You may by now have heard of the ‘Data Protection and Digital Information Bill’, which is part of the government’s agenda to “unlock the power of data” in a post-Brexit world, make the UK business-friendly, reap the sovereignty it values and escape from EU legislative history.
However, those with a vested interest in UK Data Protection are starting to feel that the Bill in its current form is somewhat of an “own goal”: by diverging from a regime that UK and global businesses have already adopted and managed, it in essence just creates further complexity by seeking to add “clarifications and divergences” to the existing law.
The DCMS (the government department in charge of data protection) consistently views the current Data Protection framework as a burden on business rather than a pathway to good information governance, and takes a dated, zero-sum “Privacy vs Business”, “cost of compliance” view, whereas modern and more evolved thinking has shown that a positive-sum, win-win approach of using Data Protection to enhance and add data management functionality to a business can bring real dividends to all. The result is a Bill that doesn’t really please any camp (for or against Data Protection), for a number of reasons.
Here are the top things to take away:
- First and foremost, DON’T PANIC. DO NOT CHANGE ANYTHING. NOTHING HAS CHANGED YET. It is only a Bill, with its second reading due in September, by which time we will have a new Prime Minister, and then it needs to pass through readings in the Lords and Commons – anything can change at this point.
- This is not a repeal of GDPR, just further amendments to existing law. The UK GDPR and the split regime between UK GDPR, DPA 2018, PECR, the Human Rights Act and Part 3 DPA 2018 (the Law Enforcement Directive) remain. This is a missed opportunity, as these could have been harmonised into a single Data Protection Act. If anything, this Bill makes things worse: we not only keep the current messy arrangement but create further mess through many small amendments in the name of clarity.
- The Bill also grants the Secretary of State powers to create secondary legislation to do their own thing in a scary number of places without further legislative scrutiny – a scary thing indeed.
- The very definition of what is and what is not Personal Data changes. In the AmberHawk blog, Dr Chris Pounder outlines that the revised definition sets the bar lower than that of the DPA 1984 (three UK laws ago!). Check out his blog for more, but in short it calls for direct identification for the law to apply: in his example, Dr Pounder says that under the Bill’s definition, if a CCTV operator never finds out who someone captured on CCTV is, they are not processing any Personal Data at all (on this person or anyone else).
- Subject Access Request exemptions change from “manifestly unfounded” to “vexatious”. Anyone who deals with vexatiousness under FOI knows that it is a difficult thing to prove, far more difficult than proving ‘manifestly unfounded or excessive’.
- PECR changes include trying to get rid of cookie banners, reducing transparency around ‘strictly necessary’ online trackers and making things like web analytics less obvious and hidden from the user. Again, this takes the view that complex cookie consent banners are a bad effect of the GDPR, rather than trickery on behalf of companies that have been using deceptive design practices to trick individuals into online surveillance, tracking and marketing.
- In a welcome move, PECR fines for poor marketing practices rise from £500,000 to match those of GDPR (up to £17.5m or 4% of global annual turnover). In a less welcome move, they want to extend the “soft opt-in” rule, previously only available under the EU ePrivacy Directive in the commercial context of sale relationships, to charities and political parties.
- I am completely bemused by the efforts to get rid of the administrative burden on business. Four areas are looked at: DPOs, ROPAs, DPIAs and International Transfers. Each seems to be swapped in almost name alone (DPOs for Senior Responsible Individuals, DPIAs for High Risk Processing Assessments, ROPAs for Data Inventories, International Transfers to require Data Protection tests). Having read through the text, these almost seem like-for-like changes, and it is difficult to see where any reduction in administrative burden would be, or whether this is just further flexibility and complexity combined. The only area that looks to be repealed completely is the requirement to have a UK representative for non-UK controllers, which does beg the question of how enforcement action for extra-territorial extent could ever occur.
- It introduces rules around Digital Identity providers and ‘Smart Data’. This is an interesting new area around rights of access to non-personal data on businesses’ sales processes or fees; for more information see the summary produced by Mishcon de Reya:
- The ICO itself is proposed to change from an individual (the Commissioner) to a ‘body corporate’ regulator (an Information Commission). There are a worrying number of proposed limitations on its independence, including KPIs, reporting back to government and seeking its approval of codes of practice and guidance. It is also granted some additional powers around things like audits and witness interviews.
The Bill to me feels like a failure all round in all its objectives.
- Does it free UK business from the “administrative burden” of the EU GDPR and ePrivacy regimes – NO.
- Does it help Data Subjects with enforcing their rights – NO.
- Does it help the Information Commissioner to create trust by enforcing on bad actors – NO.
- Does it create further complexity and a dual regime for businesses to have to deal with – YES.
- Does it make individuals’ data rights harder to achieve, and give more “wiggle room” for businesses to abuse them – YES.
- Does it make it harder for the regulator to enforce on bad actors – YES.
- Does it create broad exemptions for the UK government to do what it likes without further scrutiny – YES.
In taking a halfway-house approach of amending the existing law to create subtle changes, it fails on all counts. The law could, for example, have:
- been a brave departure, trying something new, complete and cohesive; or
- strengthened what we already had and achieved closer harmonisation and individual protections.
This is possibly to safeguard the current UK data adequacy agreement with the EU, which may be in trouble anyway if our own adequacy targets (including the US, Australia and the Dubai Financial Zone) are achieved where the EU has not granted those the same.
As I previously commented, anything can change. But whilst the UK government and the DCMS maintain a fundamentally flawed view on Data Protection, and try to hedge their bets by staying close enough to EU GDPR to be “adequate” but far enough away to please Brexiteers, the future of Data Protection in the UK will be a complex and convoluted affair, and both businesses and individuals will be worse off as a result.