Friday 16 October 2020

Is it still necessary for data protection laws to have particular processing rules for specific types of personal data?

I think not.


1.    European laws have special rules for the processing of “sensitive data” or “special category data” regardless of the context within which the data will be processed. This has been the case in the UK since the coming into force of the first (1984) Data Protection Act. But, just because it is an established concept, there is no reason not to ask whether the distinction is still appropriate.


2.    The existing list of special category data, which has its origins in the types of characteristics that were used in the last century to discriminate against minority groups, does not properly reflect today’s values. It is difficult, say, to justify the exclusion of an individual’s financial details, or their web browsing history, given the increasingly on-line lives that most UK citizens lead. If asked, many people might argue that such information was far more sensitive than information relating to their trade union membership, ethnic origin or religion.


3.    Some countries have already enacted data protection laws that do not recognise the concept of special category data. Indonesia, Hong Kong and Singapore are examples of such countries. I am not aware of calls from citizens of those countries to amend local laws to develop special rules for particular categories of personal data.


4.    Some countries have extended their lists of special category data beyond those set out in European law. Some countries include financial information. Kenya’s definition includes an individual’s property details, marital status, family details including the names of their children, parents, spouse or spouses. However, it is not yet clear how this expanded definition actually improves privacy protections for individuals.


5.    The key practical impact of the processing of special category data for data controllers is that an additional processing condition needs to be identified – but in my experience, Governments have historically been quite willing to pass secondary legislation to create a new condition to legitimise the processing when it has been too hard to link the processing purpose with an existing condition, and when consent is not an appropriate option. Eliminating this category of personal data will negate the need for secondary legislation to be developed.


6.    Eliminating the definition of this category of data will not, of itself, reduce the privacy protections that individuals enjoy. The UK GDPR does not alter the wording of the first half of Article 24 of the GDPR. Data controllers should still be required to take into account “the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.” Article 24 goes on to provide that controllers must also “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation.” In my view, it is entirely possible for the UK to implement appropriate measures which provide robust privacy safeguards even if Article 9 of the GDPR is removed from UK law.

Tuesday 13 October 2020

Why have I joined the LinkedIn Data Protection Reform Group?

1.    There is an ongoing debate on the rights that data controllers should have, compared with the rights that private individuals should have. There’s also an ongoing debate on what role our national Data Protection supervisory authority should play in developing and enforcing privacy laws. Opposing views are passionately, genuinely and sincerely held, & I see little prospect of agreement on a middle course. But, I see no reason for declining to contribute to policy discussions just because I know that others will disagree with me.


2.    Many opinion formers believe the GDPR is a gold standard containing data protection requirements that all countries should aspire to, and that any deviation from the GDPR necessarily dilutes privacy protections / rights to an unacceptably low level. I disagree. I see the GDPR as a step too far. The provisions impose very considerable administrative burdens on many data controllers, not all of which do much, if anything, to respect legitimate privacy rights.


3.    During the long discussions in the early part of the last decade which eventually led to political agreement amongst EU nations that the GDPR should be adopted, the UK’s negotiating team frequently argued against the imposition of onerous and bureaucratic provisions which set out in considerable detail how organisations should be required to run their privacy programmes. The UK now has an opportunity to review these initial reservations and develop laws that allow a more pragmatic approach which still delivers robust privacy protections for individuals. Some commentators do not wish to reopen these discussions. I disagree. Where there is evidence that the current provisions are unduly onerous or unworkable, we should ask whether a business case exists to alter them.


4.    Complexity is costly. The more complex the rules are, the more resources may be required to provide assurance about the extent to which the organisation fully complies with the rules. Complexity provides consulting organisations with a stream of work, but it hinders smaller organisations that can’t access tailored compliance advice. Complexity also frustrates individuals who try to exercise information rights, only to learn that obscure exceptions to the rules actually result in them having fewer rights than they realised.


5.    Data protection should be fun. Our relationship to work is one of the most important things in our lives. We should query the motives of those that have used the GDPR to develop vast bureaucracies that are ultimately pointless. While the key to corporate success is convincing people that you are worthwhile, I meet an increasing number of privacy professionals who are experiencing burnout. They feel trapped in a system that makes their work seem both joyless and endless.


Sunday 4 October 2020

Revise the GDPR

We are what we are
We don't want praise, we don't want pity
We bang our own drum
Some think it's noise, we think it's pretty
We promise that your human rights we will not mangle
We're the ones that try to see things from a different angle
Join us we’re going far
Join us and shout out
Revise the GDPR


We are what we are
And what we are needs no excuses
We’ll find a new way 
To cut out spam, stop data abuses
Our private lives, there's no consent you get no look in
Our private lives, you can't tell anyone where we’ve been 
Life's not worth a damn till we can shout out
We are what we are

We know what we want

Revise the GDPR



Thank you for the inspiration: Jerry Herman


Friday 2 October 2020

My (data) fine is enormous

I am he as you are he as you are me and we are all together
See how they stun the world and my mum, see how they fine
I'm crying


Sitting in the courthouse, waiting for the man to come
Covid mask and goggles, stupid bloody Tuesday
Man, you been a naughty boy, you set your cookies wrong


I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob


Mister lead prosecutor sitting
Pretty little lawyers in a row
See how they drone “he should have known,” see how they fine
I'm crying, I'm crying
I'm crying, I'm crying


Instagram emojis 

Springing out from every screen
Acting like a fishwife, pornographic poses
Boy, you been a naughty girl you let your knickers down


I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob


Scrolling through new adult websites waiting for the one
Maria from Leeds, click accept
Far too old, I could have wept


I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob g'goo goo g'joob


Expert textpert smarmy barmy
Don't you think that lawyer laughs at you?
See how they smile, just fees on their mind
See how they charge
I'm crying


Hey Maria Pilchard,

Want a present for your baby shower?
Curtains for your bedroom, buy a family heirloom 
Have another go at blocking Edgar Allan Poe

I am the bad man, I spammed some good men
My fine is enormous, goo goo g'joob g'goo goo g'joob
Goo goo g'joob g'goo goo g'joob g'goo



Thank you for the inspiration: John Lennon, Paul McCartney & John Bowman