Like many people, I am ploughing through the new Data Protection Bill (“DPBill”); when I have enough for a blog, I will write one.
In this blog, I show that some definitions used in the Bill could have significant negative consequences for data subjects. For instance:
- the removal of “Representative” means that the DPBill cannot be enforced against, for example, USA data controllers that are not established in the UK.
- the treatment of “Accessible Record” and “unstructured manual files” in the DPBill leaves an obvious weakness.
- the “Special Purpose” is being extended to include academic purposes and this could create an alternative to the research purposes exemption.
- the Government has delivered a “Special Purpose thank-you” to the newspaper proprietors that normally support its political views.
In the Naomi Campbell privacy cases, Morland J. described drawing conclusions from the Data Protection Act 1998 (“DPA”) as being like “weaving his way through a thicket”; Lord Phillips in the Court of Appeal agreed and added: “the Act is certainly a cumbersome and inelegant piece of legislation”. Good job they were not looking at the DPA’s replacement; I find it horrendous.
However, here is a tip. Look at Clause 20(1), as that applies most of the GDPR as UK law; Schedule 6 then essentially applies a list of modifications, deletions or additions to the standard GDPR text. Make those changes and, hey presto, you have a copy of the active GDPR provisions as they apply to most data controllers.
Note that, as the UK has said that most of the Articles of the GDPR are now part of the DPBill, it has allowed any related Recital which expands on those Articles to become relevant. This means the ICO, Tribunals and Courts can use the Recitals in any interpretation of the DPBill implementation in the UK (e.g. in ICO Guidance).
I don’t understand why the DCMS has not released a copy of the GDPR with the changes implemented by the Government in the DPBill; they must have one.
Finally, one caveat: if you think I am mistaken, please put a comment in. This Bill does your head in.
Removal of “Representative”
The Government has removed some of the extra-territorial elements of the GDPR in its DPBill (and no reason has been given). Schedule 6, paragraph 9(d), for instance, removes all mention of “representative” from the DPBill; this could have very serious consequences for data subjects.
In summary, Article 3 of the GDPR extends its provisions to the processing of personal data of data subjects in the Union by a controller not established in the Union. This happens when the controller is offering goods or services to data subjects in the European Union, or is monitoring data subjects’ behaviour as far as that behaviour takes place within the European Union.
In such circumstances, Article 27 requires a “representative” to be appointed in a Member State if the controller is not established in the Union (this Article is removed by paragraph 23 of Schedule 6).
Recital 80 explains the role of the “representative”:
“…The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority…. (and) ... cooperate with the competent supervisory authorities on any action taken in ensuring compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”. (my emphasis).
So, suppose a USA company is not established in the UK (as defined in Clause 168) but still falls within Article 3; for example, a company established in the USA that uses its USA website to offer services to UK citizens.
Suppose something goes wrong; as there is no representative in the UK, “the data subject is stuffed”, to coin a descriptive phrase. None of the rights and obligations can be enforced through a representative in the way Recital 80 describes.
The provision makes no sense, especially as our hypothetical USA company, if it is trading in the UK, is likely to be trading in other EU countries as well and will need to appoint a representative elsewhere in the EU. Why should Europeans have a representative and not UK citizens?
Finally, the fact that Clauses 137(9), 138(8), 168 and 185 still refer to the removed Article 27 and to the “representative” definition does not engender confidence that this issue has been thought through.
The demise of “Accessible Records”
Another deficiency in the DPBill that is easy to spot is its treatment of the processing of unstructured manual personal data. The best way to get to this deficiency is to consider the removal of the “Accessible Record” limb of the definition of “data”, which appears in the DPA but not in the DPBill.
This limb of the definition of “data” was the mechanism through which the rights of access granted to living individuals by the Access to Personal Files Act 1987 and the Access to Health Records Act 1990 could be repealed and incorporated into the DPA’s right of access for data subjects. The definition has no structural or filing-system requirement; for instance, a single page from a set of medical notes is an Accessible Record.
By contrast, the DPBill applies to “automated or structured processing of personal data” and to “manual unstructured processing of personal data held by an FOI public authority” (Clause 19). It follows that manual unstructured processing of personal data held by an organisation that is NOT an FOI public authority is not covered by the DPBill at all.
So, suppose a private hospital dumps some old manual patient records in a skip. So long as the processing operation of “placing information in the skip” relates to a set of unstructured manual records, the provisions of the DPBill, as far as I can see, do not apply.
This is completely unlike the current DPA, where, assuming the patients are alive, unstructured manual health records are Accessible Records containing sensitive personal data; these data are fully subject to the DPA (and a monetary penalty notice would be the expected penalty if health records were found abandoned in a skip).
With respect to manual unstructured processing of personal data held by an FOI public authority, most of the Principles do not apply (see Clause 22(2)(2)(a)(i) of the DPBill). This provision exempts “Articles 5(1)(a) to (c), (e) and (f)” (the principles relating to processing, other than the accuracy principle).
As Article 5(1)(f) is the provision requiring the controller to process personal data “in a manner that ensures appropriate security…”, no security obligations arise with respect to any manual unstructured processing of personal data, whether held by an FOI public authority (exempted) or by anyone else (not covered). This is an obvious loophole.
The Government thus needs to explain:
- why the DPBill allows unstructured personal data held by any controller to be exempt from security obligations; and
- if unstructured personal data held by a public sector controller can be subject to the right of access and to correction (via the Accuracy Principle), why the same provisions cannot apply to unstructured personal data processed by a private sector controller.
Academic research could be a “Special Purpose”?
“Academic purposes” is added to the Special Purposes and, as with the current DPA, qualifies for an exemption from all the Principles except security, and from all the data subject rights, if the personal data are processed with a “view to publication”. Under the DPBill, the ICO cannot readily use its powers of enforcement, as such powers can be stayed by a Court.
The “Explanatory Notes” state that “The inclusion of academic purposes extends the existing special purposes definition under section 3 of the 1998 Act to include academic purposes in line with Article 85 of the GDPR”. This protects, for instance, a controversial academic article about a celebrity politician who is alive and litigious (President Trump comes to mind).
However, much academic processing of personal data will be for a research purpose (i.e. it falls within Article 89 of the GDPR). It is easy to imagine research of public importance taking place in circumstances where the research exemption has been improperly applied: for example, where the personal data used for the research were collected without proper transparency arrangements, or perhaps without a lawful ground for the processing.
In such circumstances, if enforcement were attempted, would the researchers’ lawyers invoke the public interest under the “freedom of speech exemption for academics” in order to escape the First Principle? You bet.
There is a need to distinguish processing of personal data that falls within the Article 89 research exemption from processing that is subject to the Article 85 freedom of speech exemption. To my mind, this is a rather obvious problem that should have been recognised and resolved in the text of the DPBill.
Special Purpose “thank-you” and journalism
The data protection offence in Clause 161 remains just like Section 55 of the DPA: it is non-custodial, and the Government has not followed the pleas that several Parliamentary Committees and the ICO have made for over a decade.
It has also ignored the recommendations of the Leveson Inquiry concerning the non-custodial nature of this offence. The Government has not even carried over the power in Section 77 of the Criminal Justice and Immigration Act 2008 into the DPBill, so as to retain the option of introducing a custodial sentence.
This, in my view, also undermines the level of protection afforded to data subjects; it sends the message that journalists can continue to blag away to their hearts’ content to obtain the lurid stories that sell tabloid newspapers.
I also note that the Government has given recognition to the Independent Press Standards Organisation (IPSO), established by the press proprietors who were opposed to the Leveson recommendations. The Government has legislated to treat IPSO’s Code of Practice as striking the correct balance between freedom of expression and privacy (see Schedule 2, Part 5, paragraph 5 of the DPBill).
The Government has not recognised IMPRESS, the alternative press regulator, whose Code of Practice has gone through all the Leveson hoops.
Has this been explained by the Government? Of course not; but I am sure the move will get the 100% unconditional backing of the Daily Mail, the Daily Telegraph and the Murdoch press.
Final comment
The DPBill is 212 pages of impenetrable reading, and I suspect there are several drafting problems lurking within. There is a significant risk that the Courts and Tribunals will interpret the DPBill in a way that was not intended.
By then, of course, it will be too late.
Courses (London, Edinburgh)
- DATA PROTECTION BCS FOUNDATION QUALIFICATION: Edinburgh (3, 4 and 5 October).
- GDPR/DP Bill WORKSHOPS: Edinburgh (6 October).
- DATA PROTECTION BCS PRACTITIONER QUALIFICATION: the next intensive DP course is in London (starts 13 November).
- NEW DATA PROTECTION BILL ALL DAY UPDATE: London (20 November).
Regarding Clause 20 and Schedule 6, it is important to note that these “apply” the GDPR only to the extent that it does not have direct effect. So the “applied GDPR” extends the GDPR (as modified by the schedule) to activities covered by UK law but not covered by EU law. Therefore, in EU terminology, it is not the case that “Clause 20(1)…transposes most of the GDPR into UK law”. The GDPR is an EU regulation which has direct effect without need for transposition (in contrast with an EU directive, such as the 1995 Data Protection Directive which the GDPR replaces). But Chapter 3 of Part 2 of the Bill (including Clause 20 and Schedule 6) creates a similar domestic scheme to avoid the need to constantly consider whether EU law is or is not in scope in any particular circumstance. This also ensures that the UK complies with its non-EU international obligations (in particular, Council of Europe “modernised Convention 108”).
In principle, Part 2 Chapter 3 also provides a model for post-Brexit continuation of the GDPR (mutatis mutandis). But in addition to the possibility of the Data Protection Bill itself being amended before being enacted, there is even more uncertainty as to how powers proposed under the European Union (Withdrawal) Bill might be used to make transitional or permanent modifications to the GDPR’s domestic effect (cf the Bill’s explanatory notes https://services.parliament.uk/bills/2017-19/dataprotection/documents.html at paragraph 35).
Of course that does not necessarily mean that the “applied GDPR” modifications are unimportant. And, frankly, I am not sure what circumstances they cover in practice, given that the Bill provides separate special provisions for national security (the most obvious non-EU field). But only in a very loose sense does the Bill modify the effect of the GDPR itself.
Posted by: Rich Greenhill | 25/09/2017 at 02:12 PM