I have atoned for not delivering a blog for two months by reading Schedule 13 of the Data Protection and Digital Information No 2 Bill (the “Bill”). As readers know, the Information Commissioner (ICO) is to be replaced by an Information Commission, and Schedule 13 outlines the procedural arrangements for the operation of the Commission.
Schedule 13 is not “a gripping read”. With all its provisions about voting, quorums, Committees, Board Members, Chairs and Chief Executives, the text can be described in two words: one is a swear word and the other is “boring”.
However, this Schedule has the potential to transfer data protection power to the Secretary of State (“S.o.S”) through the appointment of (“trusted”) Non-Executive Members to the Commission. The proposed Commission’s decisions, from the direction of data protection policy to the appointment of the Chief Executive and other Committee Members, are all subject to the approval of these Ministerial appointees through its voting structure.
For example, new Clause 120B to the DPA2018 says the Commission (once established) has to have regard to a number of factors (e.g. innovation, competition, crime reduction, national security) as well as protecting personal data. The S.o.S can influence which of these factors prevail through the ability to appoint Non-Executive Members to the Commission.
In this Blog, I give several examples to highlight the risks to data subjects. The references relate to the Bill at Second Reading (Commons) if readers want to follow the points being made.
ICO becomes Chair NOT Chief Exec
When the Commission is established in about 2 years’ time, the current ICO becomes the Chair of the Board and not the Chief Executive (see Schedule 13, page 204, para 2(2)(sic)). This is a surprise since it is usually the Chief Executive who is responsible for all day-to-day executive actions (e.g. detail of enforcement, strategy, policies).
The Chair is not usually involved in such mundane day-to-day activity; the role is usually limited to being a reassuring figurehead and ensuring the Board runs smoothly.
Just think of your organisation and the roles of Chief Executive and Board Chair. The Chief Executive has the real day-to-day power; the Chair stays aloof from the fray and only gets involved when an issue is huge, or the Board fails to operate properly. And so it will be for this Commission.
As can be appreciated, the current ICO acts more like a Chief Executive and not a Chair (e.g. deciding on whether to enforce, issuing Codes of Practice, deciding on Guidance, making public statements). In future, such actions are likely to become the responsibility of the Chief Executive and Non-Executive Members of the Commission and not the Chair.
So who becomes Chief Executive becomes very important. This lucky person is appointed by the Non-Executive Members of the Commission, all of whom are appointed by the S.o.S. There is no Parliamentary involvement in this selection.
In other words, the Chief Executive is indirectly chosen by the S.o.S, as the Non-Executive Members of the Commission who appoint the Chief Exec are all appointed by the S.o.S.
In addition, to make sure that the Non-Executive Members of the Commission make the “right” Chief Executive choice, they must consult the S.o.S prior to appointment (so that the S.o.S. can signify approval of their choice: para 3(4)).
The current ICO as Chair
So what will Mr. Edwards do when the Commission comes into being? As the current ICO’s 5 year term is scheduled to end on 3 January 2027, he is likely to become Chair in the last year of his tenure. It will probably take this last year to embed the new Commission’s governance arrangements.
If one assumes a two-year lead-in time from the initial enactment of the Bill (likely in May-July 2024) to the substantial provisions of a revised DPA2018 coming into effect (e.g. establishment of the Commission), then we are looking at Spring 2026 for the commencement of the Commission.
This two year delay is a reasonable assumption. Such a delay occurred with the DPA1984 (commenced in 1986), the DPA1998 (commenced in 2000) and GDPR Regulation passed in 2016 (commenced with the DPA2018). The delay is needed to rewrite the necessary Guidance on the revised DPA2018.
In other words, by 2026, the Government has to wait about 9 months or so before the current ICO rides off into the sunset (suitable gong in hand).
I suspect in practice that the current ICO will try and act in the same way as he does now. However, it may come as a surprise to him (and future Chairs) that the real power lies with the Chief Executive and the other Non-Executive Members of the Commission chosen by the S.o.S.
There is the potential for conflict; for instance, suppose the Chair wanted to “do something” contrary to the views of the Chief Executive and Non-Executive Members of the Commission. If this happens, any conflict is likely to be resolved by the votes of other Non-Executive Members of the Commission (all of whom have been chosen by the S.o.S.). In this way, the Chair easily loses out.
In this management structure, the Chair is not free to develop UK data protection policy as the current ICO has done. Instead of the Chair being the UK’s data protection leader (the current position), the risk is that the Chair becomes a “prisoner” of the Commission’s management structures, as controlled by chosen S.o.S. acolytes.
Members of the Commission
The Commission consists of Executive and Non-Executive Members. The Non-Executive Members of the Commission are only appointed by the S.o.S (Sched 13, para 3(2)(b)). There is no Parliamentary involvement.
These Non-Executive Members do not get involved in day-to-day activities, which are the responsibility of Executive Members. Non-Executive Members, however, can be expected to be involved in approving overall policymaking as well as monitoring the activities of Executive Members.
Executive Members of the Commission can be appointed by other Non-Executive Members (para 3(3)) or by the S.o.S. (para 9).
Although there is “fair and open” competition for all Members of the Commission (para 5(2)), it has to be remembered that the S.o.S can influence who is on the shortlist; the risk of only choosing between “trusted potential appointees” is not eliminated. This risk would be much reduced if, for example, there was a specific requirement to have Members who are mandated to look out for the interests of data subjects.
At any time, Schedule 13, para 4 requires the number of Non-Executive Members to be greater than the number of Executive Members. This means that there are skewed voting arrangements. The Non-Executive appointees (chosen by the S.o.S) have a vote; all Executive Members (e.g. those chosen by Non-Executive Members) do not have a vote.
The Committees
The Commission is free to establish committees that contain “other persons” who are not Members of the Commission or employees (para 13). Indeed, the Commission can delegate any of its functions (e.g. enforcement) to that Committee or indeed to those “other persons” (para 14) whoever they may be.
There is no obligation for these “other persons” to possess suitable qualifications, or to apply for advertised positions, or to be subject to Parliamentary scrutiny.
Worst case scenario: Non-Executive Members (i.e. “S.o.S. chosen cronies”) vote for like-minded Executive Members (i.e. more cronies) and “really trusted” members of all important Committees (e.g. perhaps semi-cronies) to generate and approve all “appropriate” data protection policy.
Of course, many may argue that this worst case of cronyism won’t happen. However, that misses the point. The fact that this worst case position can be constructed from the comitology specified in this Bill shows that any guarantee that the Commission is 100% independent of S.o.S. influence is demonstrably false.
A set of worst case scenarios
This lack of independence is reinforced by other provisions in the Bill. I give three examples, but to understand what I am driving at, assume the Commission is controlled by (or contains) a set of S.o.S approved, Non-Executive, “friends”. All of the examples below give rise to a potential conflict of interest that is likely to be detrimental to the interests of data subjects.
Example 1: Clause 19 of the Bill (Law enforcement Codes of Conduct) specifies that Codes of Conduct can “demonstrate compliance with the requirements of this Part” (i.e. the law enforcement Part 3 of DPA2018). In other words, the law enforcement provisions of Part 3 are satisfied if the processing meets the requirement of a Code of Conduct.
Sounds reasonable, until one considers how a Code of Conduct is produced.
Well, the Commission (via its Non-Executive Members chosen by the S.o.S.) identifies an expert public body to draft a Code of Conduct (e.g. how about the Home Office? What a surprise!) which then submits its text, eventually to the same Non-Executive Members for approval on behalf of the Commission.
In this way, there is a potential conflict of interest if a Code of Conduct permits the Home Office to determine lawful processing for the controllers under its own departmental remit. This conflict of interest would be reduced if there were Members charged with looking after the interest of data subjects.
Example 2: Clause 25(3), which introduces Section 82A(8) into the DPA2018, allows Part 3 personal data to be designated as being subject to national security processing rules. Before issuing a designation notice, the S.o.S. “must consult the Commission”.
In practice, this means the S.o.S. consulting a Commission controlled by Non-Executive Members where the S.o.S. has appointed these Members to the Commission. This more or less repeats the conflict of interest re law enforcement, as there is unlikely to be much disagreement about a designation notice.
The result of this conflict of interest is that national security compliance with the DPA2018 becomes even weaker; again an argument for the existence of Members charged with looking after the interest of data subjects.
Example 3: Clause 30 includes a reference to the panel that is formed to consider any draft Code of Practice (e.g. on data sharing). If this panel were to become a Committee of the Commission, this in turn means that the members of that Committee and the draft of a Code of Practice would be signed off by Non-Executive Members chosen by the S.o.S. This mechanism risks skewing Code of Practice content in favour of a text that is favourable to the S.o.S.
Note I have not mentioned a role for the Chair in any of the above. By a miracle of Comintern comitology, devised by this Bill, the Chair has no defining role.
Conclusion
The ICO often states that he is satisfied that regulatory independence is guaranteed under the DPDI No 2 Bill. In evidence to the Bill’s Standing Committee he said: “I do not believe it [the Bill] will undermine our independence at all. What I think it will do is to further enhance and promote our accountability”.
I hope the ICO now appreciates that he risks being profoundly wrong.
Forthcoming Data Protection Courses
Our well received, all-day Zoom workshop (10.00-4.30) on the Data Protection and Digital Information No 2 Bill will be held on Thursday 7 December 2023. The fee will be £250+VAT. Email [email protected] for workshop agenda or to reserve a place on this session.
The following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance just in case “stuff happens on the day”).
- Data Protection PRACTITIONER Course is in London on Monday, 20 November 2023 to Friday, 24 November 2023 (5 days: 9.30am to 5.30pm).
- Data Protection FOUNDATION Course is in London on (December 12-14, 2023: Tuesday to Thursday, 3 days: 9.45am to 5.00pm) or
Full details on Amberhawk’s website (www.amberhawk.com) or obtained by emailing [email protected].