This is my contribution to the Second Reading (Lords) of the Data Protection and Digital Information (DPDI) Bill which is tomorrow.
First there is a legal opinion, just published by defenddigitalme from Stephen Cragg KC of Doughty Street Chambers. This is accessible from https://defenddigitalme.org/2023/11/28/new-legal-opinion-on-the-data-protection-and-digital-information-bill/
This legal opinion reinforces the major concerns raised in my previous blogs on the DPDI Bill. Collectively these concerns weaken data subjects' rights and the privacy protection afforded by the current UK_GDPR. They concern the definition of personal data, data sharing, third party marketing and scientific research/AI.
The changes mentioned below have not been debated fully in the Commons because of the strict time limits imposed by Government on these proceedings (e.g. 3hrs to debate 125 pages of Government amendments at Report stage).
Four concerns
The four concerns in the blog that overlap with the legal opinion are:
First, the definition of “personal data” results in a level of protection below that established by the DPA1984 and Council of Europe Convention No 108. This has the potential to result in great divergence from the European standard for data protection and threaten the UK’s adequacy agreement with the EU.
Readers might remember the problems raised by the Durant judgement which narrowed the scope of “personal data” under the DPA1998. Here the European Commission commenced infraction proceedings on the grounds that the DPA1998 was not a proper implementation of Directive 95/46/EC. I should add that repeated FOI requests for the detail of these proceedings, two decades on, are still being refused.
Messing with the definition of personal data, as the DPDI Bill does, messes with all the data subject rights, Principles and obligations in the UK_GDPR. That is why this undebated definitional change that weakens its scope is so fundamental to the level of data protection afforded by the UK’s DP legislation and the Adequacy Agreement with the EU.
Detail of the definitional changes can be found on https://amberhawk.typepad.com/amberhawk/2023/04/definition-of-personal-data-in-dpdi-no-2-bill-results-in-non-compliance-with-coe-convention-no108.html
Second, the powers that facilitate voluntary data sharing with (or between) any public body that asks for the personal data are a power grab by Ministers to define, at any future time, that any disclosure of personal data to any public body is lawful and compatible. It does not matter what the purpose of the processing is; so long as it falls within the official remit of the tasks of the asking public body, the disclosure is a “Recognised Legitimate Interest”.
The provisions are so broad that they even encompass the other DWP personal data grab that can demand banking personal data of benefit claimants (including pension and child benefit claimants). These compulsion powers are unnecessary as the DWP could easily use the extensive voluntary route proposed by the Bill.
Additionally, there is no evidence that the voluntary approach, touted by Government, has failed. Hence it follows that the DWP’s justification for its major personal data grab is being made in the absence of any evidence that these ominous powers are required.
Grim detail on: https://amberhawk.typepad.com/amberhawk/2022/08/voluntary-disclosure-to-hmrc-always-lawful-and-always-compatible.html
Third, the changes associated with marketing are likely to result in a spammers’ charter for work email addresses. Collections of harvested work email addresses can be used or disclosed (or transferred) for third party marketing on the basis of that third party’s “legitimate interests”. The right to object to marketing is much diminished and the Bill overturns the consent requirements for Third Party marketing that were established thirty years ago.
Fourth, scientific research is redefined to include AI training and development. The Bill permits large databases of personal data to be used, disclosed and transferred (including outside the UK) for AI training and development without the knowledge of the data subject (let alone their consent).
Grim detail on: https://amberhawk.typepad.com/amberhawk/2023/10/dpdi-no-2-bill-undermines-transparency-of-artificial-intelligence-development-and-training.html
“Brexit bus numbers”
Government Ministers are continuing to spout nonsense numbers about projected savings arising from the DPDI Bill. To show this, I recently asked the ICO for details of notified controllers. The response shows that the current notification figures are as follows:
- Tier 1 – 1,068,221 controllers; maximum turnover of £632,000 or no more than ten members of staff.
- Tier 2 – 108,934 controllers; maximum turnover of £36 million or no more than 250 members of staff.
- Tier 3 – 7,001 large controllers; more than 250 staff or greater than £36 million turnover.
Now apply the above numbers to recent Ministerial statements given to Parliament that “justify” the legislative proposals.
Minister: “We are expecting micro and small businesses to save nearly £90 million in compliance costs every year: that is £90 million more for higher investment, faster growth and better jobs”. (2nd reading DPDI, Hansard, 17/4/23 at col 69). £90 million per year is £900 million per decade (or £0.9 billion; this figure used later).
However, there are approximately 1.07 million Tier 1 small and medium sized controllers notified with the ICO. This means that the “micro and small businesses to save nearly £90 million in compliance costs every year” comes to just under £90 per year per small business, or £1.61 per week per SME.
Could be wrong, but I don’t think you get much investment and growth for £1.61 per week – except for half a cappuccino from the local cafe.
The Minister at Report stage in the Commons: “Taken together, we believe these amendments will benefit the economy by £10.6 billion over the next 10 years. That is more than double the estimated impact of the Bill when it was introduced in the spring” (Report DPDI, Hansard, 29/11/23 at col 872).
To get an upper limit of these savings, assume all these savings are concentrated on Tier 2 and Tier 3 controllers (turnover greater than £632,000). The ICO shows that there are 116,000 of them and the projected savings are £1.06 billion per year (but remember to subtract the SME savings of £0.09 billion stated above).
It can be seen that the projected £0.97 billion savings per year (£1.06-£0.09) represents an average saving of around £9,000 per controller.
In other words, for Tier 2 there is a saving of a maximum of 0.03% of turnover if the controller’s turnover is £32 million. In other words, the touted savings are still insignificant.
Rwanda
Finally, to Rwanda. The Safety of Rwanda (Asylum and Immigration) Bill defines Rwanda as safe for the transfer of migrants who risk their lives to arrive in those small boats.
However, Rwanda has not been identified as a territory that offers an adequate level of protection for the transfer of personal data from the UK. Hence Rwanda is unsafe for the general transfer of personal data concerning migrants to Rwanda, but is safe for the transfer of the migrants themselves.
You cannot make this stuff up.