number represented 0.7% of all complaints received. It also confirmed that the ICO had undertaken ‘[n]o enforcement action’ in respect of journalism in the Review period whatsoever. However, no information at all was provided on the merits (or otherwise) of the complaints themselves, whether these had been robustly investigated by ICO in terms of law and fact or whether the ICO had provided any useful outcome for those raising valid complaints. In the absence of this, it cannot even be assumed that people with well-founded concerns about the extent of journalistic compliance even with the law itself, let alone good practice, would have had a clear incentive to engage with the ICO and, thereby, create a data pool which would be strongly probative to the assessments which the Review mandated.
Ofcom Data and IPSO and Impress Statistics
Under 10 pages in the Report explored complaint data ‘relevant to data protection – for example, complaints related to accuracy, privacy and fairness’ published by Ofcom, IPSO and Impress. (No attempt was made to examine complaints information from the many entities even within the traditional media which are not associated with these bodies, despite this including several national broadsheets as well as numerous smaller publications.) Unfortunately, even the data which was set out was often not comparable and lacked any clear relevance to the specific assessments which the Review needed to focus on. As regards Ofcom, the figures at least included the number of complaints lodged about both the BBC and others as regards fairness and privacy and a summary of Ofcom fines against specific broadcasters. Nevertheless, whilst acknowledging the relevance of ‘due accuracy’ to data protection, the Report failed to set out any systematic data here on the sole ground (which given the availability of information notice powers appears frankly astonishing) that ‘due impartiality and due accuracy complaints are [proactively] reported by Ofcom as one’ and ‘[d]ue impartiality [unlike due accuracy] does not directly intersect with data protection regulation’.
In contrast, the information set out regarding IPSO – a body responsible for a far larger number of publications (the Report says 2,100) – was limited to basic statistical data on the complaints which IPSO actually investigated. (This was also true of the much less significant alternative press body, Impress). However, IPSO only investigates only a tiny percentage of complaints received which, according to Press Recognition Panel (PRP) – a Royal Charter body set up in the wake of Leveson Part One, ‘would suggest an approach of quickly rejecting complaints wherever possible’. Moreover, figures set out by the PRP show that proportion of complaints subject to investigation fell from 6.38% in 2018 to 3.25% in 2021 and just 0.92% in 2022. Despite this, the Report did not analyse the number of complaints IPSO (or Impress) received at all and its reference to ‘[t]he low number of data protection complaints received by … press monitoring bodies’ highlights that the vital distinction between received and investigated complaints was entirely missed.
Many other concerns about IPSO have been repeatedly raised including an alleged absence of sufficient funding to properly handle complaints, an absence of effective sanctions and remedies which appears to be worsening over time (especially as IPSO has never issued a single fine) and the limited independence from publishers who fund IPSO including as regards the articulation of standards. At the least, these concerns demonstrate that simply setting out IPSO’s numbers on accuracy and privacy investigations and their outcome over time could have little or no probative value to an assessment of journalism’s compliance with data protection itself. However, at no stage did the ICO Report attempt to analyse the robustness of IPSO’s approach to complaints against the standards of data protection good practice or even bare legal compliance. In some contrast, despite lacking any such statutory powers or duties to investigate, the PRP was able to point to a determination within an IPSO adjudication that ‘allegations that the publisher had allegedly published a spent conviction in breach of the Rehabilitation of Offenders Act 1974 [and thus potentially unlawfully under data protection rules as well] did not fall within its remit’ (emphasis added). If ICO had properly analysed even a sample of relevant IPSO (as well as Ofcom and Impress) complaints and their handling, using its extensive statutory review powers as necessary, then much of value may have been revealed. In the event, however, there was no analysis even of the IPSO adjudication data freely available in the public domain.
Results from the 2022 Surveys
The last section of the Report was devoted to a summary of the results of two consultation surveys which were made available at various points during the second half of 2022. Since participation was entirely voluntary and given that it was indicated that responses should take no more than 10 to 15 minutes to complete, the survey data could never have provided truly robust and comprehensive information. Moreover, although this was not noted in the summary set out, the fact that it could in no way substitute for a systematic Review using the special powers which Parliament had provided was pointed out within the consultation itself (at least in my own response).
In the event, these surveys were responded to by just 11 people which, as the Outcomes Report did acknowledge, meant that the ICO was ‘limited in the extent to which we can draw any firm conclusions, analyse, interpret and use the responses’. Indeed, if all respondents spent a full 15 minutes of time on their responses then these combined survey responses would still have only amounted to around 3 hours of direct effort. Nevertheless, despite the ICO being fully aware of these severe limitations just six months into an 18-month Review process, the largest portion of its Outcomes Report (approximately 11½ pages) was dedicated to a summary of the responses received. Strong emphasis was given to just two of these, namely, that of the Media Lawyers’ Association (MLA) and, to a lesser extent, the National Union of Journalists (NUJ). However, even the MLA response was stated to ‘lac[k] clarity and detail in some areas’, which can hardly be considered surprising given the wide-ranging subject matter and the very limited time indicated to spend on a response. Meanwhile, the NUJ response clearly focused on its own data processing which, given that it is not a significant media actor itself, raises question marks over whether all of its response was focused principally on journalistic activity as opposed to general data processing.
Notwithstanding its clear limitations, the Review’s Executive Summary did helpfully acknowledge that the survey responses indicated ‘[s]ome misconceptions’ in a wide range of areas ‘including, governance and accountability, training and awareness, lawful bases, DPIAs [Data Protection Impact Assessments], data sharing and individual rights’. The survey was therefore a helpful exercise and its (admittedly anecdotal) results could have provided a useful starting point for the genuinely robust and comprehensive investigation which should have eventuated.
Final Outcome in Wider Context
The Report as submitted to the Secretary of State in January 2024 (and thereafter to Parliament in March 2024) stated both that the Review had found ‘no evidence of widespread poor data protection practices or non-compliance with data protection legislation in journalism’ and that ‘[o]n the basis of the information received we are unable for a [sic] view that “journalism” is meeting its legal obligations or have established good data protection practices across journalism’. Given the extremely limited nature of the information which the ICO chose to collect and analyse, the first statement may be correct. Nevertheless, at the least, the survey responses did put ICO on clear notice by the end of 2022 that a wide range of issues required further robust and comprehensive investigation. However, it is patent that this was not carried out. Meanwhile, notwithstanding the typo, the second statement reveals that as a result of these severe limitations the ICO’s Review and Report was unable to come to a view on ‘the extent to which, during [the] review period, the processing of journalism complied with – (i) the data protection legislation, and (ii) good practice in the processing of personal data for the purposes of journalism’. However, this was precisely the obligation laid down in legislation. Given this, it is impossible to avoid the conclusion that an important statutory duty was far from fully carried out. Since the ICO decided not to proactively publicise the Report in any way (which, as previously noted, resulted in its availability being missed for many months), the Report’s release also did not provide any opportunity for a wider debate on journalism’s compliance (or otherwise) with data protection.
One possible perspective may be that the deficiencies in this First Review principally arose from the planned publication of the final draft of the Data Protection and Journalism Code of Practice being delayed (partly due to Covid) from 2019 to 2023. The new Code can certainly help in the benchmarking of standards and, given the rolling nature of these Reviews (the next Review will commence in 2027), it is to be hoped that this optimistic perspective is correct. Nevertheless, there are clear reasons to remain doubtful. Firstly, the ICO’s extremely low and inconsistent use of its formal data protection powers is manifest in all areas and not just journalism. Secondly, it must be recognised that taking action in relation to journalism raises acute sensitivities for ICO both in terms of the severe tensions arising between competing human rights and the risk of unwelcome ‘headlines’ and controversy.
Over ten years ago, Lord Leveson stated that the ICO’s function and duties ‘do add up to a significant potential role in guaranteeing public confidence in the culture, practices and ethics of the press in relation to personal information’ but that that ‘the ICO has not been keen to exercise the powers and functions reposed to it by Parliament in the public interest’. He further held that this constituted ‘a regulatory failure’ and stressed that this ‘is not simply a historical matter; it is perceptible in its approach today’. At least in relation to its formal Review obligations, it is sadly apparent that this failure encompasses the journalistic field as a whole and remains manifest today. Absent further pressure, it will likely continue. Following on from Parliament’s strong interest in this issue during the enactment of the Data Protection Act 2018, the current Parliamentary passage of the Data (Use and Access) Bill could provide an opportunity for some useful intervention.
David Erdos is Professor of Law and the Open Society and Co-Director of the Centre for Intellectual Property and Information Law in the Faculty of Law and WYNG Fellow at Trinity Hall, University of Cambridge. He is also an associate member of Matrix Chambers.
This blog has also been posted on Inforrm’s Blog.
(Suggested citation: D. Erdos, ‘A Clear Oversight? Inquiring into the Information Commissioner’s 2024 Statutory Review of Journalism’, U.K. Const. L. Blog (17th December 2024) (available at https://ukconstitutionallaw.org/))
