During the recent announcement of a new Data Protection Bill by the UK Department for Digital, Culture, Media & Sport (DCMS), the Minister for Digital – Matt Hancock – stated that the bill would “give us one of the most robust, yet dynamic, sets of data laws in the world.” In this post, Orla Lynskey, Assistant Professor of Law at LSE, explains how the perceived novelty of the bill is hiding the fact that it mainly implements EU data protection frameworks, and gives an assessment of the measures set out in the bill.
We awoke on Monday 7 August 2017 to news that details of plans for a new Data Protection Bill would be published by the Department for Digital, Culture, Media & Sport (DCMS). These details were duly made available in a ‘statement of intent’ preceded by a ministerial foreword by Matt Hancock, Minister of State for Digital. One noteworthy feature of this ministerial foreword is that it presents the Data Protection Bill, first and foremost, as a measure of Government policy (“The Data Protection Bill, promised in our manifesto and announced in the Queen’s speech, will bring our data protection laws up to date”) and only subsequently implicitly acknowledges that the Bill is designed to implement EU data protection law (“The Bill will also bring EU law into our domestic law”). The media’s emphasis on the novelty of the measures contained in the Bill (most evidently, the ‘right to be forgotten’) reinforced this impression, a fact that did not go unnoticed by those with data protection expertise.
Implementation of EU data protection frameworks
Yet, on closer inspection of the DCMS statement of intent, it is clear that the measures proposed therein primarily serve the purpose of implementing the EU’s new legislative framework for data protection – the General Data Protection Regulation (GDPR) as well as the EU’s Data Protection Law Enforcement Directive (DPLED). Both of these legislative measures were enacted over a year ago, and will enter into force on 25 May 2018. The GDPR, as a regulation, will enter directly into force in the legal systems of EU Member States. However, unlike many other regulations, the GDPR gives member states some leeway in the implementation of some of its provisions, hence the need for domestic UK legislation on data protection. In this light, it is clear that yesterday’s announcement was more of a rebranding exercise than a radical new government initiative. Moreover, it is also worth bearing in mind that while the GDPR itself contains some noteworthy innovations – for instance, the emphasis on accountability mechanisms for data controllers; the introduction of a new right to data portability; and, the strengthening of enforcement mechanisms – it too is more about continuity than change. The Government’s new Data Protection Bill will therefore building on existing EU data protection legislation, implemented in the UK by the 1998 Data Protection Act.
Benefits and drawbacks of the Bill
This is not to say, however, that there was nothing of note in the DCMS statement.
The overall emphasis in the document on giving individuals more control over their personal data is to be welcomed. Moreover, while the precise content of the legislative measures is not yet known, the focus on the rights of children is a notable development that affirms statements made on the campaign trail by Theresa May. For instance, the statement clarifies that children over the age of 13 will be able to consent to the processing of their personal data and will be given the right to have their data “held about them at the age of 18” deleted, upon request, from social media platforms. Further clarity on this point will, of course, be needed as many questions remain unclear: for instance, whether this right applies to childhood data posted after an 18th birthday, whether it is confined to social media companies and what exceptions it will entail.
The statement also suggests that the Bill will introduce new criminal offences, including an offence of intentionally or recklessly re-identifying individuals from anonymised or psudonymised data, or knowingly processing such data, and an offence of altering records with intent to prevent disclosure following a request from an individual for that data. Furthermore, while the statement indicates the government’s support for the existing balance between data protection and freedom of expression rights, it suggests that it will strengthen the regulator’s ability to enforce the relevant provision effectively by “amend[ing] provisions relating to the ICO’s enforcement powers”. Again, it is unclear whether the amendment in question would go beyond the enhanced enforcement mechanisms envisaged by the GDPR for regulators.
Right to be forgotten?
Finally, the statement emphasises a ‘right to be forgotten’, beyond that mentioned above for childhood social media posts. Article 17 GDPR contains such a right to be forgotten which can be triggered in certain prescribed circumstances (for instance, when the data processing is unlawful). This right is however also subject to exceptions, most notably that it will not apply when the processing is necessary for the exercise of the rights of freedom of expression and information. While occasionally referred to in broader terms (“in certain circumstances, individuals will have the ability to ask social media companies to delete any or all of their posts”), it would appear that the right envisaged by DCMS is the Article 17 GDPR right to be forgotten: DCMS states that “individuals will be able to ask for their personal data to be erased” but notes that “this general right may be subject to some exemptions in some circumstances”. Indeed, any attempts to expand the right beyond the EU right are likely to face resistance. It is noteworthy that a House of Lords Committee report described this right in 2014 as “misguided in principle and unworkable in practice”.
On a less positive note, the document also lays bare two home truths regarding the Government’s digital policy. The first is the lack of ideological coherence underpinning this policy. An example of this is its ambiguous views on data security. On the one hand, this statement lauds the notion of granting individuals more control over their personal data and ensuring enhanced data security through data protection reform. On the other hand, the government is seeking to undermine this control and data security by challenging the need for end-to-end encryption on the dubious basis that ‘real people’ do not need such high levels of data security.
A second issue the document reveals is a troubling misunderstanding of existing and proposed data protection provisions. Some of these errors may be put down to a loose use of language (for instance, the idea of empowering people to ‘take ownership’ of their data therefore implying – erroneously – that the legal framework confers ownership rights in personal data). Others however are less easy to explain. For instance, the document states that the “principle difference” between the existing right to erasure and the GDPR right is:
a strengthening of the law from being applicable when substantial damage or distress is likely to be caused, to whenever a data subject withdraws their original consent for the data to be available, as long as it is no longer necessary or legally required for the grounds on which it was originally collected, or there are no overriding legitimate grounds for processing.
Not only does this mischaracterise the current law – the application of which is not contingent on “damage or distress”, as confirmed by the EU Court of Justice when it stated in Google Spain that prejudice to the individual is not necessary for the exercise of the right (para 96) – it also mischaracterises the Article 17 GDPR right as the withdrawal of consent may be neither a necessary nor a sufficient basis for the exercise of the right, depending on the circumstances.
A further glaring error in the document is the definition provided of ‘privacy by design and by default’. This concept is – bizarrely – explained as “giving citizens the right to know when their personal data has been released in contravention of the data protection safeguards, and, also by offering them a clearer right of address”. As has been highlighted by other commentators, this is a far cry from what ‘privacy by design and default’ actually entails: namely, an approach to systems engineering that takes privacy considerations into account throughout the entire lifecycle of the system.
These errors are lamentable, particularly given that the statement and the ministerial foreword, are keen to assert that the UK regulatory framework is a global ‘gold standard’. Moreover, if international data transfers to the EU are going to continue post-Brexit, a lot more attention to detail will be required in the wording of the draft bill. For now however, this statement should be treated for what it is: a rebranding exercise for domestic data protection law.
This post gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.
Thank you for your insightful article. However, although you point out that the proposed bill primarily serves the purpose of implementing EU legislation, you suggest that the proposals include something new regarding children and their personal data.
You write: “For instance, the statement clarifies that children over the age of 13 will be able to consent to the processing of their personal data and will be given the right to have their data “held about them at the age of 18” deleted, upon request, from social media platforms. Further clarity on this point will, of course, be needed as many questions remain unclear: for instance, whether this right applies to childhood data posted after an 18th birthday, whether it is confined to social media companies and what exceptions it will entail.”
Apart from the choice of 13 as the age of independent consent (as most countries are doing), the GDPR gives rights to erasure whatever the age of the person (although noting the particular importance of data entered by children and explicitly making this one of the cases where right of erasure categorically applies). Does this “statement of intent” really add anything new?
Hi Robert, I think the statement of intent seems to suggest that the right to erasure for children will be broader/less qualified than the right to erasure (right to be forgotten) in the GDPR. The reason I say this is that the right to erasure in the GDPR is heavily conditioned: the individual must essentially show that the data processing is unlawful before it can be erased. The way the children’s right seems to be framed in this document and in Government statements on the right is as a subjective right (ie. a child won’t need to show the data processing was unlawful; a subjective desire to remove the content looks like it would be sufficient). This is my reading at least. The devil will be in the detail though!
Orla, you say in your reply to my comment that “the individual must essentially show that the data processing is unlawful before it can be erased”. However, the GDPR, Article 17, gives the following reasons for erasing the data, even when it can be lawfully processed:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
Furthermore, to the specific case of data provided by a child to social media, there is also:
(f) the personal data have been collected in relation to the offer of information society services referred to in
Article 8(1). [Article 8(1) is consent given by a child to personal data processing in relation to information society services.]
It’s hard to see what additional right the new UK DPA will provide.
Hi Robert,
Yes, I was just using ‘unlawful’ for a shorthand for these specific forms of unlawful processing (ie it will be unlawful if the processing is no longer necessary; if consent is withdrawn etc). Moreover, Article 17(d) contains a catch-all provision for ‘unlawfully processed’ data. So, Article 17 itself is quite repetitive and many (most notably Jef Ausloos) have made the valid argument that the data should not be processed anyway if any of these conditions are fulfilled as the data processing is unlawful. The Article 17 GDPR right therefore arguably just provides an ex post additional remedy for individuals. What I have suggested is that the provisions about a children’s right to erasure do not appear to be conditional on illegality – it will be enough to simply ask for the removal of data without showing illegality.
If this is the case, it would be the major ‘additional’ right that the new UK DPA would give children.You might say that the vast majority of children’s data that they post online is based on consent, and so if they withdraw consent, then it would be unlawful. In this case, they would simply be exercising the GDPR right. But data of children is often based on a legal basis that is not consent – legitimate interests; contract etc – and, in these circumstances, the proposed UK right might be broader (everything will hinge on the wording of the new right!).
Orla, thanks for your clarification. As I said on my first comment, I found your post to be insightful and a useful contribution to the information flow and debate on this matter.
As far as the basic ‘re branding’ exercise goes & apart from the ‘notable derogations’ – will it just be renamed the Data Protection Act 2017?
Hi Richard,
It was originally labelled the ‘Data Protection (Exemptions from GDPR) Bill’ (as of June of this year: http://amberhawk.typepad.com/amberhawk/2017/06/queens-speech-and-the-promised-data-protection-exemptions-from-gdpr-bill.html) but it may not simply be Data Protection Act 2017 (or 2018) as you suggest.
Great article, Orla.
There has been so much talk about negatives of GDPR and how much of an effort it will be for organisations to achieve compliance. But if organisations really see it as a cross to bear then they’re missing the point.
Continuing to demonstrate that you care about the data you collect on your customers, employees, supply chain, etc will make you a far more attractive prospect.
Great article and very good points raised. If you get chance, take a look at the blog we have produced around GDPR related myths.