Friday 16 October 2020

Is it still necessary for data protection laws to have particular processing rules for specific types of personal data?

I think not.


1.    European laws have special rules for the processing of “sensitive data” or “special category data” regardless of the context within which the data will be processed. This has been the case in the UK since the coming into force of the first (1984) Data Protection Act. But, just because it is an established concept, there is no reason not to ask whether the distinction is still appropriate.


2.    The existing list of special category data, which has its origins in the types of characteristics that were used in the last century to discriminate against minority groups, does not properly reflect today’s values. It is difficult, say, to justify the exclusion of an individual’s financial details, or their web browsing history, given the increasingly on-line lives that most UK citizens lead. If asked, many people might argue that such information was far more sensitive than information relating to their trade union membership, ethnic origin or religion.


3.    Some countries have already enacted data protection laws that do not recognise the concept of special category data. Indonesia, Hong Kong and Singapore are examples of such countries. I am not aware of calls from citizens of those countries to amend local laws to develop special rules for particular categories of personal data.


4.    Some countries have extended their lists of special category data beyond those set out in European law. Some countries include financial information. Kenya’s definition includes an individual’s property details, marital status, family details including the names of their children, parents, spouse or spouses. However, it is not yet clear how this expanded definition actually improves privacy protections for individuals.


5.    The key practical impact of the processing of special category data for data controllers is that an additional processing condition needs to be identified – but in my experience, Governments have historically been quite willing to pass secondary legislation to create a new condition to legitimise the processing when it has been too hard to link the processing purpose with an existing condition, and when consent is not an appropriate option. Eliminating this category of personal data will negate the need for secondary legislation to be developed.


6.    Eliminating the definition of this category of data will not, of itself, reduce the privacy protections that individuals enjoy. The UK GDPR does not alter the wording of the first half of Article 24 of the GDPR. Data controllers should still be required to take into account “the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.” Article 24 goes on to provide that controllers must also “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation.” In my view, it is entirely possible for the UK to implement appropriate measures which provide robust privacy safeguards even if Article 9 of the GDPR is removed from UK law.