The MOU between the Secretary of State for Digital, Culture, Media & Sport (“DCMS”) and the ICO reinforces that new “adequacy decisions” are a matter for the Secretary of State following consultation with the ICO. The MOU contains five guiding principles: the fourth and fifth are that the ICO and the Secretary of State are to remain independent and whilst the latter is required to consult the ICO before making Adequacy Regulations, the Secretary of State is not bound by the ICO’s views. The other three guiding principles are a “no surprises” environment requiring a close working relationship between the DCMS and ICO teams and a sharing of expertise and forward planning, with the DCMS sharing information with the ICO on its program of UK adequacy assessment work, which according to the MOU is to remain secret and confidential.
Bearing in mind that the effect of UK Adequacy Regulations is to permit personal data to flow from the UK to a country specified in the Regulations without any further Chapter V UK GDPR or Chapter 5, Part 3, Data Protection Act 2018 (as appropriate) safeguards being necessary, it’s quite a powerful tool in terms of international relations and trade. The MOU aligns with the UK National Data Strategy which sets out an ambitious program to unlock the value of data and make Britain a focal point for the next wave of digital development. Is it possible that data protection is to become politicised?
At a virtual event the other week, the Secretary of State was widely reported as setting out a vision of Britain taking “a slightly less European approach as set out in GDPR by focusing more on the outcomes that we want to have and less on the burdens of the rules imposed on individual businesses”. Phil Earl, DCMS’ deputy director for data strategy implementation and evidence was critical of the ICO and British data laws. Mr Earl put forward that much of the challenge has centred on businesses struggling to understand the rules that exist creating an environment of fear, uncertainty and risk aversion which results in the suppression of innovation. Mr Earl said he thought the Secretary of State would like the new Information Commissioner to not necessarily rewrite the privacy rules, but to rebalance the overall approach whilst maintaining the existing high standards.
If one looks at the ICO’s regulatory action taken since May 2018, (58 entries on its website) it’s astonishing that anyone regards this as creating a culture of fear. 58 enforcement actions in almost 2 years many of which relatively most fines, across millions of private and public organisations caught by the data protection legislation surely cannot be spun into something that fuels a culture of fear. The chances of getting caught are minuscule and the impact of getting caught seems in most cases to be manageable. Of far greater impact on people are the continual flow of data breaches, cyber scams, and instances of fraud often brought about by poor, out-of-date and ill-conceived data handing practices and legacy systems.
The DCMS has probably a wealth of research to back up its assertions, but is that a reflection of the reality we find on the ground? The Outsourced DPO would suggest that in the main, many organisations, certainly many commercial ones, continue to not really give much thought to data protection compliance beyond the obvious public-facing aspects. In our work, we don’t find rabbits in the headlights, and we rarely find innovation halted by concerns about data protection. The one area that gives most organisations we work with the most concern is compliance with the PECR whilst trying to engage prospects and lapsed customers. It’s something of a Catch 22: you have a list of prospects you’re not sure you have GDPR standard consent to contact; the only way to check is to reach out to them, but contacting them to check is a breach of Regulation 22.
But fixing Regulation 22 of the PECR would be a doddle and doesn’t need wholesale change to the British data protection legal landscape. It seems that the next Information Commissioner looks likely to be tasked with a focus not just on enforcing privacy rules, but also helping businesses innovative more effectively using data within the framework. There are clearly lots of tensions at play here but one thing seems sure – change is in the air.
The Outsourced DPO – Philip Brining – Data Protection People