We now have a first draft of the ‘Data Protection and Digital Information Bill’ which, if passed in its current form, seems like a bit of a missed opportunity for all those with a vested interest in UK Data Protection (the good, the bad and the ugly).
I’ve mentioned before that I am a proponent of strong & robust controls on the management of data, including Personal Data. Not just because they protect the rights of the citizen (which we all have a vested interest in) but because they also ensure that this data culture we find ourselves in is actually fit for purpose.
With that in mind, this seems like a bill that doesn’t really please any one camp (pro or against Data Protection) for a number of reasons. I’ve read through the bill itself (not easy reading, I can assure you) and then consulted a number of blogs on the topic to get a feel for where we are, and where it might head.
1. First and foremost, this is not a repeal of GDPR. So those saying the UK GDPR is going are, in name at least, incorrect. The UK GDPR and the split regime between UK GDPR, DPA 2018 and Part 3 DPA 2018 (the Law Enforcement Directive) remains. This is our first missed opportunity, as it could have been harmonised into one Data Protection Act for us all.
If anything this Bill makes things worse: we not only keep the current messy arrangement, but the Bill also grants the Secretary of State powers to create secondary legislation. And we all know what fun that can be!
2. One of the big things the Bill tampers with (and I’m not really sure why) is the very definition of what is and what is not Personal Data. As outlined in the AmberHawk blog of 04/08/2022, Dr Chris Pounder explains that the revised (convoluted) definition sets the bar lower than that of the DPA 1984. For all those saying the UK is going backwards in time, well, this is another area to add to your argument.
What does this mean in real terms? Well, Chris’ blog is very good at going into the detail of this and, to summarise it as best I can, it simply muddies the water. I liked Chris’ CCTV example, where he says that, using the Bill’s definition, if a CCTV operator never identifies a person the CCTV has captured, they are not processing any Personal Data at all (on this person or anyone else).
I recommend checking out Chris’ other practical examples. In short, this definition is unnecessary, confusing and, to another of Chris’ points, is likely to put us in direct conflict with the EU as it can (and probably will) be seen as a watering down of people’s rights over their data.
3. Some are celebrating the changing of ‘excessive’ to ‘vexatious’ where SARs are concerned. For me, I don’t see this as a good thing. Not because I’m on the side of the Data Subject, but because those of you that deal with vexatiousness under FOI know that it is a difficult thing to prove. Far more difficult than just proving ‘manifestly unfounded or excessive’. I’d say this is another area where there is a lack of understanding about what excessive means, and changing it for the sake of it will just make the problem worse, not better.
4. Changes to PECR are also proposed, including loosening the definition of ‘strictly necessary’ on cookies to include things like web analytics etc. On the upside, the Bill also upgrades the fines from £500,000 to match those of GDPR (up to £17.5m or 4% of global annual turnover).
5. I am a big fan of Records of Processing (or at least the function of working out what you are doing), so I am pleased to see that a “Record of Processing of Personal Data” (clause 15) remains in the Bill. This is heavily watered down from the original (mainly around high risk processing), but it doesn’t remove the requirement completely.
6. Clauses 61-77 also create some provisions for the use of ‘Smart Data’. I am still getting my head around exactly what data is and is not in scope, so here is a quote from the summary produced by Mishcon de Reya:
“Customers” would not just be data subjects, but anyone who purchased (or received for free) goods, services or digital content from a trader in a consumer (rather than business) context. “Business data” would include information about goods, services and digital content supplied or provided by a trader. It would also include information about where those goods etc. are supplied, the terms on which they are supplied or provided, prices or performance and information relating to feedback from customers. Customers would potentially have a right to access their data, which might include (as the explanatory notes to the Bill explain) information on the customer’s usage patterns and the price paid to aid personalised price comparisons. Similarly, businesses could potentially be required to publish, or otherwise make available, business data.
7. The ICO is proposed to change from a ‘role’ based regulator (the Commissioner) to a ‘body’ based regulator (an information commission). One presumes this will also need to change for other legislation (FOI, for example). It is also granted some additional powers around things like audits and witness interviews.
8. Other general changes include:
- Complaints made direct to the Data Controller and a duty to respond in 30 calendar days
- Removal of the need to appoint a representative in the UK (article 27)
- Completion of a “data protection test” for international transfers of personal data
- Addition of scientific & historical research grounds for processing
- Changing of Article 22 (Automated Decision Making) from a right to a series of protection requirements similar to those in Art 22
- DPIAs are renamed to ‘Assessments of High Risk Processing’ (quite why, I have no idea) and at clause 18 controllers will no longer be required to consult the ICO on certain high risk DPIAs – instead, they will merely be permitted to do so.
My thoughts so far:
As with all legislation, the devil is in the detail and in the journey the Bill takes. We have several things afoot at the moment, and the new minister (assuming there is one when we get a new Prime Minister) may well make further changes depending on their political leanings or pressures from said new PM.
Is this Bill a nasty reversal of Data Protection law? Possibly. Does it remove that ‘pesky EU legislation’ from our law? No, not really. To me, it comes across as tampering with a law for the sake of tampering. Keeping the windows the same so it looks like we are playing ball with our EU commitments, while actually moving the furniture and redecorating to make it even more confusing for UK based Data Controllers. If anyone says to you that the UK likes clear and simple laws, this is yet another area where you can say to them, “no we don’t”.