Firstly, my thanks go to Jon Baines for the bullet point summary I’ve used in this blog post. I was going to do a similar thing, but he’s done it much better than I could ever do, so I’ve ‘borrowed’ it for the purposes of this blog summary (with some minor edits) – thanks Jon!
Now, my view of this consultation response (which is all that it is, it’s not a draft bill) is that basically it’s a ‘we listened, we’ve ignored some things and are proceeding with other things that we like’. That’s not to say that I think this is a completely bad thing; however, I do think there are missed opportunities here that have not been adequately explained and some changes that, depending on the bill wording, *could* undo all the work we have done since GDPR put Data Protection firmly on the radar.
No new DPA 2023/4
One of the biggest things I’m quite disappointed at is that this isn’t going to create a new ‘Data Protection Act 2023/4’; instead it is planned to edit the current DPA2018 and UK GDPR. Some could say that’s helpful where businesses are concerned, I say that’s just yet more post-it-note legislation – in other words legislation that edits legislation, which I really struggle to get my head around. The DPA and UKGDPR do need merging into one piece of law so everyone, including those covered by the LED, are all on the same hymn sheet. I also note on that point, PECR will also remain a separate piece of legislation (rather than being merged into one big DPA).
(PS – I also note a lack of comment about merging the Pt3 DPA2018 into a main body of legislation rather than a separate regime. It would have been good to bring everyone back on to the same hymn sheet again, even if Law Enforcement would still need to do some of the extra things in the LED).
So the words ‘UK GDPR’ are here to stay, but the *actual* GDPR seems to be being gutted into a ‘genuinely British version’. Surely the EU would have something to say on that, as it’s not a version of the GDPR, it’s some butchered version; can you really say it is the ‘GDPR’?
No SAR charging but maybe some excessiveness options
Personally, I am pleased that fees for subject access requests will NOT be introduced. They were only ever designed to put people off. For many large orgs and councils it would cost more time in staff time and admin costs to process a £10 fee, so what was the point? There will be no cost ceiling, although we will have a provision for refusing “vexatious or excessive” requests (rather than “manifestly unfounded or excessive”). What this means in practical terms is yet to be seen, but as Jon highlights, excessive and unreasonable is often a lower threshold to prove than ‘vexatious’.
Note, the government is “considering how to address specific sectoral needs as raised in the consultation response (e.g. healthcare) as well as those of small and medium-sized businesses”. What this means is unclear given the other access-to-medical-data regimes in effect, and small orgs will still have issues where it is perfectly reasonable for someone to ask to see their data. If they plan to remove them completely from SAR, or restrict it to a basic search, I think that would be a step in the wrong direction.
‘Mandatory’ ROPA, DPIAs and DPOs are removed
In short, the counter-proposal to doing these things is to have a ‘privacy management programme’ in place that will do this and manage privacy related risks. While Jon points out there is very little real difference in practice between the two, the removal of the ‘mandatory’ requirement and instead almost pushing it on to the DPO/other role means I can easily see this all being dumped (once again) on the DP person’s shoulders. Once again they are responsible for compliance, and not the organisation.
There are also plans to replace the mandatory DPIA consultation with the ICO (Article 36) with a voluntary scheme. While the ICO said that no one really has used it to date, that does give the ICO a bit of a kick in the teeth as even fewer orgs will engage with them on such things now (can you get lower than very few?).
I’ve said before that I don’t believe in blind allegiance to one method of doing X, it should be about outcomes and ensuring X or Y. However, if this ‘programme requirement’ does not have any specific requirements within it (like knowing what you’ve got) then this is indeed a watering down of requirements and not ‘maintaining high standards of Data Protection’, as the Government appear to be claiming. Once again, the devil is in the detail so we shall see.
Statutory clarifications and gateways being introduced
One of the biggest “good luck with that” proposals is a statutory clarification of what “anonymous” means. Seriously, good luck with that. Just getting agreement within a large organisation on anonymisation standards is a mission, so a national one? If they get it right, it will be very useful for the above. However, I believe the ICO and others have been attempting this for some time with, let’s be honest, limited success on a ‘common’ standard.
Other changes to statutory ‘gateways’ for using data include (directly quoting Jon Baines here as he puts it so articulately):
- Some absolute nonsense about creating a list of activities that will not require a legitimate interests balancing test (I truly think the authors don’t understand the issues here – they say one example will be where processing is necessary for reasons of public interest, which is already a separate A6 condition, and they say the necessity test of A6(1)(f) will remain (which in itself requires a balancing exercise))
- Legislating to provide clarity around further processing for reasons not compatible with the original purposes (unclear on what that clarity might actually be however)
- Legislating to allow private bodies acting on behalf of the public sector to rely in some circumstances on the public task condition in A6 (one presumes this is for orgs that are delivering care (for example) where it is often argued they are their own Data Controller, therefore how do they justify delivery of services? Otherwise if you are delivering on behalf of a Data Controller, you are a processor are you not and therefore don’t need separate grounds?).
Artificial Intelligence changes are a bit of a mixed bag
There is some good stuff in there, for example a new condition in Schedule 1 of the DPA 2018 to enable the processing of sensitive personal data for the purpose of monitoring and correcting bias in AI systems. This means the Government accepts that there is bias in AI systems and *sometimes* it can be very prudent to use Personal Data (and special category data) to root that out and correct it (without the need to get consent of the individual). Providing there are strict rules on its use and its use is still bound by the other principles of course.
They are going to change Article 22 to a “right to specific safeguards, rather than as a general prohibition on solely automated decision-making”. As Jon points out, it’s not clear if this is part of the immediate reforms or something to come over time.
Research purposes get some specific changes
Firstly, the proposal is to tweak Article 13 (right to be informed) to provide an exemption for disproportionate effort but only in relation to “research purposes” and recital 62 will be amended to further define what “disproportionate effort” means.
They will also seek to move recital 159 into statute to provide a definition of “scientific research”, as well as bringing recital 33 (on broad consent in medical research) into the statute.
Marketing & Cookies are going to change – it’s not ePrivacy Regulation though!
With regards to Cookies, non-essential Cookies will be allowed without consent, with a plan to move to a general opt-out model, although not for sites likely to be accessed by children. The Government has also said it would work with industry to develop a common opt-out model. Hasn’t this been attempted before with limited/no success? With no enforcement behind it, companies will just ignore it if it’s just the UK market.
The current soft opt-in for electronic direct marketing will be extended to non-commercial organisations (which is a shame, I’d rather they reformed it completely to just be an opt-out model rather than an ‘assumed consent’ model). This is a missed opportunity in my opinion, but hey-ho.
They also make reference to some possible future plans to remove political eMarketing from the PECR regime completely. Given the public do not like it when they receive unsolicited messages from local parties, it will be interesting to see how they introduce this.
Adequacy and the ICO get some, interesting, changes…
In what appears to be ‘tinkering for tinkering’s sake’, there are talks of proposals for a ‘permissive adequacy regime’ but not much that’s concrete. However, the need to review adequacy every 4 years is removed and instead the Secretary of State can create other solutions and frameworks. As everyone knows in Government & Politics, 4 years is a long time, so to remove it seems like a watering down of adequacy controls to me.
The ICO doesn’t come out of this scot-free either. Not only are some of their key areas now watered down, but there are proposed reforms to the structure and governance of the ICO, including removing a ‘named commissioner’, and just having it as a regulatory office. Providing the ICO gets the funding and teeth it needs to be effective, structure it how you like in my book. However, I suspect this is another attempt to ‘dumb down’ the regulator’s position and power, so we shall see!
Things I’d like to have seen in there:
- Removal of the policy document requirement – I still don’t see the point of it.
- Allowing extensions to the 30 calendar days timeframe for handling rights requests under the LED – quite why this isn’t the same as GDPR still baffles me.
- Bringing the fee charging regime to within the DPA (rather than a separate piece of legislation).
I’m sure there was more on my wish list, but it’s Friday afternoon and the sunshine is calling!
Overall, it’s neither a good nor a bad thing in my opinion. There are some good things in there, but there are also some things that, depending on the wording of the proposed bill, could send Data Protection in the UK back to a 1998 Act level: something that the public sector took seriously, but very few others did (unless they worked across Europe or were forced to via some other regulatory oversight).
I look forward to seeing the draft bill when it comes. I suspect that won’t arrive until the autumn/winter at the earliest.