First of all Happy New Year; I hope the recent festive excitement was not too infectious. Indeed, with the risky policy of letting Omicron rip, let us hope there are not too many ex-data subjects, possibly as a result of the collapse of essential services.
I am starting the Year with a real treat; I have been given permission to publish the personal views of Rosemary Jay as submitted to the DCMS consultation “Data: a new direction” (see link at end of the blog). It is a detailed 30-page submission.
I should add that I am a fan of all Rosemary’s writings and publications. They are always well argued and fully referenced; the DCMS would be unwise to ignore her views.
In general, Rosemary thinks it was an error for the Consultation not to deal with the impact of the proposals on the UK’s Adequacy Determination from the European Commission. She also agrees with the ICO that several proposals are unclear as to what is meant.
So if both the ICO and Rosemary are stating that the proposals lack clarity, the question must be asked as to how the DCMS can hold a meaningful public consultation.
Anyway, you don’t need me to prattle on; so to whet your appetite, there follow several quotes from her text.
- “The consultation includes a number of helpful and practical proposals. However the wide scope means that it can be difficult to tease out the useful and/or significant elements. In some cases the impact of the proposals is not clear and in some places it is difficult to work out how different aspects of the proposals fit together”.
- “In addition there are some regrettable omissions…. The most striking omission is the absence of any assessment of the proposals on the UK’s adequacy finding from the EU. , it may mean that many who read the consultation paper will assume that none of these proposals will have a potential impact on adequacy.”
- “It seems that an assumption of legitimate interests is reasonable (a bit like the old registration or notification exemptions – processing widely accepted as low risk) however the categories proposed need to be re-examined. Overall the better approach may be to add a presumption of legitimacy which could be rebutted in specific cases, particularly in the case of internal business purposes”.
- “In relation to cookies this proposal seems nugatory and adds nothing to the impact of PECR and should be removed” [for the reasons set out in Rosemary’s evidence]…“...It is regrettable that cookies have been included in this section on legitimate interests without reference to the section of the paper covering PECR related issues, including the placing of cookies”.
- “The proposals to remove the DPO role, DPIAs and central records of processing; the proposed changes to the position and independence of the ICO; the potential changes to the compatibility regime; the potential removal of the Article 22 rights; the proposal to diminish the test of fairness in relation to AI, and the cookie proposals all raise potentially serious problems with the adequacy assessment”
- “There seems no point in removing the role of the DPO which is now well-understood and utilized, and replacing it by a “suitable individual responsible for the privacy management programme””.
- “As a result the failure to evaluate and discuss the adequacy risks attached to different parts of the proposed changes means an essential element of the relevant policy consideration is missing in every aspect of the proposal”.
- “Secondly there is little clarity over which parts of the proposals would impact on the law enforcement and security provisions in the Data Protection Act 2018 (DPA 2018)”.
- One proposal that a new legal basis for processing is not required for compatible processing (justified in terms of an “odd sentence in Recital 50”) “….is fatally flawed”. “It would undermine the UK regime by importing an unjustified liberty to carry out new processing without proper assessment and ensuring the application of adequate grounds for processing in the particular case. As the grounds for processing are a fundamental concept in the GDPR this would amount to a significant undermining of the UK regime”.
- “These proposals are extremely confusing [relating to when further processing may occur when the original lawful ground was consent]. It is difficult to have any real sense of what is being proposed”.
- “The conflation of research with non-research further processing is misleading. The proposals need to be clearly re-drafted and set out concisely what is being proposed in each case. In particular the cases where there is a statutory presumption of compatibility need to be distinguished from those where there is no such presumption, therefore re-use for research purposes should be clearly distinguished and it made clear the second section does not cover re-use for research”.
- “Further, the use of the broad, generic term “public interest” needs to be addressed – there is no generic test of public interest and it needs to be considered and applied in specific contexts; re-consent or consent situations should be distinguished from those where there is no consent or no other ground”.
- “It cannot be asserted that there is always a public interest in all research, or that, to the extent there is a public interest, it is always of the same nature or importance. Research into the hair colour of women who buy stiletto heels is not on a par with research into the causes of diabetes. Accordingly there is no justification for removing the rigour of the law from all research and a more appropriate and balanced option needs to be considered”.
- “Irrespective of the purpose of the processing or the purpose of collection, it [the Consultation Document] recommends permitting the re-use of personal data for a new purpose, including an incompatible purpose, where the processing safeguards an important public interest”.
- “Irrationally (and arguably giving a misleading impression) this also covers where the data subject has “reconsented” to the new purpose which is a wholly different fact set and should be clearly differentiated. In such a case the controller can rely on the consent and the issue of compatibility does not arise”.
Concluding comments
Sometimes, I wonder who actually is driving some of the changes proposed by the DCMS; my nightmare is that it is the same people who wrote that awful TIGRR report (see references).
My blogs before Xmas provide ample evidence of a relatively low standard of data protection knowledge that is inherent in some of the DCMS justifications for its proposals (e.g. especially around consent, incompatibility, research and accountability).
In addition, I think the DCMS proposals:
- put the ICO’s independence at risk.
- in relation to transfer from the UK, are far too loose and will be unacceptable in the EU.
- for a privacy management programme to replace accountability obligations are a recipe for inconsistent data protection management on the part of UK controllers.
- are not supported by evidence; that is why the DCMS Consultation asks for evidence.
It is strange that the Government wants to attract high tech industry to the UK whose customers are likely to include many EU controllers; such customers will expect AI services and software products produced in the UK to satisfy the EU_GDPR requirements.
The fact that such products and services are produced in a country that has low data protection standards, as outlined by the DCMS proposals, does not strike me immediately as being a strong USP.
Hence losing that Adequacy Determination is an important factor; Rosemary is absolutely correct to point out that the absence of Adequacy discussion in the DCMS Consultation was a major mistake.
Finally, given the political difficulties the Prime Minister is in with his own Party, there is a real risk that the GDPR (and the proposed changes to the Human Rights Regime) will be red meat to be thrown to the right wing of the Conservative Party (e.g. the TIGRR brigade) as an example of the UK “taking back control”.
In practice, the real threat is to UK data subjects losing control and the deliberate undermining of their privacy protection.
References
Load a copy of Rosemary’s personal evidence here: Download RJ personal view on DCMS Data proposals
The blog “TIGRR, Eeyore and Pooh Bear decide to destroy the GDPR”: https://amberhawk.typepad.com/amberhawk/2021/06/tigrr-eeyore-and-pooh-bear-decide-to-destroy-the-gdpr.html