Yesterday, the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) reported to the Prime Minister on how the UK could, in general, reshape its approach to regulation and seize new opportunities from Brexit with its newfound regulatory freedom. Unsurprisingly, changes to the UK GDPR are high on TIGRR’s list.
In summary, under the heading “Replace GDPR with a new UK framework for data protection”, perhaps with a “UK Framework for Citizen Data Rights”, TIGRR propose: a Common Law approach towards enforcement; diminishing the application of the Data Minimisation and Purpose Limitation DP Principles; putting the data subject in control of the processing by “strengthening” any data subject consent requirements, and reducing the data subject’s right not to be profiled by automated means.
The proposal for a “UK Framework for Citizen Data Rights” has a real problem; it implies that if one is not a Citizen, there are no Citizen Data Rights to protect. Whilst such a restriction is likely to attract the current Home Secretary (who is not appealing the recent striking down of her immigration exemption in the Court of Appeal), any such limitation to “Citizen Data Rights” would render the processing of personal data unlawful.
This is because the processing would breach Article 8 of the ECHR which is independent from any concept of citizenship; after all the Human Rights convention exists to protect all humans and not just UK citizens.
Overall, it is clear that the TIGRR’s authors have little understanding of the relevant GDPR provisions, and most of its GDPR recommendations are accompanied by an incorrect analysis. However, such errors can be corrected, and it will not be the first time that the foundations of future Governmental Policy have been built on a false prospectus.
In any event, the recommendations are clearly in sympathy with those ideas promoted in the National Data Strategy. In other words, something on the lines of the TIGRR recommendations could well be proposed; consider them as an extra helping of that “oven ready” Brexit deal.
For the record, members of the taskforce were three Brexiteer MPs on the right of the Party with a preference for the UK to become the Singapore of Europe: Iain Duncan Smith, Theresa Villiers and George Freeman.
Errors in TIGRR
To set the scene, I start with a few examples of TIGRR's impoverished data protection analysis.
TIGRR states that the “GDPR is centred around the principle of citizen-owned data”. This is wrong. Data subjects do not “own” their personal data under data protection law; they are provided certain levers that can protect their interests (e.g. data subject rights; obligations placed on controllers towards the Principles etc) but all of these interests are balanced with exemptions to protect the interests of controllers.
However other legislation can introduce the concept of ownership (e.g. when celebrities protect the Intellectual Property vested in their image or name).
TIGRR also say that the GDPR leaves “…organisations generally needing a person’s ‘consent’ to process their data”. This also is clearly wrong, as there are six lawful bases in A.6 of the GDPR, as most readers will already know.
The Report acknowledges this and states that there “are alternative ways to process data that do not require consent, but these are not well defined or understood, causing confusion amongst data processors and controllers.” Note that data processors are “confused” as to what Article 6 lawful basis to choose for their processing activities, when the choice of lawful basis is solely a controller’s responsibility.
TIGRR states that certain Principles in A.5 “…prohibit organisations from using data for any purposes other than those for which they collected it”. This is also incorrect. Any prohibited further purpose has to be “incompatible” with the purpose of collection; processing for purposes which are not incompatible is not prohibited.
The Report illustrates its commentary on consent under the GDPR with an example which is purely PECR (e.g. “An illustration of this is the cookie consent banner that appears every time you visit a website”). If TIGRR had looked at the ICO website, they would have found “The Privacy and Electronic Communications Regulations (PECR) cover the use of cookies and similar technologies for storing information, and accessing information stored, on a user's equipment such as a computer or mobile device”.
TIGRR is wrong with respect to Article 22 (e.g. “Article 22 of GDPR applies solely to automated decision-making. It does not apply when the output of algorithms is subject to meaningful human review”). In practice, the human review is a safeguard, which is available to a data subject if automated profiling occurs and a problem results. In other words, the right to a human review is to resolve issues that impact on a data subject who has been profiled; it DOES NOT negate the A.22 right not to be profiled as described by TIGRR.
The A.22 right also does NOT interfere with “proof of concept” innovative profiling if the profiling has no legal effect or impact on the data subject. So once a controller has proved the profiling concept, the options open are: seek data subject consent for the profiling, argue that the profiling is necessary for a contract with the data subject, or ask the Government to allow such innovative automated profiling to be authorised by UK law (as specified in A.22(2)(b) and Section 14 of DPA2018).
This latter option is what TIGRR wants to achieve; it's already there. It follows that TIGRR’s claim that the “GDPR is already out of date and needs to be revised for AI and growth sectors if we want to enable innovation in the UK” is incorrect.
Having made many errors, TIGRR’s data protection analysis often leaves Earth for Planet Zog – so I will not comment further.
TIGRR and the GDPR
TIGRR’s view of the GDPR is that “it overwhelms people with consent requests and complexity they cannot understand, while unnecessarily restricting the use of data for worthwhile purposes”.
This is not my view. I think that where many high tech companies have relied on consent, they have unnecessarily made these consent requirements difficult for data subjects to operate. For example, the requirement in A.7(3) that “it shall be as easy to withdraw consent as to give it” is often ignored.
In my view, the A.7(3) requirement concerning consent is something that the ICO could have, and should have, remedied some months ago (see references), and her inaction in enforcing this requirement has encouraged proposals, such as those expressed by TIGRR, to emerge.
However, TIGRR “propose reform to give stronger rights and powers to consumers and citizens, place proper responsibility on companies using data, and free up data for innovation and in the public interest”. So can these “stronger rights” for data subjects be stronger than GDPR consent? Or is the intent to process personal data “in the public interest” in the absence of consent?
No prizes for guessing the answer!
Common Law approach
Underpinning the whole document is what TIGRR calls “The Common Law” approach to regulation. This is because “Uncodified systems such as common law have historically been and continue to be the systems of choice for many successful jurisdictions. The clear trend for new financial free zones - bespoke jurisdictions designed to be magnets for economic activity - is to opt for a common law approach”.
In addition “A common law approach allows more forward-looking, judgement-based regulation without needing such complex and exhaustive rules for every situation set out in advance”.
With respect to the GDPR, TIGRR state “The Government should use an approach to data based more in common law, so case law can adapt to new and evolving technologies such as artificial intelligence and blockchain.” This contrasts with an approach which is more “Napoleonic, code-based, civil law approach traditionally seen on the Continent” (e.g. as in the GDPR).
So what’s the difference? In summary, a Common Law approach offers redress to data subjects after the processing goes wrong; by contrast a rules based approach requires the Controller to take action (i.e. follow the rules) to protect data subjects before any processing occurs.
So which protection is preferable? TIGRR clearly suggests it is the former.
Enforcement in action
So let’s take a worked example. TIGRR complains that Article 5 of GDPR requires personal data to be “adequate, relevant and limited to what is necessary” (for the purpose). These restrictions “limit AI because they prevent AI organisations from collecting new data before they understand its potential value and they also mean that existing data cannot be reused for novel purposes”.
So let us suppose a data subject complains that a controller is keeping irrelevant personal data for longer than is necessary, for unspecified purposes, merely because it has AI interests. Suppose further that the Controller does not respond.
When enforcing the proposed Common Law approach, TIGRR states that the ICO “should seek to enable success, not create unnecessary obstacles”. The ICO “should support innovation, improve safety for consumers and workers, ensure the long-term protection of the environment and drive UK competitiveness, productivity and growth”. Finally, the ICO should implement “effective and proportionate regulation … to boost economic competitiveness”.
In other words, TIGRR’s Common Law approach requires the ICO to consider matters irrelevant to the data protection issues. For instance, is the controller a start-up? Could the AI processing produce a competitive advantage for the UK? Should data protection controls be imposed only when the controller is profitable?
These Common Law considerations could clearly influence the outcome of any enforcement action.
Data ownership is already here
The concept of “data ownership” has already been employed by Ministers, and it appears that the idea has taken root in Government.
For example, Matt Hancock (see references) told a Parliamentary Committee exploring COVID that “The final thing I will say on this… is that the data on your personal health and your health record belongs emphatically to you…. It does not belong to your GP; it does not belong to the NHS. That is your data” (as in ownership). To avoid confusion, the “you” here is the Chair of the Committee.
And “If you want it to be used for research purposes, that is your decision”. “Your decision” is made via the exercise of a largely unpublicised, opt-out whereas the use of Ministerial Powers determines what is in the “public interest”. Or to use TIGRR’s terminology, the “stronger rights” that data subjects have to opt-out also “free up data for innovation … in the public interest”.
Finally, the use of language about economics and pragmatism has appeared before; text like TIGRR’s could easily have been lifted from the job specification of the next ICO (see my blog; references). It confirms that the next Commissioner could well be expected to take such economic questions into account and, if so, the independence of the UK’s data protection regulator is jeopardised.
In conclusion, TIGRR’s ideas are not going away soon even though their analysis is wrong; they are likely to be repackaged and like a game of Pooh Sticks, emerge on the downstream side of the bridge.
What is scary is that such major change to data protection law can be introduced using powers under the European Union (Withdrawal) Act 2018 which may not even be debated by Parliament.
One therefore gets the sense that in the next year, data protection could well be at a crossroads (with an 80-seat majority Government, elected on a 43% minority of the popular vote, in the driving seat).
Upcoming Data Protection Course
Because of the Indian variant and the consequent COVID lockdown uncertainty, the following course can be attended in person or via Zoom or a mixture (it's up to you). The Data Protection Practitioner Course is in London, and starts July 13 (6 days).
Full details on www.amberhawk.com/StandardDP.asp or by emailing [email protected]
References
TIGRR report: https://www.gov.uk/government/publications/taskforce-on-innovation-growth-and-regulatory-reform-independent-report
Matt Hancock on data ownership. Oral Evidence to Health & Social Care Committee at Q1459 on https://committees.parliament.uk/oralevidence/2318/html/ (COVID: HC 95: 10 June 2021)
I think the lack of action by the ICO has rebounded: see under the heading “Consider the wider perspective” on https://amberhawk.typepad.com/amberhawk/2020/08/why-chris-grayling-mp-could-become-the-next-information-commissioner.html
The ICO job spec: https://amberhawk.typepad.com/amberhawk/2021/03/the-next-information-commissioner-likely-to-dance-to-the-governments-tune-and-thereby-lack-credibili.html
Excellent blog, Chris! It links to my first comments on the final draft EU Adequacy Decision on the UK, here:
https://www.ianbrown.tech/2021/06/17/initial-comments-on-the-eu-commissions-final-gdpr-adequacy-decision-on-the-uk/
It is incredible that the Commission has no worries about UK divergence and intended further divergence (read: watering down of data protection and human rights law).
The authors have quaint ideas about the common law and continental "Napoleonic, code-based, civil law" approaches. In fact, these have been getting closer for decades, with the common law increasingly hedged in with statute law and continental code-based law increasingly dependent on judge-made interpretations of broad principles ("fairness", "faut", etc.).
The Brexiteers cling to romantic, 19th Century notions without taking the trouble to look at reality (again).
Posted by: Douwe Korff | 17/06/2021 at 04:26 PM