A new definition of “personal data” (the one most likely to be applied in the UK’s version of the GDPR) can be found in the new clauses (Clauses 112-115) just incorporated into the Digital Economy Bill (DEB), now in its final Parliamentary stages. It is unlike the current definition of “personal data” in the Data Protection Act (DPA).
As an aside, it is the DEB which proposes a hefty annual notification fee-hike for controllers; this was accurately and fully reported in my last blog.
However, the Clauses that allow Ministers to establish the new notification fees regime also run the risk of being interpreted in a way that will fail to meet the European Commission’s test of adequacy, which the UK needs in its brave new Brexit world.
Quite simply, there is no guarantee of independence for the Information Commissioner (ICO) because the Government controls the cash-flow.
This blog covers the new definition of “personal data” and explains how the proposed notification fees regime adds to the risks of a negative adequacy determination.
Personal data definition
The definition of “personal data” in the current DPA requires personal data to relate to an identifiable data subject where the identification of the data subject is undertaken only by the data controller.
Previous blogs have pointed out that this definition of “personal data” takes no account of Recital 26 of Directive 95/46/EC which suggests identification can be undertaken by the controller and, within reason, persons other than the controller.
The UK Act definition of personal data is therefore unduly restrictive and defective; this has been the case since 1998 and is one of the elements of the “top secret” infraction dispute between the UK and Commission (see references).
However, Clauses 112-115 of DEB establish a new notification scheme in outline; as it is “personal data” that have to be notified to the ICO, the DEB defines what “personal data” needs to be notified.
Clause 112(9) states that: ‘ “personal data” means any information relating to an identified or identifiable individual’.
Clause 112(10) then states that: “...an individual is ‘identifiable’ if the individual can be identified, directly or indirectly, in particular by reference to—
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual”.
Note that the definition no longer explicitly requires identification to be only by the data controller. It therefore satisfies the requirement of Recital 26 of the GDPR below:
“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”(my emphasis).
Just a final comment here: the new definition of “personal data” only applies to the DEB’s new notification scheme.
Why the notification scheme threatens adequacy
In my long FOI saga (to find out why the DP Act is deficient), an issue that has surfaced time and time again is the lack of guaranteed independence of the Information Commissioner.
Article 52 of the GDPR requires:
“1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation…
4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers….
6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence …”
Now consider the DEB and some apparently innocuous text in Clause 115, which bears the boring title “Amendments relating to section 112” (yawn).
Clause 115(6) states that “In Part 1 of Schedule 5 (the Information Commissioner) in paragraph 9(1) (destination of fees etc) after “the Freedom of Information Act 2000” insert “and all charges received by the Commissioner under regulations under section 112(1) of the Digital Economy Act 2017”.(yawn again)
Clause 115(6) refers to Schedule 5, Para 9(1) of the DPA which states:
(1) “All fees and other sums received by the Commissioner in the exercise of his functions under this Act … shall be paid by him to the Secretary of State
(2) Sub-paragraph (1) shall not apply where the Secretary of State, with the consent of the Treasury, otherwise directs.
(3) Any sums received by the Secretary of State under sub-paragraph (1) shall be paid into the Consolidated Fund”.
So all notification fees go into the Consolidated Fund unless the Treasury agrees otherwise. If the Treasury does not agree, the ICO does not receive any notification fees and is dependent on a Treasury hand-out for its finances. Hmmm!
So contrary to what has been asserted or assumed, it is not certain that under the new notification regime the ICO controls her financial arrangements. According to the DEB, any future Government can set the notification fees or change the fee arrangements at any time. Any increase in notification fees in future depends on the Secretary of State’s say so.
In addition, I cannot find in the House of Lords debate on these amendments any explicit Government commitment on the line of: “the ICO controls the notification fees”.
I therefore conclude that independence of the Supervisory Authority as required by Article 52 is not guaranteed, as the ICO does not have, in law, control of her revenue stream.
To put it bluntly, the financial settlement that allows the ICO to manage data protection obligations under the GDPR is at the behest of “Treasury consent” or dependent on the whim of any future Secretary of State.
“Cry Freedom” for the ICO?
This lack of financial guarantees and operational independence has already given rise to concerns in Parliament and the Commission; both these could become highly relevant to any adequacy determination by the Commission as the UK approaches the Brexit door.
In a recent Report into the resourcing of the ICO, the Justice Committee of the House of Commons addressed directly the independence issue (see references). The Committee stated:
“We reject the argument that it is inappropriate to make the Information Commissioner a parliamentary body because his work does not relate primarily to that of Parliament. It is independence of the Executive which parliamentary status can provide”.
“We continue to believe that the Information Commissioner will face significant difficulties in functioning effectively unless he becomes more closely accountable to Parliament instead of Government”…. (paras 30 and 31; my emphasis)
This risk that the ICO will not “function effectively” has been the subject of a Press Release from the Commission (see references) concerning the need for stronger powers for the ICO in the context of those “top secret” infraction proceedings against the UK.
Here the Commission said:
“Data protection authorities have the crucial and delicate task of protecting the fundamental right to privacy. EU rules require that the work of data protection authorities must not be unbalanced by the slightest hint of legal ambiguity”.
The Press Statement continued: the UK should “change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules. Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement”.
Do you get the impression that there are real and official concerns over the lack of a guarantee concerning ICO independence? I do.
Now answer the following questions in a post-Brexit UK (possibly a hard-Brexit cliff-edge).
- Do you agree with the proposition that if the Government holds the financial reins at the ICO then there can be no true independence for the Supervisory Authority as required by Article 52?
- Can the Commission make an adequacy determination under the GDPR, if GDPR data protection obligations cannot be enforced by a Supervisory Authority because that Authority has no guarantee of sufficient resources to do the job?
Or, to use the terminology of the Commission’s Press Release: if the Treasury holds the purse strings, the guard dog can, at any time, be starved in the basement.
In my view, the Government has to change the DEB provisions from the current model, in which the ICO is merely “consulted” about the level of fees, to one in which the ICO manages all the revenues from notification (subject to provisions preventing the ICO from imposing unrealistic or unfair fees).
Until that happens, an adequacy determination for UK is at risk.
Forthcoming Amberhawk courses in early summer
- Next GDPR Workshop: 19 April (London)
- DP Practitioner Course: starts 8 May (BCS syllabus; Edinburgh)
- DP Practitioner Course: starts 6 June (BCS syllabus; Leeds)
References
Digital Economy Bill (Report; Lords): https://www.publications.parliament.uk/pa/bills/lbill/2016-2017/0122/17122.pdf
Hefty hike in controllers’ annual notification fees (my last blog): https://amberhawk.typepad.com/amberhawk/2017/04/large-business-registration-fee-could-increase-to-7k-per-year-as-a-result-of-the-gdpr.html
Parliamentary debate (Lords) about Clauses 112-115, column 694, 29 March 2017: https://hansard.parliament.uk/Lords/2017-03-29/debates/399F6682-6341-42BF-B095-7C6A36E3F01E/DigitalEconomyBill
Parliamentary Report, “The functions, powers and resources of the Information Commissioner” (9th Report; Justice Committee, HC 962, 21 March 2013): https://www.publications.parliament.uk/pa/cm201213/cmselect/cmjust/962/962.pdf
Press Release, “Data protection: Commission requests UK to strengthen powers of national data protection authority, as required by EU law”: https://europa.eu/rapid/press-release_IP-10-811_en.htm
My blog summarising the infraction saga to date, “UK’s GDPR law will not be judged ‘adequate’ if it contains provisions that made the DPA inadequate”: https://amberhawk.typepad.com/amberhawk/2017/03/uks-gdpr-law-will-not-be-judged-adequate-if-it-contains-provisions-that-made-the-dpa-inadequate.html