During the recent announcement of a new Data Protection Bill by the UK Department for Digital, Culture, Media & Sport (DCMS), the Minister for Digital – Matt Hancock – stated that the bill would “give us one of the most robust, yet dynamic, sets of data laws in the world.”
In this post, Orla Lynskey, Assistant Professor of Law at LSE, explains how the perceived novelty of the bill is hiding the fact that it mainly implements EU data protection frameworks, and gives an assessment of the measures set out in the bill.
We awoke on Monday 7 August 2017 to news that details of plans for a new Data Protection Bill would be published by the Department for Digital, Culture, Media & Sport (DCMS). These details were duly made available in a ‘statement of intent’ preceded by a ministerial foreword by Matt Hancock, Minister of State for Digital. One noteworthy feature of this ministerial foreword is that it presents the Data Protection Bill, first and foremost, as a measure of Government policy (“The Data Protection Bill, promised in our manifesto and announced in the Queen’s speech, will bring our data protection laws up to date”) and only subsequently implicitly acknowledges that the Bill is designed to implement EU data protection law (“The Bill will also bring EU law into our domestic law”). The media’s emphasis on the novelty of the measures contained in the Bill (most evidently, the ‘right to be forgotten’) reinforced this impression, a fact that did not go unnoticed by those with data protection expertise.
Implementation of EU data protection frameworks
Yet, on closer inspection of the DCMS statement of intent, it is clear that the measures proposed therein primarily serve the purpose of implementing the EU’s new legislative framework for data protection – the General Data Protection Regulation (GDPR) as well as the EU’s Data Protection Law Enforcement Directive (DPLED). Both of these legislative measures were enacted over a year ago, and will enter into force on 25 May 2018. The GDPR, as a regulation, will enter directly into force in the legal systems of EU Member States. However, unlike many other regulations, the GDPR gives member states some leeway in the implementation of some of its provisions, hence the need for domestic UK legislation on data protection. In this light, it is clear that yesterday’s announcement was more of a rebranding exercise than a radical new government initiative. Moreover, it is also worth bearing in mind that while the GDPR itself contains some noteworthy innovations – for instance, the emphasis on accountability mechanisms for data controllers; the introduction of a new right to data portability; and, the strengthening of enforcement mechanisms – it too is more about continuity than change. The Government’s new Data Protection Bill will therefore building on existing EU data protection legislation, implemented in the UK by the 1998 Data Protection Act.
Benefits and drawbacks of the Bill
This is not to say, however, that there was nothing of note in the DCMS statement.
The overall emphasis in the document on giving individuals more control over their personal data is to be welcomed. Moreover, while the precise content of the legislative measures is not yet known, the focus on the rights of children is a notable development that affirms statements made on the campaign trail by Theresa May. For instance, the statement clarifies that children over the age of 13 will be able to consent to the processing of their personal data and will be given the right to have their data “held about them at the age of 18” deleted, upon request, from social media platforms. Further clarity on this point will, of course, be needed as many questions remain unclear: for instance, whether this right applies to childhood data posted after an 18th birthday, whether it is confined to social media companies and what exceptions it will entail.
The statement also suggests that the Bill will introduce new criminal offences, including an offence of intentionally or recklessly re-identifying individuals from anonymised or psudonymised data, or knowingly processing such data, and an offence of altering records with intent to prevent disclosure following a request from an individual for that data. Furthermore, while the statement indicates the government’s support for the existing balance between data protection and freedom of expression rights, it suggests that it will strengthen the regulator’s ability to enforce the relevant provision effectively by “amend[ing] provisions relating to the ICO’s enforcement powers”. Again, it is unclear whether the amendment in question would go beyond the enhanced enforcement mechanisms envisaged by the GDPR for regulators.
Right to be forgotten?
Finally, the statement emphasises a ‘right to be forgotten’, beyond that mentioned above for childhood social media posts. Article 17 GDPR contains such a right to be forgotten which can be triggered in certain prescribed circumstances (for instance, when the data processing is unlawful). This right is however also subject to exceptions, most notably that it will not apply when the processing is necessary for the exercise of the rights of freedom of expression and information. While occasionally referred to in broader terms (“in certain circumstances, individuals will have the ability to ask social media companies to delete any or all of their posts”), it would appear that the right envisaged by DCMS is the Article 17 GDPR right to be forgotten: DCMS states that “individuals will be able to ask for their personal data to be erased” but notes that “this general right may be subject to some exemptions in some circumstances”. Indeed, any attempts to expand the right beyond the EU right are likely to face resistance. It is noteworthy that a House of Lords Committee report described this right in 2014 as “misguided in principle and unworkable in practice”.
On a less positive note, the document also lays bare two home truths regarding the Government’s digital policy. The first is the lack of ideological coherence underpinning this policy. An example of this is its ambiguous views on data security. On the one hand, this statement lauds the notion of granting individuals more control over their personal data and ensuring enhanced data security through data protection reform. On the other hand, the government is seeking to undermine this control and data security by challenging the need for end-to-end encryption on the dubious basis that ‘real people’ do not need such high levels of data security.
A second issue the document reveals is a troubling misunderstanding of existing and proposed data protection provisions. Some of these errors may be put down to a loose use of language (for instance, the idea of empowering people to ‘take ownership’ of their data therefore implying – erroneously – that the legal framework confers ownership rights in personal data). Others however are less easy to explain. For instance, the document states that the “principle difference” between the existing right to erasure and the GDPR right is:
a strengthening of the law from being applicable when substantial damage or distress is likely to be caused, to whenever a data subject withdraws their original consent for the data to be available, as long as it is no longer necessary or legally required for the grounds on which it was originally collected, or there are no overriding legitimate grounds for processing.
Not only does this mischaracterise the current law – the application of which is not contingent on “damage or distress”, as confirmed by the EU Court of Justice when it stated in Google Spain that prejudice to the individual is not necessary for the exercise of the right (para 96) – it also mischaracterises the Article 17 GDPR right as the withdrawal of consent may be neither a necessary nor a sufficient basis for the exercise of the right, depending on the circumstances.
A further glaring error in the document is the definition provided of ‘privacy by design and by default’. This concept is – bizarrely – explained as “giving citizens the right to know when their personal data has been released in contravention of the data protection safeguards, and, also by offering them a clearer right of address”. As has been highlighted by other commentators, this is a far cry from what ‘privacy by design and default’ actually entails: namely, an approach to systems engineering that takes privacy considerations into account throughout the entire lifecycle of the system.
These errors are lamentable, particularly given that the statement and the ministerial foreword, are keen to assert that the UK regulatory framework is a global ‘gold standard’. Moreover, if international data transfers to the EU are going to continue post-Brexit, a lot more attention to detail will be required in the wording of the draft bill. For now however, this statement should be treated for what it is: a rebranding exercise for domestic data protection law.
This post originally appeared on the LSE Media Policy Project Blog and is reproduced with permission and thanks