Legal experts share concerns about Data (Use and Access) Bill
“Are we complicating the law for no real benefit?”
The Data (Use and Access) Bill and practical advice on how to navigate it was the subject of a panel discussion at yesterday’s IAPP Data Protection Intensive event.
In the opening keynote at the IAPP Data Protection Intensive event, Chris Bryant, Minister for Creative Industries, Arts and Tourism hinted strongly that the Data (Use and Access) Bill was in the final straights before making it onto the statute books.
Not everyone views this wholly positively.
Eleonor Duhs, Barrister, Partner and Head of Data & Privacy, Bates Well LLP said:
“I find it surprising just how quickly this has all gone through. It’s a difficult bill to get your head around because you must look at the UK GDPR and the Data Protection Act and then look at the Bill and what changes it makes.
“Rushing legislation through that is this difficult to read isn’t a wonderful thing, I think the government has its eye on the EU adequacy decision and it wants to get this through before those negotiations kick off in earnest.”
The ‘adequacy decision’ being referred by Duhs relates to international data flows and is the one made by the EU about whether other countries – the UK in this case – provide an equivalent level of data protection as that provided by the EU. The UK adequacy decision is due to be renewed later this year. Duhs continued:
“An example is the relaxation of safeguards and protections around automated decision making in the Bill. There is no evidence that is going to be helpful. These protections only apply when you’re making significant decisions about people such as their ability to work or get credit. What is the evidence that removing these safeguards is going to be beneficial to the economy?
In my law firm we’re already seeing issues where AI is being used to manage, hire and fire the workforce and there is no real check on any of this. I’m a bit worried about that.”
Duhs also has concerns about the way ‘recognised legitimate interest’ is defined. The Bill provides a list of ‘recognised legitimate interests’ under Article 6 of the UK GDPR, which allows for use of personal data in certain circumstances without having to conduct a legitimate interests assessment.
But Duhs doesn’t think this definition is flexible enough to be useful.
“I think it's quite striking when you get into the details of the actual drafting, that recognised legitimate interests still has a necessity test. It is quite clear that in an emergency you should be sharing data not going off and conducting a legitimate interest assessment. Robust guidance can give that assurance. Data protection isn’t there to stop things happening that are needed in our society, it’s not there to be a barrier to doing perfectly sensible things.
“I think there's a real question mark about how effective this is going to be, or are we just going to be complicating the law for no real benefit?”
Henry VIII powers
Steve Wood is the former Deputy Information Commissioner and is now an independent consultant and researcher. He has related concerns about the Bill.
“On the provisions for smart data for example there is a lot more to come. The Bill leaves a lot of Secretary of state powers to decide which sectors are covered, how it will work in terms interoperability and the details of operational enforcements. The Bill will set the foundations for smart data, but there is still going to be a lot more to track and follow.”
What Wood is referring to is Secondary Legislation, or Henry VIII powers, whereby responsibility for legislating is delegated to a minister or to another organisation like the ICO instead of being scrutinised and debated by Parliament as primary legislation is. Secondary legislation can be used to amend or appeal primary legislation. It’s been used far more frequently as a legislative tool in recent years, and constitutional experts tend not to like it. Wood continues:
“The Bill is riddled with Henry VIII powers in terms of what the government could do in future in terms of additional provisions relating to legitimate interest. It’s unprecedented to have that number of provisions in a bill. Do we want to leave that many ways for legislation to be amended by future governments? That could have future knock-on effects for our EU adequacy if those powers are used extensively.”
Practical steps
What practical steps can companies take? Eleonor Duhs advises:
“In terms of practical tips, you will need to think about new complaints mechanisms, more control over that will need to go into your privacy notice. There is potentially good news on cookies [for statistical purposes] which won’t need consent.
“On the recognised legitimate interests, I think if you are dealing with vulnerable individuals or emergencies, you’ve probably already got a legitimate interest balancing test set out and legitimate interest assessment so it’s not really going to change that much.”
Steve Woods questioned whether UK companies would want to deviate from EU standards in practice, even if they are legally allowed to do so.
“On the subject of no longer needing consent for cookies for statistical purposes I think the question for companies with global websites will be do you want to make a UK specific change or do stick with your EU approach which would seek consent for those cookies?
“There is also the introduction of the trust framework for digital identity, and this shift towards having a recognised and trusted mechanism for organisations to be able to use trusted third-party providers to be able to verify individual identities in a very federated, privacy preserving way. That is a beneficial part of the Bill when you consider how identity checks currently work.
“If you are going to be using one of these third party service providers for digital identity for the first time you will need to be confident about how you learn about the accreditation that the third-party service providers will have under the framework and how that is going to work in terms of your data protection impact assessments as well.”