Are UK Data Protection Regulations Next In Line To Be Attacked?

By OpenRightsGroup: DCMS consultation on data privacy fails to explain why it matters – New data privacy rights under the General Data protection Regulation depend on a UK consultation which tells readers nothing about its implications

The General Data Protection Regulation (GDPR) sets out many new rights for UK citizens, including better notions of consent, the right to obtain and download your information, and to delete it at a company. You can also find out more about profiling and automated decision-making. There are big fines available when companies don’t comply after it comes into force in mid 2018.

However, many of the new rights will depend on enforcement. One of the better ideas in the regulation is to allow privacy groups to represent citizens in complaints, without having to find specific people who have been directly affected. The GDPR requires member states to choose to allow this, or not, in Article 80(2). We of course very much believe this should be legislated for.

There is a consultation being run by DCMS until Wednesday 10 May on all the different options allowed under the GDPR—and there are quite a few.

However, this consultation is another very disappointing piece of work. Shoddy, even, because it calls for evidence and views, but sets out no background at all for the consultation, so only experts can practically respond. It merely states:

Theme 9 – Rights and Remedies

Rights and Remedies

The derogations related to Rights and Remedies include articles:

Article 17 – Right to erasure (‘right to be forgotten’)

Article 22 – Automated individual decision-making, including profiling Article 26 – Joint controllers

Article 80 – representation of data subjects

Government would welcome your views on the derogations contained in the articles above. Please ensure that you refer to specific articles/derogations.

There is no way that an average reader could understand the implications of this consultation, which, just like the recent Home office consultation on the IP Act Codes of Practice, means that the consultation appears to breach Cabinet Office guidelines, which state that consultations should:

Give enough information to ensure that those consulted understand the issues and can give informed responses.

This consultation provides exactly no background information whatsoever. You wouldn’t begin to understand that they want to know if you are in favour of privacy organisations being able to make complaints to the ICO under Article 80, or not.

We feel sympathy for the staff at DCMS who have been asked to set out this consultation, and presumably have been prevented from spending time developing background documents due to capacity constraints. This should serve as a warning to us.

Once Brexit kicks in, DCMS staff will need to be able not just to recycle existing policy advice from EU and other organisations on legislation prepared elsewhere, but also to have the expertise to evaluate it and recommend changes. Under the Great Repeal Bill, they may have to advise ministers about things to remove, with little Parliamentary involvement — potentially including aspects of the GDPR of course.

Right now, however, DCMS officials appear to lack the capacity to even produce decent consultation documents for key privacy laws like the GDPR. Ministers should be demanding more resources, or we will start to see serious policy mistakes being made.

---