The principal issue in this case is whether s. 55 of the Data Protection Act 1998 ("the DPA 1998") imposes a legal or evidential burden of proof on a defendant; and, if the former, whether the outcome is compatible with article 6 of the Convention. Although similar issues have arisen in other statutory contexts, this is the first occasion on which the point has arisen in this court. The DPA 1998 has been repealed by the Data Protection Act 2018 ("the DPA 2018"), but we have been asked by the Information Commissioner to provide appropriate guidance on the new provisions.
The judge gave a separate ruling on the two issues arising in connection with s.55(2). He upheld Ms Spearing's argument that the subsection conferred a legal burden on the defence. He held that "as a matter of plain language" the statutory wording does not define the limits of the offence but carves out an exception to it: i.e. "the offence is committed unless the defendant is within that exception provided by the defences being shown".
Approaching the question of statutory construction as we have done thus far without reference to authority has led us to the clear conclusion that s.55(2) imposes no more than an evidential burden. In our judgment, relevant jurisprudence does not lead us to a different conclusion; rather, it tends to support the conclusion we have reached.
Although this can only be a forensic point, it is to be noted that in s.170 of the DPA 2018 the Parliamentary draftsperson, perhaps responsive to public concerns about "blagging", phone hacking and data protection breaches generally, has selected the archetypal wording of a reverse onus provision... It is sufficient to say that we agree with the opinion that the new section imposes a legal burden of proof on the defendant. We express no view on whether s.170(2) is compatible with the defendant's article 6 rights.