This blog reviews the new Information Commissioner’s speech at the end of March to a group of IAPP data protection specialists. The speech contained statements that I don’t recognise as being consistent with the DCMS proposals for changing the UK_GDPR.
One passage in the speech related to the general importance of the need for a lawful basis for many actions; whether that lawful basis relates to stop and search by the police, or the processing of personal data by a controller. The Commissioner also stressed the importance of maintaining strong data subject rights and stated that this is a commitment found in the DCMS proposals.
Sadly, this and other blogs have pointed out (see references), the importance for a lawful basis is likely to be much degraded by the DCMS proposals to change the UK_GDPR; further significant degradation arises from the MoJ’s proposals to change the UK’s human rights regime.
Similarly, rights of data subjects could well be significantly diminished if the DCMS proposals are enacted whilst the MoJ proposals offer diminished respect for private and family life.
I have also come across published information from the Human Rights and Equality Commission, which indicates that the MoJ’s proposals for changes in the UK’s Human Rights Act is very likely to place the Adequacy Agreement with the European Community at considerable risk.
Human Rights and Adequacy
Like most commentators on the DCMS proposals, the Commissioner’s speech does not mention how the MoJ proposals, for changing the UK’s human rights regime, impacts on data protection. This omission does not surprise as the MoJ itself makes no reference to data protection in its consultation document.
This is despite the fact that data protection is integrally linked to Article 8 of the European Convention on Human Rights (explicitly stated in Recital 1 of the old Directive 95/46/EC) and the fact that UK has signed an international agreement to submit to the judgements of the European Court of Human Rights (ECHR).
By contrast, the MoJ’s consultation document explains that submission to ECHR judgements is NOT on the menu (see references). However, such submission is assumed by the Adequacy Agreement that guarantees the free flow of personal data from the European Union to the UK. It follows that the Adequacy Agreement, which mentions the term “human rights” more than 80 times, is at risk if this standoff is enacted as part of UK law.
This risk is confirmed by the Equality and Human Rights Commission. In it its evidence to the MoJ, the Commission states that its proposed changes that impact on data protection also comprise a “likely breach” of international human rights law (see full quote below) including that Adequacy Agreement.
The risk is not only to data subjects. For instance, would your company purchase “GDPR compliant” software or IT services from an organisation, established in the UK, when the UK has had its Adequacy Agreement withdrawn by the European Commission?
I suspect that, like the hedge fund associated with Mr. Jacob Rees-Mogg, such a software or IT services company would relocate to within the EU – thus reducing the attractiveness of the UK as a technology base.
Lawful basis
In his speech, the Commissioner referred to the case of Entick and Carrington from 1765, although the legal principles can be traced back to paragraphs 39 and 40 of Magna Carta 1215.
In Entick and Carrington, bailiffs from the king, without lawful authority, entered the plaintiff’s house looking for seditious material; they conducted a thorough search of private papers,. The Court found in favour of the plaintiff, finding that for such an intrusion, the King himself, and his agents needed a clear legal authority that was absent in their search.
The Commissioner concluded: “…These concepts, that form the basis of our law, that you must have a lawful basis for rifling through my papers and information, that an individual is entitled to assert and exercise agency, and autonomy over his or her domain and personal affairs …”.
The MoJ’s human rights proposals (if enacted) would undermine the lawful basis for processing personal data. They require the Courts to give “great weight” to the fact that Parliament enacts legislation that states that the processing is “necessary” or that the processing is in the “public interest”. This requirement (e.g. to give great weight), will also applies to the Commissioner when enforcing relevant parts of the DPA2018 or the UK_GDPR.
As these words (especially necessary) are used in three Principles in A.5, A.6, A.9, A.23 (of the UK_GDPR) and Schedules 1 to 4 (of the DPA2018), it follows that enforcement of those provisions (e.g. the lawful bases in A.6) becomes far more difficult for the ICO. A regulator whose enforcement (e.g. of lawful basis) which is fettered in this way has to be in a weaker position to protect data subject rights or interests.
The Equality and Human Rights Commission, in its evidence to the MoJ (see references), criticises this fettering in the following way. It states (my emphasis):
- “The proposed reform would require the courts to accept that the existence of the law is “determinative of Parliament’s view that the legislation is necessary in a democratic society” (as in Option 1) or “give great weight to the fact that Parliament was acting in the public interest in passing the legislation” (as in Option 2). “…We do not consider it necessary or appropriate to bind the courts in these ways…” and “….Courts are best placed to make such considerations on a case-by-case basis”.
- “We do not support Options 1 or 2 of the proposed clauses, and recommend that the Government avoid legislating in this area. An attempt to prescribe how UK courts should balance competing interests across different situations is likely to breach Article 1 and/or Article 13 of the ECHR and therefore fail to comply with the UK’s international legal obligations. Balancing human rights requires careful consideration of various factors”. (Answer to Q23 of the MoJ Consultation).
Note the Equality and Human Rights Commission strongly infer that the MoJ proposals would also comprise a “likely breach” of the Adequacy Agreement which is dependent on UK “submission” to the ECHR judgements.
In addition, the Commission infer that provisions that “bind” the Courts will also “bind” the ICO enforcement of provisions that depend on “necessary” or “in the public interest” (e.g. enforcement of three Principles in A.5, A.6, A.9, A.23 and Schedules 1 to 4 of the DPA2018).
I should add, that under the DCMS proposals, there is something similar: certain processing will be deemed to be necessary in the public interest, or certain processing can be designated to be necessary in the legitimate interests of the controller without consideration of any overriding legitimate interests of the data subject. In other words, the processing is pre-ordained for the lawful basis in A.6(1)(e) or A.6(1)(f) and this position might have to be given “great weight” by the ICO.
In summary, the Commissioner’s comments in support of legal basis are most welcome; however, they do not reflect the Government’s proposals as described above and in the DCMS and MoJ consultation documents.
Weakened data subject rights?
The Commissioner, in his speech, states “If anything, I can see a clear intention to reduce regulatory burdens, in order to create a streamlined law that more effectively protects people’s rights”.
I can see how a streamlined law reduces the regulatory burdens; I have great difficulty seeing how this reduction “effectively protects peoples’ rights”. If anything, with respect to data subject rights, the DCMS (and MoJ) proposals are likely to do the precise opposite.
For example, looking at both consultations together only in relation to data subject rights, they:
- do not consider the chilling effect on the right of subject access (A.15) if an access fee is introduced (e.g. the DCMS consider impoverished data subjects could use the services of unspecified Third Parties); the introduction of a fee is also a clear breach of A.12(5).
- do not consider the how the “right to object” (A.21) works in practice (e.g. when the DCMS Consultation proposes Ministerial powers to determine that processing that was “in the public interest“, “necessary for a public task” or always “necessary” in the controller’s legitimate interest). The right to object is also negated if there were to be a “research lawful basis”; the DCMS fail to consider this link to rights in their consultation.
- do not consider the impact on the right not to be profiled in A.22 (e.g. where the DCMS consultation refers to legislation allowing more profiling and automated decision taking to be undertaken); instead the DCMS refers to the prospect of removing the right not to be profiled.
- do not consider the impact on the right to erasure, as expressed in A.17(3)(a), when there is a need to balance of interests between individual privacy and the freedom of expression and to impart information. In fact the MoJ proposals intend to tilt the current balance in favour of the latter.
- do not consider the impact of the introduction of new exemptions from rights from any UK_GDPR right as being “necessary” or “in the public interest” merely because the exemption has been approved by Parliament in secondary legislation (e.g. an example is provided by “The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022”).
- do not consider the impact of the introduction of new justifications for processing health records, other special category of personal data and criminal offence personal data on the right to respect for private and family life (e.g. any law that states the processing is “in the public interest” (or “necessary”) merely because these terms are found in a law that has been determined by Parliament.
- do not consider the impact of the enforcement of data subject rights in a revised data protection regime, if the Commissioner has to consider issues that have nothing to do with data protection (e.g. the requirement for the Commissioner to consider economic matters or public safety issues on the ability to enforce the rights of data subjects).
By contrast the Commissioner believes that the DCMS proposals, if enacted, would allow a EU data subject to enjoy “the same level of protection in Manchester as it does in Munich” ; he struggles “to see how the legal protections will be less in Cardiff than is afforded to those in Copenhagen”. Given the above, I find it hard to justify such statements.
Concluding comments
In her evidence to the DCMS, Elizabeth Denham pointed out she could not comment in detail on many of the DCMS proposals, because she did not know the detail of what was being proposed. Indeed, I have documented 30+ incidences where the previous Commissioner effectively said – “no comment; I don’t know what the DCMS intend” (see references).
In other words, the previous Commissioner was not in a position to make the claims made by the new incumbent. For instance, when the new Commissioner asserts that “… DCMS have committed to maintaining high standards of protection….”, I have to point out there is a dearth of evidence to support this assertion.
Finally, I should state that is not the position of the Commissioner to campaign against or overtly criticise DCMS and MoJ proposals to change the law; that is the role of Parliament unless there is an invitation to comment as in a public consultation.
Equally, it is not the role of the Commissioner to open himself to the accusation that he is supporting official proposals for change when they are palpably characterised by omission (e.g. Ms. Denham’s evidence), incompleteness (e.g. omitting concerns over A.8 and A.10 human rights) and defective analysis (e.g. see Rosemary Jay’s evidence to the DCMS).
See, you don’t have to take it from me (see references).
BCS Qualification Courses in DP (May/July 2022)
Because of continued COVID uncertainty, the courses below, leading to the relevant BCS qualification in data protection, can be attended in person, or via Zoom, or as a mixture if you something untoward happens (e.g. you have to isolate mid-course).
- The Data Protection Foundation Course is in London, and starts Tuesday, May 9-11 (3 days); Full details on http://www.amberhawk.com/DPFoundation.asp or by emailing [email protected]
- The Data Protection Practitioner Course is in London, and starts Monday, May 16-20 (5 days each 9.30-5.30); Same syllabus as 6 day course but longer days; details on amberhawk.com/StandardDP.asp or by emailing [email protected]. The next 6 day Data Protection Practitioner Course is in London on 5-7 July and 19-21 July. Details from the links already given.
References
- Entick v Carrington [1765] EWHC KB J98.
- ICO’s speech to the IAPP, 24 March 2022: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2022/03/iapp-data-protection-intensive-uk/
- The Equality and Human Rights Commission evidence to the MoJ on Human Rights in the UK (click 2022): https://www.equalityhumanrights.com/en/legal-responses/consultation-responses
- My MoJ views are based on the text of my blogs:
18 Jan 2022: UK’s human rights proposals significantly weaken protection for all data subjects https://amberhawk.typepad.com/amberhawk/2022/01/uks-human-rights-proposals-significantly-weaken-protection-for-all-data-subjects.html
26 Jan 2022: Human Rights proposals undermine Data Protection and Adequacy https://amberhawk.typepad.com/amberhawk/2022/01/human-rights-proposals-undermine-data-protection-and-adequacy.html
28 Feb 2022: Proposals to strengthen journalists’ freedom to report is based on a fundamental misreading of ECHR judgment https://amberhawk.typepad.com/amberhawk/2022/02/proposals-to-strengthen-journalists-freedom-to-report-is-based-on-a-fundamental-misreading-of-echr-j.html
8 March 2022: Omissions in Human Rights proposals degrade privacy and freedom of expression https://amberhawk.typepad.com/amberhawk/2022/03/omissions-in-human-rights-proposals-degrade-privacy-and-freedom-of-expression.html
- The blog where I identify 30+ proposals where the previous ICO said she did not know what the DCMS was proposing. https://amberhawk.typepad.com/amberhawk/2022/02/outcome-of-dcms-data-protection-consultation-pre-determined-it-helps-to-save-big-dog.html
- My blogs on the DCMS proposals themselves that show many of the DCMS proposals are defective or make serious omissions: see the list of 7 blogs at the end of: https://amberhawk.typepad.com/amberhawk/2021/11/data-a-new-direction-amberhawks-response-to-the-dcms-consultation.html
- Rosemary Jay’s evidence to the DCMS (download at end of): https://amberhawk.typepad.com/amberhawk/2022/01/independent-evidence-that-the-dcms-data-proposals-could-undermine-adequacy.html
- Unlike the Equality and Human Rights Commission, the ICO has yet to publish its response to the MoJ. I will put a URL here when it is published.
As always a detailed and insightful analysis Chris, which if all comes to pass is deeply concerning.
Posted by: Cindy Paul | 13/04/2022 at 05:18 PM