The Glorious Twelfth is the date when land-owners of moorland estates celebrate the start of the grouse shooting season; August 12 this year was about the time the Information Commissioner (IC) became “fair game” for many commentators.
The IC’s detractors fall into two groups. In the blue corner is the Conservative supporting Press (e.g. Daily Mail, Telegraph and The Sun); Newspapers that have been critical of the IC’s prolonged absence from the UK. Also in the blue corner (but silent on the IC’s absence), is a Government planning for a data protection regime that is likely to diverge from the GDPR in the near future (see references).
In the red corner are NGOs, privacy activists and many prominent data protection academics and consultants who point to inactivity on the part of the IC in enforcing the current GDPR. They are calling for changes to the IC’s approach (or for a change of IC) at a time when her job as IC is up for possible renewal next year.
This blog explores this development. In summary, I suspect the red corner is missing the bigger picture.
The blue corner
The blue corner’s reason for replacing the IC can be summarised as follows. If there is a “no deal” and no adequacy agreement with the European Union at the end of the year, then the UK is on its own.
What better way to demonstrate to the EU that the UK really has “taken back control”, than by using the powers in the European Withdrawal Act 2018 (that created the UK_GDPR) to modify the UK’s data protection law in a more “sensible” direction, away from the GDPR (without recourse to any detailed Parliamentary debate or scrutiny – because that is how these EWA powers work).
This prospect is already Government Policy; in a Written Statement to Parliament, the Prime Minister wrote: “The UK will in future develop separate and independent policies in areas such as …. data protection, maintaining high standards as we do so.” (HCWS86; 3 February 2020).
It is reasonable to assume that civil servants are already working on these plans which will have to be explained to the European Commission if there is to be an adequacy determination. So the Government and Commission will know the extent of these plans to change the data protection regime in the UK; I assume the Government already has a range of options.
UK’s data controllers and data subjects, of course, will be the last to know. The Government can easily publish a list of its GDPR concerns; it has failed to do so.
Many elements of the Conservative Party have always seen data protection as some bureaucratic nonsense made for Europeans. I remember that even in 1984 politicians (e.g. Sir Teddy Taylor) saw data protection (i.e. the DPA1984) as a morass of incomprehensible rules that tie businesses in knots with little benefit for data subjects.
The pro-Brexit view of a post-Brexit Britain is one where the UK is a haven for business and digital economy start-ups (as well as for major multi-national players such as Google and Facebook). Low corporation tax, reduced regulation and a “flexible” workforce are all promoted to encourage the establishment of a Britain ready to do business.
Hence the need for a pragmatic data protection regime that works for Britain; the unanswered question is, of course, ‘pragmatic for whom?’.
The governing Conservative Party also seeks to withdraw the UK from the European Convention of Human Rights (ECHR) and to restrict Judicial Reviews (JR) of Governmental action, as both are being used to “interfere” in politics (see references).
For example, “interference” via JR was used to challenge the lawfulness of the immigration exemption in the DPA2018 and of the use of Facial Recognition CCTV by the police. Another example of such “interference” would be the indefinite retention of personal data relating to innocent data subjects on the UK’s DNA database; this was tested in cases such as UK v Marper under A.8 of the ECHR.
The supporting press have an additional reason; the IC is tasked with preparing a Code of Practice for Journalists. Having seen off Leveson II (this is a “thank you for your support” policy from the last Conservative Manifesto; see references), the last thing papers like The Sun and Daily Mail want is, to put it crudely, a “bloody foreigner” supervising the drafting of the text Code of Practice for British Journalism as required by Section 124 of the DPA2018.
This helps to explain why the Mail and Sun portrayed the IC’s prolonged absence in Canada as a serious case of AWOL which, according to their tabloid jingoism, left distraught A-level students at the mercy of a Kafkaesque algorithm invented by Ofqual’s unaccountable bureaucrats.
In my view, this kind of coverage contains a great deal of “white noise” that will be resurrected to justify the changes to the UK’s data protection regime (e.g. coverage on the lines of: “the GDPR is so difficult, even the IC had difficulty in acting – we must simplify it to protect data subjects in a different way”).
The red corner
I think it fair to say that many data protection colleagues, concerned with the state of data protection in the UK, have lost patience with the IC. For them the IC is not engaging with current DP issues or providing assurance that the GDPR applies (e.g. Ofqual’s algorithm is “unfair”; retention times for COVID track and trace personal data are too long; DPIA’s relating to surveillance are not published or challenged).
In summary, they believe the IC is simply not enforcing GDPR standards when required. In their view, she has left her enforcement “stick” in the cupboard (e.g. against Adtech and the issues already identified) and instead has focused on “carrot issues” (e.g. expanding her international reputation, Sandbox engagement, endless policy discussion on ethics).
This group expects a retreat on the mega-fines she had been “minded” to impose (e.g. on Marriott Hotel chain and British Airways); the only question is when and how this “change of mind” is announced.
Consider the wider perspective
My own view is that I was not expecting too much in the way of GDPR enforcement for 18 months (i.e. until January 2020) to give the GDPR and the DPA2018 time to settle down; then COVID got in the way. As the UK returns from its COVID induced slumber, any grace period, in my view, ends very shortly.
The controversial Code of Practice in Marketing has been left hanging; the lack of comprehensive advice in this area is a priority. The abandonment of AdTech enforcement is a disappointment especially as there are there are two marketing areas which do not need much in the way of complex legal analysis.
For example:
- AdTech marketing using personal data that infers a data subject’s health condition or a political views. The use of such special category of personal data requires an A.9 condition which is likely to be “explicit consent of the data subject” in many instances. Hence one can enforce this requirement and avoid the more difficult subject of whether the A.6 lawful basis is “consent” or “legitimate interests”.
- The A.7(3) requirement that “It shall be as easy to withdraw as to give consent” which applies to cookies. How many websites have you visited where giving consent is easy but doing the opposite needs a lengthy search of the website? Note that enforcing this characteristic of data subject consent does not need any consideration of what “consent” means in the first place.
The non-completion of the data sharing Code is another urgent priority; its absence gives many controllers a “get out of jail card free”, especially for those Government Departments that intend to engage in extensive data sharing (and this includes the comprehensive patient-records held by the NHS). Such controllers have been handed on a plate the defence of: “there is no detailed guidance; so how can we comply?”.
Finally, the fact that it takes three months to assign a case-worker to a data protection complaint is just plain wrong. Such undue delay with respect to the exercise of data subject rights (e.g. of access, completion, objection etc) can defeat the purpose of having these rights in the first place (especially if there is a three to six month deadline for the data subject to make an appeal against some kind of service).
However, also at the back of my mind is the Government’s policy to make changes to the GDPR regime; the IC’s lack of enforcement could be used to cover the Government’s changes to a more “pragmatic level”.
In other words, if the IC continues her inactive stance with respect to enforcement, the easier it will be for the Government to justify the reduction in the protection afforded to data subjects by the GDPR.
IC’s contract ends in June next year
I understand that the IC’s five year term ends on June 28 next year; there is an option of an one year’s extension which might not happen; the IC herself might decide to “call it a day”. This means that by December, as the UK cuts all ties with the EU, the search for a new Information Commissioner could well commence.
So who is that person? Answer: the new IC has to be a reliable person who will not make too much of a fuss as the UK data protection regime significantly diverges from the GDPR.
Additionally, the Government is centralising powers in the Prime Minister’s Office. Will Dominic Cummings be interested who is appointed, given the new Commissioner will be in post when he scrapes bulk Social Media personal data for the Conservative’s marketing purpose before the next General Election campaign? Well, I think you know the answer to that one.
Remember that Mr. Cummings is not particularly trustworthy with respect to personal data; his Vote Leave campaign was fined by the ICO and Vote Leave's agents (which had close links with Cambridge Analytica) had to be ordered to delete the personal data they had scraped from Social Media.
Mr. Cummings has been reprimanded by Parliament because he failed to appear before Parliament to explain the extent to which the Russian State influenced or assisted his Vote Leave Campaign in 2016. There are several Russian oligarch-donors to the Conservative Party and Vote Leave’s CEO co-founded the Conservative Friends of Russia (see references).
Nice to know that Mr. Cummings is likely to be behind the direction of UK data protection policy.
That is why I think the appointment of a data protection supremo like Chris Grayling MP, as the new Information Commissioner, makes sense. He is available and his track record in Government will ensure the IC will perform exactly how the Government intends.
If, however, the next IC is sadly not Chris Grayling, the appointment of an apparatchik with Brexit credentials from the Conservative nomenklatura, is inevitable.
Upcoming Data Protection Courses (in Autumn)
All courses lead to the relevant BCS qualification: September’s course is full ☹
- Data Protection Foundation: London, Oct 13-15 (3 days)
- Data Protection Upgrade Practitioner: London, Nov 3-4 (2 days)<LAST ONE
- Data Protection Practitioner: Edinburgh, Starts Nov 23 (5 days)
Full details on www.amberhawk.com of by emailing [email protected]
References
Dominic Cummings fails to explain to Parliament Vote Leave’s links with Russia: (2nd half of): https://amberhawk.typepad.com/amberhawk/2020/07/valid-or-dodgy-eu-referendum-result-the-misuse-of-personal-data-is-a-constant-factor.html
Conservative Manifesto: withdrawal from ECHR, no Leveson II and reduction of JR: https://amberhawk.typepad.com/amberhawk/2019/11/human-rights-data-protection-and-whats-in-the-political-manifestos.html
Cross section of critical press on IC’s absence from the UK
https://www.openrightsgroup.org/press-releases/cross-party-group-of-mps-challenge-information-commissioner-over-data-protection-failure/ (Open Rights group)
https://www.dailymail.co.uk/news/article-8638629/Anger-data-watchdog-Elizabeth-Denham-spends-three-months-working-home-CANADA.html (Daily Mail article).
https://www.telegraph.co.uk/politics/2020/08/17/information-commissioner-elizabeth-denham-has-working-canada/ (Daily Telegraph)
https://news.sky.com/story/head-of-uks-data-watchdog-working-from-home-in-canada-12049493 (Sky news)
UK DP regime and divergence from GDPR on Brexit
https://diginomica.com/will-brexit-britain-diverge-global-trend-towards-gdpr-data-protection
PM’s Written Statement on https://www.parliament.uk/business/publications/written-questions-answers-statements/written-statement/Commons/2020-02-03/HCWS86/
Comments
You can follow this conversation by subscribing to the comment feed for this post.