Category Archives: Data Protection Bill

October 3, 2022 · 8:21 pm

Certainly uncertain – data protection reform developments

In recent weeks the future of data protection law in the UK has been not just hard to predict, but also hard to keep up with.

Since Brexit, the UK has had its own version of the EU’s GDPR, called, obviously enough, the “UK GDPR“. Then, on 18 July, a Data Protection and Digital Information Bill was presented in Parliament – it proposed some significant (but possibly not hugely so) changes to the current regime, but it retained the UK GDPR. It was scheduled to have its second reading in the House of Commons on 5 September, but this was postponed “to allow Ministers to consider the legislation further”.  

Following this, on 22 September, the Retained EU Law (Revocation and Reform) Bill was introduced. This appeared to propose the “sunsetting” (i.e. the repeal) of multiple data and information laws, including the UK GDPR, by the end of 2023.

The next development, on the first day of the Conservative Party conference, is the announcement by the Culture Secretary, Michelle Donelan, that

we will be replacing GDPR with our own business and consumer-friendly data protection system… Many…smaller organisations and businesses only in fact employ a few people. They don’t have the resources or money to negotiate the regulatory minefield that is GDPR. Yet right now, in the main, they’re forced to follow this one-size-fits-all approach.

She also suggested that businesses had suffered from an 8% reduction in profit from GDPR. It is not immediately clear where this figure comes from, although some have suggested that an Oxford Martin School paper is the source. This paper contains some remarkably complex equations. I have no competence in assessing, and no reason to doubt, the authors’ economic and statistical prowess, but I can say (with a nod to the ageless concept of “garbage in, garbage out”) that their understanding of data protection law is so flawed as to compromise the whole paper. They say, for instance

websites are prohibited from sharing user data with third parties, without the consent from each user

and

companies that target EU residents are required to encrypt and anonymise any personal data it [sic] stores

and (probably most bizarrely)

as users incur a cost when prompted to give consent to using their data, they might reduce online purchases, leading to lower sales

To be quite clear (as politicians are fond of saying): websites are not prohibited from sharing data without the consent from “users” (if they were, most ecommerce would grind to a halt, and the internet economy would collapse); companies subject to GDPR are not required to anonymise personal data they store (if they did, they would no longer be able to operate, leading to the collapse of the economy in general); and “users” do not have to consent to the use of their data, and I am still scratching my head at why even if they did they would incur a cost.

If the authors base their findings on the economic cost of GDPR on these bases, then there are some very big questions for them to answer from anyone reviewing their paper.

I may have the wrong paper: I actually really hope the government will back up its 8% figure with something more sensible.

But regardless of the economic thinking this paper, or underpinning the developments in the statutory regime, it is possible that all the developments cohere: that the Data Protection and Digital Information Bill, when it re-emerges, will have been amended so as to have the effect of removing references to “GDPR” or the “UK GDPR”, and that this will mean that, in substance, if not in name, the principles of the UK GDPR are assimilated into a new piece of domestic legislation.

But (given that the government’s focus is on it) business, just as nature, abhors a vacuum – many business owners (and indeed many data protection practitioners) must be hoping that there is a clear route forward so that the UK’s data protection regime can be considered, and applied, with at least a degree of certainty.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adequacy, consent, Data Protection, Data Protection Act 2018, Data Protection Bill, GDPR, parliament, UK GDPR

Tagged as ,

September 6, 2022 · 11:18 am

Data Protection reform Bill on ice

A piece by me on the Mishcon de Reya website on yesterday’s news that the Data Protection and Digital Information Bill has been paused

https://www.mishcon.com/news/data-protection-reform-progress-paused

Leave a comment

Filed under Data Protection, Data Protection Bill

Tagged as ,

July 19, 2022 · 12:16 pm

Data Protection reform bill – all that? or not all that?

I’ve written an “initial thoughts” analysis on the Mishcon de Reya website of the some of the key provisions of the Data Protection and Digital Information Bill:

The Data Protection and Digital Information Bill – an (mishcon.com)

Leave a comment

Filed under adequacy, Data Protection, Data Protection Act 2018, Data Protection Bill, DPO, GDPR, Information Commissioner, PECR, UK GDPR

Tagged as , , ,

January 22, 2018 · 6:34 pm

On the breach

Failure to notify the ICO in a timely manner of a personal data breach under PECR carries a £1000 fixed penalty notice – why not something similar under wider data protection law?

When the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) were amended in 2011 to implement the Citizens’ Rights Directive, an obligation was placed upon providers of a public electronic communications service  (“service providers”) to notify personal data breaches to the Information Commissioner’s Office (ICO) “without undue delay”, and in 2013 article 2(2) of European Commission Regulation 611/2013 provided , in terms, that “without undue delay” would mean “no later than 24 hours after the detection of the personal data breach, where feasible”. The 2011 amendment regulations also gave the ICO the power to serve a fixed penalty notice of £1000 on a service provider which failed to comply with notification obligations.

Thus it was that in 2016 both EE and Talk Talk were served with such penalties, with the latter subsequently unsuccessfully appealing to the Information Tribunal, and thus it was that, last week, SSE Energy Supply were served with one. The SSE notice is interesting reading – the personal data breach in question (defined in amended regulation 2 of PECR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”) consisted solely of the sending of one customer email (containing name and account number) to the wrong email address, and it appears that it was reported to the ICO two days after SSE realised (so, effectively, 24 hours too late). If this appears harsh, it is worth noting that the ICO has discretion over whether to impose the penalty or not, and, in determining that she should, the Commissioner took into account a pour encourager les autres argument that

the underlying objective in imposing a monetary penalty is to promote compliance with PECR. The requirement to notify…provides an important opportunity…to assess whether a service provider is complying with its obligations under PECR…A monetary penalty in this case would act as a general encouragement towards compliance…

As any fule kno, the looming General Data Protection Regulation (“GDPR”) expands to all data controllers this obligation to notify the ICO of qualifying personal data breaches. Under GDPR the definition is broadly similar to that in PECR (“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) and a breach qualifies for the notification requirements in all cases unless it is “unlikely to result in a risk to the rights and freedoms of natural persons”. Under GDPR, the window for notification is 72 hours.

But under GDPR, and under the Data Protection Bill currently in Parliament, there is no provision for similar fixed penalty notices for notification failures (although, of course, a failure to notify a breach could constitute a general infringement under article 83, attracting a theoretical non-fixed maximum fine of €10m or 2% of global annual turnover). Is Parliament missing a trick here? If the objective of the PECR fixed penalty notice is to promote compliance with PECR, then why not a similar fixed penalty notice to promote compliance with wider data protection legislation? In 2016/17 the ICO received 1005 notifications by service providers of PECR breaches (up 63% on the previous year) and analysing/investigating these will be no small task. The figure under GDPR will no doubt be much higher, but that is surely not a reason not to provide for a punitive fixed penalty scheme for those who fail to comply with the notification requirements (given what the underlying objective of notification is)?

I would be interested to know if anyone is aware of discussions on this, and whether, as it reaches the Commons, there is any prospect of the Data Protection Bill changing to incorporate fixed penalties for notification failures.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach Notification, Data Protection, Data Protection Bill, enforcement, GDPR, Information Commissioner, monetary penalty notice, PECR

Tagged as , , ,