The press release associated with the DPDI No.2 Bill proudly states that the Bill ensures “that the new regime [is] built on the UK’s high standards for data protection and privacy”.
These new “high standards”, evidently, include adopting a definition of “personal data” that fails to meet the data protection standards established by the text of the Council of Europe (CoE) Convention No. 108, as published in January 1981.
In other words, the most enduring international binding agreement on data protection is likely to be breached by the enactment of the No.2 Bill’s definition of personal data, some 42 years later.
Because this definition of personal data is deficient (see below), it follows that all the substantive provisions (e.g. data subject’s rights, Principles, obligations) changed by the No.2 Bill also breach CoE No.108 requirements (as they are all couched in terms of this defective definition).
Additionally, as the No.2 Bill is at odds with CoE No.108, it follows that the No.2 Bill definition of personal data is also inconsistent with the GDPR (and perhaps has a knock-on impact on the Adequacy Agreement – not discussed here).
Note that meddling with the definition of personal data (in the way the No.2 Bill does) creates fundamental changes across ALL of the DP regime. Quite simply, if the information is not personal data, then none of the UK_GDPR obligations apply.
Changes to “personal data” definition
The new definition of personal data distinguishes between two types of personal data depending on whether identification of a living individual is “direct” or “indirect” at “the time of the processing”.
With indirect identification, there is an additional “reasonable means” test to be passed before the information is treated as personal data (e.g. “the living individual is identifiable … by the controller or processor by reasonable means at the time of the processing”).
The two types of personal data, involving direct and indirect identification, mentioned above are:
- Direct “personal data” which relates to a living individual where, at the time of the processing, identification of the individual is by a controller or a processor without the use of any other information (e.g. the identification is directly contained in a database).
If you think about it, there is no need for a “reasonable means” test if there is direct identification of the data subject (as the identification information is sitting in the database!).
- Indirect “personal data” which relates to an identifiable living individual where the identification of the individual is by a controller or a processor but requires other information to be available to the controller or processor, using “reasonable means”, at the time of the processing.
In this case, the identification is indirect as other additional information is needed to complete any identification of a living individual (e.g. pseudonymisation of personal data creates an example of indirect identification).
By implication, there are two types of information that are not personal data. These are:
- “not quite-personal data” which is my term for information which concerns a living individual but where identification of that individual at the time of the processing cannot be undertaken by a controller or by a processor without the expenditure of unreasonable effort to obtain the other additional information to complete the identification.
- anonymous data which is data or information that cannot be attributed to any specific living individual.
For anonymous data, the UK_GDPR recognises that because the living individual is not identifiable (i.e. attributable) in any way, there are no obligations arising from the UK_GDPR, apart from the limited transparency requirements in Article 11.
The definitional change to personal data extends the “no obligations” approach of anonymous data to “not quite-personal data”. This is made clear in the Explanatory Notes to the No.2 Bill: “the legislation does not apply to non-personal or anonymous data” (paragraph 101). The important point here is that the Notes clearly separate anonymous data from non-personal data.
No examples of “non-personal data” (or not quite personal data to use my term for these data) are provided in the Explanatory Notes, nor in the Press Release mentioned above. This kind of omission is unforgivable; the public should not be left guessing what Government means here when its proposals put their privacy at risk.
Hence, my best guess for not quite-personal data is something like the following. Imagine a set of pseudonymised personal data where the pseudonymising personal data linked to the identification details are removed from the set.
This leaves a set of attributes, each of which is derived from a specific living individual, but where that individual cannot be re-identified without, so the theory goes, the expenditure of unreasonable means. (But of course in my guess example, one can keep details to reverse this process quite easily).
Definition of “anonymous data”
The No.2 Bill definition of personal data overlooks the fact that Recital 26 of the GDPR explicitly contains a definition of “anonymous information” (e.g. “information which does not relate to an identified or identifiable natural person”).
In further detail, Recital 26 states: “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information.” (My emphasis to bring out the definition of anonymous information.)
“Not quite personal data” could be equated with “anonymous data” if, for example, Recital 26 had stated something like: “This Regulation does not apply to data where identification of an individual is only possible by the expenditure of unreasonable effort on the part of the controller or processor at the time of the processing”.
But Recital 26 makes no such statement, so anonymous data and not quite personal data are different species of data (which, importantly, are also not personal data according to the No.2 Bill).
“Reasonable means”
Major problems arise from the definition of “reasonable means” as applied to the definition of personal data.
“Reasonable means” is defined as a non-exhaustive (illustrative) list which includes “among other things: (a) the time, effort and costs involved in identifying the individual by that means, and (b) the technology and other resources available to the person”.
Note that if an organisation (e.g. one that has few resources) assesses that no “reasonable means” are available to it, then that organisation can process that information as if it were not personal data (i.e. no UK_GDPR obligations such as transparency, security or rights etc).
However, at the same time, a well-resourced organisation (e.g. perhaps an organisation that has benefited immensely from the obvious Brexit dividends) can come to the opposite conclusion.
Thus a set of not quite personal data in the hands of one organisation could be personal data in the hands of another organisation as a controller or processor, both at the [same] time of the processing.
By contrast, at any particular time, anonymous data by the Recital’s definition remains anonymous irrespective of the nature of the organisation processing the data, because the data cannot be attributed to an identifiable living individual.
So if a “resources poor” organisation and a “resources rich” organisation used the same pool of “not quite personal data”, the latter is likely to be a controller processing personal data whilst the former would not. This inconsistent position is extolled by the Explanatory Notes as “providing greater clarity” about the definition of personal data.
Also note that if an organisation gets its assessment of reasonable means wrong (e.g. it assesses that the identification of living individuals needs unreasonable means), the default position is that the organisation is not a controller and the data are not personal data. This is the position of greatest risk for data subjects because the data are not subject to the UK_GDPR.
This partly explains why the No.2 Bill’s ill-conceived meddling with the definition of personal data is likely to be detrimental to the interests of all data subjects.
The Bill's default position is not the privacy enhancing one (e.g. as espoused in data protection by design and by default); it’s the privacy busting one (e.g. as practiced by Facebook or Clearview AI Inc).
“At the time of the processing”
As already stated, indirect identification of the data subject for the No.2 Bill has to be at “the time of the processing” (e.g. “the living individual is identifiable … by the controller or processor by reasonable means at the time of the processing”).
Suppose personal data are processed at the time of the processing; then a controller can inform the data subject of the intended future processing purposes of his/her personal data and the relevant A.6 lawful basis as required by A.13(1)(c) and A.14(1)(c) of the UK_GDPR. So far, so good.
However, suppose at the time of the processing an organisation is processing not quite personal data. Then there is no obligation at the time of the processing to be transparent to any data subject as the data are not personal data and the organisation is not a controller. A.13 and A.14 only apply when actual personal data are processed (e.g. when indirect identification is completed).
So it can now be seen that sets of not quite personal data can be legitimately processed without any data protection obligation (e.g. perhaps transferred to the USA, or possibly to Russia or China).
Suppose an organisation has obtained not quite personal data and transferred such data to the USA (for example) and re-identification occurs in the USA (perhaps via a number of other organisations dotted around the world to confuse any audit trail).
As such organisations are established well outside the jurisdiction of the UK_GDPR (or any EU version of the GDPR), then data subjects and regulators would be powerless with respect to such personal data once re-identification has occurred.
Such a loophole is only possible by changing the current definition of personal data so that it depends on the time of the processing (and in the case of indirect identification, the reasonable means needed to identify a living individual).
It is interesting to note that the definition of personal data in the GDPR does not contain these qualifications (e.g. “at the time of the processing”) so the definition in the No.2 Bill does not meet GDPR standards.
As stated above, the Government claims that there are “high standards for data protection and privacy”. In practice, any consideration of the Bill’s new definition of personal data exposes that claim as highly suspect.
Identification by “controller or processor”
Now consider why the definition of personal data specifies that the identification of a living individual has to be “by the controller or a processor”. To explain this, consider the processor definition: “the natural or legal person … which processes personal data on behalf of the controller”.
Note that to be a processor, an organisation has to process personal data (as defined in the No.2 Bill) on behalf of a controller. Hence the organisation is not a processor when it processes not quite personal data.
It follows that for not quite personal data there are no contractual conditions, security or transfer obligations, no data breach procedures or reporting (even when the risk of re-identification could be potentially high) and minimal risk of effective sanction from the UK’s ICO (not even a Reprimand!).
So if an organisation based in the USA somehow obtains a copy of a set of not quite personal data and then re-identifies the data to become personal data, such an organisation becomes a controller outside the jurisdiction of the GDPR (the No.2 Bill negates the need for a Representative in the UK).
Quite simply, the words “by the controller or a processor” appear in the definition of personal data to ensure that not quite personal data can be shared with anybody without interference by the UK’s data protection regime.
Surprisingly, this is left unexplained in the Explanatory Notes that accompany the No.2 Bill.
Comparison with CoE No 108
The text of the 1981 Council of Europe Convention 108 on data protection states in Article 2(a) that “personal data” means “any information relating to an identified or identifiable individual (“data subject”)”. Article 3(1) requires: “The Parties [e.g. UK Government] undertake to apply this convention to automated personal data files and automatic processing of personal data in the public and private sectors.”
I contend that the No.2 Bill’s definition of personal data is in clear breach of the text of CoE No. 108 as published in 1981; the same clear breach goes for the definition of personal data in the latest version of 2018 (CoE No. 108+).
This is because there is no concept of “direct” or “indirect” identification of individuals, “reasonable means of identification” and “at the time of the processing” in the CoE’s definition of personal data.
It follows that the definition of personal data in the No.2 Bill does not meet the CoE requirements and that, if enacted, the UK will “fail to undertake to apply this convention to automated personal data files and automatic processing of personal data in the public and private sectors” (as all the substantive protection for data subjects is couched in terms of CoE’s definition of personal data).
Question: if the above happens, would you advise the transfer of personal data to the UK?
Concluding comment
CoE No. 108 was first published on 28 January 1981, a date now celebrated annually as Data Protection Day. The No.2 Bill, if enacted as described above, would make such celebrations unique for UK data protection people.
Instead of organising a party, they will organise a wake.