“Operation Save Big Dog” is the name given to the effort expended to ensure the Prime Minister survives, despite several after-hours, alcohol-fuelled, “office-gatherings” at 10 Downing Street during COVID-lockdown. This Operation has coincided with the need to remind the British public of the pure brilliance of the Brexit decision.
Hence last week’s announcement of a ‘Brexit Freedoms’ Bill” (with the promise to use Ministerial powers push through major change) and the publication of a policy document entitled “The Benefits of Brexit” (in case you missed them). The publication also marks the two-year anniversary of “Getting Brexit Done” and the passage of that not-so-ready, “oven ready” Brexit deal.
The policy document also spells out that the outcome of the DCMS Consultation “Data: a new direction”, concerning changes to the UK_GDPR regime, has been pre-determined; it does not matter what the consultees have written.
It follows that further data protection legislation which provides for weakened privacy protection for data subjects, looser data protection obligations for controllers, and a reduction in the independence of the ICO appears to be inevitable.
Coupled with the changes to the Human Rights regime and the new hurdles facing those who seek judicial review, the UK’s data protection regime is being dissembled.
Pre-determination
The pre-determination of outcome is self-evident from the following quotations from the Benefits of Brexit document. Firstly:
…the “UK Government consulted in the autumn on proposals that seek to create an ambitious, pro-growth and innovation-friendly UK data protection regime that underpins the trustworthy use of data. The Government will be publishing its response in Spring this year ahead of introducing legislation on reforms to the UK’s data protection regime”. (my emphasis).
Note the UK Government has “consulted”, an outcome will be published and then legislation will be enacted. There is to be no second round of consultation.
According to The Benefits of Brexit document these reforms:
“… will help to drive growth, innovation and competition across the country and enhance the UK’s global reputation as a hub for responsible data-driven businesses, trusted by consumers to deliver high standards of data protection” (my emphasis).
[will] “…make the UK an innovation-friendly hub for responsible data-driven business that respects high standards of data protection. Removing barriers to those data flows will boost trade, investment and scientific and technological innovation”. (my emphasis).
Note that both paragraphs repeat the DCMS assertion that “trusted” or “high standard” of data protection can be delivered by reducing or removing controller obligations (e.g.in accountability, doing a DPIA before embarking on high risk processing, having a DPO to monitor compliance, in mandatory data breach reporting, charging for subject access, compatibility and transfer requirements, skewing legitimate interest in favour of the controller, diminishing data subject rights).
Note also the Benefits of Brexit describe the controller obligations as “barriers” not understanding that such barriers exist to protect data subjects.
Finally, the Press Release accompanying the Benefits of Brexit adds that new legislation will create a “less burdensome data rights regime compared to the EU’s GDPR”. Note that the data subject’s right of access, right to be informed, right to correct, right to object, right not to be profiled etc are all viewed as “burdensome” to controllers and not considered to be valuable safeguards for data subjects.
It is clear that the above conclusions have been reached irrespective of any evidence provided by the consultees to the DCMS Consultation.
Introduction to the ICO comments
I don’t want to spend too much time going over (again) the DCMS Consultation. My blogs explain that in far too many areas, the DCMS proposals were littered with mistakes, omissions and misunderstandings about the data protection regime (see references at end of blog). The quality of the DCMS consultation is, at best, very questionable.
In addition, as Rosemary Jay points out, the protection afforded to data subjects is significantly reduced and the risks of breaching the European Adequacy Agreement is high (see references). Her evidence also points to errors, omissions and difficulties in understanding the DCMS proposals for change.
Finally, there is the ICO’s response to the DCMS Consultation (see references). There are at least 34 pages where the ICO fails to comment in substance on the DCMS proposals because there is insufficient detail in the DCMS plans. I am not expecting you to read all of the list below, but you will quickly get the gist with a scan.
Together the responses identified above demonstrate that the DCMS Consultation cannot be trusted to substantiate the changes to the data protection regime that is to be imposed on the UK’s data subjects (probably using Ministerial powers to minimise public and Parliamentary debate).
ICO seeks clarity on DCMS proposals
- “As the proposals are developed, the devil will be in the detail we believe there remains more work for Government to demonstrate in sufficient detail how the remainder of the proposals achieve these objectives. (Page 2; ICO consultation)
- “We believe there remains more work for Government to demonstrate in sufficient detail how the remainder of the proposals achieve these objectives”…. (Page 12)
- “In order for Government and Parliament to have the required confidence, the nature, context and detail of the processing would need to be set out clearly”… (Page 13)
- “We would also welcome more detail on how this proposal will interact with the exercise of people’s rights.” (Page 13)
- “We think Government still needs to provide more detail on the proposals to allow organisations to use data more freely “….(Page 20)
- “More detail is needed on these and on the proposed role of the ICO”. (Page 20)
- “We look forward to seeing more detail, particularly on those areas where the policy proposals are more high level”. (Page 24)
- “We look forward to seeing more detail on the impact on people’s data protection rights …as the Government’s impact assessment and analysis is further developed.” (Page 24).
- “We would like to see more explanation of the proposals and detailed analysis of the collective impact on the types and volumes of personal data being processed” (Page 28)
- “We would also like more detail of how the Government plans to make sure this information is protected and that transparency is ensured”. (Page 28)
- “We would also welcome more detail on how this proposal will interact with the exercise of people’s rights” (Page 30)
- “We will be looking for Government to set out the nature of the specific types of processing in more detail and how it has assured itself that those included in the list would not have a disproportionate impact on people”.(Page 30).
- “[The proposal] would need to set out the nature, context and detail of the processing, given that this is all relevant to assessing where the balance lies.” (Page 31)
- “It is important that Government clearly sets out more detail about how such an approach would work and what safeguards would be in place” (Page 33).
- “We would like to see more detailed analysis of the thinking Government has done as part of its assessment that the legitimate interests of the organisation undertaking this kind of processing would always outweigh the potential risks to people's rights and freedoms…” (Page 34)
- “This [proposed change] should be based on detailed analysis and evidence”. (Page 35)
- “It is also important to understand in more detail from Government how the PMP proposal would ensure a risk based approach”. (Page 42)
- “This includes how it [the proposed change] would ensure that those organisations with the highest volumes, greatest complexity or most privacy intrusive data have the most robust approaches to accountability and risk identification, mitigation and management”.(Page 42)
- “We would also welcome more detail from Government about how these proposals would enable businesses to assess the risks of harm to people that arise from new or novel processing, particularly where these involve new technology”.(Page 43)
- “We would like to see further detailed consideration about how safeguards will work in practice, including how any rights of appeal may need to be amended and how potential equality issues will be addressed”. (Page 49)
- “we are concerned about the lack of consideration of the impact on people and the potential for these changes to reduce people’s ability to access their fundamental rights” (Page 49)
- “We are interested in understanding more detail about how this would work in practice.”(Page 49)
- “The consultation does not go into detail about which elements of these rules would be relaxed.” (Page 55)
- “While we recognise that these proposals are still in development more detail is needed for respondents to fully understand how a risk-based approach would work in practice”. (Page 60)
- “We look forward to Government providing more detail on ….”(Page 61)
- “As above, we look forward to seeing more details or examples of how these proposals would work in practice.”(Page 61)
- “It would be helpful to have more detail about how the Government proposes to deploy this approach to fully understand the risks and benefits involved.” (Page 61)
- “It is important that the Government provides more detail on how they would assess whether redress mechanisms are effective.” (Page 61)
- “More detail on the proposed approach would be helpful in exploring where this might be the case.” (Page 65)
- “We therefore look forward to seeing further detail on how the Government would ensure the right balance is found between flexibility and assurance to create the appropriate regulatory oversight of this proposal…” (Page 65)
- “We look forward to seeing further detail on this proposal as it develops. In any more detailed proposals, we would want to guard against weakening the data protection regimes for policing and the intelligence services” (Page 77)
- “In these areas, more detail on the specific checks and balances in place to ensure the ICO’s continued effective delivery of this role would be helpful”. (Page 79)
- “We are open to this expansion of our regulatory remit, subject to appropriate funding, and await further detail on how any transfer of functions would work in practice”. (Page 88)
- “We would welcome a more detailed impact assessment on the overall cost to the ICO, and therefore fee payers, of any changes to the services the ICO is required to deliver (Page 89)
Concluding comment
It is important to understand that the paucity of evidence, the lack of detail, all the omissions and the erroneous analysis in data protection are unimportant to this Government.
Afterall, the political imperative is to “Save Big Dog” by demonstrating that Brexit works. What better route than by lowering UK data protection standards to the standards adopted by other non-European countries so Ministers can use their powers to state that their data protection law are adequate.
Spring Data Protection Courses
Because of continued COVID uncertainty, the following courses can be attended in person, or via Zoom, or as a mixture if you something untoward happens. It's up to you.
- The next Data Protection Practitioner Course is in London, and starts Tuesday, March 22 (6 days); full details on amberhawk.com/StandardDP.asp or by emailing [email protected]
- The next Data Protection Foundation Course is in London, and starts Tuesday, May 9-11 (3 days); full details on http://www.amberhawk.com/DPFoundation.asp or by emailing [email protected]
References
The Adequacy Agreement with the UK: https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.
The Benefits of Brexit: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1052148/benefits-of-brexit-document.pdf
Rosemary Jay’s Independent evidence that the DCMS data proposals could undermine adequacy (and the like the ICO, when the DCMS Consultation is unclear or wrong-headed) https://amberhawk.typepad.com/amberhawk/2022/01/independent-evidence-that-the-dcms-data-proposals-could-undermine-adequacy.html
My response to the DCMS Consultation (with links to my 7 blogs on different parts of the DCMS Consultation at the end of this link): https://amberhawk.typepad.com/amberhawk/2021/11/data-a-new-direction-amberhawks-response-to-the-dcms-consultation.html
ICO response to the DCMS Consultation: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/10/response-to-dcms-consultation-foreword/