Pile Up Ahead?
In the first part of this blog series, ‘U-turn?’, we summarised the Government’s response to the ‘Data: A New Direction’ consultation, which previews the content of the forthcoming Data Reform Bill, identifying what’s in, what’s out and what to look out for in the future.
In this second part of our blog series, Handley Gill comments on the impact of the Government’s proposals to reform the UK’s data protection framework.
In the third part of the series, we will identify further areas for reform.
Privacy Management Programmes
In principle, we object to the conflation of data protection and privacy inherent in the title of the proposed compliance regime, which is an Americanisation.
In English law, the tort of misuse of private information applies in circumstances where an individual has a reasonable expectation of privacy, whereas data protection law applies to information which is anodyne and legitimately in the public domain. The European Court of Human Rights has recognised that while the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, home and correspondence, as guaranteed by Article 8 of the European Convention on Human Rights and imported into UK law by the Human Rights Act 1998, it has also made clear that not all personal data processing will fall within the scope of Article 8 or automatically interfere with the rights thereunder.
We would therefore prefer ‘personal data management programmes’, for example.
Leaving the nomenclature aside, however, controllers and processors would be well advised not to rip up their ROPAs (records of processing activities), dump their DPOs (Data Protection Officers) and destroy their DPIAs (Data Protection Impact Assessments) just yet.
The removal of the ‘prescriptive tickbox list’ of conducting a DPIA, appointing a DPO, and maintaining records of processing, and their replacement with a more flexible and tailored ‘choose your own adventure’ approach, may be welcomed by some, but in practice we anticipate that the removal of these compliance requirements will inevitably make it more difficult to understand, provide guidance on, comply with and enforce data protection law. Since the Government has been clear that these measures will continue to be recognised as legitimate compliance mechanisms under the new regime, and organisations will already have invested significant resource in their existing compliance arrangements, we envisage that many organisations will retain or merely adapt these rather than start afresh.
Contrary to the stated intention of the proposals, we think the changes are likely to lead to a period of uncertainty as to what effective compliance looks like, as organisations await regulatory guidance, enforcement decisions and court judgments which draw the limits of acceptable practice. This uncertainty may make punitive enforcement decisions less likely, however.
The truth of the matter is that cookie compliance is woeful and enforcement non-existent. From automatic setting of cookies, browsing as consent, pre-checked consent boxes and other so-called ‘dark patterns’, non-compliant practices continue to be rife. Yet a search of the ‘Action We’ve Taken’ section of the Information Commissioner’s website reveals that there has been no cookie related enforcement action.
While European supervisory authorities have been busy issuing decisions to the effect that the use of Google Analytics cookies, and the transfer of personal data to the US inherent in their use, fails to comply with data protection law following the Schrems-II judgment, there have been no such decisions issued by the Information Commissioner and nor has any guidance been forthcoming. Indeed, the Information Commissioner’s website cookie policy continues to indicate that it utilises Google Analytics.
In practice, therefore, the existing requirements are theoretical, and strict compliance with them puts organisations at a disadvantage to their competitors. The relaxation of the existing consent requirement for ‘non-intrusive’ cookies, coupled with the adoption of a risk-based approach to international data transfers, is likely to legitimise the use of Google Analytics and similar technologies, which continue to be prevalent, in a departure from the EEA approach. The adverse privacy impact of these measures may be tempered to some extent by Google’s previously announced phasing out of third-party cookies in its Chrome browser, joining Apple’s Safari and Firefox, but cookies are not the only way in which advertisers track users online: many use device or browser fingerprinting as an alternative and less visible form of processing.
Furthermore, the implications of the Online Safety Bill may well result in users being required to identify themselves to websites in order to enable them to comply with their obligations to protect child users from harmful content, which will remove browsing anonymity and involve significant intrusive collection of personal data and the inevitable personalisation of content and, therefore, advertising.
Right to Refuse to Comply with Data Subject Access Requests
Unless an exemption applies, a data subject access request (DSAR) can currently only be refused if it is “manifestly unfounded or excessive”. This hurdle is proposed to be lowered to permit requests to be refused where they are “vexatious or excessive”. This is stated to be intended to bring data protection provisions in line with those under the Freedom of Information Act 2000. This is a false comparison, since a DSAR specifically relates to the individual making the request and the response may indicate whether their personal data has been processed in accordance with the controller’s legal obligations, whereas a request under the Freedom of Information Act 2000 (FOIA) is one for public information. Nevertheless, the Information Commissioner’s guidance under FOIA indicates that the factor determining whether a request is vexatious is “whether the request is likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation”. DSARs are commonly deployed at the outset or in the context of disputes, such as employment grievances, where a wide range of data is involved and responding almost inevitably results in significant cost, disruption and irritation. Since only data breaches, and not unlawful processing, are liable to be reported to the regulator, a DSAR is often the only way a data subject is able to ascertain whether their rights have been complied with.
A request might be legitimately considered to be vexatious where it is a repeat request for personal data where a short period of time has elapsed since the previous request and there would not be expected to have been any significant additional processing.
The Information Commissioner’s guidance in the context of FOIA states that “you should not take into account the identity or intentions of a requester when considering whether to comply with a request for information” (although it isn’t clear whether the same guidance would be issued under the data protection legislation), and the courts have also rejected the existence of a collateral purpose, such as a request being made in the context of a dispute, as a basis for a controller to reject a DSAR (see Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens & Ors, and Deer v Oxford University [2017] EWCA Civ 121). Nevertheless, we anticipate that controllers will seek to apply the vexatious label to exactly this type of request, on the basis that if procedural rules grant a right to disclosure at some point in time, then effectively having to conduct a disclosure exercise twice is disproportionately disruptive. This would have the effect of at least delaying, if not entirely restricting, the right of access to personal data.
Of course, an entitlement to disclosure under procedural rules and an entitlement to the provision of a copy of personal data under the UK GDPR will not result in the same information being disclosed, and therefore how the peripheral information should be dealt with could also become an area of dispute.
Prior Consultation
The Government has identified that the ability of controllers to identify mitigations to high risk processing, or perhaps an optimistic assessment of risk, has rendered the requirement to consult with the Information Commissioner in advance under Article 36 UK GDPR obsolete.
By way of example, in response to a question we posed at the recent Centre for Research into Information, Surveillance and Privacy event ‘Legitimacy of facial recognition in policing and law enforcement’, a representative of the Information Commissioner’s Office confirmed that no UK police force had engaged in the equivalent mandatory consultation obligation under Part 3 Data Protection Act 2018 in connection with the deployment of facial recognition technology, although voluntary engagement had taken place.
While the recognition of voluntary prior consultation as a factor in any enforcement action may encourage responsible behaviour, in practice we do not anticipate that this will result in any significant increase in engagement.
Anonymity
Limiting personal data to identified individuals and those who can easily be identified by or from data will certainly ease the burden on controllers and processors, who are likely to have limited knowledge of the datasets that might be available to, and the data matching activities that might be undertaken by, third parties who might come into contact with ‘anonymised’ personal data. As such data won’t be subject to protections, it will be capable of being freely transferred around the world, shared with third parties and used for additional purposes.
The relaxation will bring the definition of anonymous data closer to that of pseudonymous data.
This may also have corollary implications for the existing offence under s171 Data Protection Act 2018 of knowingly or recklessly re-identifying de-identified personal data, i.e. personal data processed in such a manner as to prevent its attribution to a data subject without more. Is anonymous data to be treated as de-identified personal data? If not, this is likely to have significant fringe benefits for global data processors, who will have access to multiple large scale public and private datasets which they would be entitled to combine, and could harm the rights and interests of data subjects.
Adequacy of Third Countries
The thresholds for determining that a third country’s data protection laws are adequate will be reduced, meaning that the UK could designate countries that the European Commission would not, making it easier for data to be transferred from the UK to entities in those countries without the need for additional safeguards.
Controllers and processors will welcome any changes that remove the need for each individual organisation to have to attempt to undertake wide ranging reviews of the laws and practices of foreign countries, which they are ill-equipped to do without external advice.
To give but one example, as US lawmakers debate the American Data Privacy and Protection Act (‘ADPPA’), which would create a federal data protection law for the first time, there would be scope for the UK to designate the US an adequate country. The Government’s approach to US national security surveillance is likely to be less censorious than that of its European counterpart, not least because of the UK’s participation in the so-called ‘Five Eyes’ alliance and its status as a signatory to the UK-USA agreement for co-operation in signals intelligence, and risk-based decision making would depart from the absolutist approach adopted by supervisory authorities in the EEA. The new ability to take into account the economic benefit of a post-Brexit trade deal would also favour an adequacy decision being reached.
Political Processing
What’s sauce for the goose is sauce for the gander, or so goes the saying, but politicians want to grant themselves exemptions from the obligations they are happy to impose on everyone else.
Proposals to grant exemptions to elected representatives in addition to political parties will favour incumbents and restrict the ability of new, challenger and independent candidates to conduct the same activities for the purpose of democratic engagement.
The introduction of a power to enable the Secretary of State to exempt political communications from the restrictions on sending marketing communications to individuals who have not consented or previously indicated an interest is likely to cause a nuisance at election time, but the breadth of the proposed power to provide an exemption from obligations in relation to cookies and tracking could be the dawn of the next Cambridge Analytica scandal, and any exercise of the power ought to be subject to the closest scrutiny.
The Name and Structure of the Data Protection Regulator
While the original proposals to introduce a Chair and Board to the Information Commissioner’s Office were criticised for risking the independence of the regulator, the amendments to the proposed appointment process have brought them into line with the arrangements for other statutory regulators, such as Ofcom and the Financial Conduct Authority.
As the leadership and governance arrangements of the Information Commissioner’s Office change, we recognise the need to re-name the regulator, with suitable names including ‘Personal Data Regulator’, the ‘Data Protection Authority’ or the ‘Office for Data Protection’.
Regulation and Enforcement
We consider that the overall impact of the Government’s proposals will be to require a significant expansion of the Information Commissioner’s resources, which already struggle to meet existing statutory obligations, let alone his stated ambitions and the proposals in the Data Reform Bill. The more engaged and consultative approach advocated by the Government requires a shift away from a reactive approach, and annual check-ins with major data processors are unlikely to be sufficient for effective oversight and regulation.
While the Information Commissioner has recently reached agreement with the Department for Digital, Culture, Media and Sport and HM Treasury that it should be entitled to retain up to £7m per annum of monetary penalties recovered in order to fund external costs, this will be inadequate and additional funding or funding streams will be required.
The alignment of the maximum fine under PECR with that under the UK GDPR should serve to neutralise the cost benefit of conducting nuisance marketing calls.
The utilisation of expert panels will formalise and enhance the existing process by which the Information Commissioner’s Office conducts workshops and direct liaison in addition to its public consultations. The recruitment of those panels, and ensuring that they are diverse, fairly selected and do not merely reflect the Information Commissioner’s own approach, will be critical to their success.
European Commission's Adequacy Decision in Respect of the UK
All of these changes create divergence between the UK’s data protection regime and that of the EEA.
The European Commission’s adequacy decision in respect of the UK was, uniquely, subject to a sunset clause resulting in its automatic expiry after 4 years, in June 2025. Announcing the adequacy decision, Věra Jourová, Vice-President for Values and Transparency, emphasised “…we have listened very carefully to the concerns expressed by the Parliament, the Member States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK's privacy framework… This is why we have significant safeguards and if anything changes on the UK side, we will intervene”.
The factors taken into account in reaching the decision included multiple areas which are proposed to be revised. In addition, the decision that UK law provided an adequate level of protection was explicitly stated to be “… based on both the relevant UK domestic regime and its international commitments, in particular adherence to the European Convention of Human Rights and submission to the jurisdiction of the European Court of Human Rights. Continued adherence to such international obligations is therefore a particularly important element of the assessment on which this Decision is based”. Clause 3(1) of the Bill of Rights which was recently introduced in Parliament would establish the UK’s Supreme Court – and not the European Court of Human Rights – as “the ultimate judicial authority on questions arising under domestic law in connection with the Convention rights”.
There would therefore appear to be a real risk that the UK’s adequacy will not be renewed, or even that the European Commission could intervene in advance of expiry to withdraw its decision and require a fresh analysis.