Opinion

Data protection reform: can we do better than GDPR?

Iain Bourne Iain Bourne

At the end of this year, for the first time since the original Data Protection Directive came into force 25 years ago, the UK will have the scope to diverge from EU data protection laws. Iain Bourne looks at the case for change.

The UK’s first national data protection law came into force in 1984. It's not clear when or to what extent the UK’s future data protection regime will deviate from the EU General Data Protection Regulation (GDPR), but the politics here could be interesting.

We have a UK Supervisory Authority (SA), which will probably want to align the UK to GDPR, including implementing European case law and European Data Protection Board (EDPB) decisions. On the other hand, we have a government that wants to diverge from it.

There is a fine line between maintaining regulatory independence and standing against government policy. This could be an interesting period for the Information Commissioner's Office and one to watch.

For help navigating this minefield, feel free to get in touch.

Meanwhile, whatever the future political direction, there is a strong case for the reform of UK data protection law in the short to medium term.

I’ve outlined seven key areas that could be reformed and developed further:

1 The scope of data protection law

The scope of data protection law – ie, personal data - has been stretched so widely that it has gaping holes in it.

In the data protection world, the concept of identifying data subjects now bears little resemblance to its ordinary meaning. SA’s have been on a mission to widen the scope of the law for decades, to include a wider range of activities and prevent any wrongdoing, but it is unclear what this has achieved.

For example, a tourist might take a blurry video on a phone of revellers in Trafalgar Square. The tourist cannot identify any of those people. But, according to the Court of Justice of the European Union case law (see the Rynes case) and the SAs, the tourist takes on full controller responsibility for the data.

Technically, that means they must provide everyone in the video with a privacy notice, give them subject access to their footage and comply with all requirements of data protection law. This is clearly impossible and, ironically, brings an essentially personal activity like making a film on holiday within the ambit of state supervision.

The Irish SA has just put out a statement about drivers with dashcams having full controller responsibility. The ICO tried that one a few years back, but common sense prevailed and they quietly forgot about it.

The current scope of the law is so wide that it can be impossible to comply with it. We need a law where being able to ‘identify’ a party from data means just that, recognising that people can now be identified in a host of different ways.

The law should give rights and protection over data processing activity that has a real and genuine impact on them. Endlessly widening the scope of the law weakens it and makes it less effective.

2 Lawful basis for processing personal data

The approach taken in both the old Directive and GDPR aligns with a codified, continental legal system, but it has never been compatible with a common law system.

In short, in the UK, people or organisations can do something unless a piece of law specifically prohibits it. This is different in most other EU countries, where there are detailed laws stipulating what is allowed.

In data protection terms, this provides a detailed set of legal requirements, allowing the SA to check the lawfulness of an organisation’s data collection, storage, handling and processing in a granular and precise way. But this approach does not work in the UK.

An example of the mismatch between the approaches can be seen when looking at HR records. All firms keep HR records and, under the GDPR, businesses must have a specific legal basis for each new processing activity on that data.

Most UK businesses would find it impossible to explain the legal basis for keeping their HR records, because there isn't one. Unlike in many EU countries, UK firms do not need a specific legal basis to maintain employee records, and this falls under reasonable business need.

The need for firms to identify a specific legal basis for each processing activity has added an unnecessary layer of complexity to compliance. It hasn’t achieved much in terms of protecting individuals’ data and there’s scant evidence to demonstrate that it has prevented any wrongdoing.

3 Special data protection classes

The above problem is compounded by the law’s categorisation of some personal data as "special". This is meant to make it more difficult to process certain high-risk data because an additional legal basis must be identified first.

There are two obvious problems:

First, not all special data is really high risk, and some genuinely high-risk data – financial, for example – is not special. This means any business keeping an employee sick note, which is probably not sensitive in most people's view, is processing special data, and therefore, must maintain a Record of Processing Activity amongst other things. Having to jump through this additional legal hoop does nothing to protect individuals from bad information-handling practices.

Second, the approach can lead to, "the artificial prohibition of otherwise unobjectionable processing", as a former information commissioner put it.

As a result of this legal problem, the government introduced various pieces of legislation to allow organisations to do reasonable things they should have been allowed to do anyway; such as, holding information about disability to protect a vulnerable customer.

It might be better to rely more on the UK’s common law duty of confidentiality, to protect potentially damaging personal information from inappropriate disclosure or misuse.

4 Data minimisation

The primary policy driver for GDPR was greater standardisation of data protection regulation across the EU. This was inspired by a widespread belief that the UK and Irish SAs were being too soft on US tech companies, most of which have head EU offices in London or Dublin.

However, to introduce some new thinking to its data protection reform process, the legislators made certain things mandatory that used to be just best-practice recommendations, issued through SA guidance. The most obvious case of this is data minimisation.

Data minimisation reduces risk for people and for businesses. If you only want to know how many people visited the grocery section of your website last May, do you need to know who those people were?

As a design philosophy, this can have positive effects, but it fails as a legal requirement. Because the area is so grey and incremental, it means organisations can never say with any certainty whether they are complying with the law or not.

How far does data minimisation have to go? It's also impossible for SAs to enforce over this. I don't believe any organisation has minimised personal data as much as is technically possible. This should be taken out of the law and restored as best practice.

5 Data protection transfer rules

Data transfer has been in the news a lot recently, because of the striking down of the Privacy Shield EU to US transfer mechanism.

The whole problem of data transfers arises because of the way the EU is set up. Because its treaties must allow for the free movement of personal data within the EU, this means there has to be prohibition by default on the transfer of personal data outside the EU.

This has led to the mystifying ‘adequate’ and ‘inadequate’ countries system. In fact, the effect of EU international data transfer rules has been negligible. Is it more difficult for a Romanian travel agent to transfer personal data to a hotel in Australia (inadequate) than to one in New Zealand (adequate)? I doubt it.

For the system to work, data protection standards would have to be equally as high across the EU, and the law assumes that they are. As far as I am aware, this has never been systematically checked.

There are certainly organisations with adequate levels of data protection within inadequate countries, and ones with inadequate standards within the EU, otherwise why would we need SAs? A basic third-party data governance issue has been turned into a geopolitical glass-bead game.

An ‘exporter beware’ system would be far more effective and easier to understand. This is where the data exporter has to do its due diligence and put the necessary governance in place regardless of the geographical resting place of the transferred data.

EU data transfer rules have never worked, and are increasingly anachronistic in the context of a rapidly evolving global information economy.

6 Regulation

Returning to the ICO itself. The ICO has maybe 10 times the number of staff it had when I joined in 1996, across its data protection and freedom of information teams, and other responsibilities. It appears to be drowning in complaints and must be finding it impossible to deal with all the issues that arise when attempting to regulate something as ubiquitous as personal data.

Instead of expecting low-risk organisations to comply in full with a highly complicated and onerous piece of law, they should be largely taken out of the regime, including the requirement to pay a data tax to the regulator.

This would allow the ICO to focus on genuinely high-risk organisations and activities. The public could benefit from a revamped version of the Information Tribunal system, making it easier for individuals with genuine grievances to take action directly against an organisation and to be eligible for compensation.

This could also facilitate class actions for cases where a number of people have suffered as a result of bad data processing practices. A move like this could help align data protection policy more closely to the concerns of the public, rather than being influenced by an unrepresentative band of privacy activists, within the ICO and outside it.

7 International outlook

Data protection law is a global phenomenon.

There are well over 100 national data protection laws and some, such as Brazil, follow the GDPR model very closely, while others, such as Israel, do not. State laws are appearing in the US, such as California’s CCPA, and a recent survey showed 91% of Americans want access to their information and control over its disclosure.

A simplified form of UK data protection law would be more compatible with existing and future international data protection laws, many of which will not follow the GDPR model.

Where would that leave us?

There would still be a set of principles and individuals’ rights. Whatever form the UK’s break from the EU takes, it appears that the Council of Europe Data Protection Convention will still apply.

However, this is nowhere near as prescriptive as GDPR. This means that the UK will have a considerable degree of flexibility over the form its future data protection law takes.

Let’s hope the Government can come up with something that avoids the regulatory excesses of GDPR, offers certainty and a proportionate data protection regime for UK businesses, provides meaningful rights and protections for people in the UK, and is international in outlook. This can all be achieved but requires some alternative thinking.

For help with navigating data protection laws, get in touch with Iain Bourne.