Monday, 9 November 2020

The EU’s draft Data Governance Act: an own goal?


The EU’s draft Data Governance Act is designed to facilitate the greater sharing of non-personal data within the EU. Such big data ought to provide new insights and benefit the lives of EU citizens, the EU thinking goes. 

 

The Act is also designed to prevent access and use by non-EU-based data intermediaries, such as those that may be established in the UK or elsewhere in the world. 

 

Will this prohibition result in UK-based organisations operating at a competitive disadvantage? They won’t be entitled to act as data intermediaries. Conversely, the EU-established data intermediaries will face difficulties in tapping the deep talent pool of non-EU-based information experts.  

 

Might this prohibition result in UK-focussed data services operating at a comparative disadvantage? The AI-based service models that will be developed for the benefit of UK citizens won’t be able to take advantage of the training data available to EU-focussed service providers.

 

Why is it in the best interests of the EU to adopt this protectionist model? Isn’t it better for the EU to develop a partnership model with, rather than discriminate against, non-EU-based entities?

 

Discrimination based on the geographic location of the data intermediary or service provider reinforces the concept of a ‘Fortress Europe’. EU member states will run the risk of operating within a walled garden that delivers fewer benefits to citizens than would be the case if there were no barriers. I remember the direction that populations migrated when the Iron Curtain fell in 1989. They travelled west, towards a society that offered greater choices and a higher quality of services. Very few travelled east, further into the Soviet Union.

 

The EU has managed, with the passing of the GDPR, to adopt data protection standards that are virtually impossible for many organisations to fully comply with. Accordingly, I wouldn't be at all surprised if the EU were to follow it up with legislation that made it equally hard for European citizens to be able to take full advantage of the insights that can flow from the processing of non-personal data.



Friday, 16 October 2020

Is it still necessary for data protection laws to have particular processing rules for specific types of personal data?


I think not.

 

1.    European laws have special rules for the processing of “sensitive data” or “special category data” regardless of the context within which the data will be processed. This has been the case in the UK since the coming into force of the first (1984) Data Protection Act. But, just because it is an established concept, there is no reason not to ask whether the distinction is still appropriate.

 

2.    The existing list of special category data, which has its origins in the types of characteristics that were used in the last century to discriminate against minority groups, does not properly reflect today’s values. It is difficult, say, to justify the exclusion of an individual’s financial details, or their web browsing history, given the increasingly on-line lives that most UK citizens lead. If asked, many people might argue that such information was far more sensitive than information relating to their trade union membership, ethnic origin or religion.

 

3.    Some countries have already enacted data protection laws that do not recognise the concept of special category data. Indonesia, Hong Kong and Singapore are examples of such countries. I am not aware of calls from citizens of those countries to amend local laws to develop special rules for particular categories of personal data.

 

4.    Some countries have extended their lists of special category data beyond those set out in European law. Some countries include financial information. Kenya’s definition includes an individual’s property details, marital status, family details including the names of their children, parents, spouse or spouses. However, it is not yet clear how this expanded definition actually improves privacy protections for individuals.

 

5.    The key practical impact of the processing of special category data for data controllers is that an additional processing condition needs to be identified – but in my experience, Governments have historically been quite willing to pass secondary legislation to create a new condition to legitimise the processing when it has been too hard to link the processing purpose with an existing condition, and when consent is not an appropriate option. Eliminating this category of personal data will negate the need for secondary legislation to be developed.

 

6.    Eliminating the definition of this category of data will not, of itself, reduce the privacy protections that individuals enjoy. The UK GDPR does not alter the wording of the first half of Article 24 of the GDPR. Data controllers should still be required to take into account “the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.”  Article 24 goes on to provide that controllers must also “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation.” In my view, it is entirely possible for the UK to implement appropriate measures which provide robust privacy safeguards even if Article 9 of the GDPR is removed from UK law. 



Tuesday, 13 October 2020

Why have I joined the LinkedIn Data Protection Reform Group?


1.    There is an ongoing debate on the rights that data controllers should have, compared with the rights that private individuals should have. There’s also an ongoing debate on what role our national data protection supervisory authority should play in developing and enforcing privacy laws. Opposing views are passionately, genuinely and sincerely held, and I see little prospect of agreement on a middle course. But I see no reason for declining to contribute to policy discussions just because I know that others will disagree with me.

 

2.    Many opinion formers believe the GDPR is a gold standard containing data protection requirements that all countries should aspire to, and that any deviation from the GDPR necessarily dilutes privacy protections / rights to an unacceptably low level. I disagree. I see the GDPR as a step too far. The provisions impose very considerable administrative burdens on many data controllers, not all of which do much, if anything, to respect legitimate privacy rights.

 

3.    During the long discussions in the early part of the last decade which eventually led to political agreement amongst EU nations that the GDPR should be adopted, the UK’s negotiating team frequently argued against the imposition of onerous and bureaucratic provisions which set out in considerable detail how organisations should be required to run their privacy programmes. The UK now has an opportunity to review these initial reservations and develop laws that allow a more pragmatic approach which still delivers robust privacy protections for individuals. Some commentators do not wish to reopen these discussions. I disagree. Where there is evidence that the current provisions are unduly onerous or unworkable, we should ask whether a business case exists to alter them.

 

4.    Complexity is costly.  The more complex the rules are, the more resources may be required to provide assurance about the extent the organisation fully complies with the rules. Complexity provides consulting organisations with a stream of work, but it hinders smaller organisations that can’t access tailored compliance advice. Complexity also frustrates individuals who try to exercise information rights, only to learn that obscure exceptions to the rules actually result in them having fewer rights than they realised. 

 

5.    Data protection should be fun. Our relationship to work is one of the most important things in our lives. We should query the motives of those that have used the GDPR to develop vast bureaucracies that are ultimately pointless. While the key to corporate success is convincing people that you are worthwhile, I meet an increasing number of privacy professionals who are experiencing burnout. They feel trapped in a system that makes their work seem both joyless and endless.  

 

Sunday, 4 October 2020

Revise the GDPR


We are what we are
We don't want praise, we don't want pity
We bang our own drum
Some think it's noise, we think it's pretty
We promise that your human rights we will not mangle
We're the ones that try to see things from a different angle
Join us we’re going far
Join us and shout out
Revise the GDPR

 

We are what we are
And what we are needs no excuses
We’ll find a new way 
To cut out spam, stop data abuses
Our private lives, there's no consent you get no look in
Our private lives, you can't tell anyone where we’ve been 
Life's not worth a damn till we can shout out
We are what we are


We know what we want

Revise the GDPR

 

 

Thank you for the inspiration: Jerry Herman



 

Friday, 2 October 2020

My (data) fine is enormous


I am he as you are he as you are me and we are all together
See how they stun the world and my mum, see how they fine
I'm crying

 

Sitting in the courthouse, waiting for the man to come
Covid mask and goggles, stupid bloody Tuesday
Man, you been a naughty boy, you set your cookies wrong

 

I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob

 

Mister lead prosecutor sitting
Pretty little lawyers in a row
See how they drone “he should have known,” see how they fine
I'm crying, I'm crying
I'm crying, I'm crying

 

Instagram emojis 

Springing out from every screen
Acting like a fishwife, pornographic poses
Boy, you been a naughty girl you let your knickers down

 

I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob

 

Scrolling through new adult websites waiting for the one
Maria from Leeds, click accept
Far too old, I could have wept

 

I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob g'goo goo g'joob

 

Expert textpert smarmy barmy
Don't you think that lawyer laughs at you?
See how they smile, just fees on their mind
See how they charge
I'm crying

 

Hey Maria Pilchard,

Want a present for your baby shower?
Curtains for your bedroom, buy a family heirloom 
Have another go at blocking Edgar Allan Poe

I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob g'goo goo g'joob
Goo goo g'joob g'goo goo g'joob g'goo

 

 

Thank you for the inspiration: John Lennon, Paul McCartney & John Bowman

 

 


Sunday, 13 September 2020

Breaching the GDPR

 


Early train from Euston, just a croissant and two teas

Didn't get to eat last night

Who today will I see pleading on their knees
Liz, I had a dreadful fright
I've breached the GDPR
You don't know how lucky you are, boys
Breaching the GDPR

 

Been away so long I barely know the place
BC, it's good to be back home
Don't make me pack my case
Honey disconnect the phone
I'm fed up with the GDPR’s ploys
You don't know how lucky you are, boys
Breaching the GD

Breaching the GD

Breaching the GDPR

Well paid lawyers really knock me out
Leaving my team far behind
Privacy geeks make me scream and shout
Max Schrems is always on my my my my my my my mind
Oh, come on
Will I miss you when I’ve gone
Yeah, yeah, yeah, yeah

I'm fed up with the GDPR’s ploys
You don't know how lucky you are, boys
Breaching the GDPR

 

Show me your spreadsheets – all objectives coloured green 
Despite your breach there’s not a red box to be seen
You’re good at compliance – almost visionary
Let them off the hook, a fine isn’t necessary

Walking to the station, need a sandwich and a tea

Shouldn’t get so uptight 
I guess they don’t really care much for me
Wilmslow is not a delight
I’m done with the GDPR’s ploys
Hey, you don't know how lucky you are, boys
Stuff the GDPR

 

Thank you for the inspiration: John Lennon, Paul McCartney

 


Friday, 11 September 2020

Adequacy

 


In data protection law, transfers of personal data must be safeguarded by written contracts between the parties. If the personal data is transferred from the EU to a country which the European Commission has not recognised as having adequate data protection standards, special clauses, known as Standard Contractual Clauses (SCCs), are usually inserted in these contracts. In July 2020, a decision by the Court of Justice of the European Union made it virtually impossible for companies to determine whether the SCCs must be supplemented by additional clauses to ensure the personal data is appropriately protected.

 

From the beginning of 2021, the UK Government will have the ability to make it easier for UK data exporters to know what the UK’s data protection rules are. This ode assumes that the UK Government will rise to the challenge.  

 

My my
At Waterloo, Max Schrems we didn’t surrender
Oh yeah
And we will meet our destiny in quite a cunning way
The statute book on our shelf
Is always repeating itself

Adequacy – You were defeated, we won the war
Adequacy - Promise to love us for ever more
Adequacy - Couldn't escape if you wanted to
Adequacy - Knowing our fate is to be with you
Adequacy - Finally facing your Waterloo

 

My my
Noyb tried to hold us back, but we were stronger
Oh yeah
And now it seems your only chance is giving up the fight
How could you ever refuse
Shouldn’t claim that you win when you lose

Adequacy – We are the ones that will make it clear
Adequacy – Saying the words they all want to hear
Adequacy – Contracting with us is such a breeze
Adequacy – Doing away with SCCs
Adequacy - Finally facing your Waterloo

 

How could you ever refuse
Shouldn’t claim that you win when you lose

 

 

Thank you for the inspiration: Benny Goran Bror Andersson, Stig Anderson, Bjoern K. Ulvaeus, Lo-jung Chen, He Cheng, Yi Jia & John Bowman



Friday, 21 August 2020

What mixture of leadership styles should a decent data protection officer display?

 


I was recently asked this question and found it hard to answer. It takes a lot to be a decent DPO.  So much depends on the culture of the organisation and the resources available to the DPO. Notwithstanding the specific obligations that are set out in Section 4 of the General Data Protection Regulation, I’ve known some that operate as one-man-bands, working in virtual isolation from the rest of the organisation. I’ve known others who manage small and, in some cases, larger teams. I’ve also known privacy professionals who have directed or supported short-lived GDPR privacy transformation project teams that were created purely to help the organisation comply more completely with data protection laws and requirements.

 

The organisational psychologist Heather Bingham has drawn my attention to a list of common leadership styles that I'll be referring to in this article.

 

I’ve known privacy professionals who have failed because they have displayed a toxic mixture of some of these styles. 

 

I’ve also known privacy professionals who have felt that they have failed because, when joining a new organisation, they had not adapted what was a winning combination in a previous role to the culture that prevailed within their new organisation.

 

Autocratic

Some organisations have a very hierarchical and deferential culture. Job grade is seen as more important than actual technical knowledge, so the purpose of the DPO may be primarily to reduce quite complicated concepts to simple PowerPoint presentations for more senior people with little technical knowledge to skim read and formally approve whatever recommendations the DPO has drafted. The autocratic DPO may exist because virtually no one else in the organisation has sufficient knowledge of, or interest in, data protection matters, so their decisions will very rarely be challenged. While competent DPOs may have the technical knowledge and experience to make decisions quickly, they can also easily be overwhelmed with requests for advice and support. It’s hard to motivate staff in privacy teams if all the decisions are going to be taken by an autocratic DPO. 

 

Charismatic

Great DPOs have vision and can influence and inspire others. This requires a mixture of technical skills and also a willingness to accept a relatively high privacy risk. What advice or action really is appropriate, given the circumstances? It is not always the best approach simply to rely on every piece of advice that is uttered by staff working for data protection supervisory authorities. Regulatory opinions are what they say they are: only opinions. Ultimately, only the courts can determine the true extent of privacy law. This approach requires DPOs to develop their own ethical approach to key issues of the day, and then sell this approach to the organisation. The late comedian Ken Dodd once remarked that he never took his audience for granted. For each performance he felt he needed to start afresh and woo them. The same approach is often adopted by charismatic DPOs. 

 

Transformational

Some DPOs focus on outcomes. Teams must strive to work harder each year. More Subject Access Requests, for example, must be completed within the statutory time limits. Fewer privacy breaches must be identified. Records of Processing Activities must be regularly audited. A higher proportion of staff must pass the annual privacy learning programme’s knowledge test. Turnarounds for Privacy Impact Assessments must be improved, year on year. The daily grind of privacy work can be relentless, and while privacy metrics might improve, the morale of the staff at the privacy grindstone may not. 

 

Laissez-faire

An important way to promote accountability throughout an organisation is to educate and then devolve privacy decisions to others. This gives them an opportunity to better appreciate the privacy consequences of the decisions they take, particularly if they are then required to accept responsibility – and perhaps even apologise personally to those who have suffered as a result of their misjudgements. I’ve found that this approach also gives individuals a greater sense of pride in their daily work and in the decisions they take.  With effective supervision from the DPO, organisations can develop a strong culture of compliance that stands a good chance of being maintained when said DPO departs for pastures new.

 

Transactional

I’ve met few privacy staff who have job profiles that are supported by comprehensive operating instructions which explain precisely how each privacy task for which they are responsible should be completed. The absence of comprehensive sets of operating instructions can lead to inconsistencies in approach within privacy teams. When Privacy Impact or Privacy Breach Assessments, for example, are carried out by different members of staff, perhaps working in different locations, a lack of clear instructions explaining how to weight particular privacy risks can result in very different sets of privacy recommendations being made. Effective DPOs will ensure that comprehensive manuals exist to safeguard against inconsistent approaches. This approach enables staff to feel more confident that they are doing the right thing when they carry out their privacy tasks. 

 

Supportive

Many DPOs find the time to coach their colleagues and direct reports, which is often the only way that they are eventually able to offload some of their privacy work to anyone else within the organisation. Nurturing these supportive relationships takes considerable effort, though. It often takes some time for the privacy message to sink in. Some elements of privacy law, including a good few of the technical requirements that are set out in the GDPR, are not easy to comprehend.  DPOs may also find great value in engaging with support networks created by organisations such as the Data Protection Forum, NADPO and the IAPP KnowledgeNets. There is safety in numbers, or at least safety in appreciating that a DPO’s approach to a particular privacy issue is very similar to that adopted by their professional colleagues. 

 

Democratic

Some DPOs prefer an inclusive approach, where all the key decisions are taken by committees. A weakness with this approach is that key decisions can be delayed until the issues have been considered by the committee members. There is also a risk that other corporate stakeholders, if their personalities are sufficiently strong, can override the reasoned assessments that DPOs make when forming their recommendations. DPOs must always know when to accept that their advice will be ignored. But so long as this has been properly documented, and the advice correctly interpreted the law, the organisation can’t then lay all the blame on the DPO should a data protection supervisory authority decide to take enforcement action for a privacy transgression that results from the organisation’s failure to act in accordance with the advice.

 

 

I’ve also met privacy professionals who are just too tired to care too much about how they perform their day job. The demands placed upon them by their employers, and by virtue of the GDPR, have in some cases been overwhelming. Burnout certainly exists within the privacy profession.  


 

Wednesday, 19 August 2020

International data transfers: an opinion the EDPB (probably) won’t publish

One of the consequences of the Schrems II decision is that EU organisations need to take greater care in determining how best to protect the flows of personal data outside the EU. This means more than just considering whether Standard Contractual Clauses (SCCs) need to be incorporated in the contracts that the data exporters negotiate with the data importers. Historically, most data flows from the EU to non-adequate countries have been safeguarded through the use of SCCs. 

 

Following the decision, life isn’t as simple as that. The CJEU has said that EU organisations relying on SCCs must also, prior to transferring personal data, evaluate whether there is an “adequate level of protection” for personal data in the importing jurisdiction, and implement additional safeguards if there is not.  Data exports must cease when there are no additional safeguards that would ensure an “adequate level of protection.” 

 

A non-exhaustive list of elements that should be taken into account by the European Commission (EC) when assessing adequacy is set out in Article 45.2 of the GDPR. Article 45.3 requires each assessment to be regularly reviewed, at least every 4 years. Presumably EU exporting organisations should also adopt this approach.

 

This will cause an immense amount of work for each EU exporting organisation. In reality, it is likely that only the largest organisations will have the resources to commission such work, and each organisation could well use different criteria, in addition to the non-exhaustive list of elements set out in Article 45.2, to determine what an “adequate level of protection” actually means in practice. Such work will lead to chaos and inconsistency. This is surely not what the creators of the EU’s level data protection playing field had in mind. 

 

The decision also highlights the role of EU data protection supervisory authorities in assessing, and where necessary suspending or prohibiting data transfers to importing jurisdictions “where they take the view that the SCCs are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means.”

 

Given the role the decision requires the supervisory authorities to play, there will be intense interest in understanding precisely how the European Data Protection Board (EDPB) will encourage the supervisory authorities to adopt a consistent approach across the EU.  

 

In particular, the EDPB may be asked to publish an opinion which categorises Non-EU countries as follows:

 

1.    Countries that provide an adequate level of protection and where additional safeguards are not required;

2.    Countries that provide an adequate level of protection when SCCs are put in place;

3.    Countries that provide an adequate level of protection when SCCs and other specified safeguards are put in place;

4.    Countries that do not provide an adequate level of protection even when SCCs and other specified safeguards are put in place.

 

There are more than 100 countries that have enacted data protection laws. But what work has been commissioned by the EC (or the EDPB or its predecessor body, the Article 29 Working Party) to determine which laws are of an ‘adequate’ standard? In the past 20 years, the EC has managed to reach adequacy decisions on a pathetically small proportion (perhaps some 15%) of the non-EU countries that have data protection laws: 

 

            2000    Switzerland

            2001    Canada

            2003    Argentina & Guernsey

            2004    Isle of Man

            2008    Jersey

            2010    Andorra & the Faroe Islands 

            2011    Israel 

            2012    New Zealand & Uruguay

            2019    Japan 

 

Almost half of the decisions relate to tiny countries with relatively small volumes of personal data flows: Andorra (population 78,000); Faroe Islands (population 52,000); Guernsey (population 63,000); Isle of Man (population 83,000); and Jersey (population 107,000). Work on carrying out assessments of the data protection laws of many of the EC’s key trading partners does not appear to have commenced.

 

Such an opinion would be of immense value to EU organisations in helping them develop a consistent approach to transborder data flows, but it would be political dynamite. Which countries would the EDPB dare describe as not providing an adequate level of protection even when SCCs and other specified safeguards are put in place? Given the international trade repercussions for the EC, it would be a brave decision to put any country into that category. 

 

But what additional safeguards are necessary to supplement SCCs, and when need they be put in place? Given how inflexible so many parts of the GDPR are, it would be surprising if there were not a demand from some stakeholders for new rules to be established to address the privacy risks of the countries that fell within these categories.

 

If it is left to the EDPB to recommend an approach and to categorise non-EU countries as I have suggested, I suspect that political considerations will result in EU organisations waiting a very long time before such an opinion would emerge. 

 

 

 

[Image credit: thanks to the CNIL for their helpful guide to data protection laws around the world. Other organisations, such as DLA Piper, have great on-line resources, too] 



 

Monday, 17 August 2020

Data Protection: Where’s the Brexit Privacy Dividend?

One of the Government's core objectives throughout the Brexit negotiations has been to respect data protection rights, slash Brussels' red tape and allow the United Kingdom to be a competitive safe haven for businesses all over the world. With that in mind, how could the Government reduce its ties to the EU's 'data protection level playing field' while continuing to maintain a robust and effective data protection regime? 

 

If the EU’s ‘level data protection playing field’ means continuing to fully implement all aspects of European data protection law, including all aspects of the two-year-old General Data Protection Regulation (GDPR), then what was the point of Brexit? Is it really necessary for the UK to commit to continue to observe unnecessarily complex rules that so many organisations have struggled with, when so few benefits have been realised? 

 

The GDPR is meant to be a ‘living instrument’ – so committing to harmonising to GDPR standards would mean adopting European Data Protection Board (EDPB) decisions (over which the UK will have no say) and EU jurisprudence (ditto) going forward. This is a process that would never end.

 

Some UK organisations will inevitably have to follow all the EU’s data protection rules because they will continue to process the personal data of individuals in the EU. But these organisations are likely to form a small minority of the 738,769 data controllers that registered to pay data protection fees to the Information Commissioner’s Office (ICO) as at 31 March 2020. 

 

Removing the UK from the decision-making structures of the EDPB and its associated consistency mechanisms should result in the ICO (a) being able to better protect the UK public by reacting much faster to privacy breaches that affect people in the UK as well as those in the EU, and (b) quickly publishing appropriate guidance on matters of public concern. No longer might UK privacy pros feel obliged to wait for the publication of weirdly worded EDPB opinions. 

 

Removing the UK from the decision-making structures of the EU should also result in the UK Government feeling able to update other privacy legislation, such as the outdated Privacy & Electronic Communications Regulations, without having to delay for years and years until EU countries manage to reach a political consensus on the way ahead.    

 

The GDPR has had a profound impact on many organisations. Enormous amounts of money have been spent in a belated acknowledgement of, in many cases, decades of under investment on privacy issues. Whether all this money has been spent wisely by the GDPR implementation programmes is quite another matter.

 

Money spent on improving information security controls is always appropriate – and such expenditure should have been made, regardless of the GDPR. But organisations have also, for example, been required to create unknown numbers of ‘Records of Processing,’ many of which are totally useless in terms of providing an organisation with information that is actually relevant to its day-to-day business operations. 

 

Organisations have also spent many hours working out what legal basis each business process should rely on when personal data is processed. Who would have thought it likely that a supervisory authority would so quickly issue a €150k fine for using a privacy statement that referred to the wrong legal basis?  But this has already happened - in Greece. Was such a fine really appropriate?  I’ve never met anyone outside the privacy community who thought that privacy statements should include such details in the first place. It isn't easy to explain the concept that the exercise of a particular information right depends on the precise legal basis the organisation relies upon to process personal data. I’m mystified as to why the GDPR deliberately created such a complex web of rights. 

 

As Lee Bygrave, Professor of Law, Director of the Norwegian Research Centre for Computers and Law, University of Oslo, recently commented: “EU data protection law has taken a byzantine turn … All up, the EU data protection system has become a huge sprawling structure – a Kafkaesque castle full of semantic mazes, winding procedural alleys, subterranean cross-passages and conceptual echo chambers.”    

 

Brexit provides the UK with an amazing opportunity to review its current privacy laws and create standards that provide individuals and organisations with robust but simpler, more meaningful, data protection standards. 

 

Many European data protection opinion formers consider any UK divergence from the strict GDPR regime to be heresy. 

 

I think it’s worth the effort, though.

 

With the departure of the UK from the EU, the Government should exercise its own margin of appreciation about the extent to which it promotes and protects the ‘fundamental right’ of data protection. Should all aspects of data protection remain a fundamental right? Who, for example, ever thought that data portability should be a fundamental right until it appeared in a GDPR draft?

 

The UK should not feel obliged to embrace the entire EU privacy acquis when, on reflection, parts of some laws do not work as intended, or when some legal interpretations have perverse implications that unnecessarily paint everyone into a corner. 

 

Consider, for example, the mayhem that has just been caused by the Schrems II decision. The Court of Justice of the European Union took seven months to review the Advocate General’s non-binding opinion. Yet its final decision failed to provide sufficient practical guidance on precisely what controls are appropriate when personal data is exported from the EU to countries other than the 11 countries that apparently have ‘adequate’ privacy laws. A cursory glance at the immediate reactions published by EU data protection supervisory authorities indicates that, collectively, they haven't yet got a clue as to what to do. Some consulting firms have taken this opportunity to offer their own (untested) solutions to this almighty problem. 

 

The organisations that export personal data from the EU remain in a legal limbo. As do the organisations in the USA, and elsewhere, that import the personal data. Under the judgment, it is the exporter's responsibility to assess whether the law of the destination country guarantees protection essentially equivalent to that in the EU. If it doesn't, supplementary measures that enhance the protections provided by the EC’s Standard Contractual Clauses (SCCs) must be implemented. But what these measures are, and whether they would be sufficient: well, nobody knows.

 

Who in their right mind would want transborder data flows to be such a difficult issue for so many organisations to deal with? Notwithstanding the decision, which had immediate effect, I predict that almost all European data protection supervisory authorities will exercise a large degree of regulatory forbearance about these data flows for a good few months, or at least until they are provoked by pressure groups such as noyb.  

 

In future, why should the UK expect UK organisations to continue to use the EC’s SCCs to safeguard transborder data flows? A UK free from the constraints of the GDPR could commend its own set of SCCs for use by UK-established organisations when data is exported from the UK. This set could comprise recommended, rather than mandatory, clauses, allowing the parties a degree of flexibility over what is agreed. 

 

In future, why should the UK rely on the EC to determine when or whether SCCs are appropriate? If a test of adequacy is needed to determine when the UK SCCs should be used, the UK need not rely on a country’s membership of the EU or an EC adequacy assessment as the determining factor. It could simply recognise the 11 existing adequacy assessments and, in future, allow unimpeded data flows to and from all countries that sign the Council of Europe Convention 108+ (the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data). This approach would not be too heretical: although there are currently only 36 signatories to the protocol, of the EU member states (all of which are also members of the CoE) only Denmark has not yet signed it.

 

One final point. The UK’s data protection supervisory authority is undergoing the fastest expansion in its history. With such expansion should come a greater focus on ensuring that it delivers value for money. It is not an insignificant organisation. However, my Twitter feed doesn’t contain many tweets that praise the ICO’s work. UK data controllers paid registration fees totalling £48.7m to the ICO in 2018/19, a 24% increase on the previous year. Most may well have had virtually no engagement with any of the ICO’s 768 staff (720.3 full-time equivalents). Only a decade ago, the ICO had just 282 staff and an operating income of £11.3m; its annual report illustrates how much it achieved even on that budget. 

 

All UK organisations will, by now, have heard of the GDPR, but how many know enough about privacy laws to be able to explain how fully they comply?

 

And, does it really matter if the majority of them can’t fully comply?

 

Rather than clinging so tightly to the privacy rules that have been embedded within the GDPR, the Government could develop an alternative approach in a post Brexit world which ensures that: 

  • people in the UK benefit from robust and effective data protection standards;
  • UK organisations can demonstrate that appropriate data protection controls are in place; and 
  • the ICO delivers regulatory value for the money it spends. 

 

Heresy aside, Brexit ought to be capable of providing the UK with a data protection dividend.