Summary introduction
The DCMS propose to change the duties of the Information Commissioner (ICO) in such a way that they decrease the prospect of enforcement on data protection grounds; in this way the changes reduce the protection afforded to data subjects.
This prospect arises as the Commissioner will have a duty to consider factors relating to the economy, public safety or the Government’s international agenda prior, for example, to exercising the ICO’s powers of enforcement against a controller.
The Secretary of State is also seeking powers to determine the Commissioner’s priorities. These include vetting the ICO’s Guidance to ensure it is appropriate for a business friendly, data protection era in the UK.
Apart from minor adjustments to compel witnesses to appear and longer timescales for an ICO investigation, there is no corresponding strengthening of the Commissioner’s powers.
So, if the Commissioner were to make a misjudgement (e.g. decide that the economic objectives take precedence over the data subject’s privacy) and failed to enforce the DPA2018, there would be no appeal to the Tribunal available to affected data subjects.
However, there would be an appeal to the Tribunal in the reverse situation (e.g. if a controller thinks that the ICO has placed too much emphasis on individual privacy rather than economic objectives when enforcing the DPA2018).
Make no bones about it: the proposals for “Reform of the Information Commissioner’s Office” comprise a power grab to influence (or determine) what the Commissioner’s duties and priorities should be.
Finally, the independence of the UK’s data protection regulator is wholly undermined by these proposals (as shown below). This has the potential to have a knock-on effect with respect to the Adequacy Agreement signed with the European Commission.
The proposals can be found at Chapter 5 of the DCMS Consultation document “Data: a new direction” (the “Consultation”).
Wider role for ICO
The ICO’s mission statement on its website reads: the ICO is “The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”. Notice the wider factors mentioned in the Summary Introduction (e.g. economic considerations) are not mentioned as part of the current mission statement.
So, I was a bit shocked when I read in the ICO’s response to the Consultation that she already considers her role to be a “whole economy and public sector regulator with extensive domestic and international responsibilities”. First impression: this was a very grandiose and self-inflated job description, especially when all the ICO’s powers (if they were actually used) relate to the data protection regime in the UK.
I have subsequently discovered the Government designated the ICO as having a duty to consider the desirability to promote economic growth four years ago, using powers under Section 108 of the Deregulation Act 2015. The detail can be found in “The Economic Growth (Regulatory Functions) Order 2017”; the ICO was one of over a hundred regulators identified in the Order.
Only the data protection functions of the Commissioner are subject to the new economic consideration (i.e. the FOI functions of the ICO are not so constrained); the Equality and Human Rights Commissioner is not constrained at all.
The latter is curious given that data protection is linked to A.8 of the European Convention on Human Rights; so I suspect there may be legal arguments based on the degradation of that A.8 right, that the ICO should not have been included in the list of Regulators subject to S.108.
Neither debate nor discussion
As is usual when Ministers use such powers, Parliament does not debate the main issues; the debate approving the change to a hundred regulators’ duties lasted half an hour and did not specifically mention the ICO.
However, it did cover the important issue of what happens if an individual challenges a Regulator that considers that the duty to consider economic factors prevails over the objective of protecting an individual. Which one takes precedence? Economy or protection?
I have put in [square brackets] the data protection context to show what the Minister said:
“We want to see regulators balance their regulatory purpose with their duty to promote growth. …. While, in principle, it is possible for a legal challenge to be brought [e.g. by an individual using Judicial Review (JR) to claim that the ICO has the balance between economy and privacy wrong], the statute and the regulations require that regulators have regard to the desirability of promoting economic growth”.
“Providing a regulator does so, a legal challenge [i.e. the JR action taken by the data subject] would fail, so there is no real prospect of a court being asked to consider the particular balance being struck by a regulator.”
“That balance is up to the regulator [e.g. the ICO] and if they have good reason for their decision—if they have considered their duty to promote economic growth but concluded that, on that occasion, it is trumped by another of their other duties [e.g. to protect the data subject] they will merely have to demonstrate that reasoning” (column 10 of the debate; see references).
So even before we look at the Consultation’s provisions, it can be seen that in data protection terms the protection of the data subject has to trump the duty with respect to the economy.
The convoluted wording (“A person exercising a regulatory function [e.g. the ICO] to which this section applies must, in the exercise of the function, have regard to the desirability of promoting economic growth”) is not an accident. It is also employed in the Consultation and deliberately designed to reduce the prospect of the ICO being subject to a successful Judicial Review challenge.
Additionally, there is no Appeal to the Tribunal by a data subject against the ICO’s actions; this is thanks to S.166 of the DPA2018 which the ICO relies on if challenged. The data subject is thus effectively limited to Court action in relation to data subject’s rights (i.e. a Compliance Order) or maladministration on the part of the ICO via the Parliamentary Ombudsman.
In other words, the data subject is almost bereft of options under the data protection regime if the ICO gets it totally wrong.
New duties and powers
When reading the following list of duties and powers, remember the Minister has already told Parliament that the ICO’s new duties trump the data protection ones.
First, “the government proposes to introduce a new, statutory framework that sets out the strategic objectives and duties that the ICO must fulfil when exercising its functions” (para 321; my emphasis on must). Evidently the UK’s supposedly “independent” ICO must fulfil the objectives and duties set by Ministers.
The Consultation explains how Ministers will set the ICO’s agenda: “As the ICO's role becomes increasingly important for competition, innovation and economic growth, this strategic framework should empower the ICO to take greater account of impacts in these other domains as it supervises and enforces the UK's data protection regime” (para 321; my emphasis).
The use of the word “empower” is classic doublespeak: it means the ICO is required by law to consider issues unrelated to data protection (e.g. “competition”). For example, suppose the ICO finds another industry (e.g. Adtech) that is flagrantly breaking the data protection law (which Adtech has), the “empowerment” to consider “competition, innovation and economic growth” could well prevent the ICO from taking enforcement action to protect data subjects on these grounds.
Secondly, “the government proposes to introduce a power for the Secretary of State for DCMS to prepare a statement of strategic priorities to inform how the ICO sets its own regulatory priorities.” (para 322). This spells out how the ICO has to follow the Government’s strategic priorities rather than the ICO’s own regulatory practices.
This is reinforced in para 345 which is unequivocal: “The government proposes to introduce a new power for the Secretary of State for DCMS to periodically prepare a statement of strategic priorities to which the ICO must have regard when discharging its functions”. These powers exist to ensure the ICO “toes the line”.
Thirdly, “the government proposes to strengthen the ICO’s existing obligations by placing a new duty on it to have regard for economic growth and innovation when discharging its functions”. As the Minister explained to Parliament (see above), these duties to consider “economic growth and innovation” can determine that powers to protect privacy are not exercised.
Fourthly, “the government proposes to introduce a duty for the ICO to have regard to competition when discharging its functions”. For example, suppose a controller would be put at a significant competitive disadvantage by having received an Enforcement Notice that requires the deletion of personal data. Such a controller would be able to Appeal to the Tribunal that the Notice did not properly take into account the economic, innovation or competition grounds (none of which relate to data protection).
As a reminder, even if the ICO makes a catastrophic error in performing the balancing act between competition and privacy, the data subject cannot appeal to the Tribunal concerning the ICO’s outcome of that balancing act (thanks to S.166 of the DPA2018).
Fifthly, “the government proposes to include, as part of the new framework of objectives and duties, a new statutory objective for the ICO to consider the government's wider international priorities when prioritising and conducting its own international activities” (para 349). Rough translation: as the UK is seeking trade deals with certain countries, the ICO should not rock the enforcement boat if there were to be some dodgy transfers to such countries.
Sixthly, “the government is proposing …the need for the ICO to have due regard to public safety when carrying out its functions”. So suppose a UK controller (e.g. police; local authority) is processing CCTV images in breach of data protection obligations. The duty to consider public safety factors might mean that the breach of the data protection law caused by the CCTV surveillance system might not be enforced on public safety grounds.
Degrading the ICO’s mission statement
The degradation of the ICO’s enforcement role is illustrated by the government proposals “to introduce a new overarching objective for the ICO, in addition to its other functions, tasks and duties”. These “overarching objectives” omit important data protection considerations from the data subjects’ perspective.
The two elements of this “overarching objective” read like a new mission statement for the ICO; they comprise an attempt to wallpaper over the cracks caused by weakening the ICO. The Consultation says that the ICO’s objectives are:
- Upholding data rights: this ensures “the ICO can monitor the application of data protection legislation, uphold the data rights of individuals, and safeguard personal data from misuse”.
- Encouraging trustworthy and responsible data use: this ensures “the ICO will uphold the public's trust and confidence in use of personal data”.
The best thing I can do is edit the above to remove the obvious omissions so you can appreciate the gaps.
These editorial changes are mainly to do with the words “objectives” (it is not clear whether “objectives” trump a “duty”?), the limitations associated with the word “misuse” (this should refer to the word “processing” which is far broader in scope) and the absence of any mention of an objective to explicitly protect data subjects.
My reworded overarching objectives (with added words underlined or [deleted]) read as follows:
- Upholding data rights: this ensures “the ICO has a duty to monitor and enforce the application of data protection legislation, uphold the data rights of individuals, and to safeguard the privacy interests of data subjects [personal data from misuse] ”.
- Encouraging trustworthy and responsible data processing [use]: this ensures “the ICO has a duty to [will] uphold the public's trust and confidence in [use] the processing of personal data”.
Anything less than the above change to the text of the overarching objectives is not worth considering.
Further fettering the ICO’s role
The government “proposes to give the Secretary of State for DCMS a …power to give the Secretary of State a 40-day period to approve a code of practice or complex or novel guidance. If the Secretary of State does not approve it, the ICO must not issue it and another version must be prepared” (my emphasis).
Put bluntly, if ICO guidance contains, for example, too much data protection and not enough economy and innovation it can be refused approval; and has to be re-written. This equates ICO guidance on data protection with school homework which has not been done properly; the Minister marks it for acceptability. In short, the ICO is not even in control of its own Guidance.
Additionally, to ensure the ICO comes to the “correct” conclusions (e.g. about the economy and innovation), the government “proposes to establish an independent board and a chief executive officer at the ICO”; these are intended “to create greater clarity and certainty” in the ICO’s decision making process (which includes the new duties).
The Board and CEO are not appointed by the ICO but by Ministers “via the Public Appointment process”. The detail in the Governance Code on Public Appointments (Dec. 2016; section 3) explains how Ministers make all the key decisions. For example:
- Ministers must agree the composition of Advisory Assessment Panels (i.e. Ministers choose the members of the Panel that chooses the CEO or Board Members).
- Ministers must be consulted before a competition opens to agree the job description for the role, the length of tenure and remuneration (Ministers set the job spec) and agree how the post will be advertised and the selection process to be used.
- Ministers may choose to appoint someone who is not deemed “appointable” by the Advisory Assessment Panel or decide to appoint a candidate without a competition.
In other words, these new powerful positions (e.g. CEO) could easily be filled by Party apparatchiks, chosen by Ministers for their loyalty to the cause.
Adequacy undermined?
With respect to the ICO’s independence, the Adequacy Agreement with the European Commission states:
The independence of the Commissioner is explicitly established in Article 52 of the UK GDPR which does not make any substantive changes to Article 52(1)-(3) GDPR. The Commissioner must act with complete independence in performing her tasks and exercising her powers in accordance with the UK GDPR, remain free from external influence, whether direct or indirect, in relation to those tasks and powers, and neither seek nor take instructions from anyone. (Para 87: Adequacy Agreement).
So three YES/NO questions to conclude with:
- Is there a “substantive change” to the ICO’s role?
- Is the ICO “free of external influence” from the Secretary of State?
- Can the ICO act with “complete independence”?
My answers are: YES to 1; NO to 2 and 3 – and that is why Adequacy could be an issue.
Is this discussed in the Consultation? Of course not.
References
Details of the ICO’s wider “economic” role were spotted via the Information Rights blog of Jon Baines: https://informationrightsandwrongs.com/2021/02/06/ico-statutory-duty-to-promote-economic-growth/
Parliamentary Report from the Delegated Legislation Committee on the Draft Economic Growth (Regulatory Functions) Order 2017 (28 Feb 2017): https://hansard.parliament.uk/Commons/2017-02-28/debates/720823d2-233c-4ece-921a-0069ca0e2c9e/details
A bonus: the DCMS did not tell the CCTV Surveillance Commissioner about the Consultation: amusing but angry response on https://www.gov.uk/government/publications/data-a-new-direction-commissioners-response/dcms-consultation-data-a-new-direction-response-by-the-biometrics-and-surveillance-camera-commissioner-accessible-version