These slides, based on a talk given to the Society of Legal Scholars’ Conference 2022, find that the current Data Protection and Digital Information Bill is substantively wide-ranging but not radical. Many of the changes could be considered a plausible gloss on the General Data Protection Regulation (GDPR) or achieve a result which could be justified under its restrictions/derogations clause. Those which go further, such as the changes to the solely automated decision-making rights, remain well within the parameters of the Data Protection Convention 108+. There is a danger that the Bill’s substantive modifications may be insufficiently innovative to address concerns about the scope and depth of the GDPR’s rules. On the other hand, the Bill’s regulatory changes do little to confront the limited enforcement of data protection, and the new de jure flexibility offered to the Information Commissioner may further entrench the existing “soft” supervisory approach.
3. Current Bill: Broad Not Radical in Substance
Scope (Personal Data Processing)
DP Principles
• Fair, lawful, transparent
• Purpose quality & compatibility
• Information quality & limits
Legality
• Legal grounds
Sensitive Data
• Categorical definition
• Default prohibition absent waiver
Integrity
• Demo compliance
• Security
• DP by design & default
• Joint controllers
• Personal data breaches
• Processor engagement
• Record keeping
• DP Officer
• Impact Assessment
• Export Control
Transparency & Control
• Proactive Notice
• Subject Access
• Rights to Erasure, Rectification, Object, Restriction & over Solely Automated Decisions
4. Many Changes Largely Within GDPR Regime
Some Plausible Gloss on GDPR Text:
Identifiability: Any means “reasonably likely” to be used by person
with access to the data.
Security: “Appropriate technical and organisational measures” becomes
“appropriate measures, including technical and organisational measures”
Others could be Justified under National Discretion:
Research etc.: Repurposing derogation from individual notice but no
repurposing when legal basis consent & strict necessity for any use.
(Ambiguous outcome & shows need for academic expression priority).
5. Recognized Legitimate Interest & Repurposing
Partial peremptory lists set out in Annexes 1 and 2.
Not as broad as mooted in Data: A New Direction e.g. AI bias
detection, democratic engagement (although secondary law may add to
later).
Concerns about ensuring proportionality (although DP principles
still apply).
Key issue is that could attempt much the same result within GDPR
under law for public interest task.
6. Solely Automated Decisions
Same threshold as EU GDPR: “Legal or similarly significant effects”
But prohibition (absent consent) significantly narrowed.
Greater emphasis on safeguards of intervention, human intervention &
contestation.
This approach remains within DP Convention 108+ parameters and still
significantly challenges emerging practices within artificial intelligence
and machine learning.
7. Modifications But New Approach
Partial New Approach: A “light” regime for unstructured
information even if electronic (quite common outside Europe).
General New Approach: A risk-based “harms” rather than
“processing”-based threshold across-the-board.
8. Credible Approach? ICO Track-Record (2021-22)
Staff Numbers (for DP): +800
DP Complaints “Handled”: +41,000
DP Enforcement Notices: ?None
DP Criminal Convictions: ?None
DP Fines: Four – all concern security & total only £633K.
9. DPDI Bill: Regulatory Changes
From Information Commissioner to Information Commission
Slightly More Specific Generic Reporting & PECR fused in DP scheme.
De Jure Refocusing Away from Data Protection Emphasis.
Even statutory Codes of Practice require Secretary of State approval.
Greater De Jure Right to Refuse to Deal with Complaints.
10. Will Changes Ensure Effective Enforcement?
“In our view, the Regulator is failing to properly enforce data
protection rules. Something is very wrong, and it needs
addressing … the ICO is failing to use their powers and
responsibilities to deliver GDPR’s regulatory expectations.”
(Open Rights Group, 2020)
“The Information Commissioner’s reporting shows little evidence
that objectives are being met … reports to the DCMS Committee.
However, in practice this committee has focused on newsworthy
campaigns … rather than more prosaic scrutiny of the ICO’s
performance against its statutory functions”
(Victoria Heuston, IEA Head of Regulatory Affairs, 2020)
11. Summing Up & Way Ahead
Concerns that current DPDI Bill insufficient on innovation and also
effective regulation.
Strong case for a bolder substantive approach given cogent
criticisms of GDPR model.
Also strong case for ensuring robust & consistent regulation e.g.
through oversight through Tribunal regulation.
In principle, could marry these two together to ensure UK achieves
both adequacy and a bold new direction.