According to press leaks, tomorrow’s Queen’s Speech is likely to contain two pieces of legislation that impacts on the current UK’s data protection regime. Evidently they will form part of the Great Brexit Dividend which, surprisingly, has yet to reveal itself to the general public.
According to the leaks, there is to be a Data Reform Bill, which is intended to implement the DCMS proposals, post its consultation (“Data: a new direction”). There will also be legislation intended to implement the MoJ proposals outlined in its consultation (“Human Rights Act Reform: a Modern Bill of Rights”).
This blog covers the ICO submission to the latter consultation; it was published last Friday and is limited to ICO responsibilities relating to the processing of personal data in the context of A.8 and A.10 ECHR.
The ICO’s 18 page submission explains, on each page, how the UK’s data protection regime is likely to be severely impaired by the MoJ proposals. This contrasts with the 123 page MoJ consultation document which is devoid of any data protection content.
This probably explains why the ICO has devoted a whole section of his response to the history of “The relationship between ECHR and UK data protection law”. There is now no excuse for the ignorance displayed by the MoJ (and the DCMS) in relation to the omission of this important relationship in their respective consultation documents.
The MoJ consultation also ignored the impact of the Human Rights changes on the UK’s Adequacy Agreement with the European Commission. The ICO comments that “..the UK’s domestic and international commitments to human rights were particularly important elements for its adequacy decisions in respect of the UK” adding that “The Human Rights Act 1998 and the European Convention on Human Rights (ECHR) are referenced extensively” (para 4.21).
Indeed, I counted about 80 references to “human rights” in this Agreement. That is why, I think that if the UK’s Adequacy Agreement were to collapse, it would be the proposed changes to the UK’s human rights regime that would be the root cause.
A lack of trust
The first point to make is that the ICO complains about the insufficient clarity or detail with respect to the MoJ proposals. He writes that “It is difficult to accurately foresee the full practical implications of any changes” as they are presented to the public “in the abstract” (para 3.01). The ICO adds that further engagement is needed in “understanding the impacts”.
So if the ICO cannot clearly see what the MoJ is proposing, what hope is there for us “lesser mortals”? I should also add the previous ICO made exactly the same criticism of the DCMS proposals (see references).
The second point is that (as is well known) the ICO supports the “government’s ambitious National Data Strategy with its first two key missions being ‘to unlock the value of data held across the economy’ and ‘securing a pro-growth and trusted data regime’ ”.
However, before economic nirvana is attained, the ICO states that UK citizens have to be convinced that there is “A trusted data regime [that] relies on having comprehensive and robust data protection law and regulation” (paras 1.23 and 1.24).
Having posited the need for “trust”, the ICO then puts the boot in. He writes that “implementing some of the government’s proposals risks weakening this [A.8] right as it applies in practice” and that “This in turn could affect individuals’ and wider society’s trust and confidence in the data regime, ultimately affecting the UK’s data driven economy”.
In other words, the MoJ proposals create a significant risk of adding further to the loss of public trust in this Government.
ICO explains the lack of trust
The ICO states that he “has significant concerns about the potential impact of these (proposed) changes” and that the “…practical repercussions of this [potential impact] could be significant for the application of the data protection regime“
For instance, “Changes in how the concepts of necessity and the public interest are assessed in human rights law will inevitably have an knock on effect on their assessment in data protection law”.
In further detail, “The concept of necessity is fundamental across the DPA/UK_GDPR (Article 5 principles, Article 6 lawful bases, Article 9 conditions for processing special category data, Article 23 exemptions, and Schedule 1)”.
The ICO’s conclusion is that the “…likely impact could make it more difficult for the ICO to protect individuals data” (e.g. “if public authorities are be able to rely on public interest grounds in a presumptive way”: para 3.27).
Finally, the ICO points to a circular irrationality in the MoJ’s arguments. If “’necessity’ and ‘the public interest’ are given ‘great weight’ as per Parliament’s intention then “any legal duty or permission” placed on a controller “will pre-empt any assessment by the regulator and make it very difficult to argue that a measure was either not necessary or not in the public interest”.
In other words, the enforcement of data protection in the above circumstances could well become almost impossible especially against a public sector controller that claims its processing is “necessary” for its public task or in “the public interest”(i.e. A.6(1)(e)).
Balancing Articles 8&10 ECHR
The ICO states that “Cases involving both Article 8 and 10 are often unique in their nature and have wide and deep implications for both individuals and wider society. Tipping the balance too far in the favour of freedom of expression could reduce protection given by public authorities, including the ICO, to privacy rights” (para 3.43).
The ICO continues “The right to private and family life is a condition precedent to the enjoyment of other rights including freedom of expression, freedom of assembly and freedom of religion. In addition to fully extrapolating the direct impacts on privacy (related to data protection) set out above, the government should carefully consider how the impacts on privacy and data protection will have causal effects on other fundamental rights”.
For example, the proposal would make it easier for the tabloid press to publish salacious personal details prior to a trial or where the press decide someone is a target for innuendo or derision (e.g. the Bristol landlord wrongly linked by the tabloids to the murder of Joanna Yeates).
In addition, the “…move away from balancing the qualified rights against each other to place constraints or to weight one interest more heavily than another” could also have “a significant impact in relation to the principle of proportionality" (para 3.24).
At this point, it is worth repeating a similar warning from the Report of the Joint Parliamentary Committee on Human Rights (see previous blog). It stated: “Giving undue priority to freedom of expression in primary legislation could undermine the ability of individuals to enforce their rights to privacy, a fair trial and freedom of assembly and upset the balancing exercise the courts currently undertake when competing rights are engaged” (para 210 of the Report).
Concluding comment
As stated in previous blogs, both the MoJ and DCMS consultations are seriously defective (see references for chapter and verse). In both cases, the ICO response has called for a further round of “engagement” prior to any legislation being enacted (e.g. to clarify the omissions and errors). This call for further consultation, I suspect, will fall on deaf ears.
Indeed, I have yet to see any proposal, in either the DCMS of MoJ consultation, that is well argued, supported by evidence and which improves the data protection lot of controllers or data subjects. Indeed, the DCMS requested respondents to provide the evidence it needed, whereas the MoJ consultation justified its arguments by wholly misrepresenting the relevant case law.
However, the political fact is that Government has a majority and is intent on pushing changes through, irrespective of the arguments, evidence or dissent.
So, at the end of this legislative process each of us will be faced a simple question: “Do you trust a Boris Johnson Government to protect your personal data to high ethical and legal standards, especially your medical records or your electronic identity details?”.
I confess, I already know my answer to this question.
Summer Data Protection Courses
Because of continued COVID uncertainty, the following courses can be attended in person, or via Zoom, or as a mixture if you something untoward happens. It's up to you.
- The next Data Protection PRACTITIONER Courses is in London on Tuesday July 5-7; July 19-21 (6 days); full details by emailing info AT amberhawk.com
- The next Data Protection FOUNDATION Course is in London on Tuesday, July 12-14 (3 days); full details by emailing info AT amberhawk.com
References
Link to ICO’s Human Rights response: https://ico.org.uk/about-the-ico/consultations/ministry-of-justice-consultation-human-rights-act-reform-a-modern-bill-of-rights/
The Joint Committee of Human Rights Report into the MoJ proposals: link available from https://committees.parliament.uk/work/6404/human-rights-act-reform/publications/
My response to the DCMS Consultation (with links to my 7 blogs on different parts of the DCMS Consultation at the end of this blog): https://amberhawk.typepad.com/amberhawk/2021/11/data-a-new-direction-amberhawks-response-to-the-dcms-consultation.html
My response to the MoJ human rights Consultation (with links to my 4 blogs on different parts of the MoJ Consultation at the end of this link): https://amberhawk.typepad.com/amberhawk/2022/03/omissions-in-human-rights-proposals-degrade-privacy-and-freedom-of-expression.html
Comments
You can follow this conversation by subscribing to the comment feed for this post.