Everyday I’m immersed in the challenges faced by organisations and individuals navigating the complex world of Data Protection. Recently, this has been compounded by the developments surrounding the Data Protection and Digital Information Bill, after the government released a keeling schedule for the bill.
Complications and Considerations
Upon reviewing the keeling schedule of the reform bill, I must admit, my initial impression was one of disappointment. The changes proposed by the UK government seem to complicate matters unnecessarily, leading one to wonder if there might be a touch of superiority complex at play. Let’s take a closer look at some of the key amendments and their potential implications.
- Data Protection Officer (DPO) to “Senior Responsible Individual”: The bill suggests changing the title of DPO to “Senior Responsible Individual.” This alteration may seem insignificant, but it raises questions about the underlying motivations. Renaming the role could inadvertently dilute the importance and expertise associated with the position, potentially undermining the effectiveness of Data Protection practices within organisations.
- Data Protection Impact Assessment (DPIA) to “Assessment of High-Risk Processing”: Similarly, the proposed change from DPIA to “Assessment of High-Risk Processing” introduces unnecessary complexity. The term DPIA is widely recognised and understood within the industry and altering it might create confusion and additional hurdles for compliance.
- Adequacy Decision to “Data Protection Test”: The concept of an adequacy decision is vital when it comes to international data transfers. However, the bill suggests replacing it with the term “Data Protection test.” While it’s commendable to emphasise the need for robust Data Protection laws, the bill’s apparent willingness to grant adequacy to any country as long as they have a “materially lower” set of Data Protection laws raises concerns. We must ensure that data transfers do not compromise individuals’ rights and freedoms. Additionally, the biggest concern in my opinion, is the possible threat to the UK’s adequacy decision with the EU.
- The “watering down” of RoPAs: One of the most baffling changes is the removal of Records of Processing Activities (ROPA), except in cases where personal data processing poses a high risk to individuals’ rights and freedoms. As we discussed extensively on a previous podcast episode (118), ROPAs are the backbone of an organisation’s Data Protection practices. They play a crucial role in shaping and influencing various aspects of an organisation’s data processing activities. Removing the requirement for ROPAs seems counterintuitive and could have unintended consequences.
- Additional lawful basis: There is a potential new lawful basis that has been suggested by the secretary of state. It’s called ‘Recognised Legitimate Interest’ They are as follows:
- processing that is necessary for the purposes of direct marketing,
- intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and
- processing that is necessary for the purposes of ensuring the security of network and information systems.
Now, on the face of things this may not seem like such a bad idea, but please bear with me whilst I explain my concerns around this.
The EU Commission has previously expressed concerns about the Dutch data protection authority’s strict interpretation of legitimate interests, considering it not to be in line with the GDPR, guidelines of the Article 29 Working Party/ EDPB and the case law of European Court of Justice (CJEU). The concerns focus on guidance issues by the Autoriteit Persoonsgegevens (Dutch Supervisory Authority) in 2019, stating that purely commercial purposes, such as maximisation of profits would not be considered a legitimate interest.
Essentially, what I’m trying to say is the EU Commission has expressed concerns that purely commercial purposes such as maximising profits would not be considered a ‘legitimate interest’ and yet in the new DPDI bill, there is a suggestion to add “recognised legitimate interests” as an additional lawful basis – one of these being processing necessary for direct marketing. Could you not argue that this is purely commercial purposes?
In my view, this adds to concerns I already have over the UK putting their adequacy decision with the EU at risk if/when the new bill is approved.
Expert Insights
During the examination of the Data Protection and Digital Information Bill at the committee stage, John Edwards, the UK Information Commissioner’s Office commissioner, shared his insights. Here are the key takeaways from his testimony:
- Clarity of Definitions: Edwards highlighted the need for greater clarity around terms such as “high-risk activity” within the bill’s definitions. Ambiguities in these definitions can impede effective implementation and compliance.
- No Threat to Adequacy: The commissioner reassured us that there is “nothing in the bill that threatens adequacy.” While this provides some relief, we must remain vigilant to safeguard individuals’ data when it traverses international borders.
- Importance of Clarity in Legitimate Interest: Edwards stressed the significance of clarity in the term “legitimate interest.” Providing businesses with clear guidelines and circumstances in which legitimate interest can be invoked reduces uncertainty and promotes compliance.
- The ICO’s New Role: Edwards expressed excitement about the ICO’s new role, positioning it as a supporter of the “empowered citizen.” This suggests a commitment to protecting individuals’ rights and promoting transparency in data processing practices.
- Citizen Rights and Access: Importantly, Edwards stated that the bill presents no challenge to citizens’ ability to access their rights, including the possibility of charging them. This reassurance underscores the ongoing commitment to ensuring that individuals can exercise their Data Protection rights effectively.
In conclusion, the Data Protection and Digital Information Bill has generated both praise and concerns within the Data Protection community. As an advocate for Data Protection practices, I must admit that some of the proposed changes appear to complicate rather than simplify matters. Renaming key roles, altering terminology, and removing the requirement for ROPAs all raise valid concerns about the effectiveness and transparency of Data Protection measures.
Remember, Data Protection is a collaborative effort, and your voice matters. Let’s continue to navigate the ever-changing landscape together, empowering individuals and safeguarding their rights in the digital age.
By Joe Kirk, Data Protection Support Desk Consultant – Data Protection People