Digital identity, privacy and the rule of law

As the UK moves toward digital IDs, questions grow over privacy, proportionality, enforcement and the strength of data protection
In the twenty-first century the most valuable of all fundamental rights is, in my view, the right to privacy. In a recent tête-à-tête (courtesy of The Times) the Information Commissioner John Edwards and I exchanged ideas in a public disagreement about the effectiveness of the role of the Information Commissioner's Office (ICO), in particular in the context of regulating public bodies and digital IDs.
I believe the ICO has regressed into a regulator which rarely, if ever, issues a penalty that is effective, proportionate and dissuasive. In the vast majority of cases, the ICO takes little to no meaningful action against data breaches caused by public bodies.
It is now rare for a public body to be fined for losing your personal data, however much injury, harm or upset that breach may cause you. Instead they are most likely to just receive a written reprimand with no threat of further action. In his response to my challenge, Mr Edwards suggested that the ICO was helping to deliver better results by implementing positive changes across government which prevent mistakes before they lead to fines. I think the evidence for this claim is dubious and debatable at best – a debate which will have to wait for another day.
The foundation of all fundamental rights is a belief in the rule of law. In this context, where data protection (and other) laws are broken vis-à-vis your digital ID, the rule of law means that you believe digital IDs can be safely administered by the government and you need to be sure that the law will be upheld and that wrongdoers will be punished should the laws be broken. Here is the problem: however clearly articulated and well-drafted those laws are, they are meaningless if they are breached without fear of enforcement, without remedy or redress to victims. The first fly in the digital ID ointment is the ineffectiveness of the ICO.
The Legal Perspective
Some in favour of digital IDs will rightly point out that the right to privacy is not unfettered. It exists in a regime where nation states are permitted to interfere with that right only where necessary in a democratic society. The government’s primary aim for the digital ID card is to prevent illegal immigration, particularly via small boats crossing the English Channel. I suggest that the government has failed to make the case that digital IDs are necessary to achieve the stated aim. Other options are available, but they are not politically expedient. The British public will need to make up their mind about the effectiveness of any digital ID scheme to prevent this activity. Perhaps the most authoritative moral argument I have encountered is, quite simply, that those who are willing to break the law (for whatever reason) to cross the Channel in small boats and arrive in the UK having risked life and limb are not likely to be perturbed by a further administrative restriction in the form of a digital ID. And therein lies the second fly in the ointment: the digital ID is not necessary in law nor effective in tackling the government’s objective.
Collecting the personal data of all citizens in one central data repository creates significant risk. The potential for loss and harm arising from compromised personal data from digital IDs is high. It is arguably more so when the entity in control of it is a government in a world where state-based espionage and cyber warfare are on the rise.
When Social Justice Matters Less Than, Well, Stopping Small Boats?
At the time of writing, the majority of polls indicate that the British public do not support digital ID cards, although it does depend on which poll you read. One consistent theme is that they are more popular amongst the elderly and less popular amongst the younger generations. There is also widespread concern about how the scheme would be administered, with polls suggesting over 60% of UK adults do not believe the government could implement a digital ID scheme effectively.
The mandatory nature of the government’s proposed scheme is the main cause of potential injustice. Not everyone wishes to be online and not everyone can afford to be. It is estimated that 2 million people in the UK do not have access to the internet. Those who are not able or willing to be online but still wish to work will be placed in an impossible position: either get online so you can lawfully work, or face breaking the law to earn. Not earning is unlikely to be an option.
But Everything Is Online Already – So Why Care?
Some say that the digital ID is of little consequence to them because most of their personal data is online anyway, thanks to social media, internet banking and the new digital universe we daily inhabit. Why worry about one more digital intrusion into your personal life when so many are already allowed to persist? I believe that is hollow logic. To quote Edward Snowden, “Ultimately, saying that you don’t care about privacy because you have nothing to hide is no different from saying you don’t care about freedom of speech because you have nothing to say.” One day you may need your right to privacy and find that it has been reduced to a dried-out riverbed where a great river once flowed. I am all for technological progress but I am opposed to pointless or ineffective erosions of rights. In a digital world, where the creeping shadow of surveillance feels increasingly hard to shake off, it is very understandable that British citizens feel concerned about – and are willing to defend – their right to privacy in the face of digital IDs.
Matthew Holman is a partner in Cripps’ London office. He specialises in technology, data and AI. Any views and opinions are his own.

