This blog provides a summary of seven areas where the proposed Data Protection and Digital Information No.2 Bill (“No.2 Bill”) undermines privacy; these should be debated by Parliament. Some areas, such as ICO independence and research, are left unexplored in this blog.
1. Absence of Keeling Schedules
It is difficult to comment on legislation that significantly modifies existing legislation if the relevant Keeling Schedules, which detail the proposed legislative changes, are unavailable (perhaps deliberately so). The No.2 Bill makes 100+ pages of changes to the DPA2018 and the UK_GDPR (as did the No.1 Bill).
Ministers have had over a year from the publication of the No.1 Bill to organise the preparation of Keeling Schedules for the No.2 Bill but have failed to do so. I cannot see how the Committee (or anybody else) can scrutinise this legislation properly without these Schedules.
Hopefully, the Committee will criticise the absence of Keeling Schedules covering the interaction between the No.2 Bill and the DPA2018 or UK_GDPR and demand that they are published even at this late stage.
2. Omission of Human Rights
Although the Information Commissioner (ICO) is welcoming towards the No.2 Bill, this is not the case with respect to the Government’s proposed changes to the UK’s Human Rights Act. Although Mr. Raab has resigned, his Bill of Rights (BoR) remains ready for its Second Reading, and other Ministers have indulged in tinkering (e.g. the Illegal Immigration Bill allows Ministers to ignore Strasbourg jurisprudence).
If anything is going to impact on the European Commission’s Adequacy Decision it is the UK’s approach to Human Rights; the Adequacy Decision itself mentions “human rights” over 80 times and compliance with Strasbourg jurisprudence is expected by the Agreement. Such compliance is the exact opposite of Government policy.
The No.2 Bill is integrally linked to the proposed BoR via Articles 8 and 10 of the Human Rights Act 1998. However, there has been no consideration of how the BoR and the No.2 Bill interact, nor of the impact on the application of the lawful processing conditions.
The ICO is on the record as stating that the impact of the BoR is extensive:
- “The concept of necessity is fundamental across the DPA/UK_GDPR (Article 5 principles, Article 6 lawful bases, Article 9 conditions for processing special category data, Article 23 exemptions, and Schedule 1)”.
- “…likely impact could make it more difficult for the ICO to protect individuals’ data” (e.g. “if public authorities are able to rely on public interest grounds in a presumptive way”) (para 3.27).
The Government should make a statement about the future of the BoR and appreciate that the more they tinker, the greater the risk to Adequacy. Further detail can be found in my blogs:
“UK Bill of Rights set to undermine UK_GDPR and Adequacy”: https://amberhawk.typepad.com/amberhawk/2022/07/uk-bill-of-rights-set-to-undermine-uk_gdpr-and-adequacy.html and
“DPDI No.2 Bill should be paused until the UK Bill of Rights position is resolved”: https://amberhawk.typepad.com/amberhawk/2023/03/dpdi-no-2-bill-should-be-paused-until-the-uk-bill-of-rights-position-is-resolved.html.
3. Dubious cost savings
The Government’s figures, if analysed properly, show that the savings associated with this Bill are insignificant. For instance, as there are 67.1 million data subjects in the UK, the cost of maintaining current UK_GDPR standards works out at £7.00 per year per data subject. This equates to 13.5 pence per data subject per week, or just under 2p per day.
As there are 1.07 million controllers, the average saving for each controller can be calculated at £439 per year per controller. This is about £8.40 per week per controller; about the price of a bottle of plonk.
The question has to be asked: “are the proposed cost savings associated with these legislative changes really worth the candle?”
A full financial analysis can be found in “New DPDI Bill savings inflated by 324%” (written in relation to the No.1 Bill): https://amberhawk.typepad.com/amberhawk/2023/03/new-dpdi-bill-savings-inflated-by-324-loss-of-adequacy-costs-uk-over-2-billion.html
4. Defective re-definition of personal data
The definition of “personal data” in the No.2 Bill is defective; it certainly does not comply with data protection standards established in 1981 let alone the definition of “personal data” in the GDPR. This undermines the substantive provisions in the UK_GDPR/DPA2018 as they are all defined in terms of personal data.
The problem arises because the No.2 Bill brings into the statutory definition only a selective part of the interpretation in Recital 26 of the GDPR (e.g. it does not bring into the new definition the Recital 26 interpretations concerning “anonymous data” or “singling out”). The latter defect explains why the definition does not fully cover personal data captured by facial recognition cameras; the former allows for the existence of “not quite personal data”.
Further detail of the definition’s defects is discussed in my two blogs:
“DPDI No.2 Bill defines “personal data” below the international standards established in 1981”: https://amberhawk.typepad.com/amberhawk/2023/04/definition-of-personal-data-in-dpdi-no-2-bill-results-in-non-compliance-with-coe-convention-no108.html and
“Facial recognition CCTV is excluded by DPDI No2 Bill’s definition of personal data”: https://amberhawk.typepad.com/amberhawk/2023/04/facial-recognition-cctv-excluded-from-new-data-protection-law-by-definition-of-personal-data.html
5. Voluntary data sharing undermining Parliament
The Digital Economy Act 2017 provides Ministerial powers to set up voluntary data sharing arrangements between public bodies; these arrangements are being expanded in the No.2 Bill.
The direction of travel is towards more voluntary data sharing, on the assumption that such data sharing is for the public good. There is very little in the way of redress if this assumption is wrong and the data sharing goes pear-shaped.
For instance, the Bill provides a lawful basis for voluntary data sharing between public bodies, and declares the related processing purposes to be compatible. Thus, informing the data subject about the sharing is largely irrelevant if a data subject who disagrees with the sharing cannot do anything with this transparency information.
The data subject is placed in the same position as being blackmailed in that the data subject is fully informed as to what is going on, but the options for acting on this information are somewhat limited.
Another serious unexplored issue is the conflict between this expanded voluntary disclosure mechanism and the circumstances where Parliament has given powers (e.g. to national security, law enforcement and HMRC) to demand personal data.
For instance, should a voluntary approach for disclosure to a public body be permitted when Parliament has already provided explicit statutory powers to that public body so it can demand the same personal data?
Expansion of the voluntary approach towards data sharing avoids the statutory safeguards insisted upon by Parliament. This raises the question: “What is the point of Parliament providing specific bodies with statutory powers to demand personal data, subject to detailed statutory safeguards, if both the statutory requirements and the safeguards can be avoided by using a voluntary approach towards data sharing?”
For instance, as explained in relation to the voluntary disclosures to HMRC proposed in this Bill, such disclosures bypass HMRC’s statutory powers, bypass the exemption in the DPA2018 that covers such disclosures, and can make data sharing lawful in the absence of any “public interest” test.
See: “DPDI Bill removes “public interest” test in push to legitimise general public sector data sharing”: https://amberhawk.typepad.com/amberhawk/2022/08/dpdi-bill-removes-public-interest-test-in-push-to-legitimise-general-public-sector-data-sharing.html
6. Excessive Marketing made legal
The proposed use of the “legitimate interests” lawful basis to support marketing activities overturns nearly 40 years of data protection law when applied to Third Party marketing. Seeking consent for Third Party marketing has been the norm ever since the early Tribunal Decisions under the DPA1984.
Additionally, the Government has not reproduced in the Bill the safeguards that were associated with consent for Third Party marketing (e.g. it should be as easy to withdraw consent as to give it).
Under the No.2 Bill, there is no statutory ability for data subjects to change their mind about Third Party marketing in an easy way (e.g. if they miss the opt-out box) where it falls within “legitimate interests” (as it does with B2B email marketing).
The result is that the marketing arrangements could be open to considerable abuse, especially in relation to email addresses of employees, unless
- legitimate interest is limited to the controller’s lawful basis (and not expanded to include Third Party marketing) and
- controllers who rely on legitimate interests for their own marketing have to provide an easy and simple way for those who did not see the “opt-out” to change their mind (which includes any Third Party marketing).
This will be the subject of a future blog, so readers can appreciate how this Government “really cares”.
7. Omission of Identity Assurance Principles
As background to the Digital Identity parts of the Bill, I refer to the “Nine Identity Assurance Principles” that were published in 2015 by the Government for inclusion in any future digital identity projects. The Nine Identity Assurance Principles can be found on the Government website at: https://www.gov.uk/government/publications/govuk-verify-identity-assurance-principles/identity-assurance-principles
The objective was to avoid a repeat of the ID Card debacle a decade earlier. The Government asked a number of privacy experts (including the ICO) to debate and draft a set of objectives for a safe ID system. As a result, these Identity Assurance Principles emerged to provide a benchmark for a privacy compliant digital identity scheme.
In summary, consideration of the Identity Assurance Principles allows one to identify which Principles are not being incorporated and to assess the consequences of that omission.
In the No.2 Bill none of the Identity Assurance Principles have been considered, even though the Secretary of State has to produce something called a “DVS Trust Framework”.
It is difficult to see how a Trust Framework that excludes these Principles is itself to be trusted.
Further detail at: https://amberhawk.typepad.com/amberhawk/2023/02/governments-digital-identity-proposals-ignore-obvious-privacy-concerns.html
Data Protection Courses (Summer 2023)
An all-day Zoom workshop (10.00-4.30) on the Data Protection and Digital Information No.2 Bill will be held on Thursday 13 July 2023, hopefully including changes made during the Committee stage of the Bill. The fee will be £250+VAT. Email [email protected] for the workshop agenda or to reserve a place on this session.
The following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance just in case “stuff happens on the day”).
- The next Data Protection FOUNDATION Course is on Zoom only, June 20-22, 2023 (Tuesday to Thursday, 3 days: 45am to 5.00pm).
- The next Data Protection PRACTITIONER Course is in London on Monday, 24 July 2023 to Friday, 28 July 2023 (5 days: 9.30am to 5.30pm).
Full details on the new Amberhawk website (www.amberhawk.com) or obtained by emailing [email protected].