Wednesday 15 November 2023

Thank you and farewell

After a period of silence it's now time to close this blog.  I've lost the motivation I once had to put my head above the data protection parapet. I'm no longer deeply engaged in issues that filled my working life and these days am much more interested in providing a decent home for my puppy. Others can engage in endless battles with people whose views are so very different to my own. I'm happy with the changes I've managed to make over the years and will remain deeply frustrated that at other times I failed to act in ways that might have made lives easier for other people. Occasionally the stress of dealing with issues that I still find hard to talk about affected me very deeply. But most times I've had a hugely enjoyable career.

I've reached the stage where I no longer want to work as a data protection professional. I can't motivate myself to maintain or even pretend to have an interest in matters that many data protection professionals feel they need to be concerned about. Looking back at my work pattern and output I have realised that so much of the daily grind was so unnecessary.

Thank you for your good wishes and support over the years that the blog has been active. 

Friday 22 July 2022

Personal Data Breach Notification – it's time to scrap the unfair rules that have been imposed on Communication Service providers


In August 2013 the European Commission introduced new rules to require Communication Service Providers to report all personal data breaches, no matter how minor, to local data protection regulators within 24 hours of the incident being detected [Art 2]. Reporting delays would result in providers being subject to ICO fines. Significant breaches were also required to be reported to the impacted individuals [Art 3].

The new rules also required the European Commission to report by 2016 on the effectiveness of these new rules and their impact on providers, subscribers and individuals. On the basis of that report, the Commission would review the rules. I’m not aware that such a report was ever published, however. If it was, I can't find it.

This was the European Commission’s first attempt at mandatory breach notification. The coming into force of the GDPR resulted in breach notification rules being extended to organisations in all economic sectors, although these organisations were permitted a longer time to report (within 72 hours of becoming aware of the incident) and they were able to use their discretion not to notify data protection regulators of incidents unlikely to result in a risk to individuals.

I’m well aware of the huge administrative burdens that these rules imposed on providers, and the awful pressure (and long hours) put on people who often worked late into the night to submit (mostly) pointless breach reports on the ICO’s breach portal every day. Yes, it gives the ICO’s enforcement staff something to do each day, but I trust that the ICO’s new strategy will recognise the futility of this mindless work, and that it can see the value in being able to redeploy staff to more significant tasks.

It’s time for a Brexit dividend. 

It’s time that organisations in all economic sectors are subjected to the same breach notification rules.

It’s time for the Data Protection and Digital Information Bill to be amended to abolish the old rules and require providers to adopt the data breach reporting rules that apply in all other sectors. 

It's time for the DCMS to admit that it was a mistake not to include this provision in the Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019. It's depressing to read the draft SI's Explanatory Memorandum and learn that no formal consultation took place with providers on this specific matter. Evidently the unfair breach reporting rules are deficiencies that are 'minor in nature' - so providers should put up with them.

I say no, these unfair rules should go.

Goodbye and good riddance, Commission Regulation 611/2013!

Sunday 21 March 2021

My Top Tips for the UK’s Next Information Commissioner


The UK’s data protection community isn't easy to please. Privacy is big business these days, and many of its opinion formers take to social media platforms to generate noise and controversy. 

Because noise and controversy sells. It sells seats at privacy conferences and it sells consulting time – which can be dangerous when there are no entry barriers to the privacy consulting trade. Noise and controversy are also the lifeblood of the privacy NGOs. Most exist to please their funders, so expect fireworks from these folks, too. 


Amidst the privacy hype and noise, here are my top tips to make your life less challenging than it otherwise will be:


1.    Work from Wilmslow. Many privacy pros may work remotely, but you've been selected to set an example and to lead from the front. You will have a huge team at your disposal and they need to know that you’re as committed to Wilmslow as they are.

2.    Embrace conflict. Whatever you try, you’re likely to be opposed, either from the privacy pragmatists or the privacy Taliban. Don’t take conflict personally. You’re just doing your job.

3.    Expect to be opposed from within the ICO, as well as from without. The organisation has grown so fast that it’s impossible to expect everyone in it to share the same outlook as you. You may not even realise how you are being undermined until some brave DPO quietly shares with you their experiences of working with your staff.

4.    Don't think you will get it right all the time. Key parts of privacy laws are in a right mess, and any attempt to help clarify or simplify the law can easily backfire, especially if it requires primary legislation.

5.    The UK may have left the EU, but it hasn't (yet) escaped from the acquis of European privacy law. In helping deliver the Government’s National Data Strategy, it’s OK to embrace a ‘UK First’ approach. You are the UK’s Information Commissioner. You are not someone who has been parachuted in to challenge British values.

6.    Relax. The £200,000 salary won’t adequately compensate you for what you will experience, but you’ll only serve a single seven-year term in office. By the end, you’ll (probably) have received a nice gong and a lucrative offer from another organisation.  


Monday 9 November 2020

The EU’s draft Data Governance Act: an own goal?

The EU’s draft Data Governance Act is designed to facilitate the greater sharing of non-personal data within the EU. Such big data ought to provide new insights and benefit the lives of EU citizens, the EU thinking goes. 


The Act is also designed to prevent access and use by non-EU based data intermediaries such as those that may be established in the UK, or elsewhere in the world. 


Will this prohibition result in UK-based organisations operating at a competitive disadvantage? They won’t be entitled to act as data intermediaries. Conversely, the EU-established data intermediaries will face difficulties in tapping the deep talent pool of non-EU based information experts.  


Might this prohibition result in UK-focussed data services operating at a comparative disadvantage? The AI-based service models that will be developed for the benefit of UK citizens won’t be able to take advantage of the training data available to EU-focussed service providers.


Why is it in the best interests of the EU to adopt this protectionist model? Isn’t it better for the EU to develop a partnership model with, rather than discriminate against, non-EU-based entities?


Discrimination based on the geographic location of the data intermediary / service provider reinforces the concept of a ‘Fortress Europe’. EU member states will run the risk of operating within a walled garden that delivers fewer benefits to citizens than would be the case if there were no barriers. I remember the direction that populations migrated when the Iron Curtain fell in 1991. They travelled west, towards a society that offered greater choices and a higher quality of services. Very few travelled to the east, further into the Soviet Union.


The EU has managed, with the passing of the GDPR, to adopt data protection standards that are virtually impossible for many organisations to fully comply with. Accordingly, I wouldn't be at all surprised if the EU were to follow it up with legislation that made it equally hard for European citizens to be able to take full advantage of the insights that can flow from the processing of non-personal data.

Friday 16 October 2020

Is it still necessary for data protection laws to have particular processing rules for specific types of personal data?

I think not.


1.    European laws have special rules for the processing of “sensitive data” or “special category data” regardless of the context within which the data will be processed. This has been the case in the UK since the coming into force of the first (1984) Data Protection Act. But, just because it is an established concept, there is no reason not to ask whether the distinction is still appropriate.


2.    The existing list of special category data, which has its origins in the types of characteristics that were used in the last century to discriminate against minority groups, does not properly reflect today’s values. It is difficult, say, to justify the exclusion of an individual’s financial details, or their web browsing history, given the increasingly on-line lives that most UK citizens lead. If asked, many people might argue that such information was far more sensitive than information relating to their trade union membership, ethnic origin or religion.


3.    Some countries have already enacted data protection laws that do not recognise the concept of special category data. Indonesia, Hong Kong and Singapore are examples of such countries. I am not aware of calls from citizens of those countries to amend local laws to develop special rules for particular categories of personal data.


4.    Some countries have extended their lists of special category data beyond those set out in European law. Some countries include financial information. Kenya’s definition includes an individual’s property details, marital status, family details including the names of their children, parents, spouse or spouses. However, it is not yet clear how this expanded definition actually improves privacy protections for individuals.


5.    The key practical impact of the processing of special category data for data controllers is that an additional processing condition needs to be identified – but in my experience, Governments have historically been quite willing to pass secondary legislation to create a new condition to legitimise the processing when it has been too hard to link the processing purpose with an existing condition, and when consent is not an appropriate option. Eliminating this category of personal data will negate the need for secondary legislation to be developed.


6.    Eliminating the definition of this category of data will not, of itself, reduce the privacy protections that individuals enjoy. The UK GDPR does not alter the wording of the first half of Article 24 of the GDPR. Data controllers should still be required to take into account “the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.”  Article 24 goes on to provide that controllers must also “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” In my view, it is entirely possible for the UK to implement appropriate measures which provide robust privacy safeguards even if Article 9 of the GDPR is removed from UK law. 

Tuesday 13 October 2020

Why have I joined the LinkedIn Data Protection Reform Group?

1.    There is an ongoing debate on the rights that data controllers should have, compared with the rights that private individuals should have. There’s also an ongoing debate on what role our national Data Protection supervisory authority should play in developing and enforcing privacy laws. Opposing views are passionately, genuinely and sincerely held, and I see little prospect of agreement on a middle course. But, I see no reason for declining to contribute to policy discussions just because I know that others will disagree with me.


2.    Many opinion formers believe the GDPR is a gold standard containing data protection requirements that all countries should aspire to, and that any deviation from the GDPR necessarily dilutes privacy protections / rights to an unacceptably low level. I disagree. I see the GDPR as a step too far. The provisions impose very considerable administrative burdens on many data controllers, not all of which do much, if anything, to respect legitimate privacy rights.


3.    During the long discussions in the early part of the last decade which eventually led to political agreement amongst EU nations that the GDPR should be adopted, the UK’s negotiating team frequently argued against the imposition of onerous and bureaucratic provisions which set out in considerable detail how organisations should be required to run their privacy programmes. The UK now has an opportunity to review these initial reservations and develop laws that allow a more pragmatic approach which still delivers robust privacy protections for individuals. Some commentators do not wish to reopen these discussions. I disagree. Where there is evidence that the current provisions are unduly onerous or unworkable, we should ask whether a business case exists to alter them.


4.    Complexity is costly.  The more complex the rules are, the more resources may be required to provide assurance about the extent to which the organisation complies with the rules. Complexity provides consulting organisations with a stream of work, but it hinders smaller organisations that can’t access tailored compliance advice. Complexity also frustrates individuals who try to exercise information rights, only to learn that obscure exceptions to the rules actually result in them having fewer rights than they realised. 


5.    Data protection should be fun. Our relationship to work is one of the most important things in our lives. We should query the motives of those that have used the GDPR to develop vast bureaucracies that are ultimately pointless. While the key to corporate success is convincing people that you are worthwhile, I meet an increasing number of privacy professionals who are experiencing burnout. They feel trapped in a system that makes their work seem both joyless and endless.  


Sunday 4 October 2020

Revise the GDPR

We are what we are
We don't want praise, we don't want pity
We bang our own drum
Some think it's noise, we think it's pretty
We promise that your human rights we will not mangle
We're the ones that try to see things from a different angle
Join us we’re going far
Join us and shout out
Revise the GDPR


We are what we are
And what we are needs no excuses
We’ll find a new way 
To cut out spam, stop data abuses
Our private lives, there's no consent you get no look in
Our private lives, you can't tell anyone where we’ve been 
Life's not worth a damn till we can shout out
We are what we are

We know what we want

Revise the GDPR



Thank you for the inspiration: Jerry Herman