The DCMS Consultation document “Data: a new direction” (the “Consultation”) proposes to tip the balance between the interests of controllers and the interests of data subjects in favour of the controller. This blog looks at the proposals, not in the context of how beneficial they are for controllers, but rather in the context of how they weaken the privacy protection afforded to data subjects.
The weakening provisions being mooted include:
- Introducing a fee arrangement for subject access which has a chilling effect on the subject access right. A £10 fee as per the DPA1998, for instance, is likely to disenfranchise the poor from the right of access; having lost £20 in universal credit, post COVID, would impoverished data subjects pay £10 for subject access? It is difficult to fathom how such a proposed fee arrangement forms part of the Government’s “levelling up” agenda.
- A fee arrangement based on FOI Appropriate Limit is likely to apply to complex requests (e.g. where there is personal data relating to more than one individual as is common in education, health and social work). Many of these complex requests risk being refused on the grounds that they are over the equivalent of the FOI Appropriate Limit.
- Effectively removing the A.22 right not to be profiled. As some profiling is to be deemed to be in the legitimate interests of controllers and some profiling deemed to be necessary for public tasks, the original right not to be profiled in A.22 thus only remains for “vital interests” processing.
- Increasing the prospect of unwanted marketing telephone calls unnecessarily. The proposal is for the “soft opt-in” (an “opt-out” in practice) to be extended to all forms of electronic marketing when the unsolicited marketing rules by telephone already allow for the use of an “opt-out” – oops I mean “soft opt-in”.
- Controllers do not work to a unified privacy standard as set out in the UK_GDPR; instead they work to their own data protection standards as set out in their own “privacy management program” (if controllers ever get round to establishing such a program). Unlike the Consultation’s authors, I cannot see how letting controllers “do their own thing” (as per the DPA1984 and DPA1998) allows for any consistency in the level of data subject protection.
- The ICO can no longer rely on the controller and processor maintaining records that demonstrate compliance with A.24-A.39 (e.g. appointment of a DPO, DPIA, data breach, security, contracts), much to the detriment of data subjects. Even the ICO’s response to the Consultation states that “Keeping good records is a key element of good privacy management and high standards of privacy”.
- Reducing the ability of the ICO to enforce issues which are very important to a specific data subject but which are not common to many data subjects. The ICO is expected to focus on the important issues that impact on a large number of data subjects and not on issues that may seriously impact a single data subject.
- The change of focus mentioned in the previous paragraph (i.e. consideration of issues relevant to a large set of data subjects) leads to the circumstances when there is fettering of the ICO’s independent course of action. This arises by requiring the ICO to consider matters that have nothing to do with data protection (e.g. the ICO’s duty to consider economic or innovation issues or the public interest).
- The ICO can decide how, to what extent, or whether to investigate a complaint; the ICO cannot be challenged on, for example, a decision to close a case because it is too difficult for the ICO for whatever reason. This prospect could leave a data subject who has a complex case out in the cold.
- Requiring the data subject to attempt to resolve issues with the controller before complaining to the ICO. This can be uncontroversial in many circumstances. However, the Consultation’s proposals wholly ignore the circumstances when such contact with the controller could cause detriment to the data subject (e.g. in cases of zero hours contracts, how many such contracts will a controller give a complaining data subject?).
- Extending the exemptions in A.49 so that transfers of personal data can be repetitive (rather than occasional, as at present). This means that personal data can be transferred to any other country on a bulk basis without reference to the data subjects’ wishes or interests, or any consideration of whether the bulk personal data are safe (e.g. from the authorities) in the destination country.
- Allowing the Secretary of State to assign adequacy to groups of countries (e.g. all countries that implement Convention No. 108 are adequate). This means that there is no individual assessment of the level of protection on a case-by-case basis (e.g. there are 55 countries signed up to this Convention). The Consultation’s pledge to keep each country’s DP law under continual review is simply not credible given that there are more than 100 countries with DP laws.
- The ICO in her response effectively equates the Consultation’s transfer proposals to the data protection equivalent of “Pie in the Sky when you Die”. She states that there are so many unanswered questions (which means the case for change has not been made):
“While we recognise that these proposals are still in development more detail is needed for respondents to fully understand how a risk-based approach would work in practice. It would also be helpful to understand more detail about the proposals for future adequacy decisions to “take into account the different legal and cultural traditions which inform how other countries achieve high standards of data protection”. We look forward to seeing more detail about how these changes would work in practice” (para 120).
- Extending the processing of a data subject’s special category of personal data by specifying certain processing to be in the public interest or legitimate interests of the controller. Such processing could well occur without reference to the data subject’s wishes or interests (who is left bereft of options to protect their interests).
- Allowing for wider data sharing across the public sector and to include data sharing with private sector bodies without reference to the data subject’s wishes or interests (who is also left bereft of options to protect their interests).
Commentary
The Consultation provides no evidence for most of the legislative changes it claims are needed. That is why the Consultation frequently asks its consultees to provide the necessary evidence to substantiate the Government’s proposed change. This is governance at its very worst; a classic example of making detailed legislative changes before the existence of evidence for the need for such changes.
Given the sometimes basic errors and omissions in the Consultation’s data protection analysis (see the references below for some examples), one also wonders about the quality of such received evidence.
That is why the Consultation asks respondents to answer the same question many times. Roughly speaking, this question goes: “We know that controllers find the following data protection elements a right pain in the arse; please explain your answer, and provide supporting evidence where possible”.
The Consultation is largely drafted from a position where the controller becomes entitled to process the data subject’s personal data (i.e. entitled to use, disclose, retain or transfer the personal data) without consideration of how the data subject’s wishes or interests are protected (usually they will not be protected by the proposals in the Consultation).
If data subjects were to complain to the ICO, they would find that the ICO is fettered by consideration of matters not related to data protection (e.g. a duty to consider the economy, innovation or the public interest). There is simply no commensurate increase in the ways data subjects could protect their own interests.
In addition, there is very little the data subject can do if the ICO makes a mistaken decision. Whereas controllers can appeal against the enforcement actions of the ICO, there is no comparable proposal that allows for an appeal for data subjects to obtain a review of the ICO’s decision. Given the weakening of the ICO’s powers (as described above), the risk is that such mistaken decisions are set to increase.
Indeed, the Consultation makes Judicial Review of the ICO (itself a cumbersome and expensive procedure for data subjects) less likely.
In some circumstances, the proposal is for the substantial public interest or the legitimate interest of the controller to always prevail irrespective of the data subject’s wishes or interests.
Finally, transparency of processing to the data subject is deemed to be sufficient protection; however if the data subject cannot do much with that transparency, then transparency is, of itself, of little value.
The result is rather similar to when someone is blackmailed; those blackmailed are fully informed as to what the blackmailer knows but can do very little about it.
Liz the Departed
All the proposed changes are occurring at the end of the watch of the departing Elizabeth Denham as ICO; one wonders how much the changes to the UK’s data protection regime will become her legacy. Apart from a mere handful of cases over her tenure, she has limited her enforcement action to unsolicited electronic marketing. Picking on spammers is easy; picking on controllers who have disregarded other GDPR marketing norms (e.g. Adtech) is far more difficult.
One gets the impression that instead of taking the lead in tackling difficult data protection issues of concern, the ICO has preferred to jump on the coat-tails of privacy activists who crowdfund Judicial Review (e.g. facial recognition CCTV and Big Brother watch; Immigration exemption and the Open Rights Group).
Indeed, she has strenuously opposed the Information Rights Tribunal looking at specific issues of ICO inaction (e.g. her failure to address Adtech and the Open Rights Group).
In addition, her response to the Consultation contains too many statements of the kind: “We would also welcome more detail from Government about how these proposals would before we can comment ….”.
This approach is far too laid back. Sadly the next ICO will only see the requested “more detail” when it is etched on the face of fresh legislation, likely to be enacted by Ministerial edict and not subject to any meaningful Parliamentary debate.
In conclusion, the Ministerial promise of “maintaining the UK’s world-leading data protection standards” is both dishonest and lacks credibility. I expect the UK’s data protection regime to emerge at a reduced standard somewhere between the DPA1984 and DPA1998.
Data Protection Courses (New Year: 2022)
Because of continued COVID double jab / booster uncertainty, the fuel crisis, or the results at Barnsley FC, the following courses can be attended in person, or via Zoom, or as a mixture if something untoward happens. It's up to you.
- The next Data Protection Foundation Course is in London, and starts Tuesday, February 1st to 3rd (3 days); Full details on http://www.amberhawk.com/DPFoundation.asp or by emailing [email protected]
- The next Data Protection Practitioner Course is in London, and starts Tuesday, January 25 (6 days); Full details on amberhawk.com/StandardDP.asp or by emailing [email protected]
References
Please feel free to make use of these previous blogs when responding to the Consultation.
Government propose to reduce DP accountability requirements to OECD standards; https://amberhawk.typepad.com/amberhawk/2021/10/government-propose-to-reduce-dp-accountability-requirements-to-oecd-standards.html
Ministers want to pull the strings and rein-in the ICO’s independence; https://amberhawk.typepad.com/amberhawk/2021/11/ministers-want-to-pull-the-strings-and-rein-in-the-icos-independence.html
Data Protection accountability suffers as a result of an unconvincing attempt to reduce red-tape; https://amberhawk.typepad.com/amberhawk/2021/11/data-protection-accountability-suffers-as-a-result-of-an-unconvincing-attempt-to-reduce-red-tape.html
Government propose to tip the scales in the controller’s legitimate interests; https://amberhawk.typepad.com/amberhawk/2021/10/government-propose-to-tip-the-scales-in-the-controllers-legitimate-interests.html
UK plans for incompatible processing undermine data protection for individuals; https://amberhawk.typepad.com/amberhawk/2021/10/proposals-for-incompatible-processing-undermine-protection-for-data-subjects.html
Government’s UK_GDPR proposals for research are unethical and unsafe; https://amberhawk.typepad.com/amberhawk/2021/09/governments-uk_gdpr-proposals-for-research-are-unethical-and-unsafe.html