tag:blogger.com,1999:blog-75200122758931372852024-02-21T00:04:30.775-08:00Data ProtectorData Protectorhttp://www.blogger.com/profile/15057767713049545333noreply@blogger.comBlogger759125tag:blogger.com,1999:blog-7520012275893137285.post-28031088164100073412023-11-15T10:17:00.000-08:002023-11-15T10:17:32.364-08:00Thank you and farewell<p>After a period of silence it's now time to close this blog. I've lost the motivation I once had to put my head above the data protection parapet. I'm no longer deeply engaged in issues that filled my working life and these days am much more interested in providing a decent home for my puppy. Others can engage in endless battles with people whose views are so very different to my own. I'm happy with the changes I've managed to make over the years and will remain deeply frustrated that at other times I failed to act in ways that might have made lives easier for other people. Occasionally the stress of dealing with issues that I still find hard to talk about affected me very deeply. But most times I've had a hugely enjoyable career.</p><p>I've reached the stage where I no longer want to work as a data protection professional. I can't motivate myself to maintain or even pretend to have an interest in matters that many data protection professionals feel they need to be concerned about. Looking back at my work pattern and output I have realised that so much of the daily grind was so unnecessary.</p><p>Thank you for your good wishes and support over the years that the blog has been active. 
</p><p><br /></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-22089669278882602032022-07-22T04:31:00.000-07:002022-07-22T04:31:22.106-07:00Personal Data Breach Notification – it's time to scrap the unfair rules that have been imposed on Communication Service providers<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCqc44QUBW_fjfkSMnqHByMJn0hJwqGQcd8wde4LuV7umsL9hQP2nld7U7tcarlsZRyxdbTWlp_X8QCO-jY_4mFhVODE1Rjb6ovXm53P13tRoQoF5fhnwCha1bdzZMMjDeMRRXfJm6Cs37UiRGSDubcwJGqqma8Me66O63xyqieZ8DZBJ1Rgi8yBNA/s1064/Screenshot%202022-07-22%20at%2010.41.07.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="309" data-original-width="1064" height="93" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCqc44QUBW_fjfkSMnqHByMJn0hJwqGQcd8wde4LuV7umsL9hQP2nld7U7tcarlsZRyxdbTWlp_X8QCO-jY_4mFhVODE1Rjb6ovXm53P13tRoQoF5fhnwCha1bdzZMMjDeMRRXfJm6Cs37UiRGSDubcwJGqqma8Me66O63xyqieZ8DZBJ1Rgi8yBNA/s320/Screenshot%202022-07-22%20at%2010.41.07.png" width="320" /></a></div>In <span style="font-family: Calibri, sans-serif; font-size: 11pt;">August 2013 the European Commission introduced <a href="https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:173:0002:0008:EN:PDF">new rules</a> to require Communication Service Providers to report all personal data breaches, no matter how minor, to local data protection regulators within 24 hours of the incident being detected [Art 2]. Reporting delays would result in providers being subject to ICO fines. 
Significant breaches were also required to be reported to the impacted individuals [Art 3].</span><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;">The new rules also required the European Commission to report by 2016 on the effectiveness of these new rules and their impact on providers, subscribers and individuals. On the basis of that report, the Commission would review the rules. I’m not aware that such a report was ever published, however. If it was, I can't find it.</span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;">This was the European Commission’s first attempt at mandatory breach notification. The coming into force of the GDPR resulted in breach notification rules being extended to organisations in all economic sectors, although these organisations were permitted a longer time to report (within 72 hours of the incident being detected) and they were able to use their discretion not to notify data protection regulators of minor incidents. 
</span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;">I’m well aware of the huge administrative burdens that these rules imposed on providers, and the awful pressure (and long hours) put on people who often worked late into the night to submit (mostly) pointless breach reports on the ICO’s breach portal every day. Yes, it gives the ICO’s enforcement staff something to do each day, but I trust that the ICO’s new strategy will recognise the futility of this mindless work, and that it can see the value in being able to redeploy staff to more significant tasks.</span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;">It’s time for a Brexit dividend. 
</span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;">It’s time that organisations in all economic sectors are subjected to the same breach notification rules.</span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;">It’s time for the Data Protection and Digital Information Bill to be amended to abolish the old rules and require providers to adopt the data breach reporting rules that apply in all other sectors. </span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;">It's time for the DCMS to admit that it was a mistake not to include this provision in the Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019. 
It's depressing to read the draft SI's <a href="https://assets.publishing.service.gov.uk/media/5c6ab004ed915d4a3506ad58/EM_to_the_Electronic_Communications__Amendment_etc___EU_Exit__Regulations_2019.pdf">Explanatory Memorandum</a> and learn that no formal consultation took place with providers on this specific matter. Evidently the unfair breach reporting rules are deficiencies that are 'minor in nature' - so providers should put up with them.</span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;">I say no, these unfair rules should go.</span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></div><div><span style="background: var(--artdeco-reset-base-background-transparent); caret-color: rgba(0, 0, 0, 0.9); color: rgba(0, 0, 0, 0.9); font-family: Calibri, sans-serif; font-size: 11pt;">Goodbye and good riddance, Commission Regulation 611/2013!</span><p></p></div>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-23701961491169893852021-03-21T08:27:00.003-07:002021-03-21T08:27:31.691-07:00My Top Tips for the UK’s Next Information Commissioner<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaFvcBaW0GKpy2sLpEQ9nv6GeuPFzv9z7J4hF923Q3erwaXvEXW2_XcXzukIizU8plxQ9VtaQTNh6ArhQo6YZuM0PClLqRi7Q3GkEpfONg-Vr_BuBlg5ABKI8CwC5ka0s6KzcQxigvLuA/s966/Screen+Shot+2021-03-21+at+15.21.34.png" 
imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="700" data-original-width="966" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaFvcBaW0GKpy2sLpEQ9nv6GeuPFzv9z7J4hF923Q3erwaXvEXW2_XcXzukIizU8plxQ9VtaQTNh6ArhQo6YZuM0PClLqRi7Q3GkEpfONg-Vr_BuBlg5ABKI8CwC5ka0s6KzcQxigvLuA/s320/Screen+Shot+2021-03-21+at+15.21.34.png" width="320" /></a></div><br /><p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">The UK’s data protection community isn't easy to please. Privacy is big business these days, and many of its opinion formers take to social media platforms to generate noise and controversy. 
<o:p></o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><o:p> </o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">Why? <o:p></o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><o:p> </o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">Because noise and controversy sells. 
It sells seats at privacy conferences and it sells consulting time – which can be dangerous when there are no entry barriers to the privacy consulting trade. Noise and controversy are also the lifeblood of the privacy NGOs. Most exist to please their funders, so expect fireworks from these folks, too. <o:p></o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><o:p> </o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">Amidst the privacy hype and noise, here are my top tips to make your life less challenging than it otherwise will be:<o:p></o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><o:p> </o:p></p><p class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span 
style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;">1.<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]-->Work from Wilmslow. Many privacy pros may work remotely, but you've been selected to set an example and to lead from the front. You will have a huge team at your disposal and they need to know that you’re as committed to Wilmslow as they are.<o:p></o:p></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;">2.<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]-->Embrace conflict. Whatever you try, you’re likely to be opposed, either from the privacy pragmatists or the privacy Taliban. Don’t take conflict personally. You’re just doing your job.<o:p></o:p></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;">3.<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]-->Expect to be opposed from within the ICO, as well as from without. The organisation has grown so fast that it’s impossible to expect everyone in it to share the same outlook as you. You may not even realise how you are being undermined until some brave DPO quietly shares with you their experiences of working with your staff.<o:p></o:p></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;">4.<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]-->Don't think you will get it right all the time. 
Key parts of privacy laws are in a right mess, and any attempt to help clarify or simplify the law can easily backfire, especially if it requires primary legislation.<o:p></o:p></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;">5.<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]-->The UK may have left the EU, but it hasn't (yet) escaped from the acquis of European privacy law. In helping deliver the Government’s National Data Strategy, it’s OK to embrace a ‘UK First’ approach. You are the UK’s Information Commissioner. You are not someone who has been parachuted in to challenge British values.<o:p></o:p></p><p class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;">6.<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]-->Relax. The £200,000 salary won’t adequately compensate you for what you will experience, but you’ll only serve a single seven-year term in office. By the end, you’ll (probably) have received a nice gong and a lucrative offer from another organisation. 
<span> </span><o:p></o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><o:p> </o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><o:p> </o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><o:p> </o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><o:p></o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; 
-webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><o:p> </o:p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: Calibri, sans-serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">source:<o:p></o:p></p><p><style class="WebKit-mso-list-quirks-style">
</style></p><p class="MsoNormal" style="font-size: medium;">https://tinyurl.com/5x635y55<o:p></o:p></p><p class="MsoNormal" style="font-size: medium;"><br /></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-89417578318511139572020-11-09T07:36:00.002-08:002020-11-09T07:36:44.480-08:00The EU’s draft Data Governance Act: an own goal?<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYpRHJkvykBLRRH5cL2-5o3MLLP-BuFkOqi_jcrfsFTdaKgEwoUKqVuEyFR7JcHA8mpRYtU-zyka27s-AwRS5gkL6ZOZoP9YkRaPL9on5ge_dydwiyzrONHvAlMMDVkAgoobXQadkXK54/s875/Screen+Shot+2020-11-09+at+15.33.54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="664" data-original-width="875" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYpRHJkvykBLRRH5cL2-5o3MLLP-BuFkOqi_jcrfsFTdaKgEwoUKqVuEyFR7JcHA8mpRYtU-zyka27s-AwRS5gkL6ZOZoP9YkRaPL9on5ge_dydwiyzrONHvAlMMDVkAgoobXQadkXK54/s320/Screen+Shot+2020-11-09+at+15.33.54.png" width="320" /></a></div><br /><p></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">The EU’s draft Data Governance Act is designed to facilitate the greater sharing of non-Personal data within the EU. Such big data ought to provide new insights and benefit the lives of EU citizens, the EU thinking goes. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">The Act is also designed to prevent access and use by non-EU based data intermediaries such as those that may be established in the UK, or elsewhere in the world. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Will this prohibition result in UK-based organisations operating at a competitive disadvantage? They won’t be entitled to act as data intermediaries. Conversely, the EU-established data intermediaries will face difficulties in tapping the deep talent pool of non-EU based information experts. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Might this prohibition result in UK-focussed data services operating at a comparative disadvantage? The AI-based service models that will be developed for the benefit of UK citizens won’t be able to take advantage of the training data available to EU-focussed service providers.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Why is it in the best interests of the EU to adopt this protectionist model? 
Isn’t it better for the EU to develop a partnership model with, rather than discriminate against non EU-based entities?<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Discrimination based on the geographic location of the data intermediary / service provider reinforces the concept of a ‘Fortress Europe’. EU member states will run the risk of operating within a walled garden that delivers fewer benefits to citizens than would be the case if there were no barriers. I remember the direction that populations migrated when the Iron Curtain fell in 1991. They travelled west, towards a society that offered greater choices and a higher quality of services. Very few travelled to the east, further into the Soviet Union.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">The EU has managed, with the passing of the GDPR, to adopt data protection standards that are virtually impossible for many organisations to fully comply with. 
Accordingly, I wouldn't be at all surprised if the EU were to follow it up with legislation that made it equally hard for European citizens to be able to take full advantage of the insights that can flow from the processing of non-personal data.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"><br /></span></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-33862881782509143752020-10-16T06:49:00.000-07:002020-10-16T06:49:16.323-07:00Is it still necessary for data protection laws to have particular processing rules for specific types of personal data?<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZUWLQHFv6qorX1rq8eKu28Ubil7_EPiu-lsNoDcxY0F2j8hRd8n5ddJ7qBHdehtjLv_h1aO7cos32jt6Rn1Pyoq0LgH6IUqIsJOPbvz0sKbuDi9kpwnQavVBEP5bIhSXD6S14xPFKi7A/s329/DPRG.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="154" data-original-width="329" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZUWLQHFv6qorX1rq8eKu28Ubil7_EPiu-lsNoDcxY0F2j8hRd8n5ddJ7qBHdehtjLv_h1aO7cos32jt6Rn1Pyoq0LgH6IUqIsJOPbvz0sKbuDi9kpwnQavVBEP5bIhSXD6S14xPFKi7A/s320/DPRG.jpg" width="320" /></a></div><br /><style class="WebKit-mso-list-quirks-style">
</style><p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-size: 11pt;">I think not.<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span style="font-size: 11pt;"> </span></p><p class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span style="font-size: 11.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">1.<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; line-height: normal;"> </span></span><!--[endif]--><span style="font-size: 11pt;">European laws have special rules for the processing of “sensitive data” or “special category data” regardless of the context within which the data will be processed. This has been the case in the UK since the coming into force of the first (1984) Data Protection Act. But, just because it is an established concept, there is no reason not to ask whether the distinction is still appropriate.<o:p></o:p></span></p><p class="MsoListParagraphCxSpMiddle" style="font-size: medium;"><span style="font-size: 11pt;"> </span></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span style="font-size: 11.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">2.<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; line-height: normal;"> </span></span><!--[endif]--><span style="font-size: 11pt;">The existing list of special category data, which has its origins in the types of characteristics that were used in the last century to discriminate against minority groups, does not properly reflect today’s values. It is difficult, say, to justify the exclusion of an individual’s financial details, or their web browsing history, given the increasingly on-line lives that most UK citizens lead. 
If asked, many people might argue that such information was far more sensitive than information relating to their trade union membership, ethnic origin or religion.<o:p></o:p></span></p><p class="MsoListParagraphCxSpMiddle" style="font-size: medium;"><span style="font-size: 11pt;"> </span></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span style="font-size: 11.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">3.<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; line-height: normal;">     </span></span><!--[endif]--><span style="font-size: 11pt;">Some countries have already enacted data protection laws that do not recognise the concept of special category data. Indonesia, Hong Kong and Singapore are examples of such countries. I am not aware of calls from citizens of those countries to amend local laws to develop special rules for particular categories of personal data.<o:p></o:p></span></p><p class="MsoListParagraphCxSpMiddle" style="font-size: medium;"><span style="font-size: 11pt;"> </span></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span style="font-size: 11.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">4.<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; line-height: normal;">     </span></span><!--[endif]--><span style="font-size: 11pt;">Some countries have extended their lists of special category data beyond those set out in European law. Some countries include financial information. Kenya’s definition includes an individual’s property details, marital status, family details including the names of their children, parents, spouse or spouses. 
However, it is not yet clear how this expanded definition actually improves privacy protections for individuals.<o:p></o:p></span></p><p class="MsoListParagraphCxSpMiddle" style="font-size: medium;"><span style="font-size: 11pt;"> </span></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span style="font-size: 11.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">5.<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; line-height: normal;"> </span></span><!--[endif]--><span style="font-size: 11pt;">The key practical impact of the processing of special category data for data controllers is that an additional processing condition needs to be identified – but in my experience, Governments have historically been quite willing to pass secondary legislation to create a new condition to legitimise the processing when it has been too hard to link the processing purpose with an existing condition, and when consent is not an appropriate option. Eliminating this category of personal data will negate the need for secondary legislation to be developed.<o:p></o:p></span></p><p class="MsoListParagraphCxSpMiddle" style="font-size: medium;"><span style="font-size: 11pt;"> </span></p><p class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]--><span style="font-size: 11.0pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">6.<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; line-height: normal;"> </span></span><!--[endif]--><span style="font-size: 11pt;">Eliminating the definition of this category of data will not, of itself, reduce the privacy protections that individuals enjoy. The UK GDPR does not alter the wording of the first half of Article 24 of the GDPR. 
Data controllers should still be required to take into account “<i>the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons</i>.” Article 24 goes on to provide that controllers must also “<i>implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation</i>.” In my view, it is entirely possible for the UK to implement appropriate measures which provide robust privacy safeguards even if Article 9 of the GDPR is removed from UK law. <o:p></o:p></span></p><p class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><span style="font-size: 11pt;"><br /></span></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-70921015027352635982020-10-13T08:21:00.002-07:002020-10-13T08:23:27.470-07:00Why have I joined the LinkedIn Data Protection Reform Group? <p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD58Zm-NSNb2xhQuzQsQIJD4Lzbtr0j9tMwIW2IOh_SccKNz1Y2UsknlCx-gBhk_oaE5yG-flmmi37xjW1Zr0w52wwwrh72Mf-Xd1rBMaK34WsKVut1wq5KZbD7Yr3zxUQHFl_FEdZfg0/s329/DPRG.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="154" data-original-width="329" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD58Zm-NSNb2xhQuzQsQIJD4Lzbtr0j9tMwIW2IOh_SccKNz1Y2UsknlCx-gBhk_oaE5yG-flmmi37xjW1Zr0w52wwwrh72Mf-Xd1rBMaK34WsKVut1wq5KZbD7Yr3zxUQHFl_FEdZfg0/s320/DPRG.jpg" width="320" /></a></div><br /><style class="WebKit-mso-list-quirks-style">
</style><p></p><p class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]-->1.<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; line-height: normal;"> </span><!--[endif]-->There is an ongoing debate on the rights that data controllers should have, compared with the rights that private individuals should have. There’s also an ongoing debate on what role our national Data Protection supervisory authority should play in developing and enforcing privacy laws. Opposing views are passionately, genuinely and sincerely held, & I see little prospect of agreement on a middle course. But, I see no reason for declining to contribute to policy discussions just because I know that others will disagree with me.<o:p></o:p></p><p class="MsoListParagraphCxSpMiddle" style="font-size: medium;"><o:p> </o:p></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]-->2.<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; line-height: normal;"> </span><!--[endif]-->Many opinion formers believe the GDPR is a gold standard containing data protection requirements that all countries should aspire to, and that any deviation from the GDPR necessarily dilutes privacy protections / rights to an unacceptably low level. I disagree. I see the GDPR as a step too far. 
The provisions impose very considerable administrative burdens on many data controllers, not all of which do much, if anything, to respect legitimate privacy rights.<o:p></o:p></p><p class="MsoListParagraphCxSpMiddle" style="font-size: medium;"><o:p> </o:p></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]-->3.<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; line-height: normal;">     </span><!--[endif]-->During the long discussions in the early part of the last decade which eventually led to political agreement amongst EU nations that the GDPR should be adopted, the UK’s negotiating team frequently argued against the imposition of onerous and bureaucratic provisions which set out in considerable detail how organisations should be required to run their privacy programmes. The UK now has an opportunity to review these initial reservations and develop laws that allow a more pragmatic approach which still delivers robust privacy protections for individuals. Some commentators do not wish to reopen these discussions. I disagree. Where there is evidence that the current provisions are unduly onerous or unworkable, we should ask whether a business case exists to alter them.<o:p></o:p></p><p class="MsoListParagraphCxSpMiddle" style="font-size: medium;"><o:p> </o:p></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]-->4.<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; line-height: normal;">     </span><!--[endif]-->Complexity is costly. The more complex the rules are, the more resources may be required to provide assurance about the extent to which the organisation fully complies with the rules. Complexity provides consulting organisations with a stream of work, but it hinders smaller organisations that can’t access tailored compliance advice. 
Complexity also frustrates individuals who try to exercise information rights, only to learn that obscure exceptions to the rules actually result in them having fewer rights than they realised. <o:p></o:p></p><p class="MsoListParagraphCxSpMiddle" style="font-size: medium;"><o:p> </o:p></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18.0pt;"><!--[if !supportLists]-->5.<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; line-height: normal;">     </span><!--[endif]-->Data protection should be fun. Our relationship to work is one of the most important things in our lives. We should query the motives of those that have used the GDPR to develop vast bureaucracies that are ultimately pointless. While the key to corporate success is convincing people that you are worthwhile, I meet an increasing number of privacy professionals who are experiencing burnout. They feel trapped in a system that makes their work seem both joyless and endless. 
<o:p></o:p></p><p class="MsoListParagraphCxSpLast" style="font-size: medium;"><o:p> </o:p></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-53568773984168903112020-10-04T08:54:00.002-07:002020-10-04T08:54:52.152-07:00Revise the GDPR<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGGcbyaLlG22eQgjJM0zc434tOAl2p6t9sPQZXibJ1k6aoIjrU1TFMXPDdgiW7K2ZsvThs1Q5e4Nvu_MhZg53bdH025cjtplDkA27xJqbDlIyaD01GJMyGtSPkQZZoZ3e_sP7A5jh11Zs/s2000/iStock_000021405196XLarge-glitter-ball.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1333" data-original-width="2000" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGGcbyaLlG22eQgjJM0zc434tOAl2p6t9sPQZXibJ1k6aoIjrU1TFMXPDdgiW7K2ZsvThs1Q5e4Nvu_MhZg53bdH025cjtplDkA27xJqbDlIyaD01GJMyGtSPkQZZoZ3e_sP7A5jh11Zs/s320/iStock_000021405196XLarge-glitter-ball.jpg" width="320" /></a></div><br /><p></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">We are what we are<br />We don't want praise, we don't want pity<br />We bang our own drum<br />Some think it's noise, we think it's pretty<br />We promise that your human rights we will not mangle<br />We're the ones that try to see things from a different angle<br />Join us we’re going far<br />Join us and shout out<br />Revise the GDPR<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">We are what we are<br />And what we are needs no excuses<br />We’ll find a new way <br />To cut out spam, stop data abuses<br />Our 
private lives, there's no consent you get no look in<br />Our private lives, you can't tell anyone where we’ve been <br />Life's not worth a damn till we can shout out<br />We are what we are<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">We know what we want<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Revise the GDPR<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Thank you for the inspiration: Jerry Herman<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-87934760943863477622020-10-02T05:51:00.003-07:002020-10-05T06:28:24.451-07:00My (data) fine is enormous<p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIWtN2NAo9OZd07OuXrlRfE04LuL3-jwb2NeI4T_LudQifTtzGmoxU-ckTkdYOCCnqoJaNP3BWD1amTysAI_8Ietpw1kAtljIG28HUCrNnpNyBSk2Sa9V8zm7cMSCnlnkna7ZZD5NFs0A/s875/walrus2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="583" data-original-width="875" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIWtN2NAo9OZd07OuXrlRfE04LuL3-jwb2NeI4T_LudQifTtzGmoxU-ckTkdYOCCnqoJaNP3BWD1amTysAI_8Ietpw1kAtljIG28HUCrNnpNyBSk2Sa9V8zm7cMSCnlnkna7ZZD5NFs0A/s320/walrus2.jpg" width="320" /></a></div><br /><p></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 15pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">I am he as you are he as you are me and we are all together<br />See how they stun the world and my mum, see how they fine<br />I'm crying<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Sitting in the courthouse, waiting for the man to come<br />Covid mask and goggles, stupid bloody Tuesday<br />Man, you been a naughty boy, you set your cookies wrong<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">I am the bad man, I spammed some good men<br />My fine is enormous, goo goo g'joob<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 
18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Mister lead prosecutor sitting<br />Pretty little lawyers in a row<br />See how they drone “he should have known,” see how they fine<br />I'm crying, I'm crying<br />I'm crying, I'm crying<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Instagram emojis <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Springing out from every screen<br />Acting like a fishwife, pornographic poses<br />Boy, you been a naughty girl you let your knickers down<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">I am the bad man, I spammed some good men<br />My fine is enormous, goo goo g'joob<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Scrolling through new adult websites waiting for the one<br />Maria from Leeds, click accept<br />Far too old, I could have wept<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 
0.0001pt;"><span style="font-size: 11pt;">I am the bad man, I spammed some good men<br />My fine is enormous, goo goo g'joob g'goo goo g'joob<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Expert textpert smarmy barmy<br />Don't you think that lawyer laughs at you?<br />See how they smile, just fees on their mind<br />See how they charge<br />I'm crying<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Hey Maria Pilchard,<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Want a present for your baby shower?<br />Curtains for your bedroom, buy a family heirloom <br />Have another go at blocking Edgar Allan Poe<br /><br /><o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">I am the bad man, I spammed some good men<br />My fine is enormous, goo goo g'joob g'goo goo g'joob<br />Goo goo g'joob g'goo goo g'joob g'goo<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;">Thank you for the 
inspiration: John Lennon, Paul McCartney & John Bowman<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span face="Arial, sans-serif" style="color: #111111; font-size: 18pt;"> </span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt;"><span face="Arial, sans-serif" style="color: #111111; font-size: 18pt;"><br /></span></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-83914546977794175182020-09-13T04:47:00.014-07:002020-09-13T06:22:20.877-07:00Breaching the GDPR<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4vhN_vUqz1nD64mc6r7WYZ0aEwt0OFPg4gx0Fl_QmzljCCYl0pRCk8Y5y8XnwzKdUoTf7_nI3CBx0CXj_G79nvE5n_H4ldFh9pql52-8UnwZDOoq-A_TsLSE-GQn3kBxUgxnDwhNnmx8/s700/s-l1000.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="419" data-original-width="700" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4vhN_vUqz1nD64mc6r7WYZ0aEwt0OFPg4gx0Fl_QmzljCCYl0pRCk8Y5y8XnwzKdUoTf7_nI3CBx0CXj_G79nvE5n_H4ldFh9pql52-8UnwZDOoq-A_TsLSE-GQn3kBxUgxnDwhNnmx8/s320/s-l1000.jpg" width="320" /></a></div><br /><p></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Early train from Euston, just a croissant and two teas<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Didn't get to eat last night<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; 
line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Who today will I see pleading on their knees<br />Liz, I had a dreadful fright<br />I've breached the GDPR<br />You don't know how lucky you are, boys<br />Breaching the GDPR<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Been away so long I barely know the place<br />BC, it's good to be back home<br />Don't make me pack my case<br />Honey disconnect the phone<br />I'm fed up with the GDPR’s ploys<br />You don't know how lucky you are, boys<br />Breaching the GD<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Breaching the GD<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Breaching the GDPR<br /><br /><o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Well paid lawyers really knock me out<br />Leaving my team far behind<br />Privacy geeks make me scream and shout<br />Max Schrems is always on my my my my my my my mind<br />Oh, come on<br />Will I miss you when I’ve gone<br />Yeah, yeah, yeah, yeah<br /><br /><o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">I'm fed up with the 
GDPR’s ploys<br />You don't know how lucky you are, boys<br />Breaching the GDPR<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Show me your spreadsheets – all objectives coloured green <br />Despite your breach there’s not a red box to be seen<br />You’re good at compliance – almost visionary<br />Let them off the hook, a fine isn’t necessary<br /><br /><o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Walking to the station, need a sandwich and a tea<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Shouldn’t get so uptight <br />I guess they don’t really care much for me<br />Wilmslow is not a delight<br />I’m done with the GDPR’s ploys<br />Hey, you don't know how lucky you are, boys<br />Stuff the GDPR<br /><br /><o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 12pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 12pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Thank you for the inspiration: John Lennon, Paul McCartney<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; margin: 0cm 0cm 0.0001pt;"><o:p> </o:p></p><p class="MsoNormal" style="font-family: "times new roman", serif; margin: 0cm 0cm 
0.0001pt;"><o:p><br /></o:p></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-91024859059814139982020-09-11T03:10:00.001-07:002020-09-11T03:16:07.189-07:00Adequacy<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3bNtTTK02jivQoPS_ju6VGEkePmhAX81IF4zPxFLifOPoDVCEfCJ-IbGppUFGOU6dmY2H8Kx74MOEDx3wZLnFVOHhg9corSirxkLlKt2fXsPQLkS2AHaaFvONqFNx1Ct4XzDNXuZ6VVA/s595/Screen+Shot+2020-09-11+at+10.54.15.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="592" data-original-width="595" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3bNtTTK02jivQoPS_ju6VGEkePmhAX81IF4zPxFLifOPoDVCEfCJ-IbGppUFGOU6dmY2H8Kx74MOEDx3wZLnFVOHhg9corSirxkLlKt2fXsPQLkS2AHaaFvONqFNx1Ct4XzDNXuZ6VVA/s320/Screen+Shot+2020-09-11+at+10.54.15.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><p></p><p class="bparactl" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">In data protection law, transfers of personal data must be safeguarded by written contracts between the parties. If the personal data is transferred from the EU to a country which the European Commission has not recognised as having adequate data protection standards, special clauses, known as SCCs, are usually inserted in these contracts. 
In July 2020, a <a href="https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf" style="color: #954f72;">decision</a> by the European Court of Justice made it virtually impossible for companies to determine whether the SCCs must be supplemented by additional clauses to ensure the personal data is appropriately protected.<o:p></o:p></span></p><div class="separator" style="clear: both;"><p class="bparactl" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;"> </span></p><p class="bparactl" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">From the beginning of 2021, the UK Government will have the ability to make it easier for UK data exporters to know what the UK’s data protection rules are. This ode assumes that the UK Government will rise to the challenge. <o:p></o:p></span></p><p class="bparactl" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;"> </span></p><p class="bparactl" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">My my<br />At Waterloo, Max Schrems we didn’t surrender<br />Oh yeah<br />And we will meet our destiny in quite a cunning way<br />The statute book on our shelf<br />Is always repeating itself<br /><br /><o:p></o:p></span></p><p class="bparactl" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Adequacy – You were defeated, we won the war<br />Adequacy - Promise to love us for ever more<br />Adequacy - Couldn't escape if you wanted to<br />Adequacy - Knowing our fate is to be with you<br />Adequacy - Finally facing your 
Waterloo<o:p></o:p></span></p><p class="bparactl" style="border-spacing: 0px; caret-color: rgb(68, 68, 68); font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;"> </span></p><p class="bparactl" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">My my<br />Noyb tried to hold us back, but we were stronger<br />Oh yeah<br />And now it seems your only chance is giving up the fight<br />How could you ever refuse<br />Shouldn’t claim that you win when you lose<br /><br /><o:p></o:p></span></p><p class="bparactl" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Adequacy – We are the ones that will make it clear<br />Adequacy – Saying the words they all want to hear<br />Adequacy – Contracting with us is such a breeze<br />Adequacy – Doing away with SCCs<br />Adequacy - Finally facing your Waterloo<o:p></o:p></span></p><p class="bparactl" style="border-spacing: 0px; caret-color: rgb(68, 68, 68); font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;"> </span></p><p class="bparactl" style="font-family: "times new roman", serif; line-height: 18pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">How could you ever refuse<br />Shouldn’t claim that you win when you lose<br /><br /><o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 12pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 12pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;"> </span></p><p 
class="MsoNormal" style="font-family: "times new roman", serif; line-height: 12pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;">Thank you for the inspiration: Benny Goran Bror Andersson, Stig Anderson, Bjoern K. Ulvaeus, Lo-jung Chen, He Cheng, Yi Jia & John Bowman<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 12pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: "times new roman", serif; line-height: 12pt; margin: 0cm 0cm 0.0001pt;"><span face="Calibri, sans-serif" style="font-size: 11pt;"><br /></span></p></div>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-83741004278065069122020-08-21T07:54:00.008-07:002020-08-25T02:03:23.124-07:00What mixture of leadership styles should a decent data protection officer display?<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkLnyM92LWZdHOmkrIeBxpAd7cn9dqwlkzzkyInhjFBJBpoH6XXz6b9sXoWMAQu3XqBJR-QSsSyeaUQNPITGxk_g8XJrWhDPzZ28ZW_RxLpLaMXQ2JS5ct7kC0MCDaROAQU9tASgoY2i8/s2048/467319533-56a9da1b5f9b58b7d0ff8c9c.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1366" data-original-width="2048" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkLnyM92LWZdHOmkrIeBxpAd7cn9dqwlkzzkyInhjFBJBpoH6XXz6b9sXoWMAQu3XqBJR-QSsSyeaUQNPITGxk_g8XJrWhDPzZ28ZW_RxLpLaMXQ2JS5ct7kC0MCDaROAQU9tASgoY2i8/s640/467319533-56a9da1b5f9b58b7d0ff8c9c.jpg" width="640" /></a></div><p></p><p class="MsoNormal" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; font-family: "times new roman", serif; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; 
letter-spacing: normal; margin: 0cm 0cm 0.0001pt; orphans: auto; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><br /></p><div class="separator" style="clear: both; text-align: left;"><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;">I was recently asked this question and found it hard to answer. It takes a lot to be a decent DPO. So much depends on the culture of the organisation and the resources available to the DPO. Notwithstanding the specific obligations that are set out in Section 4 of the General Data Protection Regulation, I’ve known some that operate as one-man-bands, working in virtual isolation from the rest of the organisation. I’ve known others who manage small and, in some cases, larger teams. I’ve also known privacy professionals who have directed or supported short-lived GDPR privacy transformation project teams that were created purely to help the organisation comply more completely with data protection laws and requirements.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></p><p style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;">The organisational psychologist Heather Bingham has drawn my <a href="https://boostandco.com/seven-leadership-style-covid-19/?utm_campaign=CBILS&utm_medium=Social_Media&utm_source=linkedin_paid&utm_term=cbils" style="color: #954f72;">attention</a> to </span><span style="font-family: Calibri, sans-serif; font-size: 11pt;">a list of common leadership styles that I'll be referring to in this article.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", 
serif; margin: 0cm 0cm 0.0001pt;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;">I’ve known privacy professionals who have failed because they have displayed a toxic mixture of some of these styles. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;">I’ve also known privacy professionals who have felt that they have failed because, when joining a new organisation, they had not adapted what was a winning combination in a previous role to the culture that prevailed within their new organisation.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; padding: 0cm;">Autocratic</span></strong><span style="font-family: Calibri, sans-serif; font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong style="box-sizing: border-box; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; line-height: inherit; outline: none;"><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; font-weight: normal; padding: 0cm;">Some organisations have a very hierarchical and 
deferential culture. Job grade is seen as more important than actual technical knowledge, so the purpose of the DPO may be primarily to reduce quite complicated concepts to simple PowerPoint presentations for more senior people with little technical knowledge to skim read and formally approve whatever recommendations the DPO had drafted. The autocratic DPO may exist because virtually no one else in the organisation has sufficient knowledge of – or interest in – data protection matters, so their decisions will be very rarely challenged. While competent DPOs may have the technical knowledge and experience to make decisions quickly, they can also easily be overwhelmed with requests for advice and support. It’s hard to motivate staff in privacy teams if all the decisions are going to be taken by an autocratic DPO. <o:p></o:p></span></strong></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; font-weight: normal; padding: 0cm;"> </span></strong><b><span style="font-family: Calibri, sans-serif; font-size: 11pt;"><o:p></o:p></span></b></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong style="box-sizing: border-box; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; line-height: inherit; outline: none;"><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; padding: 0cm;">Charismatic</span></strong><span style="font-family: Calibri, sans-serif; font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong style="box-sizing: border-box; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; line-height: 
inherit; outline: none;"><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; font-weight: normal; padding: 0cm;">Great DPOs </span></strong><strong><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; padding: 0cm;"></span></strong><span style="font-family: Calibri, sans-serif; font-size: 11pt;">have vision and can influence and inspire others. This requires a mixture of technical skills and also a willingness to accept a relatively high privacy risk. What advice or action really is appropriate, given the circumstances? It is not always the best approach simply to rely on every piece of advice that is uttered by staff working for data protection supervisory authorities. Regulatory opinions are what they say they are – only opinions. Ultimately, only the courts can determine the true extent of privacy law. This approach requires DPOs to develop their own ethical approach to key issues of the day, and then sell this approach to the organisation. The late comedian Ken Dodd once remarked that he never took his audience for granted. For each performance he felt he needed to start afresh and woo them. The same approach is often adopted by charismatic DPOs. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong style="box-sizing: border-box; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; line-height: inherit; outline: none;"><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; padding: 0cm;">Transformational</span></strong><span style="font-family: Calibri, sans-serif; font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong style="box-sizing: border-box; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; line-height: inherit; outline: none;"><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; font-weight: normal; padding: 0cm;">Some DPOs focus on outcomes. Teams must strive to work harder each year. More Subject Access Requests, for example, must be completed within the statutory time limits. Fewer privacy breaches must be identified. Records of Processing Activities must be regularly audited. A higher proportion of staff must pass the annual privacy learning programme’s knowledge test. Turnarounds for Privacy Impact Assessments must be improved, year on year. The daily grind of privacy work can be relentless, and while privacy metrics might improve, the morale of the staff at the privacy grindstone may not. 
<o:p></o:p></span></strong></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong style="box-sizing: border-box; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; line-height: inherit; outline: none;"><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; padding: 0cm;">Laissez-faire</span></strong><span style="font-family: Calibri, sans-serif; font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong style="box-sizing: border-box; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; line-height: inherit; outline: none;"><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; font-weight: normal; padding: 0cm;">An important way to promote accountability throughout an organisation is to educate and then devolve privacy decisions to others. This gives them an opportunity to better appreciate the privacy consequences of the decisions they take, particularly if they are then required to accept responsibility – and perhaps even apologise personally to those who have suffered as a result of their misjudgements. I’ve found that this approach also gives individuals a greater sense of pride in their daily work and in the decisions they take. 
With effective supervision from the DPO, organisations can develop a strong culture of compliance that stands a good chance of being maintained when said DPO departs for pastures new.<o:p></o:p></span></strong></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; font-weight: normal; padding: 0cm;"> </span></strong><b><span style="font-family: Calibri, sans-serif; font-size: 11pt;"><o:p></o:p></span></b></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong style="box-sizing: border-box; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; line-height: inherit; outline: none;"><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; padding: 0cm;">Transactional</span></strong><span style="font-family: Calibri, sans-serif; font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong style="box-sizing: border-box; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; line-height: inherit; outline: none;"><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; font-weight: normal; padding: 0cm;">I’ve met few privacy staff who have job profiles that are supported by comprehensive operating instructions which explain precisely how each privacy task for which they are responsible should be completed. The absence of comprehensive sets of operating instructions can lead to inconsistencies in approach within privacy teams. 
When Privacy Impact or Privacy Breach Assessments, for example, are carried out by different members of staff, perhaps working in different locations, a lack of clear instructions explaining how to weight particular privacy risks can result in very different sets of privacy recommendations being made. Effective DPOs will ensure that comprehensive manuals exist to safeguard against inconsistent approaches. This approach enables staff to feel more confident that they are doing the right thing when they carry out their privacy tasks. <o:p></o:p></span></strong></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong style="box-sizing: border-box; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; line-height: inherit; outline: none;"><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; padding: 0cm;">Supportive</span></strong><span style="font-family: Calibri, sans-serif; font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;">Many DPOs find the time to coach their colleagues and direct reports, which is often the only way that they are eventually able to offload some of their privacy work to anyone else within the organisation. Nurturing these supportive relationships takes considerable effort, though. It often takes some time for the privacy message to sink in. Some elements of privacy law, including a good few of the technical requirements that are set out in the GDPR, are not easy to comprehend. 
DPOs may also find great value in engaging with support networks created by organisations such as the Data Protection Forum, NADPO and the IAPP KnowledgeNets. There is safety in numbers – or at least safety in appreciating that a DPO’s approach to a particular privacy issue is very similar to that adopted by their professional colleagues. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><strong style="box-sizing: border-box; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; line-height: inherit; outline: none;"><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; padding: 0cm;">Democratic</span></strong><span style="font-family: Calibri, sans-serif; font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="box-sizing: border-box; font-family: "Times New Roman", serif; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant-caps: inherit; margin: 0cm 0cm 0.0001pt; outline: none; vertical-align: baseline;"><strong><span style="border: 1pt none windowtext; font-family: Calibri, sans-serif; font-size: 11pt; font-weight: normal; padding: 0cm;">Some DPOs prefer an inclusive approach, where all the key decisions are taken by committees</span></strong><b><span style="font-family: Calibri, sans-serif; font-size: 11pt;">.</span></b><b><span style="font-family: Calibri, sans-serif; font-size: 11pt;"></span></b><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> A weakness with this approach is that key decisions can be delayed until the issues have been considered by the committee members. 
There is also a risk that other corporate stakeholders, if their personalities are sufficiently strong, can override the reasoned assessments that DPOs make when forming their recommendations. DPOs must always know when to accept that their advice will be ignored. But so long as this has been properly documented, and the advice had correctly interpreted the law, the organisation can’t then lay all the blame on the DPO should a data protection supervisory authority decide to take enforcement action for a privacy transgression that results from the organisation’s failure to act in accordance with the advice.<b><o:p></o:p></b></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;">I’ve also met privacy professionals who are just too tired to care too much about how they perform their day job. The demands placed upon them by their employers, and by virtue of the GDPR, have in some cases been overwhelming. Burnout certainly exists within the privacy profession. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt;"><br /></p><p class="MsoNormal" style="font-family: "times new roman", serif; margin: 0cm 0cm 0.0001pt;"><span face=""></span></p><p class="MsoNormal" style="font-family: "Times New Roman", serif; margin: 0cm 0cm 0.0001pt;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></p></div>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-591517125431453202020-08-19T08:05:00.004-07:002020-08-19T09:48:26.812-07:00International data transfers: an opinion the EDPB (probably) won’t publish<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ_Nw_hezZuh0Zalm6Qx5p6M61M_sc-RGsO-8NJICTnzoLGXmcShsTgZrC2ZrCKNeEloLwNRVpNODYfcUR0Iu4EvVKlZRq8cvwS1M9osGJSCMZahfeFHXs6TO_GDD3L6ZfV5R83cDPt_Y/s978/Screen+Shot+2020-08-19+at+15.01.37.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="627" data-original-width="978" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ_Nw_hezZuh0Zalm6Qx5p6M61M_sc-RGsO-8NJICTnzoLGXmcShsTgZrC2ZrCKNeEloLwNRVpNODYfcUR0Iu4EvVKlZRq8cvwS1M9osGJSCMZahfeFHXs6TO_GDD3L6ZfV5R83cDPt_Y/s640/Screen+Shot+2020-08-19+at+15.01.37.png" width="640" /></a></div><style class="WebKit-mso-list-quirks-style">
</style><p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">One of the consequences of the <a href="https://noyb.eu/files/CJEU/judgment.pdf">Schrems II decision</a> is that EU organisations need to take greater care in determining how best to protect the flows of personal data outside the EU. This means more than just considering whether Standard Contractual Clauses (SCCs) need to be incorporated in the contracts that the data exporters negotiate with the data importers. Historically, most data flows from the EU to non-adequate countries have been safeguarded through the use of SCCs. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">Following the decision, life isn’t as simple as that. The CJEU has said that EU organisations relying on SCCs must also, prior to transferring personal data, evaluate whether there is an “adequate level of protection” for personal data in the importing jurisdiction, and implement additional safeguards if there is not. Data exports must cease when there are no additional safeguards that would ensure an “adequate level of protection.” <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">A non-exhaustive list of elements that should be taken into account by the European Commission (EC) when assessing adequacy is set out in Article 45.2 of the GDPR. Article 45.3 requires each assessment to be regularly reviewed, at least every 4 years. 
Presumably EU exporting organisations should also adopt this approach.<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">This will cause an immense amount of work for each EU exporting organisation. In reality, it is likely that only the largest organisations will have the resources to commission such work, and each organisation could well use different criteria, in addition to the non-exhaustive list of elements set out in Article 45.2, to determine what an “adequate level of protection” actually means in practice. Such work will lead to chaos and inconsistency. This is surely not what the creators of the level EU data protection field had in mind. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">The decision also highlights the role of EU data protection supervisory authorities in assessing, and where necessary suspending or prohibiting data transfers to importing jurisdictions “where they take the view that the SCCs are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means.”<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">Given the role the decision requires the supervisory authorities to play, there will be intense interest in understanding precisely how the European Data Protection Board (EDPB) will encourage the supervisory authorities to adopt a consistent approach across the EU. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">In particular, the EDPB may be asked to publish an opinion which categorises non-EU countries as follows:<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -18pt;"><span style="font-family: inherit;"><!--[if !supportLists]-->1.<span face="" style="font-size: 7pt; font-stretch: normal; line-height: normal;"> </span><!--[endif]-->Countries that provide an adequate level of protection and where additional safeguards are not required;<o:p></o:p></span></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18pt;"><span style="font-family: inherit;"><!--[if !supportLists]-->2.<span face="" style="font-size: 7pt; font-stretch: normal; line-height: normal;"> </span><!--[endif]-->Countries that provide an adequate level of protection when SCCs are put in place;<o:p></o:p></span></p><p class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -18pt;"><span style="font-family: inherit;"><!--[if !supportLists]-->3.<span face="" style="font-size: 7pt; font-stretch: normal; line-height: normal;"> </span><!--[endif]-->Countries that provide an adequate level of protection when SCCs and other specified safeguards are put in place;<o:p></o:p></span></p><p class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -18pt;"><span style="font-family: inherit;"><!--[if !supportLists]-->4.<span face="" style="font-size: 7pt; font-stretch: normal; line-height: normal;"> </span><!--[endif]-->Countries that do not provide an adequate level of protection even when SCCs and other specified safeguards are put in 
place.<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">There are more than 100 countries that have enacted data protection laws. But what work has been commissioned by the EC (or the EDPB or its predecessor body, the Article 29 Working Party) to determine which laws are of an ‘adequate’ standard? In the past 20 years, the EC has managed to reach <a href="https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#:~:text=The%20European%20Commission%20has%20the%20power%20to%20determine%2C,protection.%20The%20adoption%20of%20an%20adequacy%20decision%20involves">adequacy decisions</a> on a pathetically small proportion (perhaps some 15%) of the non-EU countries that have data protection laws: <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;"> 2000 Switzerland<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;"> 2001 Canada<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;"> 2003 Argentina & Guernsey<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;"> 2004 Isle of Man<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;"> 2008 Jersey<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;"> 2010 Andorra & the Faroe Islands <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;"> 2011 Israel <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: 
inherit;"> 2012 New Zealand & Uruguay</span></p><p class="MsoNormal" style="text-indent: 0px;"><span style="font-family: inherit;"><span style="text-indent: -24pt;"><span style="font-size: medium;"> </span></span><span style="font-size: 12pt; text-indent: -24pt;">2019</span><span face="" style="font-size: 7pt; font-stretch: normal; line-height: normal; text-indent: -24pt;"> </span><span style="font-size: 12pt; text-indent: -24pt;">Japan</span><span style="font-size: 12pt; text-indent: -24pt;"> </span></span></p><p class="MsoListParagraph" style="margin-left: 60pt; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -24pt;"><span style="font-family: inherit;"><o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">Almost half of the decisions relate to tiny countries with relatively small volumes of personal data flows: Andorra (population 78,000); Faroe Islands (population 52,000); Guernsey (population 63k); Isle of Man (population 83,000); and Jersey (population 107,000). Work on carrying out assessments of the data protection laws of many of the EC’s key trading partners does not appear to have commenced.<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">Such an opinion would be of immense value to EU organisations in helping them develop a consistent approach to transborder data flows, but it would be political dynamite. Which countries would the EDPB dare describe as not providing an adequate level of protection even when SCCs and other specified safeguards are put in place? Given the international trade repercussions for the EC, it would be a brave decision to put any country into that category. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">But what additional safeguards are necessary to supplement SCCs and when need they be put in place? Given how inflexible so many parts of the GDPR are, it would be surprising that there was not a demand from some stakeholders for new rules to be established to address the privacy risks of the countries that fell within these categories.<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">If it is left to the EDPB to recommend an approach and to categorise non-EU countries as I have suggested, I suspect that political considerations will result in EU organisations waiting a very long time before such an opinion would emerge. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><o:p><span style="font-family: inherit;"> </span></o:p></p><p class="MsoNormal" style="font-size: medium;"><span style="font-family: inherit;">[<b>Image credit</b>: thanks to the <a href="https://www.cnil.fr/en/data-protection-around-the-world">CNIL</a> for their helpful guide to data protection laws around the world. 
Other organisations, such as <a href="https://www.dlapiperdataprotection.com/">DLAPiper</a>, have great on-line resources, too] </span><o:p></o:p></p><p class="MsoNormal" style="font-size: medium;"><br /></p><p class="MsoNormal" style="font-size: medium;"><br /></p><p class="MsoNormal" style="font-size: medium;"><o:p> </o:p></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-66564385188081927062020-08-17T05:14:00.004-07:002020-08-17T05:18:09.907-07:00Data Protection: Where’s the Brexit Privacy Dividend?<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggI9foxJzCu48-uEXNevK3GIsFppEBgof7jeE52XIZSvBuiQV_LnCSx8fKPvvW-mnUoI8VPAvIIWRWie-BYdyycI2_ItapOMLwy1eG44HQ-ArRA39inhh4cyWpSwWpASdZ2aH6KhJApDw/s615/200815+-+European-Union-and-the-Union-flag-sit-on-top-of-a-sand-castle.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="409" data-original-width="615" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggI9foxJzCu48-uEXNevK3GIsFppEBgof7jeE52XIZSvBuiQV_LnCSx8fKPvvW-mnUoI8VPAvIIWRWie-BYdyycI2_ItapOMLwy1eG44HQ-ArRA39inhh4cyWpSwWpASdZ2aH6KhJApDw/s0/200815+-+European-Union-and-the-Union-flag-sit-on-top-of-a-sand-castle.jpg" /></a></div><style class="WebKit-mso-list-quirks-style">
</style><p></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="background-color: white; font-family: calibri, sans-serif; font-size: 11pt;">One of the Government's core objectives throughout the Brexit negotiations has been to respect data protection rights, slash Brussels' red tape and allow the United Kingdom to be a competitive safe haven for businesses all over the world. With that in mind, how could the Government reduce its ties to the EU's 'data protection level playing field' while continuing to maintain a robust and effective data protection regime? <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="background-color: white; font-family: calibri, sans-serif; font-size: 11pt;"><o:p> </o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="background-color: white; font-family: calibri, sans-serif; font-size: 11pt;">If the EU’s ‘level data protection playing field’ means continuing to fully implement all aspects of European data protection law, including all aspects of the two-year-old General Data Protection Regulation (GDPR), then what was the point of Brexit? Is it really necessary for the UK to commit to continue to observe unnecessarily complex rules that so many organisations have struggled with, when so few benefits have been realised? <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="background-color: white; font-family: calibri, sans-serif; font-size: 11pt;"><o:p> </o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" lang="" style="font-family: calibri, sans-serif; font-size: 11pt;">The GDPR is meant to be a ‘living instrument’ – so committing to harmonising to GDPR standards would mean adopting European Data Protection Board (EDPB) decisions (over which the UK will have no say) and EU jurisprudence (ditto) going forward. 
This is a process that would never end.<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="background-color: white; font-family: calibri, sans-serif; font-size: 11pt;"><o:p> </o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="background-color: white; font-family: calibri, sans-serif; font-size: 11pt;">Some UK organisations will inevitably have to follow all the EU’s data protection rules because they will continue to process the personal data of individuals in the EU. But these organisations are likely to form a small minority of the 738,769 data controllers that <a href="https://ico.org.uk/media/about-the-ico/documents/2618021/annual-report-2019-20-v83-certified.pdf">registered</a> to pay data protection fees to the Information Commissioner’s Office (ICO) as at 31 March 2020. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" lang="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">Removing the UK from the decision-making structures of the EDPB and its associated consistency mechanisms should result in the ICO (a) being able to better protect the UK public by reacting much faster to privacy breaches that affect people in the UK as well as those in the EU, and (b) quickly publishing appropriate guidance on matters of public concern. No longer might UK privacy pros feel obliged to wait for the publication of weirdly worded EDPB opinions. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">Removing the UK from the decision-making structures of the EU should also result in the UK Government feeling able to update other privacy legislation, such as the outdated Privacy & Electronic Communications Regulations, without having to delay for years and years until EU countries managed to reach a political consensus on the way ahead. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">The GDPR has had a profound impact on many organisations. Enormous amounts of money have been spent in a belated acknowledgement of, in many cases, decades of under investment on privacy issues. Whether all this money has been spent wisely by the GDPR implementation programmes is quite another matter.<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">Money spent on improving information security controls is always appropriate – and such expenditure should have been made, regardless of the GDPR. But organisations have also, for example, been required to create unknown numbers of ‘Records of Processing,’ many of which are totally useless in terms of providing an organisation with information that is actually relevant to its day-to-day business operations. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">Organisations have also spent many hours working out what legal basis each business process should rely on when personal data is processed. Who would have thought it likely that a supervisory authority would so quickly issue a <a href="https://www.lexology.com/library/detail.aspx?g=0043039d-2cf0-4647-ba26-7a78e53b67bd#:~:text=%E2%82%AC150%2C000%20GDPR%20fine%20for%20wrongly%20using%20%E2%80%9Cconsent%E2%80%9D%20as,European%20Union%20%2C%20United%20Kingdom%20August%209%202019">€150k fine </a>for using a privacy statement that referred to the wrong legal basis? But this has already happened - in Greece. Was such a fine really appropriate? I’ve never met anyone outside the privacy community who thought that privacy statements should include such details in the first place. It isn't easy to explain the concept that the exercise of a particular information right depends on the precise legal basis the organisation relies upon to process personal data. I’m mystified as to why the GDPR deliberately created such a complex web of rights. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">As Lee Bygrave, <em>Professor of Law, Director of the Norwegian Research Centre for Computers and Law, University of Oslo, </em><em><span style="font-style: normal;">recently </span></em><em><a href="https://iapp.org/resources/article/gdpr-at-two-expert-perspectives/"><span style="color: black; font-style: normal;">commented</span></a>:</em>“EU data protection law has taken a byzantine turn … All up, the EU data protection system has become a huge sprawling structure – a Kafkaesque castle full of semantic mazes, winding procedural alleys, subterranean cross-passages and conceptual echo chambers.” <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">Brexit provides the UK with an amazing opportunity to review its current privacy laws and create standards that provide individuals and organisations with robust but simpler, more meaningful, data protection standards. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">Many European data protection opinion formers consider any UK divergence from the strict GDPR regime to be heresy. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">I think it’s worth the effort, though.<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">With the departure of the UK from the EU, the Government should exercise its own margin of appreciation about the extent to which it promotes and protects the ‘fundamental right’ of data protection. Should all aspects of data protection remain a fundamental right? Who, for example, ever thought that data portability should be a fundamental right until it appeared in a GDPR draft?<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">The UK should not feel obliged to embrace the entire EU privacy acquis when, on reflection, parts of some laws do not work as intended, or when some legal interpretations have perverse implications that unnecessarily paint everyone into a corner. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">Consider, for example, the mayhem that has just been caused by the <a href="https://noyb.eu/files/CJEU/judgment.pdf">Schrems II decision</a>. 
The Court of Justice of the European Union took 7 months to review the Advocate General’s non-binding <a href="http://curia.europa.eu/juris/document/document.jsf?text=&docid=221826&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=9056858">opinion</a>. Yet, its final decision failed to provide sufficient practical guidance on precisely what controls are appropriate when personal data is exported from the EU to countries other than the 11 countries that apparently have ‘adequate’ privacy laws. A cursory glance at the immediate reactions published by EU data protection supervisory authorities indicates that, collectively, they haven't yet got a clue as to what to do. Some consulting firms have taken this opportunity to offer their own (untested) solutions to this almighty problem. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">The organisations that export personal data from the EU remain in a legal <a href="https://panopticonblog.com/2020/07/17/further-unhappy-thoughts-on-schrems-ii/#more-3899">limbo</a>. As do the organisations in the USA - and elsewhere - that import the personal data. Evidently, it is their responsibility to assess whether non-EU countries have adequate laws that guarantee appropriate data protection standards. If they don't, additional measures to enhance the protections provided by the EC’s Standard Contractual Clauses (SCCs) must be implemented. 
But what these are, and whether they would be sufficient: well, nobody knows.<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">Who in their right mind would want transborder data flows to be such a difficult issue for so many organisations to deal with? Notwithstanding the decision, which had immediate effect, I predict that almost all European data protection supervisory authorities will exercise a large degree of regulatory forbearance about these data flows for a good few months, or at least until they are provoked by pressure groups such as <a href="https://noyb.eu/en">noyb</a>. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">In future, why should the UK expect UK organisations to continue to use the EC’s SCCs to safeguard transborder data flows? A UK free from the constraints of the GDPR could commend its own set of SCCs for use by UK-established organisations when data was exported from the UK. This set could comprise recommended, rather than mandatory, clauses, allowing the parties a degree of flexibility over what would be agreed. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">In future, why should the UK rely on the EC to determine when or whether SCCs would be appropriate? 
If a test of adequacy needs to be set to determine when the UK SCCs should be used, rather than rely on a country’s membership of the EU or an EC adequacy assessment as the determining factor, the UK could simply recognise the 11 existing adequacy assessments and, in future, allow unimpeded data flows to and from all countries that sign the Council of Europe 108+ convention [<i><span style="background-color: white; background-position: initial initial; background-repeat: initial initial;"><a href="https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/223/signatures">Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data</a>]. </span></i>This approach would not be too heretical, as there are currently only 36 signatories to this convention, and of the EU countries that are also members of the CoE, only Denmark has not yet signed it.<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">One final point. The UK’s data protection supervisory authority is undergoing the fastest expansion in its history. With such expansion should come a greater focus on ensuring that it delivers value for money. It is not an insignificant organisation. However, my Twitter feed doesn’t contain many tweets that praise the ICO’s work. UK data controllers paid registration fees totalling £48.7m to the ICO in <a href="https://ico.org.uk/media/about-the-ico/documents/2618021/annual-report-2019-20-v83-certified.pdf">2018/19</a>, a 24% increase on the previous year. Most may well have had virtually no engagement with any of the ICO’s 768 (720.3 FTE equivalent) staff. 
Only a decade ago, the ICO had just 282 staff and an operating income of £11.3m; its annual <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/250505/0619.pdf">report</a> illustrates how much it achieved even on that budget. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">All UK organisations will, by now, have heard of the GDPR, but how many know enough about privacy laws to be able to explain how fully they comply?<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">And, does it really matter if the majority of them can’t fully comply?<o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="background-color: white; background-position: initial initial; background-repeat: initial initial; font-family: calibri, sans-serif; font-size: 11pt;"><o:p> </o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="background-color: white; font-family: calibri, sans-serif; font-size: 11pt;">Rather than clinging so tightly to the privacy rules that have been embedded within the GDPR, the Government could develop an alternative approach in a post-Brexit world which ensures that: </span><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal"></p><ul style="text-align: left;"><li><span style="font-family: calibri, sans-serif; font-size: 11pt; 
text-indent: -18pt;">people in the UK benefit from robust and effective data protection standards;</span></li><li><span style="font-family: calibri, sans-serif; font-size: 11pt; text-indent: -18pt;">UK organisations can demonstrate that appropriate data protection controls are in place; and </span></li><li><span style="font-family: calibri, sans-serif; font-size: 11pt; text-indent: -18pt;">the ICO delivers regulatory value for the money it spends. </span></li></ul><p></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">Heresy aside, Brexit ought to be capable of providing the UK with a data protection dividend. <o:p></o:p></span></p><p class="MsoNormal" style="font-size: medium;"><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"><br /></span></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-72675845357032112022020-08-17T05:09:00.001-07:002020-08-17T05:19:10.911-07:00Data Protection: Whither the EU’s SCCs …<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivgRg6gbhe9Iq-XMT_VqaM3vzmdyA46UAcDVPeReuq6vUTmFngiyH3IPUXbBjI399VhXCrRzgyMcDsBwt9uf6QUHcd5WSqR18C172lJhIm3YaPjNFG3FMIVMaddmBU1BpNB0c_4Um8Jbs/s784/200817+scc+image.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="123" data-original-width="784" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivgRg6gbhe9Iq-XMT_VqaM3vzmdyA46UAcDVPeReuq6vUTmFngiyH3IPUXbBjI399VhXCrRzgyMcDsBwt9uf6QUHcd5WSqR18C172lJhIm3YaPjNFG3FMIVMaddmBU1BpNB0c_4Um8Jbs/s640/200817+scc+image.png" width="640" /></a></div><p></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 
0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">It is possible that the European Commission will fail to provide the UK with a data protection adequacy assessment by the end of the year. It is also possible that, in the near future, the EU will publish revised sets of <a href="https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en" target="_blank"><span style="border: 1pt none; color: #665ed0; padding: 0cm;">Standard Contractual Clauses</span></a> to replace the existing SCCs in a bold effort to ensure that flows of personal data outside the European Union remain suitably protected.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">So what?<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">If the UK receives an EU adequacy assessment, presumably the UK Government will simply anglicise the new EU SCCs and ask UK organisations to use the new versions for the Non-EU, UK - Rest of the World data flows.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">But, if the UK does not get an EU adequacy assessment, some commentators will suggest that this is the time either to leave the existing SCCs alone, or to adopt a very different approach. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">The Conservative Party won the General Election in December 2019 on the manifesto promise that it would get Brexit done.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">If the point of Brexit is for the UK to remove itself from the <s><span style="border: 1pt none; padding: 0cm;"><span class="msoDel" style="color: red;"><del>straightjacket </del></span></span></s> embrace of the European Union, it is surely now up to the UK to determine for itself what contractual clauses are really necessary, in today’s world, to safeguard personal data flows outside the UK. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">My experience of using SCCs over the past few decades is that few organisations take much, if any, notice of the clauses once they have been incorporated into a data processing contract. They are part of the non-negotiable legal boilerplate text that is slipped into a schedule towards the end of the contract. 
The very few occasions I’ve noted the processor’s lawyers raising an issue with any of the clauses have been the times when they had realised that “my side” had a right to (1) audit “their” processes, or (2) be consulted and provide prior consent to the use of sub-processors. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">What evidence is there that SCCs are of any value? I’ve never been involved in a contractual dispute with a processor that has required the parties to rely on the SCCs to address or resolve an issue. And, in the past 20 years of attending data protection conferences (with the exception of presentations on the never-ending Schrems cases) I’ve never knowingly come across anyone who has.</span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"> <o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">So, if I were to take an evidence-based approach, I would ask why it was necessary for the UK Government to change the existing SCCs, or why it was necessary to have them at all. What evidence is available to justify their existence, or at least to justify their existence in their current form? Why can’t any of the current clauses be capable of being negotiated between the parties on a risk basis? 
Why not give UK data controllers more flexibility?<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Whatever tweaks are proposed by the European Commission will invariably require EU-based organisations to undertake an absolutely enormous repapering exercise. It could take years to complete. Many of my privacy colleagues are only now recovering from the repapering rigmarole that was required to meet the GDPR Article 28 requirements. To expect them to commission a similar exercise so soon is cruel (and costly). <o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">No doubt some EU-based organisations will want to ‘simplify’ their contractual arrangements by requiring contracts with all processors, regardless of whether the underlying personal data is within the scope of the GDPR, to be changed to reflect the new SCCs.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">But why should the UK Government tell UK organisations to follow the EU’s approach if the EU had decided that the UK doesn’t have sufficiently adequate data protection standards in the first place? Would the UK really want to copy a GDPR regime that did not properly respect the UK’s privacy standards? 
<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Isn't there a better approach?<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">I’m looking forward to a passionate debate. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-39737770173187850792020-08-17T05:03:00.001-07:002020-08-17T05:03:27.099-07:00In praise of ... 
the Investigatory Powers Act 2016<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAFWKWTT0eOpuhUMLqNZpgf_tfyT77NrTfofoOgOkgpJkNDirF-TrJH8BlZTGXSY7OEgJwjld82io1NPIl-3jcYl_BAWmqGmoio9OiBK_qFBHiSK1TulkhHNcBhTx0MggLq24poBjoAPM/s412/180817+-+IPA+image.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="327" data-original-width="412" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAFWKWTT0eOpuhUMLqNZpgf_tfyT77NrTfofoOgOkgpJkNDirF-TrJH8BlZTGXSY7OEgJwjld82io1NPIl-3jcYl_BAWmqGmoio9OiBK_qFBHiSK1TulkhHNcBhTx0MggLq24poBjoAPM/s0/180817+-+IPA+image.png" /></a></div><p></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">A number of commentators will assume that, should the UK not receive an adequacy assessment by the European Commission with regard to its data protection standards, a key reason will be the impact of the UK’s Investigatory Powers Act (IPA) which prescribes how UK public authorities obtain personal data for national security and law enforcement purposes. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">I see the IPA as an outstanding example that Governments of all countries should adopt to ensure that public authorities act transparently and put effective mechanisms in place to ensure that human rights are appropriately respected. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">To recap, in 2016 the IPA brought together all the existing covert and overt statutory powers that were then available to enable the UK’s intelligence agencies, police and other investigatory authorities to obtain intelligence and communications data. This included introducing new safeguards in the approval of the use of investigatory powers and created a single independent <a href="https://www.ipco.org.uk/default.aspx?mid=13.11" target="_blank"><span style="border: 1pt none windowtext; color: #665ed0; padding: 0cm;">Investigatory Powers Commissioner</span></a> responsible for oversight.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">In 2019 the Investigatory Powers Commissioner established the Office for Communications Data Authorisation. This body is responsible for safeguarding an individual’s right to privacy under the Human Rights Act 1998. 
It makes independent decisions on whether to grant or refuse communications data requests, ensuring that all requests are lawful, necessary and proportionate.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">In terms of transparency, a great deal of information about how the IPA has worked in practice is available from the annual reports that have been published by the Investigatory Powers Commissioner. The <a href="https://www.ipco.org.uk/docs/IPCO%20Annual%20Report%202017%20Web%20Accessible%20Version%2020190131.pdf" target="_blank"><span style="border: 1pt none windowtext; color: #665ed0; padding: 0cm;">first annual report</span></a>, published in January 2019, was organised into chapters which reflected each of the powers the Commissioner oversaw and (its 129 pages) contained a significant level of detail as to how each of these powers were used. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">The <a href="https://www.ipco.org.uk/docs/IPCO%20Annual%20Report%202018%20final.pdf" target="_blank"><span style="border: 1pt none windowtext; color: #665ed0; padding: 0cm;">second annual report</span></a>, published in March 2020, has a different structure, with chapters on each of the types of organisations that are inspected and (its 138 pages) focused on the key findings from the inspections. This gives a clear sense of the range of issues that impact the different bodies. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Many people will never be satisfied with the way the UK’s intelligence and investigative communities operate. But they should be reassured to some extent by appreciating the great care that is taken by the Commissioner and his staff, including the Judicial Commissioners, to authorise warrants using the ‘double-lock’ method (so decisions made initially by politicians and senior public officials must also be authorised by a judge before the warrant is effected); to conduct regular inspections of the agencies that have been authorised to use investigatory powers; and, when errors are reported, to carry out ad-hoc investigations to determine the root causes. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Additionally, some people may also be reassured through the work that is carried out by the Commissioner’s communications and policy staff, who engage with a wide range of opinion formers to enhance public confidence in the use of investigatory powers and improve understanding of the Commissioner’s independent oversight. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Before the coming into force of the IPA, the Home Office and the UK's intelligence agencies spent much less time engaging with representatives of civil society and other opinion formers. Important lessons were learnt following the failure of the IPA’s predecessor, the Communications Data Bill, to reach the Statute Book and replace the Regulation of Investigatory Powers Act 2000. It was realised that, actually, the Government had a good story to tell about the care it took to respect human rights in the context of exercising powers to obtain communications data. Engagement with stakeholders outside the closed investigative world was something that should not be feared but embraced. Where opinion formers had concerns, these issues should be addressed. With more transparency, and more resources devoted to explaining how transparent the new processes were, the Government would have an even greater story to tell. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">In my experience, no UK intelligence, police or investigations officer has ever wanted to have their reputation traduced by being unfairly accused of trampling over human rights. The Investigatory Powers Act has set out what behaviours are acceptable, and the Commissioner’s annual reports have evidenced compliance with these behaviours. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">As a specialist advisor to the Joint Parliamentary Committees that reviewed both the ill-fated Communications Data Bill in 2012, and the Investigatory Powers Bill in 2016, I’m honoured to have played a small part developing legislation and promoting investigative practices that ought to be the envy of the world.<o:p></o:p></span></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-10036416436601193052020-08-17T04:54:00.002-07:002020-08-17T04:54:26.180-07:00The Schrems II decision – some EU data exporters will face a huge task to work out whether SCCs are sufficient<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglJvODt7PBvfMg6j_aJ2BuN3gD62kw1qHSrh3_ZXK1umHhEZJCwDJGzeV0y058gBDC2b2u3j4IAEOOdkuojQNaMN05BUoRCyY-oB6vs4ESwB3a28zpt7AWerfV7qwIEK41H3Q4WzZjFx0/s651/200817+-+CJEU+decision.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="651" data-original-width="558" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglJvODt7PBvfMg6j_aJ2BuN3gD62kw1qHSrh3_ZXK1umHhEZJCwDJGzeV0y058gBDC2b2u3j4IAEOOdkuojQNaMN05BUoRCyY-oB6vs4ESwB3a28zpt7AWerfV7qwIEK41H3Q4WzZjFx0/s640/200817+-+CJEU+decision.png" /></a></div><p></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Many privacy professionals will be shocked to learn that, in terms of safeguarding personal data flows from an EU to a non-EU country, in the absence 
of an adequacy decision, more is required than simply slipping the right set of SCCs into a vendor contract. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">The CJEU has <a href="https://noyb.eu/files/CJEU/judgment.pdf" target="_blank"><span style="border: 1pt none windowtext; color: #665ed0; padding: 0cm;">clarified</span></a> that one of the key tasks facing data exporters, when considering whether SCCs are appropriate, is to consider whether there is a conflict between the protections afforded by the SCCs and other local laws, particularly those laws that enable public authorities to access the data. If a conflict is discovered, data exporters will need to do something about it. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">The key paragraphs in the decision are: <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><i><span style="border: 1pt none windowtext; font-size: 11pt; padding: 0cm;">Although there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses, there 
are others in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. That is the case, in particular, where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates. [para 126]</span></i><span style="font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><i><span style="border: 1pt none windowtext; font-size: 11pt; padding: 0cm;"><br /></span></i></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><i><span style="border: 1pt none windowtext; font-size: 11pt; padding: 0cm;">In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available…Those safeguards may be provided by standard data protection clauses drawn up by the Commission. However, those [GDPR] provisions do not state that all safeguards must necessarily be provided for in a Commission decision such as the SCC Decision. 
[para 127]</span></i><span style="font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><i><span style="border: 1pt none windowtext; font-size: 11pt; padding: 0cm;"><br /></span></i></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><i><span style="border: 1pt none windowtext; font-size: 11pt; padding: 0cm;">In the absence of a Commission adequacy decision, it is for the controller or processor established in the European Union to provide, inter alia, appropriate safeguards. Recitals 108 and 114 of the GDPR confirm that, where the Commission has not adopted a decision on the adequacy of the level of data protection in a third country, the controller or, where relevant, the processor ‘should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject’ and that ‘those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies ... in the Union or in a third country’. 
[para 131]</span></i><span style="font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><i><span style="border: 1pt none windowtext; font-size: 11pt; padding: 0cm;"><br /></span></i></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><i><span style="border: 1pt none windowtext; font-size: 11pt; padding: 0cm;">The contractual mechanism provided for in … the GDPR is based on the responsibility of the controller or his or her subcontractor established in the European Union and, in the alternative, of the competent supervisory authority. It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses. [para 134]</span></i><span style="font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><i><span style="border: 1pt none windowtext; font-size: 11pt; padding: 0cm;"><br /></span></i></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><i><span style="border: 1pt none windowtext; font-size: 11pt; padding: 0cm;">Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. 
That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data. [para 135]</span></i><span style="font-size: 11pt;"><o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><i><span style="border: 1pt none windowtext; font-size: 11pt; padding: 0cm;"><br /></span></i></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">I recommend 6 steps that privacy officers should take to assure stakeholders that the CJEU’s decision is being respected:<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"></p><ol style="text-align: left;"><li><span style="font-family: Calibri, sans-serif; font-size: 11pt;">Document the data flows so it is clear what data is exported to what country.</span></li><li><span style="font-family: Calibri, sans-serif; font-size: 11pt;">Identify the relevant laws and practices, including national security laws and practices, that permit local law enforcement authorities and other regulators to access the personal data that is processed in those countries.</span></li><li><span style="font-family: Calibri, sans-serif; font-size: 11pt;">Consider how the GDPR rights of in-scope individuals may be adversely impacted by these laws and practices.</span></li><li><span style="font-family: Calibri, sans-serif; font-size: 11pt;">Identify what additional contractual measures would be 
necessary to achieve a level of adequacy with GDPR rights.</span></li><li><span style="font-family: Calibri, sans-serif; font-size: 11pt;">Discuss and agree the additional contractual measures with the data importer.</span></li><li><span style="font-family: Calibri, sans-serif; font-size: 11pt;">Return to step 2 at regular intervals to check whether the laws or practices have changed.</span></li></ol><p></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">From a practical perspective however, the problems start at step 2. It can be hard, when a large number of data importers are engaged, to maintain a list of the relevant laws and practices, including national security laws and practices, that permit local law enforcement authorities and other regulators to access the personal data that is processed in non-EU countries. Will it always be possible to rely on the explanations and assurances provided by third parties, including the data importer, who might possibly have a vested interest in ensuring the correct spin is placed on any explanations they provide about local practices?<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Let’s be clear. The CJEU’s decision does not only affect EU - US data flows. Personal data flows from the EU to just about every other country on the planet. And the majority of these countries will have their own national security and other regulatory laws. 
Official or unofficial English translations of these laws will have to be read and understood.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Unfortunately, life doesn’t get any easier after that.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Turning to step 3, it may well be challenging to document a comprehensive statement which explains how the GDPR rights of in-scope individuals may be adversely impacted by each of these laws and practices. As many organisations may lack the capacity to complete this task themselves, perhaps it could be carried out on their behalf by their trade associations.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">With step 4, it may be even more challenging to identify what additional contractual measures would be necessary to achieve a level of adequacy with GDPR rights. 
Given that even the European Commission’s decisions on what contractual measures are appropriate have been quashed, twice, by the CJEU in the context of the US Safe Harbor & the Privacy Shield data transfer mechanisms, what hope is there for a significantly less-well resourced data controller to successfully identify all the right measures? Is this a task that even individual members of the European Data Protection Board are capable of completing?<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">The difficulty is compounded by the tight timescales that apply to many commercial contract negotiations. Assessments on the impact of the relevant laws in a particular country can’t take months, or years, to complete. If an organisation’s data protection team is unable to provide their contract negotiators with appropriate information and support within a matter of days or weeks, there’s a real risk that any advice from the data protection team will be ignored. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">On the matter of reaching agreement on any additional controls that should be applied to the data importer, where do you start? Given the poor understanding by many organisations of the context within which SCCs are currently used, it would be a brave commentator to forecast that it would be easy, or even practicable, to agree any additional contractual measures. 
This may particularly be the case when the data importer had not yet found it necessary to accept any new clauses to supplement the SCCs in contracts that importer had signed with other EU data exporters.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Alternatively, organisations might revisit their rationale for relying on SCCs in the first place, rather than any of the other complex data transfer mechanisms that are set out in Chapter 5 of the GDPR.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">However, we are where we are. European data protection standards are high – and for a good reason. European politicians demanded a gold standard and that is what exists. In theory, anyway. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">The CJEU’s decision has moved a large number of contracts into a data protection wilderness. Precisely how many are there? Which can be remediated? If so, how? By when? 
And how active will the supervisory authorities be in requiring organisations to address this issue?<o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">The peak summer holiday season has started. Even so, I hope that European data protection supervisory authorities will soon reach a common agreement on what the decision means, and explain how they expect, or will help, organisations to address privacy gaps that many thought the SCCs alone existed to fill. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-family: "Times New Roman", serif;"> </span></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-6068242697206250762020-08-17T04:41:00.002-07:002020-08-17T04:44:59.751-07:00Privacy Shield shafted – but do SCCs really deliver better privacy protections?<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLMiFv9RAEPccn1BzIRCVQdGkYbunazprAuTYEql3r0RqSkoJm8dtUXshyJAKWPEZVlwsRsIwc_4mNPmtH3ZYSGAoQ2MfPberUOk-i9OpWgyNPge6Jiq3vBiF_G5ps07xCgHpeIPl9Kow/s651/200817+-+CJEU+decision.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="651" data-original-width="558" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLMiFv9RAEPccn1BzIRCVQdGkYbunazprAuTYEql3r0RqSkoJm8dtUXshyJAKWPEZVlwsRsIwc_4mNPmtH3ZYSGAoQ2MfPberUOk-i9OpWgyNPge6Jiq3vBiF_G5ps07xCgHpeIPl9Kow/s640/200817+-+CJEU+decision.png" /></a></div><p></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 
0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Here we go again.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">The compulsory Sunday morning church services for all Anglicans at my boarding school served as an opportunity for The Reverend James Culross, (or Druid, as we boys affectionately called him), to churn out stuff from the Book of Common Prayer. It was stuff designed to cleanse our souls and provide us with helpful words of comfort, to prepare us for the horrors that would be inflicted upon each and every one of us during the school week ahead. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Was I, or were my school tormentors, better Christians at the end of each service? </span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">I think not. 
</span><span style="font-size: 11pt;">But we had all heard and we had all recited the required words, and that was evidently what mattered.</span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">A couple of years into my boarding school experience, Druid updated the format of the Sunday service. The language was slightly more modern, and (most importantly) the Sunday sermon was shortened to 10 minutes.</span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"> <o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">But was I, or were my school tormentors, better Christians as a result of the revised format? </span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">I think not. 
</span><span style="font-size: 11pt;">But, again, we had all heard and we had all recited the required words, and that was evidently what mattered.</span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">So, with that in mind, what are we to do with the CJEU’s <a href="https://noyb.eu/files/CJEU/judgment.pdf" target="_blank"><span style="border: 1pt none; color: #665ed0; padding: 0cm;">decision</span></a>, published today?<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">Presumably, most of the companies that have used the Privacy Shield will decide to adopt the SCC approach. Then, they can wait nervously for the European Commission to tweak the texts of the SCCs, and embark on another repapering exercise. Also, they can wait, perhaps less nervously, for some European organisations (or European data protection supervisory authorities) to decide that, in data protection terms, transfers to the USA are a lost cause because the recipients can’t offer sufficient guarantees. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">But will these companies, when religiously adopting the new SCC language, really deliver better data protection protections for the individuals whose data is in scope? I think not. But they will be using all the right words in their contracts, and that, to many people, is evidently what matters.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">I doubt whether a shift from the Privacy Shield to the SCCs will fundamentally change the protections that are afforded to the relevant individuals. To be honest, I’ve not dealt with many companies that have relied on the Privacy Shield. But my experience of using SCCs to address the privacy risks associated with transborder data flows over the past two decades is that, in practical terms, they do little to protect privacy standards. I’ve found that:<o:p></o:p></span></p><p class="MsoNormal" style="margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"></p><ol style="text-align: left;"><li><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">Few organisations have staff who have much (if any) experience in knowing what SCCs are and when they should be used. </span></li><li><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">It can be challenging to reach agreement with the other party on the role they play when they use “my organisation’s” personal data. 
To what extent are they a processor, a controller, or are they a combination of the two? Answering this question incorrectly leads to the wrong set of SCCs being used. </span></li><li><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> </span><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">It can be challenging to determine whether there is a meaningful transfer of personal data in the first place (i.e. one that would require SCCs). The other organisation may be collecting personal data in a manner that would not trigger the requirement to use SCCs.</span></li><li><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">Different views exist on whether enough personal data is in scope to trigger the requirement to use SCCs in particular cases.</span></li><li><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;">It can be unclear as to who is accountable should a risk-based decision be taken not to use the relevant set of SCCs. It could be a range of people, including the person who owns the relationship with the third party, the contracts manager, the lawyer, the head of compliance or the privacy officer. </span></li><li><span face="" style="font-family: calibri, sans-serif; font-size: 11pt;"> Once the contracts have been signed and stored in a safe place, accessible to just a few key staff, most people don’t actually realise that they contain SCCs.</span></li></ol><p></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">The outcome of today’s decision is that lots of privacy professionals will have lots to think about in the months ahead. Battalions of consultants will help organisations find the right contracts and change the words. Legal and privacy budgets will either soar or be stretched to deprioritise other privacy work. 
<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">However, as I’ve asked before, and might well ask again, will a shift from the Privacy Shield to the SCCs result in organisations delivering better data protection protections for anyone? <o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">I think not. <o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"><br /></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;">But, these organisations will be using all the right words in their contracts, and that, to many people, is evidently what matters.<o:p></o:p></span></p><p class="MsoNormal" style="font-family: calibri, sans-serif; margin: 0cm 0cm 0.0001pt; vertical-align: baseline;"><span style="font-size: 11pt;"> </span></p>Martin Hoskinshttp://www.blogger.com/profile/01303323397666762350noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-40468432013789604012018-07-01T05:19:00.001-07:002018-07-01T05:55:43.430-07:00Warm words for the UK's intelligence privacy practices from the UN<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit0sf5j2Mkn_91WyCejmatals_D2Qz2OYcqAdq1y394viDsucxIAdbCxJQS6SLXU14L3eJSa0hggDanM1bBD2bngxncnmATB_ufdEz-sHeSv0pL7gKkyiPLzw0om1ynCRzT-0k1HenNm6A/s1600/Screen+Shot+2018-07-01+at+12.16.34.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="431" data-original-width="1007" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit0sf5j2Mkn_91WyCejmatals_D2Qz2OYcqAdq1y394viDsucxIAdbCxJQS6SLXU14L3eJSa0hggDanM1bBD2bngxncnmATB_ufdEz-sHeSv0pL7gKkyiPLzw0om1ynCRzT-0k1HenNm6A/s320/Screen+Shot+2018-07-01+at+12.16.34.png" width="320" /></a></div>
<div class="MsoNormal" style="line-height: 18.399999618530273px; margin: 0cm 0cm 0.0001pt;">
<div class="MsoNormal" style="font-family: Cambria; line-height: 13.8pt; margin: 0cm 0cm 0.0001pt;">
<span lang="EN-US" style="font-family: "helvetica neue"; font-size: 11pt;">I</span><span lang="EN-US" style="font-family: "helvetica neue"; font-size: 10pt;">t’s not often that the UK is praised for the manner in which its intelligence agencies adopt appropriate data protection standards. So let's give due acknowledgement to </span><span style="font-family: "helvetica neue"; font-size: 10pt;">Joe Cannataci, the UN’s Special Rapporteur on the right to privacy, who has recently used some very warm words to <a href="https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=23297&LangID=E"><span style="color: windowtext;">comment </span></a>on these privacy practices. </span><span style="font-family: "trebuchet ms"; font-size: 10pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="font-family: Cambria; line-height: 13.8pt; margin: 0cm 0cm 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="font-family: Cambria; line-height: 13.8pt; margin: 0cm 0cm 0.0001pt;">
<span style="font-family: "helvetica neue"; font-size: 10pt;">Of the Investigatory Powers Act, he proclaimed: <i>"I am satisfied that the UK systematically employs multiple safeguards which go to great lengths to ensure that unauthorised surveillance does not take place, and that when authorization is sought it is granted only after the necessity and proportionality of the surveillance measures are justified on a case-by-case basis ... Moreover from a UN perspective, I am greatly encouraged that the UK has translated its commitment to human rights globally into procedures which do not discriminate between UK citizens and non-UK citizens when it comes to safeguards and remedies available." </i>And: <i>"While the new set-up may still contain a number of imperfections, the UK has now equipped itself with a legal framework and significant resources designed to protect privacy without compromising security." </i></span><br />
<span style="font-family: "helvetica neue"; font-size: 10pt;"><br /></span></div>
<div class="MsoNormal" style="font-family: Cambria; line-height: 13.8pt; margin: 0cm 0cm 0.0001pt;">
<span lang="EN-US" style="font-family: "helvetica neue"; font-size: 10pt;">Of course nothing is ever perfect, so of course he recommended additional improvements. Why? Principally because he was not confident that the UK’s system could be replicated in other countries <i>"where the culture may be different and not sufficiently robust in key aspects such as judicial integrity."</i> </span></div>
<div class="MsoNormal" style="font-family: Cambria; line-height: 13.8pt; margin: 0cm 0cm 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="font-family: Cambria; line-height: 13.8pt; margin: 0cm 0cm 0.0001pt;">
<span style="background-color: white; font-family: "helvetica neue"; font-size: 10pt;">Mr </span><span style="font-family: "helvetica neue"; font-size: 10pt;">Cannataci’s intervention at this stage is timely as it provides helpful briefing material for those who will need to argue that, come Brexit, the UK’s data protection standards are essentially equivalent to those of the EU, and that, therefore, the data flows between the UK and the EU should be permitted to continue without the need for additional protections in the guise of mostly incomprehensible (and stomach churning) data processing contracts. </span><span style="font-family: "trebuchet ms"; font-size: 10pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="font-family: Cambria; line-height: 13.8pt; margin: 0cm 0cm 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="font-family: Cambria; line-height: 13.8pt; margin: 0cm 0cm 12pt;">
<span style="font-family: "helvetica neue"; font-size: 10pt;">Given that Mr Cannataci acknowledges that only "a tiny minority of EU states ... have made a successful effort to update their legislative and oversight frameworks dealing with surveillance," I say that, overall, and certainly in the areas where it really matters, the UK's data protection controls are actually better than those that exist in other EU countries. </span><br />
<span style="font-family: "helvetica neue"; font-size: 10pt;"><span style="background-color: white; background-position: initial initial; background-repeat: initial initial;"><br /></span></span>
<span style="font-family: "helvetica neue"; font-size: 10pt;"><span style="background-color: white; background-position: initial initial; background-repeat: initial initial;">Reference:</span></span><br />
<span style="font-family: "helvetica neue"; font-size: 10pt;"><span style="background-color: white; background-position: initial initial; background-repeat: initial initial;">https://www.ohchr.org.uk/EN/NewsEvents/Pages?DisplayNews.aspx?NewsID+23297&LangID=E</span></span><br />
</div>
</div>
Data Protectorhttp://www.blogger.com/profile/15057767713049545333noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-25190689944097550542018-07-01T02:59:00.000-07:002018-07-01T03:17:53.882-07:00Resuming the blog<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhumuMvYtUMNVcGTRcdT955F1J7nM0KZFK49yzGjxpmSTuoLi0CIS9oRafbGkuWq3GQ2t515BErOGCc183ehnoPjD7h4ObSCYoldP1kFyLUCaUhRpCOeDVmAJZBDrqRNcZ31_x1a-eV9mJ5/s1600/Admire-your-paper-quill-Step-8.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1072" data-original-width="1600" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhumuMvYtUMNVcGTRcdT955F1J7nM0KZFK49yzGjxpmSTuoLi0CIS9oRafbGkuWq3GQ2t515BErOGCc183ehnoPjD7h4ObSCYoldP1kFyLUCaUhRpCOeDVmAJZBDrqRNcZ31_x1a-eV9mJ5/s320/Admire-your-paper-quill-Step-8.jpg" width="320" /></a></div>
Time to start blogging again. Data Protectorhttp://www.blogger.com/profile/15057767713049545333noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-76722160369936612442017-11-26T14:38:00.000-08:002017-11-26T14:40:46.199-08:00In praise of ... Elizabeth Stafford<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5L9dPv7gQOnmgFXaYTxblGQBXKASqXDxUwh6tMM5jRIuD9dhLG0Lxlo5tvQLq3RQU4Dgk6BZZpRukuQdWPykzhlty50lDSUjDUEXZlh3RKxIgmkgZsN5AR7mwoXDtwYFddr9ADhamQguw/s1600/Screen+Shot+2017-11-26+at+22.39.38.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="175" data-original-width="351" height="159" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5L9dPv7gQOnmgFXaYTxblGQBXKASqXDxUwh6tMM5jRIuD9dhLG0Lxlo5tvQLq3RQU4Dgk6BZZpRukuQdWPykzhlty50lDSUjDUEXZlh3RKxIgmkgZsN5AR7mwoXDtwYFddr9ADhamQguw/s320/Screen+Shot+2017-11-26+at+22.39.38.png" width="320" /></a></div>
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">Many of even the most dedicated members of the UK’s data
protection fraternity may not have heard of Elizabeth Stafford.<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">And that’s a shame.<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">Why?<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">Because she, along with a small band of colleagues in the
Department of Digital, Culture, Media & Sport are doing great things.<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">How?<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">Because, as Head of EU Data Flows, not only is she working on
ensuring UK businesses can rely on unencumbered data flows between the UK and
the EU post Brexit, she’s also one of the key DDCMS officials working hard
behind the scenes to fashion a new set of Privacy & Electronic
Communications Regulations that are truly fit for purpose.<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">Whether she will succeed is another matter – after all, with
regard to the PECR deliberations, the UK delegation is just one of the talking
heads around an extremely large negotiating table. 28 very different EU Member
States need to reach an agreement as to what the real problems are, and
therefore what proper solutions should be developed. <o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">What I am certain of is that she understands the issues that
occupy the minds of the British stakeholders in these debates.<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">And, in her patient, pragmatic and insightful manner, she has
explained the key issues to the DDCMS decision makers, and has helped develop
policy positions which, as far as I can judge, reflect the requirements of most
sensible data controllers within the UK.<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">Whether the DDCMS will be able to “sell” pragmatic British PECR solutions
to a majority of the other 28 Member States around the table is an entirely
different matter.<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">But it might not matter.<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">By the time the European institutions will have reached agreement
on the precise form of the new PECR regulations and the precise date that the
new rules will come into force, Brexit could have happened and the UK will have
left the EU.<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">And then, UK policymakers will be faced with a choice.<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">Should they follow all the new PECR rules, or should they reserve
the right to adopt a different approach?<o:p></o:p></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">While I’ve no idea what the final decisions will be (nor, who will
actually be the DDCMS minister who will have to recommend said decisions to the
Cabinet), I’ve no doubt that the UK will have developed a series of pragmatic
options that will have been shaped by the great policy work that Elizabeth has
recently been heading.<span class="apple-converted-space"> <o:p></o:p></span></span></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<span style="color: black; font-family: "calibri"; font-size: 11.0pt;">So, Elizabeth, you almost certainly won’t get a gong for your
great work - nor, any other form of official recognition, for that matter - but
please be assured that there is a small band of privacy folk that do appreciate
what you’re working to achieve.<o:p></o:p></span></div>
<br />
<div class="ox-f5023e25a7-msonormal" style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
Data Protectorhttp://www.blogger.com/profile/15057767713049545333noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-41588063299022659392017-10-29T08:06:00.001-07:002017-10-29T08:26:12.131-07:00Briefing paper to Peers in advance of the Committee Stage of the Data Protection Bill in the House of Lords [30 October 2017]<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc9DH8VU1nSyiep1wk8fDT3-caqcDBJeXJi_1NCHWJyTnd9dBukAEf06oL7BTNMm32uls2fNtqMRFW7FMGo4ohoBYKTtGuI6RYPGQ2UuzvAFLpk3EkulzQ52-W8v8mSneFGZui7lVNMHeF/s1600/160211+-+PArliament+.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="287" data-original-width="668" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc9DH8VU1nSyiep1wk8fDT3-caqcDBJeXJi_1NCHWJyTnd9dBukAEf06oL7BTNMm32uls2fNtqMRFW7FMGo4ohoBYKTtGuI6RYPGQ2UuzvAFLpk3EkulzQ52-W8v8mSneFGZui7lVNMHeF/s320/160211+-+PArliament+.png" width="320" /></a></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">Your
Lordships<o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">This
bill has been eagerly awaited by data protection professionals, whose careers
depend on its successful passage.<o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">Please
don’t worry too much that the bill is so very hard to understand. It's the
Government’s way of ensuring that a select band of privacy professionals will
be offered very significant salaries to decipher its contents and recommend
ways of complying with the key provisions.<o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">The
General Data Protection Regulation, which this Bill aims to complement, but
dare not copy out, was also a wasted opportunity to develop laws that the majority
of those who were to be affected by them might understand. <o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">Its
complexity will also fuel countless debates over the coming years in obscure
(data protection-related) internet chat rooms over precisely what the text
means, and whether data protection regulators (in the UK’s case, it’s the
Information Commissioner) have (a) agreed with their view and (b) bothered to
embark on any enforcement action against those that disagree with their view.<o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">Many
organisations will not realise just how the legislation affects them, so they
will not take steps to develop or improve their data protection practices. To
be frank, most organisations I know will not be able to comply with all the
requirements even by the end of 2018, even if they’ve already commenced their
compliance programme. </span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">And, with regard to those that have not commenced their
preparations yet, even if their management were to take the decision today that
they should take steps to comply, there’s no way that they could meet the May
2018 deadline (the date when regulators are able to commence enforcement action
against offenders). This is because the vast majority of experienced data
protection professionals (those that have a reasonable understanding of the
requirements) are already fully engaged with other clients. <o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">Regardless
of what amendments are accepted today, in a few months’ time the focus will move
from what the statute will say to how it will be enforced. The legislation in
itself is unlikely to influence to a significant extent how many data controllers
will change their current behaviours. <o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">What
will really matter is what guidance will be issued by the ICO, and what
enforcement action will be taken against the miscreants. <o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">Just
as the value of an investment can rise or fall, the fact that the ICO has been
seen by many data protection professionals as a pragmatic, open and engaged
regulator in the past does not guarantee that it will continue to adopt a
pragmatic and engaged stance in the future. The personality of the person
occupying the post of Information Commissioner will be key, as will the
resources that are available to the ICO to meet the demands that will be placed
on it.<o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">Using
a phrase adopted by a previous Information Commissioner, the ICO has, in the
past, aimed to be selective to be effective. Whether, in times of extreme
public sector cuts, it can continue to recruit and retain the right calibre of
staff to enable it to continue to be as effective is an open question. In the
short term, I doubt it. <o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">If
the new legislation is to have much credibility, it needs to be enforced. It is
my hope that the legislation will be enforced, because that will highlight the
fault lines that exist. It will expose the difficulty that so many
organisations will have in evidencing how they comply with all aspects of the
law. It will clarify the areas where compliance is unduly burdensome and, in
most respects, a practical impossibility. <o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">Because
it is only when the faults in this bill are exposed that a coherent business
case will be developed to replace it with proposals that are far fitter for
purpose.<o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">The
UK has passed data protection legislation in 1984, and 1998, and it will do so
again in 2018. <o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">I
would not be surprised to see another Data Protection Bill before Parliament by
2024.<o:p></o:p></span></div>
<div style="background-position: initial initial; background-repeat: initial initial; margin: 0cm 0cm 7.5pt;">
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10.5pt;">….<o:p></o:p></span></div>
Data Protectorhttp://www.blogger.com/profile/15057767713049545333noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-4058032027049386112017-10-11T13:47:00.000-07:002017-10-11T13:47:31.158-07:00The debate on the Data Protection Bill in the House of Lords<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc9DH8VU1nSyiep1wk8fDT3-caqcDBJeXJi_1NCHWJyTnd9dBukAEf06oL7BTNMm32uls2fNtqMRFW7FMGo4ohoBYKTtGuI6RYPGQ2UuzvAFLpk3EkulzQ52-W8v8mSneFGZui7lVNMHeF/s1600/160211+-+PArliament+.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="287" data-original-width="668" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc9DH8VU1nSyiep1wk8fDT3-caqcDBJeXJi_1NCHWJyTnd9dBukAEf06oL7BTNMm32uls2fNtqMRFW7FMGo4ohoBYKTtGuI6RYPGQ2UuzvAFLpk3EkulzQ52-W8v8mSneFGZui7lVNMHeF/s320/160211+-+PArliament+.png" width="320" /></a></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">What follows below is an edited version of the
debate in the House of Lords of the Second Reading of the Data Protection
Bill,<span style="mso-spacerun: yes;"> </span>held on 10 October.<span style="mso-spacerun: yes;"> </span>Colleagues that prefer not to read the entire
(46,709 word) transcript of the 5 hour debate will get an impression of the key
interventions in this (16,000 word) summary:<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=4247" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">The Parliamentary Under-Secretary of
State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde)
(Con)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> </span><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"><o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">My Lords, I am delighted to be moving the Second
Reading today.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">New technologies have started innumerable
economic revolutions, and the pace of change continues to accelerate. Data is
not just a resource for better marketing, better service and delivery. Data is
used to build products themselves. It has become a cliché that data is the new
oil.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">In our manifesto at the general election we
committed to provide people with the ability to require major social media
platforms to delete information held about them, especially when that
information related to their childhood. The new right to be forgotten will
allow children to enjoy their childhood without having every personal event,
achievement, failure, antic or prank that they posted online to be digitally
recorded for ever more. Of course, as new rights like this are created, the
Bill will ensure that they cannot be taken too far. It will ensure that
libraries can continue to archive material, that journalists can continue to
enjoy the freedoms that we cherish in this country, and that the criminal
justice system can continue to keep us safe.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The new right to data portability—also a
manifesto commitment—should bring significant economic benefits. This will
allow individuals to transfer data from one place to another. When a consumer
wants to move to a new energy supplier, they should be able to take their usage
history with them rather than guess and pay over the odds. When we do the
weekly supermarket shop online, we should be able to move our shopping list
electronically. In the digital world that we are building, these are not just
nice-to-haves; they are the changes that will drive innovation and quality, and
keep our economy competitive.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The Bill will amend our law to bring us these
new rights and will support businesses and others through the changes. We want
businesses to ensure that their customers and future customers have consented
to having their personal data processed, but we also need to ensure that the
enormous potential for new data rights and freedoms does not open us up to new
threats. Banks must still be allowed to process data to prevent fraud;
regulators must still be allowed to process data to investigate malpractice and
corruption; sports governing bodies must be allowed to process data to keep the
cheats out; and journalists must still be able to investigate scandal and
malpractice. The Bill, borrowing heavily from the Data Protection Act that has
served us so well, will ensure that essential data processing can continue.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Noble Lords will be familiar with the role of
the Information Commissioner, whose role is to uphold information rights in the
public interest, promoting openness by public bodies and data privacy for
individuals. The Bill provides for her to continue to provide independent
oversight, supervising our systems of data protection, but we are also
significantly enhancing her powers. Where the Information Commissioner gives
notices to data controllers, she can now secure compliance, with the power to
issue substantial administrative penalties of up to 4% of global turnover. Where
she finds criminality, she can prosecute.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=4175" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Lord Stevenson of Balmacara (Lab)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I congratulate the Bill team on the excellence
of the paperwork that we have received—I am sure everybody has read it, word
for word, all the way through; it is worth it. They are obviously ahead early
in the “Bill team of the year” stakes, a prize which they won easily last time
on the Digital Economy Bill, and they are building on that.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">This is a tricky Bill to get hold of, first
because of its size and volume. It is a bulky package and it is not even
complete because we are told to expect a large number of amendments still being
processed and not yet available which may—who knows?—change it substantially.
Even without that, it has 300 paragraphs and 18 schedules, one of which
helpfully signposts the way that the Government intend to make changes to the
Bill so that the GDPR becomes domestic law when we leave the EU, even though
the amendments to make that happen will actually be made by secondary
legislation. This is “Hamlet” without the prince.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The GDPR itself, which runs to 98 paragraphs—or
articles, as it calls them—and which will be the new data-processing law that
comes into force in May 2018 whether or not we in Parliament have agreed it, is
not actually printed in the Bill. That therefore raises the concern that—post
Brexit, courtesy of another, separate Bill, probably by secondary legislation—the
regulations will become UK law without ever having been scrutinised by either
House of Parliament. I wonder if other noble Lords share my feeling that this
is a bad precedent and, if so, what we might do about it. I suspect that this
decision might have made sense were we to stay in the EU but we are going to
leave, so there is a gap in our procedures here. That is compounded by the fact
that this is a Lords starter Bill that comes to us without the benefit of
consideration in the other place, and particularly without the usual
evidence-taking sessions that ensure that a Bill meets the needs of those
affected by it.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I have a suggestion: could the authorities look
carefully at the Bill and at the GDPR in its printed form and arrange for that
committee to bring forward either a report or simply a testimony about what the
GDPR contains, how it is reflected in the Bill and how it works? It would help
the House to do the job that we ought to be doing of scrutinising this
legislation. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">In his opening remarks, the Minister said all
the right things about the Government’s commitment to unhindered and
uninterrupted flows of data post Brexit, but the Bill comprehensively fails to
set out how they plan to deliver that outcome. Worse, it may contain measures
in Parts 3 and 4 that make it impossible to achieve the “adequacy” agreement,
which is the only card that they have left to play post Brexit. You could not
make it up.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Some 43% of EU tech companies are based in the
UK and 75% of the UK’s data transfers are with EU member states. Even if the
Bill successfully aligns UK law with the EU data protection framework as at 25
May 2018, that does not mean that the Bill makes proper provision for the
future. On the UK’s exit from the EU, the UK will need to satisfy the European
Commission that our legislative framework ensures an “adequate level of
protection”, but achieving a positive adequacy decision for the UK is not as
uncontentious as the Government think. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">On more concrete issues about the rights of data
subjects, we have a number of issues to pursue, although today I shall
concentrate on only three: children and the “age of consent”, the rights of
data subjects in relation to third-party use of their data, and the proper
representation of data subjects. I shall end with some thoughts on the Leveson
report and its implications for this Bill.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The Bill proposes to set the age at which
children can consent to the processing of their data through “information
society services” which include websites and social media platforms at 13
years. That is a surprising decision and no credible evidence has been adduced
to support it. Understandably, there is much concern about this low age limit,
particularly as the general data protection regulation gives discretion in a
range up to 16 years of age. Last month, the Children’s Commissioner for
England said:<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“The social media giants have … not done enough
to make children aware of what they are signing up to when they install an app
or open an account”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">These are often the first contracts a child
signs in their life, yet,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“terms and conditions are impenetrable, even to
most adults”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I think we can all say “Hear, hear” to that. The
commissioner also said:<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“Children have absolutely no idea that they are
giving away the right to privacy or the ownership of their data or the material
they post online”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Setting an age limit of 13, or even 16, would
almost certainly be illegal under the UN Convention on the Rights of the Child,
to which the UK is a signatory. Perhaps the Government could respond on that
point.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The Children’s Society argues that if companies
continue to rely on their current practices—whereby they allow only over-13s to
have an account but have no age verification process to check that children who
are consenting are the age they state themselves to be—then there will continue
to be widespread breaches of both the companies’ own rules and this new Data
Protection Act. In the Bill, it is unclear how breaches will be handled by the
Information Commissioner and what penalties will be put in place for those
companies failing to verify age properly.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">There is also no consideration in the Bill about
capacity, rather than simply age, or protection for vulnerable children.
Although there are arguments for setting the age limit higher—or indeed
lower—there is surely a need both for proper evidence to be gathered and for a
minimum requirement for companies to have robust age verification systems and
other safeguards in place before any such legislation is passed. We will pursue
that. There is also the question of the overlap this derogation has with the
right to be forgotten, which the Minister mentioned. That right kicks in only
at age 18; we need to probe why that is the case and how that will work in
practice.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Concern about the increasing use of algorithms
and automatic data processing needs to be addressed, perhaps requiring
recording, testing and some level of disclosure about the use of algorithms and
data analysis, particularly when algorithms might affect employment or are
used in a public policy context. Related to that is the question of the
restriction on data subjects’ rights in relation to processing data contained
in documents relating to criminal investigations. Here, we agree with the Information
Commissioner that the provision, as drafted, restricts not just access rights
but the right to rectification, the right to erasure and the restriction of
processing. We welcome greater clarification on the policy intent behind this
as we go into Committee.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">We welcome the Government’s proposal for an
offence of knowingly or recklessly re-identifying de-identified personal data
without the data controller’s consent. The rapid evolution of technology and
growth in the digital economy has led to a vast increase in the availability
and value of data. There is a clear need for robust safeguards against misuse
in this area.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">On representation, we welcome the provision in
article 80(1) of the GDPR which gives greater ability for civil society and
other representative bodies to act on behalf of citizens and mirrors consumer
rights in goods and services. However, article 80(2) contains a provision that
the Government have chosen not to implement, under which consumer groups that
operate in the privacy field can act on behalf of data subjects without a
particular complainant. We think that this super-complainant system would help
to protect anonymity and create a stronger enforcement framework. We know we
are supported in that belief by the Information Commissioner.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The wider question here is perhaps whether data
subjects in general, particularly vulnerable ones, have sufficient support in
relation to the power of media companies that want access and use their data.
Does any of us know what really happens to our data? The Information
Commissioner’s Office already has a huge area of work to cover and may struggle
to cover all its new responsibilities. Having a better system for dealing with
complaints submitted by civil society bodies may be a good first step, but I
wonder whether we might think harder about how this will be organised—perhaps
modelled on the Caldicott data guidelines.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I give notice that we will probe whether the
Government intend to implement amendments previously made to Section 55 of the
Data Protection Act by virtue of Section 77 of the Criminal Justice and
Immigration Act 2008, which would allow terms of imprisonment of up to two
years to be imposed for offences of unlawfully obtaining disclosure of personal
data. As the Information Commissioner has previously noted, this has much wider
application than just to the press, because there is an increasing number of
cases of blagging and unauthorised use of personal data which must be stopped.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The Government have set themselves a very tight
timetable to pass this Bill into law before the end of April 2018. We will
support the main principles of the Bill, but, as indicated above, many areas
need to be scrutinised in depth before we can agree to them. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=919" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Lord McNally (LD)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">It is clear that the Brexit decision and
timetable will cast a long shadow as we debate the Bill. The Information
Commissioner, Elizabeth Denham, has already warned that data adequacy status
with the EU will be difficult to achieve within the Government’s Brexit
timetable and a major obstacle has been erected by the Government themselves.
The European withdrawal Bill makes it clear that the EU Charter of Fundamental
Rights will not become part of UK law as part of the replication process, yet
Article 8 of the charter relating to personal data underpins the GDPR. How then
will we secure adequacy without adhering to the charter?<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">While referring to the Information Commissioner,
I put on record our view that the Information Commissioner’s Office must
continue to be adequately funded and staffed during this period of great
uncertainty. The biggest change since our debates on the Data Protection Act
1998, or even the early stages of the GDPR, which I was involved in as a
Minister at the MoJ from 2010 to 2013, is that the threat to civil liberties
and personal freedoms now comes not only from agencies of the state but from
corporate power as well.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">We have become accustomed to the idea that some
financial institutions are too big to fail. Are we approaching a situation
where these global tech giants are too big to regulate? We have to devise
legislation and have the political courage to bring the global tech giants within
the compass of the rule of law.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">These modern tech giants operate in a world
where the sense of privacy which was almost part of the DNA of my own and my
parents’ generation is ignored with gay abandon by a generation quite willing
to trade their privacy for the benefits, material and social, that the new
technology provides. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The elephant in the room always in discussing a
Bill such as this is how we get the balance right between protecting the
freedoms and civil liberties that underpin our functioning liberal democracy
while protecting that democracy from the various threats to our safety and
well-being. The sophisticated use of new technologies by terrorist groups and
organised crime means that we have to make a sober assessment of exactly what
powers our police and security services need to combat the terrorist attack and
disrupt the drug or people trafficker or the money launderer. The fact that
those threats are often overlapping and interconnected makes granting powers
and achieving appropriate checks and balances ever more difficult.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">On the issue of crime fighting, one point was
made with particular vigour by Thomson Reuters. With offerings such as
World-Check, it plays a key role in Europe and globally in helping many private
sector firms and public authorities identify potential risks in their supply
chains, customers and business relationships. It made it clear that it will be
needing a number of clarifications in the Bill so that it will be able to
continue to provide its important services, and we will probe those concerns
and the concerns of others in the private sector in Committee.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">There is no doubt that the greater transparency
and availability of data provided by government has contributed to citizens’
better understanding of and access to government information and services, but
public concerns remain about the use of data in certain sectors. For example,
although there are clear benefits to medical research from giving researchers
access to anonymised medical data, it remains a matter of concern to the
public, the media and the profession itself. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I do not believe that sprinkling Bills with
Henry VIII clauses is an answer to the challenge of future-proofing. Perhaps
there is a case for expanding the remit of the National Data Guardian to act as
an early warning system on wider data abuse—or that of the Information Commissioner
or our own Select Committee—but there is a need. I fear that without some
permanent mechanism in place, we will be for ever running up the down escalator
trying to match legal protections to technical capacity. But that is no excuse
for not trying to improve the Bill before us. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=3818" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Lord Jay of Ewelme (CB)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">My Lords, as chairman of the EU Home Affairs
Sub-Committee, I will speak mainly about the EU Committee’s report on the EU
data protection package, which we are debating alongside the Second Reading of
the Data Protection Bill.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">In their recent Brexit position paper, <i>The
Exchange and Protection of Personal Data—A Future Partnership Paper</i>, the
Government said that they wanted to maintain free and uninterrupted data flows
with the EU after we leave; and in proposing a new security and criminal
justice treaty between the UK and the EU in her recent Florence speech, the Prime
Minister laid out her ambition for a model underpinned by, among other things,
high standards of data protection. Our report supports this objective: free and
uninterrupted data flows matter to us all. But the committee was struck by the
absence of clear and concrete proposals for how the Government plan to deliver
that objective. The stakes are high, not least because the introduction of
greater friction in data transfers could present a real barrier to future
trade. It is hard to overstate the importance of cross-border data flows to the
UK economy. Getting on for half of all large EU digital companies are based in
the UK, and three-quarters of the UK’s cross-border data flows are with EU
countries. What is more, any impediments to data flows following our withdrawal
from the EU could seriously hinder police and security co-operation, and that
means that lives, not just money, are at stake.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">In our report, we considered four elements of
the EU’s data protection package: the general data protection regulation—the
GDPR—which the Data Protection Bill seeks to transpose into UK law; the police
and criminal justice directive; the EU-US privacy shield, and the EU-US
umbrella agreement. Both the regulation and the directive will enter into force
in May 2018, while we are still a member of the EU. The agreements with the US
are already in force, but will cease to apply to the UK after our withdrawal.
Our report considers the Government’s policy options both short and long term.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The committee wanted first to look at possible
data protection arrangements once the UK becomes a third country outside the
EU, and we heard evidence on two broad options. The first option is for the UK
Government to secure a so-called adequacy decision from the European Commission
which would certify that the UK offered a standard of protection that was
“essentially equivalent” to EU data protection standards. To date, the
Commission has adopted 12 such decisions. The second option would be for
individual data controllers and processors to adopt their own safeguards using
tools such as standard contractual clauses and binding corporate rules. Our
report comes to a clear conclusion that this second option would be less
effective. The tools available to individual data controllers, including small
businesses, are bureaucratic and would be vulnerable to legal challenges. We
therefore agree with the Information Commissioner that the Government should
seek an adequacy decision for the UK as a whole. This should offer certainty
for businesses, particularly SMEs. It would also follow the approach taken by
Switzerland, which has secured an adequacy decision from the EU. I am therefore
pleased that the Government’s position paper also calls for a future
relationship that builds on the adequacy model.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">But there is a fly in this particular ointment.
The general data protection regulation only provides for adequacy decisions for
third countries, not countries leaving the EU. Decisions also follow a lengthy
procedure, so the chances of having an adequacy decision in place by March 2019
are small. So to avoid a cliff edge, we will need transitional arrangements.
The Government’s position paper acknowledges this but lacks detail. I hope that
in responding to this debate the Minister will update us on the Government’s
thinking on transition and perhaps provide some more of that detail. In
particular, I hope that as a Home Office Minister she can comment on the risks
facing law enforcement. One of the most striking findings in our inquiry was
that as a third country the UK could find itself held to higher standards of
data protection than as a member state. This will be the case both when the
European Commission considers an adequacy decision and when the UK’s data
retention and surveillance regime is tested before the Court of Justice, at
which point we will no longer be able to rely on the national security
exemption enjoyed by member states under the EU treaties. The United States has
fallen foul of EU data protection law in the past, and it is not impossible that
the United Kingdom will do the same when it is no longer a member state.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">On a related theme, the committee also
considered whether the UK’s data protection regime would continue to be
influenced by EU legislation after withdrawal. What we found was that the
general data protection regulation will continue to apply to transfers of
personal data from the EU to the UK, significantly affecting UK businesses that
handle EU data. If we obtain an adequacy decision, the rulings of the new
European Data Protection Board and the Court of Justice will have an effect,
albeit indirectly, by altering the standards that the UK will need to maintain
an adequate level of protection. This means that there will be no clean break.
We will also continue to be affected by EU rules on the onward transfer of
personal data to third countries. This could be a particular problem in the
field of security, whereby our approach to sharing personal data with, say, the
United States could put any adequacy decision at risk. In summary, it seems
likely that EU and UK data protection practices will need to remain alive long
after we leave the EU.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The Bill that we are debating today reflects a
comprehensive EU data protection regime which has been heavily influenced over
the years by the United Kingdom. Withdrawal from the EU means that we stand to
lose the institutional platform from which we have exercised that influence.
The committee’s report therefore concludes that the Government must aim to
retain the UK’s influence wherever possible, starting by securing a continuing
role for the Information Commissioner’s Office on the European Data Protection
Board. I am glad that the Government’s data protection position paper spells
out our aim to do just that, but in the longer term, the Government will also
need to find a way to work in partnership with the EU to influence the
development of data protection standards at both the EU and the global level.
The continued success of our commercial and security relations with the EU will
depend on that.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=4315" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">The Lord Bishop of Chelmsford</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Although I also welcome the rights and
protections for children that the Bill offers, not least the right to be
forgotten, there is one very important point of detail where reconsideration is
urgently needed, namely the age of consent for children to give their personal
information away online in exchange for products and services without a parent
or guardian needing to give their permission. The proposals in Clause 8, as we
have already heard, set this age of consent at 13. However, a recent YouGov
survey of the public commissioned by the BCS, the Chartered Institute for IT,
shows very little support for this. Indeed, a whopping majority of 81% thought
the age should be set at either 16 or 18. The Bill’s Explanatory Notes state
that the Government have chosen this age—the youngest possible allowed under
the incoming GDPR rules—because it is,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“in line with the minimum age set as a matter of
contract by some of the most popular information society services which
currently offer services to children (e.g. Facebook, Whatsapp, Instagram)”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">In other words, a de facto standard age of
consent for children providing their personal information online has emerged,
and that age has been set by the very companies that profit from providing
these services to children. It might be that 13 is an appropriate age for
consent by children to give their information away online, but surely that
should be decided in other ways and with much greater reference to the public,
and I do not think this has happened. It is certainly at odds with the results
of this recent survey.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Moreover, <i>Growing Up with the Internet</i>,
the recently published report of the Select Committee on Communications, on
which I am privileged to serve, examined the different ways in which children
use the internet through the different stages of childhood. We received lots of
evidence that lumping together all young people between the ages of 13 and 18
was really not helpful, and that much more research was needed. To bow to the
commercial interests of Facebook and others therefore feels at the very least
premature, and the example of its usefulness given in the Explanatory
Notes—that this would somehow ease access to,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“educational websites and research resources”,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">so that children could “complete their
homework”—somewhat naïve, particularly in the light of other conclusions and recommendations
from the <i>Growing Up with the Internet</i> report, not least that digital
literacy, alongside reading, writing and arithmetic, should be considered a
“fourth R”; that the Government should establish the post of a children’s
digital champion at the centre of government; that children must be treated
online with the same rights, respect and care that has been established through
regulation offline; and that all too often commercial considerations seem to be
put first. So 13 might be the right age but it might not, and at the very
least, further consultation with the public and with parents is needed.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=3840" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Baroness Neville-Jones (Con)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">As the UK leaves the EU, it will be essential—I
use the word “essential”—for the UK to be able to demonstrate adequacy. I hope
the Government will assure us on that point and produce the necessary
regulatory framework to enable it to happen. Adequacy does not mean that the UK
should simply cut and paste all EU legal provisions where reliance on national
law and derogations are real options in front of us. There are some where we
should be availing ourselves of them. Nor do we need to make privacy
safeguards—which are very important—so demanding that they become
self-defeating, standing in the way of benefiting patients, in the case of
medicine, and the community more generally.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The Government have made it clear that they want
the Bill to support research, which is extraordinarily welcome. I hope that
when she replies, the Minister will be able to say something about how the
Government will approach the changes that will be needed to deal with research
issues in the UK. The Bill classes universities as public bodies, and
universities lie at the core of the research community. It is fair enough for
universities to be classed as public bodies—that is what they are—but the
legislation then denies them the right to invoke public interest, or even legitimate
interest, as a basis for their research, and thus obliges them to seek explicit
consent when using data at every stage of processing. This becomes very onerous
if you are doing a long study. That may on the face of it seem reasonable but,
in practice, it can do real harm. The whole point of research is that often at
the outset it cannot be 100% certain where it may lead or whether further
processing or trials may be necessary. You can get a situation in which
unexpected and unplanned-for research is available and could yield real
dividends. That is especially true of interventional research. If, as a result
of wanting to take it to a further stage, the data processing demands that
there should be another round of explicit consent, you get into a situation
whereby universities—unlike some of the public bodies in government, which do
not have to follow this procedure—have to go round again to all those who
offered their personal data in the first place. Seeking the consent of holders
of the data anew may simply not be possible, especially in long-term research
projects. People move house or become incapable; they also die.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Even if those problems can be overcome—and I
think they are real—there is a question of proportionality. Why make consent so
onerous that it makes research too difficult in practice and too costly to
engage in? There needs to be greater proportionality on this issue and greater
alignment between the various bodies that use data in this way, and there needs
to be some alternative to consent as the basis for engaging in some kinds of
research. Numerous government mechanisms are available, not least ethics
committees, which are a key component of modern research and could provide the
necessary safeguards against abuse. I recognise that there need to be
safeguards, but I suggest that we should use some imagination in how they could
be brought about.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I am involved with an organisation called
Unique, which deals with rare genetic disorders, whereby datasets to be useful
have to be gathered globally. The number of people with those afflictions is so
tiny in any given population that you have to go across the globe to connect
useful datasets, which means in turn that you come up against some of the
provisions that govern transnational transmission of data. However, the rarity
of such individual disorders also makes every patient’s data precious to other
affected individuals, because it is potentially a very tight community. No
other organisation is dealing with that affliction in that way, and Unique can
give support and advice to otherwise lonely parents and their equally isolated
medics, who turn to Unique for information about alike cases. There is a
network there.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">By insisting on onerous consent regimes, we are
in danger of disabling such organisations from continuing their pioneering
work. In Unique, it is not uncommon for parents who have not been in touch for
a long time suddenly to turn to it with a request for help. Try telling
families, many of whom are not in the UK but are in third countries, who are
coping with the daily stress of caring for a disabled child or adult, that they
must be sure to keep up online with the stringent requirements of UK data
legislation and that failing to do so will mean that they run the severe risk
of no longer being able to get the kind of individualised attention and support
that they seek from the very organisations set up to help them. The problem is
that the law will lay down the need for the regular reconsultation and
re-consent of individuals in very precise ways, and that such individuals might
not reply, not understanding the potential hazards involved in failing to do
so. One might say that data anonymisation might solve the problem. It solves
some problems, but it creates new ones in an organisation set up for certain
purposes where the idea is that one fellow sufferer can help another. So piling
difficulties on small organisations—there are other difficulties that I have
not even mentioned—might lead ultimately to an unwanted outcome, which will be
a reduction in effectiveness.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I would like the Government to think about the
possibility that they should allow for the creation of governance and
accountability regimes that will fit special circumstances—and I am sure that
we will come across others as we go through this legislation. The existence of
the Information Commissioner should not result just in enforcing the law
effectively and well; it should provide an opportunity for creativity under her
auspices and the ability to create variations on governance regimes where they
are needed.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<a href="https://hansard.parliament.uk/Lords/2017-10-10/debates/22188EC1-6BAB-4F06-BE64-5831ABAF78E2/DataProtectionBill(HL)#contribution-9B7AAFF0-5B27-4D96-81DC-A43ADAB28B94"></a><a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=1867" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Baroness Ludford (LD)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> </span><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"><o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I am rather concerned about the clarity of this
very substantial Bill. It is explained that the format is chosen to provide
continuity with the Data Protection Act 1998, but whether or not as a result of
this innocent, no doubt valuable, choice, it seems to me that some confusion is
thereby created.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">First, there is the fact that the GDPR is the
elephant in the room—unseen and yet the main show in town. You could call it
Macavity the cat. The noble Lord, Lord Stevenson, dubbed the Bill Hamlet
without the Prince. Traces exist without the GDPR being visible. Is the
consequent cross-referencing to an absent document the best that can be done? I
realise that there are constraints while we are in the EU, but it detracts from
the aims of simplicity and coherence. Apparently, things are predicted to be
simpler post Brexit, at least in this regard, when the GDPR will be
incorporated into domestic law under the withdrawal Bill in a “single domestic
legal basis”, according to the Explanatory Memorandum. Does that mean that this
Bill—by then it will be an Act—will be amended to incorporate the regulation?
It seems odd to have more clarity post Brexit than pre-Brexit. It would no
doubt be totally unfair to suggest any smoke-and-mirrors exercise to confuse
the fact of the centrality of EU law now and in the future.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Secondly, we seem to have some verbal gymnastics
regarding what “apply” means. The departmental briefing says that the Bill will
apply GDPR standards, but then we have the so-called “applied GDPR” scheme,
which is an extension of the regulation in part 2, chapter III. Can the
Minister elaborate on precisely what activities part 2, chapter III covers?
The Bill says that manual unstructured files come within that category. I do
not know how “structured” and “unstructured” are defined, but what other data
processing activities or sectors are outside the scope of EU law and the
regulation, and are they significant enough to justify putting them in a
different part?<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I will highlight, rather at random, some other
examples which need reflection. We may need seriously to look at the lack of
definition of “substantial public interest” as a basis for processing sensitive
data, or even of public interest. I think the noble Lord, Lord Stevenson,
mentioned the failure or the non-taking-up of the option under Article 80(2) of
the regulation to confer on non-profit organisations the right to take action
pursuing infringements with the regulator or court. This omission is rather
surprising given that a similar right exists for NGOs, for instance, for breach
of other consumer rights, including financial rights. Perhaps the Minister
could explain that omission.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">There is also concern that the safeguards for
profiling and other forms of automated decision-making in the Bill are not
strong enough to reflect the provisions of Article 22 of the GDPR. There is no
mention of “similar effects” to a legal decision, which is the wording in the
regulation, or of remedies such as the right of complaint or judicial redress.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Very significant is the power for the Government
under Clause 15 to confer exemptions from the GDPR by regulation rather than
put them in primary legislation. That will need to be examined very carefully,
not only for domestic reasons but also because it could undermine significantly
an adequacy assessment in the future.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=2443" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Lord Patel (CB)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Clause 7 refers to alternatives to consent. The
noble Baroness, Lady Neville-Jones, referred briefly to the problems that
arise. For many uses of personal data, explicit consent is absolutely the right
legal basis for processing that data, and it is positive that, with the GDPR,
data subjects’ rights have been strengthened. Medical research will usually
rely on a person providing informed consent for ethical reasons, but it is
essential that there are alternatives to consent as a legal basis. That is
because GDPR-compliant explicit consent sets a high bar for information
provision that it may not always be feasible to meet. In many research
resources, such as biobanks—I hope that my noble friend Lady Manningham-Buller
will refer to that as the chairman of the Wellcome Trust, which is responsible
for initiating the UK Biobank—the participants give consent for their
pseudonymised data to be used.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">In some studies it is not possible to seek
consent, either because a very large sample size is needed to generate a robust
result, and that would be practically difficult to obtain, or because seeking
consent would introduce bias. The use of personal health data without specific
explicit consent is sometimes essential for research for the health of the
population. If researchers could not process medical records for research
without specific explicit patient consent, they could not run cancer
registries, which are extremely important in recording all cases of cancer; they
could not monitor the hazards of medical procedures, such as the recently
discovered implications of CT scans for long-term disease development; they
could not assess the unexpected side-effects of routinely prescribed medicines;
and they could not identify sufficiently large numbers of people with a
particular disease to invite them to take part in trials for the treatment of
that disease. The example I would give is the recruitment of 20,000 suitable
people for the Heart Protection Study on statins, which has helped transform
medical practice throughout the world. I am sure that many noble Lords use
statins. This began with the identification of 400,000 patients with a hospital
record of arterial disease and that information could not have been accessed
without their permission. There are good examples of how this provision would
cause a problem as it is enunciated in Clause 7.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">We have a well-established, robust system of
governance and oversight for non-consensual medical research in the UK; for
example, through the Health Research Authority, a confidentiality advisory
group, advising on Section 251 approvals to override the common law duty of
confidentiality. Patient groups actively advocated for research exemptions
during the passage of the GDPR—for example, through the Data Saves Lives
campaign. I hope that, in Committee, we might get an opportunity to explore
this further to see whether we can somehow modify the Bill to make this
possible.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I come now to the public interest issues in the
same clause. I understand that the Government intend the functions listed in
Clause 7 not to be exhaustive, and to allow, for example, research conducted by
universities or NHS trusts to use the public interest legal basis. Again, the
noble Baroness, Lady Neville-Jones, briefly touched on that. It would provide
much-needed clarity and assurance to the research community, particularly to
those in the universities, if this could be made explicit in the Bill. A huge
amount of research will rely on public interest as a legal basis. The
Government have recognised the value of making better use of data for research,
and the recent life sciences industrial strategy confirms the tremendous
potential benefits for patients and the public if we can unlock the value of
data held by public authorities and promote its use in the public interest.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">There is currently a highly risk-averse culture
in data protection, driven in part because people are unclear about the rules
and what they can or cannot do with data for their purposes—hence I referred to
the need for better governance of the data. This is why the public interest
legal basis matters so much for research. The DP Bill is an opportunity to set
out very clearly what the legitimate basis for processing personal data can be.
Setting out a clear public interest function for research will give researchers
confidence to know when they are operating within the law. If necessary, any
specification of research in Clause 7 could be qualified by safeguards to
ensure that the legal basis is used only when appropriate.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=56" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Lord Arbuthnot of Edrom (Con)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">This is a welcome and necessary Bill. It is not
perfect, but I leap to its defence in at least one respect—namely, the absence
of the GDPR regulations themselves from the Bill. On the Government’s website,
there is a truly helpful document, the Keeling schedule, which sets out how the
GDPR intersects with the text of this Bill. After noble Lords have read it a
few times, it comes close to being comprehensible.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The Commission has estimated that this [GDPR] would
lead to savings of around €2.3 billion a year for businesses. But while the
rules might make things simpler for businesses in that respect, it is possible
that they will also make it easier for citizens to demand to know what
information is held on them in paper form as well as in digital form. In fact,
that is one of the main purposes of the Bill. So we might find that businesses
have more rather than less to do. I wonder whether that has been costed. It is
a good thing that citizens should find out what information people hold on
them, but we should not pretend that the exercise will be free of cost to
businesses. The Federation of Small Businesses estimates an additional cost of
£75,000 per year for small businesses, and obviously much more for larger ones.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The Bill contains a bespoke regime for the
processing of personal data by the police, prosecutors and other criminal
justice agencies for law enforcement purposes. The aim of this, which is
laudable, is to,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“ensure that there is a single domestic and
trans-national regime for the processing of personal data for law enforcement
purposes across the whole of the law enforcement sector”,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">but what is the law enforcement sector? To what
extent do banks, for example, fall into the law enforcement sector? They have
obligations under the anti-money laundering rules to pull suspicions together
and to share those across borders—not just across European borders but
globally. How are those obligations tied in with the GDPR obligations in the
Bill? Businesses, especially banks, will need to understand the interplay
between the GDPR regulations, the anti-money laundering regulations and all of
the others. The Government would not, I know, want to create the smallest risk
that by obeying one set of laws you disobey another.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">That sort of legal understanding and pulling
things together will take time. It will take money and training for all
organisations. There is a real concern that too many organisations are simply
hoping for the best and thinking that they will muddle through if they behave
sensibly. But that is not behaving sensibly. They need to start now if they
have not started already. The Federation of Small Businesses says that:<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“For almost all smaller firms, the scope of the
changes have not even registered on their radar. They simply aren’t aware of
what they will need to do”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Yet it goes on to say that,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“full guidance for businesses will not be
available until next year, potentially as late as spring. The regulator cannot
issue their guidance until the European Data Protection Board issue theirs”,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">so there is a lot of work to be done.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">My final point echoes one raised by the noble
Lord, Lord McNally, relating to the issue of the re-identification of personal
data which has been de-identified, as set out in Clause 162. The clause makes
it a crime to work out to whom the data is referring. The very fact that this
clause exists tells us something: namely, that whatever you do online creates
some sort of risk. If you think that your data has been anonymised, according
to the computational privacy group at Imperial College, you will be wrong. It
says:<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“We have currently no reason to believe that an
efficient enough, yet general, anonymization method will ever exist for
high-dimensional data, as all the evidence so far points to the contrary”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">If that is right, and I believe it is, then
de-identification does not really exist. And if that is right, what is it in
terms of re-identification that we are criminalising under this clause? In a
sense, it is an oxymoron which I think needs very careful consideration. The
group at Imperial College goes on to suggest that making re-identification a
criminal offence would make things worse because those working to anonymise
data will feel that they do not have to do a particularly good job. After all,
re-identifying it would be a criminal offence, so no one will do it.
Unfortunately, in my experience that is not entirely the way the world works.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=3610" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Baroness Howe of Idlicote (CB)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I hope that the Minister will set out some
clarification of the intentions of the Bill in relation to the consent of
children. Clause 8(b) includes an exemption for “preventive or counselling
services”. Does that mean that a child could give their consent to these
websites before the age of 13 or not at all? What is defined as a “preventive
or counselling service”?<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Clause 187 gives further criteria for the
consent of children, but only children in Scotland where a child’s capacity to
exercise their consent should be taken into account, with the expectation that
a child aged 12 or over is,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“presumed to be of sufficient age and maturity
to have such an understanding”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The Explanatory Notes to the Bill state that
this clause must be read with Clause 8, which provides that the age limit is
13. Is Clause 187 intended to say that the age of digital consent cannot go
below 13, which is the position of Article 8(1) of the GDPR, or that there
might be circumstances when a child who is 13 cannot consent for genuine
reasons? Either of these scenarios seem to give rise to confusion for children,
parents and the websites that children access.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">After all the detailed discussions about age
verification that we had earlier in the year, there is an argument for age
verification to apply to Clause 8. How will websites that require a child to
verify that they are 13 years old ensure that the child is the age that they
say they are without some requirement for the site to prove the age of the
child? This is surely a meaningless provision. I hope that when the Minister comes
to reply, he will set out the Government’s position on this matter and explain
what penalties a website which breaches this age requirement will face.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=4275" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Baroness Lane-Fox of Soho (CB)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">There is much that is good in the Bill, but I do
not believe that it is yet the best that it can be.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I must start with a confession. Despite the kind
references today to my career and supposed expertise, I found this Bill
incredibly hard to read and even harder to understand. I fear that we will not
do enough to stop the notion, referred to by the noble Lord, Lord McNally, that
we are sleepwalking into a dystopian future if we do not work hard to simplify
the Bill and make it accessible to more people, the people to whom I feel sure
the Government must want to give power in this updated legislation. Let us
ensure that the Bill is a step forward for individual power in the rapidly
changing landscape in which we sit, a power that people understand and,
importantly, use. Let us make it an indicator to the world that the UK balances
the importance of tech start-ups, innovation, foreign investment and big
businesses with consumer and citizen rights.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The Government should be commended for getting
ahead of movements that are growing all over the world to free our data from
the tech giants of our age. As data becomes one of our most valuable
resources—as we have heard, the new oil—individuals have begun to want a stake
in determining for themselves when, how and to what extent information about
them is held and communicated to others. So I welcome the clear data
frameworks, which are important not only for the best digital economy but for
the best digital society.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I agree with much that has been said today but
want to make three specific points on the Bill. First, from any perspective,
the GDPR is difficult to comprehend, comprising sweeping regulations with 99
articles and 173 recitals. The Bill contains some wonderful provisions, of
which my favourite is:<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“Chapter 2 of this Part applies for the purposes
of the applied GDPR as it applies for the purposes of the GDPR … In this
Chapter, “the applied Chapter 2” means Chapter 2 of this Part as applied by
this Chapter”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Giving people rights is meaningful only if they
know that they have them, what they mean, how to exercise them, what
infringement looks like and how to seek redress for it. There are questions
about the practical workability of a lot of these rights. For example, on the
right to portability, how would the average person know what to do with their
ported data? How would they get it? Where would they keep it? There was a funny
example in a newspaper recently where a journalist asked Facebook to send them
all the data that it had collected over the previous eight years and received a
printed copy of 800 pages of data—extremely useful, as I think you will agree.
What about your right to erase your social media history? I should declare my
interest as a director of Twitter at this point. How can you remove content
featuring you that you did not post and in which people may have mentioned you?
What happens as the complexity of the algorithm becomes so sophisticated that
it is hard to separate out your data? How does the immense amount of machine
learning deployed already affect your rights, let alone in the future?<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Awareness among the public about the GDPR is
very low—the Open Data Institute has done a lot of work on this which is soon
to be published. It is very unlikely that ordinary people understand this
legislation. They will have no understanding of how their rights affect them. A
lot of education work needs to be done.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">For businesses, too, the learning curve is
steep, especially for foreign investors in European companies. Some are betting
that the sheer scope of the GDPR means that the European regulators will
struggle to enforce it. When the GDPR came up at a recent industry start-up
event, one industry source said that none of the people to whom they had spoken
could confidently say that they had a plan. Every online publisher and
advertiser should ensure that they do, but none of them is taking steps to
prepare.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">So much has been done by this Government on
building a strong digital economy that it is important to ensure that small and
start-up businesses do not feel overwhelmed by the changes. What substantial
help could be planned and what education offered? What help is there with
compliance? By way of example, under Clause 13, companies have 21 days to show
bias from algorithms, but what does this mean for a small AI start-up which may
be using anonymised intelligence data to build a new transport or health app?
What do they have to think about to make good legal decisions? As my noble
friend Lord Jay so brilliantly argued, how can we ensure post-Brexit
legislative certainty for them in building global successful businesses?<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">This brings me to my second question: why has
the right of civil groups to take action on behalf of individuals been removed
from the UK context for the GDPR? Instead, the Bill places a huge onus on
individuals, who may lack the know-how and the ability to fight for their
rights. As has been mentioned, article 80(1) of the GDPR allows for
representative bodies—for example, consumer groups—to bring complaints at the
initiation of data subjects. This omission is worrying, given how stretched
the ICO’s resources are and the impact this could have on its support for the
public. Granting rights over data to individuals is meaningless if individuals
lack the understanding to exercise those rights and there is no infrastructure
within civic society to help them exercise those rights. There does not seem to
be any good reason why the UK has chosen not to take up the option in EU law to
allow consumer privacy groups to lodge independent data protection complaints
as they can currently do under consumer rights laws.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Resourcing the ICO, Part 5 of the Bill, is
essential and my third main area of interest. The ICO has considerable
responsibilities and duties under the Bill towards both business and
individuals: upholding rights, investigating reactively, informing and
educating to improve standards, educating people and consumer groups, and
maintaining international relationships. I feel exhausted thinking about it.
The ICO’s workload is vast and increasing. It lacks sufficient resources
currently. In March 2017, the Information Commissioner asked Parliament if it
could recruit 200 more staff but the salaries it offers are significantly below
those offered by the private sector for roles requiring extremely high levels
of skills and experience. These staff are going to become ever more important
and more difficult to recruit in the future.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The ICO currently funds its data protection work
by charging fees to data controllers. It receives ring-fenced funding for its
freedom of information request work from the Government. This income can
increase the number of data controllers only as it increases: it is not in line
with the volume or complexity of work, and certainly not with that in the Bill.
Perhaps it is time for another method of funding, such as statutory funding.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Finally, I would like briefly to add my thoughts
on how the Bill affects children. As many noble Lords have said, the YouGov
poll does indeed say that 80% of the public support raising the age to
18—currently it is 13, as detailed by the Government. However, there are many
other surveys, particularly one by the Children’s Society, which show that 80%
of 13 year-olds currently have a social media account and 80% of people under
13 have lied or twisted their age in order to establish one. This is the
realpolitik in the war of understanding the internet with our children. I
respectfully disagree with the noble Baroness, Lady Howe, and others in the
Chamber: I feel strongly that it is wrong to place policing at the heart of how
we deal with relationships between children and the internet. We need to take a
systems-based approach. I have seen my godchildren set up fake accounts and
whizz around the internet at a speed I find alarming. We have to deal on their
terms. We have to help educators, parents and people supporting children, not
use the long arm of the law.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=2652" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Baroness Hamwee (LD)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Like other noble Lords, I am concerned about
public trust and confidence in the system. At the moment there is a need for
guidance on preparation for the new regime. I visited a charity last week and
asked about the availability and accessibility of advice. The immediate, almost
knee-jerk response was, “It’s pretty dire”—followed by comments that most of
what is available is about fundraising and that there is a particular lack of
advice on how to deal with data relating to children. The comment was made,
too, that the legislation is tougher on charities than on the private sector. I
have not pinned down whether that is the case, but I do not disbelieve it. The
Federation of Small Businesses has made similar points about support for small
businesses.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Part of our job is to ensure that the Bill is as
clear as possible. I was interested that the report of the committee of the
noble Lord, Lord Jay, referred to “white space” and language. It quoted the
Information Commissioner, who noted trigger terms such as “high-risk”, “large
scale” and “systematic”. Her evidence was that until the new European Data
Protection Board and the courts start interpreting the terms,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“it is not clear what the GDPR will look like in
practice”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I found that some of the language of the Bill
raised questions in my mind. For instance—I am not asking for a response now;
we can do this by way of an amendment later—the term “legitimate” is used in a
couple of clauses. Is that wider than “legal”? What is the difference between
“necessary” and “strictly necessary”? I do not think that I have ever come
across “strictly necessary” in legislation. There are also judgment calls
implicit in many of the provisions, including the “appropriate” level of
security and processing that is “unwarranted”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Finally, I return to the committee report, which
has not had as much attention as the Bill. That is a shame, but I am sure we
will come back to it as source material. I noted the observation that, post
Brexit, there is a risk that, in the Information Commissioner’s words, the UK
could find itself,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“outside, pressing our faces on the glass …
without influence”,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">and yet having,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“adopted fulsomely the GDPR”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">That image could be applied more widely.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=3857" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Baroness Manningham-Buller (CB)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">For the public interest, terminology should be
extended so that we can look at issues of safeguards beyond consent and make
sure that it is possible to do clinical trials and interventional work. Why is
that the case? It is because health data offers the most exciting opportunities
to do things which we have only recently been able to do, understand the causes
of disease in detail over populations and have a much better chance of getting
to diagnosis early. We could deal with many things if we could only diagnose
them far earlier and develop treatments for them—indeed, prevent some of them
ever materialising. Health data also helps us to measure the efficacy of
treatment. We all know of plenty of treatments that over years have proved to
be useless, or unexpected ones that have proved to be outstanding. Looking at
big-scale data helps us to do that. That data helps in precision medicine,
which we are all moving towards having, where the drugs we receive are for us,
not our neighbour, although we apparently both have the same illness. Health
data can also help with safety as you can collect the side-effects that people
are suffering from for particular drugs. It helps us evaluate policy and, of
course, should help the NHS in planning.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I know that the Government want to support
scientists to process data with confidence and safety. The industrial strategy
comments that data should be “appropriately accessed by researchers”.
“Appropriate” is a hopeless word; we do not know what it means, but still. The
document also states that access for researchers to,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“currently available national datasets should be
accelerated by streamlining legal and ethical approvals”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">We are not there yet.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I want to say a word about public support. The
Wellcome Trust commissioned an Ipsos MORI poll last year before the Caldicott
review to assess public support for the collection of data. In many cases,
there is significant public support for that provided it is anonymised—although
I know there are questions about that—but what people are fussed about is that
their data is sold on for commercial purposes, that it is used for marketing
or, worst of all, that it is used to affect their insurance policies and life
insurance. Therefore, we need to give reassurance on that. However, it has
certainly been the case in our experience, and that of many universities, that
you can recruit many people for trials and studies if they believe that their
data will help others with similar diseases or indeed themselves.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=1879" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Lord Lucas (Con)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I agreed with the noble Lord, Lord McNally, and
his worries about standing up to the tech giants. They are not our friends.
They are big, powerful companies that are not citizens of this country. They
pay as little tax here as possible and several of them actively help tax
evaders in order that they can make more profits out of the transactions that
that involves. They control what we see on the internet through algorithms and
extract vast quantities of data and know more about us than we know ourselves.
In the interests of democracy we really must stand up to them and say, “No, we
are the people who matter. It is great you are doing well, but we are the
people who matter”. Bills like this are part of that, and it is important that
we stand up for ourselves and our citizens.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">My noble friend Lord Arbuthnot referred to a
Keeling schedule. It would be wonderful to receive it. For some reason I cannot
pick it up on the email. It is not in the documents listed on the Parliament
website, not in any location, and it does not Google or come up on GOV.UK. One
way or another, I think the simplest thing to ask is: please can we put it on
the parliamentary website in the list of documents related to the Bill? I know
that it exists, but I just cannot find it. It would be nice if it appeared on
the departmental website too.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">It seems to me that bits are missing in a number
of areas. Where are Articles 3, 27, 22(2)(b) and 35(4) to 35(6)? Where is
Article 80(2), as the noble Baroness, Lady Lane-Fox, mentioned? That is an
absolutely crucial article. Why has it gone missing? How exactly is recital 71
implemented? I cannot see how the protections for children in that recital are
picked up in the Bill. There are a lot of things that Keeling schedules are
important for. In a detailed Bill like this, they help us to understand how the
underlying European legislation will be reflected, which will be crucial for
the acceptance of this Bill by the European Union—I pick up the point made by
the noble Lord, Lord Stevenson—and what bits are missing.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">And what has been added? Where does paragraph 8
of Schedule 11 come from? It is a very large, loose power. Where are its edges?
What is an example of that? I would be very grateful if my noble friend could
drop me a note on that before we reach Committee. What is an arguable point
under that provision? Where are the limits of our economic interest so far as
its influence on this Bill is concerned?<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Paragraph 4 of Schedule 10 is another place that
worries me. We all make our personal data public, but a lot of the time we do
it in a particular context. If I take a photograph with my
parliamentary-supplied iPhone, on which there is an app that I have granted the
power to look at my photographs for some purpose that I use that app for, I
have made that photograph and all the metadata public. That is not what I
intended; I made it public for a particular purpose in a particular
context—that of social media. A lot of people use things like dating websites.
They do not put information on there which is intended to be totally public.
Therefore, the wording of paragraph 4 of Schedule 10 seems to be far too wide
in the context of the way people use the internet. Principle 2 of the Data
Protection Act covers this. It gives us protection against the use of
information for purposes which it clearly has not been released for. There does
not appear to be any equivalent in the Bill—although I have not picked up the
Keeling schedule, so perhaps it is there. However, I would like to know where
it is.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">On other little bits and pieces, I would like to
see the public policy documents under Clause 33(4) and Clause 33(5) made
public; at the moment they are not. How is age verification supposed to work?
Does it involve the release of data by parents to prove that the child is the
necessary age to permit the child access, and if so, what happens to that data?
Paragraph 23 of Schedule 2 addresses exam scripts. Why are these suddenly being
made things that you cannot retrieve? What are the Government up to here?
Paragraph 4 of Schedule 2, on immigration, takes away rights immigrants have at
the moment under the Data Protection Act. Why? What is going on?<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">There are lots of bits and pieces which I hope
we can pick up in Committee. I look forward to going through the Bill with a
very fine-toothed comb—it is an important piece of legislation.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=3838" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Lord Janvrin (CB)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">In order to support archiving activities, it is
essential that this legislation provide a strong and robust legal basis to
support public and private organisations which are undertaking archiving in the
public interest. As I understand it, this new legislation confirms the
exemptions currently available in the UK Data Protection Act 1998: safeguarding
data processing necessary for archiving purposes in the public interest and
archiving for scientific, historical and statistical purposes. This is welcome,
but there may perhaps be issues around definitions of who and what is covered
by the phrase “archiving in the public interest”. I look forward to further
discussion and, hopefully, further reassurances on whether the work of public
archiving institutions such as our libraries and museums is adequately
safeguarded in the Bill.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The new Bill seeks to replicate the approach of
the Data Protection Act 1998, whereby there have been well-established
exemptions to safeguard national security. It is obviously vital that the
intelligence services be able to continue to operate effectively at home and
with our European and other partners, and I look forward to our further
discussion during the passage of the Bill on whether this draft legislation
gives the intelligence services the safeguards they require to operate
effectively.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=4160" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Lord Knight of Weymouth (Lab)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">This Bill attempts to help us tackle some big
moral and ethical dilemmas, and we as parliamentarians have a real struggle to
be sufficiently informed in a rapidly changing and innovative environment. I welcome
the certainty that the Bill gives us in implementing the GDPR in this country
in a form that anticipates Brexit and the need to continue to comply with EU
data law regardless of membership of the EU in the future.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">But ultimately I believe that the GDPR is an
answer to the past. It is a long-overdue response to past and current data
practice, but it is a long way from what the Information Commissioner’s
briefing describes as,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“one of the final pieces of much needed data
protection reform”. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I am grateful to Nicholas Oliver, the founder of
people.io, and to Gi Fernando from Freeformers for helping my thinking on these
very difficult issues.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The Bill addresses issues of consent, erasure
and portability to help protect us as citizens. I shall start with consent. A
tougher consent regime is important but how do we make it informed? Even if 13
is the right age for consent, how do we inform that consent with young people,
with parents, with adults generally, with vulnerable people and with small
businesses which have to comply with this law? Which education campaigns will
cut through in a nation where 11 million of us are already digitally excluded
and where digital exclusion does not exclude significant amounts of personal
data being held about you? And what is the extent of that consent?<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">As an early adopter of Facebook 10 years ago, I
would have blindly agreed to its terms and conditions that required its users
to grant it,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“a non-exclusive, transferable, sub-licensable,
royalty-free, worldwide license to use any IP content”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I posted on the site. It effectively required me
to give it the right to use my family photos and videos for marketing purposes
and to resell them to anybody. Thanks to this Bill, it will be easier for me to
ask it to delete that personal data and it will make it easier for me to take
it away and put it goodness knows where else with whatever level of security I
deem fit, if I can trust it. That is welcome, although I still quite like
Facebook, so I will not do it just yet.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">But what about the artificial intelligence
generated from that data? If, in an outrageous conflagration of issues around
fake news and election-fixing by a foreign power to enable a reality TV star
with a narcissistic personality disorder to occupy the most powerful executive
office in the free world, I take against Facebook, can I withdraw consent for
my data to be used to inform artificial intelligences that Facebook can go on
to use for profit and for whatever ethical use they see fit? No, I cannot.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">What if, say, Google DeepMind got hold of NHS
data and its algorithms were used with bias? What if Google gets away with
breaking data protection as part of its innovation and maybe starts its own
ethics group, marking its own ethics homework? Where is my consent and where do
I get a share of the revenue generated by Google selling the intelligence
derived in part from my data? And if it sells that AI to a health company which
sells a resulting product back to the NHS, how do I ensure that the patients
are advantaged because their data was at the source of the product?<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">No consent regime can anticipate future use or
the generation of intelligent products by aggregating my data with that of
others. The new reality is that consent in its current form is dead. Users can
no longer reasonably comprehend the risk associated with data sharing, and so
cannot reasonably be asked to give consent.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Thanks to AI, in the future we will also have to
resolve the paradox of consent. If AI determines that you have heart disease by
facial recognition or by reading your pulse, it starts to make inference
outside the context of consent. The AI knows something about you, but how can
you give consent for it to tell you when you do not know what it knows? Here,
we will probably need to find an intermediary to represent the interests of the
individual, not the state or wider society. If the AI determines that you are
in love with someone based on text messages, does the AI have the right to tell
you or your partner? What if the AI is linked to your virtual assistant—to Siri
or Google Now—and your partner asks Siri whether you are in love with someone
else? What is the consent regime around that? Clause 13, which deals with a
“significant decision”, may help with that, but machine learning means that
some of these technologies are effectively a black box where the creators
themselves do not even know the potential outcomes.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Could the Minister tell me how the right to be
forgotten works with the blockchain? These decentralised encrypted trust
networks are attractive to those who do not trust big databases for privacy
reasons. By design, data is stored in a billion different tokens and synced
across countless devices. That data is immutable. Blockchain is heavily used in
fintech, and London is a centre for fintech. But the erasure of blockchain data
is impossible. How does that work in this Bill?<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">There is more to be said about portability, law
enforcement and the intelligence services, but thinking about this Bill makes
my head hurt. Let me close on a final thought. The use of data to fuel our
economy is critical. The technology and artificial intelligence it generates
has a huge power to enhance us as humans and to do good. That is the utopia we
must pursue. Doing nothing heralds a dystopian outcome, but the pace of change
is too fast for us legislators, and too complex for most of us to fathom. We
therefore need to devise a catch-all for automated or intelligent decisioning
by future data systems. Ethical and moral clauses could and should, I argue, be
forced into terms of use and privacy policies. That is the only feasible way
to ensure that the intelligence resulting from the use of one’s data is not
subsequently used against us as individuals or society as a whole. This needs
urgent consideration by the Minister.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=4258" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Baroness Kidron (CB)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">If being GDPR compliant requires a hard age
limit, how do we intend to verify the age of the child in any meaningful way
without, perversely, collecting more data from children than we do from adults?
Given that the age of consent is to vary from country to country—16 in the
Netherlands, Germany and Hungary; 14 in Austria—data controllers will also need
to know the location of a child so that the right rules can be applied.
Arguably, that creates more risk for children, but definitely it will create
more data.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">In all of this we must acknowledge a child’s
right to access the digital world knowledgeably, creatively and fearlessly.
Excluding children is not the answer, but providing a digital environment fit
for them to flourish in must be. There is not enough in this Bill to
fundamentally realign young people’s relationship with tech companies when it
comes to their data.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=1854" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Lord Marlesford (Con)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I very much agreed with those who said that the
regulation must certainly apply to the big boys in the computer and digital
world. I shuddered when the noble Baroness, Lady Lane-Fox, quoted from that
wholly incomprehensible Brussels jargon from the regulations.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I received last week a letter as chair of
Marlesford Parish Council. We have seven members and only 230 people live in
Marlesford. Our precept is only £1,000 a year. A letter from the National
Association of Local Councils warned me that the GDPR will impose,<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“a legal obligation to appoint a Digital
Protection Officer … this appointment may not be as straightforward as you may
be assuming, as while it may be possible to appoint an existing member of
staff”—<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">we have no staff, just a part-time parish clerk
who is basically a volunteer. It continues:<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">“They must by requirement of regulations possess
‘expert knowledge of data protection law and practices’”.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I am afraid that will not be found in most small
villages in the country, so I hope that one result of this Bill will be to
introduce an element of proportionality in how it is to apply, otherwise the
noble Baroness, Lady Lane-Fox, who was so right to draw our attention to the
threat of incomprehensibility, will be right and we will all lose the plot.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=1864" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">The Earl of Lytton (CB)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Despite acknowledging that the Bill fleshes out
the regulation to make it member-state applicable, like the noble Lord, Lord
Stevenson, I worry about a Bill of 218 pages and an explanatory note of 112
pages, plus a departmental pack of 247 pages to deal with it all. That all adds
to the complexity. I admit that the GDPR conceals its highly challenging
requirements in wording of beguiling simplicity under the flag of private rights,
but it is no wonder that the European Parliament did not want its handiwork
contextualised by inclusion in what we have before us. It is not a particularly
encouraging start to bringing 40 years of EU legislation into domestic law.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">In what I felt was an inspirational
contribution, the noble Baroness, Lady Lane-Fox—I am sorry she is not in her
place—referred to the tortuous use of language in parts of the Bill. I agree
with her—parts of it are gobbledygook that deny transparency to ordinary
mortals. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=4284" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Baroness Neville-Rolfe (Con)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I shall touch on three concerns. According to
the Federation of Small Businesses, the measures represent a significant step
up in the scope of data protection obligations. High-risk undertakings could
face additional costs of £75,000 a year from the GDPR. The MoJ did an impact
assessment in 2012, which is no doubt an underestimate, since it did not take
account of the changes made by the European Parliament, which estimated the
cost at £260 million in 2018-19 and £310 million by 2025-26. I am not even sure
if that covers charities or public organisations or others who have expressed
concerns to me about the costs and the duties imposed. Then there are the costs
of the various provisions in the Bill, many levelling up data protection
measures outside the scope of the GDPR. It is less confusing, I accept, but
also more costly to all concerned.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The truth is that overregulation is a plague
that hits productivity. Small businesses are suffering already from a
combination of measures that are justified individually—pension auto-enrolment,
business rates and the living wage—but together can threaten viability at a
time of Brexit uncertainty. We must do all we can to come to an honest estimate
of the costs and minimise the burden of the new measures in this legislation.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Also, I know that CACI, one of our leading
market analysis companies working for top brands such as John Lewis and
Vodafone, thinks that the provisions in the Bill are needlessly gold-plated.
Imperial College has contacted me about the criminalisation of the
re-identification of anonymised data, which it thinks will needlessly make more
difficult the vital security work that it and others do.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The noble Lord, Lord Patel, and the noble
Baroness, Lady Manningham-Buller, were concerned about being able to contact
people at risk where scientific advance made new treatments available—a
provision that surely should be covered by the research exemption.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The second issue is complication. It is a long
and complicated Bill. We need good guidance for business on its duties—old and
new, GDPR and Data Protection Bill—in a simple new form and made available in
the best modern way: online. I suggest that—unlike the current ICO site—it
should be written by a journalist who is an expert in social media. The
Minister might also consider the merits of online training and testing in the
new rules. I should probably declare an interest: we used it in 2011 at Tesco
for the Bribery Act and at the IPO for a simple explanation of compliance with
intellectual property legislation.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The third issue is scrutiny. I am afraid that,
as is usual with modern legislation, there are wide enabling powers in the Bill
that will allow much burdensome and contentious subordinate detail to be
introduced without much scrutiny. The British Medical Association is very
concerned about this in relation to patient confidentiality. Clause 15,
according to the excellent Library Note, would allow the amendment or repeal of
derogations in the Bill by an affirmative resolution SI, thereby shifting
control over the legal basis for processing personal data from Parliament to
the Executive. Since the overall approach to the Bill is consensual, this is
the moment to take a stand on the issue of powers and take time to provide for
better scrutiny and to limit the delegated powers in the Bill. Such a model
could be useful elsewhere—not least in the Brexit process.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=2441" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Baroness O’Neill of Bengarve (CB)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I will make a few rather sceptical remarks about
the long-term viability of data protection approaches to protecting privacy.
They have, of course, worked, or people have made great efforts to make them work,
but I think the context in which they worked, at least up to a point, has
become more difficult and they are less likely to work. The definition of
personal data used in data protection approaches, and retained here, is data
relating to a living individual who is identified, or can be identified, from
the data. It is that modal idea of who can be identified that has caused
persistent problems. Twenty years ago it was pretty reasonable to assume that
identification could be prevented provided one could prevent either inadvertent
or malicious disclosure, so the focus was on wrongful disclosure. However,
today identification is much more often by inference and it is very difficult
to see how inference is to be regulated.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The first time each of us read a detective
story, he or she enjoyed the business of looking at the clues and suddenly
realising, “Ah, I know whodunnit”. That inference is the way in which persons
can be identified from data and, let us admit it, not merely from data that are
within the control of some data controller. Data protection is after all in the
end a system for regulating data controllers, combined with a requirement that
institutions of a certain size have a data controller, so there is a lot that
is outside it. However, if we are to protect privacy, there is, of course,
reason to think about what is not within the control of any data controller.
Today, vast amounts of data are outwith the control of any data controller:
they are open data. Open data, as has been shown—a proof of concept from
several years ago—can be fully anonymised and yet a process of inference can
lead to the identification of persons. This is something we will have to
consider in the future in thinking about privacy.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Moreover, throughout the period of data protection,
one of the central requirements for the acceptable use of otherwise personal
data has been that consent should be sought, yet the concepts of consent used
in this area are deeply divisive and various. In commercial contexts, consent
requirements are usually interpreted in fairly trivial ways. When we all
download new software, we are asked to accept terms and conditions. This is
called an end-user licence agreement. You tick and you click and you have
consented to 45 pages of quite complicated prose that you did not bother to
read and probably would not have understood if you had maintained attention for
45 pages. It does not much matter, because we have rather good consumer
protection legislation, but there is this fiction of consent. However, at the
other end of the spectrum, and in particular in a medical context, we have
quite serious concepts of consent. For example, to name one medical document,
the Helsinki Declaration of the World Medical Association contains the
delicious thought that the researcher must ensure that the research participant
has understood—then there is a whole list of things they have to understand,
which includes the financial arrangements for the research. This is a fiction
of consent of a completely different sort.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">We should be aware that, deep down in this
legislation, there is no level playing field at all. There are sectoral regimes
with entirely different understandings of consent. We have, in effect, a
plurality of regimes for privacy protection. Could we do otherwise or do
better? Legislation that built on the principle of confidentiality, which is a
principle that relates to the transfer of data from one party to another, might
be more effective in the long run. It would of course have to be a revised
account of confidentiality that was not tied to particular conceptions of
professional or commercial confidentiality. We have to go ahead with this
legislation now, but it may not be where we can stay for the long run.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=4288" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">Lord Paddick (LD)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">This has been an interesting, and for me at
times a rather confusing, debate on the issues associated with the Bill. The
Bill is complex, but I understand that it is necessarily complex. For example,
under European law it is not allowed to reproduce the GDPR in domestic
legislation. The incorporation of the GDPR into British law is happening under
the repeal Bill, not under this legislation. Therefore, the elephant and the
prints are in the other place rather than here.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">We on these Benches welcome the Bill. It
provides the technical underpinnings that will allow the GDPR to operate in the
UK both before and after Brexit, together with the permitted derogations from
the GDPR available to all EU member states. For that reason it is an enabling
piece of legislation, together with the GDPR, which is absolutely necessary to
allow the UK to continue to exchange data, whether it is done by businesses for
commercial purposes or by law enforcement or for other reasons, once we are
considered to be a third-party nation rather than a member of the European
Union.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The enforcement regime, the Information
Commissioner, is covered in Part 5, because we will repeal the Data Protection
Act 1998 and so we need to restate the role of the Information Commissioner as
the person who will enforce, and we will need to explore concerns that we have
in each part of the Bill as we go through Committee. However, generally
speaking, we welcome the Bill and its provisions.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Of course, what the Government, very sensibly,
are trying to do but do not want to admit, is to ensure that the UK complies
with EU laws and regulations—in this case in relation to data protection—so
that it can continue to exchange data with the EU both before and after Brexit.
All this government hype about no longer being subject to EU law after Brexit
is merely the difference between having to be subject to EU law because we are
a member of the EU and having to be subject to EU law because, if we do not, we
will not be able to trade freely with the EU or exchange crime prevention and
detection intelligence, and counterterrorism intelligence, with the EU. That is
the only difference.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">For most aspects of data exchange, compliance
with the GDPR is required. The GDPR is directly applicable, so it cannot simply
be transposed into this Bill. Coupled with the derogations and applying the
GDPR to other aspects of data processing not covered by the GDPR makes this
part of the Bill complex—and, as I suggest, probably necessarily so.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">As my noble friend Lady Ludford also mentioned,
along with the noble Baroness, Lady Jay of Paddington, various provisions to
allow Ministers to alter the application of the GDPR by regulation is something
that we need much further scrutiny of, albeit that Ministers’ hands are likely
to be tied by the requirement to comply with changing EU law after Brexit—de
facto even if not de jure. Could it be—perhaps the Minister can help us
here—that the purpose of these powers, put into secondary legislation, is to
enable the UK to keep pace with changes in EU law after Brexit?<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">As other noble Lords have said, we have concerns
about the creation of a criminal offence of re-identification of individuals.
As the noble Lord, Lord Arbuthnot of Edrom, said, criminalising
re-identification could allow businesses to relax the methods that they use to
try to anonymise data on the basis that people will not try to re-identify
individuals because it is a criminal offence.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Despite what is contained in this Bill, we have
serious concerns that there are likely to be delays to being granted data
adequacy status by the European Commission when we leave the EU. That means
that there would not be a seamless continuation of data exchange with the EU 27
after Brexit. We also have serious concerns, as does the Information
Commissioner, that there are likely to be objections to being granted data
adequacy status because of the bulk collection of data allowed for under the
Investigatory Powers Act, as the noble Lord, Lord Stevenson of Balmacara, said
in his opening remarks. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">As the noble Baroness, Lady Lane-Fox, mentioned,
it is essential that the Information Commissioner is provided with adequate
resources. My understanding is that there has been a considerable loss of
staff in recent times, not least because commercial organisations want to
recruit knowledgeable staff to help them with the implementation of GDPR, plus
the 1% cap on public sector pay has diminished the number of people working for
the Information Commissioner. It is absolutely essential that she has the
resources she needs, bearing in mind the additional responsibilities that will
be placed upon her.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 7.5pt; margin-left: 0cm; margin-right: 0cm; margin-top: 15.0pt; mso-outline-level: 2;">
<a href="https://hansard.parliament.uk/search/MemberContributions?house=Lords&memberId=4311" title="View member's contributions"><span lang="EN" style="color: #428bca; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; text-decoration: none; text-underline: none;">The Minister of State, Home Office
(Baroness Williams of Trafford) (Con)</span></a><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 12.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">A number of noble Lords, including the noble
Lord, Lord Kennedy, the noble Baroness, Lady Lane-Fox, and my noble friend Lady
Neville-Rolfe, asked whether the Bill was too complex. It was suggested that
data controllers would struggle to understand the obligations placed on them
and data subjects to understand and access their rights. As the noble Lord,
Lord Paddick, said, the Bill is necessarily so, because it provides a complete
data protection framework for all personal data. Most data controllers will
need to understand only the scheme for general data, allowing them to focus
just on Part 2. As now, the Information Commissioner will continue to provide
guidance tailored to data controllers and data subjects to help them understand
the obligations placed on them and exercise their rights respectively. Indeed,
she has already published a number of relevant guidance documents,
including—the noble Lord, Lord Kennedy, will be interested to know this—a guide
called <i>Preparing for the General Data Protection Regulation (GDPR): 12 Steps
to Take Now</i>. It sounds like my type of publication.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Other noble Lords rightly questioned what they
saw as unnecessary costs on businesses. My noble friends Lord Arbuthnot and
Lady Neville-Rolfe and the noble Lord, Lord Kennedy, expressed concern that the
Bill would impose a new layer of unnecessary regulation on businesses—for
example, in requiring them to respond to subject access requests. Businesses
are currently required to adhere to the Data Protection Act, which makes
similar provision. The step up to the new standards should not be a disproportionate
burden. Indeed, embracing good cybersecurity and data protection practices will
help businesses to win new customers both in the UK and abroad.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">A number of noble Lords, including the noble
Lord, Lord Jay, asked how the Government would ensure that businesses and
criminal justice agencies could continue, uninterrupted, to share data with
other member states following the UK’s exit from the EU. The Government
published a “future partnership” paper on data protection in August setting out
the UK’s position on how to ensure the continued protection and exchange of
personal data between the UK and the EU. That drew on the recommendations of
the very helpful and timely report of the European Union Committee, to which
the noble Lord referred. For example, as set out in the position paper, the
Government believe that it would be in our shared interest to agree early to
recognise each other’s data protection frameworks as the basis for continued
flow of data between the EU and the UK from the point of exit until such time
as new and more permanent arrangements came into force. While the final
arrangements governing data flows are a matter for the negotiations—I regret
that I cannot give a fuller update at this time—I hope that the paper goes some
way towards assuring noble Lords of the importance that the Government attach
to this issue.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Several noble Lords, including the noble Lord,
Lord Paddick, in welcoming the Bill asked whether the Information Commissioner
would have the resource she needs to help businesses and others prepare for the
GDPR and LED and to ensure that the new legislation is properly enforced,
especially once compulsory notification has ended. The Government are committed
to ensuring that the Information Commissioner is adequately resourced to fulfil
both her current functions under the Data Protection Act 1998 and her new ones.
Noble Lords will note that the Bill replicates relevant provisions of the
Digital Economy Act 2017, which ensures that the Information Commissioner’s
functions in relation to data protection continue to be funded through charges
on data controllers. An initial proposal on what those changes might look like
is currently being consulted upon. The resulting regulations will rightly be
subject to parliamentary scrutiny in due course.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The noble Baroness, Lady Ludford, and the noble
Lord, Lord Paddick, I think it was, asked about the Government choosing not to
exercise the derogation in article 80 of the GDPR to allow not-for-profit
organisations to take action on behalf of data subjects without their consent.
This is a very important point. It is important to note that not-for-profit
organisations will be able to take action on behalf of data subjects where the
individuals concerned have mandated them to do so. This is an important new
right for data subjects and should not be underestimated.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">The noble Baroness, Lady Manningham-Buller, the
noble Lords, Lord Kennedy and Lord Patel, and my noble friend Lady
Neville-Jones all expressed concern about the effect that safeguards provided
in the Bill might have on certain types of long-term medical research, such as
clinical trials and interventional research. My noble friend pointed out that
such research can lead to measures or decisions being taken about individuals
but it might not be possible to seek their consent in every case. The noble
Lord, Lord Patel, raised a number of related issues, including the extent of
Clause 7. I assure noble Lords that the Government recognise the importance of
these issues. I would be very happy to meet noble Lords and noble Baronesses to
discuss them further.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">My noble friend Lord Arbuthnot and others
questioned the breadth of delegated powers provided for in Clause 15, which
allows the Secretary of State to use regulations to permit organisations to
process personal data in a wider range of circumstances where needed to comply
with a legal obligation, to perform a task in the public interest or in the
exercise of official authority. Given how quickly technology evolves and the
use of data can change, there may be occasions when it is necessary to act
relatively quickly to provide organisations with a legal basis for a particular
processing operation. The Government believe that the use of regulations,
rightly subject to the affirmative procedure, is entirely appropriate to
achieve that. But we will of course consider very carefully any recommendations
made on this or any other regulation-making power in the Bill by the Delegated
Powers and Regulatory Reform Committee, and I look forward to seeing its report
in due course.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">I look forward to exploring all the issues that
we have discussed as we move to the next stage. As the Information Commissioner
said in her briefing paper, it is vital that the Bill reaches the statute book,
and I look forward to working with noble Lords to achieve that as
expeditiously as possible. Noble Lords will rightly want to probe the detailed
provisions in the Bill and subject them to proper scrutiny, as noble Lords
always do, but I am pleased that we can approach this task on the basis of a
shared vision; namely, that of a world-leading Data Protection Bill that is
good for business, good for the law enforcement community and good for the
citizen. I commend the Bill to the House.<o:p></o:p></span></div>
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="276">
</w:LatentStyles>
</xml><![endif]-->
<br />
<div class="MsoNormal" style="line-height: 18.0pt; margin-bottom: 7.5pt;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN" style="color: #333333; font-family: "Open Sans"; font-size: 10.5pt; mso-ansi-language: EN; mso-bidi-font-family: Helvetica; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB;">Bill
read a second time and committed to a Committee of the Whole House.<o:p></o:p></span></b></div>
Data Protectorhttp://www.blogger.com/profile/15057767713049545333noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-52122320129457695662017-09-28T23:55:00.000-07:002017-09-28T23:57:09.096-07:00The future for “free” Subject Access Requests<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMKDqgp_vzqmsNTHPl8ZKg4ywmQMlHdHxKiV-Is9wrkUBNfyKWOJSFvb2k2Tx77QsBo_aoIB2UbUeu4cxxpBpsQQPbivi4X5-nI2TNgBXrJGGLS3k-JgALxXLvpZEHuTwA7zGDCsWpX1dK/s1600/Mark-Lester-as-Oliver-Twi-007.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="276" data-original-width="460" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMKDqgp_vzqmsNTHPl8ZKg4ywmQMlHdHxKiV-Is9wrkUBNfyKWOJSFvb2k2Tx77QsBo_aoIB2UbUeu4cxxpBpsQQPbivi4X5-nI2TNgBXrJGGLS3k-JgALxXLvpZEHuTwA7zGDCsWpX1dK/s320/Mark-Lester-as-Oliver-Twi-007.jpg" width="320" /></a></div>
<div class="MsoNormal">
<span lang="EN-US">Parliamentarians will soon be debating the
merits of the Data Protection Bill, and I’m wondering whether much
consideration will be given to the implications of the proposal to gift
citizens with “free” Subject Access Requests.<span style="mso-spacerun: yes;">
</span><o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">What parliamentarian might oppose such a
measure? After all, what’s not to like about “free” stuff?<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">But hang on a minute. This stuff is not
“free”. Citizens will pay for it, in the end, through increased charges, as
business costs rise for data controllers.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">That's obviously not really an issue if the
cost implications are marginal. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">But a good number of the data controllers I
am in regular contact with have no real idea of the cost implications of free
subject access requests. I’m regularly asked about the contingencies other
organisations are making, as they are finding it very hard to make any plans
about what additional resources might be required to ensure that the new SAR
timescales are met, and that (potential) draconian fines for non-compliance
with the new standard are not imposed upon them by the regulator.<span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">How many additional staff should be trained
on dealing with SARs? <span style="mso-spacerun: yes;"> </span>Where can expert
advice on SAR exemptions be obtained? Can professional advisors be held on
standby just in case the client needs access to specialist advice in a hurry?
If no one has an idea of the potential costs, who within the organisation will
approve the budget that may be required to deal with these contingencies? These
are the sorts of questions that I regularly hear being asked.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">While many of the organisations I deal with
are currently facing relatively low levels of SARs, they really don’t
have a clue as to how “their” customers’ behaviour will change when the ability
to charge a £10 fee is removed. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">And this is before citizens’ rights groups
encourage individuals to vent their frustration on an organisation through the
weapon of the SAR. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">If I were Ryanair, for example, I would be
seriously worried. That company has already managed to upset many thousands of
its customers through recent changes to its flight schedules, and a good few of
them might feel minded to give it a good administrative kicking by forcing it
to deal with a tsunami of SARs. Just for the hell of it. <span style="mso-spacerun: yes;"> </span>Don't get mad – get your SAR instead.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">So what’s the solution?<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">If I were a cautious Parliamentarian, I
would amend the Bill by proposing a review mechanism, enabling the Secretary of
State to reintroduce SAR fees if, in the light of experience, data controllers
faced significant hardships in dealing with free SARs.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">What does this mean? <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">It would enable the new Data Protection Act
to be amended in the light of empirical evidence about the implications of the
measure. No hard evidence currently exists as to the implications of “free”
SARs in the UK. So let’s see what will happen over the next two years. Granted, data controllers in other EU countries that currently
have a “free” SAR regime experience relatively few difficulties in dealing with
SARs. But perhaps that's because the culture in those countries is that
citizens make relatively few SARs. This cannot be said to be the case in this
country – especially when the <a href="https://ico.org.uk/about-the-ico/our-information/complaints-and-concerns-data-sets/" target="_blank">complaints logs</a> published by the ICO so
frequently mention frustration with SARs as a key complaint area.<span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">Would this proposal enrage the data
protection community?<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">To be frank, any proposal can enrage some
sections of the data protection community. The Privacy Taliban might well see this
as an outright attack on the fundamental rights of individuals, and therefore
something to fiercely oppose. <span style="mso-spacerun: yes;"> </span>But it
isn’t a fundamental human right to expect a free SAR. That’s why our data
protection laws have always provided for modest SAR fees. For those that
support the principle of “free” stuff, of course there will be opposition.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">But the majority of the privacy community
might take stock and agree that it would be helpful to continue with the
practice of evidence-based policy making. And if the evidence, based on actual
outcomes, turned out to be significantly different to what was expected, any
unwanted (and unforeseen) implications could be dealt with in due course.<o:p></o:p></span></div>
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="276">
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
Data Protectorhttp://www.blogger.com/profile/15057767713049545333noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-45976183763306199882017-09-22T09:31:00.003-07:002017-09-22T09:31:52.036-07:00How many audit controls does an organisation need to establish to show that it takes data protection seriously?<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjESpiWLc3kvEYEi47ZTbef1Xg7H35Rxi61ikmDsG4r81Zad6UQxtVF7eWUKqlk9IrzKbwZO4yhsOA3mFB-1Mvx6sdEF4FAAogDhM4xKvEZcaTfO3fGLWO0e7pK2zBYrRXf2YMBck56CsHD/s1600/Screen+Shot+2017-09-22+at+17.18.13.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="412" data-original-width="970" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjESpiWLc3kvEYEi47ZTbef1Xg7H35Rxi61ikmDsG4r81Zad6UQxtVF7eWUKqlk9IrzKbwZO4yhsOA3mFB-1Mvx6sdEF4FAAogDhM4xKvEZcaTfO3fGLWO0e7pK2zBYrRXf2YMBck56CsHD/s320/Screen+Shot+2017-09-22+at+17.18.13.png" width="320" /></a></div>
<div class="MsoNormal">
<span lang="EN-US">Whenever I visit a clinic for a health
check, I’m asked a slightly different set of questions. Each clinic is very
professionally run, and, until recently I haven’t been unduly concerned that
the same questions aren’t always asked. I’ve generally been healthy, so I guess
there was never any real need for the medical profession to probe too deeply.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">So, why should I be worried about different
questions being asked about data protection? How deeply should professionals
probe into the 'data protection' health of an organisation? <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">The question arose because I’ve recently
had an opportunity to compare my methods with those practiced by a chum in
Austria. When I’m asked to probe an organisation, I review it through the lens
of some 45 controls. When my Austrian chum probes, he uses a similar
number – for starters – but might then extend his examination to cover some 200 controls – each of which can be specifically linked to GDPR requirements.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">And these are just GDPR controls. He told me that, in Austria, some projects necessitated the use of a
further 30 or so controls, to reflect specific aspects of Austrian data protection legislation.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">So, he was happy that the GDPR might
involve him dropping up to 30 redundant controls. But what might my
clients say if I slipped into the next conversation that what I needed to
do was focus not just on my initial 45 controls, but an additional 155? How would that go
down, I wondered.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">Tell me, fellow data protection professionals, how
many controls are sufficient for an organisation to rely on? Should it simply rely on the controls that the
ICO uses in its “Getting Ready for the GDPR” <a href="https://ico.org.uk/for-organisations/data-protection-reform/getting-ready-for-the-gdpr/" target="_blank">checklist</a>?<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">Or should it introduce more? – and if so,
just how many more?<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">The answer, obviously, depends on the
extent to which the organisation’s processing is likely to harm individuals,
and in particular how much harm could be caused to how many individuals.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">So, organisations need to take a risk-based
approach to developing appropriate data protection controls. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">My Austrian chum might well have been right all
along - perhaps there are a significant
number of organisations that need his “full fat” suite of over 200 controls.
And perhaps I have been misleading clients into believing that my set of 45 was sufficient.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">I won't know whether I have been misleading anyone until a data
breach has occurred and the ICO’s enforcement team has decided that an aggravating
factor in the case was the organisation’s decision to rely just on my initial
suite of 45 controls.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">So, I’m praying on my initial hunch that my ‘suite
of 45’ will be sufficient to prevent a reportable breach for which the inadequacy of my control set was partly responsible.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal">
Wish me luck.</div>
Data Protectorhttp://www.blogger.com/profile/15057767713049545333noreply@blogger.comtag:blogger.com,1999:blog-7520012275893137285.post-86865235919683581522017-09-16T06:00:00.007-07:002017-09-16T06:11:51.213-07:00Scrutinising the Data Protection Bill: The case for a Keeling Schedule<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhijhlh-gNoiW8Kkf8oxVhLDKtAyMTipFdTV71viN-WtRisGgwuD7jOfgFghcHMdUPU6BUMw3ijF6-tLqqQHExIlOGu0JQ137Yps26opfYKL0buMHb00OYE_JgLmC4vYNtrRGe4bB-HvWAE/s1600/s630_DataProtection_GovUK.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="420" data-original-width="630" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhijhlh-gNoiW8Kkf8oxVhLDKtAyMTipFdTV71viN-WtRisGgwuD7jOfgFghcHMdUPU6BUMw3ijF6-tLqqQHExIlOGu0JQ137Yps26opfYKL0buMHb00OYE_JgLmC4vYNtrRGe4bB-HvWAE/s320/s630_DataProtection_GovUK.jpg" width="320" /></a></div>
Parliamentarians <span style="font-family: , serif;">who are tasked with scrutinising the Data Protection Bill have an
unenviable job. </span><span class="apple-converted-space" style="font-family: , serif;"> </span><span style="font-family: , serif;">Can there
be a less desirable appointment than sitting on a Parliamentary Committee,
scrutinising text that many seasoned data protection professionals have thrown
their arms up in the air in despair over? </span><span class="apple-converted-space" style="font-family: , serif;"> </span><br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="276">
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" Priority="39" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" Name="toc 9"/>
<w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
<!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:Cambria;
mso-ascii-font-family:Cambria;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Cambria;
mso-hansi-theme-font:minor-latin;
mso-ansi-language:EN-US;}
</style>
<![endif]-->
<!--StartFragment-->
<o:p></o:p>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
Given that the Bill is intended to last a generation (the current
Act will have lasted 20 years by the time of its repeal), surely we deserve
something we can more readily understand. Not just something that will keep
Robin Hopkins QC, Anya Proops QC, their other colleagues at 11 Kings Bench Walk <span class="apple-converted-space"> </span>and many, many, many other data
protection lawyers in clover for the rest of their working lives.<span class="apple-converted-space"> </span></div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
Is it really necessary for this Bill to be such a gorgeous gift to
the legal profession?<span class="apple-converted-space"> </span></div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
Is it really necessary for hard-working data protection
professionals to have to work so much harder to master the details of such a
complicated proposal?</div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
Is it really necessary for citizens to have “rights” that are so
hard to define and comprehend?</div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
I appreciate, though, that turkeys don’t vote for Christmas. <span class="apple-converted-space"> </span>And if we data protection
professionals want to earn stratospheric salaries, which many of us do, (but
not all, I grant you) then obviously the secrets of privacy witchcraft
must be restricted to a select few. </div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
I’m pretty sure, however, that the “select few” won't include the
parliamentarians who will be charged with holding the Government to account
with regard to the Data Protection Bill.</div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
If my experience is anything to go by (my experience being limited
to following the passage of many bills through Parliament and being
appointed specialist advisor to two joint parliamentary committees, one
scrutinising the draft Communications Data Bill in 2012 and the other
scrutinising the draft Investigatory Powers Bill in 2015-16) the
parliamentarians doing the scrutinising are going to need all the help they can
get.</div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
In my experience, as well as relying on evidence from government
officials, a selection of the usual suspects (industry reps, civil society,
lawyers, possibly a token celebrity and the ICO) will be invited to give
evidence – and the role of the parliamentary committee member (ably supported
by the Committee secretariat) is to assess the evidence that is delivered to
it. Evidence carries weight not in terms of how many witnesses make the same
point, but whether that point is actually any good.</div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
Witnesses were extremely generous in providing evidence to both
parliamentary committees I was involved with. Civil Society and academics were
particularly generous (i.e. verbose) in their comments – but fortunately as many
of them had conferred in advance of submitting their evidence, a lot of the
text submitted was remarkably similar / identical to that submitted by others
among their cohort. So, quite a few submissions didn’t take that long to read
and take note of.</div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
But one of the most important pieces of evidence was a Keeling
Schedule.</div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
Keeling Schedules can be used to help explain to parliamentarians
what are new bits of law, and what are restatements of existing law. They are
very helpful when the Government is claiming that it is simply consolidating,
or amending legislation. <span class="apple-converted-space"> </span>At
a glance the schedule will tell the reader what is already on the statute book<span class="apple-converted-space"> </span> - and where it is - (which is
something that parliamentary committee members may decide not to unduly concern
themselves with), and what is new. It’s the new stuff that's critically
important for Parliament to get right.<span class="apple-converted-space"> </span></div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
Robin Hopkins QC, Anya Proops QC et al, will already almost
certainly have a view on the meaning of the existing law. But the new stuff –
that's the exciting stuff, and that's the area of law for which maximum clarity
is most desirable.</div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
So, what all Data Protection Bill scholars really want to know is
what the new stuff is – amidst the 218 pages, 194 Clauses and 18 Sections of
the recently released text.</div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
How do parliamentarians get hold of a Keeling Schedule for the
Data Protection Bill?</div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
Easy. The parliamentarians appointed to the relevant Bill
Committee, through the Committee Chairman, just need to ask the DCMS Bill team
to prepare one (or, more likely, to share the version they already have). The
minister may find he doesn't have that easy a ride if he can't provide a
convincing explanation as to why the parliamentarians charged with scrutinising
the Bill can’t be provided with one.<span class="apple-converted-space"> </span></div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
The bill is, after all, one of the most significant pieces of
legislation facing Parliament this decade. I’m sure that the parliamentarians –
and the DCMS – only want to get it right.<span class="apple-converted-space"> </span></div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
But that requires clarity and transparency <span class="apple-converted-space"> </span>- the sort of thing the Bill requires
of data controllers and data processors. <span class="apple-converted-space"> </span></div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
So, let’s see how Parliament leads by example, and delivers to us a
statute that we can both be proud of and understand.</div>
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
For starters, let’s take a look at the Keeling Schedule.</div>
Data Protectorhttp://www.blogger.com/profile/15057767713049545333noreply@blogger.com