A major announcement earlier this month of a consultation on overhauling current data legislation made by the former Digital Secretary Oliver Dowden, has been questioned by a leading expert in data privacy regulation. Privacy expert Nigel Jones (pictured), Co-Founder of the Privacy Compliance Hub and ex-head of legal for Google in EMEA, urges against ripping up the UK’s privacy rules…
The stated aim of the consultation is to drive greater innovation and growth in the UK’s data sector and better protect the public from major data threats. However, there are a number of issues with the announcement. While I broadly welcome some aspects of the consultation, there is actually little by way of explanation in the announcement as to why the UK’s current data rules and regulations are insufficient to enable all these things to be addressed without the planned reforms.
The stated aims of the proposed reforms – to boost international trade; reduce burdens on business; deliver better public services; drive economic growth; boost innovation including reducing barriers to responsible innovation; protect the public; and strengthen public trust in use of data are ones that most organisations – as well as the general public – would agree with.
However, my view is that there is little, if anything, in the current legal framework that is stopping the UK from executing the aims of this consultation now, and there is insufficient detail in last week’s announcement to explain why such a consultation is necessary. Changes to the current agreement may threaten the very important adequacy decision that the UK has with the EU.
The announcement last week contains many references to science, healthcare and research and how the use of data in these areas needs to be simplified. It is unclear what the Government feels is wrong with the current rules as they apply to science, healthcare and research. It refers to advances made by Moorfield’s Eye Hospital and University College London in identifying eye disease by making use of AI, but those advances were successfully made under the current data framework using the power of Google Deepmind. What exactly do they think is wrong with the status quo?”
The announcement also claims that there are plans to impose tougher penalties and fines for nuisance calls and text messages. My view is that there is nothing in the announcement that explains why this is necessary as current penalties are already very stringent. Under the UK GDPR, the current maximum fine is already up to £17.5 million or 4% of worldwide turnover – that this is sufficient deterrent.
The announcement refers to disproportionate burdens for compliance on many organisations. While it is logical for the announcement to claim that a hairdresser shouldn’t have the same data protection processes as a multimillion pound tech firm, this ignores the fact that the current regime doesn’t require a hairdresser to have the same processes as Facebook. Also, how many hairdressers do we hear complaining about the burdens that the current UK data framework places on their business?
The consultation states that a shakeup of the Information Commissioner’s Office (ICO) is proposed, to include an independent board and chief executive.
The tenure of Elizabeth Denham, the current Information Commissioner, comes to an end this year. She has come in for criticism during her time in charge from those that feel that, as a heavily funded regulator, the ICO should be able to achieve much more, especially in the area of enforcement. Perhaps the government feels that by taking power away from the Commissioner and putting it in the hands of an independent board which it can appoint, it will be able to ‘take back control’ of data regulation.
However, I’m very much in favour of the statement in last week’s press release that the government plans to “replace box ticking with common sense.”
We couldn’t agree more. Data protection has never been about box ticking and it never should be. It is about creating a culture of continuous compliance and we take great heart from the government’s apparent enthusiasm for what it calls ‘Privacy Management Programmes’. All companies that process data should build a culture using such a Privacy Management Programme which makes all its staff understand privacy, care about it and do their bit to use data wisely and securely.”
I also agree with the aim outlined in the plan to mitigate the risk of bias in algorithmic systems. This is a hugely important objective but it will be interesting to see how the government proposes to improve the current framework which exists under the UK GDPR.
It is intriguing that the government feels that the UK’s current data legislation is in some way holding the country back in areas such as international trade, public services, innovation, research, healthcare and hairdressing. While of course any improvements in these areas are to be welcomed, we should bear in mind that the current rules are based upon a framework that has been in place for a very long time and that those rules already allow for much flexibility.
The government should make changes at its peril, and be careful to make sure that any planned amendments don’t threaten the very important adequacy decision that we have in place with the EU, our largest trading partner. In our view, it would be better to make use of the existing flexibility we have than to suggest ripping up existing rules and starting again.