Sunday, 21 March 2021

My Top Tips for the UK’s Next Information Commissioner


The UK’s data protection community isn't easy to please. Privacy is big business these days, and many of its opinion formers take to social media platforms to generate noise and controversy. 




Because noise and controversy sells. It sells seats at privacy conferences and it sells consulting time – which can be dangerous when there are no entry barriers to the privacy consulting trade. Noise and controversy are also the lifeblood of the privacy NGOs. Most exist to please their funders, so expect fireworks from these folks, too. 


Amidst the privacy hype and noise, here are my top tips to make your life less challenging than it otherwise will be:


1.    Work from Wilmslow. Many privacy pros may work remotely, but you've been selected to set an example and to lead from the front. You will have a huge team at your disposal and they need to know that you’re as committed to Wilmslow as they are.

2.    Embrace conflict. Whatever you try, you’re likely to be opposed, either from the privacy pragmatists or the privacy Taliban. Don’t take conflict personally. You’re just doing your job.

3.    Expect to be opposed from within the ICO, as well as from without. The organisation has grown so fast that it’s impossible to expect everyone in it to share the same outlook as you. You may not even realise how you are being undermined you until some brave DPO quietly shares with you their experiences of working with your staff.

4.    Don't think you will get it right all the time. Key parts of privacy laws are in a right mess, and any attempt to help clarify or simplify the law can easily backfire, especially if it requires primary legislation.

5.    The UK may have left the EU, but it hasn't (yet) escaped from the acquis of European privacy law. In helping deliver the Government’s National Data Strategy, it’s OK to embrace a ‘UK First’ approach. You are the UK’s Information Commissioner. You are not someone who has been parachuted in to challenge British values.

6.    Relax. The £200,000 salary won’t adequately compensate you for what you will experience, but you’ll only serve a single seven-year term in office. By the end, you’ll (probably) have received a nice gong and a lucrative offer from another organisation.  






Monday, 9 November 2020

The EU’s draft Data Governance Act: an own goal?

The EU’s draft Data Governance Act is designed to facilitate the greater sharing of non-Personal data within the EU. Such big data ought to provide new insights and benefit the lives of EU citizens, the EU thinking goes. 


The Act is also designed to prevent access and use by non-EU based data intermediaries such as those that may be established in the UK, or elsewhere in the world. 


Will this prohibition result in UK-based organisations operating at a competitive disadvantage? They won’t be entitled at act as data intermediaries. Conversely, the EU-established data intermediaries will face difficulties in tapping the deep talent pool of non-EU based information experts.  


Might this prohibition result in UK-focussed data services operating at a comparative disadvantage? The AI-based service models that will be developed for the benefit of UK citizens won’t be able to take advantage of the training data available to EU-focussed service providers.


Why is it in the best interests of the EU to adopt this protectionist model? Isn’t it better for the EU to develop a partnership model with, rather than discriminate against non EU-based entities?


Discrimination based on the geographic location of the data intermediary / service provider reinforces the concept of a ‘Fortress Europe’. EU member states will run the risk of operating within a walled garden that delivers fewer benefits to citizens than would be the case if there were no barriers. I remember the direction that populations migrated when the Iron Curtain fell in 1991. They travelled west, towards a society that offered greater choices and a higher quality of services. Very few travelled to the east, further into the Soviet Union.


The EU has managed, with the passing of the GDPR, to adopt data protection standards that are virtually impossible for many organisations to fully comply with. Accordingly, I wouldn't be at all surprised if the EU were to follow it up with legislation that made it equally hard for European citizens to be able to take full advantage of the insights that can flow from the processing of non-personal data.

Friday, 16 October 2020

Is it still necessary for data protection laws to have particular processing rules for specific types pf personal data?

I think not.


1.    European laws have special rules for the processing of “sensitive data” or “special category data” regardless of the context within which the data will be processed. This has been the case in the UK since the coming into force of the first (1984) Data Protection Act. But, just because it is an established concept, there is no reason not to ask whether the distinction is still appropriate.


2.    The existing list of special category data, which has its origins in the types of characteristics that were used in the last century to discriminate against minority groups, does not properly reflect today’s values. It is difficult, say, to justify the exclusion of an individual’s financial details, or their web browsing history, given the increasingly on-line lives that most UK citizens lead. If asked, many people might argue that such information was far more sensitive than information relating to their trade union membership, ethnic origin or religion.


3.    Some countries that have already enacted data protection laws that do not recognise the concept of special category data. Indonesia, Hong Kong and Singapore are examples of such countries. I am not aware of calls from citizens of those countries to amend local laws to develop special rules for particular categories of personal data.


4.    Some countries have extended their lists of special category data beyond those set out in European law. Some countries include financial information. Kenya’s definition includes an individual’s property details, marital status, family details including the names of their children, parents, spouse or spouses. However, it is not yet clear how this expanded definition actually improves privacy protections for individuals.


5.    The key practical impact of the processing of special category data for data controllers is that an additional processing condition needs to be identified – but in my experience, Governments have historically been quite willing to pass secondary legislation to create a new condition to legitimise the processing when it has been too hard to link the processing purpose with an existing condition, and when consent is not an appropriate option. Eliminating this category of personal data will negate the need for secondary legislation to be developed.


6.    Eliminating the definition of this category of data will not, of itself, reduce the privacy protections that individuals enjoy. The UK GDPR does not alter the wording of the first half of Article 24 of the GDPR. Data controllers should still be required to take into account “the nature, scope context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.”  Article 24 goes on to provide that controllers must also “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation.” In my view, it is entirely possible for the UK to implement appropriate measures which provide robust privacy safeguards even if Article 9 of the GDPR is removed from UK law. 

Tuesday, 13 October 2020

Why have I joined the LinkedIn Data Protection Reform Group?

1.    There is an ongoing debate on the rights that data controllers should have, compared with the rights that private individuals should have. There’s also an ongoing debate on what role our national Data Protection supervisory authority should play in developing and enforcing privacy laws. Opposing views are passionately, genuinely and sincerely held, & I see little prospect of agreement on a middle course. But, I see no reason for declining to contribute to policy discussions just because I know that others will disagree with me.


2.    Many opinion formers believe the GDPR is a gold standard containing data protection requirements that all countries should aspire to, and that any deviation from the GDPR necessarily dilutes privacy protections / rights to an unacceptably low level. I disagree. I see the GDPR as a step too far. The provisions impose very considerable administrative burdens on many data controllers, not all of which do much, if anything, to respect legitimate privacy rights.


3.    During the long discussions in the early part of the last decade which eventually led to political agreement amongst EU nations that the GDPR should be adopted, the UK’s negotiating team frequently argued against the imposition of onerous and bureaucratic provisions which set out in considerable detail how organisations should be required to run their privacy programmes. The UK now has an opportunity to review these initial reservations and develop laws that allow a more pragmatic approach which still delivers robust privacy protections for individuals. Some commentators do not wish to reopen these discussions. I disagree. Where there is evidence that the current provisions are unduly onerous or unworkable, we should ask whether there a business case exists to alter them.


4.    Complexity is costly.  The more complex the rules are, the more resources may be required to provide assurance about the extent the organisation fully complies with the rules. Complexity provides consulting organisations with a stream of work, but it hinders smaller organisations that can’t access tailored compliance advice. Complexity also frustrates individuals who try to exercise information rights, only to learn that obscure exceptions to the rules actually result in them having fewer rights than they realised. 


5.    Data protection should be fun. Our relationship to work is one of the most important things in our lives. We should query the motives of those that have used the GDPR to develop vast bureaucracies that are ultimately pointless. While the key to corporate success is convincing people that you are worthwhile, I meet an increasing number of privacy professionals are experiencing burnout. They feel trapped in a system that makes their work seem both joyless and endless.  


Sunday, 4 October 2020

Revise the GDPR

We are what we are
We don't want praise, we don't want pity
We bang our own drum
Some think it's noise, we think it's pretty
We promise that your human rights we will not mangle
We're the ones that try to see things from a different angle
Join us we’re going far
Join us and shout out
Revise the GDPR


We are what we are
And what we are needs no excuses
We’ll find a new way 
To cut out spam, stop data abuses
Our private lives, there's no consent you get no look in
Our private lives, you can't tell anyone where we’ve been 
Life's not worth a damn till we can shout out
We are what we are

We know what we want

Revise the GDPR



Thank you for the inspiration: Jerry Herman


Friday, 2 October 2020

My (data) fine is enormous

I am he as you are he as you are me and we are all together
See how they stun the world and my mum, see how they fine
I'm crying


Sitting in the courthouse, waiting for the man to come
Covid mask and goggles, stupid bloody Tuesday
Man, you been a naughty boy, you set your cookies wrong


I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob


Mister lead prosecutor sitting
Pretty little lawyers in a row
See how they drone “he should have known,” see how they fine
I'm crying, I'm crying
I'm crying, I'm crying


Instagram emojis 

Springing out from every screen
Acting like a fishwife, pornographic poses
Boy, you been a naughty girl you let your knickers down


I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob


Scrolling through new adult websites waiting for the one
Maria from Leeds, click accept
Far too old, I could have wept


I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob g'goo goo g'joob


Expert textpert smarmy barmy
Don't you think that lawyer laughs at you?
See how they smile, just fees on their mind
See how they charge
I'm crying


Hey Maria Pilchard,

Want a present for your baby shower?
Curtains for your bedroom, buy a family heirloom 
Have another go at blocking Edgar Allan Poe

I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob g'goo goo g'joob
Goo goo g'joob g'goo goo g'joob g'goo



Thank you for the inspiration: John Lennon, Paul McCartney & John Bowman



Sunday, 13 September 2020

Breaching the GDPR


Early train from Euston, just a croissant and two teas

Didn't get to eat last night

Who today will I see pleading on their knees
Liz, I had a dreadful fright
I've breached the GDPR
You don't know how lucky you are, boys
Breaching the GDPR


Been away so long I barely know the place
BC, it's good to be back home
Don't make me pack my case
Honey disconnect the phone
I'm fed up with the GDPR’s ploys
You don't know how lucky you are, boys
Breaching the GD

Breaching the GD

Breaching the GDPR

Well paid lawyers really knock me out
Leaving my team far behind
Privacy geeks make me scream and shout
Max Schrems is always on my my my my my my my mind
Oh, come on
Will I miss you when I’ve gone
Yeah, yeah, yeah, yeah

I'm fed up with the GDPR’s ploys
You don't know how lucky you are, boys
Breaching the GDPR


Show me your spreadsheets – all objectives coloured green 
Despite your breach there’s not a red box to be seen
You’re good at compliance – almost visionary
Let them off the hook, a fine isn’t necessary

Walking to the station, need a sandwich and a tea

Shouldn’t get so uptight 
I guess they don’t really care much for me
Wilmslow is not a delight
I’m done with the GDPR’s ploys
Hey, you don't know how lucky you are, boys
Stuff the GDPR


Thank you for the inspiration: John Lennon, Paul McCartney